Category Archives for "Network World Security"

OPM breach: 4.5 million more individuals open to future fingerprint abuse

Now the federal Office of Personnel Management says the number of individuals whose fingerprints were stolen is 5.6 million – up from 1.1 million – and that they can look forward to having those prints misused as criminals get better at exploiting them. OPM says, “an interagency working group with expertise in this area … will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.”

Thousands of iOS apps infected by XcodeGhost

The impact of iOS app developers unknowingly using a rogue version of the Xcode development tool is turning out to be greater than initially thought: early reports listed just 39 apps that had been trojanized with the tool, but security researchers have since identified thousands more. On Friday, security research firm Palo Alto Networks reported that 39 apps found in the App Store had been compromised after their developers -- most of them located in China -- used a rogue version of Xcode that had been distributed on forums. Xcode is a development tool for iOS and OS X apps provided by Apple.

Cisco said to plan China partnership to boost market access

Following in the footsteps of other U.S. companies such as Hewlett-Packard and Intel, Cisco Systems is planning to tie up with a Chinese partner for joint development and better access to the local market, according to a newspaper report. The networking equipment company is planning to announce a partnership with server maker Inspur Group during Chinese President Xi Jinping's visit to Seattle on Wednesday, The Wall Street Journal reported on Tuesday. Cisco on Tuesday declined to comment on rumors related to any specific announcements or companies. Company spokesman Nigel Glennie said the company is optimistic about the opportunities for its China team, and is open to local partnerships playing a role in its future strategy. The company has done business in China for over 20 years and has learned the importance of having the right relationships, he added.

HP adds protection against firmware attacks to enterprise printers

Researchers have been demonstrating attacks against printers for years. Now, Hewlett-Packard has started building defenses directly into its printers' firmware instead of just patching individual vulnerabilities. The company's new M506, M527 and M577 series of LaserJet Enterprise printers, set to go on sale in October and November, will have built-in detection for unauthorized BIOS and firmware modifications. HP refers to this capability as "self-healing security," but it's actually a set of code integrity checking mechanisms that security researchers have asked embedded systems manufacturers to implement for years. One of the new features, called HP Sure Start, validates the integrity of the BIOS code at boot time; if any modification is detected, it reboots the device and loads a clean copy. This is based on a similar feature that HP's Elite line of PCs has had since 2013.

CIA details agency’s new digital and cyber espionage focus

It seems like it might be about 10 years too late to the party, but come October 1, the Central Intelligence Agency will add a new directorate that will focus on all things cyber and digital espionage. CIA Deputy Director David Cohen told a Cornell University audience last week that once the new Directorate of Digital Innovation (DDI) is up and running, “it will be at the center of the Agency’s effort to inject digital solutions into every aspect of our work. It will be responsible for accelerating the integration of our digital and cyber capabilities across all our mission areas—human intelligence collection, all-source analysis, open source intelligence, and covert action.”

Chip card reality check: Oct. 1 deadline termed a ‘soft incentive’

Despite an Oct. 1 deadline for U.S. merchants to accept secure chip-enabled credit and debit cards, experts believe it will take years for the conversion. "Realistically, we should expect the adoption of chip cards in the U.S. to take a few years," said Avivah Litan, an analyst at Gartner who has been following the conversion for a decade, in an interview this week. Oct. 1 is the deadline for merchants to begin using newer point-of-sale terminals to accept chip cards. Meanwhile, banks are steadily sending chip cards to millions of customers as replacements for magnetic stripe cards. Chip cards are more secure than the older technology, and the U.S. is one of the last countries to make the conversion.

Hack iOS 9 and get $1 million, cybersecurity firm says

The market for unpatched vulnerabilities has grown so much that an exploit reseller is willing to pay US$1 million for an attack that can compromise iOS 9 devices. Zerodium, an exploit acquisition company, promises to pay $1 million to researchers who can provide it with an "exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices." In the context of iOS devices, jailbreaking refers to bypassing the security restrictions enforced by the mobile operating system in order to install applications that haven't been authorized by Apple and are not distributed through the official app store.

