Cybersecurity, Trust and e-ID
Scooped by Intellinium - the first extranet collaborative tool integrated with a professional social network

Social networks | Homeland Security News Wire

The NSA's First Privacy Officer Is A Woman

The National Security Agency just hired a privacy officer for the first time.

Almost 70pc Irish people claim data privacy breaches - Independent.ie

One in five Irish people do not trust public sector bodies to guard their personal information in a safe and secure manner, according to a survey conducted by the Office of The Data Pro

Secret radio technology allowed NSA to spy on PCs disconnected from the Internet


Hacking Wireless DSL routers via Administrative password Reset Vulnerability

A vulnerability in Netgear and Linksys wireless routers allows an attacker to reset the admin password by running a brute-force exploit against TCP port 32764.

SEA attacks Skype in NSA spying protest

Takes over its Twitter account and blog

NSA paid $10 Million bribe to RSA Security for Keeping Encryption Weak

NSA paid $10 Million bribe to RSA Security company for Keeping Encryption Weak in its Bsafe security tool.
Rescooped by Intellinium - the first extranet collaborative tool integrated with a professional social network from Pervasive Entertainment Times

World of Spycraft: Documents reveal NSA & CIA Spied on users in WoW, Xbox, Second Life & others

Snowden documents show intelligence agencies conducting surveillance and grabbing data in virtual worlds.

Via Gary Hayes
siobhan-o-flynn's curator insight, December 10, 2013 3:00 PM

not surprising, but still...

 

"Games “are built and operated by companies looking to make money, so the players’ identity and activity is tracked,” said Peter W. Singer of the Brookings Institution, an author of “Cybersecurity and Cyberwar: What Everyone Needs to Know.” “For terror groups looking to keep their communications secret, there are far more effective and easier ways to do so than putting on a troll avatar.”

The surveillance, which also included Microsoft’s Xbox Live, could raise privacy concerns. It is not clear exactly how the agencies got access to gamers’ data or communications, how many players may have been monitored or whether Americans’ communications or activities were captured.

One American company, the maker of World of Warcraft, said that neither the NSA nor its British counterpart, the Government Communications Headquarters, had gotten permission to gather intelligence in its game. Many players are Americans, who can be targeted for surveillance only with approval from the nation’s secret intelligence court. The spy agencies, though, face far fewer restrictions on collecting certain data or communications overseas...."

 
Alain Duménil's curator insight, December 11, 2013 4:41 AM

We're not safe anywhere anymore.

AJ A. Gildner's curator insight, January 1, 2014 9:53 PM

I have participated in many online games like World of Warcraft and I have noticed how other players have reacted to this. Ever since this information was released, it has become a topic of conversation among many, especially those who play these games. If this keeps happening, there could be many more problems for the NSA in the future, but maybe I will be proven wrong.


How Your IT Workers Are Putting Your Company at Risk

The employees charged with keeping a watchful eye over a business's cybersecurity are the ones most likely to engage in risky activities, new research finds.
Intellinium - the first extranet collaborative tool integrated with a professional social network's insight:

A study from McAfee revealed that IT employees, more than any other type of worker, use unapproved software and applications in the workplace. Specifically, 83% of IT employees, compared with 81% of other employees, admit to using technology solutions at work that have not been approved by the IT department or been obtained in adherence to IT policies.

 

Overall, 35% of the software-as-a-service (SaaS) applications used within companies are unapproved, the study found. Microsoft Office 365, Zoho, LinkedIn and Facebook are the most used unapproved applications being accessed by employees.

Lynda Stadtmueller, program director of the cloud computing analysis service within Stratecast, a division of Frost & Sullivan that helped conduct the research, said there are risks associated with nonsanctioned SaaS subscriptions infiltrating corporations, particularly related to security, compliance and availability.

 

"Without appropriate knowledge, nontechnical employees may choose SaaS providers or configurations that do not measure up to corporate standards for data protection and encryption," Stadtmueller said. "They may not realize that their use of such applications may violate regulations concerning handling and storage of private customer data, leaving the company liable for breaches."

 

Despite the associated risks, nearly 40% of the IT employees surveyed said they use unapproved software and applications in order to bypass company-regulated IT processes. Additionally, 18% believe that IT restrictions make it difficult for them to do their job.

Pat Calhoun, general manager of network security at McAfee, said that with more than 80% of employees admitting to using unapproved SaaS in their jobs, businesses need to protect themselves while still enabling access to applications that help employees be more productive.

 

"The best approach is to deploy solutions that transparently monitor SaaS applications and other forms of Web traffic, and uniformly apply enterprise policies, without restricting employees' ability to do their jobs better," Calhoun said. "These not only enable secure access to SaaS applications, but can also encrypt sensitive information, prevent data loss, protect against malware and enable IT to enforce acceptable usage policies."

 

The study was based on surveys of more than 600 IT and line-of-business decision makers or influencers at companies based in North America, the United Kingdom, Australia and New Zealand.


The Truth About Why Stores Track You - InformationWeek

Apple's iBeacon and other contextual awareness technologies might soon pop up on your smartphone as shopping advice. That's not as frightening as it sounds.
Intellinium - the first extranet collaborative tool integrated with a professional social network's insight:

When I talk to people about indoor-tracking tools like iBeacon, which Apple launched at its US stores last Friday, they're both fascinated and frightened. They quickly appreciate how helpful a connected world can be when it knows where you are and what you're doing. But the steady stream of news about privacy intrusions -- mostly by the NSA -- makes them wonder if the cost of allowing access to more personal data is really worth it.

 

Apple introduced the iBeacon feature as part of the iOS 7 launch in September. It makes use of the iPhone's Bluetooth radio to communicate with other iOS 7 devices as well as compatible sensors placed at strategic spots around Apple stores. Among other things, the close-range nature of Bluetooth can be used to pinpoint a shopper's whereabouts to deliver location-specific messages. For example, someone with an older iPhone might get a trade-in offer while checking out the newer models.

 

Location is the cornerstone for contextual awareness, a collection of efforts aimed at giving our smartphones the tools they need to begin making timely, relevant suggestions and even take action on our behalf. Understanding that we're standing in front of the smartphones rather than the tablets is an important piece of the puzzle.

 

[Read how one clothes chain keeps inventory moving: How Gap Connects Store And Online Channels. ]

Apple isn't the first to implement a Bluetooth indoor-tracking system. For example, the Miami Dolphins' Fin Club app uses Gimbal -- a set of location-aware developer tools from Qualcomm -- to send in-stadium discounts to fans. In fact, Apple isn't even the first to outfit stores with its own iBeacon platform. Shopkick is motivating shoppers inside several Macy's stores with reward points and special offers based on where they are.

 

Contextual awareness isn't just about commerce, though it would be a benefit if all it did was offer up ads that we care about. (A philosophical question: if we receive pushed ads that actually interest us, are they spam?) There are efforts under way by transportation authorities to deliver updated train schedules when you're standing near the track and by museums to push information about the artist when you're admiring a painting.

 

Understanding where we are at the moment is a big step on the way to empowering our smartphones to understand us, but it's just the first step. There's a lot of innovative work underway that promises a suite of novel benefits -- but requires access to even more of your personal information. Instead of showing you an ad for the cordless drill you're admiring, for example, the app on your phone might instead point you to a scarf in another corner of the store because it knows your spouse has a birthday coming up. And it knows you haven't bought her anything yet.

 

Read the full article on Information Week


Mozilla advises webmasters to implement X-Frame-Options security header

In light of overall low adoption of HTTP security headers, Mozilla is advising webmasters to at least implement X-Frame-Options on their sites, arguing that this header can prevent several types of attacks.
Intellinium - the first extranet collaborative tool integrated with a professional social network's insight:

X-Frame-Options is an HTTP response header that allows webmasters to define if and how their websites can be loaded into frame elements on other sites. It comes with three options: ALLOW, DENY and SAMEORIGIN, the latter meaning a page can only be framed by other pages with the same origin -- same domain, URI scheme and port. There's a fourth option called ALLOW-FROM, but it's not supported by all browsers.

If a site X tries to load a page from a site Y into a frame and site Y includes X-Frame-Options DENY in its responses, a modern browser visiting site X will not load the framed page.

 

This header was primarily created as a security mechanism against clickjacking attacks, which can be used to trick users into performing actions on websites without their knowledge.

A common clickjacking technique is to load a button from a targeted site into an iframe on an attack site and then use legitimate Web development techniques to make the framed content transparent. The framed button can be positioned over a clickable element from the attack site, so that when a site's visitor attempts to click on the visible element, they actually click on the now invisible button from the targeted website that was positioned on top.

A few years ago this type of attack was common on Facebook, attackers using it to trick users into unknowingly sharing spam messages from their accounts. However, the possibilities for clickjacking-based abuse are varied and depend on the nature of the targeted site.

 

Despite X-Frame-Options being relatively easy to implement, a scan of the Internet's top 1 million most trafficked websites by security firm Veracode in November revealed that only around 30,000 sites were using the header, and a few hundred of those were actually using it incorrectly.

Clickjacking is not the only type of attack that X-Frame-Options can prevent, Frederik Braun, a security engineer at Mozilla, said Thursday in a blog post.

 

For example, Internet Explorer allows websites to specify that they want to run in IE7 compatibility mode, meaning they will be rendered with algorithms from Internet Explorer 7 that date back to 2006. IE7 lacks many security mechanisms against content injection attacks that exist in the browser's newer versions, Braun said.
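As an added example (not code from the article or from Mozilla), the Python checker below applies the framing rules described above: given the framed page's X-Frame-Options value and the origins of the framing and framed pages, it decides whether a modern browser would render the frame, comparing scheme, host and port for SAMEORIGIN. It honours DENY, SAMEORIGIN and ALLOW-FROM, and flags any other value (a bare ALLOW included, which browsers do not recognise) as one that browsers ignore, the kind of misconfiguration the Veracode scan counted. The site names and header values are constructed.

```python
"""Check how a browser would apply a page's X-Frame-Options header.

Added example, not code from the article or from Mozilla. Site names and
header values below are constructed for illustration.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple browsers compare for SAMEORIGIN."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def parse_xfo(value):
    """Classify a raw X-Frame-Options value.

    Returns (policy, allowed_origin, notes) where policy is 'DENY',
    'SAMEORIGIN', 'ALLOW-FROM', or None when a browser would ignore the
    header entirely (missing, empty or unrecognised value).
    """
    if value is None or not value.strip():
        return None, None, ["header missing: any site may frame this page"]
    token = value.strip()
    upper = token.upper()
    if upper == "DENY":
        return "DENY", None, []
    if upper == "SAMEORIGIN":
        return "SAMEORIGIN", None, []
    if upper.startswith("ALLOW-FROM"):
        target = token[len("ALLOW-FROM"):].strip()
        if not target:
            return None, None, ["ALLOW-FROM without an origin is ignored by browsers"]
        # The article notes ALLOW-FROM is not supported by every browser.
        return "ALLOW-FROM", origin(target), ["ALLOW-FROM is not supported by all browsers"]
    return None, None, [f"unrecognised value {token!r}: browsers ignore it, page stays framable"]


def frame_allowed(framing_url, framed_url, xfo_value):
    """Decide whether a page at framing_url may load framed_url in a frame.

    Returns (allowed, notes); notes explain weak or invalid configurations.
    """
    policy, allowed_origin, notes = parse_xfo(xfo_value)
    if policy == "DENY":
        return False, notes
    if policy == "SAMEORIGIN":
        return origin(framing_url) == origin(framed_url), notes
    if policy == "ALLOW-FROM":
        return origin(framing_url) == allowed_origin, notes
    return True, notes  # no usable policy: no clickjacking protection


# Constructed sample of (framed page -> X-Frame-Options value) as a scanner
# might record them; None means the response carried no header at all.
SAMPLE_RESPONSES = {
    "https://bank.example/transfer": "DENY",
    "https://shop.example/cart": "SAMEORIGIN",
    "https://widgets.example/embed": "ALLOW-FROM https://partner.example",
    "https://blog.example/post": "ALLOW",   # not a real directive: ignored
    "https://forum.example/thread": None,   # header absent
}


def audit(responses, third_party_url="https://unrelated.example/page"):
    """Report which sampled pages an unrelated third-party origin could frame."""
    return {url: frame_allowed(third_party_url, url, val) for url, val in responses.items()}


if __name__ == "__main__":
    for url, (framable, notes) in audit(SAMPLE_RESPONSES).items():
        status = "FRAMABLE" if framable else "protected"
        print(f"{status:10} {url} {'; '.join(notes)}")
```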

 

Discover the rest of the article on IT World.


NSA taps tracking cookies used by Google, others, to monitor surveillance targets

Browser cookies used to serve targeted ads are a rich source of material for NSA, report says.
Intellinium - the first extranet collaborative tool integrated with a professional social network's insight:

The browser cookies that online companies use to track Internet customers for targeted advertising are also used by the National Security Agency to track surveillance targets and break into their systems.

The agency's use of browser cookies is restricted to tracking specific suspects rather than sifting through vast amounts of user data, the Washington Post reported Tuesday, citing internal documents obtained from former NSA contractor Edward Snowden.

Google's PREF (for preference) cookies, which the company uses to personalize webpages for Internet users based on their previous browsing habits and preferences, appear to be a particular favorite of the NSA, the Post noted.

 

PREF cookies don't store any user identifying information such as user name or email address. But they contain information on a user's general location, language preference, search engine settings, number of search results to display per page and other data that lets advertisers uniquely identify an individual's browser.

The Google cookie, and those used by other online companies, can be used by the NSA to track a target user's browsing habits and to enable remote exploitation of their computers, the Post said.

Documents made available by Snowden do not describe the specific exploits used by the NSA to break into a surveillance target's computers. Neither do they say how the NSA gains access to the tracking cookies, the Post reported.

It is theorized that one way the NSA could get access to the tracking cookies is to simply ask the companies for them under the authority granted to the agency by the Foreign Intelligence Surveillance Act (FISA).

Separately, the documents leaked by Snowden show that the NSA is also tapping into cell-phone location data gathered and transmitted by makers of mobile applications and operating systems. Google and other Internet companies use the geo-location data transmitted by mobile apps and operating systems to deliver location-aware advertisements and services to mobile users.

However, the NSA is using the same data to track surveillance targets with more precision than was possible with data gathered directly from cell-phone makers, the Post noted. The mobile app data, gathered by the NSA under a program codenamed "Happyfoot," allows the agency to tie Internet addresses to physical locations more precisely than was possible with cell-phone location data.

An NSA division called Tailored Access Operations uses the data gathered from tracking cookies and mobile applications to launch offensive hacking operations against specific target computers, the Post said.

An NSA spokeswoman Wednesday did not comment on the specific details in the Post story but reiterated the agency's commitment to fulfill its mission of protecting the country against those seeking to do it harm.

"As we've said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans and allies," the spokeswoman said.

The Post's latest revelations are likely to shine a much-needed spotlight on the extensive tracking and monitoring activities carried out by major Internet companies in order to deliver targeted advertisements to users.

Privacy rights groups have protested such tracking for several years and have sought legislation that would give users more visibility and control over the data that is collected on them by online companies.

But efforts to implement an effective, industrywide Do Not Track system remain elusive as a result of opposition by trade groups like the Digital Advertising Alliance which argues that self-regulation is a better approach.


Bots now running the Internet with 61 percent of Web traffic

Both good bots and bad bots can be found lurking online -- looking to either drive traffic or wreak havoc. Read this article by Dara Kerr on CNET News.
Intellinium - the first extranet collaborative tool integrated with a professional social network's insight:

With much trepidation, I must report that there is a pretty good chance that half the visitors to this story will not be human.

According to a recent study by Incapsula, more than 61 percent of all Web traffic is now generated by bots, a 21 percent increase over 2012.

Much of this increase is due to "good bots," certified agents such as search engines and Web performance tools. These friendly bots saw their proportion of traffic increase from 20 percent to 31 percent.

 

Incapsula believes that the growth of good bot traffic comes from increased activity of existing bots, as well as new online services, like search engine optimization.

"For instance, we see newly established SEO oriented services that crawl a site at a rate of 30-50 daily visits or more," Incapsula wrote in a blog post.

But, along with the good comes the bad. That other 30 percent of bot traffic is from malicious bots, including scrapers, hacking tools, spammers, and impersonators. However, malicious bot traffic hasn't increased much over 2012 and spam bot activity has actually decreased from 2 percent to 0.5 percent.

 

Of the malicious bots, the "other impersonators" category has increased the most -- by 8 percent. According to Incapsula, this group of unclassified bots is in the higher-tier of bot hierarchy -- they have hostile intentions and are most likely why there's been a noted increase in cyberattacks over the last year.

 

"The common denominator for this group is that all of its members are trying to assume someone else's identity," Incapsula wrote. "For example, some of these bots use browser user-agents while others try to pass themselves as search engine bots or agents of other legitimate services. The goal is always the same -- to infiltrate their way through the website's security measures."

Here's to hoping the bot visitors that do come to this story are of the benign kind.


EU justice chief accuses bloc of hypocrisy in data privacy debates

The EU needs to start protecting its own citizens from the American global spying initiatives and quit being “hypocritical” when it comes to reforming its own data protection system, said the EU’s Justice Commissioner.

EPIC - EPIC Gives 2014 International Award to European Parliament Member Jan Albrecht

EPIC has given the 2014 International Champion of Freedom Award to European Parliament Member Jan Philipp Albrecht for “modernizing and defending the law of data protection.” As a rapporteur for the Committee on Civil Liberties, Justice an...

New Hampshire Bills Seek to Regulate Drones, Protect Citizens' Privacy

New Hampshire could join more than a dozen other states in limiting government and public use of drones to protect citizens' privacy. The House Criminal Ju

CryptoLocker Variant Disguised as Photoshop and Office Activation Codes - Information Security Services


Prison Locker Ransomware, an upcoming malware threat in 2014

Power Locker Ransomware, an upcoming malware threat in 2014

Hacker threatens to sell data of 3.7 Million Israeli Bank Customers, demands extortion money in Bitcoin

A hacker threatens to sell the personal data of customers of three major Israeli banks and demands extortion money in Bitcoin.
Rescooped by Intellinium - the first extranet collaborative tool integrated with a professional social network from Technology in Business Today

Judge Orders NSA to Stop Collecting Phone Records

Republican appointee rebuts case for NSA's bulk phone record collection.

Via TechinBiz

Government avert cyber security 'gap' with drive to recruit computer skills

Schemes range from GCHQ interest in small firms to schools' hacking race, with £210m boost to security strategy
Intellinium - the first extranet collaborative tool integrated with a professional social network's insight:

Ministers are leading a recruitment drive for computer scientists and hackers as they try to avert a potential shortfall in the number of skilled cyber security experts over the next decade.

One scheme designed to identify and encourage talented children through a hacking competition is being extended to schools across the country, while an Open University course planned for summer next year will aim to attract 200,000 students into the industry.

The government is already funding apprenticeships and trainee schemes, including one at GCHQ and is also subsidising academics from Africa, Asia and America who join Cranfield University's cyber policy course.

 

Cabinet Office minister Francis Maude – giving an update on progress on the government's two-year old cyber security strategy – said GCHQ was increasingly looking to British small and medium-sized firms to recruit staff from and increase its cyber security expertise, recently courting experts at an event at Cheltenham racecourse.

 

Maude said: "We need to sustain and grow the capabilities of UK cybersecurity, and it is now vital we ensure that we have young talent coming through our education system and the workplace. While the online world has grown exponentially over the last few years, our education system hasn't kept pace."

He cited the town of Malvern, Worcestershire, which has developed a cluster of around 40 specialist companies, and also gave the example of one talented apprentice who had been thrown out of school. "Talent won't always be found in the usual places. Some of the brightest and best are self-taught. We have to avoid a gap in the UK's cyber defences in the years to come. There will never be a moment when we dare to say 'we are there'. This will always be a work in progress."

 

The government wants to increase both public and business awareness of security issues. A basic cyber security standard is being developed for businesses and will be extended to government departments, Maude said.

He said more than 250 companies have joined the Cyber security Information Sharing Programme (CISP) which encourages businesses to share problems and expertise in dealing with threats.

Adrian Nish, analyst at BAE Systems Detica, said the company was targeted several times each day by various cyber-attacks. "We can use the profile of these attacks to defend ourselves going forward. Where CISP comes in is that by bringing details of various attacks together, we are able to build a bigger profile of what that threat looks like and are able to look at how to mitigate it.

 

"One recent example is where a company in the aerospace sector reported a compromised UK website and fed that information into CISP. It transpired it wasn't a random attack, but one perpetrated by a particular known attack group. That information could then be briefed out to other sector members and the threat picture added to."

 

The new National Crime Agency's specialist cyber crime unit was launched in spring 2013. Detailing a recent case by the National Cyber Crime Unit, lead officer Stewart Garrick detailed how six hackers used free ads site Gumtree to harvest email addresses, planted malware on victims' machines and eventually stole online banking details. The group is thought to have earned as much as £4m from the scam but last month each member was jailed for up to seven years.

 

Another government initiative, the Centre for the Protection of National Infrastructure, supports private companies managing critical services and in early 2014, the new national Computer Emergency Response Team will open to coordinate response to major cyber emergencies.

The government dedicated £650m to its Cyber Security Strategy when it launched in 2011, and has committed to spend a further £210m by 2016. Maude said extra money had been allocated because, despite economic restraints, cyber security is a priority concern for the government.

 

Maude, who said he is known as "Dr No" within Whitehall for his insistence on cutting budgets, claimed the government has saved £5.4bn in the first half of 2013, 7% less than 2012.


3 in 4 Chinese firms unprepared for data attacks | ZDNet

Their average financial loss through security breaches in 2013 was US$1.8 million, above the Asia-Pacific average of US$1.6 million, according to PricewaterhouseCoopers.
Intellinium - the first extranet collaborative tool integrated with a professional social network's insight:

The average financial loss through security breaches in 2013 was US$1.8 million in the Chinese mainland and Hong Kong, above the Asia-Pacific average of US$1.6 million, according to PricewaterhouseCoopers (PwC).

Less than a quarter of companies in China and Hong Kong are adequately prepared for an information security incident, said PwC in a Xinhua news report.

 

"As the Chinese economy grows and becomes more global, individual companies will come under closer scrutiny by those seeking to exploit weaknesses," said Samuel Sinn, Risk Assurance Partner at PwC China. The survey collected 9,600 responses from corporate executives around the world between February and April this year on questions regarding privacy and information security protection.

 

"Corporate IT systems have become more complex, with cloud technology and mobile devices making them fragmented," said Kenny Hui, risk assurance partner at PwC China.

Data security has increasingly become a concern in China, with more consumers switching to websites and mobile apps to access a wide range of services including retail and money markets.

The PwC report based on the survey does not have data for the Internet sector, but finds that while two in three respondents in China said they have actively executed effective strategies to respond to security challenges, the cost of doing so for each incident was nearly as much as the losses of those least prepared to run an effective security program, according to the report.

41 percent cited former employees as the most likely source of attacks, compared with the global average of 27 percent.


Why Fed Cybersecurity Reboot Plan Fails To Convince - InformationWeek

Does a presidential commission's hodgepodge analysis and suggestions for improving federal cybersecurity tell us anything we didn't already know?
Intellinium - the first extranet collaborative tool integrated with a professional social network's insight:

The President's Council of Advisors on Science and Technology (PCAST) has studied government cybersecurity, and it says the picture isn't pretty.


"The federal government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make cyberattacks more difficult by implementing hardening practices for its own systems," reads the 17-page, recently released report from PCAST. The report is a declassified version of a study that PCAST -- which is comprised largely of members of academia and major technology vendors -- submitted in February 2013 to President Obama.


Some of the PCAST report's recommendations include getting government agencies to ditch Windows XP within two years, increase their use of trusted identities, share threat intelligence with the private sector, and design systems that are hardened against attacks from the outset. "Research is needed to foster systems with dynamic, real-time defenses to complement hardening approaches," according to the report.


But how many of PCAST's recommendations promise the best bang for the government's cybersecurity buck? "This report reads as being very disconnected from what the federal government is actually doing or has been doing, and what has worked or hasn't worked," said John Pescatore, director of the SANS Institute, in a recent SANS newsletter. For example, the report only makes a passing reference to the Federal Risk and Authorization Management Program (FedRAMP), which gives government agencies cost-effective, standardized techniques for -- in the program's own language -- "assessment, authorization, and continuous monitoring" of cloud-based services. The goal is to only have to conduct an assessment once, then to let government agencies subscribe as they see fit.


Pescatore added that the PCAST report also omits any mention of the Department of Homeland Security's Continuous Diagnostics and Mitigation program, which DHS is building "to provide adequate, risk-based, and cost-effective cybersecurity" for the executive branch. That would seem to square well with PCAST's call for better "dynamic, real-time defenses" for the government. In the future, furthermore, DHS plans to extend the program to include the defense industry, as well as state and local government agencies.


Do federal agencies really need the PCAST report's recommended trusted identity program? Would the report's call for greater information sharing between government agencies and the private sector lead to better federal cybersecurity? "It was very obvious that the report was written mostly by folks from universities, along with Craig Mundie of Microsoft and Eric Schmidt of Google: many recommendations for more government funding for research, government updating of operating systems and browsers, and more use of cloud services," said Pescatore.


Where is the business case?
Given the PCAST members' vested interests in many of their recommendations, it's notable that -- despite many of them hailing from the private sector -- they've failed to offer a business case for any of their suggestions.


For example, what's the return on investment to be gained from PCAST's recommendation to advance the trusted identities program? For comparison's sake, the Department of Energy hasn't been able to get the Congressional appropriations it needs to replace an outdated -- and recently hacked -- Adobe ColdFusion system that stores personal information on every employee and contractor. But fixing that vulnerability would immediately plug an existing security hole, protect identity information, create a safe foundation for building future agency applications, and demonstrate an immediate return on investment for an agency that's now paying for credit monitoring services after losing information on more than 100,000 current and former employees, contractors, and their dependents.


Or take the PCAST recommendation to replace Windows XP, despite the use of the operating system remaining widespread not just in the government, but also the private sector. Microsoft, of course, has been warning people to upgrade before it ceases related support come April 2014, and there are strong security reasons to do so.


But should government agencies pay to upgrade to Windows 8, which will necessitate purchasing new hardware? Why not instead install virtualized -- and locked down -- Windows XP clients, thus retaining existing hardware and avoiding many refresh costs? That combination might not appeal to PCAST members, but it would provide better information security at an affordable cost, and avoid the expense of silver-bullet thinking.


Another useful take on PCAST's recommendations comes via Gal Shpantzer, an information security and risk management advisor who offered -- also in a recent SANS newsletter -- the following finding: "It is important to influence designers of future computers and software so that security controls can be installed before the fact and as an integral part of the system. It is also important to ascertain what can be done with equipment presently installed or owned by the government."


That recommendation isn't from the PCAST report, but rather the Defense Science Board Task Force on Computer Security. As the group's name might suggest -- note the lack of the government-speak word "cybersecurity" in the title -- the report isn't recent. In fact, it dates from 1970. Perhaps the more the government's information security problems apparently change, the more they really stay the same.


Are your smartphone apps selling you out?

Just because you're paranoid doesn't mean your mobile apps aren't out to get you.

The president of the United States says he's not "allowed" to own an iPhone, which is why he's sticking with his BlackBerry, according to The Wall Street Journal.


It's a politically sensitive subject because the iPhone is the big American brand, and the president is a self-proclaimed fan of the late Apple founder and CEO Steve Jobs. He'd love to pander to buy-America voters. (Obama is also probably not "allowed" to have an Android phone.)

Of course, neither the president nor the Secret Service is willing to say exactly how security could be compromised with an iPhone. But one security risk is the unpredictable nature of both iPhone and Android apps.


Sure, there's a lot of flat-out malware flying around online, most of which looks like regular, legitimate apps but is in fact either malware or software that compromises privacy or security in some way.

There are certain types of apps that users are wary of and may take precautions about before downloading. But others don't seem to have anything to do with user data, so they seem safe.


The Federal Trade Commission announced this week that it reached a settlement with Goldenshores Technologies, which makes a free Android app called "Brightest Flashlight." The FTC said the app harvested data on users' locations and device IDs and sold it to advertisers without telling the users, and even when users rejected the app's terms of service. The settlement forced the company to improve its privacy policy, user communication and data handling.

The FTC said the app had been installed on "tens of millions" of phones.


The whole "Brightest Flashlight" fiasco shines light on an uncomfortable set of facts about smartphone apps. For starters, some apps that have no apparent need to harvest personal data or compromise privacy or security go ahead and do so anyway.

But even those that don't move user data can leave users vulnerable through sheer incompetence.

Silicon Valley computing giant Hewlett-Packard recently conducted a study about the security of business apps for the iPhone and concluded that many of them give themselves permission to access phone features and user data that make no sense, given the stated purposes of the apps.

HP found that more than 90% of the business apps it studied had privacy or security flaws.


Many of the flaws involved unencrypted data or insecure protocols. Some 20% of the apps send user data via unprotected HTTP. A similar percentage sent it via HTTPS, but didn't implement it correctly. And HP found other problems where an app could compromise user security and privacy not through malice, but through incompetence.

HP isn't the only organization looking at app security and finding a gigantic problem.


A new report from Trend Micro found that there are now 1 million "malware and high-risk apps" in the wild.

"High-risk apps" are defined in the report as those that "aggressively serve ads that lead to dubious sites," and represent one quarter of the total.

An information security company called Trustwave said this month that file-sharing apps for iPhones and iPads can compromise user security -- even simple picture-sharing apps or apps that enable users to exchange documents.


The problem is that some of these apps open up an insecure file server on the device, which theoretically makes the device's files vulnerable to copying or could enable malicious crackers to upload files of their own. Some apps don't even require user authentication. The problems tend to be worse when apps run on older versions of iOS.

Some of these reports come from companies that sell solutions to the smartphone apps' security and privacy problems, so their conclusions should be taken in that context. However, it's clear that the problem is real and widespread.


So what can users do about it? Do you have to become a security expert just to keep your personal data private?

The unfortunate answer is: Yes, kind of.

Education is the best defense. Certain types of smartphone security products, such as iPhone fingerprint readers or Android anti-malware apps, protect against some risk but not most of the problems associated with apps.


In general, we all need to be more selective about the apps we download and not assume that an app is OK just because it's highly rated or popular.

We also need to think about which data we want to keep private, and which data we don't. For example, if you're concerned about protecting your location data, there are a set of steps you can take to reduce the risk of that information getting out.

If, on the other hand, you carry financial data around on your phone, well, there's an entirely different set of actions you need to take.


The take-away here for all users is that the Apple App Store and the Google Play Store and the other Android stores are jam-packed with apps that can compromise your security and privacy without you ever knowing anything bad happened.

So be careful about what you download, don't be lulled by security features that can't protect you against bad apps, and take deliberate action to protect the private information you most want to safeguard.


NSA agents are posing as Santa Claus, sings ACLU - VIDEO

In a Christmas YouTube video, there to make you laugh and quake, the ACLU gives a traditional Christmas song new lyrics and meaning. Read this article by Chris Matyszczyk on CNET News.

It's been a year in which the alleged needs of security have made many people feel more insecure.

So now as we all prepare to gather round with our families, the American Civil Liberties Union would like to remind us that Santa Claus does exist, but he might be an NSA agent.

In a YouTube video made, I imagine, to make you titter and quiver, we hear a famous song that's been infiltrated.

"Santa Claus Is Coming To Town" has become "The NSA Is Coming To Town."


Some might be moved by lines such as "You're making a list, they're checking it twice" and "they see while you are sleeping, they hear while you're awake."


As you're listening to these words of foreboding, we see that NSA agents are dressing up as secret Santas so that they can follow your every move.

We see the NSAntas marauding around, photographing people's cell phones with their own cell phones, and generally being intrusive to the point of insanity.

Your insanity, that is.

Some people fight back. Some are merely bemused by this overactivity, while they're trying to focus on what's important at Christmas: buying things.

"Help us end the NSA's unlawful spying programs," is the message at the end of this cheery piece.

How might you do that? Kidnap the secret Santas' reindeer?
