
Companies won’t learn from the T-Mobile/Experian hack — Om Malik

Last Thursday, John Legere, the C.E.O. of T-Mobile, joined the ranks of the dozens of chief executives who, in the past few years, have had to inform their customers that their personal information has been stolen. “One of our vendors, Experian, experienced a data breach,” Legere tweeted, referring to a Dublin-based credit bureau that his company uses to collect, store, and secure customers’ personal information. Experian explained the details on its Web site:

The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services or products, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015. Records containing a name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile’s own credit assessment were accessed. No payment card or banking information was obtained.

As one of the fifteen million people who applied for T-Mobile USA’s post-paid services during that period, I was particularly aghast to learn about this breach. T-Mobile USA has, in the past two and a half years, been selling itself as an “uncarrier,” dedicated to upending the telecom industry’s status quo by offering simpler, cheaper, and more intelligible plans. I’d bought into this spin, and believed that it was the way forward for the industry.

Although no financial information was stolen in the T-Mobile breach, the completeness of the data that was acquired is akin to a Lego set for an identity thief. The fraudsters can set up new lines of credit or file for phony tax refunds in our names, and there isn’t much we can do about it. The cybersecurity consultant Bryan Seely told the Seattle Times that, on a scale of one to ten, this breach rates a seven, because it included fifteen million Social Security numbers, along with names and addresses. “When Target had a breach, people were reissued cards. You can’t reissue Socials that easily,” he said. Over the weekend, the e-commerce security firm Trustev claimed that it had found data sets from the Experian hack for sale on the dark Web…

By now, we’re familiar with this pattern: a company discloses a data theft, executives express grave concern, and customers are left to reset their passwords and sign up for free data protection, feeling all the while like data piñatas…

An offer of a credit-watching service in the wake of a hack is sort of like getting an alert after a fire has burned down your house. Moreover, in a recent blog post, Brian Krebs, of Krebs on Security, wrote, “Identity protection services like those offered by CSID, Experian and others do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name.”

RTFA for more details and Om’s analysis including the political problems with trying to get business security into the 21st Century. As Om says, 800 data breaches in one year proves the status quo isn’t working.

Pentagon’s views on the Free Press in wartime


The Defense Department earlier this summer released a comprehensive manual outlining its interpretation of the law of war. The 1,176-page document, the first of its kind, includes guidelines on the treatment of journalists covering armed conflicts that would make their work more dangerous, cumbersome and subject to censorship. Those should be repealed immediately.

Journalists, the manual says, are generally regarded as civilians, but may in some instances be deemed “unprivileged belligerents,” a legal term that applies to fighters that are afforded fewer protections than the declared combatants in a war. In some instances, the document says, “the relaying of information (such as providing information of immediate use in combat operations) could constitute taking a direct part in hostilities.”

The manual warns that “Reporting on military operations can be very similar to collecting intelligence or even spying,” so it calls on journalists to “act openly and with the permission of relevant authorities.” It says that governments “may need to censor journalists’ work or take other security measures so that journalists do not reveal sensitive information to the enemy.”

Allowing this document to stand as guidance for commanders, government lawyers and officials of other nations would do severe damage to press freedoms. Authoritarian leaders around the world could point to it to show that their despotic treatment of journalists — including Americans — is broadly in line with the standards set by the United States government.

Nice to see the NY TIMES stand up for a Free Press. Even in wartime. Finally.

RTFA for a more detailed albeit brief exposition. The editorial originally had a link to a .pdf of the relevant portion of the manual. That seems to have disappeared. But, we all know nothing ever really disappears from the Web.

Hee, hee, hee!

Germany halts treason charges against journalists – for the present

Andre Meister and Markus Beckedahl

A treason investigation into two journalists who reported that the German state planned to increase online surveillance has been suspended by the country’s prosecutor general following protests by leading voices across politics and media.

Harald Range, Germany’s prosecutor general, said on Friday he was halting the investigation “for the good of press and media freedom”. It was the first time in more than half a century that journalists in Germany had faced charges of treason.

Speaking to the Frankfurter Allgemeine Zeitung, Range said he would await the results of an internal investigation into whether the journalists from the news platform netzpolitik.org had quoted from a classified intelligence report before deciding how to proceed.

His announcement followed a deluge of criticism and accusations that Germany’s prosecutor had “misplaced priorities”, having failed to investigate with any conviction the NSA spying scandal revealed by whistleblower Edward Snowden, and targeting instead the two investigative journalists, Markus Beckedahl and Andre Meister.

In a scathing attack, the leading Green MP Renate Künast, who is also chair of the Bundestag’s legal affairs committee, called the investigation a “humiliation to the rule of law”. She accused Range of disproportionately targeting the two journalists, whilst ignoring the “massive spying and eavesdropping [conducted] by the NSA in Germany”.

Künast told the Kölner Stadt-Anzeiger: “Nothing happened with that. If it wasn’t for investigative journalism, we would know nothing.”…

In articles that appeared on netzpolitik.org in February and April, the two reporters made reference to what is believed to be a genuine intelligence report that had been classified as confidential, which proposed establishing a new intelligence department to monitor the internet, in particular social media networks.

The federal prosecutor’s investigation was triggered by a complaint made by Germany’s domestic intelligence agency, the Office for the Protection of the Constitution (BfV) over the articles, which it said had been based on leaked documents…

In an act of solidarity, the research website Correctiv reported itself to the general prosecutor’s office on Friday, saying that it too was “guilty of treason”, at the same time as republishing the controversial documents originally published by netzpolitik.org.

“They should be investigating the whole lot of us!” said Correctiv’s editor-in-chief, Markus Grill. Meanwhile, German lawyers called for the abolition of the offence “journalistic treason”.

The uproar against NSA-style security measures seems to have had the desired effect for now. German justice minister, Heiko Maas, is requesting the dismissal and retirement of the chief federal prosecutor, Harald Range, who initiated the charges against the journalists.

Of course, I wouldn’t expect the same to happen here in the GOUSA. And it hasn’t. Much of our Free Press is owned by entertainment media corporations. They aren’t about to rock the boat. The Democratic Party couldn’t turn out a united demonstration for Free Speech if it threatened the military-industrial complex. Republicans would start wearing armbands if requested. And American Greens don’t seem able to generate a grassroots movement with the energy and smarts to grow into a national party.

Yup. Still a cynic. Mail me a penny postcard when Obama invites Ed Snowden to return home.

Time to allow banks to be part of the marijuana economy

The Senate introduced a bipartisan bill on Thursday that would prevent criminal prosecution as well as liability and asset forfeiture for banks that do business with a state-sanctioned marijuana business.

Sen. Michael Bennet, a Democrat, and Sen. Cory Gardner, a Republican, both of Colorado, announced the bill in a joint statement.

Joint statement. Har.

Last year, the Treasury Department said banks could serve the marijuana industry under certain conditions. Many banks call the guidelines too onerous, resulting in a marijuana industry that still relies heavily on cash. That reliance on cash rather than traditional banking methods has made marijuana dispensary operators robbery targets.

Marijuana advocacy groups lauded the new bill, citing safety issues involved with cash-rich businesses…

Gov. John Hickenlooper of Colorado, a state that legalized marijuana in 2012, praised the Senate bill, saying the federal government has a duty to ensure the safety of people as the marijuana legalization experiment expands in states across the country.

At the community level, banks considered the Treasury statement last year to be nothing more than window dressing. Unless laws and regulations are officially changed, no bank executive is going to consider arrest or closure of their bank at the whim of some pissed-off bureaucrat. Laws to protect folks who aren’t breaking reasonable laws should be easy as pie.

The problem, as usual, is Congress. Federal laws passed from sheer stupidity, obstinate sophistry, decades ago.

Apple and others ask Obama to reject backdoors for cops and other snoops

Yes, this is what it says on my wife’s iPhone, same on my iPad

In a letter…delivered to President Barack Obama on Tuesday, Apple is among a group of signatories requesting the White House reject incoming government proposals that would modify current policies to allow law enforcement access to encrypted user data.

As reported by The Washington Post, which gained access to the letter on Monday, Apple joins a cadre of more than 140 tech companies, security experts and interested civil groups concerned with upcoming legislation that could force access to consumer data, even if it is encrypted.

“Strong encryption is the cornerstone of the modern information economy’s security,” the letter reads. Further, signatories unanimously recommend that government agencies should “fully support and not undermine efforts to create encryption standards.”

According to The Post, three signatories were on a five-member presidential review team formed to investigate U.S. technology policy in 2013, just after former NSA contractor Edward Snowden sparked public outrage by leaking information regarding secret government surveillance programs. Among the revelations aired by Snowden was the existence of mass data collection initiatives targeting everything from phone calls to social networks and other high-traffic consumer products…

With iOS 8, Apple built an encryption system so secure that it is technically incapable of decrypting a user’s device even with the appropriate documentation. The lockout method was not well received by officials wanting access to user data, a procedure allowed through [so-called] proper warrants.

RTFA if you need to dull your brain with predictable rationales from security-snoops. The history of this sort of political paranoia tends to end with Big Brother having his patriarchal way with your thought and speech. Coppers are accustomed, now, to the government handing them anything they need or need to know – or think they need to know – on a bulletproof platter.

They’re incensed that Apple dares to advertise the fact that they can’t decrypt your iPad or iPhone, either.

14-year-old shows up auto industry security

A 14-year-old boy may have forever changed the way the auto industry views cyber security.

He was part of a group of high-school and college students that joined professional engineers, policy-makers and white-hat security experts for a five-day camp last July that addressed car-hacking threats…

With some help from the assembled experts, he was supposed to attempt a remote infiltration of a car, a process that some of the nation’s top security experts say can take weeks or months of intricate planning. The student, though, eschewed any guidance. One night, he went to Radio Shack, spent $14 on parts and stayed up late into the night building his own circuit board.

The next morning, he used his homemade device to hack into the car of a major automaker. Camp leaders and automaker representatives were dumbfounded. “They said, ‘There’s no way he should be able to do that,’” Brown said Tuesday, recounting the previously undisclosed incident at a seminar on the industry’s readiness to handle cyber threats. “It was mind-blowing.”

Windshield wipers turned on and off. Doors locked and unlocked. The remote start feature engaged. The student even got the car’s lights to flash on and off, set to the beat from songs on his iPhone. Though they wouldn’t divulge the student’s name or the brand of the affected car, representatives from both Delphi and Battelle, the nonprofit that ran the CyberAuto Challenge event, confirmed the details…

“It was a pivot moment,” said Dr. Anuja Sonalker, lead scientist and program manager at Battelle. “For the automakers participating, they realized, ‘Huh, the barrier to entry was far lower than we thought.’ You don’t have to be an engineer. You can be a kid with $14.”

She described the breach as more of a nuisance attack, and emphasized that, in this case, no critical safety functions, like steering, braking or acceleration, were compromised. But the incident underscored just how vulnerable cars have become.

None of this is geek news. Nor is there any surprise in this display of auto industry leaders’ ignorance of the vulnerability of their tech, the sophisticated toolkits of hardware and software available to even kid-level hackers.

European manufacturers experienced something similar a few years back and revised their engineering designs to match reality. Some more successfully than others, some less so. Why American corporate leaders didn’t pay attention and learn speaks to how parochial, insular, most Americans are. Another part of that corporate [and political] personality is native to imperial populations. If you have the most power you think you must also know best how to do anything.

In fact, reality, especially when much of your culture is well past its peak, contradicts that belief.

American bankers/retailers cheap out on improving security

Adding a PIN is so difficult, eh?

New technology about to be deployed by credit card companies will require U.S. consumers to carry a new kind of card and retailers across the nation to upgrade payment terminals. But despite a price tag of $8.65 billion, the shift will address only a narrow range of security issues.

Credit card companies have set an October deadline for the switch to chip-enabled cards, which come with embedded computer chips that make them far more difficult to clone. Counterfeit cards, however, account for only about 37 percent of credit card fraud, and the new technology will be nearly as vulnerable to other kinds of hacking and cyber attacks as current swipe-card systems, security experts say.

Moreover, U.S. banks and card companies will not issue personal identification numbers (PINs) with the new credit cards, an additional security measure that would render stolen or lost cards virtually useless when making in-person purchases at a retail outlet. Instead, they will stick with the present system of requiring signatures…

Chip technology has been widely used in Europe for nearly two decades, but banks there typically require PINs. Even so, the technology leaves data unprotected at three key points, security experts say: When it enters a payment terminal, when it is transmitted through a processor, and when it is stored in a retailer’s information systems. It also does not protect online transactions.

American corporations inside the retail purchasing loop are perfectly willing to expand that to four key points.

Retailers and security experts say it would make more sense for the United States to jump instead to a more secure system, such as point-to-point encryption. This technology is superior to chip-and-PIN, which first was deployed about 20 years ago, because it scrambles data to make it unreadable from the moment a transaction starts.

But the newer technology would cost as much as twice what the chip card transition will cost…
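To make concrete what “unprotected at three key points” versus “unreadable from the moment a transaction starts” means in practice, here is an added illustration (not code from the article or from any card network) that simulates a card number passing through terminal, wire and retailer storage with and without point-to-point encryption. Everything in it is constructed for the demo: the test PAN, a single symmetric key shared between the terminal’s secure reader and the processor, and a stand-in cipher built from an HMAC-SHA256 keystream with an HMAC tag so the script needs no third-party library. A real P2PE deployment uses AES inside a tamper-resistant reader with per-device keys; the point here is only which hops ever hold the cleartext PAN.

```python
# Added example: compare PAN exposure without and with point-to-point encryption.
# The cipher below is an illustrative stdlib-only stand-in, not a production P2PE scheme.
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative PRF, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; anything altered in transit is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("track data failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def swipe_flow(pan: str) -> dict:
    """Swipe or chip without P2PE: every hop handles the PAN in the clear."""
    track = pan.encode()
    terminal_memory = track                # point 1: data entering the terminal
    wire = terminal_memory                 # point 2: transmitted to the processor
    retailer_store = wire                  # point 3: kept in the retailer's systems
    processor_view = wire
    return {"terminal": terminal_memory, "wire": wire,
            "retailer_store": retailer_store, "processor": processor_view}


def p2pe_flow(pan: str, key: bytes) -> dict:
    """With P2PE the secure reader encrypts the instant the card is read."""
    sealed = seal(key, pan.encode())       # done inside the tamper-resistant reader head
    terminal_memory = sealed               # the terminal application only sees ciphertext
    wire = terminal_memory                 # still ciphertext on the wire
    retailer_store = wire                  # a breached retailer database holds ciphertext
    processor_view = open_(key, wire)      # only the processor's key can recover the PAN
    return {"terminal": terminal_memory, "wire": wire,
            "retailer_store": retailer_store, "processor": processor_view}


def exposed_points(flow: dict, pan: str) -> list:
    """Names of the hops that hold the PAN in cleartext."""
    return [hop for hop, data in flow.items() if data == pan.encode()]


if __name__ == "__main__":
    demo_pan = "4111111111111111"          # constructed test PAN, not a real card
    demo_key = secrets.token_bytes(32)
    print("swipe:", exposed_points(swipe_flow(demo_pan), demo_pan))
    print("p2pe: ", exposed_points(p2pe_flow(demo_pan, demo_key), demo_pan))
```

Running it shows the swipe path exposing the PAN at all four hops and the P2PE path exposing it only at the processor, which is exactly why the experts quoted above prefer it over chip-and-PIN alone: a chip stops cloning, but it does nothing for data sitting in a retailer’s own systems.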

Moreover, some security experts say that mobile payment services such as Apple Pay, a service from Apple that stores data on the cloud, have the potential in coming years to secure payments without the need to swipe or tap a card at all…

Rick Dakin, who is advising a group of banks on payment security, said no industry standard exists for the newer point-to-point encryption systems, and banks and card companies are hesitant to make large-scale investments before the standards are set.

Apparently, 20 years isn’t sufficient time to adopt standards in the United States.

Banks and card companies said a chip card alone can make stolen data less useful for hackers and the technology has worked in reducing counterfeit card fraud in Europe and elsewhere.

Security experts said the shift cannot prevent massive consumer data breaches of the sort that recently hit Target and Home Depot. But the technology will make it more difficult to use stolen data.

The installation of 15 million payment terminals that can read chip cards in the U.S. will cost approximately $6.75 billion. Banks are expected to spend some $1.4 billion to issue new cards and another $0.5 billion to upgrade their Automated Teller Machines, according to Javelin Strategy & Research.

Beancounters live and die on hindsight – and this is another case of crap decisions being worthless.

What would this conversion have cost in 1995 dollar$? How many billion$ have been lost to fraud, counterfeit credit cards and identity theft? All it took in the first place was a willingness to make security a priority.

Tim Cook won’t back down — opposes terrorism, selling data, and snooping

During an unannounced visit to Apple’s Covent Garden store

Following comments regarding Apple Watch specifications and an upcoming Apple Store revamp, Cook spoke with the Telegraph in an extensive interview covering data privacy, government snooping, terrorism and more.

The Apple chief is cognizant of the amount of customer information being “trafficked around” by corporations, governments and other organizations, saying data sharing is a practice that goes against Apple’s core philosophies. He said consumers, however, “don’t fully understand what is going on” at present, but “one day they will, and will be very offended.”

“None of us should accept that the government or a company or anybody should have access to all of our private information,” Cook said. “This is a basic human right. We all have a right to privacy. We shouldn’t give it up. We shouldn’t give in to scare-mongering or to people who fundamentally don’t understand the details…”

The publication also asked about implications of terrorism, especially government surveillance operations created with the intent of aiding law enforcement agencies. Cook took a hard-nosed stance on the topic, saying the issue is a non-starter in his book because terrorists use proprietary encryption tools not under the control of U.S. or UK governments.

“Terrorists will encrypt. They know what to do,” Cook said. “If we don’t encrypt, the people we affect [by cracking down on privacy] are the good people. They are the 99.999 percent of people who are good.” He added, “You don’t want to eliminate everyone’s privacy. If you do, you not only don’t solve the terrorist issue but you also take away something that is a human right. The consequences of doing that are very significant…”

The executive reiterated Apple’s mantra of making products, not marketing consumers as products. Every device and service that comes out of Cupertino is designed to store only a minimal amount of customer information, Cook said.

Finally, Cook talked about privacy as it applies to Apple Pay, the fledgling payments service Apple rolled out in October. Unlike other payments processors, Apple designed Apple Pay to reveal little to no information to outside parties, including itself.

“If you use your phone to buy something on Apple Pay, we don’t want to know what you bought, how much you paid for it and where you bought it. That is between you, your bank and the merchant,” Cook said. “Could we make money from knowing about this? Of course. Do you want us to do that? No. Would it be in our value system to do that? No. We’ve designed [Apple Pay] to be private and for it to be secure.”

I love the privacy of Apple Pay. I haven’t stopped smiling since the first time a checkout clerk exclaimed…”It doesn’t even tell me your name!”

This is excerpted from a long interview in the TELEGRAPH – worth reading.

Why visit your boyfriend in the slammer when you can chat online?

Arizona mother Cathy Seymour’s 16-year-old son was arrested in August 2013 for allegedly shooting a detention officer to death and was charged with first-degree murder as an adult and held in a jail.

Now she uses her laptop and a video link to spring him from maximum security detention in the 4th Avenue Jail in downtown Phoenix, take him on a virtual tour of some of his favorite places and visit with family and friends.

“If there’s Wi-Fi and you have a laptop, you don’t have to stay in your home,” she says of the recently installed pay-per-view system that links a video terminal in the jail to her laptop at a cost of $5 for 20 minutes.

“His favorite spot is McDonald’s, so we went to McDonald’s … I’ll show him, like, the street … He gets to see other people … He gets to see my mom and dad and church,” said Seymour, who spoke to Al Jazeera America on the condition that her son not be named.

She is among thousands of family members nationwide using pay-per-view video chats to connect with loved ones who are incarcerated. The technology is gaining traction in jail systems across the U.S. in a push by the for-profit prison industry to monetize inmate contact.

At the end of 2014, 388 U.S. jails — about 1 in 8 — offered pay-per-view video visits, and the service was also available in 123 prisons, according to a study by the nonprofit Prison Policy Initiative (PPI).

Since the report was published in January, the PPI has become aware of at least 25 additional jails that have implemented the technology. Once video visitation systems are in place, most jails eliminate in-person family visits, securing a captive market for private firms. Seven companies dominate the market, and for 20 minutes, they charge from $5 in Maricopa County, Arizona, to $29.95 in Racine County, Wisconsin…

For Seymour, the pay-per-view video visits help her maintain a relationship with her teenage son, with whom she shares as many as four video chats a day. “He’s in an ugly place now … I don’t agree with the sheriff on much, but there is benefit to it,” she said of the system…

The boom in for-profit video visitation is also transforming the way lawyers work with their clients. Some criminal defense attorneys, like Marci Kratter in Phoenix, find much to like.

Before the system went live in November, Kratter had to drive to a jail, park, sign in and go to a visitation area to wait for her client in what she described as an “at least a two-hour ordeal.” Now with video visitation, “it’s 20 minutes. You do it from your desk … As far as rapport building goes and trust, when you can check in with [your clients] every week, they know you’re thinking about them.”

RTFA. Many variations on the theme – as you would expect. A predictable number of jailers are more interested in vacuuming every last greenback from the wallets of relatives, friends, lawyers. Some are more interested in security. You ain’t smuggling in smack or a cell phone over an internet connection.

There is a lawsuit started by defense attorneys in Travis County against Securus, the sheriff’s office and other county officials. It charges that video visits were used to illegally record attorneys’ confidential calls with their clients…using the info gained against clients and other prisoners. I’d be shocked, shocked I tell you – if something like that actually happened.

Y’all know how deeply we trust law enforcement in America. Right?

Retailers who don’t want Apple Pay have already been hacked

MCX hacked

You can’t make this stuff up.

MCX, the retailer consortium behind Apple Pay competitor CurrentC, has already been hacked, according to an email sent out to those people who have signed up for, or downloaded, the CurrentC app…

A spokeswoman confirmed that the email is real.

MCX, which is a consortium of dozens of retailers including Walmart, Best Buy, Target, Kohl’s and CVS, say that no other information has been taken but that the investigation is continuing. The “unauthorized third parties” were able to access email addresses of people who were part of the app’s private beta testing program as well as email addresses of people who simply signed up to access the app when it launches publicly…

MCX confirmed this morning that its member companies have promised to only support CurrentC. MCX was formed in large part to create a mobile app that would persuade shoppers to pay through their phone with their checking account or store-branded plastic. The retailers’ goal here was to cut down on the transaction fees it has to pay banks and credit card networks on traditional credit card purchases. That is likely a big reason why it opposes Apple Pay, which supports those traditional cards.

But the hack now raises big questions about whether shoppers will trust CurrentC app with their sensitive financial information when it launches; the app asks for users’ social security number and driver’s license information if they want to link their bank account with the app. The app does not currently let users pay with their traditional credit card accounts, though an MCX blog post published this morning said it would eventually support credit cards, though it didn’t provide details on which kinds. Until CurrentC launches, customers shopping at MCX stores will be left with the choice of using cash or traditional magstripe cards which have proved to be easy to clone.

By banning Apple Pay, which is built into the new line of iPhones, merchants are choosing to ban a more secure payment method. Apple Pay customers can use a wide range of credit and debit card accounts to make purchases. Users have to authorize a transaction by pressing their finger against the phone’s fingerprint sensor. The phone then sends payment information to a store’s checkout equipment, though it comes in the form of a stand-in string of characters known as a token and does not include an actual credit or debit card number.
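The paragraph above describes the token the phone hands to the checkout equipment in place of the card number. Here is an added example (not Apple’s code, nor anything from the article) of a minimal token service showing why a merchant breach of the kind MCX just suffered yields nothing card-shaped. All names are constructed for the demo. It goes one step beyond the text by adding a per-transaction HMAC cryptogram and a replay check, which is the mechanism that stops a captured token from being reused; the real networks use EMV cryptograms and device-bound keys, simplified here to an HMAC over token, amount and counter.

```python
# Added example: payment tokenization with a per-transaction cryptogram.
# Constructed for illustration; not a real network's token format or protocol.
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Checksum every real PAN carries; used to reject garbage at provisioning."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def make_cryptogram(device_key: bytes, token: str, amount_cents: int, counter: int) -> bytes:
    """What the phone computes after the fingerprint check (simplified stand-in)."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class TokenService:
    """Network-side vault: the only party able to map a token back to a PAN."""

    def __init__(self):
        self._vault = {}       # token -> (pan, device_key)
        self._seen = set()     # (token, counter) pairs already authorised

    def provision(self, pan: str) -> tuple:
        """Enrol a card on one device; returns the token and the device's secret."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = secrets.token_hex(8)              # random, unrelated to the PAN
        device_key = secrets.token_bytes(32)
        self._vault[token] = (pan, device_key)
        return token, device_key

    def authorise(self, token: str, amount_cents: int, counter: int, cryptogram: bytes) -> bool:
        """Check the cryptogram and reject replays; the merchant never sees the PAN."""
        entry = self._vault.get(token)
        if entry is None or (token, counter) in self._seen:
            return False
        _pan, device_key = entry
        expected = make_cryptogram(device_key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self._seen.add((token, counter))
        return True


def merchant_checkout(token: str, amount_cents: int, counter: int,
                      cryptogram: bytes, service: TokenService) -> dict:
    """What a store's checkout equipment records: token and outcome, no card number."""
    approved = service.authorise(token, amount_cents, counter, cryptogram)
    return {"token": token, "amount_cents": amount_cents, "approved": approved}


if __name__ == "__main__":
    svc = TokenService()
    tok, dkey = svc.provision("4111111111111111")   # constructed test PAN
    crypt = make_cryptogram(dkey, tok, 1299, 1)
    print(merchant_checkout(tok, 1299, 1, crypt, svc))
    print("replay:", merchant_checkout(tok, 1299, 1, crypt, svc))
```

The merchant record contains the token and the amount and nothing else; a second presentation of the same token and counter is refused, and a token with the wrong cryptogram is refused, so a database of these records is worthless to anyone who steals it. Compare that with CurrentC asking for a Social Security number and driver’s licence up front.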

Our household has already switched over to Apple Pay. More than anything, we love the anonymity and security. No one gets to see our credit card number. Not even our name.