Friday, May 30, 2014

8 numbers identity thieves want to steal from you

Credit.com

The Star Wars Cantina of cybercriminals targeting your identity, healthcare, finances and privacy today might seem like a movie you’ve seen so many times you could lip sync the entire thing. Nevertheless, cybercrime and identity-related scams change faster than trending hashtags on Twitter, and the fact is nobody knows what’s going to happen next. Who would have thought Apple’s iCloud was vulnerable (much less to ransomware)? Or eBay? Data breaches are now the third certainty in life and sooner or later, you will become a victim.
According to the Privacy Rights Clearinghouse Chronology of Data Breaches tracking tool, at least 867,254,692 records were exposed through data breaches between 2005 and May 28, 2014. The Milken Institute says the number of compromised records was more than 1.1 billion between 2004-2012. The Identity Theft Resource Center reported 91,982,172 exposed records in 2013 alone. Frankly, it really doesn’t matter who is right. The amount of information out there is simply staggering.
You probably realize that identity thieves are after your email addresses and passwords, but that’s not all they want. In particular, each of us is attached to various sets of numbers that, when cobbled together, enable sophisticated identity thieves to get their claws into you. The fraudster doesn’t need all your information to complete the problem set. They just need enough to convince others that they are you. Here are eight numbers that they are gunning for.
1. Phone Numbers
You want people to be able to call you; you may even list your phone number on a public-facing site. If you do, bear in mind some companies use your phone number to identify you, at least in part. With caller ID spoofing, it’s not hard for a fraudster to make your number appear when they call one of those companies.
2. Dates and ZIPs
Birth, college attendance, employment, when you resided at a particular address, ZIP codes associated with open accounts—these are all numbers that can help a scam artist open the door to your identity by cracks and creaks. Many people put this information on public websites, like personal blogs and social media sites. In the post-privacy era, it is imperative you grasp the concept that less is more. Another tactic worth trying is populating public-facing social media sites with inaccurate information—though you might want to check each site’s rules since some sites frown upon the practice.
3. PIN Codes
Card-skimming operations use a device to capture your debit card information while a camera records you as you type in your PIN code, making it very easy for a thief to replicate. Cover your hands and be paranoid, because it’s possible someone actually is watching you.
4. Social Security Numbers
Your Social Security number is the skeleton key to your personal finances. There are many places that ask for it but don’t actually need it. Be very careful about who gets it and find out how they collect it, store it and protect it. Whenever you’re asked for your SSN, always consider whether the request is logical based upon the context of your relationship with them.
5. Bank Account Numbers
Your bank account number is on your checks, which makes a personal check one of the least secure ways to pay for something. Consider using a credit card. You get rewards, buyer protection and less of your information will be out there.
6. IP Addresses
Scammers can use malware and a remote access tool to lock files on your computer and then demand a ransom in exchange for access. A message informing a user that his or her IP address is associated with online criminal activity is a common scare tactic used in ransomware scams. Don’t fall for it. While it’s not difficult to track an IP address, there are a number of browsers that hide your IP address and associated searches from the bad guys, and there are fixes for ransomware.
7. Driver’s License and Passport Numbers
These are critical elements of your personally identifiable information that represent major pieces of your identity puzzle and, once you have the number, these documents can be counterfeited. Countless times each day, millions of personal documents undergo major makeovers and suddenly feature new names, addresses and photographs of fraudsters.
8. Health Insurance Account Numbers
Health insurance fraud is on the rise, and one of the biggest growth areas is identity-related health care crimes. This can jeopardize your life — not just your credit or finances, as the fraudster’s medical information can be commingled with yours, precipitating blood type changes, and eliminating certain allergies to meds or presenting new ones. The results can be catastrophic when a course of treatment is prescribed based upon incorrect information in the file.
It’s time to become a data security realist. Data breach fatigue is the enemy. Every new compromise and scam is potentially crucial news for you, since it may point to weak spots in your own behaviors and ways that your data hygiene might be putting you at risk. So keep reading articles about new threats to your personal data security, and read every single email alert that you receive—though be careful of the obviously fake emails and always verify directly with the institution.
The smartest thing you can do is to assume the worst. Your personally identifying information is out there, and, in the wrong hands, you’re toast—even if you are really on top of things. That said, by monitoring your bank and credit card accounts and the Explanation of Benefits Statements you receive from your health insurers, you’ll be in a better position to minimize the damage. Most importantly, read your credit reports. You can do that for free once a year, and use free online credit tools, like those on Credit.com, which updates your information monthly, explains why your credit scores are what they are, and gives tips for what you can do to improve your credit standing. But then what?
It is also vital for you to have a damage control program in place once you suspect that you have an identity theft issue. Contact your insurance agent, bank and credit union account rep, or the HR Department where you work to learn if there is a program to help you recover from an identity theft. You may well be surprised that there is and you are already enrolled for free as a perk of your relationship.
While there is no way to avoid cybercrime and identity theft, there is plenty you can do to make sure the damage is minimized and contained, and that no matter what happens, your daily life can go on without too much disruption.
Yahoo Finance is answering your money questions on Tumblr! Got a question about your credit score, your student loans, your retirement portfolio, your health insurance, or anything else finance-related? Drop us a line: YFmoneymailbag@yahoo.com.

http://finance.yahoo.com/news/8-numbers-identity-thieves-want-103033107.html

Thursday, May 29, 2014

Why More Retailer Breaches on the Way

Malware Infections of POS Networks Are Multiplying

By , May 27, 2014. Follow Tracy @FraudBlogger
The number of point-of-sale networks infected with new and enhanced strains of retail-oriented malware has significantly increased, researchers say. As a result, they predict that retailer breaches that expose everything from card data to personally identifiable information will continue to grow.
In the most recent development, cyberintelligence firm IntelCrawler last week described attacks in nearly 40 nations, including the U.S., using a new type of POS malware known as Nemanja.
It's just one of many emerging malware strains attacking domestic and international payments systems, says Curt Wilson, senior research analyst at online security firm Arbor Networks.


Wilson recently blogged about how POS malware attacks have evolved over the last five years. Today's attacks often begin with "lateral" attacks against third-party vendors to gain credentials that cybercriminals then can use to infiltrate a retailer's POS system, as was the case in the Target Corp. attack, he says.

Major Botnet

Nemanja, which IntelCrawler claims is linked to the compromise of more than 1,000 POS systems globally, is likely the biggest botnet affecting POS terminals, says Andrew Komarov, IntelCrawler's CEO.
So far, more than 1,478 hosts in nearly 40 countries have been infected by Nemanja, he says. While actual fraud losses linked to these compromises are not yet known, Komarov believes as many as a half million debit and credit cards could have been exposed.
The documented attacks involving Nemanja have affected mainly small businesses and grocery stores, Komarov says. "[Nemanja] was operated by a pretty large gang of cybercriminals who specialized in credit card fraud," he points out.
"Not only were POS terminals compromised, but also back-office systems of retailers and grocery stores," he says. "The malware has key-logging support and a self-delete option," meaning the hackers have the ability to delete the malware from the system at any time if they suspect their intrusion has been detected, Komarov says.
"The key-logger helps the bad actors gather additional information, which may help them organize a large breach and compromise the network infrastructure," he adds.
In some cases, Nemanja was able to penetrate POS networks through a remote-access portal, using default passwords, IntelCrawler found. In other cases, the malware infiltrated the system using a drive-by-download attack or by breaching the network perimeter. And in a few instances, IntelCrawler believes an insider's network credentials may have been compromised or knowingly shared with cybercriminals.

POS Malware: Then and Now

Nemanja is a prime example of emerging retail malware attacks the security industry has identified in recent months, Wilson says.
"All indicators that we have at this time suggest that Nemanja is yet another in a long line of memory-scraping POS malware," he says. "Organizations at risk must be well aware of this vulnerability and ensure adequate protection and monitoring of all systems associated with point-of-sale infrastructure."
Today's retail attacks are often fed by the takeover of POS terminals used as command and control centers for future attacks, he says.
And more attacks like this are already under way, Wilson says. "Arbor is aware of other hostile activity directed toward the POS infrastructure, and our awareness of this, plus the volume of POS malware, indicates that this serious problem continues, with attackers most likely emboldened by the success of large-scale compromise and theft of card data."
Al Pascual, a senior fraud analyst specializing in security and fraud for consultancy Javelin Strategy & Research, says Nemanja is similar to other POS malware strains such as Dexter and BlackPOS.


"There has been a surge of malware development in Eastern Europe as cybercrime groups pay for the best talent and newest schemes," he says. "Botnets can't be identified and shut down fast enough, nor can most of those responsible be arrested in meaningful enough numbers to prevent this trend from continuing. ... Retailers around the world need to do more to harden their systems and prevent data exfiltration. Right now, they are the low-hanging fruit."

Dispelling Myths

The global nature of these attacks is dispelling certain myths about card security, says Andreas Baumhof, chief technology officer at malware research firm ThreatMetrix.
Chip and PIN card technology, which helps to prevent skimming-related card breaches, is no defense against the emerging POS attacks the payments industry is facing, he says. Even with cards that conform to the Europay, MasterCard, Visa (EMV) standard, compromises linked to attacks such as Nemanja would not be prevented, he contends.
The payments industry's rally to migrate to EMV chip cards in the U.S., to replace the legacy magnetic-stripe cards still commonly used, isn't likely to have a huge impact on curbing card compromises, adds Arbor's Wilson.
"I've seen experts say that chip and PIN will change the landscape a lot, but these attackers are smart and they have found ways around all types of things," he says. "We still see point-of-sale compromises in Europe, where they have chip and PIN. Even with the chip, there is still opportunity for card data to be stolen there."
The best defense is immediate intrusion detection, which means organizations have to understand what legitimate network traffic looks like so that they can pick up on anomalies sooner, Wilson explains.
Because so many new strains are emerging daily, focusing solely on malware detection is a losing battle, he adds. "But if they focus on activity on the host or on the network, they can question why certain POS commands are showing up. To do this, you have to monitor the internal network."


http://www.databreachtoday.com/more-retailer-breaches-on-way-a-6874/p-2  

12 Quick Internet Safety Tips That Will Save Your Digital Life From Getting Hacked


Business Insider

[Photo: student computer laptop studying. AP/Jerry Lai]
If we've learned anything about cyber security in 2014, it's that hackers are becoming more of a threat than ever before.
Within the past two months companies such as Microsoft, AOL, and eBay have been the victim of security breaches.
And let's not forget about the Heartbleed bug — a giant vulnerability that was discovered within an encryption protocol that guards a massive chunk of the internet.
If you've been laid back about your online habits, now might be a great time to change your ways.
Here are some tips to help prevent your digital life from being stolen, whether it be a password breach or an internet-wide vulnerability.
Make sure you've got a superstrong, unique password. In other words, ensure that your password is difficult to guess. One way to come up with a creative password is to brainstorm a random sentence. Take the first letter of each word in that sentence and use that acronym as the base for your password.
Don't use the same password for multiple services. Using the same term for all of your passwords leaves your entire digital life vulnerable to attack. This means that if a hacker has one password, he or she has all of your passwords.
Enable two-factor authentication. Many services, including Google, offer two-factor authentication for logging into your account. Instead of simply entering a username and password to log in, the website will prompt you to enter a code sent to your smartphone to verify your identity.
Apply software updates when necessary. Apple, Google, and Microsoft typically include security bug fixes and patches in their most recent software updates. So don't ignore those annoying prompts and keep your software up-to-date.
Carefully read the permissions before installing apps. This is one of the most prominent ways in which malicious apps can gain access to your personal information. These types of issues have been especially present in the Google Play store. A lot of apps ask for a lengthy list of permissions, and that doesn't mean they're all ill-intentioned. But it's important to be aware of the types of information your apps are accessing, which can include your contacts, location, and even your phone's camera. 
Check the app publisher before installing. There have been numerous instances in which scammers have published apps in the Google Play store posing as another popular app. For example, in late 2012 an illegitimate developer posted an imposter app in Google Play pretending to be "Temple Run." A quick look at the publisher shows that the app comes from a developer named "apkdeveloper," not the game's true publisher Imangi Studios.
Avoid inserting hard drives and thumbdrives you don't trust into your computer. If you find a random USB stick, don't let your curiosity tempt you to plug it in. Someone could have loaded malware onto it hoping that an interested person was careless enough to insert it into their device. If you don't trust the source, you're better off not putting your computer at risk.
Make sure a website is secure before you enter personal information. Look for the little padlock symbol in front of the web address in the URL bar. Also, make sure the web address starts with the prefix https://. If these things aren't there, then the connection isn't secure and you shouldn't enter any data you wouldn't want made public.
Don't send personal data via email. Sending critical information such as credit card numbers or bank account numbers puts it at risk of being intercepted by hackers or cyber attacks.
Keep an eye out for phishing scams. A phishing scam is an email or website that's designed to steal from you. Oftentimes, a hacker will use this email or website to install malicious software onto your computer. These web entities are designed to look like a normal email or website, which is how hackers convince their victims to hand over personal information. Phishing scams are typically easy to spot, but you should know what to look out for. Many of these emails contain spelling errors and are written in poor grammar. Here's a great example of a standard phishing email from Microsoft's security blog:

[Image: Phishing]

Avoid logging into your important accounts on public computers. Sometimes you've got no choice but to use a computer at the coffee shop, library, or local FedEx. But try not to do it frequently, and make sure you completely wipe the browser's history when you're finished.
Back up your personal files to avoid losing them. You should keep a copy of all important files in the cloud and on some sort of hard drive. If one of them gets hacked or damaged, you'll still have a backup copy.


http://finance.yahoo.com/news/12-quick-internet-safety-tips-015000821.html

Cybercrime is outwitting, outpacing security

May 28, 2014: 7:46 AM ET


When it comes to smart cybersecurity investments, most U.S. organizations dawdle.
By Robert Hackett
FORTUNE -- Cybersecurity is no longer just an afterthought; it's a core part of any successful business strategy. Yet in the battle to secure cyberspace -- where cybercriminals are becoming ever more adept at looting precious data -- many U.S. organizations are not wisely defending themselves.
According to a new report from PricewaterhouseCoopers, most U.S. organizations are not prioritizing their security spending or appraising their digital assets. Of the more than 500 U.S. businesses, government agencies, and law enforcement services that responded to the survey, only 38 percent said they strategically invest in cybersecurity based on risk and impact to business. And just 17 percent reported taking steps to identify which business data are most important.
"Our respondents in the survey continue to fail to adequately allocate resources necessary to address the cybersecurity risks that we see out there in the marketplace. It's disappointing," said David Burg, Global and U.S. Advisory Cybersecurity Leader at PwC, which partnered with CSO magazine, the Software Engineering Institute at Carnegie Mellon University, and the U.S. Secret Service on the survey. "Unfortunately, we've seen this pattern manifest for a number of years."
PwC's findings are consistent with a survey it conducted last year that found an identical 17 percent of respondents who reported classifying the business value of data. (The earlier survey was far broader and collected responses from more than 9,600 senior leaders across the globe. It was also the first time the question was added to the smaller, U.S.-centric survey.)
"There's a real large gap that needs to be filled in terms of companies all around the world -- not just in the U.S. -- taking the time necessary to actually have a smart cybersecurity strategy, and then to execute that strategy," Burg said.
In the latest survey, more than three quarters of respondents reported a security incident in the past year, and the number of security incidents detected over that period averaged 135 per organization. Just over one-third of respondents said that the frequency of security events has increased since last year. Fourteen percent reported losing more money to cybercrime in the last year, estimated at an annual average of $415,000.
Perhaps most surprising: 67 percent of respondents who detected a security incident were unable to estimate how much it cost. Given the frequency of high-profile data breaches at Target (TGT), eBay (EBAY), and other large companies this year, it is perhaps unsurprising that three-fifths of respondents reported being more concerned about cyber threats this year than last.
"The increasing sophistication of cyber criminals and their ability to circumvent security technologies indicates the need for a radically different approach to cybersecurity," said Ed Lowery, Special Agent in Charge for the Criminal Investigative Division of the U.S. Secret Service, in the survey's press release. "A balanced approach that, in addition to using effective cybersecurity technologies, develops the people, processes, and effective partnerships in order to strategically counter cybersecurity threats."
Other findings from this year's survey include a lack of attention to the security practices of contractors, supply chain partners and other third-party business partners. Less than half of the group surveyed reported having a process for evaluating third parties before they launch business operations, and fewer than a third included security provisions in contracts with external vendors and suppliers.
Despite acknowledging that they spend 76 percent less on security incidents when employees are properly trained, less than half of respondents admitted that they do not offer security training to new hires. And though respondents acknowledged the rapid adoption of mobile technologies, "We don't see investment in security or security capability really following that," Burg said.
Burg called the current state of affairs "a strategic lagging problem" -- meaning that senior executives are aware of security issues but need more time to execute the necessary changes within their organizations.
"This is a business transformation exercise," Burg said. "Transformation takes time, and it takes focus, and it takes commitment, and it all begins at the top of the house."

Thursday, May 15, 2014

Simplifying the complexities of IT security

17 March, 2014
IT security professionals are in danger of losing sight of the basics as systems and their protection become increasingly complex.

In the world of cyber-crime, it is a certainty that whatever you do to protect access and lock down your systems, a breach will nonetheless occur if a cyber-criminal is determined to achieve it.



Using this assumption, those in the IT security profession are left with the basic principle that has always been the foundation of their trade and has never changed: focus on the data and make sure it is protected so that when a breach occurs, the cyber-criminal is left empty-handed.



These were the views expressed by Jason Hart, the VP Cloud at SafeNet, a former ethical hacker and a renowned expert in the tools and techniques of hacking and password vulnerabilities. Intrigued by his approach, ProSecurityZone met Jason recently in London to discuss data protection and find out why passwords are so vulnerable.



Password proliferation



Passwords are a pain and it would be better to assign them the same status as floppy disks as curious artefacts of the bygone age of obsolete technology. Unfortunately, we're not there yet and continue to have to put up with an escalating number of passwords that have to be used. Each one needs to be unique, conform to a set of rules (which may be different for each one), memorised and then changed regularly.



Such a process across multiple systems and web sites is clearly unsustainable so people write them down, re-use and re-cycle them, use their browser facility to remember passwords, list them on a spreadsheet on their computer or on their smart-phones. Some of the more tech-savvy keep them in a secure password vault, the security of which is determined by a single password needed in order to enter the vault. Whatever system you use in order to manage your unmanageable list of passwords is vulnerable.



This is one of the reasons behind Jason's opening statement when we met that we have to accept that breaches will happen and therefore need to focus on protecting the data. Passwords aren't the only means of breaching a system, of course; there are many others, including network vulnerabilities and capturing data in transit.



Data in transit vulnerability



Data in transit is particularly easy to hack in Wi-Fi environments which Jason was able to demonstrate in the small cafe with free Wi-Fi access where we'd chosen to meet. Using a piece of hardware cobbled together from easily available components and some similarly accessible software, Jason was able to create his own unsecured hotspot.



Using my computer to search for hotspots, I found his and logged on with ease. Once connected to Jason's hotspot, everything I did on my computer was his to analyse so I logged onto one of my password protected cloud services. To demonstrate the simplicity of harvesting login credentials using unsecured hotspots, Jason invited me to watch it as it happened using a Linux console that looked suitably geeky with its green-screen display scrolling dozens of lines of characters and no graphics. Despite the unfriendly looking interface, it took him all of 5 seconds to locate both the userid and the password in plain text that I'd passed to my cloud provider.



[Image: Hacking software for stealing data in transit at WiFi hotspots]




This isn't unusual, he told me. Cloud servers are everywhere, and we all use them in one form or another, but most of them don't even offer two-factor authentication (2FA) for more secure access control to that all-important data. Even banks only use 2FA for transactions outside of the managed accounts. Accessing online bank accounts is more difficult because only random sequences of bits of PINs and passwords are used, but to set up a new payee and transfer money to it requires a Hardware Security Module (HSM), which provides another authentication factor.



As far as Jason's demonstration was concerned, it was clear that providing a free hotspot introduces a temptation that makes users extremely vulnerable. I argued that although this may be the case for people with very low awareness of security, most people understand the vulnerability of free Wi-Fi access and are unlikely to fall into such a trap, particularly when dealing with sensitive data.



Trusted connections shouldn't be trusted



However, the reality is that free Wi-Fi comes as such a relief to people travelling on business that security is often the last thing on their minds. Nonetheless, to capture even the most security conscious browser, Jason had something much more sinister in his bag of tricks.



Using his self-assembled hardware and a downloadable piece of hacking software, Jason was able to scan my computer for all the wireless networks listed that are trusted and that I automatically connect to. The software then spoofed one of those connections and my computer automatically connected to it. I didn't have to do anything, the computer simply connected itself to a hostile hotspot thinking it was one of my trusted networks.



This would have looked a bit fishy if I'd hovered over the connection icon in the toolbar and seen the name of a network that I only use when I'm abroad but, as Jason pointed out, I was taking part in a hacking demonstration so I knew what I was looking for. Most people would have no awareness of what was going on; they would just work on their computer as normal while the hacker sifted through all the information being transmitted, searching for something useful ... or something targeted.



Focusing on the data



Hackers have always wanted your data and although this hasn't changed, their armoury for accessing it becomes more sophisticated every day. Since it's the data that's important to them, it is on this data that information security should be focused, Jason asserts.



The only effective way of doing this is by making the data unusable through encryption and effective key management. Encrypting data at rest protects it from being read if accessed and protecting data in transit protects it when it's being transmitted such as in a cafe with Wi-Fi. If my userid and password for the cloud service I'd been accessing had been encrypted for transmission, it wouldn't have been readable on Jason's Linux console.



Access control is of course also important, but simple password control just isn't enough. Two-factor authentication should be deployed as a minimum and shouldn't be seen as an alternative to protecting the data through well-managed encryption.



Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.


Read more: http://www.prosecurityzone.com/blog/Simplifying_the_complexities_of_it_security_286.asp#ixzz31n4d6Kfo

Friday, May 9, 2014

Heartbleed fail: 30,000 new SSL certificates worthless

By
News - More than 30,000 SSL certificates have been revoked by webmasters in response to the Heartbleed bug and replaced with new certificates that reuse the possibly already stolen private key. As a result, the new certificates are just as useless as the old ones.
After Heartbleed, the leak in OpenSSL, came painfully into the open last month, security companies immediately laid out three important steps that website owners had to take to make their secure connections trustworthy again.
Those three steps are:
1. replace your SSL certificates,
2. revoke the old certificates,
3. use a new private key.


According to internet security company Netcraft, only 14 percent of all affected websites followed those three steps.

Certificates replaced, but not the private key

Of the affected websites, 5 percent did replace their certificates, but without replacing the private key. Crucially, the public keys that provide verification of the secure connection are generated from the private key. If the latter has not been replaced, the SSL certificates that carry the public keys are just as worthless as their predecessors.
Heartbleed has made it possible for attackers to steal a website's private key. That is very valuable to criminals, because with that private key they can put up a fake website that pretends to be the original website, complete with a fully trusted SSL connection.

Abuse of private keys therefore remains possible

As long as the private key has not been replaced and revoked by its rightful owner, abuse of the stolen private key remains possible, and creating new certificates based on that private key is completely useless. And that while the website admins think they have done everything to stop Heartbleed.
According to Netcraft, a further 57 percent of the websites concerned have taken no action at all, and 21 percent did use a new private key to create certificates but have not taken the old private key out of service.
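As an added example (not part of the Netcraft report or this article), a Go check that tells the two cases apart: it compares the SubjectPublicKeyInfo of the old certificate with that of its replacement, so a certificate reissued on the same private key is flagged while one issued for a fresh key pair passes. The hostname is constructed and the certificates are self-signed only so the example runs offline; in practice the old certificate comes from a backup or a certificate transparency log and the new one from the live server.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCertPEM builds a self-signed certificate for host with the given key
// and returns it PEM-encoded. Self-signing keeps the example offline; the
// check below does not care who signed the certificate.
func issueCertPEM(host string, key *ecdsa.PrivateKey, serial int64) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// parseCertPEM decodes the first CERTIFICATE block in a PEM file.
func parseCertPEM(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ReusesKey reports whether newPEM still carries the public key of oldPEM.
// The comparison is on the raw SubjectPublicKeyInfo, so a new serial number,
// new validity dates or a new issuer do not hide a reused key. After
// Heartbleed a true result means the private key was never rotated, so
// whoever extracted it can still impersonate the site.
func ReusesKey(oldPEM, newPEM []byte) (bool, error) {
	oldCert, err := parseCertPEM(oldPEM)
	if err != nil {
		return false, fmt.Errorf("old cert: %w", err)
	}
	newCert, err := parseCertPEM(newPEM)
	if err != nil {
		return false, fmt.Errorf("new cert: %w", err)
	}
	return bytes.Equal(oldCert.RawSubjectPublicKeyInfo, newCert.RawSubjectPublicKeyInfo), nil
}

// Demo reproduces the two outcomes Netcraft counted: a certificate reissued
// on the old key and one reissued on a fresh key. It returns the verdict
// for each (sameKeyFlagged should be true, freshKeyFlagged false).
func Demo() (bool, bool, error) {
	const host = "shop.example.test" // constructed hostname, not a real site

	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	original, err := issueCertPEM(host, oldKey, 1)
	if err != nil {
		return false, false, err
	}
	// The mistake: new serial and dates, but the same private key.
	sameKeyReissue, err := issueCertPEM(host, oldKey, 2)
	if err != nil {
		return false, false, err
	}
	// The fix: generate a new key pair first, then request the certificate.
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	freshKeyReissue, err := issueCertPEM(host, newKey, 3)
	if err != nil {
		return false, false, err
	}

	sameKeyFlagged, err := ReusesKey(original, sameKeyReissue)
	if err != nil {
		return false, false, err
	}
	freshKeyFlagged, err := ReusesKey(original, freshKeyReissue)
	if err != nil {
		return false, false, err
	}
	return sameKeyFlagged, freshKeyFlagged, nil
}

func main() {
	sameKey, freshKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("reissue on the old key reuses key: %v\n", sameKey)
	fmt.Printf("reissue on a fresh key reuses key: %v\n", freshKey)
}
```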

Monday, May 5, 2014

Heartbleed: Facts And Recommendations


What has just happened

A security vulnerability has been discovered this week. One more and why should I care, you’ll ask.
This vulnerability, romantically named “Heartbleed”, impacts some versions of a tool called OpenSSL. You know that when you enter confidential information online, such as a credit card number, you should check that there’s a lock icon in your web browser navigation bar. The lock is displayed when the https protocol is used. OpenSSL is the open-source tool many websites use to handle https. So if OpenSSL is broken, online transactions are no longer confidential. This vulnerability is not a small one…

How bad is it for me?

Assume that all information you’ve been exchanging online in the last 2 years may have been eavesdropped on. You regularly check your credit card transactions? Keep doing that! However, you probably don’t change your passwords regularly. Now you should, as they may have been captured and recorded. All of them? Unless you want to check the OpenSSL version used by each and every website where you have an account, assume all your passwords may have been captured.
You’ve probably been hearing a lot about passwords in the recent weeks, months, years. Have you done something about it? If not, that’s probably the right time to do so. Remember, you should have a strong unique password for each of your sites.

How can I do that?

Ordinary people can’t, unless they maintain long lists of passwords (on paper, in an Excel spreadsheet…). The alternative that you should seriously consider now is to use a Password Manager to create strong unique passwords and automate the connection to your websites. inWebo has such a tool available for you. It’s super easy, synchronized with your multiple devices, and free.
Free!? Where’s the trap? There’s no trap, no ad, no limitation to the number of passwords or number of devices. It’s free because our model is to charge for the business and enterprise versions.
To use it, simply open an account HERE. inWebo Password Manager will propose to record your password when you connect or sign up to a website that is not yet known. Also, inWebo will propose a new, strong and unique password if you use the password lost or change password features proposed by the website.
Finally, you should pay special attention to the passwords of your email addresses, as they are used to recover all other passwords. Make sure that the password you use for email is unique and strong, and that you have a way to recover it that doesn’t rely on other emails.


http://www.inwebo.com/blog/heartbleed-facts-and-recommendations/

Europe's cybersecurity policy settings under attack

AFP

Even as Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent's patchwork of online police was right for the job (AFP Photo/Thomas Samson)

Brussels (AFP) - Even as Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent's patchwork of online police was right for the job.
The exercise, called Cyber Europe 2014, is the largest and most complex ever enacted, involving 200 organisations and 400 cybersecurity professionals from both the European Union and beyond.
Yet some critics argued that herding together normally secretive national security agencies and demanding that they spend the rest of 2014 sharing information amounted to wishful thinking.
Others questioned whether the law enforcement agencies taking part in the drill should be involved in safeguarding online security, in the wake of American whistleblower Edward Snowden's revelations of online spying by western governments.
"The main concern is national governments' reluctance to cooperate," said Professor Bart Preneel, an information security expert from the Catholic University of Leuven, in Belgium.
"You can carry out all of the exercises you want, but cybersecurity really comes down to your ability to monitor, and for that, national agencies need to speak to each other all the time," Preneel said.
The Crete-based office coordinating the EU's cybersecurity, the European Union Agency for Network and Information Security (ENISA), calls itself a "body of expertise" and cannot force national agencies to share information.
As with most aspects of policing and national security, the EU's 28 members have traditionally been reluctant to hand over powers to a central organisation, even when -- as in the case of online attacks -- national borders are almost irrelevant.
- 'Citizens and economy at risk' -
Cyberattacks occur when the computer information systems of individuals, organisations or infrastructure are targeted, whether by criminals, terrorists or even states with an interest in disrupting computer networks.
The EU estimates that over recent years there has been an increase in the frequency and magnitude of cybercrime and that the attacks go beyond national borders, while the smaller-scale spreading of software viruses is also an increasingly complex problem.
The EU's vulnerability has been highlighted over recent years by a number of high-profile cyberattacks, including one against Finland's foreign ministry in 2013 and a network disruption of the European Parliament and the European Commission in 2011.
And with Europe's supply of gas from Russia focusing attention on energy security, the highly computerised "smart" energy grids which transport and manage energy in the EU are also seen as vulnerable.
Yet the view from Brussels is that the member states' reluctance to work together on cybersecurity amounts to "recklessness", with one EU source saying national governments were "happy to put their citizens and economy at risk rather than coordinate across the EU."
ENISA was established in 2001 when it became clear that cybersecurity in the EU would require a level of coordination. Unlike other EU agencies, ENISA does not have regulatory powers and relies on the goodwill of the national agencies it works with.
The agency is undaunted by its task, arguing that the simulations it stages every two years, taking in up to 29 European countries, are both effective and necessary in preparing a response to cyber-attacks.
This week's simulation created what ENISA described as "very realistic" incidents in which key infrastructure and national interests came under attack, "mimicking unrest and political crisis" and "disrupting services for millions of citizens across Europe."
- Responsibility with industry -
However, Amelia Andersdotter, a Swedish member of the European Parliament with the libertarian Pirate Party, is dismissive of both the exercise and the European online security model.
Andersdotter, along with a number of European experts, is calling for reforms to move responsibility for cybersecurity away from law enforcement agencies toward civilian bodies.
Their argument is that a civilian agency would be better placed to coordinate a response with industry, which Andersdotter argues has not done enough to safeguard cybersecurity.
At present, she told AFP, industry actors in software or infrastructure simply report cybercrime to authorities without being required to compensate or inform consumers.
A civilian authority would end what Andersdotter calls the "conspiracy of database manufacturers and law enforcement agencies" by placing greater responsibility with industry.
What most experts agree on is that European companies and consumers are vulnerable to cybersecurity threats, and that can have an impact on people's willingness to use online services.
James Wootton, from British online security firm IRM, said the ENISA exercises are a step in the right direction, but are not enough.
"The problem is nation states wanting to fight cybercrime individually, even when cybercrime does not attack at that level," Wootton says, arguing that national law enforcement agencies often lack the required resources.
"So it is good to look at this at the European level, but what power does ENISA have? What can they force countries to do?"
Eurostat figures show that, by January 2012, only 26 percent of EU enterprises had a formally defined information technology security plan in place.
One industry insider said the view in Brussels is that EU cybersecurity was "like teenage sex: everyone says they are doing it but not that many actually are."

http://news.yahoo.com/europes-cybersecurity-policy-settings-under-attack-042108714.html