Tuesday, 6 May 2014

Dropbox and Box users warned of major link-sharing privacy flaw

Browser address bar with mouse cursor
Users of Dropbox and Box cloud services have been warned that generating links to share information with others can put sensitive data at risk through several basic flaws. Dropbox has already suspended this function while it rushes to fix the issue.
The flaws relate to links that users of the services can generate to share a document with a trusted source. The issues were uncovered by a rival of the two firms, Intralinks, during some research into a Google Adword campaign it was running.
During this work, Intralinks uncovered simple ways in which the links were easily accessible and allowed the documents that had supposedly only been shared between trusted sources, to be viewed by third parties.
The firm was able to access reams of sensitive data in this manner such as tax returns, bank records, mortgage applications, blueprints and business plans.
The flaw worked in two ways. Firstly, if the document contained a link within the text to a website, such as Intralinks, the referral data for that website would store the link of the document. This could then be clicked on, and the entire document would be visible.
Secondly, if a user put the link for the shared file in a search engine, rather than the URL bar, then the Google AdWords campaign Intralinks had running would gather this as a relevant search term, again making the document accessible.
John Landy, the chief security officer at Intralinks, wrote in a blog post that the flaw was a “disturbing privacy problem” and said web users should be wary of free storage services.
“To be clear, we gained access to files because users of file-sharing applications often aren’t taking simple precautions to safeguard their data. When used this way, all file sharing apps are potentially vulnerable,” he wrote.
“When using file-sharing apps, many people fail to use basic security features and take few precautions with even highly sensitive financial data. In addition, many mingle personal data along with confidential company data, with no security in place."
In response to the issue, Dropbox said in a blog post that it has fixed the problem for any links now created, but that existing links shared in this manner have been disabled, which it acknowledged was not an ideal scenario.
"For all shared links created going forward, we’ve patched the vulnerability. For previously shared links to such documents, we’ve disabled access entirely until further notice," Dropbox said.
"We realise that many of your workflows depend on shared links, and we apologise for the inconvenience. We’ll continue working hard to make sure your stuff is safe and keep you updated on any new developments."
V3 contacted Box for comment on the flaw, but had received no reply at the time of publication.
Intralinks' Landy said firms should make sure employees are fully trained on which services are safe for corporate use and how to keep data secure.

“The bottom line is that it’s really up to employers to train, supervise and enforce appropriate workplace policies to prevent company data from finding its way into these products where sharing is unsecured."
The cost of data breaches was revealed by government research to be as high as £1.15m per incident, as firms face numerous threats to their data.

NSA and Google email chats reveal close work on security

The NSA and Google know each other
Key leaders at Google and the National Security Agency (NSA) have been emailing one another directly regarding work on key security issues, it has been revealed.
Emails between Google and the NSA were revealed by Al Jazeera, which showed conversations between NSA director general Keith Alexander and Google chiefs Sergey Brin and Eric Schmidt.
The paper reports that while Google claims only to have dealt with the NSA in official ways, emails suggest otherwise and show the web firm being invited to sessions hosted by the security agency in very informal tones.
"The meeting discussion will be topic-specific, and decision-oriented, with a focus on Mobility Threats and Security," wrote Alexander in an email to Schmidt. The email adds that the meeting was to be a follow-up that would allow the two parties to talk more.
"About six months ago, we began focusing on the security of mobility devices," added the agency director.
"A group (primarily Google, Apple and Microsoft) recently came to agreement on a set of core security principles. When we reach this point in our projects we schedule a classified briefing for the CEOs of key companies to provide them a brief on the specific threats we believe can be mitigated and to seek their commitment for their organisation to move ahead ... Google's participation in refinement, engineering and deployment of the solutions will be essential."
Schmidt responded positively, despite not being able to attend.
"General Keith.. so great to see you.. !" he wrote. "I'm unlikely to be in California that week so I'm sorry I can't attend (will be on the east coast). Would love to see you another time. Thank you!"
Brin was also asked to attend, but also could not. Al Jazeera suggested that he has an equally good relationship with Alexander, and again it produced email content as evidence. Also in that email is evidence that other Google staffers, including Android security professionals, are involved.
"I ... really appreciate Vint Cerf [Google's vice president and chief internet evangelist], Eric Grosse [vice president of security engineering] and Adrian Ludwig's [lead engineer for Android security] contributions to these efforts during the past year," wrote the director in a mail to Brin.
"You recently received an invitation to the ESF Executive Steering Group meeting, which will be held on January 19, 2012. We will also discuss some of the threats we see and what we are doing to mitigate those threats ... Your insights, as a key member of the Defense Industrial Base, are valuable to ensure ESF's efforts have measurable impact."
When asked for comment on this, Google pointed V3 towards the statement it gave Al Jazeera, explaining that yes, its high-ups have attended NSA sessions.
It said: "We work really hard to protect our users from cyber attacks, and we always talk to experts - including in the US government - so we stay ahead of the game... It's why Sergey attended this NSA conference."
Google has regularly tried to distance itself from the NSA and PRISM stories, and last year in a legal filing it complained about media reports that link the two parties and bemoaned its lack of power to respond to allegations.
"Google's reputation and business has been harmed by the false or misleading reports in the media, and Google's users are concerned by the allegations," the web giant said in the filing.
"Google must respond to such claims with more than generalities. Moreover, these are matters of significant weight and importance, and transparency is critical to advancing public debate in a thoughtful and democratic manner."

