Why LivingSocial’s 50-million password breach is graver than you may think | Ars Technica: " . . . SHA1, the algorithm used by LivingSocial, is an extremely poor choice for secure password storage. Like MD5 and even the newly adopted SHA3 algorithms, it's designed to operate quickly and with a minimal amount of computing resources. A far better choice would have been bcrypt, scrypt, or PBKDF2. In another understatement, O'Shaughnessy added: "We also encourage you, for your own personal data security, to consider changing password(s) on any other sites on which you use the same or similar password(s)." It's unfortunate company officials weren't more insistent on this point. Based on everything we know about modern password cracking, it will be trivial for the attackers to crack a large percentage of the LivingSocial passwords. Since the breach also exposed customer names and e-mail addresses, attackers can then try those passwords on other accounts held by the victims and easily access those that match. (The Washington, DC-based LivingSocial, which is partly owned by Amazon, is requiring all account holders to change their passwords.) . . ."
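The Ars point is that a fast hash lets an attacker test guesses at essentially memory speed, and that without a per-user salt one dictionary pass covers every account in the dump. The script below is an added illustration for this digest entry, not code from Ars Technica or LivingSocial: the "leaked" SHA-1 table, the wordlist and the iteration count are constructed for the demonstration, and the PBKDF2-HMAC-SHA256 storage format is one reasonable layout, not any site's actual scheme. It uses only the Python standard library.

```python
"""Unsalted SHA-1 versus salted PBKDF2 for stored passwords.

Added example for this digest entry; the hash table and wordlist are
constructed, and PBKDF2_ITERATIONS is an assumed value you would tune
by measuring your own login servers.
"""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a leaked table of unsalted SHA-1 hex digests,
# the way a site hashing with bare SHA-1 and no salt would store them.
LEAKED_SHA1 = {
    "alice@example.com": hashlib.sha1(b"password1").hexdigest(),
    "bob@example.com": hashlib.sha1(b"letmein").hexdigest(),
    "carol@example.com": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}

# Constructed miniature wordlist. Real cracking runs use hundreds of
# millions of entries plus mangling rules, which is why "a large
# percentage" of an unsalted SHA-1 dump falls within hours.
WORDLIST = [b"123456", b"password", b"password1", b"letmein", b"qwerty"]

PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware
SALT_BYTES = 16


def crack_sha1_dump(dump, wordlist):
    """Offline dictionary attack against unsalted SHA-1 hashes.

    Each candidate word is hashed once and compared against every user,
    because without a per-user salt identical passwords share a digest.
    Returns {user: recovered_password} for the accounts that matched.
    """
    table = {hashlib.sha1(word).hexdigest(): word for word in wordlist}
    return {user: table[digest] for user, digest in dump.items() if digest in table}


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; the record carries everything needed to verify."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), derived.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, derived_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: %s" % algo)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived, bytes.fromhex(derived_hex))


def cost_ratio(iterations=PBKDF2_ITERATIONS, trials=200):
    """Rough wall-clock cost of one PBKDF2 guess relative to one SHA-1 guess.

    The ratio, not the absolute numbers, is the point: every guess the
    attacker makes is slowed by the same factor the defender chose.
    """
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.sha1(b"password1").digest()
    sha1_seconds = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"password1", b"\x00" * SALT_BYTES, iterations)
    pbkdf2_seconds = time.perf_counter() - start
    return pbkdf2_seconds / sha1_seconds


if __name__ == "__main__":
    print("cracked from the SHA-1 dump:", crack_sha1_dump(LEAKED_SHA1, WORDLIST))
    record = hash_password("hunter2")
    print("stored record:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
    print("PBKDF2 guess costs ~%.0fx a SHA-1 guess" % cost_ratio())
```

Two accounts in the constructed dump fall to a five-word list; the third survives only because its password is not on the list, not because SHA-1 protected it. With PBKDF2 the same dictionary attack has to pay the full iteration count for every guess and for every user separately, since the salt differs per record. The `cost_ratio` number is for intuition only and will vary by machine; bcrypt or scrypt, which Ars also names, are the other standard choices and are equally suitable.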
Top Five Small Business Internet Security Threats | Small Business Trends: "In order to begin development of a cyber security plan, you must understand the Internet threats and how protecting your business from those threats directly affects your bottom-line. As a result, the National Cyber Security Alliance, whose partners include the Department of Homeland Security, the Federal Bureau of Investigations, Small Business Administration, National Institute for Standards and Technology, Symantec, Microsoft, CA, McAfee, AOL and RSA, developed top 5 threats your small business may face on the Internet, business cases on how those threats can hurt you and practical measures you can take to avoid these threats. Here is a summary of the top five threats . . . " (read more at link above)
Right to erasure protects people's freedom to forget the past, says expert | Technology | guardian.co.uk: "Mayer-Schönberger, who advises companies, governments and international organisations on the societal effects of the use of data, advocates an "expiration date" (a little like a supermarket use-by date) for all data so that it can be deleted once it has been used for its primary purpose. "Otherwise companies and governments will hold on to it for ever." He cites surveys showing that people increasingly approve of the right to be forgotten. A survey by the University of Berkeley two years ago, he said, "clearly shows that people want the right to be forgotten to be legislated by US congress." He said the survey found 90% of the 60+ generation want this."
Hackers Point Large Botnet At WordPress Sites To Steal Admin Passwords: "If you’re running a WordPress site, now would be a good time to ensure you are using very strong passwords and to make sure your username is not “admin.” According to reports from HostGator and CloudFlare, there is currently a significant attack being launched at WordPress blogs across the Internet. For the most part, this is a brute-force dictionary-based attack that aims to find the password for the ‘admin’ account that every WordPress site sets up by default."
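Beyond choosing a strong password and dropping the default "admin" user, a site operator wants to know when this attack reaches their own server. The script below is an added example for this digest entry, not code from HostGator, CloudFlare or the WordPress project: it runs over constructed Apache combined-format access log lines and flags any client that sends repeated failed login POSTs in a short window. It relies on the WordPress convention that a failed login re-renders `wp-login.php` with HTTP 200 while a successful login answers with a 302 redirect; the threshold and window values are assumptions to tune for your traffic.

```python
"""Flag brute-force login attempts against wp-login.php in access logs.

Added example; the SAMPLE_LOG lines below are constructed, with
RFC 5737 documentation addresses standing in for real clients.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 203.0.113.5 hammers the login form; 198.51.100.7 fails
# once then succeeds (302); 192.0.2.9 fails slowly, minutes apart.
SAMPLE_LOG = [
    '192.0.2.9 - - [12/Apr/2013:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Apr/2013:10:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Apr/2013:10:14:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:10:15:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:10:15:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Apr/2013:10:15:27 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2013:10:15:55 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2013:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2013:10:16:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Apr/2013:10:16:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Apr/2013:10:18:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields this detector needs, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def failed_logins(lines):
    """Yield parsed records for failed login attempts (POST to wp-login.php, 200)."""
    for line in lines:
        rec = parse_line(line)
        if (
            rec
            and rec["method"] == "POST"
            and rec["path"].split("?")[0] == "/wp-login.php"
            and rec["status"] == 200
        ):
            yield rec


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Map each offending IP to the time it first reached `threshold` failures
    inside any `window_seconds`-wide sliding window."""
    recent = defaultdict(deque)
    flagged = {}
    for rec in sorted(failed_logins(lines), key=lambda r: r["ts"]):
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print("brute-force suspected from %s, threshold reached at %s" % (ip, when.isoformat()))
```

Only 203.0.113.5 trips the default threshold; the slow client would need a wider window and lower threshold to be caught, and a distributed botnet of the kind the article describes spreads attempts across many source addresses precisely so that per-IP counting like this stays quiet. For that case, count failures per target account or per site regardless of client, and pair detection with the preventive step the article gives: no "admin" user and a password that a dictionary run will not find.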
Google Says No To FBI's National Security Letter, At Least This Time: "Bloomberg News reports Google has filed a petition against a government request for information after receiving a “National Security Letter.”
The details of the requested information are currently not disclosed, as you would imagine. Bloomberg says it is rare for a company to fight back after receiving such a request from a government agency. Reportedly the push back from Google comes three weeks after a San Francisco federal judge ruled that National Security Letters, which are issued without a warrant, are unconstitutional. . . ."
U.S. law to restrict government purchases of Chinese IT equipment | Reuters: " . . . A provision in the 240-page spending law requires the agencies to make a formal assessment of "cyber-espionage or sabotage" risk in consultation with law enforcement authorities when considering buying information technology systems. The assessment must include "any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized" by China. The United States imports about $129 billion worth of "advanced technology products" from China, according to a May 2012 report by the nonpartisan Congressional Research Service. . . ."
A Different Approach To Foiling Hackers? Let Them In, Then Lie To Them. - Forbes: "Bejtlich does say that some of the best defensive teams he’s seen–usually companies that have dozens of staff devoted exclusively to network defense, such as military contractors–have the capabilities to quarantine attackers and feed them false information. But most companies should stick to the basics of defense rather than risk aggravating a breach. “The only time this works is when you have very high control of what the intruders are doing,” says Bejtlich. “You have to have your ‘A game’ down before you try trick plays.”" (read more at link above)
Government itself is not secure--why should it dictate to others?
Telecom firms dig in their heels over cybersecurity reform | ZDNet: " . . . The U.S. government recently declared cybercrime more of a threat than terrorism, but implementing ways to combat the problem may not be so easy. According to Reuters, both Internet service providers and a number of large telecommunications firms have convinced the Obama Administration that making security measures compulsory is not the correct step to take. In a report released Monday (.pdf) by the FCC on cybersecurity, 20 "controls" are documented with the protection of telecommunications in mind for both businesses and consumers. However, representatives on the advisory panel — from firms and bodies including AT&T, Sprint, Verizon and Comcast — argued against an FCC recommendation that telecom companies should be made to abide by these security protocols. . . . " (read more at link above)
New BlackBerry OS likely less secure than iOS or Android--
BlackBerry 10 suffers security approval setback by UK gov't | ZDNet: "Summary: UPDATED: Despite a strong hold of the worldwide public sector market, the UK government doesn't believe the latest BlackBerry 10 software is safe enough for secure communications. For now, the only modern day smartphone capable of government use in the UK is the iPhone. The UK government may have deemed BlackBerry 10 not as secure as previous iterations of the smartphone platform. It comes at a time when the Canadian smartphone maker is attempting to claw back vital market share in order to compete with rival smartphone makers, while at the same time aggressively targeting the enterprise and government market with its BlackBerry branding. . . . " (read more at link above)
South Korea suffered a full cyber attack--most likely perpetrated by North Korea:
Your hard drive will self-destruct at 2pm: Inside the South Korean cyberattack | Ars Technica: " . . . As we reported earlier, at about 2pm Seoul time, the networks of three broadcasters and three banks were affected by an attack that disrupted their networks, possibly caused by malware. But while malware was initially blamed for the outage, the malware that's been discovered thus far could not have taken networks down by itself. There was a lot more going on than just a malware attack; the convergence of multiple types of attacks suggests a coordinated effort by an organized attacker. The latest update from South Korean officials is that the attack emanated from a Chinese IP address. But the identity of the attackers is still unclear. . . " (read more at link above)