Monday, August 13, 2012

Hack of Tech Journalist Reveals Flaws in Cloud Security

Story first reported from USA Today

SEATTLE – The security community is on alert for hackers who might try to emulate the simple trickery used to breach a prominent technology journalist's Amazon, Apple, Google and Twitter accounts. That hacking caper has rekindled concerns about whether Apple's iCloud, Google Apps, Amazon's Cloud Drive, Microsoft's Windows Live and other Internet-delivered services do enough to authenticate users, security analysts say.

"People are being urged to trust their data to the Internet cloud, but then you find that the operational security is alarmingly lax," says Stephen Cobb, security analyst at anti-virus firm ESET.

Hackers devastated Wired reporter Mat Honan's digital life. In doing so, they highlighted how Web companies have been slow to embrace more robust systems for ensuring that users who log into online accounts are who they say.

Merchants, banks, media companies and social networks require varying amounts of information to open and access online accounts. Many ask for only a few bits of information to make changes, such as resetting a password. That makes it easy for hackers to abuse the prevailing systems, which rely on asking users to answer questions.

Many banks and Google Gmail offer an optional service that sends to your cellphone a single-use PIN code that you must enter at their websites, along with your username and password, before you can complete certain transactions.

Such multifactor authentication systems are considered more difficult for the bad guys to subvert but less convenient for account holders to use. Yet the need for wider deployment of stronger systems is intensifying, argues Todd Feinman, CEO of database security firm Identity Finder.

Honan detailed how hackers tricked an Amazon rep over the phone into revealing the last four digits of his credit card number. Next, they used that information to persuade an Apple rep to reset his Apple ID password, which enabled them to wipe clean Honan's iPhone, iPad and MacBook, destroying all of his files, including irreplaceable photos of his daughter. Apple has suspended its phone password-reset service and launched a security review, says spokeswoman Natalie Kerris. Amazon did not respond to interview requests.

Web firms are unlikely to switch to one-time PIN systems anytime soon. "Many … are expensive and difficult to manage," says Chris Brennan, CEO of security firm NetAuthority. "And companies are concerned they could frustrate the user."

Meanwhile, consumer awareness remains low, says Gregg Martin, FishNet Security's director of mobile security. Consumers will have to demand stronger authentication systems and be prepared to accept "a slight level of inconvenience," Martin says.

ESET's Cobb argues that Web companies should take the initiative. "Improving security is 100% the responsibility of the cloud service providers because they are the ones trying to sign people up to the cloud model."

Tuesday, May 8, 2012

Cybersecurity Touchy Subject for US & China

Story first appeared on Politico.com.

Asserting that cyberattacks against the U.S. don't come only from China, the U.S. and Chinese defense ministers said they agreed Monday to work together on cyber issues to avoid miscalculations that could lead to future crises.

The Defense Secretary said that since China and the United States have advanced cyber capabilities, it is important to develop better cooperation.

There are other countries, actors, others involved in some of the attacks that both of the countries receive. But because the United States and China have developed technological capabilities in this arena it's extremely important that they work together to develop ways to avoid any miscalculation or misconception that could lead to crisis in this area.

China's minister of national defense offered a vigorous defense of his country, saying through an interpreter that all of the cyber attacks targeting the United States do not come from China.

Just six months ago, however, senior U.S. intelligence officials for the first time publicly accused China of systematically stealing American high-tech data for its own national economic gain.

It was the most forceful and detailed airing of U.S. allegations against Beijing after years of private complaints, and it signaled the opening salvo of a broad diplomatic push to combat cyberattacks that originate in China.

Cybersecurity was just one of the many issues discussed by the two leaders during their meeting, but it is also one of a number of contentious topics that rattle the often rocky relationship between the two nations.

The U.S. needs to start laying the groundwork for better understanding by the Chinese of what is expected from them in cyberspace, as well as putting better security solutions in place among their own technology.

As an example, American officials want to know whom to talk to when Chinese hackers breach U.S. computer networks. And if there is a cyber incident in China, the U.S. needs the Chinese to feel confident that they can call up and ask, 'was it you?', and get a straight answer.

Chinese officials have routinely denied the cyberspying, insisting that their own country also is a victim of such attacks. And they note that the hacking is anonymous and often difficult to track.

U.S. cybersecurity experts acknowledge that attribution can be difficult, and that while they can trace an attack to China, it is often difficult to track directly to the Chinese government. Last December's report by U.S. intelligence agencies said America must openly confront China and Russia in a broad diplomatic push to combat cyberattacks that are on the rise and represent a persistent threat to U.S. economic security.

And, separately, several cybersecurity analysts have concluded that as few as 12 different Chinese groups, largely backed or directed by the government there, commit the bulk of the cyberattacks that aim to steal critical data from U.S. companies and government agencies. Officials estimate that the stealthy attacks have stolen billions of dollars in intellectual property and data.

Because people and businesses in both China and America have been victims of cyberattacks, officials have been talking more about building a better relationship so that they can work together.

Law enforcement is one area of cybersecurity where the two nations have begun to build partnerships, but so far it has been extremely limited. Lewis said that in 2011, U.S. authorities requested assistance from the Chinese 11 times, and in seven of the cases received no information. But he said the Chinese cooperated with U.S. law enforcement in a high-profile financial fraud case late last year.

Wednesday, April 18, 2012

Former FBI Agent Joins IT Startup

Story first appeared in The Wall Street Journal.

The FBI’s former top cyber cop is joining an upstart computer security firm that aims to guard firms targeted by foreign intelligence services.

The cyber cop, who garnered attention last month when he said the U.S. is not winning the battle against hackers, has joined CrowdStrike, Inc., to lead a unit that will provide instant response for hacking incidents, and identify those trying to compromise computer systems.

The formation of Irvine, Calif.-based CrowdStrike was announced earlier this year by the CEO, a former McAfee executive.

A start-up is an unusual choice for someone coming from a senior FBI position. His last three predecessors all took security jobs with Fortune 500 firms.

The former cyber cop states that he wants to stay in the fight against hackers, but in the private sector, which he has long argued does not do enough to protect sensitive corporate data and intellectual property from cyber intruders.

Ideally, CrowdStrike will service all types of corporations, both private sector and government sector, and any entities with wide-ranging networks. The company will focus on security solutions within a network to curb computer hacking.

He will be president of CrowdStrike Services, one of three divisions of the new company. In a statement, the CEO said he and the cyber cop share a belief that industry can’t rely on the government alone to address the problem of targeted intrusions.

The other two parts of the company are an Intelligence team, and a Technology office.
