Posts Tagged ‘Data’

5 ways to protect yourself from data breaches

September 22nd, 2014

Data breaches at retailers aren’t going away, but there are ways consumers can protect themselves from future heists of their payment card information.

Home Depot in the US said on Thursday that malicious software lurking in its check-out terminals between April and September affected 56 million debit and credit cards that customers swiped at its stores. Target, Michaels and Neiman Marcus have also been attacked by hackers in the past year.

More breaches are likely. The US Department of Homeland Security warned last month that more than 1,000 retailers could have malware in their cash-register computers.

Here are five ways to protect yourself:

1. Consider another way to pay

Try newer ways to pay, such as PayPal or Apple Pay.

“Any technology that avoids you having your credit card in your hand in a store is safer,” says Craig Young, security researcher for software maker Tripwire.

Those services store your credit card information and it’s not given to the retailer when you make a payment. Many big retailers, including Home Depot, accept PayPal at their stores, but many others don’t. Apple Pay, which was only introduced this month, has even more limitations: It is available in just a small number of stores so far and only people with an iPhone 6 can use it.

Stored-value cards or apps, such as the ones used at coffee chains Starbucks and Dunkin Donuts, are also a safer bet, says Gartner security analyst Avivah Litan. That’s because they don’t expose credit card information at the register.

2. Sign it, don’t pin it

If you’re planning on paying with a debit card, sign for your purchase instead of typing in your personal identification number at the cash register. You can do this by asking the cashier to process the card as a credit card or select credit card on the display. Not entering your PIN into a keypad will help reduce the chances of a hacker stealing that number too, Young says.

Crooks can do more damage with your PIN, possibly printing a copy of the card and taking money out of an ATM, he says. During Target’s breach last year, the discount retailer said hackers gained access to customers’ PINs. Home Depot, however, said there was no indication that PINs were compromised in the breach at its stores.

3. Beware of email scammers

After big data breaches are exposed, and get a lot of media attention, scammers come out of the woodwork looking to steal personal information. Some emails may mention Home Depot or offer free credit monitoring, but you should never click on the links. Many are for fake sites that try to steal bank information or passwords. “Avoid these entirely,” Young says. If an email looks credible, go to Home Depot’s site directly instead of clicking on links.

4. Keep up with statements

Scan credit card statements every month for any unauthorised charges. And keep an eye out for smaller charges. Thieves will charge smaller amounts to test whether you notice and then charge a larger amount later, Litan says. They may also steal a small amount from millions of accounts, scoring a big payday, she says.

And check your credit report for any accounts that crooks may have opened in your name. Credit reports are available for free or for a reasonable charge if you want the information quickly. The following credit reporters operate in New Zealand – Veda Advantage, Dun and Bradstreet and Centrix. Home Depot in the United States is also offering free credit monitoring and identity protection services to customers. Customers can go to the company’s website for more information.

5. Go old school

Use cash. When possible, the safest bet is to not swipe a card at all. Even if security gets stronger at stores, hackers are likely to figure out a way around it. “It’s always a cat and mouse game,” Young says.


Israel’s SiSense sees surging demand for data analytics software

May 28th, 2014

Business intelligence software provider SiSense said it expects sales to triple in 2014, boosted by soaring demand from small- and medium-sized businesses seeking to analyze growing amounts of data.

Israel-based SiSense’s software helps companies understand their data, enabling non-technical staff to connect multiple data sources and prepare professional reports.

SiSense Chief Executive Amit Bendov said a number of trends are driving this $20 billion a year market. The volume of data is outgrowing the capabilities of existing software and companies are increasingly demanding that employees have facts and data from various sources at their fingertips during meetings and when making decisions.

“Our sales growth tripled three years in a row and will continue to triple this year,” Bendov said, adding that the firm’s sales are in the high single-digit millions of dollars.

“Our goal is to invest every dollar we make in growth. We’ll be profitable in 2015,” he told Reuters.

SiSense, which has offices in Tel Aviv and New York, plans to open an office in Silicon Valley by early next year, when it will also expand in Europe. About 70 percent of its sales are in the United States and clients range from small firms to individual departments at eBay, Carlsberg and ESPN.

Since the 1990s, several companies have been providing business intelligence technology, including IBM’s Cognos, SAP’s BusinessObjects and MicroStrategy, one of the few remaining independent providers.

In the mid-2000s, companies such as Qlik Technologies and Tableau Software – which went public last year – created products using in-memory technology that were simpler and faster to run, Bendov said.

The drawback was that a computer’s memory is limited in the amount of data it can process. SiSense sought to address that limitation by processing data inside the chips themselves rather than relying on main memory alone.

The company, which raised $10 million last year from venture capital funds Battery Ventures, Genesis Partners and Opus Capital, says its goal is an initial public offering.

“If we continue this growth pace we’re seeing, we’ll be getting there pretty quickly,” Bendov said.


An eloquent argument for telco data retention

May 14th, 2014

Princeton academic puts forward model for greater accountability.

Princeton academic Edward Felten has urged the information security and wider technology community to engage with intelligence agencies and governments in a constructive way to drive better privacy outcomes, even if it requires active participation in intelligence activities.

Felten, the director of the Centre for Information Technology Policy at Princeton University, provided attendees at his keynote address at the AusCERT conference this morning with a five-step plan for restoring trust in computing in the wake of Edward Snowden’s exposé of the NSA’s online espionage activities.

The professor argued that NSA overreach – driven by the idea that the US and its allies are safer if it “collects as much info as legally and technically possible”, even if that means building exploits and backdoors into systems and standards – had created an environment of “pervasive insecurity”.

He agreed with fellow speaker Felix Lindner (head of Recurity Labs) that a drying up of public information about vulnerabilities, again in the name of ‘national security’, was a dangerous trend.

The current response from the information security community – to simply throw more kit at protecting its perimeter – was no longer effective.

Felten gave five key strategies to restoring trust in security:

Strategy #1 – Take trust seriously

Felten used HTTPS as an example of where ‘trust’ is mislaid on the internet. The cascading chain of certificates upon which browsers choose to place trust is based on the idea that “somebody made a list of 100 entities trusted by everyone in the world”.

“There is no entity, certainly not 100, that everyone in the world truly trusts,” Felten argued. “But that’s the basis on which this system is built.”

The number of forged SSL certificates Carnegie Mellon researchers found in the wild [pdf] proved the idea of trust in this model needs to be revised, he said.

The technology that underpins HTTPS – crypto – is effective, he said, but the system suffers from “horrible institution design”.

Strategy #2 – Force adversary to target

Felten argued that – assuming users consider the NSA or indeed Australia’s intelligence community to be “adversaries” – the IT security community needs to make it harder for these agencies to hoover up communications en masse.

“We need to exploit the scale problem an all-seeing adversary has,” he said.

He advocated the use of simple puzzle encryption when sending messages. This would encrypt a message such that it can only be unlocked by the recipient after solving a hash puzzle.

A deliberate recipient would only need to devote half a CPU second to solving the puzzle, but the more communications are secured in this way, the more computationally expensive it becomes for intelligence agencies to hoover up all communications, and thus the more attractive it becomes to restrict surveillance to legitimate targets.

“It’s not as good as end-to-end encryption of our messages, of course, but in many real world scenarios it is either impractical or we simply can’t encrypt communications in this way.”

Felten urged IT administrators not to make any promises to users when employing such simple techniques, but to simply offer them “as a matter of course, silently, as a defence against non-targeted surveillance”.
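One way such puzzle encryption can be built, as an added illustration rather than Felten’s own code or any concrete scheme from the keynote: the sender encrypts under a random seed, then publishes the seed with its low bits erased plus a hash commitment, so the recipient must brute-force those bits before decrypting. The names `PUZZLE_BITS`, `seal` and `solve_and_open` are assumptions, and the counter-mode keystream stands in for a proper AEAD.

```python
import hashlib
import secrets

# Assumed parameter (not from the keynote): how many bits of the 16-byte key
# seed the sender withholds. The recipient tries up to 2**PUZZLE_BITS seeds,
# so this knob sets the per-message CPU cost each reader pays and, summed over
# every message, the bill a bulk collector would face.
PUZZLE_BITS = 16


def derive_key(seed: bytes) -> bytes:
    """Message key derived from the full seed."""
    return hashlib.sha256(b"puzzle-key|" + seed).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative SHA-256 counter-mode keystream; use an AEAD in practice."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(plaintext: bytes, puzzle_bits: int = PUZZLE_BITS) -> dict:
    """Encrypt under a fresh seed, then publish the seed with its low bits
    zeroed and a hash commitment so the solver can recognise the right answer."""
    seed = secrets.token_bytes(16)
    seed_int = int.from_bytes(seed, "big")
    partial = (seed_int >> puzzle_bits) << puzzle_bits  # low bits withheld
    return {
        "partial_seed": partial.to_bytes(16, "big"),
        "commitment": hashlib.sha256(seed).digest(),
        "puzzle_bits": puzzle_bits,
        "ciphertext": keystream_xor(derive_key(seed), plaintext),
    }


def solve_and_open(envelope: dict) -> tuple[bytes, int]:
    """Brute-force the withheld bits, then decrypt. Returns (plaintext, hashes tried)."""
    partial = int.from_bytes(envelope["partial_seed"], "big")
    for guess in range(1 << envelope["puzzle_bits"]):
        candidate = (partial | guess).to_bytes(16, "big")
        if hashlib.sha256(candidate).digest() == envelope["commitment"]:
            return keystream_xor(derive_key(candidate), envelope["ciphertext"]), guess + 1
    raise ValueError("no seed matches the commitment: envelope corrupted or tampered")


if __name__ == "__main__":
    env = seal(b"constructed sample message")  # constructed input
    text, tried = solve_and_open(env)
    print(text, "recovered after", tried, "hash evaluations")
```

Raising `puzzle_bits` by one doubles the recipient’s worst-case work, which is the dial that turns a negligible per-message cost into a prohibitive bulk-collection cost.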

Strategy #3 – Improve agencies’ systems

Felten’s most controversial advice was for the industry to engage with governments and actively participate in intelligence gathering activities, in order for civil liberties and privacy to be better considered.

He advocated for a recommendation made by the US President’s Review of signals intelligence in the wake of the NSA scandal, endorsed in principle by President Obama’s response, that co-opts telecommunications companies into the intelligence community’s data retention programs.

“We recommend that legislation should be enacted that terminates the storage of bulk telephony metadata by the government under section 215, and transitions as soon as reasonably possible to a system in which such metadata is held instead either by private providers or by a private third party. Access to such data should be permitted only with a section 215 order from the Foreign Intelligence Surveillance Court that meets the requirements set forth in Recommendation 1.”

– Recommendation No. 5, ‘Liberty and Security in a Changing World’ [pdf]

While it is “certainly not the ideal solution”, Felten said there were pros to having telcos and hosts act as a network of data custodians, with that data available via a query interface to intelligence analysts under strict conditions.

“One of the advantages of retaining data in the telecom providers is that it offers better visibility to the public, who can better influence providers on how long they keep the data.”

From a computer science perspective, an intelligence system should be designed to optimise performance, cost and reliability, but Felten added a fourth optimisation currently missing in the intelligence community’s systems today – oversight.

The system should ideally avoid the replication and aggregation of data and be designed with accountability in mind, he said.

A distributed network of telcos would best meet these design principles, he said.

Opponents of telco data retention – including the other keynote speaker at AusCERT’s first day, Recurity Labs’ Lindner – argued that so long as data retention is a “cost centre” for telcos, it will be the least protected data they hold.

“If data retention becomes a cost centre, maybe [the telcos] will in the very least join the discussion as to whether these intelligence activities happen at all,” Felten retorted.

Strategy #4 – Changing the debate

Felten said the technology community needs to shift the debate – which today talks of a trade-off between security and privacy in the name of national security – to a discussion about accountability and transparency.

Technologies need to be developed to provide the same accountability in the online world that a simple warrant provides in the physical world, he said.

Felten’s students and Microsoft Research have both been working on ways to implement court-ordered access to an individual’s information in a secure way.

“You want to make sure that information is released only if there is a valid warrant or court order and yet at the same time there is the need to keep that court order secret so the targets are not tipped off,” Felten told SC in the lead-up to his keynote.

“We have researched how to use cryptography to get all of the desired properties so that there is no access to information without a valid court order, and yet the court order is cryptographically sealed so that the target cannot see it.”

By using encryption in this way, he said, computer science can be used to combine goals that would otherwise be impossible to achieve at the same time.

The Microsoft Research model argues that telecommunication providers should encrypt every customer or transaction record with a random key, and send the encrypted database to the intelligence community.

It is only when a court issues a request for specific data that the parties engage in a secure multi-party computation, under which the system verifies that the warrant matches the account ID the intelligence agency is asking for, and provides the agency a decryption key for that account ID only.

Felten’s team is looking to improve on this model in the name of accountability, narrowing the range of communication and suggesting more robust encryption that would be harder for intelligence agencies to break if an agent can’t get a warrant.

Strategy #5 – More public engagement

Felten said these ideas need to be taken to governments – even if that means IT security staff “donning their suits” and travelling to the capital to meet with lawmakers, agencies and regulators to build political support for more accountability.

“That opportunity is starting to open,” he said.

He was buoyed by US director of national intelligence James Clapper’s reflection that offering more transparency about the NSA’s programs from the beginning would have reduced the impact of the Snowden leaks.

“This is the window opening for us as security professionals and citizens to help governments recognise the public interest we are advocating for.”
