STE WILLIAMS

MoJ fined £140K for EMAILING privates of 1,000 inmates


A monumentally silly clerical error led to the personal details of all the prisoners serving at HMP Cardiff being emailed to three of the inmates’ families.

Data watchdogs at the Information Commissioner’s Office (ICO) have slapped a £140K fine on the Ministry of Justice over the serious data breach, which was only discovered after one of the recipients of the August 2011 mailout contacted the prison.


An email from the prison clerk about an upcoming visit had apparently included a file containing the inmates’ details. “The file included a spreadsheet containing sensitive information including the names, ethnicity, addresses, sentence length, release dates and coded details of the offences carried out by all of the prison’s 1,182 inmates,” the ICO reports.

An internal investigation discovered that the same massive slip-up had occurred TWICE before within the previous month, with details sent to different inmates’ families. Both of the previous incidents went unreported. Each of the three breaches arose because of the same mistake by the same untrained member of staff, an investigation (PDF) concluded.

A request for a booking had been made by a family member of an inmate. The clerk had intended to send him an email about the visit. In doing so, she accidentally “pasted” a text file containing the details of the inmates at the prison as an attachment to the email. The two prior incidents had occurred as a result of the same mistake, by the same clerk.

The police and a member of the prison’s staff were sent to the recipients’ home addresses following the incident to ensure the files had been deleted. The unauthorised disclosures were reported to the ICO in September 2011.

The ICO’s investigation blamed the problem on a “clear lack of management oversight at the prison, with the clerk working unsupervised despite only having worked at the prison for two months and having limited experience and training”. A lack of audit trails or other checks also meant that the disclosures would have gone unnoticed if they hadn’t been reported by one of the recipients.

The investigation also found fault in how prisoners’ records were handled, with unencrypted floppy disks regularly used to transfer large volumes of data between the prison’s two separate networks: Quantum (a secure and restricted network) and a less secure system used for booking visits.

The prisoner data is stored on a database which is held on a network system called Quantum. It is a secure accredited network system meeting HM Government IT standards for handling information up to a RESTRICTED marking, and access to it is strictly controlled.

There is a separate non-networked system, the biometrics system, used for booking and processing visits, and other security-related matters for prisoners. The two systems are physically separate. There are daily transfers of data from the Quantum system to update the biometrics system, to facilitate visits and other prisoner movements.

The only way the information can be transferred from the Quantum system to the biometrics system is to carry out a ‘profile dump’ of all inmate details. The transfer is done at the start of each day by the booking clerk who locates the text file via Windows Explorer on the Quantum system and then, using the ‘copy and paste’ function, places the file on an unencrypted floppy disc.

ICO deputy commissioner and director of data protection, David Smith, said: “The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses.

“Fortunately it appears that the fall-out from this breach was contained, but we cannot ignore the fact that this breach was caused by a clear lack of management oversight of a relatively new member of staff. Furthermore the prison service failed to have procedures in place to spot the original mistakes.

“It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach,” he concluded.

The ICO fined the Ministry of Justice because the National Offender Management Service, which is responsible for commissioning and delivering prison and probation services across England and Wales, is an executive agency of the government department. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/22/inmate_detail_mailout_data_breach/

Google pulls all Android apps linked to adware badness THAT MUST NOT BE NAMED


Google has pulled multiple Android apps that relied on a popular mobile app library that posed a severe security risk.

The ad library, codenamed “Vulna” (or “Ad Vulna”) by FireEye, the net security firm that uncovered the threat, aggressively collects sensitive data as well as being able to perform dangerous operations such as phoning home to a command-and-control server before downloading and running secondary components on demand.


In the two weeks since the alarm about Vulna first went out, Google has removed numerous apps from Google Play that relied on the technology. It has also cancelled a number of Developer accounts, as a follow-up blog post on the issue by FireEye explains.

A number of these vulnaggressive apps and their developers’ accounts have been taken down from Google Play, including app developer Main Games Mobile, Itch Mania and Popadworld. The total number of downloads of these apps was more than six million before the take-down. Sadly, while removing these apps from Google Play prevents more people from being infected, the millions of devices that already downloaded them remain vulnerable.

Second, a number of apps from the list that we reported to Google and Ad Vulna have updated the ad library included in the app to the newest version, which fixes many of the security issues we found. Moreover, a number of other apps, such as Mr. Number Blocker with more than 5 million downloads, have simply removed the vulnaggressive ad library Ad Vulna. The total number of downloads of these apps before they were updated was more than 26 million. Unfortunately, many users do not update their downloaded apps often, and hence millions of users of these apps will still be vulnerable until they update to the latest version of the apps.

