[ISN] New attack on HTTPS crypto might reveal if you’re pregnant or have cancer

http://arstechnica.com/security/2014/03/new-attack-on-https-crypto-might-know-if-youre-pregnant-or-have-cancer/

By Dan Goodin
Ars Technica
March 6 2014

As the most widely used technology to prevent eavesdropping on the Internet, HTTPS encryption has seen its share of attacks, most of which work by exploiting weaknesses that allow snoops to decode cryptographically scrambled traffic. Now there’s a novel technique that can pluck out details as personal as someone’s sexual orientation or a contemplation of suicide, even when the protection remains intact.

A recently published academic paper titled “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis” shows how even strongly encrypted Web traffic can reveal highly personal information to employers, Internet service providers, state-sponsored spies, or anyone else with the capability to monitor a connection between a site and the person visiting it. As a result, it’s possible for them to know with a high degree of certainty what video someone accessed on Netflix or YouTube, the specific tax form or legal advice someone sought from an online lawyer service, and whether someone visiting the Mayo Clinic website is viewing pages related to pregnancy, headaches, cancer, or suicide.

The attack works by carefully analyzing encrypted traffic and taking note of subtle differences in data size and other characteristics of the encrypted contents. In much the way someone holding a wrapped birthday present can tell if it contains a book, a Blu-ray disc, or a box of candy, an attacker can know with a high degree of certainty the specific URL of the HTTPS-protected website. The transport layer security and secure sockets layer protocols underpinning the Web encryption specifically encrypt the URL, so until now, many people presumed an attacker could only deduce the IP address of a site someone was visiting rather than specific pages belonging to that site.

[…]
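The size-leak mechanism the article describes, and the padding mitigation a site operator can deploy against it, in a small added simulation (this is illustrative code written for this digest, not code from the Ars Technica article or from the paper it covers). The page paths, byte sizes and the fixed per-record overhead constant are all constructed for the example; the real paper matches sequences of sizes across many resources and handles noise, which this single-response model deliberately leaves out.

```python
"""Why encrypted response length identifies a page, and how padding blunts it.

Constructed example: a toy site with four pages, an on-path observer that
sees only ciphertext lengths, and a server-side padding option.
"""
import math
from typing import Dict, Optional, Set

# Constructed sample site: path -> plaintext response size in bytes.
# These numbers are invented for illustration, not measurements of any real site.
PAGES: Dict[str, int] = {
    "/conditions/pregnancy": 14_231,
    "/conditions/headache": 12_877,
    "/conditions/cancer": 21_408,
    "/conditions/suicide": 9_992,
}

# Assumed fixed overhead an encrypted record adds (header plus MAC/tag).
# The exact value does not matter: encryption adds a constant, so it hides
# content but not (approximately) size.
RECORD_OVERHEAD = 29


def observed_length(plaintext_len: int, pad_to: Optional[int] = None) -> int:
    """Length an on-path observer sees for one encrypted response.

    With pad_to set, the server first pads the body up to the next multiple
    of that bucket size, so pages of different sizes land in the same bucket.
    """
    body = plaintext_len
    if pad_to:
        body = math.ceil(body / pad_to) * pad_to
    return body + RECORD_OVERHEAD


def fingerprint_table(pages: Dict[str, int],
                      pad_to: Optional[int] = None) -> Dict[int, Set[str]]:
    """Observer's lookup table: observed length -> set of candidate pages.

    The observer can build this offline by fetching the public site once and
    recording the length of each encrypted response.
    """
    table: Dict[int, Set[str]] = {}
    for path, size in pages.items():
        table.setdefault(observed_length(size, pad_to), set()).add(path)
    return table


def guess_page(observed: int, table: Dict[int, Set[str]]) -> Set[str]:
    """All pages whose expected encrypted length matches the observation."""
    return table.get(observed, set())


def max_candidates(table: Dict[int, Set[str]]) -> int:
    """Worst-case ambiguity across the site: 1 means every page is unique."""
    return max(len(candidates) for candidates in table.values())


if __name__ == "__main__":
    plain = fingerprint_table(PAGES)
    seen = observed_length(PAGES["/conditions/pregnancy"])
    print("unpadded: observed", seen, "->", guess_page(seen, plain))
    print("unpadded worst-case candidates:", max_candidates(plain))

    # Mitigation: pad every body to a 16 KiB bucket before encrypting.
    padded = fingerprint_table(PAGES, pad_to=16_384)
    seen = observed_length(PAGES["/conditions/pregnancy"], pad_to=16_384)
    print("padded: observed", seen, "->", sorted(guess_page(seen, padded)))
    print("padded worst-case candidates:", max_candidates(padded))
```

Without padding every page has a distinct encrypted length, so a single observed length names the page; with bodies padded to a 16 KiB bucket, three of the four pages collapse into one indistinguishable group. Padding costs bandwidth and does not remove other signals (number of sub-resources, timing, bucket boundaries), which is why it narrows rather than closes this channel.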


[ISN] Visa CFO: ‘Quite a bit of investment’ needed to install chip technology

http://www.zdnet.com/visa-cfo-quite-a-bit-of-investment-needed-to-install-chip-technology-7000027067/

By Larry Dignan
Between the Lines
ZDNet News
March 6, 2014

Visa’s chief financial officer said that securing retail point-of-sale infrastructure will take a hefty investment, chips on credit cards are critical and better encryption may be the fastest way to secure transactions.

Byron Pollitt, CFO of Visa, said at the Morgan Stanley Technology Media & Telecom conference that cybersecurity is the No. 1 topic in the payment ecosystem following the widely publicized data breaches at Target. Target CIO Beth Jacob resigned on Wednesday.

Pollitt characterized security as a never-ending investment cycle for retailers. In the near term, Pollitt said Visa will be “pushing more in the encryption activity. Encryption that goes beyond the minimum required to be PCI compliant.” Why? Better encryption could be implemented the fastest.

So-called chip and PIN technology is also critical, but will take more time to implement, he said. EMV (Europay, Mastercard, Visa) puts chips on cards and makes them harder to counterfeit. About 70 percent of fraud revolves around the magnetic stripe on credit cards.

[…]


[ISN] The greatest security story never told — how Microsoft’s SDL saved Windows

http://news.techworld.com/security/3505545/greatest-security-story-never-told-how-microsofts-sdl-saved-windows/

By John E Dunn
Techworld
06 March 2014

Microsoft has launched a new website to “tell the untold story” of something it believes changed the history of Windows security and indeed Microsoft itself


[ISN] Hackers steal 12m KT users’ information

http://www.koreaherald.com/view.php?ud=20140306001442

By Choi He-suk
Heraldcorp.com
2014-03-06

The Incheon Metropolitan Police Agency on Thursday arrested two hackers and a telemarketing firm CEO in connection with the theft of 12 million KT Corp. customers’ personal information.

KT is the country’s second largest telecom services provider with some 16 million consumers subscribing to its mobile, fixed-line telephone and internet services.

“KT will fully cooperate with the police investigation. (The company) will work to minimize the damage to customers,” KT said in a statement.

According to the police, the hackers, identified by the surnames Kim and Chung, had been stealing user personal information from KT since February 2013. Using a random number generating program, the hackers matched KT customer identification numbers to steal as many as 300,000 pieces of information on a daily basis.

[…]


[ISN] Criminals on Tor is the price of global liberty

http://www.csoonline.com/article/749367/criminals-on-tor-is-the-price-of-global-liberty

By Antone Gonsalves
CSO Online
March 06, 2014

Research pointing to rising criminality on Tor shows the cost of having a network that provides anonymity to whistleblowers, journalists, political dissidents and others trying to avoid government surveillance.

Experts agreed on Thursday that nothing could be done to prevent cybercriminals from using Tor without raising the risk to legitimate users. Recent research by Kaspersky Lab expert Sergey Lozhkin found that “the cybercriminal element is growing” on the anonymity network.

The way Tor is used by Chinese dissidents to skirt the Great Firewall and oppressive censorship is the same way criminals cloak the operators of marketplaces and forums where criminals can rent botnets for DDoS attacks or to distribute malware, buy stolen credit card numbers and launder bitcoins, the most widely used currency on the dark Web.

“If it were possible to stop criminals from using Tor, it would be useless,” Julian Sanchez, research fellow at the Cato Institute, said. “After all, the dissidents who use it to protect themselves are considered criminals by their own regimes.”

[…]
