
Friday, July 24, 2015

Security Management Weekly - July 24, 2015



July 24, 2015
Corporate Security
  1. "U.S. Plans to Use Spy Law to Battle Corporate Espionage"
  2. "4 Ways to Engage Executives in Cyber Risk"
  3. "Inside the Hack of the Century"
  4. "Cyberthreats Take Aim at Individuals and Roles Inside Organizations"
  5. "Minimizing Risks from Contractors and Temporary Employees"

Homeland Security
  1. "FBI Director Says Islamic State Poses Greater Threat to U.S. Than al-Qaeda"
  2. "Obama's Trip Raises Security Concerns"
  3. "ISIS Transforming Into Functioning State That Uses Terror as Tool"
  4. "Pentagon Rejects Calls to Arm all U.S.-Based Military Personnel"
  5. "David Cameron Calls on Muslims in Britain to Help End Extremism"

Cyber Security
  1. "Security Researchers Find a Way to Hack Cars"
  2. "Adobe Patches Flash to Quash Last Two Zero-Days Unearthed in Hacking Team's Cache"
  3. "U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and Recent Push"
  4. "6 Encryption and Cryptography Pitfalls to Avoid"
  5. "Federal Researchers Developing New Spoof-Proof Email Security System"




U.S. Plans to Use Spy Law to Battle Corporate Espionage
Wall Street Journal (07/24/15) Barrett, Devlin

On Thursday, the Federal Bureau of Investigation announced that it plans to expand its use of the Foreign Intelligence Surveillance Act (FISA) to combat what it characterized as a surge in corporate espionage targeting U.S. firms. Randall Coleman, head of counterintelligence at the FBI, said that much of the corporate espionage is carried out by Chinese companies and that the Chinese government plays a "significant role" in the espionage. This involvement of the Chinese government is what justifies the use of the FISA courts to combat such corporate espionage. The FISA court was established in 1978 and serves as a check on the intelligence community and the FBI, which must receive a court order from the FISA court before they can conduct surveillance of suspected terrorists or spies. Coleman says that the FBI has seen a 53 percent increase in its economic-espionage caseload in the last year, including cases of spies breaking into manufacturing sites and using digital means to exfiltrate data from computer systems. A judge in Iowa recently approved the first use of FISA surveillance evidence in a corporate espionage case; in that case, a Chinese executive was accused of conspiring with others to smuggle high-tech corn seeds to China. The FBI says that companies of all sizes and in almost all industries are being targeted.

4 Ways to Engage Executives in Cyber Risk
Wall Street Journal (07/20/15)

A survey of retail executives conducted by Deloitte & Touche last year shows that many retailers are strengthening their cyber risk management programs, and more business executives are realizing that IT cannot be solely accountable for an organization's cyber risk. Two-thirds of survey respondents said that they are actively reviewing the National Institute of Standards and Technology's Cybersecurity Framework, with 21 percent either already using it or planning to adopt it in the near future. Still, retailers have more work to do to boost executive engagement and improve cyber risk management. Seventy-one percent of respondents said that a lack of funding was a primary barrier to more effectively executing cyber risk management programs. Only 37 percent of survey respondents say their organizations report to the board on a quarterly basis regarding their cyber risk posture, and 44 percent say their organizations never report on cyber risk to any stakeholders. To encourage executive interest in and oversight of cyber risk, CIOs can host a cyber risk heat-mapping session to identify the organization's top areas of cyber risk and set key risk and performance indicators. They can also simulate a cyber incident and examine the security implications of new technologies.

