"The total population of the countries covered in this study is 524 million, and the total population of internet users in these countries is 409 million. Expressed in ratios, this means that
for every 100 people in the study countries, 43 personal records have been compromised. For every 100 internet users in the study countries, 56 records have been compromised. Fully 51 percent of all the
breaches involved corporations and 89 percent of all the breached records were from compromised corporations. Among all the kinds of organizations from which personal records have been compromised, 41
percent of the incidents involved clear acts of theft by hackers, but 57 percent of the incidents involved organizational errors, insider abuse, or other internal mismanagement (2 percent
"I’ve spent much of the past week trying to better understand Apple’s security architecture, and the method they formerly used to provide law enforcement with access to user data. What I’ve read, and learned from talking with actual crypto experts, has affirmed my confidence in two core points. First: Apple is not just inexplicably thumbing its corporate nose at law enforcement. They are fixing a poor security design choice that previously left specific types of sensitive data on phones inadequately protected. Second: Apple, with its closed ecosystem, might actually be unusually well situated to satisfy the FBI’s demand for backdoors, but the idea is in profound conflict with more open computing models."
"With data breaches making headlines the world over, awareness about the importance of having technologies and governance practices in place to respond to such incidents should be at an
all-time high. In this study sponsored by Experian® Data Breach Resolution, we surveyed 567 executives in the United States about how prepared they think their companies are to respond to a data breach. In
2013 a similar study was conducted. A comparison of those findings to this research reveals that companies are making some positive changes. However, many companies are deficient in governance and
security practices that could strengthen their data breach preparedness. These include: keeping the data breach response plan up-to-date, conducting risk assessments of areas vulnerable to a breach,
continuous monitoring of information systems to detect unusual and anomalous traffic and investing in technologies that enable timely detections of a security breach."
"For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the ‘first step’ in protecting their children online. Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to families for free at schools, libraries, and community events, usually as a part of an ‘Internet Safety’ outreach initiative. The packaging typically features the agency’s official seal and the chief’s portrait, with a signed message warning of the “dark and dangerous off-ramps” of the Internet. As official as it looks, ComputerCOP is actually just spyware, generally bought in bulk from a New York company that appears to do nothing but market this software to local government agencies."
"In the world of hacking, every malicious tool has its heyday—that period when it rules the underground forums and media headlines and is the challenger keeping computer security pros on their toes. Viruses and worms have each had their day in the spotlight. Remote-access Trojans, which allow a hacker to open and maintain a secret backdoor on infected systems, have had their reign as well. These days, though, point-of-sale RAM scrapers are what’s making the news."
"There’s a shady industry out there of businesses that sell spyware apps that market themselves to jealous partners, domestic abusers and stalkers, keen to spy upon others. Some market themselves as a way of easily keeping tabs on your children, but there’s no doubt that many are used to abuse individuals’ privacy and potentially put innocent people in danger."
"One of the problems with bash is that it’s simply obsolete code. We have modern objective standards about code quality, and bash doesn’t meet those standards. In this post, I’m going to review the code […]"
"If the government howls of protest at the idea that people will be using encryption sound familiar, it’s because regulating and controlling consumer use of encryption was a monstrous proposal officially declared dead in 2001 after threatening Americans’ privacy, free speech rights, and innovation for nearly a decade. But like a zombie, it’s now rising from the grave, bringing the same disastrous flaws with it. For those who weren’t following digital civil liberties issues in 1995, or for those who have forgotten, here’s a refresher list of why forcing companies to break their own privacy and security measures by installing a back door was a bad idea 15 years ago: […]"
"This report examines existing certification schemes relevant to cloud computing, focusing on benefits and challenges of such schemes as well as the identification of possible supporting
actions and next steps recommendations as regards the implementation of the key action on certification of the European Cloud Computing Strategy. The report is based on research of the state of the art in
cloud certification, how cloud certification schemes could enhance trust and transparency in the cloud; which elements of cloud computing could be considered for certification; challenges still affecting
existing cloud certification schemes; and the role of public sector. The key findings from the research have been used to develop seven recommendations detailing possible intervention by the European
Union with regards to cloud certification."
