Tag Archives: Security

Trump to use U.S. security review panel to curb China tech investments
June 27, 2018 6:20 pm

WASHINGTON (Reuters) – U.S. President Donald Trump said on Wednesday he will use a strengthened national security review process to thwart Chinese acquisitions of sensitive American technologies, a softer approach than imposing China-specific investment restrictions.

FILE PHOTO: U.S. President Donald Trump speaks during a lunch meeting with Republican members of Congress at the White House in Washington, U.S., June 26, 2018. REUTERS/Kevin Lamarque

The Treasury Department has recommended that Trump use the Committee on Foreign Investment in the United States (CFIUS), whose authority would be enhanced by new legislation in Congress, to control investment deals. The legislation expands the scope of transactions reviewed by the interagency panel to address security concerns, Trump said.

The decision marks a victory for Treasury Secretary Steven Mnuchin in a fierce White House debate over the scope of such curbs.

Mnuchin had favored a more measured and global approach to protecting U.S. technology, using authority approved by Congress, while White House trade adviser Peter Navarro, the administration’s harshest China critic, had argued for China-specific restrictions.

“We are not, on a wholesale basis, discriminating against China as part of a negotiation,” Mnuchin said on CNBC on Wednesday.

The investment restrictions are part of the administration’s efforts to pressure Beijing into making major changes to its trade, technology transfer and industrial subsidy policies after U.S. complaints that China has unfairly acquired American intellectual property through joint venture requirements, unfair licensing and strategic acquisitions of U.S. tech firms.

“I have concluded that such (CFIUS) legislation will provide additional tools to combat the predatory investment practices that threaten our critical technology leadership, national security, and future economic prosperity,” Trump said in a statement that did not specifically name China.

U.S. stocks rose after Trump announced the new approach to U.S. investment restrictions but reversed gains in afternoon trading.

Senior administration officials told reporters on a conference call that sticking with CFIUS, a process companies are familiar with, would ensure strong inward investment into the United States while protecting the “crown jewels” of U.S. intellectual property.

Trump said in his statement that upon final passage of the legislation, known as the Foreign Investment Risk Review Modernization Act, he will direct his administration “to implement it promptly and enforce it rigorously, with a view toward addressing the concerns regarding state-directed investment in critical technologies.”

If Congress fails to pass the legislation quickly, Trump said, he would direct the administration to implement new restrictions under executive authority that could be applied globally.

The decision to stick with CFIUS was a pragmatic move because the new CFIUS legislation “will put a crimp in China’s efforts to move up the value chain in high tech,” said Scott Kennedy, head of China studies at the Center for Strategic and International Studies in Washington.

But it will likely do little to stop the activation of U.S. tariffs on $34 billion worth of Chinese goods, scheduled for July 6, or jump-start trade negotiations between the two economic superpowers, Kennedy said.

And the mixed messages from the administration do not help Trump’s negotiating position, he said.

“It shows the Chinese that the Trump administration is still undependable and can be moved back from the most hardline positions,” Kennedy added.

Mnuchin on CNBC downplayed the dissent within the administration, saying that Trump wants to hear differing views on important issues, but the administration’s economic team typically comes together on major recommendations such as the investment restrictions.

Mnuchin said the new CFIUS legislation, passed 400-2 in the House of Representatives on Tuesday, would broaden the types of transactions that could be reviewed by the panel on national security grounds, including minority stakes, joint ventures and property purchases near U.S. military bases.

“This isn’t a question about being weak or strong, this is about protecting technology. We have the right tools under this legislation to protect technology,” Mnuchin said.

COMMERCE EXPORT CURBS

Trump also said that he has directed Commerce Secretary Wilbur Ross to examine U.S. export controls and recommend modifications that may be needed “to defend our national security and technological leadership.”

A Commerce Department spokesman could not be immediately reached for comment on the study.

The CFIUS legislation is headed for negotiations between U.S. House and Senate lawmakers in the coming weeks to craft a final version, with guidance from the Treasury.

