Data security company Vormetric found “high levels of data breach and compliance failures” in the U.K., Germany and the U.S., a news release said. Polling for the Vormetric report was done by Harris Poll in fall 2014 through online surveys. Almost 45 percent of U.S. respondents, 40 percent of U.K. respondents and 26 percent of German respondents said they had encountered a data breach or failed a compliance audit in the past year, Vormetric said. “These responses are disturbing because they represent strong evidence that organizations are systematically failing to secure their data,” said Tina Stewart, vice president-global market strategy. “Part of the problem is a pervasive perception that meeting compliance standards is all that needs to be done to protect sensitive information,” she said. “With this perception, and with attacks changing by the hour, slowly evolving compliance mandates result in organizations fighting today’s battles with yesterday’s weapons, and failing to protect sensitive data not covered by compliance requirements.” There are “notable contrasts” between how European and U.S. organizations prioritized cloud security, data accessibility, privacy violations and compliance requirements, such as 62 percent of U.S. respondents planning to increase spending on additional security measures, compared with 44 percent of German respondents and 51 percent in the U.K., the firm said.
Toshiba will begin two years of “verification testing” in August of “genome analysis data” transmissions using “quantum cryptography” technology that’s “theoretically completely secure” from hacking, the company said in a Thursday announcement. The testing will be the first use in Japan of quantum cryptographic communication for the transmission of actual data, Toshiba said. Quantum cryptography, which Toshiba began researching in 2003, uses quantum physics “to ensure that genomic data encrypted with digital keys remains secret,” it said. “Standard optical” cryptography methods can be “intercepted and read by measuring a part of the optical signal,” it said. In quantum cryptography, “communications bits are carried and sent by individual photons” that can’t be “tampered with,” it said. The secrecy of the system’s encryption keys, and the genome data they protect, “can be guaranteed,” it said. Toshiba representatives didn’t say why the company hedged as it did in the announcement by calling the technology “theoretically completely secure” from hacking. Toshiba’s goal is to use the results of the verification tests “to support commercialization within five years of a quantum cryptographic communication system able to guarantee secure transfers of confidential information and personal information,” the company said. “Potential users will include public agencies and medical institutions.”
U.S. Chief Information Officer Tony Scott ordered federal agencies to begin a 30-day “cybersecurity sprint” to review and improve their cybersecurity policies, the White House said Friday. Obama administration officials said the effort to strengthen federal cyber defenses was unrelated to the Office of Personnel Management (OPM) data breach announced earlier this month (see 1506050042). But the White House noted in a fact sheet distributed to reporters that “recent events underscore the need to accelerate the Administration’s cyber strategy and confront” hackers. The White House has generally had a “laser-like focus” on cybersecurity issues but “it’s hard not to see how this 30-day sprint isn’t connected to the OPM data breach,” said Norma Krayem, co-leader of Squire Patton’s cybersecurity practice. The OPM data breach is to be the subject of two House briefings Tuesday and a House Homeland Security Cybersecurity Subcommittee hearing next week. Tuesday’s OPM briefings include a 10 a.m. House Oversight Committee hearing in 2154 Rayburn and a 1 p.m. closed all-House briefing that’s to include Homeland Security Secretary Jeh Johnson. A “Cybersecurity Sprint Team” is leading a 30-day review of all federal agencies’ cybersecurity policies as part of the cyber policy push, with members of the team coming from the Department of Homeland Security, the Department of Defense, OMB’s E-Gov Cyber and National Security Unit and the National Security Council Cybersecurity Directorate, the White House said. The U.S. CIO’s office will recommend a federal civilian cybersecurity strategy based on the review team’s findings and will issue action plans to further address critical cyber issues, the White House said. The U.S. CIO’s office is requiring federal agencies to use DHS-provided cyberthreat indicators on their networks and report any malicious activity, the White House said. Federal agencies will also be required to immediately patch critical cyber vulnerabilities, accelerate adoption of multifactor authentication and tighten which network users have “privileged” access.
The Wikimedia Foundation is in the process of implementing HTTPS by default to encrypt all Wikimedia traffic, wrote Wikimedia Foundation Senior Legal Counsel Yana Welinder, Legal Counsel Victoria Baranetsky and Operations Engineer Brandon Black in a blog post Friday. “We will also use HTTP Strict Transport Security (HSTS) to protect against efforts to ‘break’ HTTPS and intercept traffic,” the post said. “With this change, the nearly half a billion people who rely on Wikipedia and its sister projects every month will be able to share in the world’s knowledge more securely.” In the past four years, Wikimedia users could access Wikimedia sites with HTTPS manually through HTTPS Everywhere, and since 2013, logged-in users have accessed Wikimedia sites via HTTPS by default, the post said. Increasing concerns about government surveillance prompted Wikimedia community members to push for broader HTTPS protection, so Wikimedia made the transition a priority, the post said. “In a world where mass surveillance has become a serious threat to intellectual freedom, secure connections are essential for protecting users around the world,” the post said. “Without encryption, governments can more easily surveil sensitive information, creating a chilling effect, and deterring participation, or in extreme cases they can isolate or discipline citizens,” it said. “Accounts may also be hijacked, pages may be censored, other security flaws could expose sensitive user information and communications.” The final migration to HTTPS and HSTS for all Wikimedia sites is expected to be completed within a couple of weeks, the post said.
As of Wednesday, Twitter lets users share block lists with others, allowing a user to block multiple accounts in an easy, fast and community-driven way, User Safety Engineer Xiaoyun Zhang wrote in a blog post Wednesday. The new feature comes as Twitter recognizes some users experience “high volumes of unwanted interactions on Twitter” and require more sophisticated tools than individually muting and blocking other users, Zhang wrote. With the new feature, a user can export and share a block list with those facing similar issues or import another user’s block list to block multiple accounts at once. Twitter hopes these “advanced blocking tools will prove useful to the developer community to further improve users’ experience,” said Zhang. “This feature is yet another step towards making Twitter safer for everyone and will be available to some of our users starting [Wednesday] and all users in the coming weeks.”
The Department of Homeland Security Science and Technology Directorate (S&T) Cyber Security Division has made it a top priority to develop tools to prevent criminals from using malicious software and is ready to demonstrate its new malware detection technologies at the Transition to Practice Technology Demonstration Day for Investors, Integrators and IT Companies in Santa Clara, California, Tuesday, an S&T blog post said. One of the technologies S&T developed is the Federated Malware Analysis System (FMAS), which is a CSD-funded technology that counters the strengths of a malware attacker by clustering malware behaviors into “families” so it’s easier to detect, the post said. “Our aim is to work with our private sector partners to protect the nation’s critical infrastructure systems and commercial marketplace,” S&T Cyber Security Division Director Douglas Maughan said. “Showcasing and, most importantly, transitioning these technologies into the commercial market will be impactful to all organizations engaged in securing cyberspace and protecting various organizations such as government, public utilities and healthcare,” Maughan said. “We know these solutions can impact the cyber landscape that the Department is working to protect,” said S&T Cyber Security Division Transition to Practice Program Manager Michael Pozmantier.
Pro-transparency organization WikiLeaks launched a campaign Tuesday to generate $100,000 as a reward for the release of the Trans-Pacific Partnership negotiating text. The organization aims to “crowdsource” the “bounty,” it said in a release. The U.S. and other TPP parties have shielded the text from the public, though WikiLeaks has leaked a number of chapters over recent years (see 1503260017). Reps. Rosa DeLauro, D-Conn., Lloyd Doggett, D-Texas, and trade union officials in a news conference Tuesday also pushed the Office of the U.S. Trade Representative to disclose the text.
Caution should be used by those who use a credit card at a local retailer, gas station, restaurant or bar, because the black market demand for user and credit card data has made point-of-sale (PoS) system compromises a lucrative business, said a blog post from Level 3 Threat Research Labs Friday. “As PoS systems are targeted with greater frequency, new families of malware are developed and extended at a breakneck pace.” High-profile compromises are often either a result of lax security policies and procedures or a very sophisticated targeted attack, the blog said. “With PoS malware continuously evolving and becoming more difficult to detect, the security community, as well as retailers, has a real challenge on its hands.” Merchants should have their PoS and support systems behind a properly configured firewall, with logs and alerts enabled, the blog said. Merchants should also disallow remote access to PoS networks, control access within local networked environments and ensure their software is up to date, it said. PoS malware is lucrative for malware developers around the globe and U.S. merchants are transitioning to chip and PIN technology at a slow pace, it said. “As more American merchants implement chip and PIN for credit card transactions it will be interesting to see how the malware developers adapt.”
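As an added illustration of the logging-and-alerting guidance above (this is example code, not from Level 3 or its blog post), the following flags any connection into a PoS segment that originates outside it. The syslog-like log format and the 10.20.1.0/24 PoS segment are both constructed assumptions for the example.

```python
import ipaddress
import re

# Constructed sample firewall log lines in an assumed syslog-like format
# (not real vendor output). 10.20.1.0/24 is the assumed PoS segment.
SAMPLE_LOGS = """\
2015-06-12T10:01:02 fw1 ACCEPT src=10.20.1.15 dst=10.20.1.5 proto=tcp dport=443
2015-06-12T10:01:09 fw1 ACCEPT src=203.0.113.77 dst=10.20.1.5 proto=tcp dport=3389
2015-06-12T10:02:11 fw1 DROP src=198.51.100.9 dst=10.20.1.7 proto=tcp dport=5900
2015-06-12T10:03:30 fw1 ACCEPT src=10.20.1.5 dst=10.20.1.200 proto=tcp dport=8443
2015-06-12T10:04:02 fw1 ACCEPT src=10.30.0.8 dst=10.20.1.5 proto=tcp dport=22
"""

POS_NET = ipaddress.ip_network("10.20.1.0/24")  # assumed PoS segment

LINE_RE = re.compile(
    r"(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_pos_ingress(log_text):
    """Return alerts for every connection into the PoS segment whose source
    lies outside it. An ACCEPTed ingress is a 'violation' (the firewall let
    remote access through); a DROPped ingress is 'blocked' (policy held, but
    the attempt is still worth an alert)."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in POS_NET and rec["src"] not in POS_NET:
            status = "violation" if rec["action"] == "ACCEPT" else "blocked"
            alerts.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"], status))
    return alerts


if __name__ == "__main__":
    for alert in find_pos_ingress(SAMPLE_LOGS):
        print(alert)
```

Traffic between hosts inside the segment is ignored; only cross-segment ingress produces an alert, so the two accepted entries (RDP from the Internet, SSH from another internal subnet) are the ones that violate the no-remote-access rule.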
A report on “Cybersecurity Risk Management and Best Practices” from the FCC Communications Security, Reliability and Interoperability Council is “the most comprehensive Framework implementation proposal for any industry to date,” CTIA said in comments on a public notice on the framework. “The Report goes beyond merely offering guidance for reducing cybersecurity risk to critical infrastructure, enterprises, and consumers; it provides detailed, scalable recommendations designed to apply to each segment of the communications industry.” The Telecommunications Industry Association also said the report is on the right track. “This report not only provides guidance to communications sector stakeholders, but also serves as a model for industry members and policymakers globally, and reinforces the success of the voluntary public-private partnership model which TIA and many others advocate as the most effective means to improve cybersecurity for critical infrastructure,” TIA said. Comments were due Friday on the PN, released by the Public Safety Bureau March 19. The comments were filed in docket 15-68.
Scams related to social media have increased “substantially” in the past five years, said the FBI Internet Crime Complaint Center’s (IC3) Internet crime report for 2014. An average of 22,000 complaints were reported each month, with total losses costing victims $800.5 million, it said Friday. Men and women were targeted almost equally. Those aged 40-59 were the most targeted age group, followed by 20-39-year-olds. The U.S. was the No. 1 targeted country, followed by Canada and the U.K. California had the most victim complaints, followed by Florida and Texas. The report found 12 percent of all complaints submitted in 2014 had a social media aspect. “In most cases, victim’s personal information was exploited through compromised accounts or social engineering,” said IC3. Social media scams included: doxing, publicly releasing a person’s identifying information about themselves, family and friends; click-jacking, concealing hyperlinks beneath legitimate clickable content so that a user unknowingly downloads malware or sends personal information to a website; and pharming, redirecting users from legitimate websites to fraudulent ones to extract confidential data, the report said. The second most prominent trend IC3 found in 2014 was related to vulnerabilities of digital currency systems. Criminals bilked millions of dollars from those who use cryptocurrencies such as Bitcoin, Litecoin and Peercoin, the report said. Other frequently reported Internet crimes in 2014 included auto fraud, government impersonation email scams, intimidation and extortion scams, real estate fraud, confidence fraud and romance scams, and business email compromises, it said.