
Square getting ready for chipped credit cards

Square announced it was developing a new credit card reader that would allow businesses to begin accepting a more secure type of credit card being rolled out in the U.S. over the next 15 months.

The announcement comes as credit cards embedded with microchips finally begin to reach American consumers. The cards, which have been common for a decade in many other parts of the world, are believed to be harder to clone than traditional stripe cards.

Hustlers in Europe will agree.

Beginning in October 2015, liability for credit card fraud will sit with whichever entity — the issuer or the merchant — is using the less secure equipment. So a merchant would be penalized if it doesn’t have the equipment to accept chip cards and suffers an unauthorized purchase with a card that had a chip in it. On the other hand, the bank would be liable if it doesn’t issue chip cards and one of its customers makes an unauthorized transaction with a traditional card at a store that accepts chip cards…

Square makes the point that this will enable expansion into other markets.

I’m not certain how that statement fits into Square’s growth plans. Are they taking advantage of opportunities opening up because they have to make this change anyway, or is this around the time when they planned on moving into Europe?

Either way, I admit to liking the usability and design of their hardware/software packages.


The Heartbleed web security flaw – runaway, runaway! — UPDATE: NSA scumbags knew about the bug for 2 years


It seems as though every week or so there’s a new hack or exploit that reveals millions of passwords or important data from a popular web service, and this week is no exception. On Tuesday, IT professionals got word of a serious flaw in OpenSSL, the open-source SSL/TLS library that an estimated two-thirds of the web’s servers rely on to encrypt their traffic. The flaw, which was dubbed “Heartbleed” (CVE-2014-0160), may have exposed the personal data of millions of users and the private keys of some of the web’s largest services. Here’s what you need to know:

It’s a bug in OpenSSL versions 1.0.1 through 1.0.1f, the software that handles TLS for a large share of big websites; version 1.0.1g, released the same day, fixes it. In a nutshell, the flaw sits in one optional feature, the TLS “heartbeat” extension (RFC 6520), a keep-alive that lets either side confirm a secure connection is still open without renegotiating it. A heartbeat request carries a payload plus a length field stating how long that payload is, and the other side echoes the payload back. The buggy code trusted the claimed length without checking it against the number of bytes that had actually arrived, so a peer could claim up to 64 KB and receive that much of whatever sat in the server process’s memory next to the request: session cookies, passwords and, in some cases, the server’s private key. The request needs no authentication and leaves nothing unusual in the server’s logs. It was discovered independently by a security company called Codenomicon and a Google researcher named Neel Mehta, both of whom have helped co-ordinate the response…

As Tim Lee at Vox points out in his overview, the lock that you see in your browser’s address bar when you visit a website “is supposed to signal that third parties won’t be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher.” But researchers found it was possible to “send a cleverly formed, malicious heartbeat message that tricks the computer at the other end into divulging secret information…”
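The missing check, shown in working code. This is an added example written for this page, not OpenSSL’s source or the article’s: a cut-down C model of a heartbeat responder with the vulnerable shape beside the fixed one. The function and fixture names are hypothetical, the record layout follows RFC 6520, `rec_len` stands in for the real length of the record that arrived on the wire, and the 256-byte “arena” with a fake key fragment after the record is a constructed stand-in for the server’s heap so that the over-read stays inside allocated memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record body (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * rec_len is how many bytes really arrived; payload_length is what the peer claims. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX_OUT  (3 + 65535 + HB_PADDING)

static unsigned int read_u16(const unsigned char *p) {
    return ((unsigned int)p[0] << 8) | p[1];
}

/* Vulnerable shape (OpenSSL 1.0.1 to 1.0.1f): trusts the claimed length and
 * copies that many bytes from wherever the record sits in memory.
 * Demo only: callers here keep the over-read inside the arena. */
size_t hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                             unsigned char *out) {
    unsigned int payload = read_u16(rec + 1);   /* attacker-controlled */
    (void)rec_len;                               /* never consulted: the bug */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);           /* reads past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed shape (the 1.0.1g check): the claimed length must fit inside the
 * bytes that really arrived, otherwise the message is silently dropped. */
size_t hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                        unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;  /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return 0;
    unsigned int payload = read_u16(rec + 1);
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* the missing check */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Constructed fixture: the record takes the first 23 bytes of the arena
 * (7 on the wire + 16 padding); a fake key fragment sits right after it. */
static const char SECRET[] = "-----BEGIN PRIVATE KEY-----";

static size_t build_arena(unsigned char *arena, size_t arena_len,
                          unsigned int claimed_len) {
    unsigned char rec[7] = { HB_REQUEST, 0, 0, 'p', 'i', 'n', 'g' };
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena, 0xAA, arena_len);
    memcpy(arena, rec, sizeof rec);
    size_t rec_len = sizeof rec + HB_PADDING;    /* 23 bytes really arrived */
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1);
    return rec_len;
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Peer claims 64 payload bytes but sends 4: the vulnerable code answers with
 * 64 bytes read from the arena, secret included. Returns 1 if it leaked. */
int heartbleed_leaks_secret(void) {
    static unsigned char arena[256], out[HB_MAX_OUT];
    size_t rec_len = build_arena(arena, sizeof arena, 64);
    size_t n = hb_respond_vulnerable(arena, rec_len, out);
    return n == 3 + 64 + HB_PADDING && contains(out, n, SECRET);
}

/* Same oversized claim against the fixed code: dropped, nothing echoed. */
size_t fixed_response_to_oversized(void) {
    static unsigned char arena[256], out[HB_MAX_OUT];
    size_t rec_len = build_arena(arena, sizeof arena, 64);
    return hb_respond_fixed(arena, rec_len, out);
}

/* Honest request (claims 4, sends 4): fixed code answers 3 + 4 + 16 bytes. */
size_t fixed_response_to_valid(void) {
    static unsigned char arena[256], out[HB_MAX_OUT];
    size_t rec_len = build_arena(arena, sizeof arena, 4);
    return hb_respond_fixed(arena, rec_len, out);
}

int main(void) {
    printf("vulnerable leaks secret: %d\n", heartbleed_leaks_secret());
    printf("fixed, oversized claim:  %zu bytes\n", fixed_response_to_oversized());
    printf("fixed, honest request:   %zu bytes\n", fixed_response_to_valid());
    return 0;
}
```

The point the model makes is that nothing about the request is malformed from the parser’s point of view: the length field is a legal 16-bit value and the record decodes cleanly. The only defence is comparing what the peer claims against what the transport actually delivered, which is why the fix is a two-line bounds check rather than a change to the protocol.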

What can you do about it?

If you are a web user, the short answer is not much until the sites you use have patched. You can check the list of affected sites on Github, or try the tool from developer Filippo Valsorda that tests whether a site is still vulnerable (although false positives have been reported). Change your passwords on the sites you use regularly, but only after each one has patched and replaced its certificate: a new password sent to a still-vulnerable server can leak exactly as the old one did, and a stolen private key lets an attacker keep impersonating the site until the key is reissued.

RTFA if you want all the gory details. The bug is two years old, albeit just discovered, so no one has a clue how long evildoers may have been screwing around with folks’ accounts at sites containing the bug.

I’d suggest reading the list at Github and staying away from sites on the list – until they disappear from the list. Changing passwords – as suggested – at affected sites is a good idea as well, though I can think of problems happening if you’re pinged while doing exactly that. If and when sites are certified clean, then change your passwords and do a thorough job of it.

UPDATE: NSA scumbags knew about the bug for two years and used it to break into encrypted communications – rather than notify American companies and consumers so they might protect themselves…http://tinyurl.com/mq8owa2

Independent commission to investigate future of internet freedom

A major independent commission headed by the Swedish foreign minister, Carl Bildt, was launched on Wednesday to investigate the future of the internet in the wake of the Edward Snowden revelations.

The two-year inquiry, announced at the World Economic Forum at Davos, will be wide-ranging but focus primarily on state censorship of the internet as well as the issues of privacy and surveillance raised by the Snowden leaks about America’s NSA and Britain’s GCHQ spy agencies…

Bildt, the former Swedish prime minister, said: “The rapid evolution of the net has been made possible by the open and flexible model by which it has evolved and been governed. But increasingly this is coming under attack.

“And this is happening as issues of net freedom, net security and net surveillance are increasingly debated. Net freedom is as fundamental as freedom of information and freedom of speech in our societies.”

The Obama administration on Friday announced the initial findings of a White House-organised review of the NSA. There are also inquiries by the US Congress and by the European parliament, but this is the first major independent one.

The nicest thing said about Obama’s recommendations is that they have the strength of weak tea. My characterization would be more scatological.

Robin Niblett, director of Chatham House, said: “The issue of internet governance is set to become one of the most pressing global policy issues of our time…”

Gordon Smith, who is to be deputy chair of the commission, said: “For many people, internet governance sounds technical and esoteric but the reality is that the issues are ‘high politics’ and of consequence to all users of the internet, present and future.”

Many of America’s geek pundits feel the United States owns the Internet and every other nation should simply follow whatever our government says should be the rules. Obedience is required by the Internet Overlords.

The battle comes up every few years. The next round will involve not only the question of global democracy but also individual privacy and security, which will have to be part of the discussion.

Tech contracts now requiring data storage offshore from USA

Firms in the UK and Canada are reportedly updating their cloud contracts to demand that their data be kept out of the US. The report doesn’t contain enough details, however, to say if this is a trend or an isolated incident.

Is this the backlash? A handful of companies are requiring cloud service providers to promise — in writing — that they won’t store any client data in the United States, according to Bloomberg.

The report says that a British grocery chain and a Canadian pharma company have responded to the ongoing US surveillance scandal by adding language to existing contracts that mandate suppliers to segment their data and keep it out of America.

The report of the revised contracts comes as the cloud computing industry continues to digest news that America’s National Security Agency is tapping underwater cables and infiltrating the servers of storage providers as part of a sweeping counter-terrorism program…

So does the Bloomberg report portend the start of a trend? It’s too soon to say. The report, which also claimed a Canadian agency had asked for the “no data in USA” clause, was based on a single source (an Indiana security firm known as Rook Consulting) and did not name any of the companies involved.

And, while such reports are eye-catching, they also provide a public relations opportunity for cloud providers outside of the US to drum up business. In the meantime, it’s unclear if European cloud providers have the capacity to take over existing large-scale data storage contracts, and to what degree companies’ existing cloud contracts dissuade them from switching services.

Are we to give thanks to the NSA for providing a great reason for offshoring business from the United States? Roberts’ article doesn’t ask the important question: What idiots in our government skipped past the question of how being the most intrusive Big Brother in the World would affect American businesses dependent on guaranteeing security to their clients?

If I were working in communications with valuable data there is no way on Earth I would trust an American corporation to provide me with any more privacy than the American government seems to allow. Which is damned little.

Fears over NSA endanger US cloud computing firms

American technology businesses fear they could lose between $21.5bn and $35bn in cloud computing contracts worldwide over the next three years, as part of the fallout from the NSA revelations.

Some US companies said they have already lost business, while UK rivals said that UK and European businesses are increasingly wary of trusting their data to American organisations, which might have to turn it over secretly to the National Security Agency, its government surveillance organisation…

A survey by the US-based Cloud Security Alliance, quoted by the Information Technology & Innovation Foundation (ITIF) found that American companies which offer file storage and computing in cloud systems – so they can be stored and accessed anywhere in the world – are gloomy about the effects of the Guardian’s revelations of the extent of US government snooping and data gathering through projects such as Prism and Xkeyscore.

Daniel Castro, author of the ITIF survey, said that it seemed reasonable to suggest that US cloud businesses could lose between 10% and 20% of the overseas market to rivals.

The effect has already been felt, Castro said. The ITIF survey found that of those outside the US, 10% had cancelled a project with a US-based cloud computing provider, and 56% would be “less likely” to use a US-based cloud computing service.

The US government has struggled to respond to the series of revelations in the Guardian about the extent of the NSA’s oversight of data, which travels into the US. Prism allows it to target details about individuals residing outside the US; the NSA claims that it has “direct access” to data from Google and Microsoft, among others, who are both also major cloud computing providers…Xkeyscore allows the NSA to drill down to details about individuals almost anywhere on the internet.

Yup…Obama and his Big Bubba spies have laid one more road block across the path of American firms trying for global presence on the Web. No one here trusts the Web any farther than they can throw a Republican. Why should anyone else?

US Government’s propaganda fail – Americans accept Edward Snowden as a whistleblower

Snowden meeting with Human Rights Watch in Moscow – today

A majority of U.S. registered voters consider Edward Snowden a whistle-blower, not a traitor, and a plurality says government anti-terrorism efforts have gone too far in restricting civil liberties, a poll released today shows.

Fifty-five percent said Snowden was a whistle-blower in leaking details about top-secret U.S. programs that collect telephone and Internet data, in the survey from…Quinnipiac University. Thirty-four percent said he’s a traitor…

The poll also showed that by 45 percent to 40 percent, respondents said the government goes too far in restricting civil liberties as part of the war on terrorism. That was a reversal from January 2010, when in a similar survey 63 percent said anti-terrorism activities didn’t go far enough to protect the U.S. from attacks, compared with 25 percent who disagreed.

“The massive swing in public opinion about civil liberties and governmental anti-terrorism efforts, and the public view that Edward Snowden is more whistle-blower than traitor, are the public reaction and apparent shock at the extent to which the government has gone in trying to prevent future terrorist incidents,” said Peter Brown, assistant director of Quinnipiac’s polling institute.

The view of Snowden as a whistle-blower rather than traitor predominated among almost every group of respondents broken down by party, gender, income, education and age. Black voters were the lone exception, with 43 percent calling Snowden a traitor compared with 42 percent saying he was a whistle-blower.

“The verdict that Snowden is not a traitor goes against almost the unified view of the nation’s political establishment,” Brown said…

The poll showed both Democrats and Republicans about evenly divided on whether government counter-terrorism measures have become excessive. Independent voters view the methods as having gone too far by 49 percent to 36 percent.

“The fact that there is little difference now along party lines about the overall anti-terrorism effort and civil liberties and about Snowden is in itself unusual in a country sharply divided along political lines about almost everything,” Brown said…

…Among Republicans the percentage who said government has gone overboard in restricting civil liberties in the fight against terrorism grew to 41 percent in the new poll, compared with 17 percent three years ago.

“It would be naive to see these numbers as anything but evidence of a rethinking by the public about the tradeoffs between security and freedom,” Brown said.

It would be naive – or simply the voice of hypocrites whose politics support a government spying on its citizens, who consider their political security more important than individual liberty, freedom to think and speak, a right to privacy.

We know which side Obama and the executive are on. We know which side the noisiest baboons in Congress have chosen – predictably, I might add. We have watched the conflict in play between the generally tame mass media and the few American journalists with the courage to stand for the Bill of Rights. The responsibility is ours to press government into defense of our rights and, not so incidentally, withdraw the blank check given to the NSA.

Pentagon flash drive ban has exceptions – of course

The Pentagon has granted many exceptions, possibly numbering in the thousands, to allow staff members who administer secure computer networks to use flash drives and other portable storage devices, department spokesmen say.

The exceptions to policies barring the use of such devices could make it easier for rogue employees to remove sensitive documents. But officials say waivers go to people who update software and run helpdesk services for the Pentagon’s vast computer network and are needed to run the system efficiently.

The U.S. government’s handling of sensitive documents has come under scrutiny since Edward Snowden, a systems administrator for a contractor with the National Security Agency, copied classified materials at a Hawaii installation and leaked them to the news media.

Snowden used a simple flash drive to store the materials, according to a government source close to the investigation.

Storage devices have been a concern at the Defense Department since the 2008 Buckshot Yankee incident, in which a malicious software worm known as agent.btz was uploaded to military networks by a thumb drive.

Then-Deputy Secretary Bill Lynn declassified the incident in 2010 and U.S. Cyber Command, which was established in the wake of Buckshot Yankee, banned the devices…

Cyber Command, cripes? Do you have to be a graduate of Star Trek Academy?

Since then, the Pentagon has bolstered efforts to prevent removal of classified data, Lieutenant Colonel James Gregory said. The department is in 100 percent compliance with directives to disable or tightly control use of removable media devices on the Pentagon’s secure network, he said…

While use of flash drives is largely barred, exceptions are granted to systems administrators who install software and manage helpdesk services for the department’s millions of computers and nearly 600,000 mobile devices in some 15,000 networked groups.

Decisions on who gets waivers are made by colonels or generals who have been granted that authority for their installations, brigades or other units, Pentagon officials said.

If your local bank is anything like mine the USB ports on all the computers are crazy glued shut. All IT maintenance is done on the network which maintains strict records and protocols governing who is accessing what. Banks have to be as secure as possible. The military get to talk about it. Congressional multitasking is chewing gum and checking online banking to see if the check has arrived from your favorite lobbyist.

I have no doubt that in the Pentagon’s system – left in the hands of people whose qualification is rank rather than ability – having a computer on your desktop with flash drive access has already become a sign of status. You’re too important to be regulated by geeks.

Glowing polymer detects explosives


William Dichtel and Deepti Gopalakrishnan

Detecting bombs in places such as airports could be getting easier, thanks to a new fluorescing polymer. While you might expect the material to glow in the presence of explosives, they actually cause it to stop glowing.

The polymer was developed at Cornell University by chemist William Dichtel and his graduate student, Deepti Gopalakrishnan.

Ordinarily, its random cross-linked structure lets it absorb light, transport the energy through itself, and ultimately release that energy back out as light. Should the energy meet up with even a single molecule of explosive as it moves through the polymer, however, it will be released as heat instead of light. This causes the polymer to promptly cease fluorescing.

It is now hoped that the polymer could be incorporated into low-cost hand-held sensors, which could be used with or instead of bomb-sniffing dogs.

This is definitely better than using X-Rays to peer beneath my underwear.

Congress starts gutting the law prohibiting their insider trading


Obama signing the STOCK Act, last year. No fanfare, this week, for the change that hides transactions.

The legislative process on Capitol Hill is often slow and grinding. There are committee hearings, filibuster threats and hours of floor debate. But sometimes, when Congress really wants to get something done, it can move blindingly fast…

A year ago, President Obama signed the Stop Trading on Congressional Knowledge Act into law at a celebratory ceremony attended by a bipartisan cast of lawmakers…

The law wouldn’t just outlaw trading on nonpublic information by members of Congress, the executive branch and their staffs. It would greatly expand financial disclosures and make all of the data searchable so insider trading and conflicts of interest would be easier to detect.

On Monday, when the president signed a bill reversing big pieces of the law, the emailed announcement was one sentence long. There was no fanfare last week either, when the Senate and then the House passed the bill in largely empty chambers using a fast-track procedure known as unanimous consent.

In the House, Majority Leader Eric Cantor, R-Va., shepherded the bill through. It was Friday afternoon at 12:52. Many members had already left for the weekend or were on their way out. The whole process took only 30 seconds. There was no debate…

“There were particular concerns about risks for those who either travel overseas on government business or work overseas,” says Carol Bonosaro, president of the Senior Executives Association, who represents many of the 28,000 executive branch employees.

An independent study said there were also risks of identity theft, which she says the new law helps avoid…

The White House cited the independent report in explaining why the president signed the bill. And a spokesman for Cantor said the House and Senate were simply following recommendations of the study.

…Two major elements of the law remain. Insider trading is illegal, even for members of Congress and the executive branch. And for those who are still covered by the now-narrower law, disclosures of large stock trades are required within 45 days. It will just be harder to get to them.

Eric Cantor and his bubbas proved that legal chicanery is still the fastest and easiest thing to get through Congress. Making it difficult for voters to see what their elected representatives and staff are doing in bed with lobbyists is the opposite of transparency.

The president could have vetoed the bill and sent it back to the House and Senate for revisions that would have retained the original purpose – transparency in Congress and online access for voters. He chose to let the bill slide through as is.

I wonder what the next revision will be? After the 2014 elections, of course.