US, China appear close on cyber economic espionage deal

China and the U.S. appear close to a ground-breaking agreement on cyber espionage that could be signed later this week when President Xi and President Obama meet in Washington. On the eve of the state visit, both countries have expressed a desire to stop cyber espionage for economic gain and agreed it's illegal. But the two countries are still in disagreement over whether China's government plays any part in trans-national cyber hacking for economic purposes. On Monday, U.S. National Security Advisor Susan Rice said "cyber-enabled economic espionage must stop." During a speech in Washington, D.C., she said the issue was more than an irritation and "puts enormous strain on our bilateral relationship and it is a critical factor in determining the future trajectory of U.S.-China ties."

Samsung teams with Sectra to secure mobile phones for governments

Sectra Communications is working with Samsung Electronics to integrate its Tiger/R end-to-end hardware encryption system with the phone maker's Knox mobile security platform to create smartphones secure enough to carry government secrets. The market is a lucrative one: another company, Secusmart, has won over several government organizations in recent years with a BlackBerry smartphone equipped with a microSD encryption module. The combination, costing around €2,000 (US$2,250), is approved by the German government to carry Restricted-level voice and data traffic. Restricted is one of the lowest ratings for government secrets. Sectra and Secusmart both use additional hardware in the form of a microSD card to assist in the encryption process and to protect encryption keys. While Secusmart's system will encrypt calls and data stored on the phone, Sectra's encrypts only voice traffic and text messages.

India withdraws draft encryption policy following controversy

The Indian government has withdrawn a controversial draft encryption policy, with a minister stating that the document was not the final view of the government. Under the policy, consumers would have been required to store the plaintext of encrypted information for 90 days from the date of a transaction and provide it to law enforcement agencies when required under the laws of the country. The government would also have specified the algorithms and the length of the encryption keys used by different categories of people. The policy was largely seen as meeting the need for access to information by law enforcement agencies, and included similar restrictions on business users as well. It also called for Internet service providers to enter into unspecified agreements with the government.

Twistlock

Twistlock is the first security suite that focuses on vulnerability management and policy enforcement for containers (i.e. Docker, runc, rkt) and container host environments. Twistlock provides tools and analytics that make it easier for developers, infrastructure teams, and security professionals to deploy and run containers securely. Here with more is CTO John Morello.

US Congress members urged to communicate using encrypted apps

Congress members and staff are being urged by a civil rights group to use encrypted smartphone apps such as WhatsApp and Signal rather than traditional cellular networks. Unlike cellular networks, which use weak and outdated encryption, some of the newer apps use strong and modern encryption to protect their customers' communications, the American Civil Liberties Union wrote in a letter Tuesday to officials in the U.S. Senate and House of Representatives. The move is not going to cost a lot. Many members of Congress already have smartphones, and apps like Signal and WhatsApp are free and can be easily downloaded from app stores. Besides, Apple’s FaceTime and iMessage apps are already built into Apple’s iOS mobile operating system and thus are available to every member or staffer with an iPhone, according to the ACLU's letter to Frank J. Larkin, Senate Sergeant at Arms, and Paul D. Irving, House Sergeant at Arms.

US legislation requiring tech industry to report terrorist activity dropped

The U.S. Senate Intelligence Committee has dropped a provision that would have required Internet companies to report on vaguely defined terrorist activity on their platforms, a move that was strongly opposed by the industry and civil rights groups. The controversial section 603 was included in the Intelligence Authorization Act for Fiscal Year 2016, but Senator Ron Wyden, a Democrat from Oregon, had put a hold on the bill, stating that he wanted to work with colleagues to revise or remove the provision so that the rest of the bill could move forward. On Monday, Wyden said that the "vague & dangerous" provision had been removed from the bill and he would now be lifting the hold on it.

