After reports of iCloud phishing attempts in China, Apple shows users how to stay safe

After reports of iCloud phishing attempts in China, Apple shows users how to stay safe

This article originally appeared on The Next Web

After recent reports of iCloud logins being harvested in China through purportedly state-sponsored phishing attempts, Apple is doing some damage control.  In an update to its iCloud support documents, the company clarifies that it’s “aware of intermittent organized network attacks,” but that its servers were never breached.

It then proceeds to describe guidelines for users to keep safe online when using their iCloud logins, laying out how to detect whether you’re on a safe site when using Safari, Chrome and Firefox by indicating the various methods each browser uses to show the user he or she is on an encrypted connection (and the warnings when not).

iCloud chrome verified 730x490 After reports of iCloud phishing attempts in China, Apple shows users how to stay safe

Even if your login information is not likely to be affected, it’s worth checking out as a simple refresher on how to keep your information safe.

Apple update on iCloud.com security [Apple Support]

Chrome Beta for Android updated with Material Design tweaks and simplified sign-in

Google strengthens its 2-step account verification with support for physical security keys

This article originally appeared on The Next Web

google_chrome-645x250

Enabling 2-Step Verification is a quick and easy way to add a truly effective layer of security to your sensitive accounts. For those who need or want even tighter security, however, Google just announced it’s introducing support for physical security devices to help you out.

Simply called Security Key, it works via a physical device that verifies the accounts you’re logging into are genuinely connected to Google and not a phishing effort by online crooks.

Instead of typing a code, you need only insert Security Key into your USB port and tap on it when asked to in Chrome. The key uses the FIDO Universal 2nd Factor (U2F) security protocol, which means that other websites that support the protocol can also access Security Key’s features within Chrome.

Screen Shot 2014 09 28 at 11 15 24 PM Google strengthens its 2 step account verification with support for physical security keys

The service is free, but you need to purchase your own device supporting the U2F protocol in order to use it.

It’s an interesting measure by Google given the increased attention matters of online privacy have gotten in recent times, and it should be useful for those looking to go an extra step towards keeping their accounts safe.

➤ Strengthening 2-Step Verification with Security Key [Google Online Security Blog]

Birgitta Jonsdottir, Amie Stepanovich And Adam Ghetti Believe Privacy Isn't Dead But Needs Millennials

Birgitta Jonsdottir, Amie Stepanovich And Adam Ghetti Believe Privacy Isn’t Dead But Needs Millennials

In the shadow of hacking scandals like Snapchat’s massive photo leak and a world still processing the news that came from Edward Snowden’s NSA data dump, the question “Is privacy dead” desperately needs an answer.

A group of privacy and cybersecurity experts tackled the topic Monday at the Forbes Under 30 Summit. They reasoned that privacy isn’t dead, but needs better protection and the younger generation to spearhead change.

“We are in this flux right now trying to determine what is the balance between safety and privacy,” said Adam Ghetti, cofounder of Iconic Security and one of the speakers.

Ghetti was joined by Birgitta Jonsdottir, a member of the Icelandic parliament for the Pirate Party, and Amie Stepanovich, senior policy counsel for Accessnow and moderator Bruce Upbin, managing editor of Forbes. The group of speakers concurred that finding the middle ground between protecting people with surveillance while respecting people’s privacy is a complicated task and involves working with technology and politics.

Technology is a driving force in the debate on privacy. As new tools are made to ease connectivity, conflicts over how the programs are used pop up.

“There’s not a whole lot of energies being put into truly secure telecommunication and information sharing technology,” Ghetti said. “There’s a lot of energies being put into solutions that seem good enough, act good enough.”

Stepanovich argued that changing the public perception of privacy was also key. She asked the room who has heard the the phrase “I have nothing to hide so I don’t care” when it comes to privacy and the internet. She then asked who believed that and found that not many in the crowd agreed with that statement.

“There are a lot of issues when you think about privacy from the ‘I don’t have anything to hide’ perspective,” Stepanovich said. “The big one is how much of privacy is a societal concern. When you take privacy away you take away a tremendous value to society as a whole.”