Target CEO steps down after data breach

Resignation letter
The chief executive of US retail giant Target, Gregg Steinhafel, has stepped down from the company in the wake of a high-profile data breach that hit the company last year.
The data attack last year affected some 70 million customers, after hackers broke into Target's systems and stole customers' credit and debit card numbers, card expiration dates and debit card PINs. The data was later found being offered for sale by Eastern Europe hackers.
The board of the company said Steinhafel had handed in his notice voluntarily and thanked him for his service over the years, noting the work he had done during the data breach crisis.
“The board is deeply grateful to Gregg for his significant contributions and outstanding service throughout his notable 35-year career with the company,” it said.
“Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company. We are grateful to him for his tireless leadership and will always consider him a member of the Target family.”
Despite the positive statement, the breach caused a lot of negative publicity for the firm and served to underline the cyber threats faced by major companies and the pressure that can fall on senior executives if a major security breach occurs on their watch.
Target chief information officer (CIO) Beth Jacob resigned from her role after the breach. Bob DeRodes was announced as her replacement last week. He has previously worked in key roles at US firms including CitiBank, First Data, Home Depot and Delta Air Lines.
Recent government data showed the average breach costs a company £1.15m per incident.

NSA gets cryptic with coded job ad in Twitter post

The US National Security Agency (NSA) posted an intriguing message on its Twitter account over the weekend, in a novel way to appeal to those who have an aptitude for cracking codes and ciphers.
Usually the NSA's careers Twitter account posts up short, bland opportunities for applications, but this one is very different.

It is very obviously a cipher, and looks a lot like one that uses substituted letters. The question mark is something of a clue and suggests that the NSA is happy to leave such hints.
There are various ways and means of cracking substitution ciphers and one of them is to start with the letter E - the most commonly used of English letter characters, and work back from that.
You can do this manually, automatically or in your browser using Javascript. The end result should be the same, the time spent working on the solution may differ radically though.
We can confirm that the advert is not actually a job ad, but is more of a knowing wink in the direction of people that like codes and ciphers, want a job with the NSA, and are not Edward Snowden. You can see the solution to the NSA code puzzle in this YouTube video.
Last year the UK agency GCHQ carried out a similar experiment to help it in its search for the next Alan Turing. At the time GCHQ's head of resourcing, Jane Jones, said that modern threats require new ways of finding talented people to help crack complex codes.
"We want employees who have evolved with the ever-changing digital world and therefore have the right skills to combat these challenges," she said at the time. "It's a puzzle but it's also a serious test - the jobs on offer here are vital to protecting national security."

