Links to News from the Media, Cipher Issue E125, March 2015




Why Health Insurers Are Frequent Targets


  • China suspected in major hacking of health insurer
    The Washington Post
    Drew Harwell and Ellen Nakashima
    Feb 5, 2015

    Health insurance company Anthem said it had been the victim of 'a very sophisticated attack'. There is a potential for hackers to steal private health data that is valued on the black market as tools for extortion, fraud or identity theft. Anthem said this attack did not reveal health data, but it did compromise identifying information for members and employees. Chinese hackers are suspected, perhaps because of the level of expertise shown in the attack.

    Related story:

  • Massive data hack of health insurer Anthem potentially exposes millions
    The Washington Post
    Fred Barbash and Abby Phillip
    Feb 5, 2015
    Related story:
  • Data Breach at Anthem May Lead to Others
    NYTimes.com
    Reed Abelson and Julie Creswell
    Feb 6, 2015

  • Obama to create new agency to examine cyberthreats
    AP via KSL.com
    Ken Dilanian, Associated Press
    February 10th, 2015

    Can the creation of a new "Cyber Threats Intelligence Integration Center" help the Federal government deal with cyberattacks like the Sony hack? White House cybersecurity coordinator Michael Daniel thinks that coordinating the many individual cybersecurity efforts in the government will help streamline detection and response.
  • The 'JASBUG' Windows hole - beyond the hype, what you need to know
    Naked Security
    Paul Ducklin
    Feb 12, 2015

    Downgrade attacks on Windows SMB and Active Directory Group Policy have been fixed, a year after their discovery, and some years after their origination.
  • Bank Hackers Steal Millions via Malware
    NYTimes.com
    David E. Sanger and Nicole Perlroth
    Feb. 14, 2015

    Kaspersky Labs scored another exposé last month in uncovering malware that surreptitiously redirected millions of dollars of funds without detection. The software afflicted 100 financial institutions in 30 countries. Keeping a very low profile, the software enabled remote monitoring and execution.

    The Best Hackers Ever Are the Ones You Never Heard Of: The Equation Group


    Kaspersky Labs released a report about an unknown group responsible for the widespread distribution of malware that was so stealthy that it resisted detection for 14 years.

    Omnipotent Hackers
    Arstechnica
    Dan Goodin
    Feb 16, 2015 12:00pm MST

    Report:
    Equation Group Questions and Answers

    Related story:
    Russian researchers expose breakthrough in U.S. spying program
    Reuters
    Joseph Menn
    February 17, 2015

    Related story:
    U.S. Embedded Spyware Overseas, Report Claims
    NYTimes.com
    Nicole Perlroth and David E. Sanger
    Feb. 16, 2015

  • Lenovo to stop pre-installing controversial software
    Reuters
    Paul Carsten
    Feb 19, 2015

    The world's largest PC maker, Lenovo, reacted to the discovery that notebooks sold in late 2014 had a piece of software that hijacked web connections. The purpose was to display ads. The objectionable feature was that it injected ads into what otherwise appeared to be a connection with authentication and encryption, i.e. "trusted".
  • Secrecy around police surveillance equipment proves a case's undoing
    The Washington Post
    Ellen Nakashima
    February 22, 2015

    Rather than reveal information about "fake cellphone tower" equipment, the FBI scuttled a case against a small time pot dealer. The devices can find detailed location information for phones, down to the room in a house.
  • Here's how the clash between the NSA Director and a senior Yahoo executive went down.
    The Washington Post
    Andrea Peterson
    Feb 23, 2015

    At a public cybersecurity meeting, the NSA director spoke about the need for the government to have access to all encrypted material on the Internet. In case you think this is impossible, review the history of "key escrow".

    SIM Chip Encryption Key Compromised?


    Cell phone maker Gemalto said that persons unknown tried to get information that would let them compromise the SIM card encryption. The attacks occurred in 2010. Recent information has led the company to connect them to the US and British governments. But, were they successful?

    Chip Maker to Investigate Claims of Hacking by N.S.A. and British Spy Agencies
    New York Times
    Mark Scott
    Feb. 20, 2015

  • U.S. and British Agencies May Have Tried to Get SIM Encryption Codes, Gemalto Says
    NYTimes.com
    Mark Scott and Aurelien Breeden
    Feb 25, 2015

  • How To Sabotage Encryption Software (And Not Get Caught)
    WIRED
    Andy Greenberg
    Feb 27, 2015

    This article is about a new paper and a book by Bruce Schneier. The integrity of standards for Internet cryptography was called into question a few years ago with news that NSA seemed to have used its influence to introduce a weakness into a standard for random number generation. In the interim, there has been a great deal of thought put into how to produce standards that are free from undermining. The paper discusses the avenues by which weaknesses can be introduced.
    The paper:
    "Surreptitiously Weakening Cryptographic Systems"
    by Bruce Schneier, Matthew Fredrikson, Tadayoshi Kohno, and Thomas Ristenpart

    The article mentions Bruce Schneier's book "Data and Goliath", reviewed in this Cipher issue.

    A "Zombie from the 90's": FREAK, the Vulnerability Against Apple and Google Users


    Secure access to websites is something that we have begun to take for granted, but it seems that a combination of man-in-the-middle and downgrade attacks can force many websites into using encryption so weak that an eavesdropper can read it without an extraordinary amount of work.

  • 'FREAK' flaw undermines security for Apple and Google users, researchers discover
    The Washington Post
    Craig Timberg
    Mar 3, 2015

  • Microsoft reacted to the FREAK vulnerability later than Apple and Google
    Slate.com
    Lily Hay Newman
    Mar 7, 2015


  • So much for the claim that Apple Pay would be 'secure'
    Los Angeles Times
    Michael Hiltzik
    Mar 8, 2015

    This article shows that "security" is a bigger concept than just authentication and encryption. By shifting some responsibility for safeguards for credit card registration from itself to banks, Apple enabled a corridor for easy use of stolen credit cards.
  • Samsung tablets spy-proof with IBM software
    Bloomberg Business News
    March 14, 2015

    At CeBIT 2015, Secusmart announced its high-security tablet based on the Samsung Galaxy Tab S 10.5. The device allows non-secure apps to exist alongside "wrapped" secure apps. The device is targeted at government officials.