Senate passes CISA, without privacy protection amendments


The Senate on Tuesday passed CISA, a bill that encourages companies to share private user data with the government and that worries civil liberties advocates. Four amendments were proposed to address privacy concerns, but they all died on the floor. The Cybersecurity Information Sharing Act was introduced by Sen. Dianne Feinstein, D-Calif., in June 2014 following several high-profile cyber attacks targeting major corporations. It is aimed at protecting user data from falling into the wrong hands. Under the bill, companies would have increased liability protection when collecting and sharing users’ personal information that could potentially be related to security threats. The proposed legislation also makes it easier for companies to share that data with government agencies and with one another, which is what concerns privacy advocates. Several amendments to address privacy concerns were added to the bill, but they were all voted down. Source: RT.com

CIA director says no one’s information is safe

CIA Director John Brennan says the hack of his personal email account shows that everyone is vulnerable to the compromise of personal information on the Internet. Brennan said he was outraged by the publication of sensitive data, including his contact list and his wife’s Social Security number. The hacker has said he is a high school student protesting U.S. policy. Brennan said he was annoyed that some media accounts suggested impropriety on his part, but he did not cite any particular outlets. The CIA director said he did nothing wrong. Source: CBS News

She fought the law, and the law won

A woman accused of posing as a lawyer and defrauding people of tens of thousands of dollars was ordered to stand trial on 18 counts of grand theft and identity theft. Prosecutor Hector Jimenez described Giuliana Bosco Huerta during her preliminary hearing as someone “very talented at duping people.” Among other things, she’s accused of stealing more than $40,000 from a man after telling him she would set up a trust for his child and a license for his bakery business. According to Jimenez, she built “an aura of credibility” by using made-up bar association member numbers and impersonating other people when sending emails to alleged victims. Some emails were sent while she was out on bail following her arrest in June, he alleged. At a prior hearing, Jimenez alleged the defendant in 2005 scammed people out of $50,000 in a medical diet scheme. Source: The Times of San Diego

If the update is offered, take it

Cyber experts say you probably should not ignore messages or alerts on your iPhone or Android saying you need to update the system. The devices are full of personal data, and if your phone hasn’t downloaded the newest software update, Green Bay Net co-founder Elliot Christenson says hackers can easily steal your information. “They can remotely exploit your phone. … They can control your phone to send out spam or attack other phones or potentially get your data,” Christenson says. Through Bluetooth, which many people leave on, Christenson says hackers can take what they want without you knowing it. He says that on iPhones, the iOS 9 update fixes a problem with AirDrop, a file-sharing feature between Apple devices. He says there’s risk for Androids, too. “They have similar exploits. And because of the nature of Android, they actually fix them faster, but get them out to customers a little bit slower,” he says. Source: WBAY, Green Bay, Wis.

Giving voice to the bad guys

Researchers can hack voice over LTE implementations on two tier-one mobile carrier networks, gaining access to free data usage or shutting down voice or data access for another user. Academics at the University of California Los Angeles, Ohio State University and Shanghai Jiao Tong University in China outline a number of vulnerabilities at the device, chipset and network levels that made VoLTE hackable, concluding that the “device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.” Security for VoLTE, and LTE in general, has been on the telecom industry’s radar for some time. “The mobile broadband industry’s rapid migration to LTE has opened the door to malicious and nonmalicious threats due to fundamental vulnerabilities in the all-IP LTE architecture,” said Stéphane Téral, principal analyst for mobile infrastructure and carrier economics at Infonetics Research. Source: RCR Wireless

Bad guys chip in with yet another scam

Banks and other credit card issuers are adding computer chips to cards to make transactions more secure. But a scam is taking advantage of the transition, the Better Business Bureau warns. People are getting official-looking emails saying a new credit or debit card with a chip is on its way to them. The BBB says these emails look official, using the logos and even the reply address of banks and credit card companies. But from there, you’re asked to follow a link in the email to confirm your banking or personal information — information the bank already has and wouldn’t ask for. Or, you’re instructed to follow a link to continue the process, giving criminals a chance to download software to your computer, which can be used to steal your information, lock up your data for ransom, or use your computer as a server for spreading more spam and malware. Source: ABC8, Richmond

Shoplifting a cart full of data

British supermarket group Morrisons could be sued by 2,000 employees following last year’s data security breach, in which a disgruntled former employee leaked the employees’ personal details. Andrew Skelton was sentenced to eight years after he was found guilty of stealing the bank, salary and national insurance details of nearly 10,000 of his former colleagues and illegally sharing them with news outlets and data-sharing websites. More than 2,000 Morrisons staff are pursuing a group litigation order against the supermarket group following a hearing in London’s High Court. The case has been given a four-month waiting period for other Morrisons staff to join the group claim, represented by JMW Solicitors. Source: The Telegraph

An unhealthy outlook

Bon Secours St. Francis Health System in Greenville, S.C., is investigating a data breach by a former employee who, the health system says, accessed nearly 2,000 medical records of patients and about 30 employees. The health system was notified this past August that several employees were being billed for unpaid balances for an antibiotic cream, and others were reporting that their health insurance companies had been charged for the antibiotic creams. St. Francis Health performed an audit and found that an employee had accessed the patient information of approximately 1,997 individuals, compromising patient names, dates of birth, driver’s license numbers, insurance information, clinical information and, potentially, Social Security numbers. Authorities have been notified, and the employee has been terminated. Source: Health IT Security

Expanding the security shield across borders

The Federal Trade Commission and enforcement agencies from seven other countries have launched an information-sharing system that will enable them to better coordinate international efforts in protecting consumer privacy. FTC Chairwoman Edith Ramirez joined representatives from several agencies and members of the Global Privacy Enforcement Network in signing a Memorandum of Understanding among users of the new system, called GPEN Alert. “Today, data is increasingly crossing borders, and our privacy investigations and enforcement must do the same,” Ramirez said. “GPEN Alert is an important, practical cooperation tool that will help GPEN authorities protect consumer privacy across the globe.” GPEN Alert is a multilateral system that will enhance coordination by enabling participants to confidentially share information about investigations. Source: Imperial Valley News (Calif.)

Just browsing? That might be a bad idea

A researcher has demonstrated two unpatched weaknesses that website operators can exploit to track millions of people who visit their sites. The attacks allow websites to compile a list of previously visited domains, even when users have flushed their browsing history, and to tag visitors with a tracking cookie that will persist even after users have deleted all normal cookies. The history-sniffing attack works against people who visit sites that use HTTP Strict Transport Security (HSTS), which allows websites to instruct browsers to connect only when an encrypted HTTPS connection is available and to reject any attempts to use an unsecured HTTP link. The measure, used by banks, cloud services and other sensitive sites, is designed to prevent downgrade attacks, in which a hacker with the ability to tamper with traffic passing between an end user and a server resets an HTTPS connection to use HTTP so the data isn’t protected. The attack embeds non-existent images from HSTS-protected sites. The unscrupulous website then uses JavaScript to measure how long it takes for an error to register. If the user has visited the HSTS site before, the error will occur within a few milliseconds. If it takes longer for the error to register, the attacker can determine that the site has never been visited before. The researcher, Zhu, also described a way a website can track Google Chrome users even when they delete cookies. Instead of abusing HSTS, the supercookie technique exploits weaknesses in a security measure known as HTTP public key pinning, designed to protect against certificate forgeries by allowing websites to specify the HTTPS credentials that a browser should accept when negotiating all encrypted connections. The specification allows websites to pin multiple certificates to a browser. Unscrupulous sites can abuse the standard by pinning values that are unique to each visitor. Source: Ars Technica
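The history-sniffing attack above works because a browser's HSTS state lives apart from its browsing history: once a site has sent the Strict-Transport-Security header over HTTPS, the browser silently rewrites later http:// requests to that host for as long as the policy's max-age lasts. The JavaScript below is an added example, not code from the Ars Technica article or from the researcher it describes; it models the policy store a browser keeps under RFC 6797 (parsing the header, expiry, includeSubDomains matching, and the http-to-https upgrade), using constructed header values and hostnames that are assumptions for illustration. It shows what state is recorded and therefore why clearing history or cookies alone does not erase it, and that a site can retract its own policy by sending max-age=0.

```javascript
// Added example (not from the Ars Technica article or the researcher's work):
// a minimal model of the HSTS policy store a browser keeps, following RFC 6797.
// Header values and hostnames used in demo() are constructed for illustration.

// Parse a Strict-Transport-Security header value into a policy.
// Returns null for a malformed header (no usable max-age), which a browser ignores.
function parseHsts(headerValue, now = Date.now()) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of headerValue.split(';')) {
    const directive = rawDirective.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (value !== null) value = value.replace(/^"(.*)"$/, '$1'); // quoted form is allowed
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unrecognised directives are ignored, as the RFC requires.
  }
  if (maxAge === null) return null;
  return { expires: now + maxAge * 1000, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.policies = new Map(); // host -> { expires, includeSubDomains }
  }

  // Record or clear a policy. Only responses received over HTTPS count,
  // so an active attacker on plain HTTP cannot plant or remove entries.
  observeResponse(host, scheme, headerValue, now = Date.now()) {
    if (scheme !== 'https') return false;
    const policy = parseHsts(headerValue, now);
    if (policy === null) return false;
    const key = host.toLowerCase();
    if (policy.expires <= now) {
      this.policies.delete(key); // max-age=0 is how a site retracts its policy
    } else {
      this.policies.set(key, policy);
    }
    return true;
  }

  // A host is "known HSTS" if it has an unexpired policy, or if a parent domain
  // has one marked includeSubDomains. Expired entries are evicted on the way.
  isKnown(host, now = Date.now()) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const policy = this.policies.get(candidate);
      if (policy === undefined) continue;
      if (policy.expires <= now) {
        this.policies.delete(candidate);
        continue;
      }
      if (i === 0 || policy.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// for a known host; everything else is untouched.
  // This silent rewrite, and the different way a request then fails, is the state
  // that the history-sniffing technique described above is probing.
  upgrade(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) {
      u.protocol = 'https:';
    }
    return u.toString();
  }
}

// Stand-alone demo with constructed data.
function demo() {
  const store = new HstsStore();
  const now = Date.now();
  store.observeResponse('bank.example', 'https', 'max-age=31536000; includeSubDomains', now);
  return {
    upgraded: store.upgrade('http://login.bank.example/account', now),
    untouched: store.upgrade('http://news.example/', now),
    stillKnownAfterYear: store.isKnown('bank.example', now + 31536001 * 1000),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run it with Node to see the upgraded and untouched URLs; the design point is that `observeResponse` refuses headers that did not arrive over HTTPS, which is what stops a network attacker from planting entries, while the entries a legitimate site does plant persist until max-age runs out regardless of what the user clears elsewhere.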