Digital Archives - Page 4 of 8 - Gregory D. Evans | World's No. 1 Security Consultant

Posts Tagged ‘Digital’

FTC’s Digital Privacy Report Has Welcome Recommendations

This article first appeared in the San Jose Mercury News

by Larry Magid

The Federal Trade Commission’s final report on digital privacy contains some very welcome recommendations.

The recently released report, titled “Protecting Consumer Privacy in an Era of Rapid Change,” looks at challenges consumers face in “today’s world of smart phones, smart grids, and smart cars,” as “companies are collecting, storing, and sharing more information about consumers than ever before.” It sets out a framework that would allow consumers to control whether they are tracked online, have better visibility into how information is used by mobile apps and have access to their information being held by data brokers.

The commission isn’t calling for “do not track” legislation similar to the “do not call” law that, in theory, protects us against unwanted marketing calls. Rather, it calls for voluntary industry compliance, which it says is starting to happen through browser-based tools and cooperation from the Digital Advertising Alliance and other players.

Ironically, this voluntary approach may actually work better than the “do not call” law, which makes it a crime for businesses to cold call phone numbers registered at DoNotCall.gov. I’ve registered all my phone numbers, but I still get annoying robocalls trying to sell me carpet cleaning, car insurance and a new mortgage.

The commission’s focus on mobile apps is right on target. Between Google’s Android and Apple’s iOS there are now about a million smartphone apps capable of doing virtually anything with your phone, including tracking who you know (your contact list), where you go (your geolocation) and even who you’re calling and what you’re texting. There have already been several reported cases of both deliberate and accidental disclosure, so government attention to this is certainly warranted.

One area where the commission did call for “targeted legislation” is to address consumers’ lack of control over how data brokers collect and use our information. The amount of information floating around about each of us is staggering. Anyone with a phone, a bank account or a “loyalty” card, such as the one I use to get fairer prices when I shop at Safeway, is giving up information every time they shop, make a call or get on an airplane.

Many years ago — even before the explosion of the Internet — I made a quick and unexpected trip to Los Angeles and realized that I hadn’t told anyone, not even my wife, where I was. But I realized that my cellular company, the car rental company, my credit card companies and the airline knew exactly where I was, as did all the networks and clearinghouses that transmitted and stored data. My credit and debit card companies even knew what I bought and where I was staying and my bank and the bank whose ATM I used had a pretty good idea of how much cash I had in my wallet.

Much of the information from our lives is stored in computers, and some of that is for sale to marketers, insurance companies, employers and even law enforcement — anyone with the money.

The FTC wants Congress to pass a law that would “provide consumers with access to information about them held by a data broker.” The agency is calling for a “centralized website where data brokers could identify themselves to consumers and describe how they collect and use consumer data,” as well as to “detail the access rights and other choices they provide with respect to the consumer data they maintain.”

That strikes me as more than reasonable. Some data brokers (along with all credit bureaus) will sell you access to your own information, but that feels a bit like extortion to me. If it’s my information, it should be available to me at any time, as often as I want, for no cost and without any strings, gimmicks or sales pitches.

I hope the law is more consumer friendly than the Fair Credit Reporting Act (FCRA), which gives consumers the right to an annual free copy of their credit reports from the three major bureaus: Experian, Equifax and TransUnion. It’s a great law but when you ask for your annual report, you’re likely to get a sales pitch, such as the one I got with my free TransUnion report. It offered me “instant access to my FREE credit score” that would cost me $29.95 a month after my “free trial.”

It seems to me that a government mandated program should be devoid of any commercial offers, especially deceptive ones that claim to be “free” but actually cost money if you fail to cancel in time. And why should I have to pay for my “credit score,” which in some ways is more important than the report itself? It’s about me, so it should be completely free and available at any time — not just one report per year per bureau.

So, thank you FTC for outlining a broad approach to transparency when it comes to accessing our own data. Now it’s time for Congress to enact legislation that truly benefits consumers, not just those who profit from our information.

Article source: http://www.safekids.com/2012/03/30/ftcs-digital-privacy-report-has-welcome-recommendations/

View full post on National Cyber Security

Fake YouTube site targeted Syrian activists, digital watchdog EFF says

A fake YouTube site purporting to show videos supporting the opposition in Syria has been taken down after it tried to infect visitors with malicious software, according to digital watchdog Electronic Frontier Foundation (EFF).