The group of speakers agreed that privacy is very much alive and encouraged the new wave of entrepreneurs, inventors and politicians to find a way to protect that.

“We have to reinvent our democracies and reinvent our systems and that is the challenge you guys have,” Jonsdottir said. “And that is incredibly, I really envy you.”

The Department of Justice logo is seen on the podium during a news conference on the Gozi Virus in New York

U.S. national security prosecutors shift focus from spies to cyber

WASHINGTON (Reuters) – The U.S. Justice Department is restructuring its national security prosecution team to deal with cyber attacks and the threat of sensitive technology ending up in the wrong hands, as American business and government agencies face more intrusions.

The revamp, led by Assistant Attorney General John Carlin, also marks a recognition that national security threats have broadened and become more technologically savvy since the 9/11 attacks against the United States.

As part of the shift, the Justice Department has created a new position in the senior ranks of its national security division to focus on cyber security and recruited an experienced prosecutor, Luke Dembosky, to fill the position.

The agency is also renaming its counter-espionage section to reflect its expanding work on cases involving violations of export control laws, Carlin confirmed in an interview.

Such laws prohibit the export without appropriate licenses of products or machinery that could be used in weapons or other defense programs, or goods or services to countries sanctioned by the U.S. government.

“We need to develop the capability and bandwidth to deal with what we can see as an evolving threat,” said Carlin, who was confirmed to his post in April.

As Carlin builds his team, he has also recruited a new deputy, Mary McCord, from the U.S. Attorney’s office in Washington.

The result, according to experts, could be an uptick in the number of national security-related cases brought in federal court, a shift in focus from the National Security Division’s prior mandate to investigate intelligence violations.

“This is not just a reshuffling of the deck,” said former national security cyber crime prosecutor Nicholas Oldham, who is now in private practice.

CYBER THREATS

The changes come amid reports that hackers in Russia and elsewhere are targeting everyone from the North Atlantic Treaty Organization and the European Union, to JPMorgan Chase & Co and other financial institutions.

The counter espionage section, which deals less with on-the-ground spies than it used to, will now be called the Counter Intelligence and Export Controls Section. A network of terrorism prosecutors around the country called the Anti-Terrorism Advisory Council, or ATAC, will also be renamed the National Security/ATAC network to make clear its broader responsibilities, Carlin said.

In 2012, Carlin helped create a similar network of national security cyber specialists in each U.S. Attorney’s office around the country. That was the first of his efforts to start building cyber expertise within the group of prosecutors that had access to national security intelligence information.

In the first public case to come out of the effort, the agency charged five Chinese military officers in May, accusing them of hacking into U.S. nuclear, metal and solar companies to steal trade secrets. The move ratcheted up tensions between the two countries.

“This prosecution raises the risk that other countries are going to go after our employees … it’s a risky strategy, but a bold one,” said Amy Jeffress, a former national security prosecutor who is now in private practices at Arnold & Porter.

While the Chinese officers are not expected to be extradited to face charges in the United States, Carlin said his team is busy with similar cases that would likely be litigated in court.

“I think you will more regularly see the use of the criminal justice system … We are now actively investigating a variety of nation-state cases. Not all, but some, will result in prosecutions,” he said.

In addition to Dembosky, who was coordinating litigation within the criminal division’s computer crime section and will serve as one of four deputy assistant attorney generals, Carlin has also brought on board others with cyber expertise. He expects to bring in several more cyber lawyers soon. His chief of staff, Anita Singh, also spent time as a prosecutor in the computer crime section.

(Reporting by Aruna Viswanatha. Editing by Karey Van Hall and Andre Grenon)

Apple CEO Tim Cook looks at a new IMac after presentation at Apple headquarters in Cupertino

China-backed hackers may have infiltrated Apple’s iCloud: blog

SAN FRANCISCO (Reuters) – Apple Inc’s <AAPL.O> iCloud storage and backup service in China was attacked by hackers trying to steal user credentials and other information, a cyber security blog charged on Monday, saying it believes the country’s government is behind the campaign.

