iOS flaw tricks you into giving up your iCloud password

Successful hack attacks often happen not because of tricky coding, but plain old “social engineering” — ie, conning people. The latest version of iOS, 8.3, apparently fails to filter out potentially dangerous HTML code embedded in incoming emails. The researcher’s proof-of-concept code takes advantage of that by calling up a remote HTML form that looks identical to the iCloud log-in window. It could easily trick someone into entering their iCloud username and password, then hide the dialog after the user clicks “OK.”

More from engadget.com by clicking here

Quantum computing is about to overturn cybersecurity’s balance of power

“Spooky action at a distance” is how Albert Einstein described one of the key principles of quantum mechanics: entanglement.  Entanglement occurs when two particles become related such that they can coordinate their properties instantly even across a galaxy. Think of wormholes in space or Star Trek transporters that beam atoms to distant locations. Quantum mechanics posits other spooky things too: particles with a mysterious property called superposition, which allows them to have a value of one and zero at the same time; and particles’ ability to tunnel through barriers as if they were walking through a wall.

We are making substantial progress in harnessing the power of quantum mechanics.

In theory, Quantum computers can perform 2^512 operations simultaneously. That’s more calculations than there are atoms in the universe — by many orders of magnitude.  They will be as transformative for mankind as were the mainframe computers, personal computers, and smartphones that we all use. As do all advancing technologies, they will also create new nightmares. The most worrisome development will be in cryptography. Developing new standards for protecting data won’t be easy.

More on this from the Washington Post by clicking here.

 

Feds Heighten Scrutiny of TSA Screeners and Aviation Staff to Thwart Insider Threat

Transportation Security Administration and aviation industry employees will be subjected to heightened electronic surveillance following several incidents involving insiders who abused their badges to traffic guns, federal officials announced Monday.

Among the actions that kick in immediately are random passenger-like screening of airline employees throughout the workday and biennial criminal history checks, until there is a system in place for “real-time recurrent” FBI background checks for all aviation workers, officials said.

TSA potentially also might monitor social media communications of individuals near certain airports, as well as suspect employees. And threat assessments of employees could be expanded to include cross-checks of employee information against additional U.S. and international watch lists.

The new and prospective measures stem from an advisory panel report the Department of Homeland Security requested after a former baggage handler last December allegedly helped smuggle loaded guns aboard a Hartsfield-Jackson Atlanta International Airport plane bound for New York City.

The Aviation Security Advisory Committee called for an “immediate pilot” and full operation by the end of 2015.

One potentially divisive recommendation: “When a threat stream is identified, monitoring of social media via keyword GEO Fencing at the appropriate airport, or monitoring of the social media of suspect employees, can be effective tools to determine the existence of an insider threat.”

The committee acknowledged that social media monitoring “can be contentious” if not done appropriately, “but it is vital to today’s security.” DHS was hit with a lawsuit a few years ago for a national security surveillance program that would work, in part, by having the government concoct fake social media usernames and profiles to spy on users.

Other inspection techniques suggested include feeding security camera footage into prediction software that can flag odd activity.

More from NextGov.com by clicking here.

Surveillance strains the ‘backbone of democracy’

Wikimedia and other groups sued the U.S. National Security Agency on Tuesday and challenged one of its mass surveillance programs under the contention that the agency violates Americans’ privacy. In addition, the groups argue that the program would actually have the adverse effect of making individuals worldwide less likely to share sensitive information.

This lawsuit was filed in a Maryland federal court and claims that the NSA is violating U.S. constitutional protections and the law by tapping into high-capacity cables, switches and routers that move Internet traffic through the United States.

The case may become a potential front for privacy advocates who have challenged U.S. spying programs in the past. Privacy because a hotly contested issue in 2013, when documents leaked by former NSA contractor Edward Snowden revealed the long reach of government surveillance.

This particular case, Wikimedia Foundation, et al, v. National Security Agency, attacks “upstream” collection, which happens along high-capacity cables of the Internet and away from individual users. According to the lawsuit, bulk collection violates the constitution’s First Amendment, which protects freedom of speech and association, and the Fourth Amendment, which protects against unreasonable search and seizure.

