FTC Commissioner Julie Brill proposed a plan she called Reclaim Your Name that would regulate how data brokers collect and share consumers’ personal information.
Archive for June, 2013
In spite of a committee report recommending that Australia’s Senate pass the proposed data breach notification bill, the overcrowded legislative program has put paid to the legislation for now.
With the government presumably holding its last parliamentary sitting before this year’s election, and with the political distraction of the ALP government playing hot-swap-the-leader on Thursday evening, the data breach notification bill was not brought forward for a vote.
On Thursday evening, former prime minister Julia Gillard called a Labor Caucus vote on her leadership, losing to her predecessor Kevin Rudd.
The only chance the current legislation would have would be if the country’s prime ministerial redux Kevin Rudd decides to delay an election long enough for there to be another sitting of federal parliament. This is not completely out of the question, since the election could be delayed until November, but it’s unlikely.
However, the Senate did manage to pass laws strengthening whistleblower protections in Australia.
The two bills passed late last week put an obligation on commonwealth public officials to report suspected wrongdoing. The law allows officials to make reports to their own agency, directly to the commonwealth ombudsman, or, if they are reporting intelligence issues, to the Inspector General of Intelligence and Security.
However, the whistleblower protection bills are criticised for exempting too many national security agencies, an issue that has become prominent in the light of the ongoing revelations of US snooping by former NSA contractor Edward Snowden, who fled to Russia after sensationally releasing NSA PowerPoint slides and other data in Hong Kong. Snowden is believed to remain in the Moscow Airport transit area while his possible asylum – and the need to travel without a US passport – is sorted out (or not).
A security researcher has uncovered a number of serious vulnerabilities in one of the core security components of several secure telephony applications, including the Silent Circle system developed by PGP creator Phil Zimmermann. The vulnerabilities in the GNU ZRTPCPP library already have been addressed in a new version of the library and Silent Circle has implemented a fix, as well.
ZRTPCPP is a library that implements the ZRTP protocol that Zimmermann and others developed to establish secure sessions over a pre-existing connection. Silent Circle, which sells a cryptographically secure mobile phone application, and several other products implement the ZRTPCPP library, and Mark Dowd of Azimuth Security has identified several vulnerabilities in the library that could give an attacker the ability to get remote code execution. Dowd said that the bugs can be exploited by remote, unauthenticated users.
The first vulnerability is a heap buffer overflow in a function used to temporarily store a packet.
“The ZRtp::storeMsgTemp() function is used to temporarily hold a packet in memory so that it may later be hashed/verified. A buffer overflow exists in this function due to a lack of bounds checking of the size of the source buffer,” Dowd said. “If an attacker sends a packet larger than 1024 bytes that gets stored temporarily (which occurs many times – such as when sending a ZRTP Hello packet), a heap overflow will occur, leading to potential arbitrary code execution on the vulnerable host.”
Dowd also found a number of stack overflows in ZRTPCPP that could enable an attacker to crash a vulnerable app, but probably can’t be exploited beyond that.
“The flaw here is that ZrtpConfigure::maxNoOfAlgos is defined as 7 (as the ZRTP specification dictates), meaning that algosOffered has 8 array slots in total. However, the count of public keys specified in the Hello packet is 4 bits, allowing the client to specify a maximum of 15 keys rather than 7. By taking advantage of this, a stack overflow may be triggered. Due to the technical constraints of this vulnerability, it is unlikely that these are exploitable beyond a crash, but further investigation would be required to confirm this,” Dowd said.
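Both defects Dowd describes come down to a missing comparison between an attacker-controlled length or count and the size of a fixed buffer. The following is an added example, not code from GNU ZRTPCPP or Silent Circle: it shows, in C against a simplified state structure, the two checks that close those gaps. Only the 1024-byte temporary buffer, the maximum of 7 algorithms and the 4-bit count field come from the article; `zrtp_state`, `store_msg_temp`, `hello_pubkey_count`, `load_offered_algos`, `TEMP_MSG_SIZE` and the placement of the count in the low nibble of one byte are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed constants mirroring the sizes the article quotes: a 1024-byte
 * temporary packet buffer and a maximum of 7 offered algorithms. */
#define TEMP_MSG_SIZE   1024
#define MAX_NO_OF_ALGOS 7

/* Simplified, hypothetical stand-in for the library's per-session state. */
struct zrtp_state {
    uint8_t temp_msg[TEMP_MSG_SIZE];
    size_t  temp_msg_len;
    uint8_t algos_offered[MAX_NO_OF_ALGOS + 1];
};

/* Hardened temporary store: the packet length comes from the network, so it
 * is compared against the destination size before any copy happens.
 * Returns 0 on success, -1 if the packet does not fit. */
int store_msg_temp(struct zrtp_state *st, const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len > sizeof st->temp_msg)
        return -1;
    memcpy(st->temp_msg, pkt, len);
    st->temp_msg_len = len;
    return 0;
}

/* The Hello packet's public-key count is a 4-bit field (0..15), but the
 * receiving array has only MAX_NO_OF_ALGOS usable slots. Validate the decoded
 * count before it becomes a loop bound. Returns the count, or -1 if too large.
 * Assumption for this example: the count sits in the low nibble of one byte. */
int hello_pubkey_count(uint8_t count_byte)
{
    int count = count_byte & 0x0F;
    if (count > MAX_NO_OF_ALGOS)
        return -1;
    return count;
}

/* Copies `count` algorithm identifiers from the Hello payload into the
 * fixed-size array, only after both the count and the payload length have
 * been checked. Returns the number copied, or -1 on rejection. */
int load_offered_algos(struct zrtp_state *st, uint8_t count_byte,
                       const uint8_t *ids, size_t ids_len)
{
    int count = hello_pubkey_count(count_byte);
    if (count < 0 || (size_t)count > ids_len)
        return -1;
    for (int i = 0; i < count; i++)
        st->algos_offered[i] = ids[i];
    return count;
}

int main(void)
{
    struct zrtp_state st;
    memset(&st, 0, sizeof st);

    /* Constructed inputs: an oversized packet and a Hello claiming 15 keys. */
    static uint8_t oversized[2 * TEMP_MSG_SIZE];
    static const uint8_t ids[15] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };

    printf("store 2048-byte packet: %d (expect -1)\n",
           store_msg_temp(&st, oversized, sizeof oversized));
    printf("store 1024-byte packet: %d (expect 0)\n",
           store_msg_temp(&st, oversized, TEMP_MSG_SIZE));
    printf("Hello with count nibble 0xF: %d (expect -1)\n",
           load_offered_algos(&st, 0x0F, ids, sizeof ids));
    printf("Hello with count nibble 0x3: %d (expect 3)\n",
           load_offered_algos(&st, 0x03, ids, sizeof ids));
    return 0;
}
```

The point of keeping the count check in its own function is that every later consumer of the Hello packet (hashing, algorithm negotiation, logging) reuses the same validated value rather than re-reading the nibble, so a single missed check cannot reintroduce the overflow.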
The third bug is an information-leakage vulnerability that Dowd said may be a vector for getting access to sensitive data about the cryptographic functions of the protocol.
“Using this vulnerability allows the attacker to discover useful pointers and heap state, and could be used in conjunction with the aforementioned heap overflow to gain reliable code execution. In addition, it could possibly be used to leak sensitive crypto-related data, although the extent of how useful this is has not been investigated,” he said.
Silent Circle has fixed the vulnerabilities in its product, Dowd said, and the GNU ZRTPCPP library also has been updated to fix the problems.
Article source: http://www.sdbmagazine.com/no-data-breach-immunity.aspx
Facebook Data Breach Affects 6 Million Users (SDB)
Facebook Inc (NASDAQ:FB) has disclosed that 6 million of its users’ phone numbers and email addresses have been exposed to unauthorized users during the last year. According to Reuters, the company blames the leaks on a technical glitch that began in 2012 in its archive of information for its 1.1 billion users. Facebook Inc (NASDAQ:FB) reports that the bug was fixed within 24 hours of its technical team being notified about it. The company told Reuters that it notified affected users and regulators about the breach prior to making a public announcement.
Facebook’s Valuation Is Still Too Optimistic (BusinessInsider)
Is Facebook Inc (NASDAQ:FB) an attractive shorting opportunity at current levels? We think the answer is yes, and here’s why. The stock trades with a premium valuation despite major growth challenges, and the social media industry is becoming fragmented as competition picks up. Shares of Facebook Inc (NASDAQ:FB) are currently priced for the best possible scenario. Despite trading at more than a 35% discount to its IPO price, Facebook is still valued at roughly 42 times earnings estimates for this year. This, despite the fact that earnings are only expected to grow by 7.5% in 2013.
Facebook Hashtags Make Their Way to Mobile (PCMag)
It was a pretty big deal when Facebook Inc (NASDAQ:FB) earlier this month made hashtags clickable on the Web. Now, the social network has extended hashtags to mobile devices as well. A Facebook spokeswoman confirmed to PCMag that the company on Thursday began rolling out hashtag support for its HTML5 mobile site m.facebook.com. At this point, however, hashtags are still non-functional on Facebook Inc (NASDAQ:FB)’s iOS and Android apps. Facebook first introduced hashtags two weeks ago, but only on its main site on the Web. Hashtags — one or more words strung together with no spaces behind a pound sign — gained in popularity in 2009, when Twitter began hyperlinking them to search results. They are often used to clarify or add context to a post, and in recent years have extended beyond Twitter to services like Google Inc (NASDAQ:GOOG)+ and Yahoo! Inc. (NASDAQ:YHOO)‘s Flickr.
Facebook to Shield Ads From Offensive Content (NYTimes)
Facebook Inc (NASDAQ:FB) said on Friday that it would remove ads from pages that contain controversial content, as it tries to protect advertisers from appearing next to offensive material beyond their control. In a message posted on its Web site, the company wrote: “Our goal is to both preserve the freedoms of sharing on Facebook Inc (NASDAQ:FB) but also protect people and brands from certain types of content.” “We know that marketers work hard to promote their brands, and we take their objectives seriously. While we already have rigorous review and removal policies for content against our terms, we recognize we need to do more to prevent situations where ads are displayed alongside controversial Pages and Groups. So we are taking action.”
Former Facebook Exchange Product Director Joins Nanigans (Virtual-Strategy)
Nanigans, Inc., developer of the predictive lifetime value SaaS platform for performance marketing at scale, has appointed Antonio Garcia-Martinez as advisor. Antonio joins Nanigans after a strong year of growth, with the company growing revenues 2.5X, serving 200 enterprise customers, and operating four offices worldwide. Antonio comes to Nanigans after more than two years developing Facebook Inc (NASDAQ:FB) advertising technologies. Antonio is a former ad targeting product manager at Facebook, most recently spearheading and directing Facebook Inc (NASDAQ:FB)’s real-time bidding exchange, Facebook Exchange (FBX), from inception through launch and scaling.
Data compromises discovered at Greensboro and other Triad ABC stores aren’t a problem here, the manager of Alamance County’s ABC stores said Friday.
Greensboro ABC stores stopped accepting credit and debit cards at some stores after it was discovered that the software used by registers there had been hacked. The malware that snatched credit and debit card numbers was found after some customers complained that fraudulent charges appeared on their accounts after using their cards for ABC purchases. Problems were reported at Greensboro and Winston-Salem stores.
Steven Small, general manager of the Alamance Municipal ABC Board, said no similar problems had been reported here.
“We don’t do business with the (software) company they do business with there,” Small said. “Our systems are scanned constantly to make sure we don’t have any problems.”
The Alamance ABC board contracts with Carolina Data for computer services, Small said.
Other news outlets were reporting that some Greensboro stores were only accepting cash or checks until the problem is resolved.
Agnes Stevens, public affairs director for the N.C. ABC Commission, said the stores in question contract with Dalcom of Greensboro for their sales support software. She said they were undergoing security scans to remedy the hacked software.
The state commission leaves local contracts and service up to each of the 168 ABC boards across the state, she said.
Article source: http://threatpost.com/mike-mimoso-on-the-nsa-leaks/
The University of South Carolina sent letters this week to 6,300 students whose personal information, including Social Security numbers, could have been on a laptop stolen from the school.
The laptop used to generate and grade tests in four physics courses went missing from a locked room at the Jones Physical Sciences Building in late April, USC spokesman Wes Hickman said.
The university needed about two months to gather contact information for students who took the physics classes from 2010 through 2013 so that it could notify them of the possibility their information could be exposed, Hickman said. USC officials do not know if information belonging to all students from that time period was on the laptop.
The password-protected computer included names and Social Security numbers of students who took the classes, Hickman said.
USC is moving away from using Social Security numbers for students in favor of a unique identifier, Hickman said.
More than 87,000 records belonging to USC students and employees have been exposed in seven reported breaches during the past seven years.
USC is in the midst of a six-year, $75 million overhaul of the school’s 1970s-era software and establishing a new security program that goes into place next year.
The school will nearly double the five employees working on cyber security.
Mozilla has fixed 14 security vulnerabilities in Firefox, including four critical flaws that could allow remote code execution. There also are six high-severity vulnerabilities fixed in Firefox 22.
The source code for the Carberp Trojan, which typically sells for $40,000 on the underground, has been leaked and is now available to anyone who wants it. The leak has echoes of the release of the Zeus crimeware source code a couple of years ago and has security researchers concerned that it may lead to a similar crop of new Trojans and crimeware kits.
Several thousand Opera users may have been presented with script redirecting them to a server hosting malware as a result of a hack of the Opera network and theft of a code-signing certificate.
A new version of the browser is available and Opera representatives urge users to update as soon as possible.
“We know what time period this redirect was in place for, and we know how many users were sent to the affected server, but we have no way of identifying these users,” said Opera developer and QA specialist Mark Wilton-Jones. “We also have no way of knowing what happened to them once they were redirected away, but we have strong reasons to believe at least some of them were presented with malware.”
The malware, according to a published scan by VirusTotal, is a Trojan capable of opening back door communication to a third-party server where keylogging and other data-stealing malware may be installed.
The certificate was used, Opera said, to sign the malware and present it as Opera software. The certificate was old and had been used to sign Opera 12.00; it expired on Jan. 29. However, according to Opera, software signed with it will still install.
“Attempting to install this file works in common scenarios, even though the certificate is expired,” Wilton-Jones said. “This is controlled by the OS, not us, although in the future it would certainly be possible to run our own checks on the certificate of downloaded auto-updates, in addition to those imposed by the OS.”
While antimalware protection or User Account Control (UAC) in Windows should block the installation, not all versions of Windows perform these certificate checks. Also, some users may disable UAC.
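Wilton-Jones' remark that the updater could run its own certificate checks rather than relying on the OS is the defensive point of this story. The following is an added example, not Opera's code: a C policy function that an updater could apply to a downloaded package after an X.509 library has verified the signature and parsed the signer's certificate. The `signer_info` structure, `check_update`, the pinned-fingerprint scheme and the sample timestamps are assumptions made for this example; the only fact taken from the article is that an expired signing certificate can still be accepted by the OS installer.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Outcome of the application-level check, independent of what the OS
 * loader or installer would decide on its own. */
enum update_verdict {
    UPDATE_OK = 0,
    UPDATE_BAD_SIGNATURE,      /* signature did not verify over the package */
    UPDATE_UNKNOWN_SIGNER,     /* signer is not the pinned release certificate */
    UPDATE_CERT_NOT_YET_VALID,
    UPDATE_CERT_EXPIRED        /* the case the article describes: OS may still install */
};

/* Hypothetical summary of what an X.509 parser returns for the signing
 * certificate. Field names are assumptions for this example. */
struct signer_info {
    const char *sha256_fingerprint;  /* lowercase hex of the certificate */
    time_t      not_before;          /* certificate validity start */
    time_t      not_after;           /* certificate validity end */
    int         signature_valid;     /* 1 if the package signature verified */
};

/* Decide whether a downloaded update may be installed. `pinned_fingerprint`
 * is the fingerprint of the certificate the currently installed build
 * expects; it is shipped inside each release and rotated with the next one.
 * `now` is passed in so the check can be exercised at arbitrary times. */
enum update_verdict check_update(const struct signer_info *s,
                                 const char *pinned_fingerprint, time_t now)
{
    if (!s->signature_valid)
        return UPDATE_BAD_SIGNATURE;
    /* A different certificate, even one the OS would chain to a trusted
     * root, is not the release signer and is refused. Fingerprints are not
     * secret, so an ordinary string compare is adequate here. */
    if (strcmp(s->sha256_fingerprint, pinned_fingerprint) != 0)
        return UPDATE_UNKNOWN_SIGNER;
    if (now < s->not_before)
        return UPDATE_CERT_NOT_YET_VALID;
    /* Unlike a generic OS installer, the updater has no reason to accept a
     * signing identity whose validity has ended; refuse it outright. */
    if (now > s->not_after)
        return UPDATE_CERT_EXPIRED;
    return UPDATE_OK;
}

/* Human-readable verdict for logs and for the user-facing error. */
const char *verdict_name(enum update_verdict v)
{
    switch (v) {
    case UPDATE_OK:                 return "ok";
    case UPDATE_BAD_SIGNATURE:      return "bad signature";
    case UPDATE_UNKNOWN_SIGNER:     return "unknown signer";
    case UPDATE_CERT_NOT_YET_VALID: return "certificate not yet valid";
    case UPDATE_CERT_EXPIRED:       return "certificate expired";
    }
    return "unknown verdict";
}

int main(void)
{
    /* Constructed scenario: a package correctly signed with the pinned
     * certificate, but the certificate's validity ended before the download.
     * Fingerprint and epoch values are made up for this example. */
    const char *pinned = "c0ffee00constructedfingerprint";
    struct signer_info expired = { pinned, 1262304000, 1359417600, 1 };
    time_t download_time = 1371600000;

    printf("update verdict: %s\n",
           verdict_name(check_update(&expired, pinned, download_time)));
    return 0;
}
```

Pinning alone would not have helped in the case the article describes, because the stolen certificate was Opera's own; the expiry check is the branch that catches it. The two together also cover the case where an attacker obtains some other valid code-signing certificate that the OS would happily trust.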
“Even for users who were presented with malware, we don’t know how many actually installed it,” Wilton-Jones said. “It might have failed due to issues with the certificate, being blocked by anti-virus, or due to problems with the connection or download.”
Opera said the network intrusion happened on June 19 between 01.00 and 01.36 UTC, and that the network was cleaned in short order. “The active attack on Opera users ended shortly after it began,” Opera developer Sigbjorn Vik said, adding that for security reasons they could not comment on the details of how the attackers compromised the Opera network. Vik also said this was the only code-signing certificate stolen and that no user data or passwords to Opera Link were stolen. Opera Link is a service that synchronizes browser data across devices.
Opera did caution that Opera 15 uses the same autoupdate server as Opera 12, meaning that some Opera 15 users could have been affected too.
“It took us some time to determine the extent of the attack, and find out exactly what had happened. The best way forward would have been to release a new version of Opera, with a new certificate, at the same time as we published these details,” Wilton-Jones said in explaining the delay between discovery and disclosure. “We received the new certificate on Monday, but due to technical issues, we were not able to ship an update as of yesterday, so we decided to release the details even without the update, rather than wait any longer.”
Attackers have successfully used stolen code-signing certificates to sign malware in the past, most notably in attacks against Adobe and Microsoft, putting the onus on organizations to keep crypto keys safe.
“Organizations’ failure to control and protect cryptographic keys and certificates, the foundation of digital security and online trust, leaves the front doors open for attackers to enter at will and pilfer whatever sensitive data they want, whenever they want,” said Jeff Hudson, CEO of key management company Venafi, who added that most companies aren’t clear on their inventory of keys and certificates.
“Unplanned outages from expired certificates can no longer be viewed as an inconvenient IT operations issue, rather these common outages are symptomatic of much larger security vulnerabilities,” Hudson said. “It’s become clear that certificate-based attacks have become the attack vector of choice. Organizations must implement effective controls to ensure the safety of their network.”