Unknown “Chinese authorities” interposed their own website between users and Apple’s iCloud, intercepting instructions and messages while the user believes he or she is communicating directly with Apple’s site, Greatfire.org wrote in its blog post.

The attack coincided with the start of iPhone 6 sales in China on Friday, the blog said.

“This is clearly a malicious attack on Apple in an effort to gain access to usernames and passwords and consequently all data stored on iCloud such as iMessages, photos, contacts, etc,” the security blog said.

It was unclear whether the hackers were still active. Apple did not have an immediate comment when contacted.

“All the evidence I’ve seen would support that this is a real attack. The Chinese government is directly attacking Chinese users of Apple’s products,” said Mikko Hypponnen, chief research officer at security software developer F-Secure. “As always, we recommend using the Internet over a trusted virtual private network.”

Greatfire.org said without elaborating that the attacks were similar to others against Google Inc <GOOG.O> and Yahoo Inc <YHOO.O>.

The United States and Western companies have accused Chinese-backed hackers of infiltrating government and corporate websites and services. But Beijing has repeatedly denied its involvement in such attacks.

The Chinese embassy was not immediately available for comment.

(Reporting by San Francisco newsroom. Editing by Andre Grenon)

Cyber insurance: Worth it, but beware of the exclusions

Cyber insurance: Worth it, but beware of the exclusions

It’s what all sensible people do to mitigate the risk of catastrophic financial damage: Buy insurance. There’s not even a choice when it comes to auto and health risks – insurance is a legal mandate. And most people would agree that anyone with a house who does not carry homeowner’s insurance is a fool or fabulously wealthy.

So, why not cyber insurance?

Indeed, the case for it is compelling. The costs of data breaches are in the millions and rising fast. As the Ponemon Institute put it in a synopsis of one of its recent reports on the issue, “data breaches have become as common as a cold, but far more expensive to treat.”

[How to spot a phishing email]

In another report sponsored by HP Enterprise Security, Ponemon found that, “the average annualized cost of cyber crime incurred by a benchmark sample of U.S. organizations was $12.7 million,” up 96% since five years ago. The average cost to resolve a single breach was $1.6 million.

Wendi Rafferty, vice president of services, CrowdStrike

Most policies are nowhere near inclusive of all cost associated with breaches.

So, as Wendi Rafferty, vice president of services at CrowdStrike, put it to CSO in an earlier interview, part of any prudent organization’s advance plan to respond to a data breach should include data breach insurance.

The biggest reason is that a general liability policy is no longer enough. It covers, “third-party claims of bodily injury or property damage, but the trend among insurance providers is to exclude electronic records and data,” said Jared Kaplan, executive vice president and CFO of insureon.

First introduced a decade ago, the field has grown rapidly. Christine Marciano, president of Cyber Data Risk Managers, said there are, “close to 50 carriers offering stand-alone cyber insurance policies.”

And Rafferty called it, “a burgeoning industry, with new organizations entering the market nearly every week.”

Getting effective cyber insurance is not simple, however. Data breaches, in addition to being expensive, are notoriously complicated. They require a host of costly responses, including forensic investigation, notification of first and third parties, fulfillment of legal and compliance obligations, possible litigation, working with law enforcement, public relations, credit monitoring fees, crisis management – the list goes on.

Christine Marciano, president, Cyber Data Risk Managers

As technology risks continue to evolve, many carriers arestarting to pull back on the types of industries and risks they will cover.

Also different industries have different kinds of risks – health care is not the same as retail, which is not the same as education.

That means simply buying a “cookie-cutter, off-the-shelf” policy is asking for trouble since it will likely have exclusions for significant expenses.

According to a recent post in Dark Reading, many such policies exclude coverage for:

  • Breaches of protected information in paper files.
  • Claims brought by the government or regulators, including the Office of Civil Rights, the Department of Health and Human Services, and the Office of the Attorney General.
  • Vicarious liability, for data entrusted to a third-party vendor, when the breach occurs on the vendor’s system.
  • Unencrypted data.

