It’s time to turn on HTTPS: The benefits are well worth the effort

After Edward Snowden revealed that online communications were being collected en masse by some of the world’s most powerful intelligence agencies, security experts called for encryption of the entire web. Four years later, it looks like we’ve passed the tipping point.
The number of websites supporting HTTPS — HTTP over encrypted SSL/TLS connections — has skyrocketed over the past year. There are many benefits to turning on encryption, so if your website does not yet support the technology it’s time to make the move.
Recent telemetry data from Google Chrome and Mozilla Firefox shows that over 50 percent of web traffic is now encrypted, both on computers and mobile devices. Most of that traffic goes to a few large websites, but even so, it’s a jump of over 10 percentage points since a year ago.


Original URL: http://www.computerworld.com/article/3180690/security/its-time-to-turn-on-https-the-benefits-are-well-worth-the-effort.html#tk.rss_all


Firefox blocks websites with vulnerable encryption keys

To protect users from cryptographic attacks that can compromise secure web connections, the popular Firefox browser will block access to HTTPS servers that use weak Diffie-Hellman keys.

Diffie-Hellman is a key exchange protocol that is slowly replacing the widely used RSA key exchange in the TLS (Transport Layer Security) protocol. Unlike RSA key exchange, Diffie-Hellman can be used in TLS’s ephemeral modes, which provide forward secrecy: a property that prevents the decryption of previously captured traffic even if the server’s long-term private key is compromised at a later time.

However, in May 2015, a team of researchers devised a downgrade attack that could compromise the encrypted connection between browsers and servers if those servers supported DHE_EXPORT, a variant of Diffie-Hellman key exchange that dates from 1990s U.S. export restrictions on cryptography and that limited the key size to 512 bits. In May 2015 around 7 percent of websites on the internet were vulnerable
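The check Firefox applies happens on the ServerKeyExchange message, where a DHE server sends its group parameters in the clear before any key is derived. The following is an added example, not code from the article or from Mozilla: it parses the ServerDHParams structure (dh_p, dh_g, dh_Ys, each a 16-bit-length-prefixed field per RFC 5246) and rejects groups whose prime is shorter than a minimum. The 1024-bit minimum, the sample values and the extra sanity checks are assumptions made for the example; the sample moduli are merely odd numbers of the right length, not real primes.

```python
"""Parse TLS 1.2 ServerDHParams and apply a minimum-strength check of the
kind a browser performs before completing a DHE handshake.
Added example with constructed data; the numeric values are NOT real primes."""
from __future__ import annotations

import struct
from dataclasses import dataclass

MIN_DH_BITS = 1024  # assumed minimum; 512-bit DHE_EXPORT groups fall well below it


@dataclass
class ServerDHParams:
    p: int
    g: int
    ys: int


def _read_opaque16(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one opaque<1..2^16-1> field: 2-byte big-endian length, then bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad opaque field length")
    return buf[off:off + n], off + n


def parse_server_dh_params(body: bytes) -> ServerDHParams:
    """RFC 5246 section 7.4.3: dh_p, dh_g, dh_Ys in that order."""
    p_raw, off = _read_opaque16(body, 0)
    g_raw, off = _read_opaque16(body, off)
    ys_raw, off = _read_opaque16(body, off)
    # For authenticated DHE a signature follows; this example inspects only the group.
    return ServerDHParams(int.from_bytes(p_raw, "big"),
                          int.from_bytes(g_raw, "big"),
                          int.from_bytes(ys_raw, "big"))


def encode_server_dh_params(params: ServerDHParams) -> bytes:
    """Inverse of the parser, used here to build test vectors."""
    out = b""
    for v in (params.p, params.g, params.ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def check_dh_params(params: ServerDHParams, min_bits: int = MIN_DH_BITS) -> list[str]:
    """Return the reasons to reject this group; an empty list means acceptable."""
    problems = []
    if params.p.bit_length() < min_bits:
        problems.append(f"dh_p is {params.p.bit_length()} bits, below the {min_bits}-bit minimum")
    if params.p % 2 == 0:
        problems.append("dh_p is even, cannot be prime")
    if not 1 < params.g < params.p - 1:
        problems.append("dh_g outside the range 2..p-2")
    if not 1 < params.ys < params.p - 1:
        problems.append("dh_Ys outside the range 2..p-2 (degenerate public value)")
    return problems


# Constructed sample groups: odd numbers of export-grade and modern size, not primes.
EXPORT_GRADE = ServerDHParams(p=(1 << 511) | 0x1235, g=2, ys=(1 << 500) + 7)
STRONG_SIZE = ServerDHParams(p=(1 << 2047) | 0xABCD, g=2, ys=(1 << 2000) + 9)


def classify(body: bytes) -> str:
    """'accept' or 'reject: <reasons>' for one serialized ServerDHParams."""
    problems = check_dh_params(parse_server_dh_params(body))
    return "accept" if not problems else "reject: " + "; ".join(problems)


if __name__ == "__main__":
    print(classify(encode_server_dh_params(EXPORT_GRADE)))
    print(classify(encode_server_dh_params(STRONG_SIZE)))
```

Rejecting on modulus length is what stops a downgraded handshake from completing: the client never sends its own public value, so there is nothing for an attacker with a precomputed 512-bit discrete-log table to recover. A length check alone does not prove the group is safe (the prime could still be non-prime or backdoored), which is why the example also refuses even moduli and degenerate public values.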


Original URL: http://www.computerworld.com/article/3126030/security/firefox-blocks-websites-with-vulnerable-encryption-keys.html#tk.rss_all


Here’s what you should know, and do, about the Yahoo breach

Yahoo’s announcement that state-sponsored hackers stole the details of at least 500 million accounts shocks both through scale — it’s the largest data breach ever — and the potential security implications for users.
That’s because Yahoo, unlike MySpace, LinkedIn and other online services that suffered large breaches in recent years, is an email provider; and email accounts are central to users’ online lives. Not only are email addresses used for private communications, but they serve as recovery points and log-in credentials for accounts on many other websites.


Original URL: http://www.computerworld.com/article/3123399/security/heres-what-you-should-know-and-do-about-the-yahoo-breach.html#tk.rss_all


Massive Yahoo hack is the world’s biggest — for now

When Yahoo said on Thursday that data from at least 500 million user accounts had been hacked, it wasn’t just admitting to a huge failing in data security — it was admitting to the biggest hack the world has ever seen.
Until Thursday, the previous largest known hack was the 2008 breach that hit almost 360 million MySpace accounts, according to a ranking by the “Have I been pwned” website. Like the Yahoo breach, the hack was only publicly disclosed this year after data was offered on a hacker forum.
And only three breaches had ranked above the 100 million level:
LinkedIn reported a loss of 167 million email addresses and passwords. They were originally stolen in 2012 but not publicly disclosed until 2016, again after the data was offered on an underground “dark market” site.


Original URL: http://www.computerworld.com/article/3123421/security/massive-yahoo-hack-is-the-worlds-biggest-for-now.html#tk.rss_all


Yahoo reportedly to confirm massive data breach

Following reports that Yahoo will confirm a data breach that affects hundreds of millions of accounts, some users reported Thursday on Twitter and elsewhere that they were prompted to change their email password when trying to log in.
Yahoo launched an investigation into a possible breach in early August after someone offered to sell a data dump of more than 200 million Yahoo accounts on an underground market, including usernames, easy-to-crack password hashes, dates of birth and backup email addresses.
The company has since determined that the breach is real and that it’s worse than initially believed, news website Recode reported Thursday, citing unnamed sources familiar with the investigation.


Original URL: http://www.computerworld.com/article/3123149/security/yahoo-reportedly-to-confirm-massive-data-breach.html#tk.rss_all


Google turns on HTTPS for all blogspot blogs

All blogs hosted on Google’s blogspot.com domain can now be accessed over an encrypted HTTPS connection. This puts more control into the hands of blog readers who value privacy.

Google started offering users of its Blogger service the option to switch their blogspot.com sites to HTTPS in September. That opt-in setting has now been removed, and every blog has an HTTPS version that visitors can use.

Instead of the “HTTPS Availability” option, blog owners can now use a setting called “HTTPS Redirect,” which will redirect all visitors to the HTTPS version of their blogs automatically. If the setting is not used, users will still be able to access the non-encrypted HTTP version.



Original URL: http://www.computerworld.com/article/3065359/security/google-turns-on-https-for-all-blogspot-blogs.html#tk.rss_all


Identity thieves obtain 100,000 electronic filing PINs from IRS system

The Internal Revenue Service was the target of an attack that used stolen Social Security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically.

The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address.

Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it.

The personal taxpayer data used during the attack was not obtained from the IRS, but was stolen elsewhere, the agency said in a statement. The IRS is notifying affected taxpayers via mail and will monitor their accounts to protect them from tax-related identity theft.
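An endpoint like the one described is a knowledge-based authentication check, and its weakness is that every input is something an attacker can buy in bulk. What distinguishes the bot from a taxpayer is volume and spread: one source querying hundreds of thousands of distinct identities, with a steady fraction of them matching. The script below is an added example, not the IRS’s code or logs: it runs a sliding-window detector over constructed access-log lines in an assumed format (timestamp, client IP, a keyed identity hash in place of the SSN, and the lookup result) and flags any source that asks about more than a handful of distinct identities inside ten minutes. The format, field names, thresholds and sample data are all assumptions.

```python
"""Detect automated enumeration of an identity-verification endpoint from
constructed access-log lines. Added example; the log format, field names,
thresholds and traffic are assumptions, not the IRS's."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format. The id field stands in for the SSN: a real system should
# log only a keyed hash of it, never the number itself.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GET /efile-pin/retrieve id=(?P<idkey>\w+) result=(?P<result>OK|NOMATCH)$"
)


def build_sample_log() -> list[str]:
    """Constructed traffic: three ordinary users plus one bot cycling identities."""
    base = datetime(2016, 1, 19, 9, 0, 0)
    lines = [
        f"{(base + timedelta(minutes=1)).isoformat()} 203.0.113.7 GET /efile-pin/retrieve id=u1 result=OK",
        f"{(base + timedelta(minutes=2)).isoformat()} 203.0.113.8 GET /efile-pin/retrieve id=u2 result=NOMATCH",
        f"{(base + timedelta(minutes=3)).isoformat()} 203.0.113.8 GET /efile-pin/retrieve id=u2 result=OK",
        f"{(base + timedelta(minutes=30)).isoformat()} 203.0.113.9 GET /efile-pin/retrieve id=u3 result=OK",
    ]
    # The bot: 50 distinct identities in five minutes from one address, with
    # roughly one in five matching (stolen data that is not always current).
    for i in range(50):
        ts = (base + timedelta(seconds=6 * i)).isoformat()
        result = "OK" if i % 5 == 0 else "NOMATCH"
        lines.append(f"{ts} 198.51.100.23 GET /efile-pin/retrieve id=b{i:03d} result={result}")
    return lines


def parse(lines):
    """Yield (timestamp, ip, identity key, result) for matching lines only."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other requests are irrelevant to this detector
        yield datetime.fromisoformat(m["ts"]), m["ip"], m["idkey"], m["result"]


def detect_enumeration(lines, window=timedelta(minutes=10), max_distinct_ids=5):
    """Flag sources that query more than max_distinct_ids distinct identities
    within any sliding window. Returns {ip: (distinct_ids, issued, total)}.
    Per-IP is the simplest pivot; bots rotate addresses, so a real deployment
    should also pivot on session or device fingerprint."""
    events = defaultdict(list)
    for ts, ip, idkey, result in parse(lines):
        events[ip].append((ts, idkey, result))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({e[1] for e in evs[start:end + 1]}) > max_distinct_ids:
                issued = sum(1 for e in evs if e[2] == "OK")
                flagged[ip] = (len({e[1] for e in evs}), issued, len(evs))
                break
    return flagged


if __name__ == "__main__":
    for ip, (distinct, issued, total) in detect_enumeration(build_sample_log()).items():
        print(f"{ip}: {distinct} identities tried, {issued}/{total} PINs issued")
```

The user at 203.0.113.8 retries the same identity and is never flagged; the rule keys on distinct identities per source, not on failed attempts, because a bot armed with correct stolen data can succeed on most tries. Counting distinct identities per source is also what makes the rule cheap to enforce online, before 101,000 PINs rather than after.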



Original URL: http://www.computerworld.com/article/3031846/security/identity-thieves-obtain-100000-electronic-filing-pins-from-irs-system.html#tk.rss_all


Ashley Madison coding blunder made 11M passwords easy to crack

Until today, the creators of the hacked AshleyMadison.com infidelity website appeared to have done at least one thing well: protect user passwords with a strong hashing algorithm. That belief, however, was painfully disproved by a group of hobbyist password crackers.

The 16-man team, called CynoSure Prime, sifted through the Ashley Madison source code that was posted online by hackers and found a major error in how passwords were handled on the website.

They claim that this allowed them to crack over 11 million of the 36 million password hashes stored in the website’s database, which has also been leaked.

A few weeks ago such a feat seemed impossible because security experts quickly observed from the leaked data that Ashley Madison stored passwords in hashed form — a common security practice — using a cryptographic function called bcrypt.
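Why bcrypt made 36 million hashes look uncrackable comes down to cost per guess: a fast, unsalted hash lets one dictionary pass cover every user, while a salted, iterated hash forces the full derivation for every guess against every account. The following is an added example, not code from the article or the site: it runs the same small dictionary attack against an unsalted MD5 and against a salted PBKDF2-HMAC-SHA256 hash. PBKDF2 from the standard library stands in for bcrypt, which the article says the site used; the wordlist, iteration count and test password are constructed. The article’s point is that a separate coding error sidestepped bcrypt; this example shows only the protection bcrypt-class hashing would have given on its own.

```python
"""Compare the offline guessing cost of a fast unsalted hash with a slow,
salted, iterated password hash. Added example; PBKDF2-HMAC-SHA256 stands in
for bcrypt, and every password and hash here is constructed."""
from __future__ import annotations

import hashlib
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor, kept low so the demo runs quickly

# Constructed wordlist standing in for a cracking dictionary.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2",
            "sunshine", "iloveyou", "football", "monkey", "summer2015"]


def fast_hash(password: str) -> str:
    """The weak scheme: a single unsalted MD5 over the password."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated hash: each guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_fast(target_hex: str, wordlist=WORDLIST):
    """Return (guess, attempts). Without a salt one hash per word covers all users."""
    for n, word in enumerate(wordlist, 1):
        if fast_hash(word) == target_hex:
            return word, n
    return None, len(wordlist)


def crack_slow(target: bytes, salt: bytes, wordlist=WORDLIST, iterations=PBKDF2_ITERATIONS):
    """Same search, but every attempt must redo the full derivation for this salt."""
    for n, word in enumerate(wordlist, 1):
        if slow_hash(word, salt, iterations) == target:
            return word, n
    return None, len(wordlist)


def compare(password: str = "monkey"):
    """Time the dictionary attack against both schemes for one constructed user.
    Returns (fast_seconds, slow_seconds, recovered_fast, recovered_slow)."""
    salt = os.urandom(16)
    fast_target = fast_hash(password)
    slow_target = slow_hash(password, salt)

    t0 = time.perf_counter()
    fast_guess, _ = crack_fast(fast_target)
    t1 = time.perf_counter()
    slow_guess, _ = crack_slow(slow_target, salt)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1, fast_guess, slow_guess


if __name__ == "__main__":
    fast_s, slow_s, f, s = compare()
    print(f"md5:    recovered {f!r} in {fast_s * 1e6:.0f} microseconds")
    print(f"pbkdf2: recovered {s!r} in {slow_s:.2f} s, "
          f"about {slow_s / max(fast_s, 1e-9):.0f}x the cost of the md5 run")
```

Both attacks recover the weak password, because slow hashing does not make a bad password good; it multiplies the attacker’s cost per guess per account by the work factor and, through the salt, removes the one-pass-covers-everyone shortcut. The gap on ten guesses is already seconds versus microseconds; at 36 million accounts and real wordlists it is the difference the article describes between a few weeks of work and an infeasible one.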



Original URL: http://www.computerworld.com/article/2982959/cybercrime-hacking/ashley-madison-coding-blunder-made-11m-passwords-easy-to-crack.html#tk.rss_all


New York threatens action if RadioShack sells customer data

New York’s attorney general said his office will take “appropriate action” if personal data on millions of RadioShack customers is handed over as part of a just-concluded bankruptcy sale.

The names and physical addresses of 65 million customers and email addresses of 13 million customers were among the assets listed as part of the sale, which concluded this week but has yet to be approved by a bankruptcy court.

RadioShack’s March 2015 privacy policy promised: “We will not sell or rent your personally identifiable information to anyone at any time.”



Original URL: http://www.computerworld.com/article/2901691/new-york-threatens-action-if-radioshack-sells-customer-data.html#tk.rss_all

