Monday, 5 May 2014

Is my data safe? -- Bruce Schneier

In the April issue of Money, before the story of the Heartbleed bug broke, Money spoke with computer security expert Bruce Schneier, chief technology officer at Co3 Systems and a fellow at Harvard Law's Berkman Center for Internet and Society. Schneier said it is difficult for consumers to protect their data on their own -- a point that Heartbleed has demonstrated all too well.
Is my data safe?
A: Well, that depends ... What does that question even mean?
For example, the recent theft of credit card data from Target -- as well as names, phone numbers, and email addresses -- worries people.
That story is all over the Net, but if your card number was stolen, it didn't cost you any money and you got a new one. Most of the other data is in telephone books. And all of it is for sale, cheap, from data brokers. If the bad guys want that stuff, getting it is easy. It's common information, and not very useful for fraud.
So is there anything about data people should be worried about?
Sure. Pretty much everything you do on the Internet is spied on. I used to say that Google knows more about my interests than my wife does. But actually that's wrong: Google knows more about my interests than I do.
Google knows exactly what I'm interested in and when I'm interested, and Google remembers those things more than I do. Do I remember what I was interested in six months ago? I don't. Google remembers.
What's the danger there?
We think we have a right to private thoughts, and that's increasingly unlikely. That's why the question "Is my data safe?" makes no sense.
The problem isn't security of your data. When you go on Google or Facebook, for example, you say, "Yes, I am open to you spying on me." And I'm talking about legitimate, legal uses.
Take the Nest thermostat, which connects to the Internet. All your heating and cooling data are stored in the cloud, meaning on the company's servers. The company knows when you're home, when you're not.

You might have said, "Well, that's a small company." But Google just bought Nest. Now Google has that data, along with its other data. [Nest's CEO has said that data is used only for Nest services, and that if this changes, users will be asked to "opt in."]
And what can happen when companies have all this data?
Then they can use it for psychological manipulation -- for advertising. That's the fundamental business model of the Internet. Google's profit is the net difference between the value of your data, to them, and the value of the services they're giving you for your data. You are not the customer of Google or Facebook or other free services. The customers are advertisers. The product is you.
Is this just about showing me targeted ads?
The Federal Trade Commission is now looking at what to do about cellphone tracking in stores. You can be surveilled in a store because you're carrying a phone. We've moved into an era when we are always observed.
Is this really spying? If a computer monitors me to send me ads, that's not like a person looking at me.
Someone at Google said having a computer read your email is like having a dog see you naked. And that's sort of what you're asking.

It's a computer -- what's the problem? But then think of the difference between a computer and a dog. You can trust the dog. The dog will never say anything. But a year from now if someone asked the computer what it saw you do, the computer might tell.
What about criminals getting into my data?
There are hacker threats. Compared with the threat of what you give away, they're kind of the background noise, but they're real. Primarily people are stealing data for financial fraud, and the effort is to get account numbers, passwords -- information that can be used for identity theft.
Can I protect myself?
You can do things around the edges, but in the main, not really. And what's interesting is why not really: Most of your data is not under your control.
How can you protect your Gmail? You can't. Google protects it. Google can do a good job or a bad job, but you can't fix it.
That Target hack was interesting because it happened out of Target servers: You as a Target customer could do nothing. It was a wholesale attack: Stealing one credit card is inefficient, so thieves break into a server and steal 40 million.
What are the things you can do around the edges?
You can do things like not putting your passwords in an email. Have good antivirus software. Make sure your software is updated. This is good computer hygiene. But the big threats are not related to those solutions.
Is biometrics, like using your thumbprint to open your phone, safer than using a password?
I wrote a piece on Apple's new fingerprint ID, and I said on the whole this is a good idea. It secures the phone in ways that you'd probably not secure it otherwise. But the neat thing about a password is that if someone steals it, you can make a new one. If someone steals your biometric data, you can't get a new thumb.
You said having a credit card number stolen isn't that big a deal. Why? It feels scary.
Card fraud has been largely solved by credit card companies. They want you to use your cards, so they've made it easy to get problems fixed. Other kinds of identity theft are nastier, like when someone gets credit in your name.
Card lenders are also legally liable for the losses. You've said liability is a key to good security.
We need to put the risk onto the organizations with the power to fix the problem. Congress limited the amount you were liable for credit card fraud to $50. The lender pays the rest. So the people in the position to implement security have the incentive to do so.

As we move into this era where you have less control over security, those who have control should have the liability. If your email provider has lousy security and you suffer privacy loss as a result, you should have legal recourse. That aligns the incentives properly.
Sometimes people seem to shrug off all these privacy concerns. Why?
They're not unconcerned. It's that this is how you live your life. You really don't have a choice. It's hard to live without Facebook or a cellphone. We're dealing with immediate gains vs. long-term, nebulous losses. Those are hard tradeoffs for people.

AOL hack causes zombie spam

Whether or not you use AOL, a recently exposed mass hack of the company's network promises trouble for everybody.

AOL (AOL) users: Hackers stole "a significant number" of email addresses, passwords, contact lists, postal addresses and answers to security questions, the company said in a blog post Monday. Any of the company's 120 million account holders might be affected. Judging by AOL's description of the incident, that total number could well be in the tens of millions. But AOL isn't giving any details about the incident for now.
Non-AOL users: Watch out for spam that looks like it came from you or your friends' AOL accounts.
It's a double whammy that shows just how annoying hackers can be when they loot our contact lists.

Hackers are doing something called email spoofing, and it's making it seem as if long-discarded AOL email accounts are back and sending spam. Emails appear to come from your friend's email address because the "From:" field shows their email address. But this spam is actually coming from someone else. Hooligans know who to send spam to because they have your contact list.
Although the massive hack likely affected untold millions, AOL estimates only 2% of its email accounts are being spoofed so far. So far, AOL has only been able to redirect these spoofed emails into people's junk mail folders.
The situation leaves folks like Mindy Sopher of Raleigh, N.C., feeling hopeless. Two weeks ago, she was approached by a few coworkers at the North Carolina State University who said she was spamming them from an AOL account she hadn't used in years. Curious, she logged in and realized her account wasn't sending anything. The situation soon grew worse. This was the account she used to teach her public speaking class seven years ago -- and her old students were now receiving a flood of one-line emails with questionable links to websites based in Russia and Thailand.
Sopher is overcome by embarrassment and the fear that an unsuspecting ex-student will think the emails are actually from her.
"It's disheartening," she said. "I would hate for something to go off on their computer because of me."
AOL is now asking that all users -- current and former -- change their credentials. It won't stop spoofing, but it'll limit any spillover damage from the larger data breach. Anyone who receives suspicious email is directed to forward the message to
There's little else you can do, but you can tell if your account has been targeted, said Gary Davis at antivirus maker McAfee. If you're getting "mailer daemon" error messages for emails you never sent, and they're not in your email outbox? You're being spoofed.
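The two symptoms described above (a forged "From:" field, and mailer-daemon bounces for mail you never sent) can both be checked from message headers. The following is an added example, not code from the article or from AOL; the sample messages and domains are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (placeholder domains, not real mail).
SPOOFED = b"""Return-Path: <bulk-sender@example.net>
From: "Mindy" <friend@aol.example>
To: victim@example.com
Subject: check this out
Message-ID: <spam-1@example.net>

Hi, take a look at this.
"""

LEGIT = b"""Return-Path: <friend@aol.example>
From: "Mindy" <friend@aol.example>
To: victim@example.com
Subject: class notes
Message-ID: <real-7@aol.example>

Notes from today's session attached.
"""

BOUNCE = b"""Return-Path: <>
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.org>
To: friend@aol.example
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient address rejected your message.
--b1
Content-Type: message/rfc822

From: "Mindy" <friend@aol.example>
To: nobody@example.org
Subject: check this out
Message-ID: <spam-1@example.net>

Hi, take a look at this.
--b1--
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def from_matches_envelope(raw):
    """True when the visible From: domain matches the envelope sender domain.

    From: is chosen freely by whoever submits the message, which is what the
    spoofing relies on. Return-Path is written by the receiving server from the
    SMTP envelope, so a mismatch is a useful (not conclusive) spoofing signal;
    mailing lists and forwarders legitimately differ too.
    """
    msg = email.message_from_bytes(raw)
    return _domain(msg.get("From")) == _domain(msg.get("Return-Path"))


def is_bounce_for_unsent_mail(raw, sent_message_ids):
    """Flag a delivery-failure notice whose bounced original we never sent.

    This is the 'mailer daemon for mail not in your outbox' symptom. Bounces
    that carry no copy of the original are not flagged (nothing to compare).
    """
    msg = email.message_from_bytes(raw)
    local_part = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    auto = msg.get("Auto-Submitted", "").lower()
    if not (auto.startswith("auto-replied") or local_part in {"mailer-daemon", "postmaster"}):
        return False
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the bounced message itself
            return original.get("Message-ID", "").strip() not in sent_message_ids
    return False
```

A real mail client would compare against its sent folder; here `sent_message_ids` stands in for that record.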

AIG cyber insurance covers bodily harm


Who says the digital world and the physical one are separate?

On Wednesday, AIG announced it's expanding its cyber insurance offering to cover property damage and bodily injury. It's a watershed moment. A major insurer is saying the virtual and corporeal are now, in some cases, one and the same.
In a statement, AIG (AIG, Fortune 500) acknowledged the closing gap.
"Cyber risk goes well beyond data privacy concerns covered by stand-alone cyber insurance offerings prevalent in the market," said Tracie Grella, who leads AIG's professional liability division. "The physical risk of a cyber attack or cyber event to property and people is very real."
Researchers have accessed control systems for heart rate monitors, traffic lights, home security apps, swimming pool acid tanks and gondola rides -- none of which had security protocols of any kind built in. Imagine the damage that could be done if the wrong people tinkered with those systems.
The nation's critical infrastructure of utilities -- power plants, water treatment centers, dams, etc. -- runs on cyber platforms. Much of it is Internet-accessible.
The best proof that cyber hacks lead to physical damage actually comes from a U.S. offensive. The United States famously dealt a serious setback to Iran's nuclear ambitions with a cyberattack called Stuxnet that made many of the nation's centrifuges spin out of control.
In another case, Iran is believed to have attacked the Saudi oil company Aramco in 2012, ruining 30,000 computers. The company had to trash three-quarters of its PCs.
The repercussions of a cyber-to-physical hack could be fatal. A dam told to ignore pressure readings could burst. A power plant taken offline could pull the plug on hospitals.
And on a personal level, consider how our cars are essentially computers at this point. The average car has 50 or more microprocessors inside of it. And recent research has shown they're just as hackable as our PCs. If something goes wrong on the highway, it's not like a malfunctioning app you just close. Your life is at risk.
Cybersecurity insurance is a relatively new phenomenon. It's a hedge against getting hacked, which is now seen as an inevitability.
Companies are starting to add cybersecurity insurance to their policies. Most have already bought it or will soon, according to a Ponemon Institute report last year. A survey discovered 31% of companies have a policy, and another 39% are planning to get one. The practice is getting so much attention even the Department of Homeland Security is weighing in.
It makes sense to insure against data breaches, because the cost of those incidents is increasing. Between 2011 and 2012, Ponemon saw the average cost of a data breach in the United States rise from $188 per person to $194. If a massive database with thousands of names gets lost, that quickly gets multiplied.
The Target hack affected as many as 110 million shoppers -- a third of the United States. The Neiman Marcus hack hit 1.1 million customers. The most recent Michaels hack hit 3 million.
The damage in all those cases is monetary: thieves make fraudulent purchases, customer financial data is exposed and credit cards must be reissued. Target told senators it's investing $100 million to upgrade to a more advanced credit card system to avoid a repeat of last year's debacle.
But physical damage is seen as the next big liability. AIG didn't come up with this idea on its own. The company said it's responding to concerns from power plants, oil companies and hospitals.

Smart Home Kits Easily Hacked

After installing a smart home kit, you can control and monitor your house in many ways. Turn the air conditioner on before you get home, make sure doors and windows are closed, switch lights on and off; these are just a few of the possibilities. However, researchers at AV-Test found some smart house kits to be extremely lax in their security. A back door in the software might literally let a crook remotely open your back door!
They evaluated seven products with a variety of different functions, and found some real klunkers. AV-Test is in Germany, and the selection of products for testing has a distinct European slant, but I have no doubt they'd find similar results testing smart home kits more commonly sold in the US. A talk at last year's Black Hat conference revealed some serious problems with the popular WeMo Home Automation System from Belkin, for example.
Good News and Bad
Three of the seven products were clearly designed with security in mind. All three use encrypted communication, and all three require active authentication for access. The researchers couldn't find any way that an external attacker could gain access, and the secure remote control feature for all three was thoroughly locked down.
Two of the remaining four use no encryption, and are therefore vulnerable to any malware that may have infiltrated the local network. Worse yet, the other two proved susceptible to manipulation across the Internet.
What Could Happen?
If malefactors can take over your system remotely, the consequences depend on just what sort of smart house features you've installed. If they're just plain nasty, they could turn off your heat to freeze your pipes. More likely, they could use the monitoring feature to determine when nobody's home; a perfect time for a burglary! In the worst case scenario, they might even be able to unlock the house or turn off the alarm system remotely.
The report also speculates on the possibility that hackers might effectively take the connected devices hostage and demand payment before releasing them. I'm not so sure about that one; it seems to me the victim could simply disconnect the smart home components. It also suggests that "minimally protected smart home devices will therefore soon be ambushed by Trojans that...will not hide in the PC, but, for example, in the smoke detector's memory."
If you're considering installing a smart home system, or otherwise connecting your appliances and devices into the "Internet of Things," you'll definitely want to read the full report.

What Does Your Security Suite Know About You?

You installed that security suite to protect your computer, and your privacy, but just what is it reporting to its maker? Could your suite itself be a security risk? A pair of German computer magazines commissioned AV-Comparatives to find out. Their results are now publicly available, and the report makes interesting reading.
Data Sources
To start, the researchers loaded 21 popular security suites onto test PCs and analyzed their network traffic, looking at just what data was sent. The report notes that "in some cases" the data was encrypted, so they couldn't read it. That's as it should be, but it implies that in other cases the data was not encrypted. Alas, the report doesn't identify which those were.
They also perused the End User License Agreement (EULA) and privacy policy supplied with each product. These documents should spell out exactly what data the program may send back to its maker.
As a final step, they sent a detailed questionnaire to each vendor, though they gave the other two data sources more weight than the results of the questionnaire. The report notes that in some cases the vendors didn't answer particular questions, for various reasons. "We understand that too much transparency might be useful for criminals," noted the report. "We thus accept that vendors cannot provide us with any information that could compromise security."
What Do They Share?
There's quite a lot of variation in the amount and type of information shared by the various vendors. They all necessarily share the product version, in order to stay up to date, and that's perfectly reasonable. Almost all of them assign each installation a unique identifier, so they can aggregate information from a specific machine without necessarily identifying the user.
And yet, the system information shared by many of the products might well identify the user. Almost half of the products share the Windows username, which in many cases is the user's full name. Well over half transmit the computer name. Hmm, maybe I shouldn't have named mine "Neil's Computer".
Many security functions must send additional information about your computer usage. A product whose features include a vulnerability checker will necessarily send the version numbers of installed third-party programs, for example. Phishing protection and parental control components may transmit every URL you visit. And any antivirus that includes a cloud-based detection component will have to send file hashes, or in some cases, whole files that are suspect.
Burning Questions
It's conceivable that a security vendor could be required by government agencies to turn over the data they've collected on a particular user. Different jurisdictions have different laws in this area, so knowing where the data is stored can be quite important. Nine of the tested vendors store their data in the European Union, seven in the United States. The EU has stricter privacy laws, so this is significant. There was also one in Russia (Kaspersky) and one in South Korea (AhnLab). Three vendors declined to state where their data is stored.
Here's something I hadn't thought of. It's conceivable that, under a court order, a vendor could be forced to deliver a "special" update to specific user IDs, perhaps to monitor terror suspects. 13 of the vendors said no, they never do this. The rest declined to answer, which is slightly unnerving.
In truth, your security suite absolutely needs to send quite a bit of information back to its home base in order to do its job. The report offers full details about each vendor's data collection. My biggest takeaway is that you should actually read the EULA and privacy policy for your security suite, and opt out of any data collection that isn't required for security. To make checking EULAs simple, the report concludes with EULA links for the vendors who make those available online.

Attackers Use Microsoft Security Hole Against Energy, Defense, Finance Targets

A security vulnerability that affected all versions of Microsoft's Internet Explorer browser took on added urgency because the company had stopped supporting its Windows XP operating system. 
SAN FRANCISCO — By the time Microsoft warned customers of a nasty security hole in its web browser Saturday, a sophisticated group of attackers were already using the vulnerability against defense and energy companies, according to FireEye, the security company.
Things went from bad to worse over the weekend. FireEye’s researchers watched as the attackers shared their exploit with a separate attack group, which began using the vulnerability to target companies in the financial services industry, according to Darien Kindlund, the director of threat intelligence at FireEye.
Even after Microsoft issued its advisory on Saturday, Mr. Kindlund said, “There was a notable increase in proliferation.”
Soon, the attackers were using the vulnerability for so-called watering hole attacks, in which hackers infect a popular website with malware, then wait for victims to click to the site and infect their computers.
Mr. Kindlund said FireEye believed the two attack groups were nation-state sponsored. While he said the company did not yet have conclusive evidence, based on the groups’ previous campaigns it was believed they were operating from China.
The vulnerability affected all versions of Microsoft’s Internet Explorer web browser. Only those who had configured their browsers to run in enhanced protection mode were protected.
The situation took on added urgency because Microsoft stopped supporting its Windows XP operating system last month, meaning that any devices running Windows XP would be permanently vulnerable to attack.
Typically in its regular upgrade cycle, Microsoft waits to issue security fixes on the first Tuesday of every month — what system administrators call “Patch Tuesday.” But given the gravity of the hole, Microsoft raced to issue a patch Thursday and decided to update Windows XP systems as well.
“The security of our products is something we take incredibly seriously,” Adrienne Hall, the general manager of Microsoft’s Trustworthy Computing project, said in a statement on Thursday. “When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all customers.”
The timing of FireEye’s discovery was fortuitous for the company, whose stock has tumbled 40 percent since a finding last month by NSS Labs, an independent research company, that FireEye’s breach-detection systems underperformed similar offerings by Cisco Systems, Trend Micro and General Dynamics. NSS Labs actually issued a grade of “caution” to customers using FireEye’s web and email malware protection systems.
The findings set off an unusual back-and-forth online between NSS Labs and FireEye. Responding to the report in a blog post, Manish Gupta, FireEye’s senior vice president for products, said NSS Labs’ test environment did not match the real threat landscape. NSS Labs’ researchers responded in a blog post of their own — titled “Don’t Shoot the Messenger.” 
FireEye’s stock, which had been trading at $65 before the NSS Labs report was released, has been tumbling and closed near $40 Thursday.
Mr. Kindlund, of FireEye, said this week’s discovery of the security hole in Internet Explorer was proof that isolated tests did not reflect real-world threats. A separate finding by NSS Labs released in March had found that Internet Explorer was more secure than Google’s Chrome and Apple’s Safari browser.
“Look, we’re focused on protecting and defending against real-world attacks,” Mr. Kindlund said. “It’s hard to model and test for that in any controlled way. Clearly, there’s a disconnect between what’s happening in the real world and what’s currently being tested.”

Hackers target Windows XP users with Internet Explorer attacks

Hackers are leveraging a zero-day vulnerability in Microsoft's Internet Explorer (IE) web browser to target Windows XP users with an advanced cyber attack.
Researchers from FireEye uncovered the attack and listed it as being a part of a wider campaign, codenamed "Operation Clandestine Fox". FireEye reported uncovering the IE vulnerability earlier this week.
The vulnerability affects IE6 through IE11 and can theoretically be used to exploit machines running Windows XP, 7 and 8.1. The original Operation Clandestine Fox attacks focused on targeting Windows 7 and 8.1 machines running IE9 through IE11. The new attacks target Windows XP machines running IE8.
Threat intelligence manager at FireEye Darien Kindlund told V3 the attacks have the same end goal as the earlier Windows 7 and 8 raids and are designed to infiltrate businesses involved in critical infrastructure areas.
"The XP attack is identical to the previously discovered vulnerability," said Kindlund. "It lets attackers gain remote access to compromised systems, and it appears to be used in targeted attacks against [the] defence, finance, and energy sectors."
The attacks' discovery comes just after Microsoft released a patch plugging the IE vulnerability which included a fix for Windows XP users. The fix comes less than a month after Microsoft officially ceased support for its decade-old Windows XP operating system (OS). Microsoft said the XP fix is a one-off, promising it will not release any further patches for the OS.
Kindlund told V3 the advanced nature of the attack makes tracking its origin difficult, but FireEye is operating under the assumption that it's state sponsored. "We don't have definitive evidence to link the attackers to a particular country of origin; however, we believe these attacks were sponsored by at least one nation state," said Kindlund.
State-sponsored cyber attacks have been a growing concern within the security community with new campaigns believed to be government funded and appearing on a near-monthly basis. For a look at the most dangerous state-sponsored cyber attacks check out V3's top 10 guide.