The EFF is “deeply concerned about this pattern of pro-government malware targeting online activists in authoritarian regimes,” wrote Eva Galperin and Morgan Marquis-Boire.

Syria, which has been sternly criticised for its brutal treatment of anti-government protestors since an uprising began about a year ago, is known to heavily censor the internet and monitor users.

The fraudulent YouTube page tried to get users to enter their username and password, which in some cases is linked with a person’s Gmail account. The site also tried to get the victim to download a bogus update for Adobe Flash, which was actually Windows malware, the EFF wrote.

The malware then “connects back to an address in Syrian IP space and downloads additional malware, which gives the attacker administrative access to your computer,” the EFF wrote.

The EFF detailed how a user can tell if he has been infected. The organisation recommended reinstalling the operating system if the computer has been infected, since an attacker could have installed other kinds of malware on the machine as well. The EFF said all passwords should also be changed for services accessed while the machine was infected.

Last week, the EFF blogged about a remote access tool called “XTreme RAT,” which was spreading through email and chat programs. The malware could take screenshots and log keystrokes on a victim’s computer, sending the data to a Syrian IP address.

The organisation also noted another remote access tool, Darkcomet RAT, which was reportedly infecting the computers of Syrian activists a few weeks before. That tool could disable antivirus programs, record keystrokes and steal passwords, also sending the data to the same IP address in Syria as “XTreme RAT,” the EFF explained.

Article source: http://rss.feedsportal.com/c/270/f/3551/s/1d76e3a6/l/0Lnews0Btechworld0N0Csecurity0C33446650Cfake0Eyoutube0Esite0Etargeted0Esyrian0Eactivists0Edigital0Ewatchdog0Eeff0Esays0C0Dolo0Frss/story01.htm

View full post on National Cyber Security » Computer Hacking

Digital Forensics Leader AccessData Cites Industry Report Underscoring Dramatic Rise in Forensics Service Demand

On the heels of an industry report detailing a nearly 14% annualized increase in demand for digital forensics services over the past five years, AccessData Group, one of the largest computer forensic technology companies in the U.S., today affirmed the unprecedented growth in digital forensics as a key component of enterprise security.

View full post on computer forensic – Yahoo! News Search Results

View full post on National Cyber Security

What’s next for the Digital Economy Act?

Last week, British internet service providers BT and TalkTalk lost their court appeal against the Digital Economy Act, meaning that they will have to send warning letters to customers suspected of illegal file-sharing.

Following a failed appeal against the Act last year, in which four out of five grounds for appeal were rejected, the two ISPs argued that the anti-piracy measures were “inconsistent with European law” and would breach the privacy of their customers, as well as driving up costs for providers and consumers.

However, Lord Justice Arden, Lord Justice Patten and Lord Justice Richards dismissed these objections on 6 March, saying that the DEA is proportionate in dealing with illegal file-sharing and that the costs incurred are justified.

In response to the ruling, BT said it was “considering its next steps” and TalkTalk said that it would “continue fighting to defend its customers’ rights against this ill-judged legislation”. But what options are open to the ISPs now that their appeal has been rejected?

ISPs are running out of options

“They are running out of options,” said Ian De Freitas, IP partner at law firm Berwin Leighton Paisner (BLP). “They can ask the Supreme Court for another appeal, but I would be surprised if the Supreme Court would agree to hear it, although there are quite a lot of public interest arguments. Nevertheless the Court of Appeal judgement is pretty strong.

“They can’t go to the Court of Justice for the European Union – they tried that in the Court of Appeal, but the Court of Appeal said no. You can only really get permission to go to the Court of Justice if the European law is in doubt. The Court of Appeal said the position was so clear that they didn’t need to ask the Court of Justice for any guidance on this one.”

In order for the DEA to be implemented, two pieces of legislation have to be passed. The first establishes the cost-sharing element – who will pay for the operating fees, the running and setting up of an appeals body, and case fees charged by the proposed appeals body. The second is Ofcom’s Initial Obligations Code, which sets out the practicalities of how the Act will be enforced.

Both these pieces of legislation have to be submitted to the European Union for approval – which involves a three-month consultation – before the Act can be passed and become law.