“By tapping the backbone of the Internet, the NSA is straining the backbone of democracy,” Lila Tretikov, executive director of the Wikimedia Foundation, said in a statement.

More from the State Column by clicking here

Online trust is at the breaking point

IT security professionals around the globe believe the system of trust established by cryptographic keys and digital certificates, as well as the security of trillions of dollars of the 1000 bountyworld’s economy, is at the breaking point.

For the first time, half of the more than 2,300 IT security professionals surveyed by The Ponemon Institute now believe the technology behind the trust their business requires to operate is in jeopardy. 100% of organizations surveyed had responded to multiple attacks on keys and certificates over the last two years.

Research reveals that over the next two years, the risk facing every Global 5000 enterprise from attacks on keys and certificates is at least $53 million USD, an increase of 51 percent from 2013. For four years running, 100 percent of the companies surveyed said they had responded to multiple attacks on keys and certificates, and vulnerabilities have taken their toll.

“The overwhelming theme in this year’s report is that online trust is at the breaking point.

More on this available from Help Net Security by clicking here.

A matter of trust…

Whether it is business or personal, more and more human interaction is happening in an online environment. But, how do you know if you can trust the person on the other end of the connection? The simple answer is most people don’t.

Great article from Florida State 24/7

How corporate America can fight cybersecurity threats

Companies must also address the non-technological tools of cybersecurity. For example, current and former employees are the most frequently-cited culprits in cyber breaches. That’s Shuyuan in actionwhy companies at the forefront of tackling the problems are going beyond a compliance checklist approach to an information security approach. They are developing broader data governance policies and practices to protect sensitive information. Thus, rather than key in on defending themselves from external threats, these companies are developing and implementing policies for the creation, use, storage, and deletion of information.

See the whole article in Fortune Magazine by clicking here.

The stakes continue to rise…

An international hacking ring has stolen as much as $1 billion from more than 100 banks in 30 countries including Russia, the U.S. and China in what could be one of the biggest banking breaches ever. Hackers used phishing schemes and other methods to infiltriate the banks’ systems and lie dormant gathering information about bank operations. Then, they steal funds by transferring money to fake accounts and dispensing cash from ATMs, according to a report that Russian-based Kaspersky Lab is to present Monday at a security conference in Cancun, Mexico. “This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert,” the lab’s Chris Doggett told The New York Times, which first reported on the incident. In one case, a bank lost $7.3 million through ATM fraud. In another case, a financial institution lost $10 million by the attackers exploiting its online banking platform. Most of the targets have been in Russia, the U.S., Germany, China and Ukraine. More from USA Today by clicking here.

Really – it only takes one minute to understand my research…

Mary in a minute

Coordinated cyber attacks on global critical infrastructure exposed

“We discovered the scope and damage of these operations during investigations of what we thought were separate cases,” said Stuart McClure, CEO of Cylance.

Through custom and publicly available tools that use, among other methods, SQL Injection, spear phishing, water holing attacks and hacking directly through public websites, the attackers have been able to extract highly sensitive and confidential materials and compromise networks with persistent presence to such a severity that they have control over networks of victims in 16 countries.cleaver_logo

The targets belong to five groups:

Oil and Gas/Energy/Chemical – Targets discovered include a company specializing in natural gas production, electric utilities organizations, as well as a variety of oil and gas providers. This group was a particular focus of the hackers.

Government/Defense – Targets discovered include a large defense contractor and major U.S. military installation. Cylance can confirm one of those targets was San Diego¹s Navy Marine Corp Intranet, where unclassified computers were hacked.

Airports/Transportation – Targets discovered include airports, airlines, automobile manufacturers, as well as transportation networks. The most concerning evidence collected was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan.

Telecommunications/Technology – Targets discovered include telecom and technology companies in several countries.

Education/Healthcare – Targets discovered include multiple colleges and universities, often with an emphasis on medical schools. Large amounts of data on foreign students have been taken, including images of passports and social security cards.

See the whole article from Help Net Security by clicking here.