Volkswagen has a technology problem: It fixes things by hiding them

Volkswagen is in a lot of trouble for installing software on some of its diesel cars that figures out when they are undergoing emissions tests so it can adjust the cars to put out nitrogen oxide at acceptable levels. That’s likely to cost the company billions of dollars in fines, but it’s not the first time the company has hidden problems rather than fix them. Just last month, security researchers delivered a paper that showed three ways to get around the Volkswagen immobilizer system that prevents its cars from being started unless the correct key with the correct chip embedded is used to crank them over. The paper was noteworthy for the ingenuity of the three attacks it outlines, but also for the length of time it sat on the shelf before being delivered to the public. It was ready to go back in 2013, but Volkswagen got a court order to block it then, and that was nearly a year after the researchers had told the manufacturers of the hardware about it under the principle of responsible disclosure.

3 times Facebook has genuinely scared me

There's no doubt Facebook is a wonder of engineering, a site that brings on vast amounts of data for a user despite it being scattered throughout data centers and external sources. No question, Mark Zuckerberg and crew have engineered a marvel. But there are times when it really spooks me. It comes with friend recommendations. Somehow, this site has the capacity to recommend people that I know in real life but have absolutely no online connections to whatsoever. It's happened so often it can't be a coincidence, either. Three recent examples come to mind: Example 1: While closing the suggestion box for recommended friends, up popped the name of my acupuncturist, whom I haven't seen in six months. She is not in my Outlook contact list, only on my cellphone. Now, I frequently share stories about holistic news and have my naturopathic doctor among my friends list, but why, of the dozens of acupuncturists in northern Orange County, did she come up?

Critical Flash Player updates patch 23 flaws

Adobe Systems released new updates for Flash Player to patch critical vulnerabilities that could allow attackers to install malware on computers. The updates fix a total of 23 flaws, of which 18 can potentially be exploited to execute malicious code on the underlying systems. Adobe is not aware of any exploits being publicly available for the fixed vulnerabilities. The other flaws could lead to information disclosure, bypassing of the same-origin policy mechanism in browsers, and memory leaks. Two of the patches add or improve protections against vector length corruptions and against malicious content from vulnerable JSONP callback APIs used by JavaScript programs running in browsers.

China ‘must stop’ cyberespionage, warns US National Security Advisor Rice

China's government must halt economic espionage in cyberspace, U.S. National Security Advisor Susan Rice warned on Monday, days before Chinese President Xi Jinping is due in Washington, D.C., on an official visit. The issue has become a major thorn in the side of U.S.-China relations in the last year, especially in the wake of the breach of personal information of tens of millions of U.S. government workers at the Office of Personnel Management. The U.S. hasn't publicly accused China of that hack but has done so privately. China denies any involvement. "This isn’t a mild irritation," Rice said in a speech at George Washington University. "It’s an economic and national security concern to the United States. It puts enormous strain on our bilateral relationship and it is a critical factor in determining the future trajectory of U.S.-China ties."

Cyber insurance rejects claim after BitPay lost $1.8 million in phishing attack

If you bought cyber insurance so you’d be covered if you were hacked, and then had $1.8 million stolen after being hacked, wouldn’t you expect your insurance claim to be paid? If so, think again: the claim can be denied because of the wording of the risk insurance contract. BitPay, a Bitcoin payment processor, had purchased cyber insurance from Massachusetts Bay Insurance Company (MBIC), but BitPay was in for a rude awakening. In December 2014, an unknown hacker pulled off a social engineering attack: he spearphished BitPay’s Chief Financial Officer, managed to capture corporate credentials, then used the hacked email account to spoof emails to the CEO. The hacker tricked BitPay into making three separate transfers over two days totaling 5,000 bitcoins, which were valued at $1,850,000. Well, at least the company had cyber insurance, right? No; the insurance company denied the claim because of the wording in the contract, and BitPay then sued the insurance company.