A spokesperson for the Department for Culture, Media and Sport (DCMS) explained that, before the appeal by BT and TalkTalk, the cost-sharing legislation had been scrutinised by the EU and been approved. However, the latest judicial ruling states that, although ISPs will still have to pay 25 percent of operating fees, and 25 percent of the cost of setting up an appeals body, they will not have to pay 25 percent of case fees, as was previously stipulated.

This means that, even though this piece of legislation has already been approved, the government has to withdraw it, rewrite it and re-submit it to the EU before proceeding.

A new Initial Obligations Code?

This will have a knock-on effect on the second piece of legislation – Ofcom’s Initial Obligations Code. Ofcom published its initial draft of this code in 2010, generating a great deal of criticism from organisations that campaign for freedom of access to the Internet, such as the Open Rights Group.

For example, the draft code does not necessarily target the person using a system to infringe copyright; it targets the person who has the computer, or controls it. This means that the reports about infringement could be directed at cafés, museums and libraries that offer free WiFi access, putting the burden of responsibility on those outlets.

“One of the challenges to the Act was that it was so burdensome that some of these organisations will think that it’s simply not worth offering free WiFi. This means that people who found the access useful for lots of things will no longer have access, and that has a chilling effect on use of the internet.”

Article source: http://rss.feedsportal.com/c/270/f/3551/s/1d5c21d7/l/0Lfeatures0Btechworld0N0Csecurity0C33436910Cwhats0Enext0Efor0Edigital0Eeconomy0Eact0C0Dolo0Frss/story01.htm

View full post on National Cyber Security » Computer Hacking

49 New Digital Media Resources You May Have Missed

This has been quite a week in digital culture. Between Apple's revealing of the new iPad and the beginning of the 2012 SXSW Interactive Festival in Austin, Texas, Mashable has a multitude of new digital media resources for you. Don't worry if you've fallen behind — here's our weekly features roundup.

View full post on social media scam – Yahoo! News Search Results

View full post on National Cyber Security

RSA: Trust in our Digital World is in Jeopardy

RSA chief warns that risk is a way of life and that the time has come to embrace a Big Data approach to security.

View full post on eSecurityPlanet RSS Feed

View full post on National Cyber Security

While most recent American Internet safety conferences focus on digital citizenship issues such as preventing cyber …

I’m writing from Moscow, where I spoke at Russia’s Safer Internet Day conference last week. Safer Internet Day, which originated in Europe, is celebrated in much of the world, though there are relatively few events in the United States.

While most recent American Internet safety conferences focus on digital citizenship issues such as preventing cyberbullying, most speakers at the Russian event talked about protecting children from undesirable content. There was, however, one panel on digital literacy where my ConnectSafely.org co-director Anne Collier talked about strategies for helping kids learn to treat each other respectfully and to protect their online reputations.

Russia is behind the United States and much of Europe in Internet usage, but it’s growing quickly. In 2009, the World Bank reported Internet penetration in the Russian Federation at 42 percent but the growth curve is impressive. In 2006, it was only 18 percent. One speaker at the conference said it’s now over 50 percent, with even higher usage among youth.

Still, the Internet is new to many people in this former Soviet capital and it’s common to be afraid of things that are unfamiliar. So my main role as a speaker was to try to put some of the safety concerns into perspective.

I reminded delegates that there was a time when people bought short-term life insurance before they got on an airplane. Those passengers were probably less worried about their car crashing on the way to the airport, even though then, as now, driving was more dangerous than flying.

It’s a bit like that with technology. Bullying, pornography and child molestation have been around forever. But because widespread Internet use is new here, I heard politicians and others worrying aloud about the increased danger of the Net, even though American and European data show that most risks to kids are actually lower online than in the “real world,” and that sexual crimes against children have actually decreased by 58 percent between 1992 and 2008, the very years that huge numbers of U.S. kids got online. I’m not saying the Internet is the reason for the decline, but it certainly didn’t usher in any increase, as some feared it would.

One reason it’s important to put the fears into perspective is because there are lots of people in Russia, and in the United States as well, who want to put limits on Internet content in the name of protecting children. In fact, there is a law on the books in Russia that’s supposed to take effect in September that would require websites to classify themselves by age ratings so Internet service providers could block kids from content that would harm their “health and development.”

