Tech
Zero Day Weekly: FREAKouts, Clinton shadow IT, Australia's data retention security
A collection of notable security news items for the week ending March 6, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.
- The FREAK bug disclosed this week is the latest in a series of vulnerabilities affecting the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used to encrypt traffic between an HTTPS website and a browser. Apple and Google are preparing patches for the newly-revealed bug in the web encryption protocols used by the two companies' mobile browsers. Microsoft revealed Windows is vulnerable to it too.
- Mandatory data retention: Australia's Communications Minister and Attorney-General have said that the government will support all of the recommendations made by the Parliamentary Joint Committee looking into its proposed mandatory data-retention legislation. The legislation would require telecommunications companies to keep a set of customer metadata for a minimum of two years. This would include call records, assigned IP addresses, email addresses, SMS history, and other communications records that can be accessed by law enforcement. It will include the establishment of a two-year period for metadata retention and the requirement for a telco to provide notification in the event of a security breach of its data stores, which will be mandated to be encrypted.
How infosec people look after watching #CSICyber pic.twitter.com/CQie0un2nk
-- Help Net Security (@helpnetsecurity) March 5, 2015
- After news surfaced that former Secretary of State Hillary Clinton used a private email server for communications related to her post, industry pundits immediately began to wrestle with the implications of the move, from both a security and transparency standpoint. Larry Dignan writes, "For our purposes, Clinton has provided us with the most high-profile case of shadow IT practices. And the first lesson of shadow IT is that the techies aren't going to push around the top execs."
- Anthem Healthcare initially earned brownie points with security professionals by publicly disclosing a major data breach well before they were obligated to do so. However, now it's been revealed that Anthem refused to allow the U.S. Office of Personnel Management's Office of the Inspector General (OIG) to conduct vulnerability scans and compliance tests post-breach.
- Secure communications startup Silent Circle has detailed its plans for a second version of its privacy-focused smartphone and confirmed that it is also working on a tablet. The BlackPhone 2 smartphone will arrive in the second half of this year with a focus on enterprise privacy: Silent Circle launched its first BlackPhone device at MWC last year. The company said it will integrate with standard mobile device management systems like Citrix and will also add a faster processor, more RAM, a longer-lasting battery, and a larger display over the original model.
#xkcd on #crypto #encryption #security pic.twitter.com/6tLIRlPEOX
-- The Hacker News (@TheHackersNews) March 5, 2015
- Lawmakers target data brokers in privacy bill: Four U.S. senators have resurrected legislation that would allow consumers to see and correct personal information held by data brokers and tell those businesses to stop sharing or selling it for marketing purposes. The Data Broker Accountability and Transparency Act, introduced Thursday, also would require the U.S. Federal Trade Commission to craft rules for a centralized website for consumers to view a list of data brokers covered by the bill.
- Mandarin Oriental Hotel Group has confirmed the credit card systems at a number of its hotels in the United States and Europe have been accessed by hackers. Mandarin has removed malicious software that was used to steal credit card data from some of its hotels, the company said Thursday. The security codes for the cards were not compromised, it said, although it wasn't clear if that referred to the cards' PIN (personal identification number) or the three-digit CVV code on the back. No other personal information was taken, the company said in a statement.
- Google Android encryption changes: Phones and tablets running Android "Lollipop" will not have device encryption switched on by default. Ars Technica first reported Monday the company's move to reverse its policy. Although all phones and tablets running Android "Lollipop" will support encryption, it will be the responsibility of the phone or tablet maker to decide how to implement it. A Google spokesperson confirmed the reason in an email was "due to performance issues on some Android partner devices," adding: "We remain firmly committed to encryption because it helps keep users safe and secure on the web."
Hollywood has spoken, "release malworm" is now a thing to be shouted in bedrooms across the globe... #CSICyber pic.twitter.com/YNKV0O3xgX
-- Hacker Fantastic (@hackerfantastic) March 5, 2015