Latest Gadget News, Technology News, Mobile News, Computer News, Laptop News, Mobile Banking The most important technology news, developments and trends with insightful analysis and commentary. Mobile Banking, Mobile Commerce, Ipad Ipod Mobile Laptop Computer Accessories News.
Thursday, 19 December 2013
How to Build U.S.-China Cyber-Trust
Presidents Obama and Xi discuss easing tensions over hacking.
A 2010 survey of IT security experts stunned many by naming the United States, not China, as the most feared nation in cyberspace.
When the Center for Strategic and International Studies issued that survey, the "most feared nation" view of the U.S. may have been fueled by media coverage of America's preparation for cyber-warfare, said Stewart Baker, who oversaw the survey. "I'm not sure that's entirely a realistic view of the landscape, but it is an accurate reflection of the opinions provided to us in the report," said Baker, the onetime Department of Homeland Security assistant secretary for policy (see Which Nation is Most Feared in Cyberspace?).
I don't think we'll ever completely solve the problem, but we can change the pace of the deterioration.
Today, with the insight of a Monday morning quarterback, we see that those fears may have been justified, given the steady flow of leaks from top-secret U.S. government documents pilfered by former National Security Agency contractor Edward Snowden.
Yet, even with the Snowden revelations, a strong argument could be made that China should be seen as the greater threat in cyberspace, based on reports earlier this year from the security firm Mandiant and the Defense Department about cyber-espionage China has conducted against businesses, the government and military (see Mandiant on Nation-State Threat and DoD Outlines China's Spying on U.S. IT).
But the question shouldn't be about which nation is the most feared in cyberspace, but rather what to do about it. The place to start is for the U.S. and China to build trust between themselves. Although attempts have been made - Presidents Obama and Xi Jinping of China addressed cybersecurity at a summit earlier this year (see Expectations Set Low on Obama-Xi Summit) - rhetoric emanating from both sides recently isn't encouraging.
"If meaningful action is not taken now, this behavior will undermine the economic relationship that benefits both our nations," National Security Adviser Susan Rice warned China last month about its hacking of U.S. companies to steal intellectual property and trade secrets.
And last month's report from the U.S.-China Economic and Security Review Commission called on Congress to stiffen federal laws that would allow the government and business to defend against cyber-espionage (see Shaming China to Stop Hacks Doesn't Work). "The Chinese government is directing and executing a large scale cyber-espionage campaign that poses a major threat to U.S. industry, critical infrastructure, military operations, personnel, equipment and readiness," commission member Larry Wortzel told the Voice of America, calling for U.S. lawmakers to respond to China's action.
Chinese Foreign Ministry spokesman Hong Lei accused the commission of having a "Cold War" mentality, saying the panel has been releasing reports "brimming with ideological prejudice" for years, according to the VOA.
Karl Rauscher, a distinguished fellow and chief technology officer of the global think tank EastWest Institute, says this distrust comes at a time when both nations are "incredibly, pervasively dependent" on one another. "There are accusations made from both sides about how one is taking advantage of the other and not behaving in a way that is trusted," he said in an interview with me. "I don't assume that any of the bad stuff that has been said is not true. It's probably all true. I think it could be a lot worse."
Posted by Elan Jabroot at 08:53
Labels: Build, CyberTrust, USChina
Why ATM Fraud Losses Will Surge
For months, experts have warned about upticks in global card fraud as U.S. banking institutions gear up for rollout of EMV chip cards. That's a key step toward the eventual worldwide elimination of the easy-to-compromise magnetic stripes on cards.
And it seems the predictions of a fraud surge have come true, as attackers focus more effort toward capitalizing on current magnetic-stripe vulnerabilities while they can.
More fraud will be pushed to the U.S. It's the fraudsters' last market, and the crime world's most profitable.
Skimming at ATMs was reported by 20 European countries in the third quarter, with attacks increasing from the previous quarter in eight of them, according to the European ATM Security Team, a not-for-profit group that collects security and fraud information about ATMs, networks and payment terminals.
Experts expect skimming schemes to increase worldwide over the next 18 to 24 months as the United States' migration toward enhanced payments technology that complies with the Europay, MasterCard, Visa standard for chip cards ramps up, moving the world a step closer to the elimination of magnetic stripes (see ATM Skimming Arrests: Sign of the Times?).
In the meantime, banking institutions should brace for more financial losses related to skimming and take steps now to shore up their cross-channel fraud detection strategies (see How to Fight Cross-Border ATM Fraud).
"The U.S. will continue to see skimming until the majority of ATMs and POS devices in this country are protected [by EMV]," says Jerry Silva, who oversees the global retail banking practice at the advisory firm International Data Corp.
Julie Conroy, a fraud expert and analyst for the consultancy Aite, tells me that the strikes against U.S. banks will be the most damaging in the next several months.
