Everything related to Computer Security - Security Audits, Security Vulnerabilities, Intrusion Detection, Incident Handling, Forensics and Investigation, Information Security Policies, and a whole lot more.
Need Some Espionage Done? Hackers Are for Hire Online New York Times (01/15/15) Goldstein, Matthew
Hacking is often associated with intelligence agencies, international criminal gangs, shadowy political operatives and disgruntled "hacktivists," but it has increasingly become a personal enterprise. A website that opened for business in early November shows that ordinary people are also looking to hire hackers for smaller acts of espionage. Users of Hacker's List have posted job offers looking for hackers to check to see if a loved one is cheating on them, retrieve a lost password, change a school grade, and scrub the Internet of embarrassing photos and stories. Other customers want to break into a landlord's website or get a list of clients from a competitor's database. More than 500 hacking jobs have been put out to bid. The matter-of-fact nature of the job postings shows how commonplace low-profile hacking has become and the challenge such activity presents for law enforcement at a time when federal and state authorities are concerned about data security.
France Pushes for Tighter Online Surveillance Wall Street Journal (01/14/15) Schechner, Sam; Gross, Jenny
In response to the recent Charlie Hebdo attack, France wants to boost domestic surveillance to track terror threats by seeking greater assistance from technology companies. The French government will propose a new surveillance law aimed at giving intelligence services "all the legal means to accomplish their mission," Prime Minister Manuel Valls said Tuesday. France’s moves to tighten surveillance since the Paris attacks add to pressure on U.S. tech firms in Europe to do more to help authorities combat terrorism. Particularly in the U.K. and France, security and intelligence officials have expressed frustration at what they say is some firms’ reluctance to comply with orders requesting information about users and their communications. In recent months, European Union officials and national governments have met with companies including Google Inc., Facebook Inc. and Twitter Inc. to discuss the topic. Technology companies, keen to assure users that they safeguard their privacy, have pushed back on some requests to turn over user data. They also cite conflicts with U.S. laws that they say prohibit them from sharing data. "This has been a point of tension with EU governments," one U.S. tech executive said.
Big Corporations Want to Know How You Feel Washington Post (01/12/15) Jayakumar, Amrita
The public backlash against Sony after its response to being hacked, criticism of Target’s handling of its 2013 cyberattack, and other examples of corporate embarrassment have put a spotlight on measuring public sentiment about a business. Now, contractors that traditionally performed this type of work for government intelligence agencies are offering their skills to large corporations. BAE Systems, which spent more than $200 million acquiring analytics companies last year, is the latest example of a defense contractor branching out into commercial work as federal spending shrinks. The company announced a social media monitoring service for businesses last week that would "detect malicious or inadvertent leaks of sensitive information and intellectual property, potential insider threats, social engineering attempts, smear campaigns, and other issues of concern." Corporations are increasingly looking for early warnings to manage potential disruptions, says Peder Jungck, vice president and chief technology officer for BAE’s intelligence and security sector. "Companies go into crisis-management mode when something happens, but now they want to get ahead of an incident," Jungck says. The service is based on a pilot project BAE conducted during the 2014 Sochi Olympics. Special software scrutinizes what people are saying about a company on social media, Web forums, discussion boards and other corners of the Internet. Data analysts put the findings into context — separating “normal” online outrage from something more serious — to identify risks for a business, from the threat of cyberattacks to online activism.
Obama Seeks to Nationalize Breach Notification BankInfoSecurity.com (01/12/15) Chabrow, Eric
Businesses targeted by data breaches would have a 30-day window to alert consumers of intrusions following their discovery under a national law proposed by President Barack Obama. If enacted, the Personal Data Notification and Protection Act would preempt 47 state data breach notification laws. Lawmakers previously have proposed a national mandate for data breach notification, but none of the proposals were ever brought to the floor of the House or Senate. Analysts say the key to ensuring the law's enactment is getting businesses to agree on the bill's provisions, such as how soon they would have to notify customers of a breach and what types of breaches would justify an alert. "Particularly with the number of high-profile breaches over the past year, many companies are reticent to notify consumers when credit card and other data are compromised, simply because of the effect it can have on the business, from loss of trust, lawsuits, fines and fees, and other related expenses to clean up the mess after a breach occurs," notes Tripwire analyst Ken Westin. Obama also outlined new governmental steps to help identity theft victims, including broadening information sharing to ensure federal investigators regularly report evidence of stolen financial and other data to companies whose customers are directly affected.