A sticking point that could emerge is language in the Senate version that would reinstate the ban on Chinese telecom equipment maker ZTE Corp (000063.SZ) from purchasing U.S. components for a year. The Commerce Department ban had effectively shut the Shenzhen-based company down, angering Beijing.

The House version has less stringent language prohibiting the U.S. Department of Defense from purchasing any ZTE communications gear.

Reporting by David Lawder; Editing by Jeffrey Benkoe and Steve Orlofsky

WPA3 Wi-Fi Security Will Save You From Yourself
June 26, 2018 6:17 am

There are more Wi-Fi devices in active use around the world—roughly 9 billion—than there are human beings. That ubiquity makes protecting Wi-Fi from hackers one of the most important tasks in cybersecurity. Which is why the arrival of next-generation wireless security protocol WPA3 deserves your attention: Not only is it going to keep Wi-Fi connections safer, but also it will help save you from your own security shortcomings.

It’ll take time before you can enjoy the full benefits of WPA3; the Wi-Fi Alliance, a trade group that oversees the standard, is releasing full details today but doesn’t expect broad implementation until late 2019 at the earliest. In the course that WPA3 charts for Wi-Fi, though, security experts see critical, long-overdue improvements to a technology you use more than almost any other.

“If you ask virtually any security person, they’ll say don’t use Wi-Fi, or if you do, immediately throw a VPN connection on top of it,” says Bob Rudis, chief data officer at security firm Rapid 7. “Now, Wi-Fi becomes something where we can say hey, if the place you’re going to uses WPA3 and your device uses WPA3, you can pretty much use Wi-Fi in that location.”

Password Protections

Start with how WPA3 will protect you at home. Specifically, it’ll mitigate the damage that might stem from your lazy passwords.

A fundamental weakness of WPA2, the current wireless security protocol that dates back to 2004, is that it lets hackers deploy a so-called offline dictionary attack to guess your password. An attacker can take as many shots as they want at guessing your credentials without being on the same network, cycling through the entire dictionary—and beyond—in relatively short order.

“Let’s say that I’m trying to communicate with somebody, and you want to be able to eavesdrop on what we’re saying. In an offline attack, you can either passively stand there and capture an exchange, or maybe interact with me once. And then you can leave, you can go somewhere else, you can spin up a bunch of cloud computing services and you can try a brute-force dictionary attack without ever interacting with me again, until you figure out my password,” says Kevin Robinson, a Wi-Fi Alliance executive.

This kind of attack does have limitations. “If you pick a password that’s 16 characters or 30 characters in length, there’s just no way, we’re just not going to crack it,” says Joshua Wright, a senior technical analyst with information security company Counter Hack. Chances are, though, you didn’t pick that kind of password. “The problem is really consumers who don’t know better, where their home password is their first initial and the name of their favorite car.”

If that sounds familiar, please change your password immediately. In the meantime, WPA3 will protect against dictionary attacks by implementing a new key exchange protocol. WPA2 used an imperfect four-way handshake between clients and access points to enable encrypted connections; it’s what was behind the notorious KRACK vulnerability that impacted basically every connected device. WPA3 will ditch that in favor of the more secure—and widely vetted—Simultaneous Authentication of Equals handshake.

There are plenty of technical differences, but the upshot for you is twofold. First, those dictionary attacks? They’re essentially done. “In this new scenario, every single time that you want to take a guess at the password, to try to get into the conversation, you have to interact with me,” says Robinson. “You get one guess each time.” Which means that even if you use your pet’s name as your Wi-Fi password, hackers will be much less likely to take the time to crack it.

The other benefit comes in the event that your password gets compromised nonetheless. With this new handshake, WPA3 supports forward secrecy, meaning that any traffic that came across your transom before an outsider gained access will remain encrypted. With WPA2, they can decrypt old traffic as well.

