Wednesday, March 26, 2014

New Encryption System "Mylar" Encrypts Data in Browser Before Reaching Server


This will stop websites from leaking data

An MIT researcher has created a service that keeps data encrypted on servers at all times, only decrypting the data on a person's computer for them to see.

According to MIT Technology Review, MIT researcher Raluca Popa developed the system -- called "Mylar" -- along with Meteor Development Group. It aims to stop websites from leaking data or allowing hackers to steal data.

Mylar runs code inside a user's browser, which handles most of the processing and displaying of information (in other words, it takes over what a traditional service's servers would do). A server can still perform actions the user needs, but doesn't have a way to decrypt the data, as the user is the only one with a password in their browser. This password encrypts data there before it ever makes its way to the server.

Popa said a service using Mylar could search across encrypted data stored on its servers, enabling a user to search documents they had uploaded to a file storage service. Mylar can also let users share data with other users, because a system distributes the necessary encryption key in a way that protects it from being seen by the server or anyone monitoring activities.

Raluca Popa

There's even an optional browser extension that can protect against the server stealing the key needed to decrypt a person’s data.

Popa used the Web service building tool called Meteor to create her system, which makes it simpler for developers to use.

A big upside to this system is its ease of use. Popa said a group of patients at Newton-Wellesley hospital in Boston are currently testing Mylar for their medical information, and the only change needed to the hospital's existing system was to 28 lines of code out of 3,659 in total.

“You don’t notice any difference, but your data gets encrypted using your password inside your browser before it goes to the server,” said Popa. “If the government asks the company for your data, the server doesn’t have the ability to give unencrypted data.” 

Source: MIT Technology Review

Trustwave in the firing line in Target lawsuit


Legal payout could be significant in a breach whose costs may reach £10.9 million ($18 billion).
Two US banks have sued Trustwave for damages in connection with the major data breach at Target Corporation, the giant US retailer, late last year.
The lawsuit claims damages of more than $5 million and names Trustwave Holdings and Target as defendants, says the American Banker, which broke the story.
The suit cites figures from the Consumer Bankers Association which reveal that US banks have spent more than $172 million reissuing new cards to customers, noting that the cost of the breach could top the $18 billion mark.
The bank suit, from Trustmark National Bank and Green Bank NA, also requests a jury trial and seeks unspecified compensatory and statutory damages, meaning that, if successful, a payout could be in the billions of dollars.
Although the lawsuit names Trustwave and Target, the focus of the legal action appears to be against Trustwave, as it alleges that the security vulnerabilities were either undetected or ignored by Trustwave, giving hackers access to customer payment card details and allied information.
Trustwave has refused comment on the lawsuit. The company filed for an IPO in April 2011.
At that time it reported annual revenues of $111m, but it remains in private hands, so its current figures are unreported. The firm has, however, grown in the last few years, and now services more than two million client companies in 96 countries, which suggests the company's annual turnover has increased significantly.
A report by the US Senate yesterday says that Target missed multiple opportunities to stop the hacker incursions into its systems, adding that Target gave access to its network to a third-party vendor that did not follow accepted information security practices.
Several security vendors and industry experts that were approached, bar one, refused to comment on the case, many citing commercial reasons.
Steve Smith, managing director with Reading-based pen-testing specialist Pentura, however, said that virtually all enterprise security solutions need to be installed, and configured, correctly in order to secure a corporate IT system.
In addition, he says, there is a need for regular updates to maintain protection against new security threats and vulnerabilities.
"At an enterprise level, few solutions are plug-and-play so it's hard to see how a security vendor alone could be held liable in this type of situation," he said.
"The lawsuit filed by the two banks names both the security vendor and the end-user as defendants, which implies the case will be looking into Target's internal security practices," he added.
The lawsuit, however, claims that Trustwave scanned Target's network on September 20 last year and told the retailer that no vulnerabilities were found.
Target itself has said it believes the attackers stole the data between the 27th of November and the 15th of December last year, using malicious software installed on the EFTPOS point-of-sale devices in regular use by customers at its many hundreds of branches.
As previously reported, the malware is believed to have used RAM scraping techniques, capitalising on the fact that unencrypted debit or credit card details are held briefly in computer memory before being encrypted and stored on a server's hard drive.

Wednesday, March 5, 2014

Practical tools for a broker-dealer to help achieve the goal of “no findings”

by Regulatory Compliance on March 5, 2014
Is a “no-findings” Letter Still Possible to Receive?
Presented by:  Beverly Fetcko, Director of Compliance

It feels as though every day brings a new regulation requiring broker-dealers to leap into action and put additional supervisory procedures into place. With the increased focus on how and what a broker-dealer is doing day-to-day, is it merely a bygone dream to come through a regulatory examination with no findings? I don’t think so. A broker-dealer can put into play various policies and procedures that will help the BD reduce or potentially eliminate regulatory deficiencies. Let’s discuss some practical tools a broker-dealer can deploy to help achieve the goal of “no findings” from a regulator.

FINRA and the SEC have not kept it a secret that all broker-dealers should adopt procedures that are “reasonably designed to achieve compliance with applicable securities laws and regulations…”.[1] These should be tailored specifically to the type of business the broker-dealer conducts, giving consideration to the size of the broker-dealer and the complexity of the products and business activities it engages in. NASD Notice to Members 99-45 offers some specific guidance as to how a broker-dealer’s supervisory system can be best tailored to its business.