Traditional Defenses Not Stopping Breaches, Claims Real-World FireEye Study Techworld (01/12/15) Dunn, John E.
FireEye recently conducted an analysis of 48 entertainment and media firms running its sensors during a six-month real-world test phase between January and June 2014 and found 91 percent were believed to have suffered some kind of breach caused by a failure in conventional defenses. That figure was actually a small improvement on the 98-percent rate FireEye reported from an earlier 2013 study. FireEye also found advanced malware is now being used in almost 20 percent of security breaches. The report also examined 1,214 other firms in a range of sectors, and found the retail, agriculture, transportation, education, and healthcare industries suffered breaches in 100 percent of networks during the period, while federal and state governments recorded a 95 percent figure, services 94 percent, and high-tech 97 percent. However, the aerospace and defense industry did relatively well, achieving a still-high breach score of 76 percent. "The results of our Maginot studies clearly show that there are gaps in the way many global businesses are secured, opening the door for aggressive threat actors to conduct anything from state-sponsored espionage to cybercrime," says FireEye CEO Dave DeWalt.
Qaeda Group in Yemen Claims Responsibility for Charlie Hebdo Attack New York Times (01/14/15) Callimachi, Rukmini; Cowell, Alan
Al-Qaida in the Arabian Peninsula, which is based in Yemen, released a statement that formally claimed responsibility for last week's fatal attack at the offices of the newspaper Charlie Hebdo. The event, which killed 12 people at the newspaper and launched three days of violence that killed five more, has been labeled France’s equivalent of the 9/11 attacks. The statement by Al Malahem, the group's official publication arm, indicated that Charlie Hebdo had been targeted in response to its frequent caricatures of the Prophet Muhammad. The statement called Saïd and Chérif Kouachi “two heroes of Islam,” but said that the actions of Amedy Coulibaly, who took hostages at a kosher supermarket in Paris after the attack, were a coincidence, as he was a supporter of the rival group Islamic State. Al-Qaida leader Ayman al-Zawahri ordered the attack, following the wishes of his predecessor, Osama bin Laden, the document said. It is unknown why the group waited to claim responsibility, and there has been no independent confirmation that al-Qaida in the Arabian Peninsula was really responsible, but it can take days for organization leaders to grant approval of the claim and to prepare videos and documents. Analysts say that the attacks appear to demonstrate an evolution in al-Qaida tactics; heightened surveillance now means that operatives are trained and assigned general targets, but the organization does not address the details of how to actually carry out the operation. This looser command structure can reduce the chance of interception by intelligence and law enforcement agencies.
New Security Realities Revealed by Al-Qaeda's First Western Attack in a Decade Bloomberg BusinessWeek (01/14/15) Simpson, Cam
The claim this week by al-Qaida's Yemen affiliate that it was responsible for last week's deadly attack on the offices of Charlie Hebdo would make that incident al-Qaida's first successful attack on Western soil in nearly a decade. While al-Qaida in the Arabian Peninsula (AQAP), the group that claimed responsibility for the Charlie Hebdo attack, has mounted several attempts to attack the West recently, they have all failed or been thwarted. This has contributed to AQAP and the core al-Qaida leadership in Pakistan fading from public awareness, especially with the rise of the Islamic State. But the Charlie Hebdo attack, if it was indeed the work of AQAP, would prove that the terror network founded by Osama bin Laden is still a major threat and has found a way to adapt itself to fit modern day realities. Where the terror group was once known for a very centralized and top-down command structure that made it relatively easy to disrupt, the Charlie Hebdo attack suggests that the group, and AQAP in particular, has become much more decentralized, making the work of intelligence agencies hoping to track its members much more difficult. This is especially true in Europe where intelligence officials are also trying to keep track of the thousands of Europeans that have left to join the fight in Syria and Iraq and may be returning with military training and radical, violent beliefs.
