Information Security News
The National Security Agency can easily defeat the world's most widely used cellphone encryption, a capability that means the agency can decode most of the billions of calls and texts that travel over public airwaves each day, according to a published report citing documents leaked by Edward Snowden.
The NSA "can process encrypted A5/1" calls even when agents don't have the underlying cryptographic key, The Washington Post reported Friday, citing a top-secret document provided by former NSA contractor Snowden. A5/1 is a stream cipher developed in the 1980s that researchers have repeatedly cracked for more than a decade. It remains widely used to encrypt older, 2G cellphone calls, and newer phones can still fall back to A5/1 even when they show a 3G or 4G connection.
In the past five years, cracking A5/1 has grown steadily easier and cheaper. In 2010 researchers unveiled a technique that cost about $650 and relied on open-source software and off-the-shelf hardware. Next-generation spy devices sold to militaries and law-enforcement agencies have long marketed the ability to eavesdrop on A5/1-protected calls as well. Despite the growing susceptibility of A5/1, it remains widely used, Karsten Nohl, chief scientist at Security Research Labs in Berlin, told The Washington Post. Reporters Craig Timberg and Ashkan Soltani explained:
Microsoft has joined the board of directors of the FIDO ("Fast IDentity Online") Alliance, an industry consortium that is attempting to create a set of protocols to enable consistent, secure, passwordless access to Web-based applications. Other members include Google, BlackBerry, PayPal, Lenovo, and MasterCard.
The problems with passwords are well-known. They're poorly chosen, regularly stolen, and routinely reused across sites, meaning that a compromise of one account can lead to compromises of many others.
FIDO hopes to replace passwords with a system built around public key cryptography. To register with a FIDO site, you won't enter a password into the site. Instead, hitting register will alert your authentication devices—typically an app on your smartphone—of the attempt to register. If that attempt is approved (for example, by using a registered fingerprint or entering a PIN), the device will generate a public/private key pair. The public key will be sent to the online service; the private key will be retained on the authentication device.
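The registration and challenge-response flow described above, as an added example written for this page (it is not code from the FIDO Alliance or from any FIDO specification). The message shapes, the PIN standing in for a fingerprint, the per-site key, and the binding of the signed data to the relying-party ID are assumptions chosen to illustrate the design; only Go's standard library is used.

```go
package main

// Added illustration of a FIDO-style passwordless flow. Not FIDO Alliance
// code; message formats, the PIN gate and the rpID binding are assumptions.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. It holds private keys and uses
// them only after the user has verified (a PIN here, in place of a fingerprint).
type Authenticator struct {
	pin  string
	keys map[string]*ecdsa.PrivateKey // one key pair per relying-party ID (assumption)
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{pin: pin, keys: map[string]*ecdsa.PrivateKey{}}
}

// Register approves the attempt with the PIN, generates a key pair for this
// relying party, keeps the private key and hands back only the public key.
func (a *Authenticator) Register(rpID, pin string) (*ecdsa.PublicKey, error) {
	if pin != a.pin {
		return nil, errors.New("user verification failed")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData hashes rpID together with the challenge, so a signature obtained
// by a look-alike site cannot be presented to the genuine one.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a login challenge for rpID after user verification.
func (a *Authenticator) Sign(rpID, pin string, challenge []byte) ([]byte, error) {
	if pin != a.pin {
		return nil, errors.New("user verification failed")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// RelyingParty models the web service. It never sees a password or a private
// key, only public keys and signatures over fresh challenges.
type RelyingParty struct {
	ID    string
	users map[string]*ecdsa.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) StorePublicKey(user string, pub *ecdsa.PublicKey) {
	rp.users[user] = pub
}

// Challenge issues a fresh 32-byte nonce for each login attempt.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts the login only if the signature is valid under the stored
// key for this challenge bound to this relying party's ID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

// Login runs one complete passwordless authentication and reports the result.
func Login(rp *RelyingParty, auth *Authenticator, user, pin string) (bool, error) {
	challenge, err := rp.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(rp.ID, pin, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig), nil
}

func main() {
	auth := NewAuthenticator("1234") // constructed sample device
	rp := NewRelyingParty("example.com")
	pub, err := auth.Register(rp.ID, "1234")
	if err != nil {
		panic(err)
	}
	rp.StorePublicKey("alice", pub)
	ok, err := Login(rp, auth, "alice", "1234")
	fmt.Println("login with correct PIN:", ok, err)
	ok, err = Login(rp, auth, "alice", "0000")
	fmt.Println("login with wrong PIN:", ok, err)
}
```

Two properties of the sketch are worth noticing. The relying party stores nothing a thief could log in with: a breach of its user table yields public keys only. And because the signed data includes the relying-party ID and a challenge that is never reused, a signature captured by a look-alike site or replayed from an earlier session does not verify.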
The magical list of security predictions for 2014
About this time every year, journalists covering the InfoSec beat start seeing prediction lists being pitched. Sadly, we will see the same pitch, from the same vendor, several times, often because we're on multiple blast lists. Thus, our inbox is ...
A presidential advisory committee set up to examine the National Security Agency (NSA) is recommending the continuation of "a program to collect data on every phone call made in the United States," but with new restrictions "intended to increase privacy protections," The New York Times reported yesterday.
The report by the Review Group on Intelligence and Communications Technology, expected to be delivered to the White House by Sunday, wasn't released publicly, but officials described its contents to newspapers. The group concluded that NSA surveillance programs are legal but recommended various changes to their structure, transparency, and security.
The Wall Street Journal reported that the panel's draft proposals "would change the spy agency's leadership from military to civilian and limit how it gathers and holds the electronic information of Americans. The task force, for example, proposed that the records of nearly every US phone call now collected in a controversial NSA program be held instead by the phone company or a third-party organization." There would be "stricter standards" for allowing NSA officials to search the data.
World Federation of Exchanges launches global cyber-security committee
Bobsguide (press release)
The role of the new WFE cyber-security committee is to identify and communicate global infosec best practice in regard to protecting market infrastructures against cyber-attacks and to protect the world's critical capital markets. The working group ...
PCI-DSS 3.0 Brings New Penetration Testing Requirements, Explains Rhino ...
IT Business Net
The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary infosec standard for organizations that handle payment card information, including debit, credit, 'e-purse', and POS cards. It was founded by the Payment Card Industry Security ...