Gaining Organizational Buy-In:

While the broker-dealer’s written supervisory procedures form the foundation for a firm in laying out overall expectations and the broker-dealer’s approach to meeting regulatory requirements, just having them is not enough. The broker-dealer must have strong support and a solid supervisory structure to effectively implement the procedures. All areas of the broker-dealer need to “buy in” to a culture of compliance to try to meet the no-findings objective. One of the best ways to gain this is to have clear, concise, and relevant procedures and make certain all personnel understand the expectations.

Written procedures should provide the framework to ensure employees understand the expectation of the broker-dealer and to help the broker-dealer identify areas of risk and regulatory exposure.  The procedures should be clear and relevant to the broker-dealer’s business lines and processes. In addition, the procedures should be kept current to address and identify all new regulations, actions or broker-dealer initiatives and business.  When new procedures are added, the broker-dealer should assess the impact the implementation will have on various roles, including IT capabilities.  A key component to having comprehensive procedures is to ensure they address the frequency of the supervision that must take place and the records that must be maintained to evidence supervision.  (Remember, if you don’t document it, it is assumed it didn’t take place.)

While the written supervisory procedures describe the tasks, and who is responsible for them, that keep the broker-dealer compliant, how does a broker-dealer keep up with these required tasks? A compliance calendar can make this much easier. It is easy to say “create a calendar”; however, the most effective compliance calendars translate the responsibilities outlined in the WSP into a routine for the persons responsible for fulfilling each action.

With robust procedures in place that describe the duties that need to be completed, and a compliance calendar where all the designated principals have items to complete and know the expected time frame, the broker-dealer should be well on its way to the coveted “no findings” letter, right? Unfortunately, not quite. Like anything else, there must be execution.

Execute and Monitor:

Each designated principal must not only be aware of what they are required to complete, but be trained and knowledgeable in the task.  It is important for principals and compliance staff to keep current on new rules, rule changes, and expectations – not only from the broker-dealer, but from regulators.  Attending educational conferences and then sharing information learned from them with the staff is one way of accomplishing this.  As with so many areas of compliance, training is meant to be ongoing.  In addition, the WSPs will list relevant reports, such as exception reports, and other tools available for use by designated principals.

For your areas of compliance to remain effective, they must be monitored closely and often to make certain they are working as designed. This is the intent behind the annual supervisory and control testing required under NASD Rule 3012 as well as the branch office inspections required by NASD Rule 3010. These two activities help Compliance areas to review and monitor the completion of the assigned duties of designated principals, to make certain the responsibilities have been fully completed and on a timely basis. When a broker-dealer conducts the annual testing required under Rule 3012, it ensures that its supervisory procedures are kept current with any changes in business or product lines as well as regulatory changes. Also of benefit is identifying and addressing outside regulatory risks. These risks (financial and operational, among others), if not addressed in a timely fashion, can result in significant negative consequences, including regulatory violations. When gaps are uncovered in a firm’s testing results, the involvement of the Compliance Department will help to ensure that any related risks are addressed and will go a long way in helping to achieve a “no findings” letter. Any gaps or weaknesses that are identified must be addressed immediately by senior management. Failure to do so could jeopardize the broker-dealer’s compliance and supervisory systems.

Do What You Say:

The best thing a broker-dealer can do to help in achieving the most successful regulatory examination is to say what it is going to do, and then do it.  Keeping your WSPs clear, concise, and to the point of your business; establishing clear action items and identifying who is responsible for the item; making certain each designated principal is qualified for their area of responsibility and remains up-to-date with training; and conducting risk-based compliance testing to help ascertain areas of improvement all will move your organization closer towards achieving that sought-after “no findings” letter.

Please call Regulatory Compliance with further questions at (603) 434-3594.

[1] See FINRA Rule 3010.

Sunday, March 2, 2014

Hackers attack Vegas casino

Posted by: News Mar 2, 2014 in Technology  

Las Vegas Sands Corp. confirmed Friday that information about some customers of its Pennsylvania casino was stolen during a data breach earlier this month.
All of the Las Vegas-based company’s sites were down for six days starting Feb. 11, after hackers posted images apparently condemning CEO Sheldon Adelson’s views about using nuclear weapons on Iran.
Sands said hackers crashed its email system and stole employees’ Social Security numbers.
Sands said it was still working to determine whether customer information from other properties was breached, a process made more time-consuming by the destruction the hackers wrought. The company runs the Italian-themed Venetian and Palazzo on the Las Vegas Strip, and several hotel-casinos in China and Singapore.
In its statement, Sands noted that the number of patron accounts that were compromised made up fewer than 1% of all visitors to the Bethlehem casino since its 2009 opening. It has set up a website and free phone number for concerned customers.
The Las Vegas-based company pulled down its corporate and individual hotel websites on February 11 after hackers defaced them with images condemning comments Sands chief executive Sheldon Adelson had made about using nuclear weapons on Iran.
The hackers also posted social security numbers for Sands’ Bethlehem employees.
It took the company nearly a week to get the sites back up. The hacking also crippled internal systems and left corporate employees without access to their computers and email accounts for days.
Last week an anonymous video surfaced that appeared to catalogue additional information stolen during the hacking, including administrator passwords for slot machine systems and player information at the Bethlehem casino.