Parallel Killings Merge Rival Groups' Terror Agendas in Paris Wall Street Journal (01/12/15) Trofimov, Yaroslav
The Islamic State and al-Qaida are currently fighting for the ideological hearts and minds of militant Islamists around the world, yet the men responsible for last week's attacks in Paris claimed allegiance to both groups. Before being killed by French police on Friday, Chérif Kouachi, one of the men who attacked the offices of Charlie Hebdo, claimed he and his brother Said had been sent by al-Qaida's affiliate group in Yemen. Meanwhile, Amedy Coulibaly, the man authorities say killed a policewoman and later took hostages at a Paris kosher supermarket before being killed himself, appeared in a video released by the Islamic State in which he pledges allegiance to the Islamic State's self-proclaimed caliph, Abu Bakr al-Baghdadi. In the video, Coulibaly claims that he lent the Kouachis money and that they were "a bit together, a bit separate," in their efforts. At the same time, the Islamic State dedicated the latest issue of its propaganda magazine Dabiq to criticizing al-Qaida and the leader of its Yemeni branch, even as that leader criticized al-Baghdadi for unilaterally appointing himself Caliph. The Islamic State is also still locked in combat with al-Qaida's Syrian affiliate, the Nusra Front. Experts say the scenario shows that while the two groups are jockeying for power and influence, their aims remain similar enough that their lower-level followers can feel comfortable collaborating, especially outside of the warzone in Iraq and Syria.
FBI Is Broadening Surveillance Role, Report Shows New York Times (01/12/15) Savage, Charlie
A newly declassified report by the Justice Department's inspector general shows that the FBI has gradually emerged as a significant player in administering the government's warrantless surveillance program. In 2008, the Bureau assumed the authority to review e-mail accounts that the NSA wanted to collect via the "Prism" system, which collects the online correspondence of foreigners from such providers as Google and Yahoo. Valerie E. Caproni, the FBI's top attorney, developed procedures to ensure no such accounts belonged to Americans. Then, in the fall of 2009, FBI officials began retaining copies of unprocessed communications gathered without a warrant to analyze for its own purposes. Less than three years later, the Bureau started nominating new e-mail accounts and phone numbers belonging to foreigners for collection. That information is in a 231-page study about the FBI's activities under the FISA Amendments Act of 2008, which authorized the surveillance program. In response to a Freedom of Information Act lawsuit filed by the New York Times, the U.S. government has made a semi-redacted version of the report public. The report, which was delivered late last week to the Times' offices, concluded that the FBI was doing a good job in making sure the e-mail accounts targeted for warrantless collection belonged only to noncitizens abroad. However, portions of the study were heavily redacted. There was just one uncensored reference to the Prism system, for example, and it was unclear why.
Heightened Security Checks Coming to U.S. Airports After AQAP Calls for Lone Wolf Plane Bombers CNN (01/14/15) Cruickshank, Paul; Brown, Pamela; Marsh, Rene
The Department of Homeland Security is increasing security at American airports on the heels of renewed calls from al-Qaida's Yemen-based associate for lone wolf attackers to target American airports and airliners. In the latest issue of its online magazine Inspire, al-Qaida in the Arabian Peninsula (AQAP) shared instructions for how to make a "hidden bomb" comparable to the bomb an AQAP member attempted to use to blow up an airliner over Detroit in 2009. That infamous "underwear bomb" used a sophisticated explosive called PETN, but the design published in the latest issue of Inspire uses more common and easily obtainable materials. Also included in the latest issue of Inspire, released Dec. 24, were instructions on how to evade airport security scanners and sniffer dogs and exhortations to readers to attack the U.S. with the goal of spreading terror and causing economic damage. The new security measures being put in place by DHS are likely to include additional random checks, passenger pat-downs, bag checks, and hand swabs to detect traces of explosives. DHS says that existing scanners should be able to detect the explosives outlined in the Inspire article, but notes that some smaller U.S. airports are not equipped with the latest scanners.
Secret U.S. Cybersecurity Report: Encryption Vital to Protect Private Data The Guardian (01/15/15) Ball, James
A newly uncovered U.S. National Intelligence Council cybersecurity report from 2009 warned that government and private computers were being left vulnerable to online attacks from Russia, China, and unaffiliated criminals because encryption technologies were not being implemented fast enough. One of the biggest challenges is an imbalance between offensive versus defensive capabilities due to the slower than expected adoption of encryption and other technologies, according to the report. The National Intelligence Council document made clear that encryption was the "best defense" for computer users to protect private data. An unclassified table accompanying the report states that encryption is the "[b]est defense to protect data," especially if made particularly strong through "multi-factor authentication" or biometrics. These measures remain all but impossible to crack, even for the NSA. The report warned: "Almost all current and potential adversaries – nations, criminal groups, terrorists, and individual hackers – now have the capability to exploit, and in some cases attack, unclassified access-controlled U.S. and allied information systems." It further noted that the "scale of detected compromises indicates organisations should assume that any controlled but unclassified networks of intelligence, operational or commercial value directly accessible from the internet are already potentially compromised by foreign adversaries."
