source: securityweek.com

US officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, a Trump administration official said Tuesday.

Rob Joyce, the White House cybersecurity coordinator, told a forum at the Washington Post that officials were studying ways to use "modern cryptographic identifiers" to replace social security numbers.

Joyce's comments come after news that some 145 million Americans may have had personal information leaked, including the important social security numbers, in a breach at Equifax, one of three big US firms which collect data for credit applications.

"I feel very strongly that the social security number has outlived its usefulness," Joyce said.

"It's a flawed system."

For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft.

"If you think about it, every time we use the social security number we put it at risk," Joyce said.

"That is the identifier that connects you to all sorts of credit and digital and information online."

He said the administration has asked officials from several agencies to come up with ideas for "a better system" which may involve cryptography.

This may involve "a public and private key" including "something that could be revoked if it has been compromised," Joyce added.
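The contrast Joyce is drawing, a static number that must be handed over and stored by every party that checks it versus a key pair whose holder proves possession and whose identifier can be revoked, is easier to see in code. The following is an added illustration, not code from the article or from any government proposal: it uses textbook RSA with small, fixed, constructed primes so that it runs on the Python standard library alone, and the `Registry` class, the `"ok"`/`"revoked"`/`"bad_signature"` status strings and the hash-of-public-key identifier are all assumptions chosen for the example.

```python
"""Added example (not from the article above): a static shared-secret
identifier, as an SSN is used today, beside a public/private key
identifier that a relying party can verify and revoke.

Toy RSA with small fixed primes is used only so the block runs on the
standard library; the parameters are a constructed illustration."""
import hashlib
import secrets

# Constructed toy parameters (fixed so the example is deterministic).
_P, _Q = 1000003, 1000033          # both prime
_E = 65537


def derive_identifier(public_key):
    """The public identifier is a hash of the public key: it can be shared
    freely, because knowing it (unlike knowing an SSN) grants no ability
    to act as the holder."""
    n, e = public_key
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


def make_identity():
    """Return (identifier, public_key, private_key) for one person."""
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))   # modular inverse, Python 3.8+
    public_key = (n, _E)
    private_key = (n, d)
    return derive_identifier(public_key), public_key, private_key


def _digest_mod_n(challenge, n):
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def sign_challenge(private_key, challenge):
    """Prove possession of the private key for one specific challenge."""
    n, d = private_key
    return pow(_digest_mod_n(challenge, n), d, n)


def verify_signature(public_key, challenge, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(challenge, n)


class Registry:
    """A relying party (bank, credit bureau) that stores only public keys
    plus a revocation set. A breach of this store leaks nothing that lets
    an attacker impersonate an enrolled person."""

    def __init__(self):
        self._keys = {}
        self._revoked = set()

    def enroll(self, identifier, public_key):
        if derive_identifier(public_key) != identifier:
            raise ValueError("identifier does not match public key")
        self._keys[identifier] = public_key

    def new_challenge(self):
        # Fresh per attempt, so a captured signature cannot be replayed.
        return secrets.token_bytes(32)

    def revoke(self, identifier):
        """Joyce's 'something that could be revoked if it has been
        compromised': the holder enrols a new key pair afterwards."""
        self._revoked.add(identifier)

    def authenticate(self, identifier, challenge, signature):
        if identifier not in self._keys:
            return "unknown"
        if identifier in self._revoked:
            return "revoked"
        if not verify_signature(self._keys[identifier], challenge, signature):
            return "bad_signature"
        return "ok"


def ssn_check(presented, stored):
    """The status quo: the identifier *is* the secret, so every party that
    verifies it must hold a copy, and any copy that leaks is reusable."""
    return presented == stored


if __name__ == "__main__":
    ident, pub, priv = make_identity()
    reg = Registry()
    reg.enroll(ident, pub)
    ch = reg.new_challenge()
    print(reg.authenticate(ident, ch, sign_challenge(priv, ch)))   # ok
    reg.revoke(ident)
    print(reg.authenticate(ident, ch, sign_challenge(priv, ch)))   # revoked
```

Two properties carry the argument: a signature over a fresh challenge is useless to anyone who intercepts it, since the next attempt gets a different challenge, and the registry can refuse a compromised identifier without the holder having to change who they are. Neither is available with a number that is transmitted and stored in the clear every time it is used.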

The official spoke as US lawmakers opened hearings on the Equifax breach, believed to be one of the worst because of the sensitivity of data leaked.

Former Equifax chief executive Richard Smith told a congressional panel that the breach stemmed from both human and technological error, while offering a fresh apology to consumers affected.

source: technewsworld.com

Malicious code has been discovered in two versions of Piriform's CCleaner housekeeping utility, the company disclosed on Monday. Piriform is owned by Avast, whose security products are used by more than 400 million people.

The malware infecting CCleaner could give hackers control over the devices of more than 2 million users. CCleaner is designed to rid computers and mobile phones of junk, such as unwanted applications and advertising cookies.

Two versions of the program were modified illegally before they were released to the public, Piriform said.

However, the threat has been neutralized, according to Piriform Vice President Paul Yung, who explained that the rogue server the hackers used to control the code is down, and that other servers are no longer in the attackers' control.

All users who downloaded the infected version of the program for Windows, CCleaner v5.33.6162, have received the latest version of the software. Users of CCleaner Cloud version 1.07.3191 have received an automatic update.

"In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm," Yung said.

Machine Wipe Recommended

Despite those reassurances from Piriform, more drastic action may be necessary, suggested Craig Williams, the senior technical leader at Cisco Talos.

"Because the malware remains present, even after users update the CCleaner software, Talos advises all users to wipe their entire computer -- remove and reinstall everything on the machine -- and to restore files and data from a pre-August 15, 2017 backup, before the current version was installed," he told the E-Commerce Times.

"It is critical to remove this version of the CCleaner software and associated malware, since its structure means it has the ability to hide on the user's system and call out to check for new malware updates for up to a year," Williams explained.

Beyond the immediate threat, there may be problems with data loss, noted Morey Haber, vice president of technology at BeyondTrust.

"While the upgrade may remove the malware, leaked data has potentially been transmitted and could be used at a future time," he told the E-Commerce Times.

source: infosecurity-magazine.com

Understanding your users is a prerequisite for security, because users do care about security and are willing to take action to improve it.

In the opening keynote presentation at Infosecurity North America, “Psychologist Insight: Getting to Grips with the Psychology of User Behavior”, Dr Kelly Caine, Director of the Humans and Technology Lab and Associate Professor at Clemson University, said that users are often seen as the weakest link in the security chain, that executives think human error is to blame for security problems, and that users are usually blamed when systems are insecure.

“Users do care about security, we had a huge spike in number of credit freezes and watched as a result of the 2012 credit breach in South Carolina,” Caine said. “We have data to suggest that 20% of people in South Carolina increased by 2000% after the data breach. So if we take that data and compare to Equifax, we may extrapolate that data and probably 100 million people will have a credit freeze, people are 34% more likely to freeze their credit in South Carolina and there’s no reason to think people won’t do it after Equifax.”

Caine said people do care about security and take onerous steps to protect it. She also said that users are constantly learning to act more securely, but obstacles are put in their way by technology. She added that the average privacy policy takes 10 minutes to read, so a day can be lost just to reading privacy policies.

Caine also challenged the audience to remove the term “user error” from their vocabulary and to think instead about how humans actually behave.

“There is a buzzword of 'behavior change' and how to change users’ behavior, and before we change users’ behavior from a security perspective, we need to understand existing behaviors to change behavior as we need to know what they are doing, and why they are doing what they are doing.”

Concluding, Caine said that understanding users is “key to information security, and experts are here to help you and help you understand how to design systems and train users”, and every interaction with users is training users to behave more or less securely, “there’s no middle ground”. 

“Also, usability is a prerequisite for security: you cannot have a secure system without it being a usable system.”

source: reuters.com

Allowing foreign governments to require reviews of software secrets of technology products built by U.S. companies is “problematic,” the top White House cyber security official said on Tuesday, adding that the increasingly common arrangements presented both security and intellectual property risks.

Rob Joyce, the White House cyber security coordinator, said that letting countries inspect source code, the closely guarded internal instructions of software, as a condition for entry into foreign markets was a protectionist effort by certain regimes that threatened a “free and open internet” and could “hobble” a product’s security and privacy features.

Reuters on Monday reported that Hewlett Packard Enterprise (HPE) last year allowed a Russian defense agency to review the inner workings of cyber defense software known as ArcSight that is used by the Pentagon to guard its computer networks.

Cyber security experts, former U.S. intelligence officials and former ArcSight employees said the practice could help Moscow discover weaknesses in the software, potentially helping attackers to blind the U.S. military to a cyber attack.

“There are security aspects of those disclosures (and) they are problematic,” Joyce, a former hacker at the U.S. National Security Agency, said at a Washington Post Cybersecurity Summit when asked specifically about the story.

He added that he was more concerned about the intellectual property risks associated with the reviews, however.