It’s not clear even to Internet professionals I spoke with here how this law is supposed to be implemented and whether it will apply just to Russian-based sites, or if ISPs will be required to filter out access to international sites that aren’t rated. One of the criteria bans kids’ access to images of sexual relations between people of the opposite sex. Apparently, the drafters forgot to include images of people of the same sex.

There were also people at the conference proposing that ISPs should be required to block access to certain types of illegal content. If this sounds familiar, think back just a couple of weeks ago to our debate around a pair of U.S. bills that would have done just that for sites with alleged pirated content.

Illegal content would, of course, include child pornography, even though images of children being abused already are illegal in Russia. But it could also include sites that advocate the use of drugs or alcohol, gambling sites and sites that advocate “extremism.” That last category is particularly bothersome to one political activist I spoke with who worries it could be used to block sites that advocate demonstrations against Prime Minister Vladimir Putin or some future regime.

Other countries do ban some extremist content. France and Germany have laws that prohibit the display of Nazi memorabilia or advocacy of anti-Semitism. Depicting a swastika on an American website may be offensive to most of us, but it’s not illegal.

As I listened to simultaneous translation of the debates, I was reminded of the battles we’ve had in the United States over the past 15 years or so. In 1996, Congress passed the Communications Decency Act, which would have made it a crime for anyone to post content that kids could access that was “patently offensive as measured by contemporary community standards.”

That was mostly overturned by the Supreme Court, and a somewhat less restrictive follow-up attempt, the Children’s Online Privacy Protection Act, was overturned by a federal circuit court. The Supreme Court refused to hear an appeal, which effectively killed that bill as well. We do have a law, the Children’s Internet Protection Act, that requires schools and libraries that receive certain federal funding to use filters and other measures to protect children from inappropriate content. But that doesn’t prevent the posting of the content and only applies to federally subsidized schools and libraries.

Contact Larry Magid at larry@larrymagid.com. Listen for his technology chats on KCBS-AM (740) weekdays at 3:50 p.m.

Article source: http://www.mercurynews.com/business/ci_19931950?source=rss

View full post on National Cyber Security

Trustwave issued digital certificate allowing SSL spying

Digital certificate authority Trustwave revealed that it has issued a digital certificate that enabled an unnamed private company to spy on SSL-protected connections within its corporate network, an action that prompted the Mozilla community to debate whether the CA’s root certificate should be removed from Firefox.

The certificate issued by Trustwave is known as a subordinate root and enabled its owner to sign digital certificates for virtually any domain on the Internet. The certificate was to be used within a private network, as part of a data loss prevention system, Trustwave said.

The CA took steps to ensure that the subordinate root could not be stolen or abused. The certificate was stored in a hardware security module, a device built specifically for the management of digital keys, which ensured that its extraction was impossible, Trustwave said.

The company also performed on-site physical security audits to make sure that the system can’t be removed from the premises and used to intercept SSL-encrypted (Secure Sockets Layer-encrypted) traffic on another network.

Mozilla bug tracker

“We did not create a system where the customer could generate ad-hoc SSL certificates and extract the private keys to be used outside this device,” said Brian Trzupek, Trustwave’s vice president for managed identity and authentication, in a discussion on Mozilla’s bug tracker. “Nor could the subordinate root key ever get exported from the device.”

Mozilla’s community is currently debating whether the issuing of such certificates represents a breach of the software vendor’s CA certificate policy, regardless of what security measures were put in place. CAs adhere to this policy in order to have their root certificates trusted by Mozilla’s products.

“We reserve the right to not include a particular CA certificate in our software products. This includes (but is not limited to) cases where we believe that including a CA certificate (or setting its “trust bits” in a particular way) would cause undue risks to users’ security, for example, with CAs that knowingly issue certificates without the knowledge of the entities whose information is referenced in the certificates,” Mozilla’s CA certificate policy states.

Some users are asking Mozilla to remove Trustwave’s root certificate from Firefox and Thunderbird because domain name owners were not aware that Trustwave was re-signing certificates in their name through a subordinate root. Mozilla did not immediately return a request for comment.

Trustwave defended itself by saying that the issuing of subordinate roots to private companies, so they can inspect the SSL-encrypted traffic that passes through their networks, is a common practice in the industry. However, the CA decided to stop issuing such certificates in the future and revoke the existent ones.