The move is welcome but fails to deal with the legacy problem of users who are still running older versions of apps that incorporate the dodgy Vulna code. According to the latest estimates from FireEye, apps that include other versions of the ad library account for more than 166 million downloads from Google Play.

Vulna is a codename and FireEye is yet to name the developer of the mobile ad library it argues created a new class of vulnerability for Android users. FireEye recently announced a cloud-based mobile threat prevention technology. The new product, FireEye Mobile Threat Prevention, based on virtual machine-based threat protection and targeted at securing the Android platform, is due to be generally available by the end of 2013. The launch of the product explains FireEye’s interest in Vulna.

Ad libraries in general present privacy risks such as collecting device identifiers (IMEI, IMSI, etc) and location information. But Vulna went far further than this, and its built-in functionality allowed it to collect highly sensitive information such as text messages, phone call history and contact lists. It can also perform dangerous operations such as executing dynamically downloaded code. All this functionality is controlled by remote servers.

Security shortcomings of the software include its use of unsecured HTTP for receiving commands and the dynamic loading of code from its control server. This means skilled hackers might be able to hijack the update process towards their own ends, something that might potentially be used to steal two-factor authentication tokens sent via SMS, or even turn the device into part of a mobile botnet, as previously reported in our earlier story about the threat.

FireEye notified both Google and the unnamed developer of the software. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/22/vulna_mobile_ad_threat_followup/

Generation Y Users Say They Will Break Corporate BYOD Rules

Most young employees are so dependent on their mobile devices that they are prepared to break any policy that restricts their use, according to a new study.

In a survey of 3,200 employees from Generation Y (ages 21 to 32), researchers at Fortinet found that 51 percent were prepared to contravene any policy banning the use of personal devices at work or for work purposes.

And this attitude is spreading to other technologies: Thirty-six percent of respondents using their own personal cloud storage accounts (e.g., Dropbox) for work purposes said they would break any rules brought in to stop them. On the subject of emerging technologies such as Google Glass and smartwatches, almost half (48 percent) would contravene any policy brought in to curb use of these at work.

Eighty-nine percent of the users surveyed have a personal account for at least one cloud storage service, with Dropbox accounting for 38 percent of the total sample, Fortinet says. Seventy percent of personal account holders have used their accounts for work purposes.

Twelve percent of this group admits to storing work passwords using these accounts, and 16 percent have stored financial information, the study says. Twenty-two percent of the respondents have stored critical private documents, such as contracts/business plans in their cloud accounts, while one-third (33 percent) have stored customer data.

Almost one-third (32 percent) of the cloud storage users sampled stated they fully trust the cloud for storing their personal data, with only 6 percent saying they don’t use cloud services because they don’t trust them.

When asked if their personal devices had ever been compromised, over 55 percent of respondents indicated that they had experienced an attack on personally owned PCs or laptops. About half of these respondents said the compromise had an impact on their productivity and/or they had experienced a loss of personal and/or corporate data. Attacks were far less frequent on smartphones and laptops (both 19 percent).

Fourteen percent of respondents said they would not tell an employer if a personal device they used for work purposes became compromised.

“It’s worrying to see policy contravention so high and so sharply on the rise, as well as the high instances of Generation Y users being victims of cybercrime,” said John Maddison, vice president of marketing at Fortinet. “On the positive side, however, 88 percent of the respondents accept that they have an obligation to understand the security risks posed by using their own devices. Educating employees on the threat landscape and its possible impact is another key aspect for ensuring an organization’s IT security.”


Article source: http://www.darkreading.com/management/generation-y-users-say-they-will-break-c/240162955

Facebook and Twitter musings give employers a peek into our real selves, research finds

A job interview is a difficult way to find out whether a job candidate will wind up doing a good job if he or she gets hired.

So how can companies better gauge the future performance of their hires?

Don Moore, an associate professor at the Haas School of Business at the University of California, Berkeley, suggests that structured interviews that provide quantifiable ratings, coupled with intelligence tests, can help to reduce the need to rely on unreliable gut instincts.

Then again, employers can always simply check out job candidates’ social media postings.

New research from the Department of Psychology at North Carolina State University examined whether job applicants’ personality characteristics can in fact be inferred through the content of their social media postings.

The study wasn’t designed to find out what character traits are related to negative behaviors.

Rather, it analyzed which characteristics are related to leaving traces of negative behavior in a public, online, social space, where people are less likely to keep a lid on their behavior.

The research focused on two types of postings cited by hiring managers as sending up red flags about applicants: bad-mouthing of superiors and peers, and postings concerning alcohol and drug use.