Safer Connections

When WPA2 came along in 2004, the Internet of Things had not yet become anything close to the all-consuming security horror that is its present-day hallmark. No wonder, then, that WPA2 offered no streamlined way to safely onboard these devices to an existing Wi-Fi network. And in fact, the predominant method by which that process happens today—Wi-Fi Protected Setup—has had known vulnerabilities since 2011. WPA3 provides a fix.

Wi-Fi Easy Connect, as the Wi-Fi Alliance calls it, makes it easier to get wireless devices that have no (or limited) screen or input mechanism onto your network. When enabled, you’ll simply use your smartphone to scan a QR code on your router, then scan a QR code on your printer or speaker or other IoT device, and you’re set—they’re securely connected. With the QR code method, you’re using public key-based encryption to onboard devices that currently largely lack a simple, secure method to do so.

“Right now it’s really hard to deploy IoT things fairly securely. The reality is they have no screen, they have no display,” says Rudis. Wi-Fi Easy Connect obviates that issue. “With WPA3, it’s automatically connecting to a secure, closed network. And it’s going to have the ability to lock in those credentials so that it’s a lot easier to get a lot more IoT devices rolled out in a secure manner.”

Here again, Wi-Fi Easy Connect’s neatest trick is in its ease of use. It’s not just safe; it’s impossible to screw up.

That trend also plays out with Wi-Fi Enhanced Open, which the Wi-Fi Alliance detailed a few weeks earlier. You’ve probably heard that you should avoid doing any sensitive browsing or data entry on public Wi-Fi networks. That’s because with WPA2, anyone on the same public network as you can observe your activity, and target you with intrusions like man-in-the-middle attacks or traffic sniffing. On WPA3? Not so much. When you log onto a coffee shop’s WPA3 Wi-Fi with a WPA3 device, your connection will automatically be encrypted without the need for additional credentials. It does so using an established standard called Opportunistic Wireless Encryption.

“By default, WPA3 is going to be fully encrypted from the minute that you begin to do anything with regards to getting on the wireless network,” according to Rudis. “That’s fundamentally huge.”

As with the password protections, WPA3’s expanded encryption for public networks also keeps Wi-Fi users safe from a vulnerability they may not realize exists in the first place. In fact, if anything it might make Wi-Fi users feel too secure.

“The heart is in the right place, but it doesn’t stop the attack,” says Wright. “It’s a partial solution. My concern is that consumers think they have this automatic encryption mechanism because of WPA3, but it’s not guaranteed. An attacker can impersonate the access point, and then turn that feature off.”

Switching On

Even with the added technical details, talking about WPA3 still feels almost premature. While major manufacturers like Qualcomm have already committed to implementing it as early as this summer, the entire ecosystem needs to embrace WPA3 before its many upgrades can be taken full advantage of.

That’ll happen in time, just as it did with WPA2. And the Wi-Fi Alliance’s Robinson says that backward interoperability with WPA2 will ensure that some added security benefits will be available as soon as the devices themselves are. “Even at the very beginning, when a user has a mix of device capabilities, if they get a network with WPA3 in it, they can immediately turn on a transitional mode. Any of their WPA3-capable devices will get the benefits of WPA3, and the legacy WPA2 devices can continue to connect,” Robinson says.

Lurking inside that assurance, though, is the reality that WPA3 will come at a literal cost. “The gotcha is that everyone’s got to buy a new everything,” says Rudis. “But at least it’s setting the framework for a much more secure setup than what we’ve got now.”

Just as importantly, that framework mostly relies on solutions that security researchers already have had a chance to poke and prod for holes. That hasn’t always been the case.

“Five years ago the Wi-Fi Alliance was creating its own protocols in secrecy, not disclosing the details, and then it turns out some of them have problems,” says Wright. “Now, they’re more adopting known and tested and vetted protocols that we have a lot more confidence in, and they’re not trying to hide the details of the system.”

Which makes sense. When you’re securing one of the most widely used technologies on Earth, you don’t want to leave anything to chance.

Even After Multiple Cyberattacks, Many Businesses Fail to Bolster Security. Here's What You Need to Do
June 18, 2018 6:05 pm

Small businesses suffered a barrage of computer invasions last year but most took no action to shore up their security afterward, according to a survey by insurer Hiscox.

