STE WILLIAMS

ID Experts Rolls Out New Version Of RADAR

PORTLAND, Ore. — October 9, 2013 — Lost laptops and internal snafus happen. If they involve personal information of customers, employees or others, as they often do, organizations must act in accordance with Federal regulations and state data breach laws. Now that the HIPAA Omnibus Final Rule is in effect, healthcare organizations and their third parties are required to perform a risk assessment for every privacy and security incident that involves sensitive personal information.

The rise of data breaches in healthcare, combined with the highly scrutinized, regulatory environment, has forced the emergence of a new category: data incident management software. Organizations are turning to ID Experts’ software, RADAR, to document and simplify the entire data incident management process. RADAR is a leader in this space, with customer adoption up 242% in one year. RADAR 3.0 takes the “guess work” out of compliance, by performing incident-specific risk assessments and offering incident response guidance.

RADAR Meets Compliance with Changing Laws; Takes “Guess Work” Out of Risk Assessments

According to Gartner Inc., “A prerequisite to managing the regulatory risks and compliance costs is that the compliance manager must know which regulations apply in the first place. Yet, with new regulations and changes to current regulations proliferating rapidly, compliance professionals may question whether they are up-to-date on which regulations apply to their organizations.” [1]

“RADAR’s incident risk assessment engine provides consistency in how we evaluate all PHI incidents, as well as helps us to comply with the HIPAA Final Rule,” said Meredith R. Phillips, chief information privacy and security officer, Henry Ford Health System. “RADAR is an important part of our incident management program and it tracks any changes in federal and state breach laws, so that we can focus on protecting our patients and ensure compliance.”

RADAR™ 3.0 is for covered entities and insurance companies to better manage privacy and security incidents involving protected health information (PHI) and personally identifiable information (PII). RADAR provides incident risk assessment and response guidance to drive decision-making consistency that informs when an incident is a breach and what actions need to be taken. RADAR allows users to meet regulatory requirements imposed by the federal HIPAA Omnibus Final Rule and state data breach laws. More information about RADAR is available at http://www2.idexpertscorp.com/RADAR. RADAR 3.0 helps organizations and covered entities to:

Meet federal and state incident risk assessment and reporting requirements for data breaches.

Create consistency and efficiency during data incident risk assessment and documentation.

Stay organized by maintaining incident investigation, risk assessment, remediation and notification documentation in one secure location.

Track and report privacy program performance metrics including investigation and remediation measures.

Collaborate across the organization during incident assessment and allow decision-making based on users’ roles and responsibilities.

“Unlike general-purpose workflow and documentation software, such as case management and GRC systems that provide forms and regulatory libraries but no incident risk assessment analytics, RADAR delivers patent pending incident risk assessment to guide organizations through the decision-making process, to determine if an unauthorized disclosure of PHI/PII is a data breach and if action is required,” said Mahmood Sher-Jan, vice president, product management, at ID Experts. “RADAR handles all data incidents in a consistent way, taking the subjective element out.”

Best Practices Checklist for Covered Entities

Healthcare organizations must comply with the requirements outlined in the HIPAA Omnibus Final Rule. To help navigate, ID Experts developed a “playbook,” a free resource that offers best practices and guidance to manage business associates. For a free copy, visit http://www2.idexpertscorp.com/resources/BestPracticesChecklists/hipaa-final-omnibus-rule-playbook/.

About ID Experts

ID Experts delivers complete data breach care. The company’s solutions in data breach prevention, analysis and response are endorsed by the American Hospital Association, meet regulatory compliance and achieve the most positive outcomes for its customers. ID Experts is a leading advocate for privacy as a contributor to legislation, a corporate and active member in both the IAPP and HIMSS, a corporate member of HCCA and chairs the ANSI Identity Management Standards Panel PHI Project. For more information, join the LinkedIn All Things HITECH discussion at bit.ly/AllThingsHITECH or All Things Data Breach at http://linkd.in/TsbwgJ; follow ID Experts on Twitter @IDExperts; and visit http://www2.idexpertscorp.com/.

Article source: http://www.darkreading.com/privacy/id-experts-rolls-out-new-version-of-rada/240162729

Snapchat admits sharing images with US law enforcement

Users of the photo-sharing app Snapchat should not assume that their images are never shared with law enforcement.

On Monday, the company admitted in a blog post that it will, and already has, handed photos over to US law enforcement agencies:

Since May 2013, about a dozen of the search warrants we’ve received have resulted in us producing unopened snaps to law enforcement. That’s out of 350 million snaps sent every day.

The basic premise of Snapchat is that recipients of images (“snaps”) can only view those pictures for up to ten seconds before they are permanently deleted from the device on which they were received.

Given the short period of time that images are available to the recipient it might seem remarkable that they could be intercepted by third parties.

It is, however, entirely possible – Snapchat’s head of trust and safety, Micah Schaffer, explained in the blog post that forensic examination of a handset that has received a snap is not the only means by which investigators could gain access to photos.

Schaffer says that in some instances it is possible to grab the images from the servers before the recipient(s) open them. This can be achieved by using an in-house tool, subject to a valid request from investigators:

For example, there are times when we, like other electronic communication service providers, are permitted and sometimes compelled by law to access and disclose information.

For example if we receive a search warrant from law enforcement for the contents of snaps and those snaps are still on our servers, a federal law called the Electronic Communications Privacy Act (ECPA) obliges us to produce the snaps to the requesting law enforcement agency.

The blog posting also makes it clear that the US company may hold onto some snaps for longer periods of time. It would do this in cases where law enforcement was considering whether or not to make a formal request to access the images via the search warrant procedure.

The company’s ability to hold onto snaps and access them isn’t something that law abiding users of the service should be overly concerned about though.

Unlike some organisations where a great many people have access to sensitive data, Snapchat only allows two people to use the tool for manually retrieving snaps – Micah Schaffer and the company’s CTO and co-founder, Bobby Murphy.

Outside of the company’s control, things may be different though. If someone accesses an image under the 10 second rule then they may be able to save it for themselves.

Savvy users can take screenshots of their devices while the image is displayed, and apps such as Snaphack Pro circumvent the auto-destruction of previously viewed photos and allow users to post images directly to social media sites.

Given that Snapchat and its auto-deletion of images lends itself to “sexting”, knowledge of such apps may encourage users of the service to think twice before sending explicit images of their bits to their significant others.

While having sexy photos of yourself appear on social media sites may be incredibly embarrassing, having images of questionable legality may prove far more troublesome.

So, when using Snapchat, think very, very carefully indeed about what you are sending. If the content of your photo is private then keep it that way – don’t send it!

Image of selfie girl and surprised guy courtesy of Shutterstock

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Wl1R2pDara4/

Loathed wiggly-word CAPTCHAs morph into ‘fun’ click-‘n’-drag games


A UK startup is trying to make a game out of solving CAPTCHAs*, the ubiquitous but sometimes irritating challenges designed to make sure that a human, rather than a ‘bot, is registering for an online service.

CAPTCHAs typically oblige website visitors to type out distorted words presented in images to prove that they are human and not a computer bot. They are commonly found when buying tickets online, posting to forums or completing webmail sign-up forms.


Future Ad Labs’ interactive advertising format, PlayCaptcha, aims to turn completing CAPTCHAs into a game. The technology launched last week with two initial partners, Heinz and Reckitt Benckiser.

The PlayCaptcha for Heinz invites visitors to pour a virtual bottle of Salad Cream onto a sandwich, instead of being forced to decipher hard-to-read text. For Reckitt Benckiser, Future Ad Labs has developed a PlayCaptcha that persuades visitors to clean a virtual dirty penny by dragging it into a bowl of Cillit Bang.

The challenge takes the place of banner ads for Heinz or the like on third-party sites while also serving as a test to differentiate between bots and humans for website signups.

A demo showing a Heinz sauce-themed CAPTCHA on a Marketing Week sign-up page can be seen here.

Future Ad Labs’ PR agency offered to arrange a similar mock-up for El Reg (feeding Reg the Vulture a tasty morsel of raw BOFH? – Sub-ed) but we declined, since the Marketing Week example illustrates the basic point of how the technology would work in practice just as well.

Future Ad Labs’ technology is built for both mobile and tablets and in either case is capable of being solved by touch alone.

Over the years many weird and wonderful alternatives to the unloved mangled-text CAPTCHA have been tried, ranging from videos, politically correct Voight-Kampff style questions to calculus-based CAPTCHAs. Google’s reCAPTCHA at least serves some useful purpose of helping to digitize books.

None of the approaches stops spammers signing up for online services, they simply use sweatshops in India to defeat the puzzle. PlayCaptcha might be defeated in just the same way but at least it’s less annoying than mangled text. Its developers claim the technology offers a way of commercialising the signup process.

“For both Heinz and Cillit Bang, PlayCaptcha delivers engagement rates many times higher than traditional digital advertisement formats, while providing a better user experience for web page visitors,” according to Future Ad Labs’ promotional blurb.

“PlayCaptcha will also have a positive impact on the brand-publisher relationship because it provides the opportunity to generate revenue for the advertiser through the CAPTCHA process, which until now has been an unmonetisable part of every website,” it adds.

The London-based start-up reckons 300 million CAPTCHAs are completed daily, something it equates to 150,000 human hours wasted every 24 hours. Making a bad problem worse, one in four attempts at completing a CAPTCHA fail – a figure that (although we weren’t able to independently verify it) sounds about right.

“By utilising a creative solution that avoids the negative experience of CAPTCHAs, consumers can immerse themselves in the brand without interrupting their online experience, which helps build brand awareness,” explained Howard Kingston, chief exec and co-founder of Future Ad Labs.

Kingston claimed that PlayCaptchas are “just as secure at verifying humans as wiggly words that you can’t even read” during a video pitch for the technology, shown below. ®

Promo video by Future Ad Labs to promote their CAPTCHA technology

* Completely Automated Public Turing test to tell Computers and Humans Apart


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/16/gamified_captcha_playcaptcha/

Oracle drops shedload of CRITICAL vuln-busting Java patches


Oracle’s autumn batch of quarterly updates included no fewer than 127 security fixes, including 51 for Java alone.

The arrival of the Critical Patch Update (CPU) from Oracle means pretty much all of the enterprise server packages from the software giant need patching.


Oracle Database Server, Oracle E-Business Suite, Oracle PeopleSoft Products, Oracle Siebel CRM, Oracle and Sun Systems Products Suite, Oracle Virtualization and Oracle MySQL all need security fixes for one reason or another. Many of the patched vulns allow attackers to gain remote unauthenticated access to marks’ networks.

The October update marks the first occasion Oracle has patched Java on the same quarterly cycle as other products, a move that makes sense and is arguably overdue – Java updates previously arrived on a four month cycle.

The numerous Java updates are the most serious and pressing of the whole batch, according to security experts.

“The update addresses 51 vulnerabilities, with 12 vulnerabilities having the highest CVSSv2 score of 10, indicating that these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication,” warns Wolfgang Kandek, CTO at cloud security firm Qualys in a blog post.

“The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments,” adds Kandek, “with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830. The new version is Java 7 update 45, and you should update as quickly as possible on your desktop and laptop machines.”

Ross Barrett, senior manager of security engineering at vuln management biz Rapid7, said: “Aside from Java, it’s mostly ho-hum, low impact stuff. There’s a CVSS 8.5 vulnerability in MySQL’s Enterprise Service manager, but besides the Java patches, nothing else jumps out as particularly interesting.”

Chester Wisniewski, a senior security advisor at Sophos Canada, notes that some of the Java updates rely on operating system vendor support rather than auto-updates, a factor that further complicates the update process.

“[The] 51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser,” Wisniewski explains. “Worse yet, all but one are remotely exploitable without authentication.”

Wisniewski repeats what’s become standard advice from security vendors: Java can be useful elsewhere but it doesn’t belong in the browser, where it presents by far the greatest security risk.

“If you don’t need Java, get rid of it. Java can be useful for applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn’t belong in your browser,” Wisniewski writes. “If you’re not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions.”

Kandek concurs with the advice that patching Java, moving to the latest version 7 where possible, ought to be the first order of business. Internet-facing servers and databases also need patching sooner rather than later, he adds.

“We recommend working in the following sequence: Java first, as it is the most attacked software in this release, then vulnerabilities on services that are exposed to the Internet, such as Weblogic, HTTP and others. Hopefully your databases are not directly exposed to the Internet, which should give you more time to bring them to the latest patch levels,” Kandek advises. ®
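A small triage script for the first step in Kandek’s sequence, added here as an example (it is not code from the article, Oracle or Qualys): it parses the banner lines that `java -version` prints, flags Java 7 installs below Update 45 and Java 6-or-older installs that should move to version 7 where possible, and groups hosts so the Java fixes are worked first. The hostnames and banners in the inventory are constructed; on a real fleet they come from `java -version`, which prints to stderr.

```python
"""Triage `java -version` banners against the fixed release the article names (Java 7u45).

Added example, not code from the Register article, Oracle or Qualys. The inventory
below is constructed; `java -version` writes its banner to stderr, so collect it with
`java -version 2>&1` when gathering it for real.
"""
import re

FIXED_MAJOR, FIXED_UPDATE = 7, 45  # Java 7 Update 45, the version Kandek says to move to

# Legacy Java version format: 1.<major>.<minor>_<update>, optionally followed by a
# build tag such as -b18, all inside the quotes on the first banner line.
_BANNER_RE = re.compile(
    r'java version "1\.(?P<major>\d+)\.\d+(?:_(?P<update>\d+))?[^"]*"'
)


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if it is not one."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    update = int(m.group("update")) if m.group("update") else 0
    return int(m.group("major")), update


def classify(banner):
    """Map a banner to an action, following the article's advice: patch Java 7 to u45,
    and move older majors to version 7 where possible."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"          # no Java found, or a format this parser does not handle
    major, update = parsed
    if major < FIXED_MAJOR:
        return "upgrade-to-7"     # Java 6 or earlier: not covered by the 7u45 check
    if major == FIXED_MAJOR and update < FIXED_UPDATE:
        return "patch-to-7u45"
    return "ok"


def triage(inventory):
    """Group (host, banner) pairs by action, worst first, so Java is patched before the
    rest of the Critical Patch Update is worked through."""
    order = ("patch-to-7u45", "upgrade-to-7", "unknown", "ok")
    groups = {status: [] for status in order}
    for host, banner in inventory:
        groups[classify(banner)].append(host)
    return groups


# Constructed sample inventory (hostnames and banners are made up for the example).
INVENTORY = [
    ("ws-01", 'java version "1.7.0_45"'),
    ("ws-02", 'java version "1.7.0_25"'),
    ("ws-03", 'java version "1.6.0_37"'),
    ("srv-04", 'java version "1.7.0_40"'),
    ("srv-05", "bash: java: command not found"),
]

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:14} {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket need a manual look: a missing `java` binary on the path does not mean there is no JRE bundled with an application or a browser plugin, which is exactly the installation Wisniewski says to remove or disable.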


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/16/oracle_quarterly_patch_batch/

Mac fans: You don’t need Windows to get ripped off in tech support scams


“I’ll just [tap, tap, runs a ping command] see if you have any antivirus protection. See, all the requests timed out. That is why your computer is working so slow.”

These were the words of a “technician” caught on video trying to convince a Mac user to hand over some cash for his “help”.


Convincing PC users that they have a non-existent problem with their computers in order to coax them into handing over their hard-earned cash for useless remote diagnostic and cleanup services has been a popular scam for years.

Victims are often encouraged to sign up to multi-year support contracts costing hundreds of dollars for worthless services. But despite enforcement actions taken by consumer groups such as the Federal Trade Commission, there’s no sign that these scams are slowing down.

If anything they seem to be growing and diversifying.

According to a Malwarebytes post, a company called Speak Support, which offers “Mac® Techical Support” (sic) is one of the culprits. The researchers say the firm is misusing the ping command to convince a victim that he or she has no protective software installed.

It achieves this by running ping against a site called protection.com, whose servers do not answer ICMP echo requests, so every request times out. The site’s owners have no connection at all with the attempted scam; security researchers at Malwarebytes say the fraudsters chose the host simply because it had disabled its response to ping. A remote host ignoring ping says nothing about the machine sending the requests, let alone about whether any security software is installed on it.

However the resulting error message is used to persuade marks that they have a serious problem with their Apple Macs.

Although Speak Support claims it is based in New Jersey, US, the registrant records for both speaksupport.com and an associated site (121usa.com) show that the firm is based in India, says Malwarebytes.

Jerome Segura of Malwarebytes has put together a blog post explaining how the Mac support scam works in greater depth here.

Malwarebytes’ interaction with Speak Support is recorded (for quality-assurance purposes, as they say) in a video posted on YouTube (below). Isolated cases of tech support scams have been noted before, such as this example from 2011, but Malwarebytes has come up with the most detailed explanation of such a scheme in action we’ve seen recorded to date.

We wanted to get Speak Support’s response to these accusations but the firm has thus far failed to reply to our request to speak sent via its web form, despite promises to respond to queries within seven hours. We’ve had no joy in our attempt to reach its marketing team via a request through its official Twitter account either.

A research paper – My PC has 32,539 errors: how telephone support scams really work – by David Harley of Eset, Martijn Grooten of Virus Bulletin, Steve Burn of Malwarebytes, and independent researcher Craig Johnston gives a comprehensive lowdown on how Windows users have been targeted by similar scams over the last five years or so.

Over time, cold-calling support scams have evolved from “Microsoft told us you have a virus” gambits to more technically sophisticated hooks such as deliberate misinterpretation of output from system utilities such as Event Viewer as explained in the whitepaper (PDF, DNS hijack attack).

A top-notch help and resource page from Malwarebytes on how to deal with technical support scams, the various tricks used in the short con and how victims can best extricate themselves from any mess can be found here.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/16/mac_cold_call_support_scam/

4 free tools for Cyber Security Awareness Month – and beyond!

Regular readers of Naked Security will know that we aren’t terribly prone to commercialism.

We don’t think we need to be.

The brand we represent is pretty obvious, what with the domain name nakedsecurity.​sophos.​com and the corporate logo on every page, where we say, “Award-winning news, opinion, advice and research from SOPHOS.”

Nevertheless, we’d like to use this article to offer you some free Sophos stuff.

Here’s why we’ve decided to do this right now:

  1. It’s half way through National Cyber Security Awareness Month.
  2. We’ve been urging you to DO THESE 3 things, including making sure you seek out and get rid of any malware lurking on your computer.
  3. As a result, numerous people, from readers to journalists, have been asking, “Where would you suggest that I start?”
  4. We’ve been encouraging techies who act as unofficial home IT support to help their friends and family with item (2).
  5. They’ve been asking, “Where would you suggest that I start?”

So here is a brief and, we trust, unpushy list of four free tools you can find on our website.

Sophos Virus Removal Tool

This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.

It does its job without requiring you to uninstall your incumbent product first. (Removing your main anti-virus just when you are concerned about infection is risky in its own right.)

Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.


Sophos Anti-Virus for Mac Home Edition

Yes, Macs get viruses too.

And even if you never see a virus that directly attacks your Mac, the chances are good that you’ll encounter malware from your Windows-using friends (or even from your own Windows partition, if you dual-boot your Mac).

Sophos for Mac stops threats for Windows and Mac alike, protecting you and those you share files with.

Choose from blocking viruses in real time (on-access protection), scanning at scheduled times, or running a check whenever you want.


Sophos Mobile Security for Android

Our Sophos Mobile Security app protects your Android device without reducing performance or battery life.

Using up-to-the-minute threat data from SophosLabs, we automatically scan apps as you install them.

As well as malware protection, you’ll also get: loss and theft protection with remote lock and wipe, a security advisor to alert you if you inadvertently activate risky configuration settings, and a privacy advisor to help you decide whether an app is asking for permission to do too much.


Sophos UTM Home Edition

You’ll need a spare computer to install it on, and you’ll probably want to get your unofficial home support techie to set it up for you, but if you do, you’ll have our award winning network security device for businesses, 100% free for home use.

That includes all the Sophos UTM features: email scanning, web filtering, a VPN, web application security, and everything you need to keep up to 50 devices on your home network secure.

If you live in a shared house, or you have children to look out for online, this could be just the product you need.

Better yet, you get 12 free licences for Sophos Anti-Virus for Windows that you can install and manage throughout your household, right from the UTM web console.


You can get any or all of these tools free of charge from our website.

Only the UTM requires registration – we need an email address so we can send you a licence key. For the others, we don’t even ask who you are.

So, if you’ve been thinking, “I really ought to get more serious about cybersecurity,” just remember that there’s no time like the present.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/U4l9UR5apdw/

Lavabit reopens for brief window to let users get at their data

Lavabit, formerly the encrypted-email provider for NSA secret-leaker Edward Snowden, has reopened for a brief window of time to let its users get at their data.

Lavabit founder Ladar Levison on Monday posted a brief message saying that the first step would be to enable users to change their password during a 72-hour period that started on Monday at 7:00 pm Central time (Greenwich Mean Time [GMT] -5).

Lavabit said that the password-change step was created “due to recent events in the news that have led people to believe that their account information may have been compromised.”

Any users who are concerned that their account information has been compromised will be able to change their account password on a website with a newly secured SSL key.

(Note that the URL Lavabit provided, http://liberty.lavabit.com, doesn’t work in some browsers, bringing up a blank page. This can be fixed by switching to HTTPS: https://liberty.lavabit.com.)

Following the 72-hour window to change passwords, starting on 17 October, the site will then enable users to access email archives and personal account data.

Lavabit abruptly shut down in August amidst legal wranglings that a gag order kept it from disclosing.

Levison said in a statement at the time that it had come down to a decision: either “become complicit in crimes against the American people” or “walk away from nearly ten years of hard work by shutting down Lavabit.”

(As it turned out, Lavabit did, in fact, hand over its crypto keys to the US government – printed in a near-microscopic 4-point font.)

Sister encrypted email service Silent Circle quickly followed suit, silencing email in anticipation of the US government getting its hands on the metadata inevitably associated with email.

Lavabit now says that it’s moving to open the data access window to its users because its abrupt closure – done to protect its users’ privacy – left users without a way to access their sensitive data.

That includes the founder himself, who said in the message posted on Monday that he’s feeling the same pain as his email-less users:

I’m in the same boat as them. I used my Lavabit email account for 10 years. It was my only email account.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jPrft3-aKT4/

5 tips for hiring security-savvy IT professionals

October is National Cyber Security Awareness Month and this week’s focus is on hiring a cyber workforce – so just how do you make sure your new IT recruits are security-aware?

As an IT Security Manager at Sophos, I’ve been hiring for five years. Here are my tips to winnow away the chaff and discover what your candidate really knows about security.

Always check the basics

Anyone working in IT absolutely must have a basic knowledge of the major threats. Everyone in an IT department is likely to be called upon to offer general IT advice at some point. If the question is “what should I do with this strange email I’ve just received?”, you need to be sure everyone will give the right answer.

A lack of basic knowledge should also raise alarm bells about other potential critical skill deficiencies.

Look for an interest

If you’re reading a blog about computer security you obviously have an interest in the subject. Although not everyone will share this interest, it’s reasonable to expect anyone who has picked a career in Information Technology has at least a passing interest in the big infosec stories.

Demonstrating knowledge of Anonymous, Lulzsec, WikiLeaks or the Snowden revelations, for example, should give you some confidence that a candidate will proactively keep their knowledge up to date.

Prepare relevant technical questions

Technical professionals should also be expected to be able to go into some detail on security issues relating to their expertise. For instance, any web developer should have a grasp of all the threats in the OWASP Top 10.

Do a little research prior to an interview on your main technology’s common attack vectors and security record so that you can check a candidate is suitably conversant in the area.

Open-ended tests and scenarios can really help you understand the breadth and depth of a candidate’s knowledge so look for ways to get them talking, talking, and talking some more.

Consider asking candidates to stand at a whiteboard with a realistic system architecture and have them talk you through it, identifying as many attack vectors and protection strategies as they can. This technique can be particularly effective at identifying gaps in knowledge.

You might also want to test your interviewees with a recent real-world problem your team has had to deal with. As far as possible give them the same information that your team had access to and let them run with it. You can learn a lot from watching how a candidate thinks about your problem, how long they take, how thoroughly and how clearly they answer and, of course, you can compare it directly with your own team’s performance.

Look for the right thought processes

Sometimes you may be hiring someone with an understanding that they will be learning the technology on the job. In these cases they are unlikely to have technology-specific security knowledge. You may wish instead to check how they think about problems.

Look for an understanding of trust and where it is inappropriate. For example, ask them about the dangers of an application which lets users run their own raw SQL queries or scripts. It may sound simple but you’ll be surprised how often an inexperienced person just doesn’t consider the possibility of a malicious user.

Remember that anyone other than a junior candidate should be able to talk you through their thought processes on things they have actually done, not just what they would do. Question them about the previous projects they have worked on and ask questions that help you discover evidence of them showing the right thought process in a real-world situation.

Be prepared for post-hire training

Not everyone can be an expert. You may find some talented individuals have surprising gaps in their knowledge. The hiring process should be used to help identify these gaps and ensure they are filled in as quickly as possible. Make sure your interview notes feed into a training plan or the individual’s personal goals.

Hopefully these five tips will help you when you’re looking to hire security-savvy IT professionals. If you have any other suggestions for fellow IT managers, please leave them in the comments below.

And if you’re interested in reading other stories related to National Cyber Security Awareness Month, take a look at 3 essential security tasks you can do for your family today, 10 tips for securing your smartphone and our 10 topical security tales.

Image of professionals on a bench courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7zbBncS__8I/

Android security relies on ZOMBIE CRYPTO, argues infosec pundit


A German researcher is asking why Google is using RC4-MD5, a cipher suite that pairs the “horribly broken” RC4 stream cipher with the MD5 hash, as Android’s first default for SSL/TLS connections.

The change, he notes in this blog post, has gone unnoticed since December 2010, when the Android 2.3 release swapped from a default preference for the AES256-SHA1 cipher suite (followed by 3DES and AES128) to RC4-MD5 and RC4-SHA1 as its first and second preference.


For those unfamiliar with encryption implementations: an SSL/TLS client and server can each support many cipher suites, and the two sides have to agree on one during the handshake*. The client sends its supported suites, in order of preference, in its opening message; the server picks one it also supports, and many servers simply take the first suite on the client’s list that they recognise. That is why the order of the list matters: if a weak suite sits at the top, it is the one that will usually be negotiated.

As the researcher, Georg Lukas, notes, exploits based on MD5 collisions have been known for years. One point worth adding for the practically minded: in a TLS cipher suite MD5 is used inside an HMAC for record integrity, which collision attacks do not directly break; the more pressing weakness of RC4-MD5 is RC4 itself, whose keystream biases had already been turned into plaintext-recovery attacks on TLS earlier in 2013.

The guilty party, he asserts, isn’t the Android development team but Java’s developers, and in a demonstration of how long a zombie decision can keep shambling around calling “braaains!”, the ordering traces back to an implementation recommendation first made in 2002.

As Lukas notes: “So what the fine Google engineers did to reduce our security was merely to copy what was [in the Reference Implementation], defined by the inventors of Java!

“In the Java reference implementation, the code responsible for creating the cipher list is split into two files. First, a priority-ordered set of ciphers is constructed in the CipherSuite class,” he writes. “Then, all enabled ciphers with sufficient priority are added to the list for CipherSuiteList.getDefault(). The cipher list has not experienced relevant changes since the initial import of Java 6 into Hg, when the OpenJDK was brought to life.”

Finally: “The cipher order on the vast majority of Android devices was defined by Sun in 2002 and taken over into the Android project in 2010 as an attempt to improve compatibility. RC4 is considered problematic since 2001 (remember WEP?), MD5 was broken in 2009.” ®

*Bootnote: For the sake of simplicity, the author didn’t digress to present a full cryptography primer. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/16/zombie_cipher_list_gives_android_weak_encryption/

NORKS cyber mayhem cost South Korea £500 MEEELLION


North Korea’s supposed 3,000-strong army of highly trained hackers has caused financial damage to its southern neighbour amounting to over £500 million over the past four years, according to a South Korean lawmaker.

Citing figures provided by the defence ministry’s cyber warfare unit, Chung Hee-soo of the ruling Saenuri Party told parliament that NORKS’ attacks on South Korea in March and on the anniversary of the Korean war in June this year were the most serious, causing 800bn won in damage (£470m), according to Yonhap.

A DDoS attack on 7 July 2009 came next on the list, apparently causing 50bn won’s (£29m) worth of damage.

Pyongyang has always dismissed such claims as South Korean mischief-making, but the evidence is mounting that the hermit state has been waging an extensive online battle against its neighbour to the south, disrupting and defacing websites and stealing personal and military information.

Chung said that since 2010 the South Korean military had been targeted by 6,392 online attacks.

The “Dark Seoul” attack of March 2013 which affected some 48,000 machines and caused major disruption to several banks and TV broadcasters was traced back to six computers in North Korea.

Most recently, researchers at Kaspersky Lab unearthed a highly targeted APT attack, labelled “Kimsuky”, on several key South Korean thinktanks. The attack was traced back to several IP addresses just over the North Korean border in China’s Jilin and Liaoning provinces.

Chung, who’s a member of the parliamentary defence committee, told parliament that the Seoul government has only 400 staff tasked with cyber operations, as opposed to 3,000 working for Kim Jong-un.

Whether those figures are entirely accurate remains to be seen, especially on the NORKS side. It’s also notoriously difficult to quantify the financial impact of cyber attacks.

Chung nonetheless believes that Seoul should be stepping up its efforts to mitigate the risk of attack, even though a plan to train an additional 5,000 information-security experts was announced in July.

“We are seriously lacking in the necessary budget and professional staff,” she said. “The establishment of a cyber command center with defence capabilities against North Korea’s cyber attacks and electromagnetic bombs is also being delayed.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/16/north_korea_attacks_cost_south_800_million/