Target breach: How things stand

target where things stand Target's CEO stepped down as the company deals with a challenging turnaround since the massive data breech.
The resignation of Target CEO Gregg Steinhafel is the culmination of months of turmoil at the discount retailer.
Target's business and image took a beating after a massive data breach occurred in the 2013 holiday shopping season, exposing personal data of about 110 million customers who had used their debit and credit cards at the store.
In the aftermath, several states and the federal government launched criminal investigations into the company. Target executives testified before Congress and multiple lawsuits were filed.
Customers also stayed away, hurting sales. And Target spent $61 million in the final months of 2013 addressing the breach.
The company has been fighting to reclaim its reputation, but still has multiple issues looming. Here's how things stand:
Investigation is ongoing, no arrests yet: Earlier this year, Attorney General Eric Holder told a Senate committee that his office was joining the investigation into the Target data breach. The Secret Service and several states also said they were investigating. No arrests have been made so far related to the hacker data breach.
Brian Krebs demystifies today's hacker
New cards aim to protect customers: Target (TGT, Fortune 500) inked a deal with MasterCard to bring a more secure version of its credit cards to stores by September. The cards will be enabled with computer chips and require customers to type in a PIN, which would prevent the mass theft of personal information that occurred at Target.
Target shakes up executive ranks: The breach led to the resignation of the company's chief information officer and the creation of two new positions: chief information security officer and a chief compliance officer. As chief information officer, it named Bob DeRodes, formerly a technology adviser to various U.S. government agencies including the Department of Homeland Security and the Justice Department. Target said it is looking externally to fill all positions in its information security division.

Lawsuits pending but big payout could loom: Approximately 100 lawsuits -- including class action suits, suits filed on behalf of banks and suits from shareholders -- have been bundled together and are being presided over by a U.S. District Court judge in Minnesota, Target's home state. It's unclear if Target is on the hook for any big payout.
Rival retailer TJ Maxx (TJX, Fortune 500) had to pay millions in multiple settlements after hackers stole data from around 45 million credit cards of shoppers at its discount stores T.J. Maxx and Marshalls. Among other payments, the company paid $40 million to Visa and the banks that processed credit card payments.
The Consumer Bankers Association recently said the banks have already spent $200 million related to Target's breach.

Chip-based credit cards coming to Target

target credit card
Target learned from its massive hack and will start issuing more advanced chip-and-PIN credit cards early next year.
The company announced it will swap out its current Target REDcards, which only work at the chain, to newer models that are enabled with computer chips and require customers to type in a PIN. It might sound annoying for consumers, but it's a major step forward to preventing the kind of mass credit card theft Target experienced in 2013.
Target (TGT, Fortune 500) is also replacing payment terminals at all 1,797 U.S. stores by this September. It's part of a $100 million investment to better secure its stores.
"Target and MasterCard are taking an important step forward in providing consumers with a secure shopping experience," MasterCard (MA, Fortune 500) executive Chris McWilton said in a statement.

This makes Target the first big retailer to move into the more advanced credit card system, which is already used worldwide but not in the United States.
Most U.S. consumers are unaware of how unsafe and outdated their credit cards are right now. A card's magnetic stripe delivers all your data without hiding anything: your name, credit card provider, card number, expiration date and more. That worked in the 1960s, but it's dangerous at a time when hackers can collect that in bulk.
That's how hackers stole credit card information from 40 million Target shoppers. It's how the Neiman Marcus hack hit 1.1 million customers and the Michael's hack hit 3 million.
Chip-and-PIN credit cards are significantly more secure, because thieves can't easily replicate the card -- and even if they do, they still need to know the victim's secret, four-digit PIN code.
But don't expect Target's move to be a catalyst for other retailers to follow suit. Target is a special case, because it issues its own branded credit cards through TD Bank (TD), and the card doesn't work at any other retailer. That means this upgrade is like a domino that falls all by itself, explained Jason Oxman, CEO of the Electronic Transactions Association trade group. He compared it to how Starbucks (SBUX, Fortune 500) introduced mobile payments. They work at Starbucks, but paying with your cell phone hasn't caught on elsewhere.
Brian Krebs demystifies today's hacker
There are also several barriers delaying a full-blown migration to new credit card technology. Merchants don't want to slow down lines, and forcing customers to type in a PIN could add a few seconds to every order. That adds up and could cost big chains millions of dollars.
"At any quick-service restaurant, the last thing they want you to do is spend another five seconds using a PIN. They don't even require a signature anymore for anything under $25. They want you out of there as fast as possible," Oxman said.
Then there's the massive cost associated with updating payment systems. The National Retail Federation estimates that an upgrade to chip-and-PIN machines and cards will cost anywhere between $25 billion and $30 billion nationwide. Every card needs to be reissued, and 9 million retail terminals would have to be replaced at more than $2,000 each. Shop owners know they'll be better off, but it's not easy.
"It's a very expensive wall to scale," explained Mallory Duncan, the group's lobbyist.
Related story: Target hack is a wake-up call on privacy
The upgrade is bound to happen, though. Every U.S. merchant faces a game-changing deadline in October 2015, when liability for credit card fraud shifts to merchants if they haven't upgraded equipment or banks if they haven't issued new cards.
What might speed the process up is if retailers notice that Target customers who use chip-and-PIN say they feel more secure with that new technology, according to Jeremy Gumbley, chief technology officer of CreditCall, which helps merchants upgrade their credit card systems.
"We're living in a post-Target-hack world. Consumer confidence is dented," he said. "They'll ultimately vote for the technology they feel is safest."