It found that 47 percent of small businesses reported that they had one attack in 2017, and 44 percent said they had two to four attacks.

The invasions included ransomware, which makes a computer’s files unusable unless the device’s user or owner pays a ransom, and phishing, in which emails that look legitimate are used to steal information. The invasions also include what are called drive-by attacks, which infect websites and in turn the computers that visit them.

Despite the prevalence of the data invasions, only about half of small businesses said they had a clear cybersecurity strategy, the report found. And nearly two-thirds said they didn’t bolster their security after an attack.

Hiscox estimates that seven out of 10 businesses aren’t prepared to handle cyber attacks, although they can cost a company thousands of dollars or more and ransomware can shut down operations. Cybersecurity tends to get pushed to the back burner while owners are busy developing products and services and working with clients and employees. Or owners may see it as an expense they can’t afford right now.

Some basic cybersecurity advice:

–Back up all of a company’s data securely. This means paying for a service that keeps a duplicate of all files on an ongoing basis. The best backups keep creating versions of a company’s files that can be accessed in the event of ransomware — eliminating the need to pay data thieves. Some backups cost just a few hundred dollars a year.

–Install software that searches for and immobilizes viruses, malware and other harmful programs. Also install firewalls and data encryption programs.

–Make sure you have all the updates and patches for your operating systems for all your devices. They often include security programs.

–If you have a website, learn how to protect it from hackers, using software including firewalls. But you might be better off hiring a service that will monitor your site with sophisticated tools that detect and disable intruders.

–Tell your staffers, and keep reminding them, about the dangers of clicking on links or attachments in emails unless they’re completely sure the emails are from a legitimate source. Educate your employees about phishing attacks and the tricks they use. Phishers are becoming increasingly sophisticated and are creating emails that look like they really could have come from your bank or a company you do business with.

–Hire an information technology consultant who will regularly look at your systems to be sure you have the tools you need to keep your data safe.

–The Associated Press

Apple Loop: Latest Leak 'Confirms' New iPhone, iOS 12 Drops Sexy For Security, WWDC Fails MacBooks
June 9, 2018 6:00 am

Taking a look back at another week of news from Cupertino, this week’s Apple Loop includes the latest renders of the new iPhone X for 2018, the hardware that wasn’t announced at WWDC, why iOS 12 stands for stability, the renewed focus on iPhone security, the disappointment of no new MacBooks at WWDC, and all the spoof products announced on the internet.

Apple Loop is here to remind you of a few of the very many discussions that have happened around Apple over the last seven days (and you can read my weekly digest of Android news here on Forbes).

First Renders Of The New iPhone X

As part of Apple’s push to expand the iPhone line-up (and increase sales of the iPhone family after years of declining share), the geekerati are expecting a budget version of the iPhone X (not to be confused with an update of the iPhone SE). What will it look like? Forbes’ Gordon Kelly reveals new renders of the budget iPhone X:

What Hemmerstoffer’s images and video (embedded below) show is a 6.1-inch design which blends the chassis of the iPhone 8 and a single rear camera with the fascia of the iPhone X, complete with Face ID facial recognition module and the distinctive notch. On the flipside, this means no Touch ID fingerprint sensor.

…Hemmerstoffer notes this currently unnamed budget iPhone X (my naming bet is simply ‘iPhone’), will also pack wireless charging, stereo speakers and a new A12 chipset. So this is basically a single-camera iPhone X for over $200 less.

More here on Forbes.

‘Budget’ 6.1-inch iPhone and 6.5-inch iPhone X Plus (OnLeaks/MySmartPrice)

What Wasn’t Announced At WWDC

Lots of news to come out of this week’s Worldwide Developer Conference from Apple, but before we get to what did appear, it’s important to realise what was not on show. Apple refused the opportunity to show off any new hardware. No iPads, no Macs, no MacBooks, no peripherals, and perhaps most importantly, no mid-range iPhones to replace the iPhone SE. And WWDC was the best time to announce this upcoming smartphone, as I discussed earlier this week:

Assuming Taniyama-Shimura, there are enough signs in the supply chain that an update to the iPhone SE is coming. So the question becomes not of ‘will it arrive’ but ‘when will it arrive.’

