Organizations using “remote access software or appliances” susceptible to the Heartbleed bug should “identify infrastructure affected by the vulnerability and upgrade it as soon as possible,” said security provider Mandiant in a blog post (http://bit.ly/1tinjDV) Friday. Heartbleed is the recently discovered security glitch in Secure Sockets Layer (SSL), which affects OpenSSL, a cryptographic software library used to secure websites using HTTPS encryption to protect data (CD April 11 p13). Organizations and businesses with vulnerabilities to Heartbleed should “implement network intrusion detection signatures to identify repeated attempts to leverage the vulnerability,” it said. “In our experience, an attacker will likely send hundreds of attempts because the vulnerability only exposes up to 64KB of data from a random section of memory,” it said. Historical reviews of virtual private networks should be performed to “identify instances where the IP address of a session changed repeatedly between two IP addresses,” it said. “It is common for an IP address to legitimately change during a session, but from our analysis it is fairly uncommon for the IP address to repeatedly change back and forth between IP addresses that are in different network blocks, geographic locations, from different service providers, or rapidly within a short time period,” it said.
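The VPN session review Mandiant describes, turned into a small log-analysis routine. This is an added example, not code from Mandiant or from the original item; the log format, the session ids, the IP addresses (documentation ranges) and the "/16 block, 10-minute window, three changes" thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN access log: timestamp, session id, client IP.
# Session A1 bounces between two addresses in different /16 blocks within
# minutes; B2 moves within one block; C3 changes block once, hours apart.
VPN_LOG = """\
2014-04-11T08:00:00 sess=A1 ip=203.0.113.10
2014-04-11T08:02:00 sess=A1 ip=198.51.100.7
2014-04-11T08:03:30 sess=A1 ip=203.0.113.10
2014-04-11T08:05:00 sess=A1 ip=198.51.100.7
2014-04-11T08:06:10 sess=A1 ip=203.0.113.10
2014-04-11T09:00:00 sess=B2 ip=192.0.2.40
2014-04-11T09:40:00 sess=B2 ip=192.0.2.41
2014-04-11T10:00:00 sess=C3 ip=192.0.2.55
2014-04-11T12:00:00 sess=C3 ip=203.0.113.77
"""

def parse_line(line):
    """Split one constructed log line into (datetime, session id, ip address)."""
    ts, sess, ip = line.split()
    return (datetime.fromisoformat(ts),
            sess.split("=", 1)[1],
            ipaddress.ip_address(ip.split("=", 1)[1]))

def network_block(ip, prefix=16):
    """Coarse 'network block' used to decide whether two addresses are unrelated."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def suspicious_sessions(log_text, window=timedelta(minutes=10), min_changes=3):
    """Return {session: [ips]} for sessions whose client IP changed between
    different network blocks at least min_changes times inside one window,
    alternating between no more than two addresses (the back-and-forth
    pattern Mandiant singles out, as opposed to a single legitimate move)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, sess, ip = parse_line(line)
            events[sess].append((ts, ip))
    flagged = {}
    for sess, evs in events.items():
        evs.sort()
        # Keep only transitions that cross a network-block boundary.
        changes = [(t, ip) for (_, prev), (t, ip) in zip(evs, evs[1:])
                   if network_block(ip) != network_block(prev)]
        for i, (t0, _) in enumerate(changes):
            burst = [ip for t, ip in changes[i:] if t - t0 <= window]
            if len(burst) >= min_changes and len(set(burst)) <= 2:
                flagged[sess] = sorted(str(ip) for ip in set(burst))
                break
    return flagged
```

Sessions that merely roam once (a laptop moving from office to home) are not flagged; tune the prefix length and window to the environment's own VPN logs.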
The White House’s updated privacy policy took effect Friday. The planned update was announced in a March 19 blog post (http://1.usa.gov/RvJYhF). “On a practical level, if you have opted in to receive email updates, we'll use data that you submit or that is automatically generated by your use of the website to try to send you more information about issues or events you care about,” said Nathaniel Lubin, White House acting director-digital strategy. “Of course, you can always unsubscribe from our emails or turn off cookies in your browser if you decide you're not interested in this kind of information anymore.” The new policy clarifies the White House app does not collect geolocation information. It’s the first overhaul since 2011, the White House said.
A human rights guide for Internet users was approved by the 47-nation Council of Europe Thursday. User rights are generally contained in Internet companies’ lengthy contract terms, which few people read or fully understand, prompting the development of the guide (http://bit.ly/QqYztJ) to help users assert their rights online, the CoE said. The document focuses on the rights on which the Internet has the most impact, it said: (1) Access and non-discrimination. Generally, users shouldn’t be disconnected against their will except when ordered by a court. (2) Freedom of expression and information. Users have the right to express themselves online and to access others’ information and opinions, including those that may be offensive or shocking, while respecting others’ reputation and privacy. Governments must ensure that any restrictions on that right are based on legitimate goals such as protecting national security and that they comply with the European Convention on Human Rights. (3) Privacy and data protection. Personal data should be processed only with users’ consent or when it’s required by law. People should be told what personal data is processed or transferred to other parties, when, by whom, and for what purpose. Users should be able to check the accuracy of the data processed or request a deletion. Internet users shouldn’t be subjected to general surveillance or interception measures except in exceptional circumstances prescribed by law. (4) Education and literacy. Users should have online access to education. (5) Protection of children and young people. If they post content that compromises their dignity, security or privacy, or could be detrimental to them in the future, they should have the right to ask to have it deleted within a short time period. (6) Right to effective remedies for violations. Users should have accessible, affordable mechanisms for obtaining redress when their human rights are restricted or violated online.
Eight companies joined the Application Developers Alliance, the industry group said in a Monday release (http://bit.ly/1nqELlm). The companies -- including ridesharing company Lyft and comparison engine FindTheBest -- are joining to advocate for issues such as consumer privacy, software patents and reducing ridesharing regulations, the alliance said. FindTheBest Director of Operations Danny Seigle said his company is hoping by joining the alliance to “take a stance against patent trolls that attack startups and small businesses.” “As a leading voice on patent reform issues, the Alliance has brought us to Washington to testify on the impact of patent troll abuse on behalf of innovators across the globe,” he said. Lyft Vice President-Government Relations David Estrada said “this partnership will be invaluable as peer-to-peer transportation continues to face challenges from city and state leaders across the country who are more concerned with protecting entrenched interests than furthering public safety through technology.” In total, the alliance has more than 175 member companies, it said.
The 4th U.S. Circuit Court of Appeals Wednesday affirmed a contempt-of-court finding against encrypted email provider Lavabit for resisting a government subpoena asking for the company’s private encryption keys (http://bit.ly/1j1aPtp). Lavabit initially refused to give over the information because it argued doing so would make sensitive customer information vulnerable. The Electronic Frontier Foundation (EFF) filed an amicus brief on Lavabit’s behalf in its appeal (CD Oct 28 p12). Wednesday’s ruling said many of Lavabit’s arguments raised on appeal were new arguments and “when a party in a civil case fails to raise an argument in the lower court and instead raises it for the first time before us, we may reverse only if the newly raised argument establishes ‘fundamental error’ or a denial of fundamental justice.” The only argument against turning over the encryption keys previously was one sentence from Lavabit owner Ladar Levison: “I have only ever objected to turning over the [Secure Sockets Layer] keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic.” The court ruled “we cannot refashion this vague statement of personal preference into anything remotely close to the argument that Lavabit now raises on appeal.”
The National Retail Federation (NRF) is creating a cybersecurity information sharing program, it said in a Monday release (http://bit.ly/Qn7P1S). The platform, dubbed the Information Sharing and Analysis Center (ISAC), follows a similar effort by the financial industry, which has already developed its own ISAC (http://bit.ly/1iSy4Eo). The retail trade industry has been under the crosshairs of federal agencies and lawmakers because of large data breaches from major retailers such as Target and Neiman Marcus. The move also comes days after the FTC and Department of Justice issued a joint policy statement saying properly sharing cyberthreat information is “not likely to raise antitrust concerns.” The NRF said it expects its ISAC to be functional in June. It will be overseen, in part, by the NRF’s IT Security Council, which includes chief information officers and tech experts from roughly 120 retailers, NRF said.
Google Glass raises privacy and safety concerns, said Consumer Watchdog in a report released Monday (http://bit.ly/RlstR8). “Google Glass threatens the privacy of both people whose images are captured unbeknownst to them and the user of the device,” said Consumer Watchdog Privacy Project Director John Simpson. “Google Glass can easily be used for improper and even criminal purposes.” While Google has said it won’t offer facial recognition software, Consumer Watchdog said it has uncovered apps that do offer the technology, which poses privacy concerns. Google has also lobbied against having Google Glass banned while driving, despite obstructed view for Glass wearers, according to Consumer Watchdog. “Glass’s visual display takes up about 15 percent of the visual field, obviously providing a distraction to a driver who wears them,” said Consumer Watchdog.
RIAA, MPAA and the Justice Department are “like three blind mice,” following one another “in pursuit of meritless copyright claims against Megaupload” and founder Kim “Dotcom” Schmitz, said Ira Rothken, Megaupload counsel, by email. Four record labels (CD April 14 p14) and six movie studios (CD April 8 p19) filed civil action lawsuits against Megaupload and its operators last week. The suits are an “assault on cloud storage generally,” as Megaupload “used industry standard copyright-neutral technology found on popular websites like YouTube and Dropbox,” said Rothken. “We believe that the Hollywood Oligopoly is assisting the U.S. Department of Justice in a war of attrition by trying to win the cases on economics, rather than on the merits,” he said. “Like Youtube,” which “had a user rewards program and won its case,” Megaupload, Schmitz, and the other defendants “will prevail,” he said. “The recent release of specific evidence by the DoJ in its criminal complaint against Megaupload that showed massive infringement of music, as well as the statute of limitations, were both factors in our decision to file a civil lawsuit,” said a spokeswoman from RIAA by email.
The percentage of people who report having sensitive personal information stolen is rising, said research released Monday by the Pew Research Center (http://bit.ly/RigxzA). Eighteen percent of online adults said they have had information -- for instance, a Social Security number, credit card number or bank account information -- stolen, Pew said. That’s up from 11 percent in a July survey, Pew said. “Research suggests that young adults and younger baby boomers may have been especially hard hit in the second half of 2013,” said Mary Madden, a senior researcher for the Pew Research Center’s Internet & American Life Project, in a Monday blog post. However, the percentage of online adults who said they had an email or social networking account compromised stayed static at 21 percent, according to Pew. The numbers released Monday are from a survey of 1,002 adults conducted in January, said Pew.
The launch of the Amazon Fire TV box is a “win” for Netflix, said Wedbush Securities analyst Michael Pachter in a research note Monday, saying Amazon listed Netflix ahead of its own Prime Instant Video service on the list of streaming apps available for the $99 box. But Wedbush maintains an “underperform” rating on Netflix, projecting a 12-month price target of $175 compared with its midday price of $326.71 on a “sum-of-the-parts” valuation of $140 for domestic streaming, $17 per share for international streaming and $18 per share for Netflix’s domestic DVD business. Pachter predicted Q1 results, to be released April 21, will likely “meet or exceed” expectations of the street driven by a high signup rate owing to House of Cards and low ad spending during the quarter. Pachter expects Netflix management to “complain about the state of net neutrality” in the U.S. on its Q1 earnings call, while downplaying the financial impact of interconnection agreements, he said. Noting the multiyear interconnection agreement Netflix signed with Comcast in February -- which Pachter estimated to be a “material” expense -- Wedbush expects Netflix to reach similar agreements with other ISPs in coming years “to minimize throttling.” Over time, Wedbush believes interconnection agreements will force Netflix to raise prices, “limiting the company’s growth potential.”