Defense, energy, banks hit by Internet Explorer bug

operation clandestine fox The cyber offensive nicknamed "Operation Clandestine Fox" is being used to attack PCs.
Hackers have attacked the government agencies, defense contractors, energy companies and banks by exploiting the software flaw in Internet Explorer.
That's according to FireEye (FEYE), the cybersecurity firm that revealed the software flaw last week. The company discovered that hackers took advantage of a bug in the Internet Explorer Web browser to secretly take control of computers.
The cyber offensive has been dubbed "Operation Clandestine Fox," and affects all versions of Microsoft's (MSFT, Fortune 500) Web browser.
Microsoft has issued a fix, but FireEye's announcement on Thursday showed there are already victims. FireEye also spotted that hackers are now specifically targeting older computers running on the outdated Windows XP operating system and those using the Internet Explorer 8 version of the browser.
Among those still using Windows XP are the Defense Department, the IRS, and bank ATMs. That's a problem, because Microsoft (MSFT, Fortune 500) has taken its 12-year-old operating system off life-support, ceasing security updates (although it did, in this case, apply an update to Windows XP).
Consider this a wake-up call.
It's easy to ignore Internet security scares, especially when there's a deluge of news about them. In the month of April alone, we were bombarded with news about the pervasive Heartbleed bug, a massive AOL hack and the Internet Explorer glitch.
But there are real world consequences. The Heartbleed bug was used to steal personal information of Canadian taxpayers. The AOL (AOL) hack led to a flood of spam (that could link to infected websites.)
An attack like Clandestine Fox is of the more serious variety -- a cyber reconnaissance mission by a foreign government that reveals weaknesses in industries crucial to the United States' economy, defenses and power. It targeted power plants, banks, government agencies and military technology, which is essentially a precursor for war, said David Kennedy, CEO of security consulting firm TrustedSec.
"They're going after the core critical infrastructure of the United States, so in the event of a war, they can take it down," Kennedy said. "The scary part is that the financial sector and energy are extremely vulnerable."
Internet Explorer bug worst for Windows XP
A typical power plant, for example, makes expensive investments on equipment that's meant to last decades. It's common to find 1970s-era software on turbines, Kennedy said. That's a danger.
"When you have old technology, the defenses they made back then aren't adequate today," he said.
FireEye wouldn't say who is launching the attack, but offensives of this nature are typically conducted by foreign governments. In the past, cybersecurity firms have pointed to China and Iran.