The research focused on what’s known in the field of psychology as the Big Five personality variables: openness to experience, conscientiousness, extraversion, agreeableness, and emotional stability.

The object of the research was to come up with evidence that can be used by researchers, applied psychologists and, yes, employers who might turn to social-networking employment screening.

Study participants self-reported their social media content as it related to photos and text-based references to alcohol and drug use, as well as to criticisms of superiors and peers (bad-mouthing).


The results were unsurprising and supported researchers’ hypotheses that predicted that disagreeable or non-conscientious people would be more likely to bad-mouth their peers and employers.

What do these terms mean? In psychology, “agreeable” people are generally characterized as being courteous, flexible, trusting, good-natured, cooperative, forgiving, soft-hearted, and tolerant.

Such people, the theory goes, are unlikely to be critical, cynical, or to hold disparaging viewpoints that prompt bad-mouthing.

“Conscientious” is defined in terms including careful, thorough, responsible, organized, systematic, deliberate, hardworking, self-disciplined, and persevering.

Such people would be expected to heed warnings about using social media inappropriately or in unprofessional ways, and prior research has shown that conscientious people tend to take a more guarded approach to Facebook postings than to flaunt their wild partying lives.

Extraverted people, meanwhile – those who tend to be sociable, gregarious, assertive, talkative, and active – were more likely to post about alcohol and drug use.

The research serves as a good reminder about how employers are diligently harvesting the fruits of our online behaviors to better assess whether they want to hire us or run screaming in the other direction.

We post plenty of online material to send them running, that’s for sure.

As I reported in September, 57% of college students think their Facebook postings are fine.

Too bad that 69% of recruiters report finding candidates whom they wouldn’t let step through the door, thanks to social media evidence of drinking, drugs, bad-mouthing previous employers, lying on their resumes or a host of other sins.

Keeping posts private is one way to avoid handing employers a reason to fire you or potential employers a reason to avoid hiring you in the first place.

That, actually, is tip number one on Sophos’s 5 tips to keep your Facebook account safer.

Then too, tip number one on Sophos’s follow-up list of even more Facebook tips is to stop search engines from indexing your profile.

Keeping things tucked down on Facebook and other social media spaces is a baseline way to attempt to maintain your privacy, but keep in mind that privacy isn’t legally guaranteed in all countries or in all US states.

Employers haven’t shied away from demanding that potential employees hand over their Facebook user name and password if they want to get a job.

Spied-on employees, understandably, don’t like the notion much, with 91% of Naked Security readers saying it should be illegal to ask for such data.

In the US, some state legislatures have moved to protect employees’ privacy.

From the site of the National Conference of State Legislatures, here’s a summary of current state legislation on laws regarding employer demands for social media passwords.

As of 12 September 2013, legislation preventing employers from requesting passwords to personal internet accounts to get or keep a job had been introduced or was pending in at least 36 states. Ten states – Arkansas, Colorado, Illinois, Nevada, New Jersey, New Mexico, Oregon, Utah, Vermont and Washington – had enacted legislation as of that date.

If you’d like to stay on top of who’s getting into trouble on Facebook and other security matters, think of plugging into Naked Security’s Facebook page.

Image of drunk guy courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XhHCkH8GG3c/

Doctors disabled wireless in Dick Cheney’s pacemaker to thwart hacking

Former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless capabilities to thwart possible assassination attempts, he said in an interview with CBS’s “60 Minutes” that aired on Sunday.

Cheney’s heart problems were bad: between 1978 and 2010, he suffered five heart attacks, underwent quadruple bypass surgery, and had a pump implanted directly to his heart. A defibrillator was implanted to regulate his heartbeat in 2007.

Cheney told his 60 Minutes interviewer, CNN Chief Medical Correspondent Dr. Sanjay Gupta, that at the time of the pacemaker implant, he was concerned about reports that attackers could hack the devices and kill their owners:

“I was aware of the danger, if you will, that existed.”

The TV show “Homeland” wasn’t even on the air yet, but a pacemaker assassination attempt was depicted at the end of last season.

Cheney found the assassination plot all too realistic, he said:

“I found [the depiction] credible because I knew from the experience that we had assessing the need for my own device that it was an accurate portrayal of what was possible.”

Cheney’s concerns were based on reality.

A year ago, the US Government Accountability Office (GAO), prodded by Congress, took the Food and Drug Administration (FDA) to task for ignoring the possibility that medical devices are susceptible to malware, unauthorized access and denial of service.

As the GAO’s report stated at the time, researchers had demonstrated the potential for incidents resulting from intentional threats in insulin pumps and implantable cardioverter defibrillators.

One example is the work done by the late Barnaby Jack.

