Mozilla’s First Internet Health Report Tackles Security, Privacy

January 21st, 2017
by The Feeder
Mozilla released its first Internet Health Report, examining the dangers of over-sharing eroding privacy, and the security of connected devices.

Posted in critical infrastructure, cryptography, encryption, Government, Internet Health Report, Internet Privacy, internet security, IoT, Lets Encrypt, mirai, Mozilla Foundation, privacy, security

Fastest magnetic read/write ever is incredibly energy efficient

January 21st, 2017
by The Feeder

Magnets, how do they work? (credit: Paul Downey (Flickr))

Magnetic media, in the form of disk and tape drives, has long been the dominant way of storing bits, but the speed and low power of flash memory have been displacing it from consumer systems, and even faster forms of long-term memory are in development. A new paper suggests that magnetic media may still be competitive; you just have to stop reading and writing it with magnets.

Using a specific form of garnet and some ultrafast laser pulses, a Dutch-Polish team of researchers performed what they suspect is the fastest read/write of magnetic media ever. And, for good measure, the process was extremely energy efficient.

Heat is actually a problem for both hard drives and flash. Although it doesn't create a problem in most consumer systems, dealing with excess heat is a major issue in data centers. The problem, according to the authors of the new paper, is one of scale. While we can calculate the minimum energy needed to flip a magnetic bit, we use much more than that to ensure that every bit gets written as intended. Eight orders of magnitude more, in fact. Most of that excess energy ends up dissipating into the environment, where it ends up as heat.


Posted in magnets, materials science, Scientific Method, Storage, Technology Lab

A really obscure forgotten audio format: “Talking rubber”

January 21st, 2017
by The Feeder

“Hi, you’ve reached Eran. Please leave a message, and I’ll get back to you.”

That’s my voicemail message on my cell phone that I recorded in high school and can’t figure out how to change. Although I’m still a loyal proponent of phone calls themselves, I have to admit, I probably don’t check my voicemail as much as I should.

And it’s not just me. As young people shy away from leaving voice messages when an e-mail or text message can instantly reach business colleagues, we may have moved beyond the simple answering machine.


Posted in Gear & Gadgets, Ministry of Innovation

Lavabit — Encrypted Email Service Once Used by Snowden, Is Back

January 21st, 2017
by The Feeder
Lavabit, the Texas-based encrypted email service that shut down in 2013 rather than comply with a court order demanding its SSL private key so that investigators could read Edward Snowden's email, is relaunching on Friday. Lavabit CEO Ladar Levison had custody of the service's SSL key, which could have let the government recover Snowden's password. Although the FBI insisted it was only

Posted in best secure email service, encrypted email, Encrypted email service, encryption, encryption keys, end-to-end encryption, Lavabit, NSA, secure email, SSL encryption, Surveillance

Doctoring Data: Why Cybercriminals Have Their Eye on Healthcare

January 20th, 2017
by The Feeder

Fun fact: your healthcare data is worth roughly 10 times as much as your credit card number. Well, to a cybercriminal at least. Why the value increase, you may ask? Insurance fraud—and a lot of it. Which translates to a lot of billing for fake treatments and stolen prescriptions. And before you write that off as someone else’s problem, remember the ramifications of stolen health data last longer and have a deeper effect than any other kind of stolen data.

So why does this kind of theft have such a lasting effect? First, the fraudulent transactions end up on your medical records, which can lead to a mistaken diagnosis, incorrect treatment or unnecessary delays in care. But the true value of healthcare data to a criminal lies not only in these tangible payoffs but in the data's longevity.

Credit card companies can detect fraud and cancel a card in the blink of an eye. Healthcare data, however, connects policy numbers to employee numbers, which are difficult to change, leaving the control out of the hands of the insurer. Adding to this longevity is ambiguity. Is that an MRI for your arm, or fraud? Did you ask for this prescription, or did a cybercriminal? It’s impossible to know. Not to mention, it’s extremely difficult for providers to be able to determine fraud while still complying with HIPAA.

Most healthcare attacks target hospitals or insurers, but that does not mean they won't directly affect you and your personal data. Nor does it mean your own devices won't be targeted for the same data: the growth of healthcare apps puts that information within easy reach. With the consequences of such a breach seemingly endless, it is up to you to start taking preventative measures now to protect yourself from this emerging type of identity theft.

For starters, here are a few tips and best practices to follow:

  • Maintain good password hygiene. There's a password for everything these days, including access to insurance information online. Don't reuse passwords across online accounts, especially for apps that hold identifying information, and make sure your logins are complex. A password manager, such as the one included in True Key™ by Intel Security, can keep track of all of your unique credentials for you.
  • Regularly review activity. Similar to checking your credit card activity, routinely log in to your health insurance or benefit provider’s website and review recent activity. Make yourself aware of all activities listed, check the prescriptions and treatments ordered, and immediately flag anything that is suspicious or incorrect.
  • Look into a monitoring service. A monitoring service won't, unfortunately, prevent your identity from being stolen or protect you from fraud, but it can provide early warning that it is happening. Typical services scan for use of your personal information and for mentions of your document numbers in criminal marketplaces, then alert you to anything that turns up.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @IntelSec_Home on Twitter, and ‘Like’ us on Facebook.

gary

The post Doctoring Data: Why Cybercriminals Have Their Eye on Healthcare appeared first on McAfee Blogs.

Posted in consumer, Consumer Threat Notices, Cybersecurity, healthcare

MongoDB Databases Hit by Wave of Data Extortion

January 20th, 2017
by The Feeder

During the past couple of weeks an attacker using the alias Harak1r1 has gone after MongoDB databases exposed to the Internet. These database instances were not protected by an administrator password and were not firewalled. The attacker simply logged on, downloaded the content, deleted it, and left a note demanding 0.2 Bitcoin to restore the data. Although many observers have called this a ransomware attack, it is more accurately extortion: none of the data is encrypted, which is the defining trait of crypto-ransomware.


All of these actions were automated instead of manual hacks into the databases. The following screenshot shows a code snippet of the scripts being used by the attackers:


A report generated on Shodan shows an overview of MongoDB databases connected to the Internet:


As usual, when an attack like this is revealed, many copycats attempt similar attacks. 0wn3d, byterot, and P1l4tos, as well as the professional ransomware group Kraken, soon followed. P1l4tos and Kraken0 have not limited themselves to MongoDB instances but have targeted instances of Elasticsearch as well. Other reports name Hadoop and other databases as targets.

The Kraken group is actually offering its MongoDB and Elasticsearch code, including data, as a kit for US$500.


How profitable are these attacks for the actors? According to researchers Niall Merrigan and Victor Gevers, the total paid by MongoDB victims so far is around BTC 23.3, roughly $20,000. Looking, for example, at the initial attacker, Harak1r1, we can build a small overview:


Analyzing the Bitcoin wallets involved, to date the actor has made a total of BTC 4.2, which translates to $3,700.

So why exactly were these MongoDB instances unprotected and such easy targets? Many of them appear to stem from Shadow IT: developers or departments took matters into their own hands and built out systems without IT knowledge or approval, and consequently never applied the organization's security policies.

Attackers scanning the Internet found these unapproved and unsecured cloud systems with their data wide open, and cybercriminals were quick to jump on the opportunity.

Prevention

In these particular cases, simply enabling authentication would have stopped the attack. Of course, there is much more to do to protect an online database: restrict network access with a firewall, keep queries injection-safe, apply updates, enable auditing, and keep tested backups.

But first, the IT department needs to find these Shadow IT instances and bring them to light, to ensure that these security measures are actually in place. That is no easy feat, but it can be accomplished.
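The two failures that let these wipe-and-extort attacks in are visible in a single file, mongod.conf: listening on every interface and running without access control. The following audit script is an added example, not McAfee's code; it flattens the YAML-style config into dotted keys and reports both exposures. The two config texts (a weak one and a hardened one) are constructed for illustration, and the address 10.0.0.5 is an assumed app-tier address.

```python
"""Audit a mongod.conf for the two settings that let the wipe-and-extort
attacks described above walk in: listening on every interface and running
with access control off.  Added example, not McAfee's code; both config
texts below are constructed for illustration."""

from typing import Dict, List, Tuple


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Flatten the indentation-nested 'key: value' form mongod.conf uses into
    dotted keys (security: / authorization: enabled -> 'security.authorization').
    Good enough for scalar settings; it ignores YAML lists and quoting."""
    stack: List[Tuple[int, str]] = []
    flat: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:      # climb back out of deeper blocks
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip()
    return flat


def audit_mongod_conf(text: str) -> List[str]:
    """Return one finding per exposure; an empty list means the two basic
    controls are present (a network firewall is still needed on top)."""
    conf = parse_simple_yaml(text)
    findings: List[str] = []

    bind = conf.get("net.bindIp")
    if bind is None:
        # Before MongoDB 3.6 the binary default was to listen on all interfaces.
        findings.append("net.bindIp unset: pre-3.6 mongod listens on every interface by default")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append(f"net.bindIp={bind}: listens on every interface, Internet-reachable unless firewalled")

    # A keyFile turns on internal (replica-set) auth and, with it, client access control.
    auth_on = (conf.get("security.authorization", "disabled").lower() == "enabled"
               or "security.keyFile" in conf)
    if not auth_on:
        findings.append("security.authorization not enabled: any client that can connect can dump and drop every database")
    return findings


# Constructed: how the hit instances were effectively configured.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the same server with the two controls turned on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app-tier address only (assumed)
security:
  authorization: enabled       # every client must present credentials
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf) or ["no findings"])
```

Run against an inventory of config files pulled from the hosts a Shodan or internal scan turns up, this gives the IT department a quick triage list; a clean result still has to be paired with a firewall rule that limits port 27017 to the application tier.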

Criminals will always seek new ventures to make money. This is an example of the latest wave. What if an attack is targeted at your company’s database (online or onsite) and it is encrypted by attackers: are you prepared?

The post MongoDB Databases Hit by Wave of Data Extortion appeared first on McAfee Blogs.

Posted in Business, cloud, Cloud security, Cybercrime

Kaléo reveals the price of its Epipen alternative: $4,500

January 20th, 2017
by The Feeder


As public outcry over the skyrocketing price of Mylan's Epipens hit fever pitch last fall, Ars noted that there was an upcoming competitor: Auvi-Q by Kaléo. But we were pretty confident back then that Kaléo was not going to offer an affordable epinephrine auto-injector alternative, given that the company too has a well-documented history of price gouging on life-saving medications. Nevertheless, Auvi-Q's price may still send some jaws toward the floor.

In an announcement Thursday, the company revealed that Auvi-Q will have a $4,500 list price for a two-pack and will be available February 14 for anyone who wants to buy one.

Auvi-Qs were initially introduced in 2013 but were pulled from the market following dosage issues. The devices are slim and rectangular, easy to slip into pockets, and provide a voice-prompt system to guide through a life-saving epinephrine injection. At the time of their initial release, Auvi-Qs were listed at around $200 for a two-pack. By early 2015, when they were pulled, that price had floated up to $500, largely in step with Mylan’s pricing.

The company also makes a device for injecting a cheap, older drug called naloxone, which reverses deadly opioid overdoses. As the country has suffered from an epidemic of opioid abuse and overdoses during the last two years, Kaléo raised the price of its device, called Evzio, from $575 to $3,750.


Posted in Adrenaclick, Auvi-Q, CVS, drug pricing, EpiPen, Impax, kaleo, Mylan, Scientific Method

Apple sues Qualcomm, saying chipmaker withheld $1B as “extortion”

January 20th, 2017
by The Feeder

Apple's shiny logo outside its San Francisco store. (credit: Steve Rhodes)

Apple sued Qualcomm today, alleging that the chip company charges billions in patent royalties "for technologies they have nothing to do with."

In its complaint, Apple says that Qualcomm actually withheld $1 billion in payments it owes to Apple because Apple cooperated with the Korea Fair Trade Commission, or KFTC. Apple lawyers go on to make an extraordinary claim: that Qualcomm "attempted to extort Apple into changing its responses and providing false information to the KFTC in exchange for Qualcomm's release of those payments to Apple," but Apple refused.

Apple's lawsuit seeks unspecified damages while stating it has been "overcharged billions" by Qualcomm. The lawsuit notes that law enforcement agencies around the world are investigating Qualcomm, which "has been declared a monopolist by three separate governments" in the past two years. Last month, Korean regulators slapped Qualcomm with a $850 million fine over its patent-licensing practices. The US Federal Trade Commission sued Qualcomm earlier this week, again over patent issues.


Posted in apple, FTC, Infinite Loop, Law & Disorder, patents, Qualcomm, South Korea

Already on probation, Symantec issues more illegit HTTPS certificates

January 20th, 2017
by The Feeder


A security researcher has unearthed evidence that three browser-trusted certificate authorities owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates. In some cases, those certificates would have made it possible to impersonate HTTPS-protected websites.

One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to applicants who have demonstrated control of the domain name named in the certificate and, for organization-validated certificates, verified the company identity it carries. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 certificates that violated these industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of the CA reseller SSLMate. The guidelines exist to protect the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners; the remaining 99 were issued without proper validation of the company information in the certificate.

Many of the improperly issued certificates, which contained the string "test" in various places in a likely indication they were created for test purposes, were revoked within an hour of being issued. Still, the mis-issuance represents a major violation by Symantec, which in 2015 fired an undisclosed number of CA employees for doing much the same thing.
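Nine of these certificates were issued without the domain owners' knowledge, which is exactly the case Certificate Transparency monitoring exists to catch: the owner watches the public logs for any certificate naming their domains and alerts on issuers they never authorised. The following is an added example of that rule, not code from Ars, SSLMate or Symantec; the log entries, monitored domains and issuer names are constructed, and the entry fields mirror what a CT monitor would hand over after decoding a logged leaf certificate (issuer, subject CN, SAN list).

```python
"""Flag Certificate Transparency entries that name domains we control but come
from a CA we did not authorise, or that look like CA test artefacts.  Added
example, not from Ars or SSLMate; all entries and names below are constructed."""

from typing import Dict, Iterable, List

# Assumption: the zones the monitored organisation is responsible for.
MONITORED_DOMAINS = {"example.com", "example.net"}

# Assumption: the only CA this organisation actually buys from.  Any other
# issuer appearing on one of our names is a finding to investigate.
AUTHORISED_ISSUERS = {"Let's Encrypt Authority X3"}

# Constructed entries, shaped like decoded CT log leaves.
SAMPLE_CT_ENTRIES = [
    {"issuer": "Let's Encrypt Authority X3", "cn": "www.example.com",
     "sans": ["www.example.com", "example.com"]},
    {"issuer": "Some Other CA", "cn": "test.example.com",
     "sans": ["test.example.com"]},
    {"issuer": "Some Other CA", "cn": "*.example.net",
     "sans": ["*.example.net"]},
    {"issuer": "Some Other CA", "cn": "notexample.com",
     "sans": ["notexample.com", "www.notexample.com"]},
]


def name_covers_monitored(name: str) -> bool:
    """True if a certificate name (possibly a wildcard) is one of our domains
    or a subdomain of one.  Suffix matching is on a label boundary, so
    'notexample.com' does not match 'example.com'."""
    n = name.lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]                      # *.example.net covers example.net's subdomains
    return any(n == d or n.endswith("." + d) for d in MONITORED_DOMAINS)


def audit_ct_entries(entries: Iterable[Dict]) -> List[str]:
    """One finding per problem: an unauthorised issuer on our names, or a
    name in our zone that looks like a CA test certificate."""
    findings: List[str] = []
    for e in entries:
        names = {e["cn"], *e["sans"]}
        ours = sorted(n for n in names if name_covers_monitored(n))
        if not ours:
            continue                   # not our zone; somebody else's problem
        if e["issuer"] not in AUTHORISED_ISSUERS:
            findings.append(f"unauthorised issuer {e['issuer']!r} for {ours}")
        if any("test" in n.lower() for n in ours):
            findings.append(f"test-like name issued in our zone: {ours}")
    return findings


if __name__ == "__main__":
    for finding in audit_ct_entries(SAMPLE_CT_ENTRIES):
        print(finding)
```

The wildcard handling matters in practice: a CA that mis-issues `*.example.net` has handed out a certificate valid for every host in that zone, so a monitor that only compares exact names would miss the most damaging case.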


Posted in certificate authorities, Law & Disorder, PKI, Public Key Infrastructure, Risk Assessment, Symantec, TLS

Corporate Legal Counsels Fret Over Cybersecurity

January 20th, 2017
by The Feeder
A BDO Consulting survey shows in-house legal executives citing data breaches and cross-border data transfers as the top risks in e-discovery.

Posted in Uncategorized