Marciano said another common exclusion is, “based upon negligent computer security. If a data breach happens, coverage will be denied for companies that failed to use their best efforts to install software updates or releases, or failed to apply security patches to their computer systems,” she said.

Jared Kaplan, executive vice president and CFO, Insureon

It’s incredibly important to train your employees in data security best practices.

Yet another “increasingly common” exclusion, Rafferty said, is expenses for first-party notification, which result from, “disclosure of personally identifiable, confidential corporate, or personal health information.”

The reason, she said, is because those costs, especially in the retail sector (illustrated by breaches of major retailers like Target and Home Depot), have skyrocketed.

All of that, experts agree, means that companies need to custom-design their coverage. “No two policies are alike,” Kaplan said. “’Significant’ and ‘reasonable’ depend entirely on the kind of work a business does.”

An example, he said, is companies in the medical field. “They may be more likely than others to be targeted by government or regulatory claims because there are more stringent state and federal-level laws that govern medical data than there are for other kinds of data.”

Lucas Zaichkowsky, enterprise defense architect, AccessData

Damage to reputation cannot be mitigated by insurance policies.

Rafferty said it is crucial to have any proposed insurance policy, “thoroughly reviewed by someone with extensive experience investigating cyber breaches,” to make sure it meets the specific needs of the organization.

Some damages, of course, cannot be measured exactly. “Damage to reputation cannot be mitigated by insurance policies,” said Lucas Zaichkowsky, enterprise defense architect at AccessData. Nor can, “forecasted revenue that drops both short and long term as loyal customers change allegiances.”

But there are ways to close coverage gaps. One of the most obvious is to practice good security “hygiene,” including end-to-end encryption of data and keeping software up to date with all recent patches.

Kaplan said the obvious way to avoid the “vicarious liability” exclusion is to, “work only with third-party vendors who have insurance; that way, in a worst-case scenario, you have an avenue for seeking compensation.”

And he added, as many experts have, that one of the best ways to avoid the headaches and costs of a major data breach is for organizations to make themselves a more difficult target.

“It’s incredibly important to train your employees in data security best practices,” he said, noting that according to Verizon Enterprise, 25% of data loss incidents in 2013 happened, “not because of hacking, but because of human error. Another 14% were caused because of theft or loss of devices.”

The other reason to try to avoid the need for an insurance claim is because, even if most exclusions are eliminated, it will not cover every expense. Marciano offers a list of typical annual premiums for organizations of different sizes in different fields, which range from a mere $649 for $500,000 of coverage for a doctor’s office, to $84,000 for $5 million in coverage for a $4 billion pharmacy benefits management company.

Common exclusions in “off-the-shelf” cyber insurance policies:

  • Breaches of protected information in paper files
  • Claims brought by the government or regulators
  • Vicarious liability, for data entrusted to a third-party vendor that is breached
  • Unencrypted data
  • Negligence: Failure to install software updates or security patches
  • First-party notification expenses for disclosure of PII or PHI

Many of the policies, with premiums ranging from $6,000 to $37,000, limit coverage to just $1 million, which in today’s world rarely comes close to covering the total expenses.

And those limits may decline. “As technology risks continue to evolve, many carriers are starting to pull back on the types of industries and risks they will cover,” Marciano said.

In short, cyber insurance can ease the pain, but it won’t eliminate it. “Most policies are nowhere near inclusive of all cost associated with breaches,” Rafferty said, “but they can certainly offset the cost of the response and first-party monetary loss for breach victims.”

CenturyLinkVoice: 4 Cybersecurity Tools Every Government Agency Needs To Have

CenturyLinkVoice: 4 Cybersecurity Tools Every Government Agency Needs To Have

America’s biggest national security vulnerabilities are moving from the battlefield to data centers and server rooms, where email and domain name systems reside. Indeed, for many government agencies, there may be no IT priority higher right now than getting their cybersecurity protections up to speed.

“Cybersecurity shouldn’t be bolted-on as an afterthought,” said John Cassidy, branch director of the cybersecurity division at CenturyLink. “It is a foundational component of IT and needs to be designed from day one of an IT strategy for an organization. Cybersecurity needs to be ingrained in the everyday culture of the workforce. This can be accomplished via education, training and awareness.”

