LifeLock Bug Exposed Millions of Customer Email Addresses

Identity theft protection firm LifeLock — a company that’s built a name for itself based on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers.

Source: LifeLock Bug Exposed Millions of Customer Email Addresses

DHS – Russian APT groups are inside US critical infrastructure

The US Government is warning of continuous intrusions into national critical infrastructure and is blaming the Kremlin for the cyber attacks. According to the US Department of Homeland Security, Russia’s APT groups have already penetrated America’s critical infrastructure, especially power utilities, and are still targeting them.

Source: DHS – Russian APT groups are inside US critical infrastructure

Why No HTTPS? Here’s the World’s Largest Websites Not Redirecting Insecure Requests to HTTPS

As of today, Google begins shipping Chrome 68, which flags all sites served over the HTTP scheme as being “not secure”. This is because the connection is, well, not secure, so it seems like a fairly reasonable thing to say! We’ve known this has been coming for a long time now, both through observing the changes in the industry and Google specifically saying “this is coming”. Yet somehow, we’ve arrived at today with a sizable chunk of the web still serving traffic insecurely.

Source: Why No HTTPS? Here’s the World’s Largest Websites Not Redirecting Insecure Requests to HTTPS

UN SecCouncil Requires PNR Sharing

Somehow or other, the US managed to get the Security Council to approve the sharing of Passenger Name Records (PNR) of travelers with other countries. As with much of what happens in the U.S. these days, other events have obscured this meaningful news. Yes, the rest of the world has expressed its displeasure with our stated desire to move our Israeli embassy to Jerusalem. But then the Security Council voted to support this US proposal.

DNS Security

This article, describing how a Brazilian bank with $27 billion in assets and hundreds of branches was taken over by a criminal hacking group for a single day in 2016, illustrates the need to secure your web resources all the way back to the registrar. The undisclosed bank in question had all of its DNS traffic redirected to a clone of the bank’s actual website. Customers used the site the entire day, entering their password and account information into the fake site, resulting in an undisclosed but likely significant loss of funds for the affected individuals, the bank and the Brazilian government’s insurance fund.

DNS security is an overlooked component in the chain of digital services required to deliver internet services. If you are interested in ensuring you maintain control over your domain, you need to evaluate the security of your domain registrar. Like any other third-party service provider, they need to meet your security expectations. You need to assess their service offerings and their ability to protect your data.

While not an endorsement on my part, CloudFlare has announced that it intends to serve this emerging market. It has started offering its services as a registrar and includes a handful of features designed to ensure domains are protected from hijacking. I assume other registrars will look at these new offerings and see the market opportunities they represent. Like many other services, until they become commodities, the provider can charge a premium. I’m hoping these offerings will become ubiquitous and affordable for all website operators.

Until then, you should consider using CloudFlare’s security tool to understand the features you need to enable to ensure your website is secure.
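One concrete way to keep watch over the registrar-level controls discussed above is a baseline drift check. The following is an added example, not code from the original post or from CloudFlare; it assumes the domain owner keeps a record of the expected registrar and name servers, and the lock names are the standard EPP status codes from RFC 5731 rather than anything on this page. All domain data in it is constructed.

```python
# Added example (not code from the original post or CloudFlare): compares the
# registrar status codes and delegation currently reported for a domain with
# a baseline the owner keeps, and reports the kinds of change that precede a
# DNS hijack. All data is constructed; a live check would pull the same fields
# from the registrar's RDAP/WHOIS record and from the domain's NS records.

# Standard EPP status codes (RFC 5731) that block transfer, update or deletion
# of the domain unless the owner first unlocks it at the registrar.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                  "clientDeleteProhibited"}


def check_domain(observed, baseline):
    """Return a list of findings; an empty list means no drift from baseline."""
    findings = []
    missing = REQUIRED_LOCKS - set(observed.get("status", []))
    if missing:
        findings.append("registrar locks not set: " + ", ".join(sorted(missing)))
    if not observed.get("dnssec_signed", False):
        findings.append("delegation is not DNSSEC-signed")
    if observed.get("registrar") != baseline["registrar"]:
        findings.append("registrar changed to %r" % observed.get("registrar"))
    # Normalise case and trailing dot so "NS1.bank.example." == "ns1.bank.example".
    norm = lambda names: {n.lower().rstrip(".") for n in names}
    obs_ns, base_ns = norm(observed.get("nameservers", [])), norm(baseline["nameservers"])
    if obs_ns != base_ns:
        findings.append("name servers changed: expected %s, got %s"
                        % (sorted(base_ns), sorted(obs_ns)))
    return findings


# Constructed baseline recorded by the domain owner when the domain was set up.
BASELINE = {"registrar": "Example Registrar, Inc.",
            "nameservers": ["ns1.bank.example", "ns2.bank.example"]}

# Constructed snapshots: a healthy one, and one showing a delegation change
# like the bank incident above, with the registrar locks and DNSSEC missing.
OBSERVED_OK = {"registrar": "Example Registrar, Inc.",
               "status": sorted(REQUIRED_LOCKS),
               "dnssec_signed": True,
               "nameservers": ["NS1.bank.example.", "ns2.bank.example"]}

OBSERVED_DRIFT = {"registrar": "Example Registrar, Inc.",
                  "status": ["clientDeleteProhibited"],
                  "dnssec_signed": False,
                  "nameservers": ["ns1.bank.example", "ns-a.unrelated-host.example"]}

if __name__ == "__main__":
    for label, snap in (("ok", OBSERVED_OK), ("drift", OBSERVED_DRIFT)):
        print(label, check_domain(snap, BASELINE) or ["no drift from baseline"])
```

Run on a schedule against live registrar and DNS data, any non-empty result is the signal to contact the registrar before customers ever reach a cloned site.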

Lavabit Suit As a Precedent?

“The government’s citation of the Lavabit case, and their description of its outcome, is disturbingly disingenuous,” Levison wrote on Facebook. “The language used [in the footnote] is incredibly misleading, as it insinuates a precedent unsupported by the appellate court’s ruling…. This verbiage suggests the seizure of third party encryption keys was found lawful by the appellate court, which is wholly unsupported by the appellate court’s opinion.”