…its non-appearance at WWDC tells us a lot about the handset. iPhone sales this year need a boost. The iPhone X has not delivered the super-cycle it promised and sales are flat to slightly down year-on-year. Market share is approaching single figures, and relying on high-end handsets with high margins may be delivering financial success… but it doesn’t provide for growth or entry into new markets. The iPhone SE 2 can help balance the equation of revenue and market share by offering a low-priced gateway into Apple’s world of smartphones.

More on why Apple hid the SE 2 here.

Twelve Stands For Stability

Almost all of the focus at WWDC was on software, and the vast majority of that focus was on iOS. There have not been any major changes or additions; Apple has focused on the stability of the code to rebuild the bulletproof perception of the iPhone’s operating system. Zach Epstein is glad the new release is just ‘meh’:

It’s no secret that iOS 11 has been a complete mess for Apple. It’s not the travesty that whiny anti-Apple bloggers would have you believe, of course, but there’s no question that Apple made some big mistakes in iOS 11. It has had more security holes, annoying bugs, and performance issues than any version of iOS from recent history, and many of those problems still exist in iOS 11.3 and iOS 11.4 now, more than 8 months after the software’s initial release.

We learned many months ago that performance and overall user experience were going to be Apple’s main points of focus in iOS 12. In fact, insider reports stated that Apple decided to delay the addition of several big new features in iOS 12 and push them back to subsequent releases, or maybe even until next year’s iOS 13 update. This way, Apple’s various iOS engineering teams could focus on improving performance in iOS and on refining the user experience, rather than on integrating complex new features.

More at BGR.

Security Expert Frank Abagnale: ‘You’ll See Banks All Move to Blockchain’
May 29, 2018 6:05 pm

Frank Abagnale, the once-notorious confidence trickster portrayed by Leonardo DiCaprio in the film Catch Me If You Can, said blockchain is the future of secure information processing and data settlement.

A video has surfaced from Abagnale’s speech at a blockchain conference in April in which he shares his thoughts on the burgeoning technology.

“I think you have to be pretty ignorant not to realize that blockchain is the way of the future,” he said at the Blockchain Nation Miami conference. “It is the best way to secure information, to secure it 100%.”

For more than 40 years, Abagnale has worked with and advised hundreds of financial institutions, corporations, and government agencies. In his opinion, these institutions will begin embracing the technology. Blockchain is often defined as “an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way.” Communication occurs between peers instead of through a central authority, and every transaction is visible to anyone with access to the system.

“I think you’ll see banks—especially accounting practices and accounting firms—all move to blockchain,” he said about keeping records on the decentralized network technology. “You cannot break the blockchain. You cannot hack into the blockchain. You can’t change anything on the blockchain.”

He outlines some privacy issues that need to be worked out when using the technology, but Abagnale said it is a technology that will “eventually be adopted by all types of governments, businesses, and corporations.”

Abagnale is alluding to a trend that is already in motion.

HSBC recently said it performed the world’s first trade finance transaction using blockchain technology. Santander last month launched a foreign exchange service that uses the distributed ledger tech to make same-day international money transfers. J.P. Morgan recently applied for a patent to facilitate payments between banks using the blockchain.

Homeland Security unveils new cyber security strategy amid threats
May 15, 2018 6:02 pm

WASHINGTON (Reuters) – The U.S. Department of Homeland Security on Tuesday unveiled a new national strategy for addressing the growing number of cyber security risks as it works to assess them and reduce vulnerabilities.

FILE PHOTO: U.S. Department of Homeland Security emblem is pictured at the National Cybersecurity & Communications Integration Center (NCCIC) located just outside Washington in Arlington, Virginia September 24, 2010. REUTERS/Hyungwon Kang

“The cyber threat landscape is shifting in real-time, and we have reached a historic turning point,” DHS chief Kirstjen Nielsen said in a statement. “It is clear that our cyber adversaries can now threaten the very fabric of our republic itself.”

