Tuesday, 26 November 2013

Staying Secure While Traveling Over the Holidays

If you are among the 43 million Americans planning to travel over the next few days, you are most likely not leaving your electronics behind. Make sure you secure your data before you hit the road (or the air).
It may be tempting to catch up on some work, get some holiday shopping done, or just surf the Web while sitting around the airport waiting for your flight. If you have a long list of to-do items to tackle, the hours spent travelling may seem like the perfect time to get started. It's really easy to misplace electronic devices on trips, and the last thing you want ruining your holiday is realizing that all those precious photos and important work files are lost.
Protect the Device
First of all, decide what you really need to take. The fewer devices you are carrying, the smaller the chances of losing or breaking them. Do you really need to take both your work laptop and your personal laptop? Perhaps you will be fine with just your smartphone and don't need to take both your iPad and the Kindle Fire.
Credant Technologies surveyed seven airports—Chicago, Denver, San Francisco, Miami, Orlando, Minneapolis-St. Paul, and Charlotte—back in 2012 and found over 8,000 lost devices. Of those lost devices, 43 percent were laptops, 45 percent were phones and tablets, and the remaining 12 percent were USB drives. Security checkpoints and restrooms were two common places where people left their items. Anecdotal evidence suggests under the seat and the seat pouches are, too.
Whatever you decide to take, make sure each device has a lock or password on it, so that whoever picks it up cannot simply gain access to all your data. If you have the new iPhone, turn on the fingerprint lock; Touch ID still sits on top of a passcode, so pick a strong one rather than the default four digits. For other phones, set an actual PIN or passcode instead of relying only on the "swipe to unlock" screen. For laptops, require a password at login and on wake from sleep, and turn on full-disk encryption (FileVault on OS X, BitLocker on Windows) so that the lock screen is not the only thing between a thief and your files.
For iPhones and Android devices, be sure to take advantage of the anti-theft capabilities provided by Apple and Google respectively. iPhone users should enable iCloud services and familiarize themselves with Find My iPhone. Android users should likewise activate Android Device Manager and learn how to use it. Both of these services let you remotely track, lock, and wipe your mobile devices, keeping you in control of your phone or tablet even after it leaves your hands.
Back Up Your Data, Twice
Before you leave, take the time to back up all the files on the devices. That's ebooks, documents, pictures, videos, everything. This way, if you lose the device, you can reduce some of that angst because the precious data is backed up and just a few clicks away. This is also particularly useful if you are going to be going through customs since there's always the risk the officials may decide to confiscate your electronics.
Do it again before coming home. Back up the pictures you took and the files you created before you head out again. Upload those images and files to Flickr, Dropbox or any cloud storage service of your choice. You can copy the data onto an SD card or USB drive and put it in your checked luggage and hope the airline doesn't lose your entire bag; if you go that route, encrypt the drive first, because a bag that goes missing is also a data leak. I personally like to drop the drive into a padded envelope and mail it home.
If you don't feel like using public cloud services, consider setting up your own personal cloud at home before you leave. You can copy data onto a network-attached external drive, such as Western Digital's My Cloud or even Transporter. This way, you can access the saved data remotely and upload new files while you are still away. Android users should definitely look at our tips on how to back up your Android.
Beware of Public Networks
Beware of public networks, even if they aren't free. You may think you are hopping onto the hotel wireless, or the one belonging to the airport, but it may actually be a rogue network set up to trap unsuspecting users. Invest in a 3G/4G Internet dongle (I have one from Virgin Mobile) for mobile broadband, or take advantage of tethering to piggyback onto your smartphone's data plan. Make sure your personal hotspot uses WPA2 with a strong passphrase before you tether, so that you don't have unknown visitors hopping on and listening in.
Earlier this month, Southwest Airlines announced it will offer gate-to-gate Wi-Fi, and lots of other airlines are expected to follow suit. At $8 per device for all-day in-flight Wi-Fi, it's not the cheapest offering out there, so I would suggest paying for the dongle instead. And remember, just because it's a paid wireless service doesn't preclude an unscrupulous person from eavesdropping on all the traffic flowing on the network. Don't decide to take care of your online banking just because you are on a paid network. If you don't know who else is on that network, it's not secure.
If you really need to use the unknown network, consider using a VPN service such as Editors' Choice CyberGhost VPN or VPNBook. iPhone users should be wary of connecting to any network that requires special configuration, as Skycure demonstrated. If you're on Android, consider using Hotspot Shield VPN to secure your browsing.
Safe travels, and may all your data be secure and backed up! That's something to be thankful for.

Hacking Yahoo Fantasy Football

Each week's Mobile Threat Monday examines one or two Android apps that leak your private data to third parties without your being aware of it, or act as malware and behave in unauthorized ways on your device. This week, we switch gears to look at how hackers can take advantage of legitimate apps and developer mistakes.
"Developers aren't thinking beyond the device" and taking into account how mobile apps interact with the back-end systems, Dan Kuykendall, CTO and co-CEO of NTObjectives, said in his presentation at last week's AppSec USA conference in New York City. He described how he was able to take advantage of programming and design flaws in Yahoo's Fantasy Football app to manipulate the team rosters for other players in his league. He was also able to impersonate other players on the league's message board.
While the presentation focused on the fantasy football app, Kuykendall was quick to note that the issues weren't unique to Yahoo. When developers "trust the device" and assume all transactions coming from the app must have been initiated by the user, that opens up a lot of potential holes where the bad guys can abuse that trust, Kuykendall said. He described previously identified authentication issues in apps such as My Backup Pro and Words With Friends where users could bypass authentication and user verification steps. AP Mobile, a news app, had a SQL injection flaw that could be used to overwrite news headlines on user devices.
If someone stole the physical device or the user's session cookie, it would be easy to impersonate the user.
In his case, all Kuykendall had to do was intercept the session ID identifying the user to the back-end server. Kuykendall found that Yahoo didn't expire session IDs, so once he grabbed this token from other players, he could submit fraudulent transactions on their behalf.
"I was them [other players] as far as the back-end servers were concerned," Kuykendall said.
Kuykendall was able to sniff mobile traffic and collect session IDs for other players in the league during the fantasy football draft because the players all connected to his wireless network. There are plenty of tools available that make eavesdropping on mobile traffic fairly "trivial," he said.
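The two server-side weaknesses described above, a session ID that never expires and a back end that trusts whatever the app sends, can be seen in miniature in the following added example. It is not Yahoo's code or anything from Kuykendall's talk: the session store, the `drop_player` transaction handler, the team names and the owners are all constructed for the demonstration. The fake clock lets the draft-night scenario be replayed deterministically: the attacker records a token off the air, uses it while the victim is still active, tries to reach another player's roster, and then tries again after the victim has gone idle.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Added example; not Yahoo's code. All names and league data are hypothetical.

ABSOLUTE_TTL = 8 * 3600   # a session dies eight hours after login no matter what
IDLE_TTL = 30 * 60        # ... or after thirty minutes without a request


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


class SessionStore:
    """Issues opaque random tokens and validates them with absolute and idle expiry.

    `clock` is injectable so the replay scenario below is deterministic.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        # 256 bits of randomness; never derived from the user id or the device.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def resolve(self, token: str) -> str | None:
        """Return the user owning `token`, or None if it is unknown or expired."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.issued_at > ABSOLUTE_TTL or now - sess.last_seen > IDLE_TTL:
            del self._sessions[token]   # expired: a sniffed copy is useless from here on
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


# Constructed league data: team name -> owner, and each team's roster.
LEAGUE = {"Gridiron Gods": "alice", "Blitz Brigade": "bob"}
ROSTERS = {"Gridiron Gods": ["QB1", "RB1"], "Blitz Brigade": ["QB2", "RB2"]}


def drop_player(store: SessionStore, token: str, team: str, player: str) -> str:
    """Handle a 'drop player' transaction the way a server that does NOT trust the
    device should: authenticate the token, then authorize against the team owner."""
    user = store.resolve(token)
    if user is None:
        return "401 invalid or expired session"
    if LEAGUE.get(team) != user:
        # The app may only ever send its own team, but the server must check anyway.
        return "403 not your team"
    if player not in ROSTERS[team]:
        return "404 player not on roster"
    ROSTERS[team].remove(player)
    return "200 ok"


def replay_scenario() -> dict[str, str]:
    """Draft-night sniffing replayed against the hardened back end with a fake clock."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    bob_token = store.login("bob")   # bob logs in over the attacker's Wi-Fi
    sniffed = bob_token              # attacker records the token from the air
    results = {}
    results["attacker_as_bob_now"] = drop_player(store, sniffed, "Blitz Brigade", "RB2")
    results["attacker_hits_alice"] = drop_player(store, sniffed, "Gridiron Gods", "RB1")
    now[0] += IDLE_TTL + 1           # bob puts the phone away for half an hour
    results["attacker_after_idle"] = drop_player(store, sniffed, "Blitz Brigade", "QB2")
    return results


if __name__ == "__main__":
    for step, outcome in replay_scenario().items():
        print(f"{step}: {outcome}")
```

The honest part of the result is the first line: within the idle window the sniffed token still works, because expiry only limits how long a stolen token is useful. Keeping the token off the air in the first place is the job of TLS on every request, which the captured traffic in the talk evidently lacked. The 403 shows the separate fix for "trusting the device": the server checks that the session owner actually owns the team named in the request instead of believing the app only ever sends its own team.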
What End Users Can Do
As non-developers, we have to trust that the company releasing the app considered the security implications and built in the safeguards. What we can do is tell companies that security and privacy are a priority for us.
Mobile devices are no longer just for Web browsing, making phone calls, and checking email. The apps provide a very rich user experience where we can compare prices across stores, watch movies and video clips, check our bank balance, and keep up with our obsessions. That said, we should think about how much data we are entering in these apps in the first place, and consider how this data is being transmitted. Kuykendall didn't look at ways to harvest user data or infect mobile devices in his research. Rather, he focused on ways he could impersonate the users to access back-end servers.
Trusting the device is a very common design flaw, and as users, one way we can protect ourselves is to really be careful about where our devices are connecting. Don't hop on any random wireless hotspots with your mobile device and be careful about where you are when using your apps. Researchers have shown how easy it is to set up a "Wi-Fi pineapple" to intercept mobile traffic in malls and crowded areas. Checking your fantasy football team when on the go is one thing, but maybe you can hold off on what you are doing with your banking app, for example.
The issues Kuykendall described weren't in the app itself but in how the app communicated with the servers. It may be worth taking the time to evaluate the benefits of having an app versus not having it. In the end, you may decide to go ahead and install the app, but at least you thought about the risks.

Why Mobile Holiday Shopping is Safe Holiday Shopping

It's almost Thanksgiving, so that means it's almost Black Friday, Cyber Monday, and whatever other events retailers have made up to kick off the holiday shopping season. The convenience of modern technology lets us buy gifts for others, or ourselves, online instead of trampling each other to death in department stores. However, exchanging money online can also put it at risk. Tim "TK" Keanini of network security firm Lancope lists three reasons why mobile devices may be the safest, cheeriest way to shop online this holiday season.
1. Retailer-Specific Apps
Amazon, Target, Walmart, and other big retailers all have their own dedicated mobile apps now. Dedicated apps need dedicated attacks, unlike websites, which can be targeted by general browser attacks. That extra effort required of attackers means these trusted apps are generally less exposed than their website counterparts. Keep in mind, though, that an app still talks to the same back-end servers as the website, so flaws on the server side affect both. While nothing is ever completely safe, even a little bit of extra security can make a big difference.
2. Mobile Sandboxes
Thanks to a practice called "sandboxing," mobile apps have a much more limited level of access than PC applications. To combat malware, mobile apps (and soon Windows 8 apps) are "partitioned in such a way that they have only what they need and nothing more," says Keanini. Mobile apps also tend to do a better job of explaining to users what they access, so users can grant permissions as they see fit. By restricting freedom for themselves, as well as for any malware that might infect them, mobile apps give more freedom and safety options to the user.
3. App Legitimacy
While some may decry the walled garden approach of mobile app stores, the truth is that the high levels of authority and oversight from Apple and Google have made mobile apps much safer for end consumers. Being able to easily trace software back to its authors has made identifying and eliminating potential threats much easier, while making the App Store and Google Play Store more legitimate overall. Of course, this only applies to phones that aren't jailbroken or rooted.
Thanks to their superior security, Keanini suggests shoppers switch to mobile devices for online banking and financial account auditing as well. Of course, that applies only when connected to a secure, trusted network. Despite these advantages though, mobile shoppers still aren't completely safe from cyber criminals. With mobile becoming a larger market every day, more hackers flock to it making mobile security more important than ever. Still, if you want to shop safer this holiday season, consider using your smartphone or tablet instead of your desktop or laptop.

Congress Draws Battle Lines Over NSA Phone Snooping Program

In the wake of revelations about the National Security Agency's domestic surveillance programs over American phone records and Internet activities, Congressional leaders are demanding reform to rein in the agency's broad powers.
"The constant stream of disclosures about U.S. surveillance since June has surprised and appalled me as much as it has the American public and our international allies," Rep. Jim Sensenbrenner (R-Wis), the original author of the Patriot Act, said recently. Sensenbrenner has argued that the Patriot Act was never supposed to give NSA the powers it has claimed to collect domestic telephone records.
The question remains, however: exactly how far will these reforms go?
Sen. Dianne Feinstein (D-Calif), chair of the Senate Intelligence Committee, has introduced a bill that codifies the NSA's bulk phone records program into law so that there are statutory rules regulating what the NSA can do. In contrast, Sen. Patrick Leahy (D-Vermont), chair of the Senate Judiciary Committee, has teamed up with Sensenbrenner to introduce a bill that would ban the program altogether.
Endorse Surveillance
Even as large-scale surveillance draws fire, Feinstein has defended the NSA's bulk phone call records collection program as a "vital national security program." Her bill would explicitly authorize the NSA to collect Americans' phone records in bulk, including information such as the phone numbers called, the time of the calls, and the duration of each call. However, the bill explicitly states the NSA cannot collect the content of the communications.
The bill also expands the reporting requirements, defines how long the NSA can retain the records, and establishes criminal penalties for misusing intelligence capabilities. The bill, if passed, would also allow the NSA to continue targeting the cellphones of foreign nationals who enter the United States for up to 72 hours without a warrant. Feinstein's bill also would require the posts of NSA director and inspector general to be confirmed by the Senate, in the same way the posts for major government agencies, such as the Federal Bureau of Investigation and Department of Homeland Security are filled.
Sen. Mark Udall (D-Colo) criticized Feinstein's bill as falling short of "real reform" because it "does not go far enough to address the NSA's overreaching domestic surveillance programs."
Shut Down Surveillance
Leahy's bill, the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-Collection, and Online Monitoring (USA Freedom) Act, would shut down the NSA's program. Google, Apple, Facebook, Microsoft, Yahoo, and AOL have stated their support for this bill.
Feinstein's and Leahy's bills are on a collision course as Democrats try to figure out how to tackle the NSA.
Then there is the bill introduced this month by Sen. Al Franken (D-Minn), chair of the Senate Judiciary Committee's Subcommittee on Privacy, Technology, and the Law, which would require the NSA to be transparent about its activities. The Surveillance Transparency Act would require the NSA to disclose to the public how many people have had their data collected under each key foreign intelligence authority. The NSA would also have to estimate how many of those affected are Americans, and how many had their data actually looked at by an analyst. The bill would also lift the gag order that currently prevents Internet and phone companies from telling customers how many orders to hand over information they receive from the government, and how many people have been affected by those orders.
The Supreme Court Silent
While debate rages in both chambers of Congress, the Electronic Privacy Information Center (EPIC) filed a petition with the Supreme Court last Friday demanding immediate, final judicial review of the bulk phone records program. The petition claims that a secret federal court, in this case the Foreign Intelligence Surveillance Court, improperly authorized the government to collect those domestic telephone records.
Normally, such cases would have to work their way through the lower federal courts, but EPIC's lawyers argued "exceptional ramifications" to justify the petition. The Supreme Court declined without comment on Monday to review EPIC's petition. If EPIC wants to pursue the lawsuit, the privacy rights group will have to go back to the lower courts. There have been other lawsuits against the NSA, but thus far the cases are all either pending or have been rejected.
The President has suggested "appropriate" changes were necessary to the program to restore trust from Americans and foreign allies. "Just because we can get information doesn't necessarily always mean that we should," he said at a news conference in Russia recently.
The President has appointed a committee to look into the NSA's current powers and to determine what kind of reforms, if any, are necessary. The committee is not expected to release a report until the end of the year, at the earliest.
For the moment, any curbs on the NSA's powers will have to come directly from Congress, but with only a few weeks left before the end of the year, it remains to be seen which direction the lawmakers will go.

Kaspersky Wins Independent Antivirus Test Trifecta

Your antivirus program needs to protect you against all threats without getting in the way of your day-to-day activities or slowing down performance. Sometimes it seems like there's a tradeoff; if you want the best protection maybe you have to accept a little performance drag. But according to the latest report from AV-Test, Kaspersky has managed to excel in all areas. It earned the maximum possible score overall; first time I've seen that.
In AV-Test's ongoing series of evaluations, products can earn up to six points in each of three categories. The protection category rates how well the antivirus fends off real-world malware. Performance is a measure of how much the antivirus's resource usage slows the system overall. A good usability score means the program flagged few or no legitimate programs and legitimate websites as malicious or suspicious. Kaspersky took the full six points in all three categories.
Jockeying for Position
Only a handful of the two dozen products tested earned the same score as in the previous test, but most changed by just a point or half-point. Avira made the most progress, leaping from 12.0 points last time to 16.0 points this time. It earned better scores in all three categories. ZoneAlarm's score went up two full points, from 11.0 to 13.0.
More programs rose than fell, but one fell impressively. Norton was riding high last time around with an impressive 17.0 points. This time it earned just 14.5, which is not a bad score, but quite a drop. Performance was the main issue. Last time Norton had 5.5 for performance, this time it dropped to 3.5. I'm not sure how to explain that.
K7 didn't drop quite as far as Norton, 1.5 points compared to 2.5, but it crossed a line. To receive certification from AV-Test a product needs to score at least 10 points, with a non-zero score in all three categories. K7 went down to 9, so it missed certification. AhnLab also fell below the certification level.
You can view the full test results on the AV-Test website. I really appreciate the work of AV-Test and the other dedicated, innovative testing labs. Because they do such a good job, I've been able to back off from the most difficult, time-consuming, and downright dangerous of my own hands-on tests. Thanks again, guys!

Hack-a-thon Finds 220 Bugs in Facebook, Google, Etsy

What do you get when you put some hackers in a room and give them a list of target Websites? They go bug-hunting!
That was what happened at Bug Bash 2013, an "internet-wide hack-a-thon" run by Bugcrowd at the AppSec USA conference in New York earlier this week. Approximately 80 people participated over the course of three evenings, and "hundreds" participated remotely over the Internet, said Casey John Ellis, founder and CEO of Bugcrowd. Participants submitted the bugs they identified to Bugcrowd, and the team replicated the conditions leading up to the error to confirm the issue.
The list of targets included companies like Facebook, Google, Etsy, Prezi, and Yandex. The security testers who took part identified over 220 bugs, Ellis said. For the most part, the issues were of the mundane run-of-the-mill variety, including some injection and bypass vulnerabilities.
"I haven't heard about any exotic vulnerabilities, yet, but we are still analyzing our data," Ellis said.
Bugcrowd plans to release more details about the type of bugs uncovered and information about the event at a later date. The San Francisco-based startup runs programs where groups of people work together to find bugs in Websites and applications. Once it confirms that the bugs being reported are legitimate, it handles the process of notifying appropriate vendors.
Bug Bounties
Bug bounty programs are becoming increasingly popular, as companies encourage researchers to submit bug reports to them directly instead of selling them to governments or exploit brokers. When a bug is not reported to the vendor, the buyer can use the vulnerability for their own purposes, and users are left unprotected from the flaw.
Mozilla and Google probably have the best known bug bounty programs, but many other companies now offer some kind of a program (a long, but not complete, list is here). Facebook announced in August that it had paid out a million dollars in bounties over the past two years.
Not all bugs qualify for these programs. For example, Facebook makes it clear that its program covers only issues that "could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure." Microsoft launched a series of prizes recently and was very specific about the kinds of issues it was looking for.
Bug Bash 2013
It's hard to estimate at this point how much the bugs uncovered as part of Bug Bash are worth in total, since bug bounty programs vary so widely in how much they pay. Some programs pay several hundred dollars and others pay several thousand dollars. It's also important to note that each company has specific rules about what they recognize as a bug and what types of issues are covered under the bug bounty program.
Even though 220 bugs were submitted, it's up to each vendor to decide whether the issues qualify for a payout. And even if there is a payout, it's also up to the vendor to decide the amount. However, even if every single one of the 200+ bugs is worth only a few hundred dollars, that isn't bad for a few hours of work over three days.
Facebook representatives were even on hand during the events to give insights into their bug bounty programs as well as to answer questions from the participants.
People who had been in training sessions learning about different techniques were stopping by to take part in the group-hack, said Tom Brennan, a board member for OWASP Foundation and one of the organizers for AppSec USA. People were collaborating while working on targets and asking for help from each other. Finding bugs is not an automated process as it really requires people to think about what they are seeing and adjusting their techniques accordingly. A collaborative environment where people can bounce ideas off each other can be "very effective" for bug-hunting, Brennan said.

Cybercriminals Don't Care Who's Been Naughty or Nice

It doesn't matter which of Santa's lists you're on this holiday season. Cybercriminals want to leave a not-so-sweet present under the tree as they seek different ways to compromise consumers during their shopping sprees. ThreatMetrix revealed possible holiday gift card fraud scenarios that you could fall victim to.
Gift Cards Galore
Gift cards are foolproof presents; it's the gift you can never go wrong with. The National Retail Federation (NRF) even surveyed Americans earlier this year and over 50 percent said they'd like to receive gift cards this holiday. You may consider getting gift cards to relieve driving woes; 12 percent of the shoppers surveyed said they would buy gift cards from gas stations. The NRF projected total spending on gift cards to reach $29.8 billion this season, an all-time high.
Consumers and businesses aren't the only ones excited about gift cards. Cybercriminals eye this industry's boom as a convenient target in the upcoming months. With the soon-to-come high volume of transactions, it's difficult for merchants to detect suspicious activity.
Holiday Woes
Hackers plot holiday gift card fraud schemes that can lead to severe losses for businesses and compromised customer account data. These thieves can illegally gain access to virtual gift cards, known as eCerts, and then purchase goods and services with them. They then resell the goods for profit on auction sites or look for international buyers.
The gaming industry has to watch its back as well; fraudsters will try to take advantage of the industry's expected success this season with the release of the PlayStation 4 and Xbox One. Fraudsters aim to compromise online currency and steal virtual goods, like extra lives and customized features in video games, for personal profit. Cybercriminals can also use stolen credit card numbers to purchase gift cards both online and offline, and sell any physical goods, like electronics or clothing, bought with them.
How Can Companies Wrap Up This Problem?
Businesses need to prepare for the busiest time of year in order to make sure they, and their customers, don't end up as victims of cybercrime. According to ThreatMetrix, because gift card fraud is becoming so prevalent, some retailers have stopped offering gift cards online and only accept cash in-store for gift cards.
Instead of losing revenue this way, businesses would be better off using security solutions. The ThreatMetrix Global Trust Intelligence Network, a collective data repository, helps retailers differentiate authentic gift card transactions from suspicious ones. It can flag questionable transactions as high risk and recommend additional screening for them.
It also may be safer for consumers to shop on their mobile devices rather than ordering virtual gift cards on computers. Minimize the chances of being victim to cybercrime; holiday shopping is already stressful enough.

Why do we need an incident response plan?

Given the constant growth in the number of cyber attacks, it is necessary to properly define the actions that make up an incident response plan.

FireEye published an interesting post on the need for incident response (IR) capabilities to deal with the numerous cyber attacks that hit almost every web service daily.
According to data from the Zone-H.org online database, an average of 100 .co.uk websites are defaced every day. The figure is worrying given that the trend is rising and that in many cases the impact on the security of a wide audience of users is serious.
“Over 95 percent of businesses are already compromised with malware (source: FireEye) but don’t know it... the mindset needs to change from when we are compromised, to we are already compromised and how do we better protect our assets, intellectual property, etc. and mitigate future risks?”
Another point to consider is that the number of targeted attacks has also increased. Spear phishing and watering hole attacks are the principal methods used in state-sponsored hacking operations, and in many cases the attackers exploited zero-day vulnerabilities.
FireEye is one of the most active companies in the security field; in 2013 it detected various zero-day flaws, some of them still not fixed:
Exposure    Reference                      Application
12/28/12    CVE-2012-4792                  IE
01/10/13    CVE-2013-0422                  Java
02/07/13    CVE-2013-0634                  Flash
02/12/13    CVE-2013-0640/CVE-2013-0641    PDF
02/28/13    CVE-2013-1493                  Java
05/03/13    CVE-2013-1347                  IE
09/17/13    CVE-2013-3893                  IE
11/08/13    CVE-2013-3918/CVE-PENDING      IE
The statistics on website security are discouraging: more than 80 percent of websites are vulnerable, while 75 percent of new attacks specifically target the application layer in order to exploit these flaws, according to data provided by US-CERT.
Some sectors appear to be under incessant attack, as is the case for the energy industry and for government networks, both hit by state-sponsored hackers and cyber criminals.
Improving incident response (IR) capabilities is becoming a must for private companies and government agencies. It is crucial to identify cyber threats as soon as possible, and to reach that goal organizations need to define and deploy best practices that mitigate their exposure to those threats.
Another essential factor is information sharing on cyber threats: bodies such as CERTs must fulfill this function, and businesses must receive accurate information about infections in order to adopt a proper mitigation strategy.
Businesses, and in particular every single employee, must have a clear idea of what to do in case of an incident. Roles and responsibilities must be clearly defined, and every action must be carried out in a way that restores normal operations while preserving information useful for the investigation.
Incident response is a critical component of a cyber strategy. It must be accurate and detailed, as it provides valuable guidance in the immediate aftermath of an incident, the moments when it is necessary to preserve as much as possible of an organization's critical assets.
“It’s important to be able to answer the who, what, how, when, and why questions that should be addressed, and critical if it’s a high value computer that has been infected,” the post states.
What are the critical actions for an effective incident response procedure?
  1. Identification: This is the number one issue in the industry today. What should you do quickly when a PC or server has been hit? The quicker you move, the smaller the risk typically is.
  2. Containment: Contain the computer and move it away from production systems ASAP. Most malware infections today spread quickly, for example by using key loggers to capture login credentials and then logging in to other systems such as databases, AD controllers, and other critical systems.
  3. Forensic investigation: Take the time to use a number of open source and commercial tools to understand what happened to the computer system, where the infection came from, what it has accessed, what it did to make itself persistent and survive a reboot, etc., assuming the case merits a forensic investigation.
  4. Remediate/Recover: Get the computer system back online and in production once forensics are complete.
  5. Report: A full review of who, what, when, where, how, and how to avoid this from happening again.
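Steps 1 to 3 above are the ones a script can support, so here is an added example that walks through them on constructed data; it is not code from the FireEye post. The input is a handful of invented Windows-style network logon events (Event ID 4624, logon type 3). Identification looks for the pattern a keylogger-harvested credential produces: one source host authenticating to many distinct hosts within a short window. Containment turns the alert into a list of hosts to isolate, credentials to reset, and downstream systems that need their own triage. The forensic step hashes whatever is collected before it is moved, so the report can prove the evidence was not altered. Host names, accounts, thresholds and the `CROWN_JEWELS` set are all assumptions for the demo.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the FireEye post. Constructed log lines: timestamp,
# event id, logon type, account, source host, destination host. All invented.
EVENTS = """\
2013-11-25T09:00:05 4624 type=3 user=jdoe src=WS-017 dst=FILESRV01
2013-11-25T09:00:09 4624 type=3 user=jdoe src=WS-017 dst=DB01
2013-11-25T09:00:12 4624 type=3 user=jdoe src=WS-017 dst=DC01
2013-11-25T09:00:20 4624 type=3 user=jdoe src=WS-017 dst=WS-042
2013-11-25T09:00:31 4624 type=3 user=jdoe src=WS-017 dst=WS-043
2013-11-25T09:00:44 4624 type=3 user=svc_backup src=BKP01 dst=FILESRV01
2013-11-25T09:01:02 4624 type=3 user=asmith src=WS-022 dst=FILESRV01
2013-11-25T09:03:15 4624 type=3 user=asmith src=WS-022 dst=DB01
2013-11-25T10:15:00 4624 type=3 user=jdoe src=WS-017 dst=FILESRV01
"""

FANOUT_THRESHOLD = 4              # distinct destinations from one source ...
WINDOW = timedelta(minutes=2)     # ... within this sliding window
CROWN_JEWELS = {"DC01", "DB01"}   # hypothetical systems whose compromise escalates the case


def parse(lines: str):
    """Turn the constructed log text into (timestamp, user, src, dst) tuples,
    keeping only network logons (type 3), which are what lateral movement looks like."""
    out = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, _event_id, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        if fields.get("type") != "3":
            continue
        out.append((datetime.fromisoformat(ts), fields["user"], fields["src"], fields["dst"]))
    return out


def find_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Identification: flag a source host that reaches `threshold` distinct hosts
    within `window`. Returns {src: {"user", "targets", "first", "last"}} with the
    window in which the threshold was first crossed."""
    by_src = defaultdict(list)
    for ts, user, src, dst in sorted(events):
        by_src[src].append((ts, user, dst))
    alerts = {}
    for src, rows in by_src.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            targets = {dst for _, _, dst in rows[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = {"user": rows[end][1], "targets": sorted(targets),
                               "first": rows[start][0], "last": rows[end][0]}
                break
    return alerts


def containment_plan(alerts):
    """Containment and scoping: isolate the flagged hosts, reset the credentials they
    used, queue every touched host for triage, and escalate if a crown jewel was hit."""
    touched = sorted({t for a in alerts.values() for t in a["targets"]})
    return {
        "isolate": sorted(alerts),
        "reset_credentials": sorted({a["user"] for a in alerts.values()}),
        "triage_next": touched,
        "escalate": sorted(set(touched) & CROWN_JEWELS),
    }


def evidence_record(label: str, data: bytes) -> dict:
    """Forensics: hash collected material (here `data` stands in for a memory image)
    before it leaves the host, so the report can show it was not altered."""
    return {"label": label, "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}


if __name__ == "__main__":
    found = find_fanout(parse(EVENTS))
    for host, a in found.items():
        print(f"ALERT {host} as {a['user']} -> {a['targets']} ({a['first']} .. {a['last']})")
    print(containment_plan(found))
    print(evidence_record("WS-017-memory.raw", b"constructed stand-in for an image"))
```

In the constructed data only WS-017 trips the rule: five destinations in 26 seconds, two of them in the crown-jewel set, which is exactly the situation the containment step above says to act on before the attacker reaches the domain controller with the stolen credentials. WS-022 touches two hosts three minutes apart and stays below the threshold. The threshold and window are tuning knobs; a backup server that legitimately logs on to many hosts would need an allowlist in a real deployment.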
Based on my personal experience, the trend is to secure the victim organization, while in the majority of cases the actions necessary to collect evidence of the attack and to produce sharable results are ignored. The side effect is a lack of information about ongoing attacks, which is the basis for cyber threat identification and mitigation.
FireEye's experts put it this way:
“The containment and remediation process has up until now been a primarily manual human process, but lots of vendors FireEye partners with today are seeking to redress the balance by automating the containment and forensics parts with software products. The pain is recognized that skilled humans do not scale and sadly not every organization has the budget to spend on this.”
An incident response procedure is essential for small businesses and large organizations alike, regardless of the type of threat and the nature of the attackers.
It is almost impossible to recognize and mitigate every cyber threat, but a mature approach to cyber security is absolutely crucial, and it includes an efficient incident response plan that makes systems resilient enough to survive cyber attacks and recover quickly from an incident.
“Building out an incident response capability is something that should be on your list of actions for 2014!”

The beat goes on: Heartbeat-sensing bracelet Nymi could kill off “PINs, passwords, keys and cards”

Human heartbeats are near-unique – each person’s rhythm forms a mathematical pattern which can be used to identify people. A bracelet which aims to use this for secure ID – instead of passwords and PINs – took a big step towards PCs and phones in the home this week, as 6,000 developers began work on apps for the hi-tech bangle, according to a TechCrunch report.
TechCrunch reports that the Toronto-based start-up Bionym has already pre-sold 7,000 $79 Nymi bracelets. Nymi reads a user’s heartbeat via a miniature ECG, then wirelessly communicates with nearby devices – instantly unlocking PCs, smartphones and sites. Maker Bionym envisages that it could be used to replace “PINs, passwords, and even keys and cards.”
“The Nymi wristband authenticates the wearer’s identity by matching the overall shape of their heartwave (captured via an electrocardiogram sensor). It sustains authentication, so long as the wristband remains in position, reducing the need for repeated authentications during the day,” TechCrunch wrote.
The device will initially work with Android, iOS and Mac OS X devices, its makers say, and will ship in 2014. Since the Toronto start-up unveiled the device, it has produced a white paper explaining the underlying science – and why such devices have been unavailable until now.
The bracelet was announced a few days before Apple unveiled the fingerprint sensor in its iPhone 5S – which helped reignite the debate over biometric security in consumer devices, as reported by We Live Security here.
Stephen Cobb, Security Researcher with ESET, said in a We Live Security report here, when Apple unveiled the fingerprint sensor in its iPhone 5S, that the device could be a “game changer.” Cobb said, “Successful implementation of biometrics in a segment leading product could bode well for consumer acceptance.”
“I have been a fan of biometrics as an added authentication factor ever since I first researched multi-factor and 2FA systems 20 years ago, however, user adoption is very sensitive to performance; in other words the iPhone 5S could advance biometrics, or put a whole lot of people off biometrics.”
Bionym’s Nymi is just one of several “biometric” systems in development, such as Fiberio, an in-development touchscreen that reads users’ fingerprints.
“It was actually observed over 40 years ago that ECGs had unique characteristics,” Bionym chief executive Martin said in an interview with TechHive. “The modern research into practical systems goes back about 10 years or so. What we do is ultimately look for the unique features in the shape of the wave that will also be permanent over time. The big breakthrough was a set of signal-processing and machine-learning algorithms that find those features reliably and to turn them into a biometric template.”
ESET Senior Research Fellow David Harley discusses the advantages of biometric systems in a We Live Security blog post: “The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. Biometrics and one-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”
“The Nymi functions as a three-factor security system,” its makers claim. “It requires your personalized Nymi, your unique heartbeat, and a smartphone or device that has been registered to the app. This system allows for complete security without compromising convenience.”
“When it comes to identity, privacy is a chief concern,” said Karl Martin, CEO of Bionym, “The Nymi has been built by the principles of Privacy by Design. This means that each user has complete control over their data and identity. Transparency is very important to Bionym’s culture, and every user has a right to know where their data is going.”

Bitcoin heist nets cybercriminals $1 million after huge DDoS “smokescreen”

A large-scale “heist” targeting Bitcoin site BIPS led to the theft of $1 million in Bitcoin – the second such major attack this month. BIPS was blasted with a massive DDoS attack two days before the theft on November 15, which the site owners now believe was a smokescreen in preparation for the subsequent attack.
Several Bitcoin “wallet” services have been targeted this month, including Inputs.io and Polish Bitcoin exchange Bidextreme. The Inputs.io heist, reported by We Live Security here, netted attackers more than $1 million.
“BIPS has been a target of a coordinated attack and subsequent security breach. Several consumer wallets have been compromised and BIPS will be contacting the affected users,” the company said in a statement, as reported by Tech World.
Tech World stated that the attacks appeared to be Russian in origin: the company said in a Reddit post that the DDoS attack came from Russian IP addresses as it attempted to block the attack. BIPS has disabled all Bitcoin wallets in the wake of the attack, Mashable reports, saying that 1,295 Bitcoins were stolen.
Speaking on the Bitcoin Talk forums, as reported by SC Magazine, CEO and BIPS founder Kris Henrikson said that the attack targeted ‘web wallets’, designed to store small amounts of the cryptocurrency. “The wallet part of BIPS was a free service to make payments easier for users,” Henrikson wrote. “Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in.”
Bitcoins can be stored in online wallets, but can also be stored offline, which offers more security, or can be stored as a code written down on paper. Henrikson said, “We offered a paper wallet as a cold storage alternative for those who wanted a safe storage solution.”
Henrikson did not say how many users had been affected, but told Mashable, “most of the missing funds were from our company’s own holdings,” adding that, “This is my fifth night without sleep.” Users on Bitcoin Talk were not appeased, demanding to know how many wallets were affected, and accusing BIPS of not communicating adequately.
“We will be contacting all affected users as already proclaimed,” Henrikson said on Bitcoin Talk. “We will need their consent to hand over information to the authorities for further investigation, which hopefully can assist in catching the thief.”

Phish to phry: The Thoughtful Phisher Revisited…

Now the New Year, reviving last Year’s Debt,
The Thoughtful Fisher casteth wide his Net;
So I with begging Dish and ready Tongue
Assail all Men for all that I can get.
(The Rupaiyat of Omar Kal’vin, Rudyard Kipling)
[A much shorter version of this article appeared in the October 2013 Threat Radar Report as 'The Thoughtful Phisher'. As these particular scam/spam campaigns don’t seem to be diminishing, however – indeed, some of the phishing techniques seem to be getting more sophisticated – I thought perhaps it was worth updating and expanding for a wider audience. In fact, I’ve got so many new samples it’s going to take me several blog articles to get them all in, and that’s just the interesting ones.]
New Year is a little way off yet. However, I’ve been interested in the past month or two to see a minor avalanche of phishing scams, most of them targeting users of NatWest, Lloyds and the Halifax (all banks with huge customer-bases in the UK). There’s a pronounced family resemblance between these scams. While the earlier ones mostly point to phishing sites apparently hosted in Poland (*.pl) or Niue (*.nu), the most recent include *.be (Belgium – what would Poirot say???) *.br (Brazil), *.es (Spain), *.cl and *.za (South Africa) domain names. I say “apparently” because domains used for phishing are by no means always authentic, registered domains and there’s no guarantee that these regional suffixes offer any real clue as to the geographical location of the scammer. In any case phishing sites come and go all the time as they’re spotted, blacklisted, and replaced.
On the other hand, if your bank or credit card provider is based in the UK, the chances are that it either has a local domain (*.co.uk) or a (*.com) domain. There may be less obvious possibilities, but an address for a UK bank apparently hosted in South America or Eastern Europe should really ring alarm bells, if only because these are regions particularly noted for phishing activity.
Nevertheless, an apparently legitimate TLD (Top Level Domain) can be spoofed in a variety of ways. That’s why we always recommend that you don’t click on a URL (web address) in any message that could be a phish. Instead, you should be able to navigate from a known, authentic URL. Still, if a URL looks blatantly improbable, that’s a pretty good reason to ignore it immediately and completely.
One way of getting some further insight into the validity of a link is to check the Top Level Domain with a reasonably reliable source like this one. Not only will this tell you in some instances that ‘your bank’ is apparently operating a web site somewhere quite unexpected like the middle of the Pacific, but it may also tell you that there’s something phishy about the email address from which a message appears to have been sent.
  • Why would an English bank send you emails from Peru?
  • Why would any bank send you emails from a domain called boat.com? (Must be a phishing boat…)
  • …Or from parish.net? I know nets are used by phishermen – sorry, fishermen – but clergymen? (I was wondering if it was in good taste to use a ‘phisher of men’ biblical reference here but an article on the phys.org web-site got in first, so the question is academic anyway.)
Oddly enough, while some of the apparent sender addresses in this particular kettle of phish are spoofed – as you’d expect – so as to look as if they were sent from a real domain owned by a phished bank or building society, others make less of an attempt to look like a real bank address. So as well as ‘info@lloyds.com’, ‘onlineservice@nationwide.com’, we have ‘info@nbs.mobi’, ‘secure@lloydsbank.mobi’ and ‘info@lloydsbank.mobi’. These at least sound as if they have some tenuous connection with the banking industry, except that major banks don’t usually sit on the .mobi domain, but ‘info@services.com’, and ‘info@service.mobi’ are almost as generic as ‘info@yahoo.com’ would be. (That’s just an example, not a known phishing address.) Meanwhile ‘info@box.com’, ‘review@dot.com’, and ‘info@be.mobi’ really make no effort at all to sound like a bank.
As we always say, you shouldn’t expect email to be genuine just because it seems to come from [yourbank].com, but you should be even more sceptical if the sender’s address looks the least bit ‘odd’. For instance, a Hotmail or Gmail address: that is, something that doesn’t sound like a legitimate bank email address (like the above-mentioned boat.com). Not that Hotmail or Gmail addresses can’t be legitimate in the right context, but respectable financial institutions can afford to use addresses that are clearly from their own domains.
It’s also worth checking the address that the mail is sent to. If the ‘To’ field is empty, that means it’s been blind-copied, and that suggests that it’s been sent to several recipients. If it’s sent to ‘Recipients’ or ‘Customers’, it’s certainly been sent to many people. And if, despite that, it includes a link that sounds as if it should be personal to you (like one that’s supposed to enable you to log in to fix a ‘problem’) that should certainly tell you that something is very wrong. But you should be suspicious if the mail includes any link, even if it doesn’t look particularly odd. (I know ‘odd’ is rather a broad term, but there are some examples of oddity given below.)
We’d always advise that even if a login link looks OK, it’s safer to go through a URL known to be legitimate, not the one that’s given in an email. Unless, at any rate, you have no doubt at all that the email is genuine (like one you’ve verified with the sender by other means). And in general, any email apparently requiring you to click on a link in the message in order to log in to your account is either fake or sent by a bank that knows so little about phishing that you probably ought to consider banking elsewhere.
Here are some typical (and typically odd) sender addresses along with the subject of the message they accompany. N.B. email addresses can be (and usually are) spoofed, so an address might look much more authentic than these: still, while scammers continue to use addresses that don’t look genuine, they’re worth noting as a potential heuristic. It’s actually unlikely that any email address given here is genuine.
| Address (apparently from…) | Subject |
|---|---|
| NatWest Card Services [info@service.mobi] | REFUND SLATED ON YOUR ACCOUNT |
| Nationwide Building Society [info@nbs.mobi] | Nationwide – Security Certificates Update |
| Lloyds Bank [secure@lloydsbank.mobi] | Lloyds Bank – Existing Customer Notification |
| Lloyds Bank [info@lloydsbank.mobi] | Lloyds Bank – Existing Customer Notification |
| Nationwide [info@box.com] | Nationwide – Resolve Your Account |
| Nationwide [info@services.com] | Nationwide – Upgrade Notification. |
| Halifax [info@halifax.co.uk] | LloydsTSB – Account Upgrade Notice |
| NatWest Credit Card [xx@kio.com] | NatWest Credit Card Security upgrade – Must Read |
| NatWest Card [info@pe.mobi] | NatWest Card – Important Notification. |
| NatWest [server@parish.net] | Natwest Credit Card Online Services Review |
| NatWest [veri@cred.com] | Important Notification On Your NatWest Card |
| NatWest Card Services [info@bt.mobi] | Verify The Error On Your NatWest Card. |
| MINT [service@mn.mobi] | Your MINT Card Important Notification ! |
| Lloyds Bank [sin@resolve.com] | New security notice on your Lloyds account |
| MINT [info@edi.mobi] | Fix The Error On Your MINT Card. |
| MINT [info@large.mobi] | Fix The Error On Your MINT Card Account |
| Lloyds Bank [i@noreply.com] | Account Notification |
| Lloyds Bank [noreply@lloydsonline.com] | Online Customer Identification Requirements |
| NatWest Card Service [card@boat.com] | NatWest Credit Card Security upgrade – Must Read |
| NatWest Card [info@vu.mobi] | NatWest is giving you a chance to shop for free ! |
| NatWest Credit Card [wages@salary.com] | Your NatWest Card Important Notification |
| NatWest Card [info@be.mobi] | NatWest Important Security Notification. |
| NatWest [review@dot.com] | NatWest Card Online Service Review |
| Santander [onlineregistrations@santander.co.uk] | Pending Incoming Credit Notification [or] Pending Credit Alert |
| NatWest [info@lt.mobi] | {NatWest Card Service Secure Message} |
And these are some of the links: on the left is the text you see in the message; on the right is the destination it conceals, unless you’re the sort of professional sceptic (like me) who always hovers the mouse over a link to see where it really goes, even with no intention of following it.
| What you see | What it links to |
|---|---|
| Kindly Click here now. | hxxp://www.enocowanie.net/model/Natwest-Card/ |
| LOG ON HERE | hxxp://rygielska.pl/wp-includes/css/txt.htm |
| Click here | hxxp://drukujfoto.pl/fotogaleria/formularze/xy/rrs.htm |
| click here to avoid services interruption | hxxp://static.teatrwybrzeze.pl/phpThumb/docs/rrs.htm |
| click here | hxxp://succesformule.nu/frm.htm |
| SECURE ACCOUNT | hxxp://www.lebenstraum-immo.de/kickers/images/fbfiles/images/gou.htm |
| click fraud text alert services | hxxp://www.villademerlo.gov.ar/vecino/libraries/wp.htm |
| Resolve Your Nationwide Account | hxxp://www.globalla.pl/views/img/prettyPhoto/default/NATIONWIDE/nationwide.co.uk.htm |
| Click Here to avoid services interruption | hxxp://www.quady-gorzow.pl/images/cms/Natwest-Card/ |
| That was me. | hxxp://www.toiture-antony.lu/ps.htm |
| That was NOT me. | hxxp://www.toiture-antony.lu/ps.htm |
| Yes, I made this request. | hxxp://www.plasticadosonho.com.br/txt.htm |
| No, I did not make this request. | hxxp://www.plasticadosonho.com.br/rrs.htm |
| Resolve Here | hxxp://www.csie.ncue.edu.tw/csie/include/wp.htm |
| Confirm Pending Credit | hxxp://vservetech.com/files/wpThumbnails/error.php |
| Unlock Your NatWest Credit Card Online Services | hxxp://www.bornllibres.com/content/user_images/tiny/mcith/Natwest-Card/ |
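The sender and link heuristics described above, turned into a small triage function. This is an added example, not code from the article or from ESET; it runs over messages assembled from rows of the two tables (the pairing of sender rows with link rows is constructed) plus one constructed benign mail. The bank domain allow-list and the short second-level-suffix table are assumptions for illustration.

```python
"""Heuristic triage of suspected bank-phishing e-mails, following the article's
checks: odd sender domain/TLD, bulk-sent message, subject naming another bank,
and links whose real host is not a domain of the bank the sender claims to be."""
import re
from urllib.parse import urlparse

# ASSUMPTION: illustrative allow-list of domains each bank genuinely sends from;
# a real filter would use the bank's published sender domains.
KNOWN_BANK_DOMAINS = {
    "natwest": {"natwest.com"},
    "lloyds": {"lloydsbank.com", "lloydsbank.co.uk"},
    "halifax": {"halifax.co.uk"},
    "nationwide": {"nationwide.co.uk"},
    "santander": {"santander.co.uk"},
    "mint": {"mint.co.uk"},
}
EXPECTED_UK_BANK_TLDS = (".co.uk", ".com")  # the article's rule of thumb
BULK_RECIPIENT_MARKERS = {"", "recipients", "customers", "undisclosed-recipients"}
# Call-to-action wording typical of the link texts in the article's table.
GENERIC_LINK_TEXT = re.compile(
    r"\b(click|log ?on|log ?in|resolve|confirm|verify|secure|unlock)\b", re.I)
# ASSUMPTION: a few common second-level public suffixes, not the full list.
SECOND_LEVEL_SUFFIXES = {"co", "com", "gov", "org", "net", "edu", "ac"}


def registrable_domain(host):
    """Crude eTLD+1: 'www.globalla.pl' -> 'globalla.pl', 'a.b.com.br' -> 'b.com.br'."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL_SUFFIXES and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def link_host(href):
    """Hostname of a link; the article defangs URLs as hxxp://, so re-arm first."""
    armed = href.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)
    return (urlparse(armed).hostname or "").lower()


def banks_named_in(text):
    """Allow-list keys of every bank whose name appears in text."""
    lowered = text.lower()
    return {bank for bank in KNOWN_BANK_DOMAINS if bank in lowered}


def triage(msg):
    """Return the reasons msg looks like a phish (empty list = nothing odd).
    msg keys: from_name, from_addr, to, subject, links (list of (text, href))."""
    reasons = []
    bank = min(banks_named_in(msg["from_name"]), default=None)
    domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    # Sender checks are weak evidence: the article notes addresses are usually
    # spoofed, so a genuine-looking sender proves little (see the Halifax sample).
    if bank and domain not in KNOWN_BANK_DOMAINS[bank]:
        reasons.append(f"sender domain {domain} is not a known {bank} domain")
    if not domain.endswith(EXPECTED_UK_BANK_TLDS):
        reasons.append(f"sender TLD .{domain.rsplit('.', 1)[-1]} is unusual for a UK bank")
    if msg.get("to", "").strip().lower() in BULK_RECIPIENT_MARKERS:
        reasons.append("bulk-sent: empty or generic To field")
    others = banks_named_in(msg.get("subject", "")) - {bank}
    if bank and others:
        reasons.append(f"sender claims {bank} but subject names {', '.join(sorted(others))}")
    for text, href in msg.get("links", []):
        host = link_host(href)
        # Judge the host, not the whole URL: a bank name in the path
        # (.../NATIONWIDE/nationwide.co.uk.htm) is exactly the trick to ignore.
        if bank and registrable_domain(host) not in KNOWN_BANK_DOMAINS[bank]:
            reasons.append(f"link '{text}' really goes to {host}, not a {bank} domain")
        if GENERIC_LINK_TEXT.search(text):
            reasons.append(f"link '{text}' is a generic call-to-action")
    return reasons


# Samples 0-3 pair sender/subject rows with link rows from the article's two
# tables (the pairing is constructed); sample 4 is a constructed benign mail.
SAMPLES = [
    {"from_name": "NatWest Card Services", "from_addr": "info@service.mobi", "to": "",
     "subject": "REFUND SLATED ON YOUR ACCOUNT",
     "links": [("Kindly Click here now.", "hxxp://www.enocowanie.net/model/Natwest-Card/")]},
    {"from_name": "Nationwide", "from_addr": "info@box.com", "to": "Recipients",
     "subject": "Nationwide - Resolve Your Account", "links": [("Resolve Your Nationwide Account",
      "hxxp://www.globalla.pl/views/img/prettyPhoto/default/NATIONWIDE/nationwide.co.uk.htm")]},
    {"from_name": "Lloyds Bank", "from_addr": "noreply@lloydsonline.com", "to": "Customers",
     "subject": "Online Customer Identification Requirements",
     "links": [("LOG ON HERE", "hxxp://rygielska.pl/wp-includes/css/txt.htm")]},
    {"from_name": "Halifax", "from_addr": "info@halifax.co.uk", "to": "",
     "subject": "LloydsTSB - Account Upgrade Notice", "links": []},
    {"from_name": "Nationwide", "from_addr": "alerts@nationwide.co.uk",
     "to": "jane.doe@example.com", "subject": "Your monthly statement is ready", "links": []},
]

if __name__ == "__main__":
    for m in SAMPLES:
        hits = triage(m)
        print(f"{m['from_name']} <{m['from_addr']}>: {'PHISH' if hits else 'clean'}", *hits, sep="\n   ")
```

Note that the Halifax sample is flagged even though its sender address looks like the bank's own domain: the bulk To field and the subject naming a different bank are what give it away, which is why the article tells you not to trust a plausible sender address on its own.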
In the next article in this series, we’ll look at some specific messages and see what we can learn from them about the kind of social engineering that scammers use.

Surveillance as a Business Model

Google recently announced that it would start including individual users' names and photos in some ads. This means that if you rate some product positively, your friends may see ads for that product with your name and photo attached—without your knowledge or consent. Meanwhile, Facebook is eliminating a feature that allowed people to retain some portions of their anonymity on its website.
These changes come on the heels of Google's move to explore replacing tracking cookies with something that users have even less control over. Microsoft is doing something similar by developing its own tracking technology.
More generally, lots of companies are evading the "Do Not Track" rules, meant to give users a say in whether companies track them. Turns out the whole "Do Not Track" legislation has been a sham.
It shouldn't come as a surprise that big technology companies are tracking us on the Internet even more aggressively than before.
If these features don't sound particularly beneficial to you, it's because you're not the customer of any of these companies. You're the product, and you're being improved for their actual customers: their advertisers.
This is nothing new. For years, these sites and others have systematically improved their "product" by reducing user privacy. This excellent infographic, for example, illustrates how Facebook has done so over the years.
The "Do Not Track" law serves as a sterling example of how bad things are. When it was proposed, it was supposed to give users the right to demand that Internet companies not track them. Internet companies fought hard against the law, and when it was passed, they fought to ensure that it didn't have any benefit to users. Right now, complying is entirely voluntary, meaning that no Internet company has to follow the law. If a company does, because it wants the PR benefit of seeming to take user privacy seriously, it can still track its users.
Really: if you tell a "Do Not Track"-enabled company that you don't want to be tracked, it will stop showing you personalized ads. But your activity will be tracked -- and your personal information collected, sold and used -- just like everyone else's. It's best to think of it as a "track me in secret" law.
Of course, people don't think of it that way. Most people aren't fully aware of how much of their data is collected by these sites. And, as the "Do Not Track" story illustrates, Internet companies are doing their best to keep it that way.
The result is a world where our most intimate personal details are collected and stored. I used to say that Google has a more intimate picture of what I'm thinking of than my wife does. But that's not far enough: Google has a more intimate picture than I do. The company knows exactly what I am thinking about, how much I am thinking about it, and when I stop thinking about it: all from my Google searches. And it remembers all of that forever.
As the Edward Snowden revelations continue to expose the full extent of the National Security Agency's eavesdropping on the Internet, it has become increasingly obvious how much of that has been enabled by the corporate world's existing eavesdropping on the Internet.
The public/private surveillance partnership is fraying, but it's largely alive and well. The NSA didn't build its eavesdropping system from scratch; it got itself a copy of what the corporate world was already collecting.
There are a lot of reasons why Internet surveillance is so prevalent and pervasive.
One, users like free things, and don't realize how much value they're giving away to get it. We know that "free" is a special price that confuses people's thinking.
Google's 2013 third quarter profits were nearly $3 billion; that profit is the difference between how much our privacy is worth and the cost of the services we receive in exchange for it.
Two, Internet companies deliberately make privacy not salient. When you log onto Facebook, you don't think about how much personal information you're revealing to the company; you're chatting with your friends. When you wake up in the morning, you don't think about how you're going to allow a bunch of companies to track you throughout the day; you just put your cell phone in your pocket.
And three, the Internet's winner-takes-all market means that privacy-preserving alternatives have trouble getting off the ground. How many of you know that there is a Google alternative called DuckDuckGo that doesn't track you? Or that you can use cut-out sites to anonymize your Google queries? I have opted out of Facebook, and I know it affects my social life.
There are two types of changes that need to happen in order to fix this. First, there's the market change. We need to become actual customers of these sites so we can use purchasing power to force them to take our privacy seriously. But that's not enough. Because of the market failures surrounding privacy, a second change is needed. We need government regulations that protect our privacy by limiting what these sites can do with our data.
Surveillance is the business model of the Internet -- Al Gore recently called it a "stalker economy." All major websites run on advertising, and the more personal and targeted that advertising is, the more revenue the site gets for it. As long as we users remain the product, there is minimal incentive for these companies to provide any real privacy.

The FBI Might Do More Domestic Surveillance than the NSA

This is a long article about the FBI's Data Intercept Technology Unit (DITU), which is basically its own internal NSA.
It carries out its own signals intelligence operations and is trying to collect huge amounts of email and Internet data from U.S. companies -- an operation that the NSA once conducted, was reprimanded for, and says it abandoned.
The unit works closely with the "big three" U.S. telecommunications companies -- AT&T, Verizon, and Sprint -- to ensure its ability to intercept the telephone and Internet communications of its domestic targets, as well as the NSA's ability to intercept electronic communications transiting through the United States on fiber-optic cables.
After Prism was disclosed in the Washington Post and the Guardian, some technology company executives claimed they knew nothing about a collection program run by the NSA. And that may have been true. The companies would likely have interacted only with officials from the DITU and others in the FBI and the Justice Department, said sources who have worked with the unit to implement surveillance orders.
Recently, the DITU has helped construct data-filtering software that the FBI wants telecom carriers and Internet service providers to install on their networks so that the government can collect large volumes of data about emails and Internet traffic.
The software, known as a port reader, makes copies of emails as they flow through a network. Then, in practically an instant, the port reader dissects them, removing only the metadata that has been approved by a court.
The FBI has built metadata collection systems before. In the late 1990s, it deployed the Carnivore system, which the DITU helped manage, to pull header information out of emails. But the FBI today is after much more than just traditional metadata -- who sent a message and who received it. The FBI wants as many as 13 individual fields of information, according to the industry representative. The data include the route a message took over a network, Internet protocol addresses, and port numbers, which are used to handle different kinds of incoming and outgoing communications. Those last two pieces of information can reveal where a computer is physically located -- perhaps along with its user -- as well as what types of applications and operating system it's running. That information could be useful for government hackers who want to install spyware on a suspect's computer -- a secret task that the DITU also helps carry out.
Some federal prosecutors have gone to court to compel port reader adoption, the industry representative said. If a company failed to comply with a court order, it could be held in contempt.
It's not clear how many companies have installed the port reader, but at least two firms are pushing back, arguing that because it captures an entire email, including content, the government needs a warrant to get the information. The government counters that the emails are only copied for a fraction of a second and that no content is passed along to the government, only metadata. The port reader is designed also to collect information about the size of communications packets and traffic flows, which can help analysts better understand how communications are moving on a network. It's unclear whether this data is considered metadata or content; it appears to fall within a legal gray zone, experts said.
The Operational Technology Division also specializes in so-called black-bag jobs to install surveillance equipment, as well as computer hacking, referred to on the website as "covert entry/search capability," which is carried out under law enforcement and intelligence warrants.
But having the DITU act as a conduit provides a useful public relations benefit: Technology companies can claim -- correctly -- that they do not provide any information about their customers directly to the NSA, because they give it to the DITU, which in turn passes it to the NSA.
There is an enormous amount of information in the article, which exposes yet another piece of the vast US government surveillance infrastructure. It's good to read that "at least two" companies are fighting at least a part of this. Any legislation aimed at restoring security and trust in US Internet companies needs to address the whole problem, and not just a piece of it.

Three 20-Year-Olds Make Their Own WORKING Obamacare Site – In Just Three Days

The Obama Administration has spent multiple years and over $634 million to build the Obamacare website, HealthCare.gov. Despite all of the time and money poured into the site, it still remains broken and glitchy.
Meanwhile in San Francisco, three 20-year-olds were able to build their own Obamacare website that actually works — and they did it in just three days.
Ning Liang, George Kalogeropoulos and Michael Wasser built HealthSherpa.com, which presents the Obamacare marketplace in a much simpler, more effective manner than HealthCare.gov does.

Currently, users must enter all of their personal information into the HealthCare.gov system before even getting a quote. On HealthSherpa.com, however, users only need to enter their zip code to see all of the plans and available pricing.
Liang said, “[The government] got it completely backwards in terms of what people want up front. They want prices and benefits, so that they could make the decision.”
HealthSherpa.com says, “The Health Sherpa is a free guide that makes it easier to find and sign up for health insurance under the Affordable Care Act. We only use carefully vetted, publicly available data.”
The trio claims they made the site to help people — not to make money. Wasser said, “There was no thought of, ‘How do we make money this time?’ It was like, ‘This is a problem that we know we can solve in a really short period of time. So let’s just do it.’”
The 20-year-olds’ project has many scratching their heads. With hundreds of millions of tax dollars at its disposal, why couldn’t the government get it right?

Cyberespionage – Chinese Hackers targeting US Cloud service providers

U.S.-China Economic and Security Review Commission reported for the first time that cloud computing “represents a potential espionage threat.”
Chinese hackers are persistent collectors of sensitive information; their activity is incessant and represents a serious threat to the principal internet services.
According to a congressional commission, Chinese hackers are increasingly targeting high-profile companies, including Google, Microsoft and Apple, to spy on the US.
Last week the U.S.-China Economic and Security Review Commission stated in its annual report to Congress that the Chinese government wages “a large-scale cyber espionage campaign” and “has successfully targeted the networks of U.S. Government and private organizations.”
“Our focus has been on making sure that Defense Department or State Department data, or other government information, is secure,” said William Reinsch, chairman of the commission. “To the extent those entities use the cloud as well, we think that they need to get a better grip on who’s actually providing their services and where their data is going.” “If you allow a Chinese entity to provide cloud services then you’re entrusting them with your data.” “That creates with it certain risks.”
The situation is very concerning: the cloud computing paradigm raises security issues related to the way data are managed by service providers, and clouds also provide attackers with powerful platforms for attacks against strategic targets.
The principal concerns relate to the possible exploitation by Chinese hackers of zero-day vulnerabilities present in cloud architectures; cloud computing technology could also be abused for cyber attacks against military and government networks while ensuring anonymity to the attackers.
The US Government is aware of the constant threat posed by China-based hackers; President Obama’s administration has also tried a diplomatic resolution, asking the Chinese Government in Beijing to adopt the measures necessary to stop cyber-attacks originating from its country, which are estimated to cost the US economy as much as $300 billion a year.
The commission’s report states that China’s Ministry of State Security, which is the country’s main foreign intelligence collection agency, is “closely connected” to a special cloud-computing zone in the city of Chongqing; of course, all the Western companies that use cloud computing services located in the area are exposed to the concrete risk that their data are siphoned off by Chinese intelligence agencies.
“Developments in cloud computing in China may present cybersecurity risks for U.S. users and providers of cloud computing services. The relationship between China’s Ministry of State Security and the Chongqing Special Cloud Computing Zone represents a potential espionage threat to foreign companies that might use cloud computing services provided from the zone or base operations there. In addition, the plan to link 21Vianet’s data centers in China and Microsoft’s data centers in other countries suggests the Chinese government one day may be able to access data centers outside China through Chinese data centers,” states the document.

For the first time, the report explicitly referred to Microsoft as a possible victim of cyber espionage operated by the Chinese government, because the US cloud provider has licensed its products to 21Vianet Group Inc., a Beijing-based company selling online data center services.
It seems that Microsoft licenses its Windows Azure and Office 365 products to 21Vianet, but on Nov. 19 the commission backed away from that assertion because it was based on an incorrect report, called Red Cloud Rising, written by the private U.S. intelligence and security company Defense Group Inc., based in Vienna, Virginia.
In reality, the Chinese company 21Vianet doesn’t have access to “services and datacenters operated by Microsoft outside of China,” according to Doug Hauger, Microsoft’s general manager for China commercial cloud services.
The commission recommends in its report that Congress direct the Obama administration “to prepare an inventory of existing federal use of cloud computing platforms and services and determine where the data storage and computing services are geographically located.” The inventory should be prepared annually, it said.
Opinions on the report are divided: while security and intelligence specialists fear Chinese cyber threats, IT managers believe that the commission’s report could damage a growing industry in China.
China’s cloud computing industry will continue to grow despite the strict control of the Internet operated by the government in Beijing, and is expected to be valued at $163 billion by 2015; many experts believe the IT industry will not be able to seize the opportunity, also in terms of security.