Inside the Hack of the Century
Fortune (07/01/15) Elkind, Peter

Earlier this year, Sony Pictures experienced a massive hack that resulted in long-term ramifications and sent shock waves through the heart of corporate America. The hack revealed some shocking points: the hackers broke into Sony's files and remained undetected for months, stealing the company's data; once the malware was launched and the real attack began, half of Sony's global network was crippled in the span of a single hour. Reports show that Sony, a tech-savvy company that sells digital products, should have had the capacity to stop the attack outright, and the lack of a response plan combined with poor public relations efforts after the hack compounded the already disastrous situation. Experts noted that Sony employed questionable IT practices, including an abject failure to update security software. In fact, prior to this year's breach, Sony experienced 20 hacks in 2011 alone. Emails revealed that the studio's cybersecurity chief even resisted security changes, saying "I will not invest $10 million to avoid a possible $1 million loss." Insiders claim the studio had multiple security weaknesses, including lackadaisical password procedures, prompting an auditor to note that if the company were a bank, it would be out of business. The public relations nightmare came when the studio decided to immediately cease all marketing for The Interview, a controversial film depicting the death of North Korean leader Kim Jong Un and the stated motivation behind the attack. Experts claim that not only was Sony completely and inexcusably unprepared for the attack, but the way it responded, by caving to the attackers' demands, was equally poor and only did more damage in the wake of what could possibly end up being the largest data hack in history.

Cyberthreats Take Aim at Individuals and Roles Inside Organizations
Wall Street Journal (07/20/15)

Cybercrime has advanced beyond simply attacking a company and its data. Individuals with access to privileged information—such as chief financial officers, heads of HR and other senior leadership and boards of directors across enterprises—are now finding themselves at risk as well. Mike Denning, vice president of global security at Verizon Enterprise Solutions, and Ed Powers, Deloitte Advisory U.S. managing principal for Cyber Risk Services at Deloitte & Touche LLP, released their 2015 Data Breach Investigations Report (DBIR), which covers preparing for and responding to security breaches. Both agree that targeted attacks are one of the fastest-evolving trends in cybercrime. They believe that these attacks, which target individuals of stature, can be stopped by a fully cooperative process involving every level of management. Engaging other parties is critical. For example, organizations and their executives will want to have a plan in advance for how to engage with law enforcement, and to what degree, before they're at the door. In the event of a breach, chances are that an organization will need to make some decisions in a heated and intense environment. There are few ways to stop a breach completely, but by involving every possible party, the damage can be controlled and future attacks can be prepared for before they even begin.

Minimizing Risks from Contractors and Temporary Employees
Security Magazine (07/01/15) Zalud, Bill

Companies rarely consider the negative security implications that come with working with contractors and subcontractors. This can be a very big mistake. There have been multiple high-impact examples of contractors revealing sensitive information, most famously Edward Snowden burning the NSA. There are a few ways for companies to make sure they are hiring only the best contractors. Make background checks a priority. Thomson Reuters has a tool called CLEAR, which provides public and proprietary records with real-time data, graphical connections between people, addresses, and numbers, integrated web searching, and customized reports. Another firm, HireRight, provides criminal background checks, verifications, and drug and health screening. Companies should also check social media before contracting anyone. Ultimately, the goal should be to treat temps and contract workers the same way you would in-house employees. They all bring the same potential threats to the table, and only a thorough review can weed out the good options from the very bad ones.

FBI Director Says Islamic State Poses Greater Threat to U.S. Than al-Qaeda
Los Angeles Times (07/23/15) Bennett, Brian

Speaking at the Aspen Security Forum on Wednesday, Federal Bureau of Investigation Director James B. Comey told the audience that the Islamic State now poses a larger threat to the American homeland than al-Qaida. Comey explained that this is due to the weakening of al-Qaida in the face of American military strikes targeting the group, and IS's increasing output of social media messages exhorting Muslims to violence against the U.S. Al-Qaida's Syria-based Khorasan Group had been a major source of concern for the U.S., with intelligence suggesting the group was trying to recruit fighters with European or American passports to carry non-metallic explosives onto passenger planes. However, Comey says that U.S. airstrikes targeting the group have severely limited its ability to operate. One of the group's senior leaders, Muhsin Fadhli, was recently killed in a U.S. drone strike. Comey says that IS, on the other hand, has learned how to "crowdsource terrorism," producing thousands of online messages each month exhorting Americans to launch attacks within the U.S. Comey says that the "sheer volume" of such content generated by IS's social media team is a major concern, with 21,000 people currently following English-language Twitter accounts promoting IS.