"When I did the research for my EMV report earlier this year, most of the large issuers I spoke with told me that they are seeing 30 percent to 50 percent year-over-year increases in counterfeit [card] fraud, thanks to the fact that we are still mag-stripe dependent," she says.
In November, the European ATM Security Team noted that skimming attacks and fraud losses linked to skimmed card data continue to plague European banks. But some European banks are taking action to reduce their losses by blocking mag-stripe transactions - the only types of transactions that can be conducted at ATMs with counterfeited mag-stripe cards.
Why? Because fraudulent withdrawals linked to skimmed card data have continued to adversely impact European cardholders, even in markets where EMV technology is now the standard. Attackers have continued to drain those accounts by using counterfeit cards at ATMs in non-EMV compliant countries, such as the U.S.
Card transactions that conform to EMV rely on a micro-processing chip, not a mag-stripe. Data saved to that chip cannot be skimmed.
Until worldwide conformance with the EMV standard for chip cards is complete, card readers on ATMs and POS devices have to continue to accept mag-stripe transactions, and EMV cards also have to retain mag-stripes. And any card with a mag-stripe runs the risk of having data skimmed.
Lingering mag-stripe technology is why European card data can still be skimmed and copied, and it's becoming an increasingly touchy subject for European banks. It's also why more and more banks in European nations are fully blocking mag-stripe transactions.
Posted by Elan Jabroot at 04:28
Labels: Fraud, Losses, Surge
Wednesday, 18 December 2013
Securing Your Web Site: The Wild Goose Chase
By Motty Alon, December 9, 2013.
The revised Payment Card Industry Data Security Standard (PCI-DSS) that was released recently did not provide any ground-breaking news regarding the requirement for the protection of publicly-facing web applications against vulnerabilities and web-application attacks. Theoretically, merchants that are bound to PCI-DSS compliance still have two options: either use an automated technical solution (this is the new term the PCI Security Standards Council gives to Web Application Firewalls) to protect the merchant's publicly facing Web applications; or alternatively, review all of their public-facing web applications with vulnerability security assessment tools and ensure that there are no known vulnerabilities.
Here lies the difference between theory and reality. PCI requires merchants to review their web applications after each change (or at least once annually). This turns the vulnerability assessment and fixing process into an impractical solution.
To better understand this, let's refer to the 2013 WhiteHat Web Site Security Statistics Report. In that survey, 91 percent of e-retail sites that were analyzed had at least one serious vulnerability. On average, e-retail web sites had 106 serious vulnerabilities per year. The most interesting data point from this report is that it took 224 days to fix these vulnerabilities.
This has several implications. If it takes 224 days to fix these vulnerabilities, this means that for almost two-thirds of the year the site is vulnerable to attacks and is not compliant with PCI-DSS requirements. More importantly, reading further in WhiteHat's report, we find out that 60 percent of the e-retailers change their applications once a month, and 40 percent of e-retailers update their sites once a week or more. This means that it takes more than seven months to fix the vulnerabilities while the applications keep changing, which in turn can potentially create new vulnerabilities on a daily, weekly or monthly basis.
Don't get me wrong. I'm all for secure development of web sites and applications. I feel web sites should be scanned for vulnerabilities and, once found, they should be fixed. However, this can be a little complicated. If you are part of the security group on the retailer's side, you are not always aware of changes the application team is making. Even if you are aware, the code is sometimes written by a third party, or it is legacy code that no one knows how to change anymore.
The bottom line: Building your website security infrastructure on vulnerability scanning and fixing is not practical.
Making your PCI-DSS compliance rely on scanning and fixing may cause your company not to pass PCI-DSS audits and not to comply with the regulation. Complying with PCI-DSS requirements for secure Web applications (requirement 6.6) and securing your Web application only has one practical solution: a Web Application Firewall (or, to follow the new term used by the PCI Security Council, an "automated technical solution").
All WAF solutions offer web protection at the application level, most of them comply with the Open Web Application Security Project (OWASP) Top Ten Threats, and they all offer a combination of positive and negative security models. On the other hand, WAF solutions are known to consume lots of application management resources (that's you and your workers). This is where the difference between a practical WAF solution and a not-so-practical one lies.
One of the key selection criteria for your next WAF solution should be the ability to automatically adapt the solution's protection policies without human intervention and with as few false positives and false negatives as possible. With so many rapid changes, the automatic ability to adapt the WAF policies is the only way to ensure that your site is protected even as it evolves and changes, without investing too many resources in keeping its security mechanisms up to date. It allows alignment of the Web application life cycle development process with the protection process. It ensures that the Web application security is applied in a timely manner and enables protection while applying new changes.
Posted by Elan Jabroot at 23:50
Labels: Chase, Goose, Securing