
Electronic commerce


Fnord666 writes with this excerpt from TechCrunch: "Twitter has enabled Perfect Forward Secrecy across its mobile site, website and API feeds in order to protect against future cracking of the service's encryption. The PFS method ensures that, if the encryption key Twitter uses is cracked in the future, all of the past data transported through the network does not become an open book right away. 'If an adversary is currently recording all Twitter users' encrypted traffic, and they later crack or steal Twitter's private keys, they should not be able to use those keys to decrypt the recorded traffic,' says Twitter's Jacob Hoffman-Andrews. 'As the Electronic Frontier Foundation points out, this type of protection is increasingly important on today's Internet.'"

Of course, they are also using Elliptic Curve ciphers.
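The property Hoffman-Andrews describes, as an added toy simulation (not Twitter's code and not real TLS): one session uses RSA key transport, the other an ephemeral Diffie-Hellman exchange signed by the same long-term key, and an adversary who recorded both transcripts later obtains the private key. The key sizes and the XOR record cipher are constructed for illustration only.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small to be secure; they only show the property.
# Server's long-term RSA key: n = 61 * 53, public exponent 17, private exponent 2753.
N, E, D = 3233, 17, 2753
# Diffie-Hellman group: 127-bit Mersenne prime with generator 2 (toy size).
P, G = (1 << 127) - 1, 2

def keystream_xor(key_material: bytes, data: bytes) -> bytes:
    """Demo record cipher: XOR with a SHA-256 derived key (stands in for AES)."""
    key = hashlib.sha256(key_material).digest()
    return bytes(b ^ key[i % 32] for i, b in enumerate(data))

def static_rsa_session(plaintext: bytes) -> dict:
    """Non-PFS handshake: the client encrypts the premaster secret to the server's long-term key."""
    premaster = secrets.randbelow(N - 2) + 2
    return {"kx": "rsa",
            "encrypted_premaster": pow(premaster, E, N),        # sent on the wire
            "record": keystream_xor(premaster.to_bytes(2, "big"), plaintext)}

def ephemeral_dh_session(plaintext: bytes) -> dict:
    """PFS handshake (DHE): fresh exponents per session; the long-term key only signs."""
    x, y = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    server_share, client_share = pow(G, x, P), pow(G, y, P)
    digest = int.from_bytes(hashlib.sha256(str(server_share).encode()).digest(), "big") % N
    shared = pow(client_share, x, P)                            # equals pow(server_share, y, P)
    return {"kx": "dhe", "server_share": server_share, "client_share": client_share,
            "signature": pow(digest, D, N),                     # toy RSA signature over the share
            "record": keystream_xor(shared.to_bytes(16, "big"), plaintext)}

def signature_valid(transcript: dict) -> bool:
    """Client-side check that the server's share was signed by the long-term key."""
    digest = int.from_bytes(hashlib.sha256(str(transcript["server_share"]).encode()).digest(), "big") % N
    return pow(transcript["signature"], E, N) == digest

def decrypt_recorded_traffic(transcript: dict, stolen_d: int):
    """Adversary who recorded the transcript earlier and has now obtained the server's private key."""
    if transcript["kx"] == "rsa":
        premaster = pow(transcript["encrypted_premaster"], stolen_d, N)   # key transport undone
        return keystream_xor(premaster.to_bytes(2, "big"), transcript["record"])
    # DHE: the stolen key could forge future signatures, but x and y were never transmitted,
    # so nothing in the recorded transcript can be recovered with it.
    return None
```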


There are all kinds of reasons to think that Bitcoin is a joke, and that the value of the bitcoins themselves will ultimately go to zero. It's inherently unstable as a currency, prone to hyperdeflation, has an artificial scarcity, and is subject to hoarding.

Original author: Caleb Barlow


Mobile phone image copyright Oleksiy Mark

When it comes to mobile computing, many organizations either cringe at the fear of security risks or rejoice in the business potential. On one hand, mobile is revolutionizing business operations — improving operational efficiency, enhancing productivity, empowering employees and delivering an engaging user experience. On the other hand, sensitive data that used to be housed in a controlled environment of a company desktop or even laptop is now sitting in an employee’s back pocket or purse.

In today’s ultra-connected world, it can seem like threats are all around us. High-profile breaches and attacks from hacker groups have organizations of all sizes — from multinational enterprises to mom-and-pop shops — doubling down on security and making sure there aren’t any cracks in their defenses. Mobile security doesn’t have to be the Achilles’ heel that leads to a breach. New, innovative solutions for securing mobile devices at the application level are rapidly hitting the market and the latest IBM X-Force report indicates that by 2014, mobile computing will be more secure than traditional desktops. Phones, tablets and other devices are a staple of the 21st century workplace and in order to fully embrace this technology, businesses must be certain they’re well protected and secure.

Do You Know Where Your Data Is?

Tackling mobile security can seem like a daunting task. The IBM X-Force report also indicates a 19 percent increase in the number of exploits publicly released that can be used to target mobile devices. Making the task more challenging is the fact that — especially in the case of BYOD — the line between professional and personal data is more blurred on mobile platforms than anywhere before. According to Gartner, by 2014, 90 percent of organizations will support corporate applications on personal devices. This means that devices being used to connect with enterprise networks or create sensitive company data are also being used for social networking and to download mobile apps, leaving organizations with the predicament of how to manage, secure and patrol those devices. From the point of view of a hacker, a mobile device becomes an ideal target as it has access to the enterprise data as well as personal data that can be used to mount future attacks against your friends and colleagues.

Mobile apps are a great example of why mobile security tends to raise concerns among security professionals and business leaders. Employees install personal apps onto the same devices they use to access their enterprise data, but are not always careful or discriminating about the security of those apps — whether they are the real version or a manipulated version that will attempt to steal corporate data. According to a recent report by Arxan Technologies, more than 90 percent of the top 100 mobile apps have been hacked in some capacity. Some free mobile apps even demand access to an employee’s contact list in order to function correctly. Just pause and think about that for a second. Would you give your entire contact list to a complete stranger? That’s effectively what you are doing when you install many of these popular applications. If an organization takes a step back and really considers what employees are agreeing to, willingly or not, the results can be troublesome. So the challenge remains — how to get employees to recognize and understand just how vulnerable their mobile device can be to an enterprise.

Mitigating Mobile Risks: Why It’s Easier Than You Think

Mobile app security and device management do not have to be a company’s security downfall. By employing intelligent security solutions that adapt to the requirements of a specific context, businesses can mitigate operational risk and unleash the full potential of mobility.

The key to mitigating security risks when mobile devices access enterprise data is access control. This may include passcode locks, data protection, and malware and virus prevention. With that said, IT security priorities should focus on practices, policies and procedures, such as:

  • Risk analysis: Organizations must understand what enterprise data is on employee devices, how it could be compromised and the potential impact of the compromise (i.e. What does it cost? What happens if the device is lost? Is the data incidental or crucial to the business?).
  • Securing the application: In the pre-mobile, personal computer era, securing the device and the user was sufficient. When it comes to mobile devices, we also need to think about securing the application itself. As a typical application is downloaded from a store, the end user really has no idea who built the application, what it actually does with their data or how secure it is. Corporate applications with sensitive data need to be secure in their own right.
  • Secure mobile access — authentication: Since mobile devices are shared, it’s important to authenticate both the user and the device before granting access, and to look at the context of the user requesting access based on factors like time, network, location, device characteristics, role, etc. If the context appears to be out of line with normal behavior, appropriate countermeasures can be taken.
  • Encryption: Simply put, if the data is sensitive it needs to be encrypted both while at rest as well as while in motion on the network.

Once an enterprise has defined its security policy — establishing set policies/procedures regarding content that is allowed to be accessed on devices, how it’s accessed and how the organization will handle lost/stolen devices that may contain business data — mobile technology solutions can help ensure that no opening is left unguarded.

So if security concerns are holding you back from “going mobile,” rest assured — there are many companies that have embraced trends like “Bring Your Own Device” without sending their Chief Security Officers into a panic. As long as organizations take the right steps and continually revisit their security posture to ensure that every endpoint is secured and that the proper technology is in place, it really is possible to be confident about your mobile security strategy.

Caleb Barlow is part of the executive team in IBM’s Security division. He manages three portfolios — Application Security, Data Security and Mobile Security. In addition to his day job, Caleb also hosts a popular Internet Radio show focused on IT Security with an audience averaging over 20k listeners per show.

Original author: Cyrus Farivar

On Thursday, the world’s largest Bitcoin exchange, Mt. Gox, announced that it would require all users to “be verified in order to perform any currency deposits and withdrawals. Bitcoin deposits do not need verification, and at this time we are not requiring verification for Bitcoin withdrawals.”

The company did not provide any explanation about why it was imposing this new requirement, but it did say that it would be able to process most verifications within 48 hours.

The move comes two days after federal prosecutors went after Liberty Reserve, another online currency that had notoriously poor verification. (In court documents, a federal investigator in that case included an address of “123 Fake Main Street, Completely Made Up City, New York” to create an account that was accepted.) It also comes two weeks after the Department of Homeland Security started investigating Mt. Gox over the possible crime of money transmitting without a license.


Original author: Aaron Souppouris


The asset freeze at Mt. Gox was due to the Bitcoin exchange's failure to obey financial regulations as required by US authorities. The news comes via IDG, which obtained a copy of the seizure order from the US Immigration and Customs Enforcement (ICE).

The agency froze the Dwolla (a US-based online payments system) account of Mutum Sigillum (aka Mt. Gox) on the grounds that it had lied on an official form. When asked if his company "[accepts] funds from customers and send[s] the funds based on customers' instructions," Mt. Gox CEO Mark Karpeles answered "no." When asked if Mt. Gox "deal[s] in or exchange[s] currency" for its customers, Karpeles again answered "no." In both cases, it seems likely — and ICE asserts — that these...


Original author: Adrianne Jeffries


Defendants Elvis Rafael Rodriguez and Emir Yasser Yeje posing with approximately $40,000 in cash. Source: US Attorney, Eastern District of New York

If you’d been waiting for the ATM inside the deli at East 59th and Third in Manhattan on Tuesday, February 19th around 9:24PM, you would have been annoyed. A young man in a black beanie and puffy black jacket made seven withdrawals in a row, stuffing around $5,620 into his blue backpack. The man wasted no time. He exited the deli and headed up five blocks to repeat the process at four more ATMs, finishing his route at a Chase bank at 69th and Third at 9:55PM, where he made four withdrawals totaling $4,000.

While the man in the black beanie was beelining along the Upper East Side, seven...


Original author: Dan Goodin

Wikipedia

Federal authorities have accused eight men of participating in 21st-century bank heists that netted a whopping $45 million by hacking into payment systems and eliminating withdrawal limits placed on prepaid debit cards.

The eight men formed the New York-based cell of an international crime ring that organized and executed the hacks and then used fraudulent payment cards in dozens of countries to withdraw the loot from automated teller machines, federal prosecutors alleged in court papers unsealed Thursday. In a matter of hours on two separate occasions, the eight defendants and their confederates withdrew about $2.8 million from New York City ATMs alone. At the same times, "cashing crews" in cities in at least 26 countries withdrew more than $40 million in a similar fashion.

Prosecutors have labeled this type of heist an "unlimited operation" because it systematically removes the withdrawal limits normally placed on debit card accounts. These restrictions work as a safety mechanism that caps the amount of loss that banks normally face when something goes wrong. The operation removed the limits by hacking into two companies that process online payments for prepaid MasterCard debit card accounts issued by two banks—the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates and the Bank of Muscat in Oman—according to an indictment filed in federal court in the Eastern District of New York. Prosecutors didn't identify the payment processors except to say one was in India and the other in the United States.


Original author: WIRED UK

Bryan Mills

A study of the Bitcoin exchange industry has found that 45 percent of exchanges fail, taking their users' money with them. Those that survive are the ones that handle the most traffic—but they are also the exchanges that suffer the greatest number of cyber attacks.

Computer scientists Tyler Moore (from Southern Methodist University, Dallas) and Nicolas Christin (of Carnegie Mellon University) found 40 exchanges on the Web that offered a service changing bitcoins into fiat currencies or back again. Of those 40, 18 have gone out of business: 13 closed without warning, and five closed after suffering security breaches. Four other exchanges have suffered serious attacks but remain open.

One of those is Mt. Gox, the largest Bitcoin exchange, which Moore and Christin state handled more than 40,000 Bitcoin transactions a day at its peak, compared to a mean average of 1,716 across exchanges. It has been the victim of a huge number of distributed denial-of-service (DDoS) attacks over the past month during the peak of the Bitcoin bubble (and its subsequent bursting—though the price now appears to be rising again). Its latest statement, dealing with the attack it suffered on April 21, is long and comprehensive, seeking to assuage the fears of Bitcoin users who feel that Mt. Gox is becoming a weak link in Bitcoin's infrastructure.

