STE WILLIAMS

Sneaky skimmer scam stings several Safeway supermarkets

US grocery chain Safeway has confirmed that registers at several stores in California and Colorado had somehow been fitted with “skimmer” hardware to collect payment card information.

According to a report from Krebs on Security citing investigators involved with the case, registers at two stores in northern California and five stores in Colorado were found to have been fitted with the skimming devices. Safeway believes these were unrelated incidents. The source of the devices is not known.

The Krebs report noted that the Colorado discovery was only made after bank customers had reported unauthorized cash withdrawals and that reports of the activity have been coming in since September of 2015.

Safeway said that no card data had been stolen by either of the two skimmers in California, and that a total of three skimmers had been found in Colorado in November.

“When our store teams find evidence of criminal activity like this, we have been able to pinpoint with surveillance video when the devices were installed and how many transactions were processed,” Safeway said in a statement to The Register.

“We immediately followed the proper protocol of contacting law enforcement and the banks that service the few cards that were used on those pin pads.”

Safeway is advising customers in Colorado to check their bank statements and report any unauthorized activity.

Cash registers and sales terminals have become favorite targets for criminals looking to collect credit card information. Attackers use skimmers or specialized malware packages to collect and then upload card numbers and data for fraudulent transactions or bulk resale online. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/18/safeway_supermarket_stung/

Former security officials and BlackBerry CEO pile in on encryption debate

The rolling debate over encryption has been joined by BlackBerry’s CEO and a range of former national security officials.

Following a recent political pushback, and a Republican debate that appeared to again ask for backdoors to be introduced into encryption products, the experts have stepped in to argue for a more realistic assessment.

As BlackBerry’s CEO, John Chen knows precisely how important security and hence encryption is to modern communications. Having long since lost its lead in the smartphone market, the company still makes a good living thanks to the fact that its technology is more secure than competitors.

As a result, the company’s phones are still the default for many governments and organizations for whom data security is critical – such as banks, law firms, and hospitals.

However, in a blog post this week, Chen criticized the position taken by Apple CEO Tim Cook, who he said has displayed “disdain” when the tech industry was asked by law enforcement to help provide access to certain accounts.

Said Chen: “One of the world’s most powerful tech companies recently refused a lawful access request in an investigation of a known drug dealer because doing so would ‘substantially tarnish the brand’ of the company. We are indeed in a dark place when companies put their reputations above the greater good.”

Yin yang

Instead, Chen argues that a “proper balance can be struck,” and while he notes that BlackBerry has refused to put backdoors in its systems, has quit countries such as Pakistan that have insisted it do so, and writes that “we have never allowed government access to our servers and never will,” he states that BlackBerry “rejects the notion that tech companies should refuse reasonable, lawful access requests.”

Unfortunately, Chen’s solution does not appear to be much of a solution at all. He praises the messaging app Telegram for culling public channels that it discovered were being used to spread propaganda stemming from the Islamic State.

However, both Telegram and BlackBerry allow private channels and protect them from intrusion. As does Apple. As does WhatsApp, which this week was temporarily suspended in Brazil as a result of refusing to hand over data on a suspected drug trafficker.

While the public/private split may make sense to Chen, the fact is that one of the most recent cases that has sparked discussion – the San Bernardino mass shooting – saw the shooters sharing information through private messages on Twitter and Facebook.

Chen appears to be arguing the same case as Tim Cook, but saying that he should just be more polite about it.

Encryption is here to stay

One area where Chen and the former security officials are in fierce agreement is on the topic of encryption itself.

Some politicians, and even the head of the FBI, James Comey, have called for encryption to be limited or prevented. Comey hates the term “backdoor” because of its negative implications. But whatever name you give to it, the insertion of a way to bypass encrypted data is the same thing.

Chen says that BlackBerry “rejects any notion of banning or disabling encryption” and notes that the wave of recent high-profile hacks shows that “we need more, not fewer, security controls for our sensitive information.”

The same point was made by former NSA head Mike McConnell in an interview with The Washington Post.

“Chinese economic espionage is so severe that stopping that is more important than being able to read the communications of a criminal,” he argued. McConnell went through the exact same debate as people are having now with backdoors – the security services want it and others are worried about the impact. He accepts that the debate was lost but regardless, “from that time until now, NSA has had better sigint than any time in history.”

Let it go

He makes the point that so many technologists have: “Technology will advance, and you can’t stop it. Learn how to deal with it.”

That view is also shared by former Homeland Security secretary Michael Chertoff. Chertoff says that efforts to “undermine or create exceptions” in encryption are “misguided.” The trend is in end-to-end encryption and that’s just how it is, he notes, arguing that in free society the deal is that you accept a “less-than-perfect ability to detect people who do bad things.”

Meanwhile, former CIA head Michael Hayden also thinks that forcing US tech firms to unlock customer data is a mistake, since it will “drive the market away from them” and simply result in unbreakable encryption made by companies outside the US.

And just to add to the crowd, former NSA inspector general Joel Brenner told the Post what many security experts have been saying for months: if you create a backdoor “the likelihood that others will gain access is quite high.”

Of course the big difference between being in government and having left government is that you no longer have the direct responsibility to keep people safe.

You could argue that with experience comes wisdom, but it is all too easy to forget the pressure that public officials feel to do something when the news arrives of yet another seemingly random public shooting carried out in the name of a twisted ideology.

And while Chen argues that being polite is always better than aggressive refusal, he has not found himself subject to the kind of direct public criticism that Cook has been on the receiving end of. Being accused of assisting terrorists and criminals is not exactly the sort of language that encourages a polite response. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/18/security_officials_blackberry_ceo_encryption_debate/

CES tech show adds new security checks after fears of violence

The annual Consumer Electronics Show in Las Vegas is renowned for being crowded – 170,000 people attended last year – but new security restrictions will mean that the traditional lines to get in are going to be exponentially worse.

“Due to recent global tragedies, we have new security procedures for CES. This includes bag restrictions as well as additional security measures that you will need to know before coming to CES,” the organizers said.

“We want you to have a safe CES experience. We are implementing these enhanced measures with the goal of maintaining the safety of all of our guests – attendees, exhibitors, members of the media – and show personnel while creating as little inconvenience as possible. Please review the following new measures.”

The new restrictions mean everyone wanting to get into the conference venue will be subject to a bag search, and bags can’t be larger than 12″ x 17″ x 6″ (30cm x 43cm x 15cm). No luggage or rolling bags of any kind will be allowed into the venue, meaning those heading from the show to the airport will have to make an extra stop.

In addition, the organizers will be installing metal detectors for everyone entering, and security will be on hand to administer patdowns. Police officers in armored gear and explosive detection dogs will also be roaming the show halls.

If you are going to bring a bag, the organizers suggest something mesh, plastic, or vinyl to speed up the process. “Bags and backpacks with many pockets are not helpful,” they warn.

There are going to be some exceptions to the new rules. CES exhibitors and credentialed members of the press get a special dispensation on the searches, presumably on the grounds that if you’re spending money on the show (or under the aegis of a strict editor) you’re unlikely to bomb it.

The Consumer Electronics Association hasn’t responded to requests for just why the new security restrictions are going to be in place, but the current concern in the US about mass shootings (foreign or domestically inspired) might have something to do with it. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/18/ces_tech_show_adds_more_security/

Microsoft Trusted Root Certificate program getting a lot less trusting

Microsoft is cutting the ranks of its Trusted Root Certificate partners in hopes of improving the security of Windows applications.

The Redmond giant said that it would be dropping 20 currently trusted Certificate Authorities (CAs), leaving the applications and sites signed with those certificates untrusted and causing their users to receive warnings when launched.

According to Microsoft, the elimination of the CAs came after the company decided to implement a stricter set of audits and requirements for the Trusted Root Certificate program in June of this year.

With the more stringent requirements now having been in place for several months, Microsoft has begun culling the ranks to remove those who can’t, or won’t, meet its security requirements.

“Through this effort, we identified a few partners who will no longer participate in the program, either because they have chosen to leave voluntarily or because they will not be in compliance with the new requirements,” wrote Microsoft enterprise and security group program manager Aaron Kornblum.

“We encourage all owners of digital certificates currently trusted by Microsoft to review the list and take action as necessary.”

The complete list, via Microsoft:

Following the removal of the CAs in January, certificates from the listed CAs will no longer be valid. Microsoft is advising owners of the affected certificates to obtain new, valid certificates from one of the remaining trusted CAs. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/17/microsoft_trusted_root_certificate_cull/

‘Unauthorized code’ that decrypts VPNs found in Juniper’s ScreenOS

Juniper Networks has admitted that “unauthorized code” has been found in ScreenOS, the operating system for its NetScreen firewalls.

The code “could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”

And on The Register‘s reading of the situation, the unauthorised code may have been present since 2008, an assertion we make because Juniper’s notice about the problem says it impacts ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. ScreenOS 6.2 was released in 2008. ScreenOS 6.3 came out in 2009.

We’ve asked Juniper if it has any theories about the origin of the code and have been told the company has nothing to say on the matter beyond the post we’ve linked to above and canned statements from its PR team.

Just what happened is therefore obscure for now, but the obvious scenarios aren’t good news for Juniper.

The first scenario we’re considering is an internal SNAFU that saw rejected code left in production releases of ScreenOS. That’s an unfortunate error with potentially terrifying consequences, but also a rather “better” reason than our second scenario: parties unknown snuck the code into ScreenOS in order to do ill to Juniper customers. Would such malfeasants have done so in hope of finding something interesting, or in order to target known Juniper users?

Whatever the source of the code, the fact remains that a major vendor’s security appliances have been revealed – by the vendor – to contain very dangerous code about which it knew nothing. For years. During which time customers’ confidential communications may well have been monitored.

Juniper’s issued an out-of-band patch for the problem and strongly recommends its application “as soon as possible.”

The Register has contacted Juniper to seek more detail about the situation, but is yet to receive a reply. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/17/juniper_screen_os_contains_unauthorised_code/

90% Of Industries, Not Just Healthcare, Have Disclosed PHI In Breaches

New Verizon PHI report finds that organizations’ workers comp and wellness programs are also vulnerable repositories for personal health information.

Financial services companies, retailers, government agencies, take heed. You’re vulnerable to breaches of personal health information (PHI) too, and someone in your sector has already suffered one, according to the first-ever Verizon Protected Health Information Data Breach Report, released yesterday.

The report covers 1,900 PHI breaches and spans 20 years of security events between 1994 and 2014 (although most occurred between 2004 and 2014). Over that period, 392 million records were exposed, amounting to half the population of the United States.

The data is gathered from breaches covered in the Verizon Data Breach Incident Report and in the Vocabulary for Event Recordings and Incident Sharing Community Database. From those lists, researchers not only selected incidents from healthcare organizations, but also any incidents in which medical records were lost or in which an affected individual was labeled as a “patient” by the breached organization.

Therefore, not all “PHI” in this report contains medical records; it might be credit card data scraped from a PoS system at a dentist’s office or LAN login credentials at a hospital. And not all PHI is from healthcare organizations; it might be medical records lifted from a university clinic or a corporate wellness program.

In fact, what surprised Verizon researchers the most was that unauthorized disclosures of PHI (including medical records) were happening from so many non-healthcare organizations. “That’s going to be surprising to them too I think,” says Suzanne Widup, senior consultant for the Verizon RISK team and lead author of the report.

Widup says much of this sensitive information is being volunteered by employees, and showing up in worker’s compensation and wellness program files. Companies “need to treat that data just like any other data,” says Widup, and secure it accordingly.

Yet, the majority of incidents still came from healthcare. The type of actors and threats also varied by the type of healthcare organization. The vast majority of events came from hospitals and from “ambulatory healthcare services,” which includes physician’s offices, dentist’s offices, diagnostic labs, and a variety of other outpatient care centers.

While ambulatory services are more prone to attacks by external threat actors, hospitals are more vulnerable to insiders, both malicious and accident-prone. Hacking and malware are smaller problems in hospitals (experienced by only 7.4% and 3.4% of hospitals, respectively), but a more significant issue for ambulatory services (14.3% and 9.3%). Conversely, misuse — like snooping on celebrity medical records, Widup suggests — is a much bigger problem for hospitals (25.2%) than it is for ambulatory services (13.9%).

For both though, the top problems are “error” (22.0% for ambulatory services, 28.2% for hospitals) and “physical actions,” like loss or theft of unencrypted devices (38.9% for ambulatory services, 32.0% for hospitals). Does the sad “physical action” figure in this particular report, however, simply reflect the fact that the report covers incidents that occurred before hard-disk encryption of laptops was a standard security best practice?

“God I wish it did,” says Widup. Healthcare, she says, continues to lag behind when it comes to putting in encryption as a control. “This is something we see consistently in healthcare year after year … It’s really kind of frustrating.”

The healthcare industry is often wary of security measures that could jeopardize the availability and performance of devices, particularly when they are essential to emergency patient care. However, devices that are often lost and stolen, says Widup, are not even used in patient care. She suggests that healthcare organizations look at a subset of those devices that aren’t used in patient care, but might nevertheless hold medical records — or credentials to systems that hold medical records — and start at least locking down those systems.

On the plus side, incidence of lost/stolen devices were discovered relatively quickly. Conversely, according to the report, “incidents in this dataset that took years to discover were over three times more likely to be caused by an insider abusing their LAN access privileges, and twice as likely to be targeting a server (particularly a database).”

The weak security of healthcare data is having far-reaching effects. The Verizon report references a Harvard study that found 12.3% of respondents had withheld information from a healthcare provider because of security concerns and a study from Dartmouth and the University of Wisconsin-Milwaukee that found 13% of respondents reported having ever withheld information from a provider because of privacy/security concerns related to EHRs.

“It’s pretty concerning,” says Widup, “when you think about the implications for public health.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/analytics/90--of-industries-not-just-healthcare-have-disclosed-phi-in-breaches/d/d-id/1323535?_mc=RSS_DR_EDT

Advent tip #17: “Reply All” is probably not what you want

It’s holiday season, so it’s likely you’ll be emailing groups of friends, friends of friends, and so on.

Whether it’s passing on Christmas greetings, or making plans to meet them at the beach after work for a barbecue (maybe not in the Northern Hemisphere, but you get the idea), or figuring out who’s going to take the least popular Christmas-to-New-Year support desk shifts…

…you may end up with emails that have plenty of recipients, possibly including people you don’t know very well, or who are your boss’s boss’s boss.

And if you have email access on your phone, you may very well find yourself replying when you’re already at the beach barbie, perhaps even when you’ve already been there a while.

That’s where today’s tip comes in.

“Reply All” is probably not what you want.

To make it perfectly clear why, here’s an example:

To: Roland
From: James
CC: Management Team, HR Department, Senior VP Team, Board
Subject: Company beach party this Friday

You are invited. Dress code casual.

Reply All would result in this:

To: James
From: Roland
CC: Management Team, HR Department, Senior VP Team, Board

Bring it on, Jimbo! Let's sink a few tinnies, then dump
the other losers and head to the Beach Bar.

“Reply All” is not what you wanted, if you see what we mean.

Also, while we’re about it, remember that when you are emailing many different recipients, especially people outside your organisation who don’t already know one another, you should be using BCC:, not CC:, and here’s why.

Take care, and if in doubt, don’t send it out!
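As an added illustration of the point above (not part of the original tip), here is a small Python script that mimics how a mail client builds the recipient list for “Reply” versus “Reply All”, and how the BCC: line is stripped from the copy that actually goes out, which is what keeps a BCC list private. The beach-party invitation and the holiday greeting below are constructed samples; the names and the example.com/.net/.org/.edu addresses are made up.

```python
import copy
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses


def _addrs(msg, header):
    """All e-mail addresses found in one header (empty list if absent)."""
    return [addr for _, addr in getaddresses(msg.get_all(header, []))]


def _dedupe(addrs, exclude):
    """Keep the first occurrence of each address, dropping anything in `exclude`."""
    kept = []
    for a in addrs:
        if a not in exclude and a not in kept:
            kept.append(a)
    return kept


def reply_recipients(original, me, reply_all=False):
    """Work out who a reply goes to, the way a typical mail client does.

    'Reply' answers the sender only. 'Reply All' also copies everyone on
    the original To: and CC: lines (minus yourself). Reply-To: handling is
    left out to keep the illustration short.
    """
    sender = _addrs(original, "From")
    if not reply_all:
        return {"to": sender, "cc": []}
    to = _dedupe(sender + _addrs(original, "To"), {me})
    cc = _dedupe(_addrs(original, "Cc"), set(to) | {me})
    return {"to": to, "cc": cc}


def envelope_recipients(msg):
    """Everyone the message is actually delivered to: To + CC + BCC."""
    return _addrs(msg, "To") + _addrs(msg, "Cc") + _addrs(msg, "Bcc")


def prepare_for_sending(msg):
    """Return the copy that recipients receive: the same message serialised
    and re-parsed, with the Bcc: header removed, as a sending client or MTA
    does (smtplib.send_message drops Bcc the same way). This is why BCC
    recipients never see one another and cannot 'Reply All' to the list."""
    out = message_from_string(msg.as_string(), policy=policy.default)
    del out["Bcc"]
    return out


# Constructed sample 1: the beach-party invitation from the tip.
INVITE = EmailMessage()
INVITE["From"] = "James <james@example.com>"
INVITE["To"] = "Roland <roland@example.com>"
INVITE["Cc"] = "management@example.com, hr@example.com, board@example.com"
INVITE["Subject"] = "Company beach party this Friday"
INVITE.set_content("You are invited. Dress code casual.")

# Constructed sample 2: a greeting to outside contacts who do not know
# one another, addressed to yourself with everyone else on BCC.
GREETING = EmailMessage()
GREETING["From"] = "James <james@example.com>"
GREETING["To"] = "James <james@example.com>"
GREETING["Bcc"] = "alice@example.net, bob@example.org, carol@example.edu"
GREETING["Subject"] = "Season's greetings"
GREETING.set_content("Happy holidays from all of us.")


if __name__ == "__main__":
    print("Reply:    ", reply_recipients(INVITE, "roland@example.com"))
    print("Reply All:", reply_recipients(INVITE, "roland@example.com", reply_all=True))
    sent = prepare_for_sending(GREETING)
    print("Delivered to:", envelope_recipients(GREETING))
    print("Visible in the received copy:", envelope_recipients(sent))
    print("Reply All from a BCC recipient reaches:",
          reply_recipients(sent, "alice@example.net", reply_all=True))
```

Run it and compare the two recipient lists for the invitation: “Reply” goes to James alone, while “Reply All” carries every CC: line along with it. For the greeting, the delivered copy carries only the To: address, so even a “Reply All” from one of the BCC recipients reaches nobody but the sender.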


Images of Christmas tree and Advent calendar courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/erfwONB3y_c/

No, IKEA is NOT selling a swastika-shaped table called Hadolf

A viral Facebook post is making the rounds showing an image of a dinner table shaped like a Nazi swastika, alongside claims that Swedish furniture giant IKEA is selling the offensive item in its 2016 catalog.

It would be a shocking story if it were true, but it’s a complete hoax.

The hoaxers claim the ‘Hadolf’ table is being sold for 88 euros (“88” is a code neo-Nazis use to represent “Heil Hitler”).

Viral social media posts like this are hard to track back to their original source because anyone can share the content as their own.

A little searching on Facebook turns up one version of the hoax posted 12 December 2015 by a user in Germany, which has been shared almost 12,000 times and “liked” by 29,000 people.

[Image: the IKEA Facebook hoax post]

The hoax was first reported on Monday, 14 December, by the German newspaper Berliner Zeitung, whose story was picked up by media outlets around the world.

Berliner Zeitung reported that the viral Facebook post was first seen in Italy before spreading to Germany.

In a statement to Berliner Zeitung, an IKEA spokesperson said the rumor is absolutely false:

It is of course clear that such a table is not part of our program, either in Italy or anywhere else.

According to the Daily Mail, IKEA is also threatening legal action, if it can determine the source of the hoax.

Any company would hate to have its reputation tarnished by association with Nazism, but IKEA has been stung by this kind of rumor before. Another hoax that spread on Facebook in 2013 claimed to show a photo from inside an IKEA store with a swastika wall decoration.

It might seem like a bit of harmless fun but chain letters and social media posts that spread misinformation can and do cause damage.

We’ve seen countless hoaxes on Facebook, such as: unfounded rumors about the Talking Angela children’s app containing secret child predators; a viral post claiming Mark Zuckerberg is giving away his riches to regular folks who share the hoax with their friends; and another claiming that you need to copy, paste and share a post to protect your profile from changes in Facebook’s privacy policy.

Please don’t spread hoaxes, even for a laugh.

At best it’s spreading bad security and privacy advice, and at worst it thoughtlessly tarnishes the reputations of real people by casually associating them with deeply offensive things like Nazism or child abuse.

If you want to stay safe on social media and find out about more hoaxes like this one follow us on Facebook.


Image of IKEA sign courtesy of JuliusKielaitis / Shutterstock.com.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MnzUYyA0UiA/

‘Phantom’ menace threatens to down Xbox Live, PSN at Xmas

Last Christmas LizardSquad played Grinch with the holiday fun of gamers by knocking out Xbox Live and smacking the PlayStation Network offline with a distributed denial-of-service (DDoS) attack.

The traffic flooding exercise turned out to be a promo for a DDoS-for-hire cybercrime service. Arrests against both the hackers and their customers followed and LizardSquad has since dropped off the radar. Now, almost 12 months later, it looks like something similar may be about to happen.

The self-styled “Phantom Squad” crew is threatening to disrupt the PlayStation and Xbox Live networks through co-ordinated denial-of-service attacks over the festive season.

The hacker group has already claimed responsibility for recent outages at Xbox Live and at the social news site Reddit. The group’s stated aim is to show up the continuing lack of security defences on gaming networks rather than pure mischief or immediate profit. “PSN and Xbox Live… Companies that have millions of dollars… and don’t bother on working on security,” it said through its @PhantomSqaud Twitter account.

Running DDoS attacks can be done without any particular skill. Phantom Squad are at pains to deny the obvious accusation that they are attention-seeking s’kiddies. “We are Grey Hat Hackers. Not skids not fakes not wannabes,” Phantom Squad said.

Whether Phantom Squad will make good on the threats remains unclear. It’s also unknown if Xbox Live and PSN are much better prepared to defend their borders compared to last year. Either way, gamers and security watchers are taking the threat seriously.

Dave Larson, chief operating officer at DDoS mitigation firm Corero Network Security, commented: “These latest threats against the Xbox Live and PSN networks indicate something that we’ve known for a while; the online gaming industry – given its high-volume, highly transactional environment – relies on 24/7 accessibility and is significantly impacted when this can be intentionally compromised. Any downtime or interruption causes real financial and reputational impact. Last year, the largest online gaming platforms were brought to their knees during probably the most critical time of year, and it sounds like they are up against round two this holiday season.”

He added: “If these online gaming giants have, in fact, figured out how to effectively mitigate the attacks of 2014, they must remain vigilant, as DDoS is an evolving, multi-vector cyber-attack technique that cannot be stopped without automatic and real-time defences.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/17/hackers_threaten_xbox_live_psn/

Things we should regulate: Spyware cowboys – EU Data Protection Supervisor

The unregulated and growing market for spyware poses an increasing risk to privacy, an EU regulator warns.

Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), argues that the trade in covert monitoring technology is not covered by existing European legislation and now he’s calling for new policies to be formulated.

Left unregulated, the trade in commercial spyware threatens both privacy and data protection rights, he says.

Surveillance tools can be instruments for legitimate use by law enforcement, according to Buttarelli. However, they can also be used to circumvent security measures in communications and data processing for both businesses and consumers. Privacy concerns in the area are only going to grow as more and more devices are plugged into the Internet of Things.

The EDPS is calling (pdf) for a coordinated approach to tackle these risks. In many non-EU countries, the standards of data protection may be lower than those in Europe. This leaves EU citizens – for example journalists – vulnerable to potentially being monitored in non-EU countries.

The trade and use of surveillance software in the private sector must be regulated more closely since there is a lack of legal safeguards in many countries. The EU regulator defines dual-use spyware as technologies that can be used for both military and civilian (often commercial) purposes.

The EDPS says the complex challenges this poses for law enforcement agencies must not be an excuse for the disproportionate processing of personal data that these surveillance tools allow. Buttarelli asks that law enforcement agencies be more transparent and accountable in their use of such software so that the individual’s right to self-determination is not infringed.

Complying with data protection laws is as much an obligation as compliance with other relevant regulations such as export, according to Buttarelli. He adds that the legality of surveillance technologies is too frequently a grey area.

The fall of government in Egypt and Libya during the Arab Spring from 2010 onwards lifted the lid on the previously cloaked trade in commercial spyware to governments with poor human rights records.

This threw firms such as Gamma International into the spotlight. The later dump of data following a deep penetrating hack against Hacking Team only increased the level of scrutiny.

In response, the US government put forward amendments to the Wassenaar Arrangement, an export control treaty, to cover hacking tools. The proposed changes produced a swift backlash from security researchers warning that the rules were overly broad and would threaten to derail security research. The US has since promised a re-think.

Buttarelli wants to tighten up the regulation in this market and to clarify the criteria for legal trading, export and usage, for instance by security researchers.

The office of the EDPS describes itself as an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies, or more poetically, the European guardian of data protection. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/12/17/eu_regulator_spyware_alarm/