In October 2011, Jack succeeded in overriding an insulin pump’s radio control and its vibrating alert safety feature, demonstrating the dumping of a potentially lethal dose of insulin without the pump alerting a wearer.

The FDA in June complied with the GAO’s marching orders, telling medical device makers and hospitals to strengthen security to prevent an intentional version of such hacking, unencrypted data transfer that can be manipulated or a host of other threat vectors.

Center for Internet Security President and CEO William F. Pelgrin told me that to date, there haven’t been any documented cases of successful attacks on mobile medical devices (other than those demonstrated in a research environment).

Nonetheless, he said, “the risk is real. Unsecured wireless devices are vulnerable to attack.”

Cheney’s revelation highlights the importance of protecting the devices, Pelgrin said.

In fact, these types of potential scenarios prompted the Center for Internet Security to launch a mobile medical device benchmark initiative earlier this year to develop solutions.

The resulting benchmarks will be recommended guidance for device makers, he said, focused on the detailed, step-by-step guidance of hardening a given device.

I asked Pelgrin why the effort to harden the devices has taken so long, and he remarked that the Center is actually getting ahead of the curve in proactively addressing these complex issues now, before a catastrophic event takes place.

Compare that with the auto or airline industries, for example, he said: in either industry, many accidents had to occur before changes were made to improve safety.

The changes certainly didn’t happen overnight, Pelgrin said:

What’s so encouraging to me in terms of mobile medical device security is that we are on the cusp of tremendous positive change, and we are doing it before accidents happen.

Besides, he said, when you’re dealing with mobile medical devices, availability is crucial. It’s one thing to hack a computer and knock it offline. That’s disruptive, but not necessarily fatal, he said.

But if a mobile medical device is hacked and unavailable – or altered – it can be “devastating”:

We must approach this process in a careful manner, with the input of many organizations and individuals, in order to develop security solutions without compromising the confidentiality, integrity and availability of the devices.

The Center is encouraging anyone who wants to join in the effort to contact them.

It plans on hosting a working session webinar later this month, with registration and further details available from the Center.

Image of Dick Cheney courtesy of CBS’s “60 Minutes”.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/r-4lzLjvjsA/

SSCC 120

Chinese hotel guests find data spaffed all over the internet


Chinese hotel-goers beware – newspaper reports from the Middle Kingdom claim that the personal details of thousands of guests from major hotel chains have been leaked online.

The personal information appeared in a page on e-commerce platform Taobao, where a seller offered 8GB of data for 2,000 yuan (£203), and on a website called chakaifang.info – both of which have now been blocked, according to the South China Morning Post.


Before it was taken down, Cha Kai Fang apparently allowed visitors to search for guest bookings across the country by name, address, telephone number, ID number and other sensitive info.

It’s suspected that the data may have been pilfered from Zhejiang-based CNWisdom, a firm which provides Wi-Fi access to hotel chains in China. The firm was apparently fingered by vulnerability data site WooYun a fortnight ago for having been breached by hackers.

However, it is denying any involvement, claiming that the data it stores is different to that which has appeared online recently.

Nevertheless, the company services over 4,500 hotels across China and, back in 2011, processed over 450,000 hotel rooms, capturing name, address, workplace, ID number, birth date and phone number just to register for Wi-Fi, SCMP said.

If nothing else, the breach scare illustrates once again why best practice advice is always for firms in such industries to collect and store as little customer information as possible, to reduce the risk of such data getting into the wrong hands.

In China, personal data theft is commonplace, often perpetrated by malicious insiders who sell that info on for profit.

However, the authorities have been trying to clamp down, with telecoms and internet service providers subject to new data protection rules as of 1 September this year.

In January, Beijing published guidelines similar to EU data protection rules promoting the idea of data minimisation and of gaining user consent before processing data.

However, according to law firm Pinsent Masons, laws in this area have been implemented in a confusing and inconsistent manner typical of China.

“It is to be welcomed that China is making strides to give Chinese citizens protection to their personal data, backed with the force of law,” said Pinsent Masons’ Kening Li back in August.

“It is somewhat frustrating that these laws are being issued in a fragmentary fashion, although this is normal practice in the PRC. As always with China regulation, it remains to be seen how these laws will be enforced – such as which companies will face enforcement action and the alacrity with which regulators will act, and whether or not with meaningful penalties against transgressors.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/22/china_hotel_data_breach_victims/

Web-email king Mail.ru gulps $15k fine, fights govt demand to slurp data


Internet email maestro Mail.ru is fighting the Russian government’s request for its customer data.