U.K. and U.S. Intelligence Agencies to up Cyber Security Cooperation Reuters (01/16/15)
Britain and the United States are planning to strengthen their cooperation over cybersecurity by establishing "cyber cells" for sharing intelligence and conducting simulated attacks to test defenses, says British Prime Minister David Cameron. The cooperation will specifically be between Britain's GCHQ spy agency and the U.S. National Security Agency, which will conduct joint war games. The first exercise, to be completed later this year, will involve the Bank of England and commercial banks in both the City of London and Wall Street. Cameron is visiting Washington for two days to discuss the economy and security, and to meet with President Barack Obama over how the two nations can work more closely with big Internet companies to monitor communications between terror suspects.
Obama Rolls Out Multifront Strategy Against Cyberattacks Wall Street Journal (01/14/15) P. A4 Paletta, Damian; Nelson, Colleen McCain; Schwartz, Felicia; et al.
The White House has launched a strategy for dealing with cyberattacks that will include legislation to bolster corporate defenses and a summit to repair trust between the government and the private sector, among other things. The strategy comes as cyberattacks increase in frequency and complexity. President Barack Obama has proposed new, voluntary information-sharing directives between the government and companies to ensure parties have up-to-date information on cyberthreats. The White House also proposed stronger criminal penalties for certain cyberattacks and tougher laws against the overseas sale of stolen U.S. credit-card and bank-account numbers. Moreover, $25 million will be used to create a program through the Department of Energy to grant funds to historically black universities over five years to train more students in the field of cybersecurity. Many of the proposals will require congressional approval, but Republicans say they agree that cyberthreats must be addressed and that bipartisan legislation will be drafted soon.
Google Isn't Fixing Some Old Android Bugs Wall Street Journal (01/12/15) Yadron, Danny
Google recently stopped fixing security flaws in older versions of its mobile Internet browser, according to Pakistani security researcher Rafay Baloch. He discovered several bugs affecting the Internet browser in Google’s Android 4.3 Jelly Bean, which was originally released in mid-2013. Although the bugs he submitted in September were patched by Google, bugs he submitted a few months later prompted a response from Google support informing Baloch that Google was no longer developing patches for the browser on Android 4.3 and earlier. Android 4.3 was succeeded by Android 4.4 KitKat in October 2014 and by Android 5.0 Lollipop, released this past November. The browser in those later versions of Android changed the way websites are opened, making them immune to many of the bugs affecting the browser in earlier versions of the mobile OS. However, Rapid7's Todd Beardsley says Google has put many users of older Android devices at risk. About two-thirds of Android devices currently run Android 4.3 or earlier versions, leaving them potentially vulnerable to new exploits.
Hackers Could Make Smart Homes Stupid--or Worse Michigan Tech News (01/06/15) Donovan, Jennifer
Michigan Technological University professor Shiyan Hu is working to bolster smart-home security. He says now is the time to start thinking about cybersecurity nightmares, such as people gaining control of a home's central controller to play pranks like turning on all the lights in the middle of the night. Hackers also could potentially access every smart home in a neighborhood, wreak havoc on utility bills, and cause brownouts, if not blackouts. Hu's team is using machine-learning and data-mining techniques to develop algorithms that can determine if a central controller is getting accurate data and making good decisions. The algorithms would be built into the controller and the smart devices. The team is focused on both the local devices and the systems they control. "We need to analyze the security issues in each device and design ways to cross-check the devices and the systems," Hu says. He notes smart appliances learn from repeated behavior, and one form of cyberattack Hu describes is the pricing curve attack. A hacker could deceive a central controller into thinking that electricity rates are lower at peak time, so everything that was supposed to run at one time would come on at a later time instead. Multiple attacks potentially could cripple an entire neighborhood or town.