Security & Privacy Weekly News Roundup, Vol. 1, Issue 8

Security & Privacy Weekly News Roundup, Vol. 1, Issue 8

Open or shut? The balance between security and privacy has been a dominant theme at RSA 2015, with a lot of discussion about the government’s desire for a “back door” to access data and cryptographers’ efforts to preserve privacy Massachusetts Institute of Technology professor Ron Rivest argued that if the U.S. government gets a key to private data, other governments would demand the same access. Source: SC Magazine

Commonwealth shares: Virginia is the first state to set up a cyber attack threat intelligence-sharing organization, the Information Sharing and Analysis Organization (ISAO). At the RSA conference in San Francisco, Virginia Secretary of Technology Karen Jackson said: “With Gov. (Terry) McAuliffe’s leadership of both the National Governors Association, Homeland Security and Public Safety Committee, and the NGA Resource Center for State Cybersecurity, it just makes sense for Virginia to leverage our … information-sharing efforts.” Source: Dark Reading

Charges to charge it: Retailers that accept credit and debit cards could face claims from financial institutions seeking to recover losses associated with issuing replacement cards following a data breach. Card issuers can allege negligence, breach of data-protection statutes and noncompliance with payment card industry security standards. Organizations that could face claims from brands such as MasterCard, Visa and Discover are looking at cyber insurance policies with coverage of issues that an organization confronts after a data breach. Source: JDSupra

Whistling in the dark? Nope: The government’s online systems to collect complaints about federal waste, fraud or corruption may promise confidentiality, but for years have sent names, addresses and phone numbers of whistle-blowers across the Internet in a way that could be intercepted by hackers. Twenty-nine sites, set up by inspectors general required by law to protect whistle-blowers’ identities, do not use encryption technology that has become a standard across much of the Internet, according to a review by the ACLU. Source: The Washington Post

They know how to hide: While high-profile attacks like the Sony hack draw attention, the rising cyber threat to U.S. business often is underestimated. Cyber attacks on large companies are up by roughly 40 percent, according to a Symantec study, and other surveys suggest most corporations don’t know when they’ve been hacked. Breaches can go undetected for months. “In 70 percent of the cases, the breach is not detected by the victim,” the FBI’s Leo Taddeo says. The FBI is building up its cyber forensics department, including a national Computer Analysis Response Team, CART. Source: MSNBC

A few good digit heads: The U.S. Marine Corps is drafting a doctrine to help commanders build cyber operations into battle plans. Cyber tools would be managed by commanders just like any other fighting tool. Col. Gregory Breazile, commander of the Marines’ cyber and electronic warfare integration division, said his service is adjusting the professional military education courses it offers to its senior leaders so they consider cyber as a domain they need to assume responsibility for, on par with air, ground and sea. Source: Federal News Radio

New in the toolbox: Security start-up Tanium’s software creates an IT central nervous system that can quickly scan and report back on suspicious behavior or programs. The method of controlling the security of thousands of devices at once is in use by Visa, Amazon, Best Buy, the Department of Defense and Nasdaq. The company employs a peer-to-peer system, with each computer on a network talking to the computer next to it, relaying information along a chain before sending it back to a single server quickly. Source: Forbes

Ice, ice, maybe: “Freeze It,” a security feature from Discover, lets cardholders deactivate cards temporarily. Users who misplace a card or leave it at a retail store or restaurant, have the security of knowing unauthorized charges won’t be made, but they don’t have to go to the trouble of canceling a card and getting it replaced. The cardholder can freeze the account with a mobile app, via the Web or by calling a toll-free number. Automatic charges to the card will continue as scheduled. Source: NBC News

An invitation to steal: With identity theft on the rise, Medicare soon will halt the use of Social Security numbers on Medicare cards. More than 4,500 people a day sign up for Medicare, and 18 million more are expected to qualify in the next 10 years. Medicare officials have up to four years to start issuing cards with new randomly generated identification numbers. Source: The New York Times

Talking in code: Google is moving its ad-serving and ad-buying platforms to HTTPS and plans to serve most of its ads over encrypted links by the end of June. The tech giant plans a similar change for advertisers buying ads through Google. Advertisers who use platforms such as AdWords will be able to serve encrypted display ads to all Google properties that are HTTPS-enabled, such as Gmail. The company wants to encrypt as much content and services as possible. Source: ThreatPost

Patchwork: More than a dozen WordPress plugins have been patched to seal vulnerabilities allowing hackers to insert potentially dangerous commands into browsers. The cross-site scripting (XSS) vulnerabilities let hackers create special URLs that inject client-side code into Web pages. Exploits can steal authentication cookies, which give users access to private accounts without having to enter a password. XSS attacks also can change the content inside a vulnerable Web page. Source: ArsTechnica

And stay out! A Ponemon Institute survey of encryption in businesses finds that more firms have a comprehensive strategy, with retail and health care companies citing the biggest gains. After significant breaches in 2014, organizations have increasingly adopted encryption strategies, with 64 percent having an encryption strategy that is either consistently applied across all data or that secures different data types in different ways. More than a third of companies had extensively deployed encryption technologies, the report said. Source: eWeek

This article originally appeared on