The announcement comes amid concerns about the security of the 2018 U.S. midterm congressional elections and numerous high-profile hacks of U.S. companies.

“The United States faces threats from a growing set of sophisticated malicious actors who seek to exploit cyberspace. Motivations include espionage, political and ideological interests, and financial gain,” according to the 35-page report reviewed by Reuters before its public release. “Nation-states continue to present a considerable cyber threat. But non-state actors are emerging with capabilities that match those of sophisticated nation-states.”

The report noted that by 2020 more than 20 billion devices are expected to be connected to the internet. “The risks introduced by the growing number and variety of such devices are substantial,” it said.

Nielsen said the government “must think beyond the defense of specific assets — and confront systemic risks that affect everyone from tech giants to homeowners.”

The report also noted the 2015 intrusion into a federal agency resulted in the compromise of personnel records of over 4 million federal employees and in total impacted nearly 22 million people.

The DHS report said the agency “must better align our existing law enforcement efforts and resources to address new and emerging challenges in cyberspace, to include the growing use of end-to-end encryption, anonymous networks, online marketplaces, and cryptocurrencies.”

Nielsen will testify Tuesday at a Senate hearing.

In March, Nielsen said the department was prioritizing election cyber security above all other critical infrastructure it protects, such as the financial, energy and communications systems.

U.S. intelligence officials have repeatedly warned that Russia will attempt to meddle in the 2018 contests after doing so during the 2016 presidential campaign.

Nielsen said that more than half of U.S. states have signed up for the agency’s cyber scanning services, designed to detect potential weaknesses that could be targeted by hackers.

DHS said in 2016 that 21 states had experienced initial probing of their systems from Russian hackers in 2016 and that a small number of networks were compromised, but that there was no evidence any votes were actually altered.

Reporting by David Shepardson; Editing by Dan Grebler

Indian agency denies security lapse in ID card project; ZDNet defends report
March 25, 2018 6:02 pm

NEW DELHI (Reuters) – Tech news site ZDNet said on Sunday it stood by its report that identified a security vulnerability in data linked to Aadhaar, India’s national identity card project, after a semi-government agency that manages the database sought to discredit the report.

A woman goes through the process of finger scanning for the Unique Identification (UID) database system, also known as Aadhaar, at a registration centre in New Delhi, India, January 17, 2018. Picture taken January 17, 2018. REUTERS/Saumya Khandelwal

ZDNet reported that a data leak on a system run by a state-owned utility company could allow access to private information of holders of the biometric “Aadhaar” ID cards, exposing their names, their unique 12-digit identity numbers, and their bank details.

The Unique Identification Authority of India (UIDAI), which manages the Aadhaar program, said “there is no truth in this story,” in a statement late on Saturday.

ZDNet’s global editor-in-chief Larry Dignan said in an email to Reuters on Sunday the publication stood by its report. Dignan said they spent weeks compiling evidence and verifying facts.

“We spent weeks reaching out to the Indian authorities, specifically UIDAI, to responsibly disclose the security issue, and we heard nothing back — and no action was taken until after we published our story,” said Dignan.

UIDAI sought to downplay the report stating that even if the claims in the story were true, it would raise security concerns with the database of the utility company and not with the security of UIDAI’s Aadhaar database. UIDAI said it is “contemplating legal action against ZDNet”.

Multiple researchers and journalists who have identified loopholes in India’s massive national identity card project say they have been harassed by some government agencies and slapped with criminal cases because of their work.

Aadhaar is a biometric identification card that is becoming integral to the digitisation of India’s economy; with over 1.1 billion users, it is the world’s largest such database.

Indians have been asked to furnish their Aadhaar numbers for a host of transactions including accessing bank accounts, paying taxes, receiving subsidies, acquiring a mobile number, settling a property deal and registering a marriage.

