Alexander’s Blog

July 24, 2006

U.S. Government Mandates Laptop Security

by @ 1:14 pm. Filed under News, Security/Firewalls

The US government is giving federal civilian agencies just 45 days to comply with new recommendations for laptop encryption and two-factor authentication. The official memo (PDF) from the executive office of the U.S. president stipulates that all mobile devices containing sensitive information must have their data encrypted. The recommendations also say that two-factor authentication must be used for remote access, that remote access must time out after 30 minutes of inactivity, and that all data extracts must be logged. The memo does not detail any specific technology recommendations beyond this broad outline, presumably leaving agencies to decide on their own specific implementations.

The memo follows a wave of high-profile data thefts and major security breaches involving remote access or the theft of government laptop computers containing sensitive personal information. Recent incidents include the theft of 26,000 SSNs and photos at the U.S. Department of Agriculture; a laptop containing fingerprints of 291 employees of the Internal Revenue Service; the Energy Department’s loss of personal records of 1,500 employees and contractors at the National Nuclear Security Administration; a compromise of the identities of 2.2 million active-duty military personnel at the Department of Veteran Affairs; a stolen laptop at the Federal Trade Commission with data on 110 people; the Navy’s discovery of 28,000 personal records on a website; and, finally, an insurance company employee’s exposure of 17,000 personal Medicare records, according to the Department of Health and Human Services.

Five of these seven incidents involved laptop computers without encryption, and the others involved remote access to private systems via the Internet that may have been prevented or made more difficult with two-factor authentication.

July 22, 2006

Enigma Project Cracks Second Code

by @ 8:37 am. Filed under News, Security/Firewalls

Online codebreaking enthusiasts working to solve a series of German World War II ciphers have cracked the second of three codes. Thousands of users around the world have joined the M4 Project, using spare computing power to crack the codes.

The messages were encoded using the German Enigma machine, and outfoxed wartime experts at Bletchley Park. Project leaders have so far failed to crack the last remaining message, but insist it can be broken.

The three messages were unearthed by amateur historian Ralph Erskine, who submitted them to a cryptology journal in 1995 as a challenge for codebreakers.

July 20, 2006

When Microsoft Says No, It May Mean Yes

by @ 2:29 pm. Filed under Miscellaneous

Downloading software from Microsoft used to be fairly simple. No Passport mess, no sales call, no hassles. Now Microsoft requires you to register when you download certain products so you can receive calls from Microsoft or third-party representatives. Here’s something interesting. Try downloading a trial version of Microsoft’s Data Protection Manager. You must agree to register or else you cannot download the software. Okay, that sounds fine as long as you are given an option to opt out of e-mails and phone calls, right? Well, not exactly. The registration process gives the following six options for you to check or uncheck.

1. Microsoft may use the e-mail address I have provided above to contact me regarding important security, product, and event information.

2. Microsoft Partners may use the e-mail address I have provided above to contact me regarding important security, product, and event information.

3. Microsoft may use the address I have provided above to contact me regarding important security, product, and event information.

4. Microsoft Partners may use the address I have provided above to contact me regarding important security, product, and event information.

5. Microsoft may use the phone number I have provided above to contact me regarding important security, product, and event information.

6. Microsoft Partners may use the phone number I have provided above to contact me regarding important security, product, and event information.

So you must be glad that you unchecked all these boxes and Microsoft has now promised not to contact you by e-mail, address, or phone number, all of which, by the way, are REQUIRED items that must be filled out on that page. But did you actually read what’s on that download page? Here’s what it says.

Regardless of any contact preferences you might have previously made on this Microsoft site or on other Microsoft sites or services, by registering for trial software, you consent and agree to allow Microsoft or one of its third-party agents to contact you no more than three (3) instances during the software’s trial period for the purpose of soliciting feedback on the trial software or to supply you with additional evaluation content and information about trial software. Any other use of the personal information in your .NET Passport profile is subject to the Microsoft Privacy Statement.

In other words, the checking or unchecking of these boxes has absolutely no meaning whatsoever. You still agreed that you should be contacted via e-mail, address, and phone number. Notice it also states that “Any other use of the personal information in your .NET Passport profile is subject to the Microsoft Privacy Statement.” Take a minute and think about this last statement. It is very telling.

July 19, 2006

Rootkits Get Better at Hiding

by @ 1:21 pm. Filed under News, Security/Firewalls

A new Trojan horse is so good at hiding itself that some security researchers claim a new chapter has begun in their battle against malicious-code authors. The new pest, dubbed “Rustock” by Symantec and “Mailbot.AZ” by F-Secure, uses “rootkit” techniques crafted to avoid the detection technology used by security software.

Rootkits are considered an emerging threat. They are used to make system changes to hide software, which may be malicious. In the case of Rustock or Mailbot.AZ, rootkit technology was used to hide a Trojan horse that opens a backdoor on an infected system, putting it at the beck and call of an attacker, according to Symantec.

Number of Web Users in China Hits 123 Million

by @ 11:19 am. Filed under Internet/Web, News

China’s population of Internet users, already the world’s second-biggest after the U.S., has jumped by nearly 20 percent over the past year to 123 million, with broadband access soaring, the government said Wednesday.

The United States has some 204 million Internet users. The number of Web sites in China rose by more than 110,000 to a total of 788,400, the official China Internet Network Information Center said in an annual survey. China encourages Internet use for business and education and has invested heavily in broadband service, though the communist government tries to bar access to material considered pornographic or subversive.

The number of Internet users in China with broadband service jumped by 45 percent over the past year to 77 million, or about two-thirds of the total online population, the Internet agency said. The average Chinese Internet user now spends 16.5 hours per week online, a new record high, the agency said.


Copyright ©2008 Zubair Alexander. All rights reserved.