This includes training users in simple best practices, such as using complex passwords and changing them frequently, and not clicking on suspicious links or downloading suspicious files. It’s one of the simplest parts of an organization’s cyber defenses, but also one of the most critical.

Cassidy also stressed the importance of federal agencies implementing basic cyber protections. “The federal government needs to focus on implementing the basics–such as continuous diagnostics and mitigation–correctly, consistently and comprehensively across all departments and agencies,” he said.

“There is also plenty of work to be done around automation, which frees limited manpower for more sophisticated cyber protection activities. The federal government should also continue to use managed security services that provide advanced capabilities that are deployed faster, are repeatable and scaleable, and thus can result in cost savings,” Cassidy said.

Configuring the right systems

There are many products and services that organizations can tap into to help them meet the goals described above—so many, in fact, that choosing the most effective ones can be challenging. To help narrow down the choices, here are four technologies, or cybersecurity tools, that government agencies must have on their radar screens right now:

1. DDoS mitigation service

Distributed denial of service (DDoS) attacks flood the resources of a specific system and are one of the biggest cyber threats that federal agencies currently face. To prevent such attacks and to recover from them quickly should they occur, organizations must have a dedicated cyber mitigation service in place. And, when working with a service provider, organizations must ensure that the provider can not just meet, but exceed, certain key security benchmarks–and do so for a reasonable cost.

“DDoS mitigation services should be at the top of any organization’s list of required services,” Cassidy stressed. “Consider only those providers that can detect attack traffic on the network before it impacts an organization’s infrastructure. Providers should be able to divert traffic and cleanse it of malicious packets before forwarding it. Services can be expensive, so agencies should look for a provider that charges only a low monthly retainer fee, plus an hourly charge for traffic cleansing. In this way, you get protection but don’t pay a large monthly premium for mitigation you may rarely need.”

2. Skilled analysts

Products and services can only go so far, however, to protect the organization. It’s also important to engage skilled, experienced security analysts as well. But many organizations lack this expertise in-house, and the cost of hiring such personnel is often out of reach. Service providers can step in here, but agencies need to make sure they’re working with a provider that can demonstrate its expertise and commitment in this area.

“You want a provider that commits fully to standing by you in case of an attack, with skilled analysts who not only monitor the network for attack traffic, but also work with you around-the-clock during an attack to deploy any available countermeasures to keep your sites protected,” said Cassidy.

3. E-mail and DNS protection

E-mail and Domain Name System (DNS) protections, such as those provided by the U.S. Department of Homeland Security’s Einstein 3 Accelerated  (E3A) program to federal civilian agencies and by DHS’s Enhanced Cybersecurity Service (ECS) program to critical infrastructure organizations, can also provide crucial protections. CenturyLink is a DHS-approved provider of both E3A and ECS protections.

“For example, ECS will augment a critical infrastructure company’s existing security posture and better protect their corporate email, DNS and network,” Cassidy explained.

4. Managed Trusted IP Services

Managed Trusted Internet Protocol Services, known as MTIPS, can also help protect agencies’ networks and data from malicious intrusions. In a nutshell, MTIPS allows federal government agencies to connect to the public Internet while still complying with the Office of Management and Budget’s Trusted Internet Connection (TIC) initiative.

However, MTIPS isn’t one-size-fits-all. The federal government is often viewed as one comprehensive ecosystem, but when it comes to federal IT, the truth is that every agency has its own unique environment with different architectures, locations and systems. For many agencies, a custom MTIPS solution is the way to go.

Of course, there are many other services that government agencies need to have in place to protect themselves and, by extension, U.S. citizens from a cyber attack, but starting with these four cybersecurity tools will go a long way toward meeting that goal.

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin

Wall Street urges U.S. regulators’ joint cybersecurity approach

WASHINGTON (Reuters) – Wall Street’s top trade group is calling for the creation of a new inter-agency working group of regulators and the White House that would be tasked with developing consistent cybersecurity rules for the financial industry.