The government’s demands for Aadhaar linkage for multiple services are currently being challenged in India’s Supreme Court.

At the same time, security researchers and journalists have highlighted multiple vulnerabilities and data leaks tied to the program. UIDAI has sought to downplay the reports and last week it said the biometric data was safe from hacking as the storage facility was not connected to the internet.

Reporting by Malini Menon; Writing by Malini Menon and Krishna N. Das; Editing by Andrew Bolton, Euan Rocha and David Evans

Indian agency denies reported security lapse in ID card project
March 24, 2018 6:01 pm

NEW DELHI (Reuters) – The semi-government agency behind India’s national identity card project on Saturday denied a report by news website ZDNet that the program has been hit by another security lapse that allows access to private information.

A woman goes through the process of finger scanning for the Unique Identification (UID) database system, also known as Aadhaar, at a registration centre in New Delhi, India, January 17, 2018. Picture taken January 17, 2018. REUTERS/Saumya Khandelwal

ZDNet reported that a data leak on a system run by a state-owned utility company, which it did not name, could allow access to private information of holders of the biometric “Aadhaar” ID cards, exposing their names, their unique 12-digit identity numbers, and their bank details.

But the Unique Identification Authority of India (UIDAI), which runs the Aadhaar program, said “there is no truth in this story” and that they were “contemplating legal action against ZDNet”.

ZDNet could not immediately be contacted for comment on the UIDAI’s response.

“There has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the agency said in a statement late on Saturday.

“Even if the claim purported in the story were taken as true, it would raise security concerns on database of that utility company and has nothing to do with the security of UIDAI’s Aadhaar database,” it said.

MORE THAN BILLION USERS

ZDNet had reported that even though the security lapse had been flagged to some government agencies over a period of time, it has yet to be fixed. It said it was withholding the name of the utility and other details.

Karan Saini, a New Delhi-based security researcher, said that anyone with an Aadhaar number was affected.

“This is a security lapse. You don’t have to be a consumer to access these details. You just need the Uniform Resource Locator where the Application Programming Interface is located. These can be found in less than 20 minutes,” Saini told Reuters.

In recent months researchers and journalists who have identified loopholes in the identity project have said they have been slapped with criminal cases or harassed by government agencies because of their work.

Aadhaar, a biometric identification card with over 1.1 billion users, is the world’s biggest database.

But it has been facing increased scrutiny over privacy concerns following several instances of breaches and misuse.

Last Thursday, the CEO of the UIDAI said the biometric data attached to each Aadhaar was safe from hacking as the storage facility was not connected to the internet.

“Each Aadhaar biometric is encrypted by a 2048-key combination and to decode it, the best and fastest computer of our era will take the age of the universe just to hack into one card’s biometric details,” Ajay Bhushan Pandey said.

Reporting by Malini Menon; Writing by Malini Menon and Krishna N. Das; Editing by Andrew Bolton

Tanium CEO’s Refreshingly Honest Take on the State of Internet Security
October 22, 2017 12:00 am

This is your Cyber Saturday edition of Fortune’s tech newsletter for October 7, 2017.

On Tuesday, the wood-smoke air of California’s wildfires descended on the Bay Area as cybersecurity professionals gathered at the Palace Hotel for an industry event.

I spent the morning interviewing Orion Hindawi, CEO of Tanium, the world’s highest privately valued cyber startup (worth $3.75 billion at last appraisal in May), for a fireside chat at his company’s second annual conference, Converge 2017. Hindawi has a no-nonsense approach to business—a suffer-no-fools attitude that landed him in the sights of a couple of unflattering stories about his management style earlier this year. (He later apologized for being “hard-edged.”)

On stage the chief exec delivered his peculiarly unvarnished view of the state of Internet security. “The idea that we’re going to give you a black box and it auto-magically fixes everything, that’s a lie,” Hindawi told the audience. (One could almost hear a wince from part of the room seating his PR team.) “All I can tell you is we can give you better and better tooling every day. We can make it harder for the attackers to succeed. That’s the best I can offer.”