"This document was created to assist and educate merchants regarding security best practices associated with skimming attacks. Though currently not mandated by PCI SSC, guidelines and best
practices documents are produced to help educate and create awareness of challenges faced by the payment industry. The guidelines are the result of industry and law enforcement understanding of the
current and evolving threat landscape associated with skimming. In addition we have incorporated known best practices, currently conducted by many merchants, to mitigate skimming attacks taking place in
their respective point-of-sale environments."
"Apple, Google and the other big tech companies should acknowledge that millions of their customers regularly use their products to engage in sensitive, intimate activities. These companies can and should offer a ‘private photo’ option for sensitive photos that prevents them from being uploaded to the cloud. More importantly, they should treat their customers like grownups and educate them about how they can use their products and services to engage in intimate activities, as safely as possible."
"Hosts must be able to access other hosts in an automated fashion, often with very high privileges, for a variety of reasons, including file transfers, disaster recovery, privileged access
management, software and patch management, and dynamic cloud provisioning. This is often accomplished using the Secure Shell (SSH) protocol. The SSH protocol supports several mechanisms for
authentication, with public key authentication being recommended for automated access with SSH. Management of automated access requires proper provisioning, termination, and monitoring processes, just as
interactive access by normal users does. However, the security of SSH-based automated access has been largely ignored to date. This publication assists organizations in understanding the basics of SSH
automated access management in an enterprise, focusing on the management of SSH access tokens."
"Advanced imaging technologies are a new class of people screening systems used at airports and other sensitive environments to detect metallic as well as nonmetallic contraband. We present
the first independent security evaluation of such a system, the Rapiscan Secure 1000 full-body scanner, which was widely deployed at airport checkpoints in the U.S. from 2009 until 2013. We find that the
system provides weak protection against adaptive adversaries: It is possible to conceal knives, guns, and explosives from detection by exploiting properties of the device’s backscatter X-ray technology.
We also investigate cyberphysical threats and propose novel attacks that use malicious software and hardware to compromise the effectiveness, safety, and privacy of the device. Overall, our findings
paint a mixed picture of the Secure 1000 that carries lessons for the design, evaluation, and operation of advanced imaging technologies, for the ongoing public debate concerning their use, and for
cyberphysical security more broadly."
"Last Thursday, Yahoo announced their plans to support end-to-end encryption using a fork of Google’s end-to-end email extension. This is a Big Deal. With providers like Google and Yahoo
onboard, email encryption is bound to get a big kick in the ass. This is something email badly needs. So great work by Google and Yahoo! Which is why the following complaint is going to seem awfully
ungrateful. I realize this and I couldn’t feel worse about it. As transparent and user-friendly as the new email extensions are, they’re fundamentally just re-implementations of OpenPGP — and non-
legacy-compatible ones, too. The problem with this is that, for all the good PGP has done in the past, it’s a model of email encryption that’s fundamentally broken. It’s time for PGP to die."
"Digital technologies, commonly referred to as cyber systems, are a security paradox: Even as they grant unprecedented powers, they also make users less secure. Their communicative
capabilities enable collaboration and networking, but in so doing they open doors to intrusion. Their concentration of data and manipulative power vastly improves the efficiency and scale of operations,
but this concentration in turn exponentially increases the amount that can be stolen or subverted by a successful attack. The complexity of their hardware and software creates great capability, but this
complexity spawns vulnerabilities and lowers the visibility of intrusions. Cyber systems’ responsiveness to instruction makes them invaluably flexible; but it also permits small changes in a component’s
design or direction to degrade or subvert system behavior. These systems’ empowerment of users to retrieve and manipulate data democratizes capabilities, but this great benefit removes safeguards present
in systems that require hierarchies of human approvals. In sum, cyber systems nourish us, but at the same time they weaken and poison us."