The recommendation by the Securities Industry and Financial Markets Association (SIFMA) was one of several unveiled on Monday as part of a new paper that lays out proposed “principles for effective cybersecurity regulatory guidance.”

The inter-agency harmonization working group could be led by the Office of Management and Budget, SIFMA said, and would be charged with avoiding “unnecessary overlap” and making sure that “any domestic requirements are consistent with international legal obligations”.

“You could have a patchwork … for a big global bank, of five or six regulators all looking at this from a slightly different perspective, with slightly different guidance or principles of what they think is effective,” Karl Schimmeck, SIFMA’s managing director for financial services operations said in an interview.

SIFMA’s paper comes just a few weeks after JPMorgan Chase & Co shocked Wall Street with revelations that the names, addresses, phone numbers and emails of about 83 million households and small business accounts were compromised by hackers.

Although the cyber attack had been previously disclosed, the bank only recently revealed the extent of the attack, which was considered to be one of the largest data breaches in history.

The group also laid out principles for regulators to consider, saying for instance that regulators should tailor any cybersecurity rules to the size, resources and potential risks of a firm so that the rules are not “one size fits all.”

It also calls for having financial regulators engage in “risk-based” and “value-added” audits as opposed to mere “checklist reviews.”

The U.S. government has been struggling with trying to develop one uniform standard for protecting against cyber threats that retailers and banks face.

Currently, standards for when companies must disclose cyber attacks are governed by a patchwork of state regulations.

Congress has been unable to pass more comprehensive federal laws, and retailers, credit card companies and banks have all argued over who should be responsible for bearing the brunt of the costs in the aftermath of a major cyber breach.

Last Friday, President Barack Obama signed an executive order to beef up security on federal credit and debit cards, and he unveiled efforts by a series of major public companies to follow suit.

(Reporting by Sarah N. Lynch; Editing by Nick Zieminski)

China's State Councillor Yang and U.S. Secretary of State Kerry talk over tea during a day of meetings in Boston

China says it’s hard to resume cyber security talks with U.S.

BEIJING (Reuters) – Resuming cyber security cooperation between China and the United States would be difficult because of “mistaken U.S. practices”, China’s top diplomat told U.S. Secretary of State John Kerry.

Cyber security is an irritant to bilateral ties. On Wednesday the U.S. Federal Bureau of Investigation said hackers it believed were backed by the Chinese government had launched more attacks on U.S. companies, a charge China rejected as unfounded.

In May, the United States charged five Chinese military officers with hacking American firms, prompting China to shut down a bilateral working group on cyber security.

Yang Jiechi, a state councillor overseeing foreign affairs, told Kerry in Boston the United States “should take positive action to create necessary conditions for bilateral cyber security dialogue and cooperation to resume”, according to a statement seen on the Chinese Foreign Ministry website on Sunday.

“Due to mistaken U.S. practices, it is difficult at this juncture to resume Sino-U.S. cyber security dialogue and cooperation,” Yang was quoted as saying. The statement did not elaborate.

Former U.S. spy agency contractor Edward Snowden has said the U.S. National Security Agency hacked into official network infrastructure at universities in China and Hong Kong.

China, repeatedly accused by the United States of hacking, has used Snowden’s allegations as ammunition to point the finger at Washington for hypocrisy.

(Reporting by Benjamin Kang Lim; editing by Andrew Roche)

Obama's under-used credit card declined in NY cafe

Obama’s under-used credit card declined in NY cafe

WASHINGTON – The Secret Service is charged with watching the president’s back, but who’s watching his wallet?

When his credit card was declined last month while dining in New York, President Barack Obama wondered if he had become a victim of identity theft. Obama said Friday at the Consumer Financial Protection Bureau that fraud was suspected because he just doesn’t use his card enough.

Fortunately, first lady Michelle Obama was able to whip out a credit card they could use.

Identity theft is a growing problem and an estimated 100 million people have been affected by security breaches in the past year at retailers like Target and Home Depot. Obama on Friday announced a government plan to tighten security for debit cards transferring federal benefits like Social Security to millions of Americans.