Hindawi is a realist through-and-through. His outlook is perhaps best summed up by his response to a question about whether he subscribes to a glass-half-full or glass-half-empty view of the cyber threatscape. His reply would become a running joke for the rest of the conference. He said simply, “It’s just a glass, dude.”

Other tidbits of wisdom from Hindawi: not all hackers are Russian spies (the majority are lowly criminals). Unsecured Internet of Things devices pose a risk to everyone. And sometimes cyber insurance is the way to go when old systems are all but impossible to patch; the decision boils down to managing “operational risk, like earthquakes,” he said.

Hacking is not a dark miasma that penetrates all things, although it can sometimes feel that way. Companies, like Tanium, that are building the tools to swing the balance back in defenders’ favor without over-promising provide hope. Enjoy the weekend; I will be heading north of San Francisco, visiting friends who, luckily, were unharmed by the area’s recent conflagrations.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Always use (advanced) protection. Google debuted an opt-in mode for high-risk users who wish to lock down their accounts on services such as Gmail, Google Drive, and YouTube with extra security. (Paging John Podesta.) The feature requires people to log in using a special USB key (or Bluetooth dongle for mobile devices), it prevents third-party applications from accessing your Google data, and it adds beefed-up malware scanning of incoming documents. This author plans to sign up.

Gather ’round the good stuff. Pizza Hut warned customers that their personal information and payment card data may be at risk after hackers gained access to the company’s website and app for a 28-hour period starting on Oct. 1. An estimated 60,000 customers are thought to have been impacted. The company is offering victims free credit monitoring for a year.

Unicorn? More like Duo-corn. Duo Security, a Mich.-based cybersecurity startup whose tools help companies manage people’s digital identities, said it raised $70 million at a $1.17 billion valuation (including the capital raised) this week. The round catapults the firm into “unicorn” territory, the swelling ranks of private firms occupied by young guns valued at $1 billion or more. Alex Stamos, Facebook’s security chief, recently praised Duo as the maker of his favorite cybersecurity product.

KRACKing Wi-Fi. A couple of Belgian researchers published a paper containing proof of concept code that exploits vulnerabilities in the way cryptographic keys are exchanged over Wi-Fi, allowing hackers to steal people’s data. Big tech companies like Microsoft issued a patch for the so-called KRACK bug on Oct. 10, Apple is in the middle of testing patches for iOS and macOS, and Google, whose Android 6.0 devices are the most vulnerable, said it would release a patch in early Nov.

Cyber insurers are going to get Mercked. Cyber insurers might be on the hook to cough up $275 million to cover damage to drugmaker Merck as a result of a June cyber attack, dubbed “NotPetya,” according to one firm’s forecast. The companies at issue have not yet disclosed figures themselves.

Surprise! It is depressingly easy for penetration testers to break into places where they are not supposed to be.


ACCESS GRANTED

Boycotts are hardly an option: To opt out of a credit score is to opt out of modern financial life itself. As Equifax’s now former CEO Richard Smith testified in October, if consumers were allowed to abandon the credit system, it would be “devastating to the economy.” The better answer is systemic reform to the credit oligopoly.

—Fortune’s Jeff John Roberts and Jen Wieczner explain what practical recourse consumers and regulators have when it comes to dealing with the major credit bureaus in the wake of a massive data breach at Equifax.

ONE MORE THING

The adventures of John Titor. Namesake of a bygone Internet hoax, “John Titor” claimed to be a man sent from the future to retrieve a portable computer. Titor sent faxes to an eccentric radio program, Coast to Coast AM, that specialized in the paranormal. Here’s an oral history of that running joke; the pseudo-scientific explanations of time travel are delightful.

Security News This Week: Hoo-Boy, Mar-a-Lago’s Internet Is Insecure
August 10, 2017 9:45 am

Each weekend we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. The post Security News This Week: Hoo-Boy, Mar-a-Lago’s Internet Is Insecure appeared first on WIRED.