The web portal, social network and email service, which employs an estimated 3,000 people and is roughly comparable with Yahoo! in Russian language markets, was fined $15,000 (500,000 rubles) for refusing to hand customer records over to Russia’s financial regulators. The Federal Service for Financial Markets of Russia (which has since come under the authority of the Bank of Russia) wanted metadata about Mail.ru users’ contacts over a time period related to an ongoing investigation.


The web firm unsuccessfully argued, in contesting this order, that the Russian constitution protects private correspondence. Mail.ru was fined $15k, a relatively modest sum for a firm its size, over its stance. However, rather than let the matter lie there, it intends to contest the fine in court, East-West Digital News (a specialist site reporting on Russian digital industries) claims.

“Information about who the user is in correspondence with for a given period is considered confidential correspondence and is protected by Section 2, Article 23 of the Russian Constitution. The Mail.ru Group has no right to disclose this correspondence without a court order,” Mail.ru Group’s legal service, Anton Malginov, said in a statement (in Russian here).

There is a legal precedent for Mail.ru’s argument. The Federal Service for Financial Markets was found to be at fault by a Moscow court in July for fining Rambler Internet Holdings, a smaller Russian-language news portal and webmail service, in a similar case involving the protection of users’ constitutional rights to privacy in email correspondence, East-West Digital News reports.

Mail.ru’s stance in fighting for user privacy (the site is the fifth most visited in Russia, according to Alexa) contrasts with what’s perceived as the routine compliance of US net communication firms, such as Facebook and Yahoo!, with US government and law enforcement requests. However, it would be naive to think that Russia is a haven for email and web communications privacy. The spying agency FSB operates a net surveillance scheme called SORM-2 that’s every bit as aggressive as the NSA’s infamous PRISM programme. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/22/mailru_fights_rus_gov_data_requests/

Feds charge Vietnamese suspect with slurp’n’flog of half-a-million Americans’ ID data


A Vietnamese man has been charged in connection with a long-running scam involving the theft and resale of what the DoJ rather hiply refers to as the “fullz”* (personal information) of hundreds of thousands of Americans.

Hieu Minh Ngo, 24, a Vietnamese national, was hit with a total of 15 charges, including conspiracy to commit wire fraud, substantive wire fraud, conspiracy to commit identity fraud, substantive identity fraud, aggravated identity theft, conspiracy to commit access device fraud, and substantive access device fraud, according to a Department of Justice statement on the case.


From 2007 until 2012 Ngo, allegedly operating under the alias “hieupc”, conspired with others to sell “personal information packages” of more than 500,000 people, according to prosecutors.

Many of these sales were carried out on carding forums or cybercrime marketplaces operated by the suspects, claims the DoJ. Higher prices were charged for more recently updated information, while the illegal trades also involved stolen payment card data, the Feds said. Payments for the illicit info were made through a “digital currency service”.

Ngo was arrested upon his entry into the United States in February 2013. The charges, filed in November 2012, were unsealed on 18 October. The full indictment against Ngo can be found here (PDF).

Investigative blogger and cybercrime specialist Brian Krebs reports that the business was run through an underground service called Superget.info.

Krebs claims that cybercrooks posing as US-based private investigators bought the information which was later resold through Superget.info. Access was paid for via monthly wire transfers from Singapore, it is alleged. ®

* An individual’s “fullz”, according to a press release by the US Department of Justice, include their name, date of birth, social security number, bank account number and bank routing number.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/22/id_fraud_data_brokering_charges/

Unsupervised Brit kids are meeting STRANGERS from the INTERNET


Brit kids are engaged in risky behaviour online, including arranging meetings with people they meet on the internet and playing games intended for older age groups, according to a new study.

A survey of 1,162 primary school age children in the south east and Guernsey found that many were sharing personal information on the web – and 18 per cent had arranged to meet up with friends they’d made online.


Tim Wilson, the information security worker who carried out the survey for ISC2, told El Reg: “Young children seem to approach the real world and the virtual world very differently, and as a result, their perception of safety is skewed when spending time online.

“For parents, there is a strong call to action to ensure they are engaged in how their children use the internet. Bringing the family computer into the living room and having open conversations about potential online dangers will help them play a more active role in the relationships children are increasingly starting online.”

The ISC2 study found that 43 per cent of kids were going online every day and 46 per cent spent more than two hours on the net every time they went on. Just over a fifth of the children were using the web after 9pm at night and seven per cent were still online after midnight.

Mostly, kids were using the web to use social networks, watch videos and play games, including 18-rated games like Call of Duty Black Ops and Modern Warfare.

Although the majority of the 18 per cent of children who met online friends in real life took an adult or an older sibling along with them, a third said they just went along with their friends. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/22/brit_kid_internet_safety_survey/