Trustwave praised

“I would say that Trustwave should be commended for making this statement public, knowing that this could result in reputational damage,” said Calum MacLeod, director for the EMEA region at Venafi, a company that sells certificate and digital key management products. “I believe it is commendable that they will no longer continue this practice, but the reality is in my opinion that this is a common industry practice.”

Trustwave might have taken significant steps to ensure that its subordinate root will not be abused, but this is not necessarily true for all cases where companies make use of this technique.

“In the vast majority of enterprises today, there is little or no control over the security and management of private keys,” MacLeod said. “In most cases, the private keys are not being protected, and system administrators are handling keys manually.”

MacLeod pointed out that just because Trustwave did not issue a subordinate root certificate to a government, an ISP or a law enforcement agency, does not mean that other CAs haven’t done so. “Maybe it’s time websites carried the same message as the telephone service; ‘this session may be recorded!’,” he said.

According to Amichai Shulman, chief technology officer and co-founder of security firm Imperva, there are other techniques that companies can use to snoop on SSL-encrypted traffic within their networks, and they don’t require the use of such broad certificates.

“The fact that CA services are willing to issue ‘weak CA’ certificates to practically anyone is outrageous,” Shulman said. “Not only that the effect of a compromise of such a certificate is devastating but the chances for it happening are not negligible.”

Article source: http://rss.feedsportal.com/c/270/f/3551/s/1c8406b5/l/0Lnews0Btechworld0N0Csecurity0C333620A50Ctrustwave0Eissued0Edigital0Ecertificate0Eallowing0Essl0Espying0C0Dolo0Frss/story01.htm

View full post on National Cyber Security » Computer Hacking

Trustwave admits issuing ‘man-in-the-middle’ digital certificate
Mozilla debates punishment for the issuing of a subordinate root certificate that let company snoop on SSL-encrypted traffic

Digital Certificate Authority (CA) Trustwave revealed that it has issued a digital certificate that enabled an unnamed private company to spy on SSL-protected connections within its corporate network, an action that prompted the Mozilla community to debate whether the CA’s root certificate should be removed from Firefox.

The certificate issued by Trustwave is known as a subordinate root and enabled its owner to sign digital certificates for virtually any domain on the Internet. The certificate was to be used within a private network, as part of a data loss prevention system, Trustwave said in a blog post on Saturday.


The CA took steps to ensure that the subordinate root could not be stolen or abused. The certificate was stored in a Hardware Security Module, a device built specifically for the management of digital keys, which ensured that its extraction was impossible, Trustwave said.

The company also performed on-site physical security audits to make sure that the system can’t be removed from the premises and used to intercept SSL-encrypted (Secure Sockets Layer-encrypted) traffic on another network.

“We did not create a system where the customer could generate ad-hoc SSL certificates AND extract the private keys to be used outside this device,” said Brian Trzupek, Trustwave’s vice president for managed identity and authentication, in a discussion on Mozilla’s bug tracker on Tuesday. “Nor could the subordinate root key ever get exported from the device.”

Mozilla’s community is currently debating whether the issuing of such certificates represents a breach of the software vendor’s CA Certificate Policy, regardless of what security measures were put in place. CAs adhere to this Policy in order to have their root certificates trusted by Mozilla’s products.

“We reserve the right to not include a particular CA certificate in our software products. This includes (but is not limited to) cases where we believe that including a CA certificate (or setting its “trust bits” in a particular way) would cause undue risks to users’ security, for example, with CAs that knowingly issue certificates without the knowledge of the entities whose information is referenced in the certificates,” Mozilla’s CA Certificate Policy states.

Some users are asking Mozilla to remove Trustwave’s root certificate from Firefox and Thunderbird because domain name owners were not aware that Trustwave was re-signing certificates in their name through a subordinate root. Mozilla did not immediately return a request for comment.

Trustwave defended itself by saying that the issuing of subordinate roots to private companies, so they can inspect the SSL-encrypted traffic that passes through their networks, is a common practice in the industry. However, the CA decided to stop issuing such certificates in the future and revoke the existent ones.

View full post on National Cyber Security

Cold War 2.0: East and West divide on digital rights

Disagreements on how to manage intellectual property theft, Internet freedom between U.S., allies and Russia, China

View full post on russia cyber attacks – Yahoo! News Search Results

View full post on National Cyber Security