White House Asks For 'Transparency' in Data Collection

privacy issues J.D.Power The White House released a report last week urging companies to be more transparent about how they collect and use customer data. It was silent about the National Security Agency.
The 79-page report, "Big Data: Seizing Opportunities, Preserving Values," examined the data collection practices of companies that collect and store large amounts of consumer information. While the report itself didn't name any names, it appeared to target large data-rich companies such as Google and Facebook, data brokers such as Experian and Acxiom, and online advertising companies.
The authors of the report, led by White House counselor John Podesta, made six recommendations to improve data privacy in the private sector and in government. The report recommended that Congress pass national data breach legislation, extend privacy protections to non-U.S. citizens, and amend the Electronic Communications Privacy Act to be more in line with how technology is currently used. The report also suggested advancing the 2012 Consumer Privacy Bill of Rights, ensuring student data is used only for educational purposes, and ensuring large-scale collection of data is not used in a discriminatory way.
What exactly does that mean?"Consumers deserve more transparency about how their data is shared beyond the entities with which they do business directly, including 'third-party' data collectors," the report said.
Two years ago, President Obama called for a consumer data bill of rights to protect consumers from companies collecting data. The data services industry should have a common website that "lists companies, describes their data practices, and provides methods for consumers to better control how their information is collected and used or to opt-out of certain marketing uses," the report said. The initiative never really gained traction in Congress, but the report recommended the proposal be revived.
Similarly, the effort to enact a national data breach law fizzled before the legislation came up for a full vote. The report said the bills need to be reintroduced.
"A federal law with strong provisions and coordinated enforcement between the federal government and state attorneys general would help alleviate those concerns and promote strong consumer protections," said Gautam S. Hans, a fellow at the Center for Democracy and Technology.
Amending the ECPA is a good idea, as it currently lets law enforcement seize digital communications—namely email—without a warrant. The report recognized that email privacy is critical, and that the law was out of step with how email is currently used, wrote the Electronic Frontier Foundation's staff technologist Jeremy Gillula, deputy general counsel Kurt Opsahl, and activism director Rainey Reitman on the EFF's Deeplinks blog.
"Law enforcement should be required to get a warrant before reading your email, regardless of where it's stored or how long it's been there," they wrote.
Collecting and analyzing large amounts of data can result in individuals being discriminated against when applying for jobs, searching for housing, or obtaining healthcare. The Justice Department, the Federal Trade Commission, the Consumer Financial Protection Bureau, and the Equal Employment Opportunity Commission should proactively make sure this sort of discrimination doesn't become common, the report said.
"We were also glad the report emphasized the dangers of big data when it comes to fairness and discrimination," Gillula, Ospahl, and Reitman wrote.
What the Report Forgot"Despite being a fairly thorough analysis of the privacy implications of big data, there is one topic that it glaringly omits: the NSA's use of big data to spy on innocent Americans," the EFF noted, calling the report "surprisingly silent."
CDT said the commercial collection of data and the NSA's surveillance programs are linked, CDT's Hans said. "To address commercial collection and use of data without discussing the danger of government access is a half answer at best," he said.
Podesta claimed on a press call discussing the report the omission was intentional, because the group's focus was on other sectors, according to the Washington Post. "It's in no way hypocritical" for the White House to talk about data collection issues, he said.

Spy plane causes air traffic chaos, says FAA

A U2 spy plane  
A spy plane used during the Cold War was blamed for computer glitch
A spy plane was responsible for a computer glitch that caused air-traffic chaos in western US states last week, the Federal Aviation Administration has revealed.
The meltdown occurred when software incorrectly thought the plane was on a collision course with other aeroplanes.
The system was overloaded as it struggled to plot new courses for affected aircraft.
Hundreds of planes were grounded at Los Angeles International airport.
While the system was rebooted, dozens of flights were delayed at smaller airports across the area.
Training operations "On April 30 2014, an FAA air-traffic system that processes flight-plan information experienced problems while processing a flight plan filed for a U-2 aircraft that operates at very high altitudes under visual flight rules," FAA spokesman Lynn Lunsford said.
She added the computer system had "misinterpreted" the U-2 as a more typical low-altitude flight and become overwhelmed in trying to make sure its flight path did not conflict with other air traffic in the area.
"The FAA resolved the issue within an hour, and then immediately adjusted the system to now require specific altitude information for each flight plan," she added.
The agency said it had now added more flight-processing memory to the computer system.
The Pentagon confirmed on Monday that an Air Force U-2 spy plane had been conducting training operations in the area, adding that "all the proper flight plan paperwork" had been submitted.
The U-2 was used to fly reconnaissance missions during the Cold War, and there are plans to retire the planes within the next few years.