Obama's Trip Raises Security Concerns
CNN (07/23/15) Starr, Barbara

President Barack Obama's trip to Kenya this week has created security concerns due to the possibility of an attack staged by Al-Shabaab militants in East Africa. In the last week alone, the U.S. military has conducted nearly half a dozen secret air strikes in Somalia against the group, considered al-Qaida's Africa affiliate, after intelligence indicated an imminent attack against Kenyan troops there. Although the Pentagon is offering little information, the terror group's strikes may be timed to the President's visit. While U.S. officials do not believe Al-Shabaab can get near Obama, Rand Corporation analyst Seth Jones suggests that the group could seek out more vulnerable targets for attack to send a message to Kenyans that their government cannot keep them safe. Such targets could include shopping malls and schools, which Al-Shabaab has attacked in the past. A Kenyan flight bulletin outlining some details of the President's trip has been released; although such details are usually kept secret, administration officials say that none of the public details pose a risk to Obama's security.

ISIS Transforming Into Functioning State That Uses Terror as Tool
New York Times (07/21/15) Arango, Tim

There is a growing belief among those who study the Islamic State (IS) that the group is laying the groundwork to become a functioning state and that its defeat is not nearly as inevitable as many in the outside world may believe. Despite the group's well-known brutality, enforcing an austere and violent interpretation of Islamic law among the populace, it has also brought a degree of stability and integrity that those living under its rule have rarely, if ever, seen in the region. The territory in Iraq and Syria controlled by IS has been ruled over the last several decades by alternately violent and corrupt regimes, and the recent history of both countries is full of the arbitrary violence of civil war and sectarian conflict. By comparison, IS officials refuse to take bribes, and the group's justice, while brutal, is consistent. Those who follow the rules often find they can live in relative peace, something most people in the region haven't known for years. At the same time, IS is building up the institutions of a functioning state, instituting and enforcing laws and regulations, providing identity cards, and maintaining infrastructure. Many experts worry that should the conflict with the group drag on without any serious changes, IS will only grow more established, the way the Taliban did in Afghanistan during the 1990s.

Pentagon Rejects Calls to Arm all U.S.-Based Military Personnel
Associated Press (07/22/15)

On Wednesday, Department of Defense spokesman Capt. Jeff Davis told reporters that the Pentagon has no intention of changing its policy forbidding service members from being armed while on U.S. soil. American soldiers are prohibited by law from carrying weapons while on U.S. soil, with some exceptions. Calls have gone up among some politicians and military leaders to arm troops in the U.S. following the attacks on a recruiting station and a Navy and Marine reserve station in Chattanooga, Tenn., that left four Marines and one sailor dead last week. Gen. Mark Milley, who has been tapped to be the next Army chief of staff, told the Senate Armed Services Committee this week that he would support arming soldiers manning recruiting stations in some situations. At least seven governors have taken actions authorizing their state National Guard members to carry weapons while on duty. Citizens groups around the country, including many veterans, have taken to standing openly armed outside of military recruiting stations while demanding that troops be allowed to be armed. Tennessee's congressional delegation has introduced a bill that would allow troops stationed in the U.S. to carry weapons. However, the military has largely resisted these efforts, saying that arming troops in the U.S. would create more problems than it would solve.

David Cameron Calls on Muslims in Britain to Help End Extremism
New York Times (07/21/15) Erlanger, Steven

British Prime Minister David Cameron on Monday called on his government and Britain's Muslim community to work together to counter the threat of Islamic extremism, which he called "the struggle of our generation." Cameron called on British Muslims to reject violence, "condemn conspiracy theories," and challenge extremism. Cameron said that it was important to understand and directly address the reasons some young Muslims are drawn to extremism, naming among these reasons the forcefulness of its message and a sense of alienation from British culture felt by some Muslims. "The extremist worldview, both violent and nonviolent, is what we have to defeat," said Cameron. However, Cameron also said that the British government had to be more forceful in pushing back in faith-based debates about contentious issues like forced marriage, female genital cutting, and the legitimacy of Shariah courts. He also called on Internet and social media companies to do more to counter extremists' efforts to use their services to spread a message of hate and violence. The speech was ostensibly to announce a new five-year strategy to counter extremism, but Cameron's speech had few specifics, and the Prime Minister said the actual strategy would not be released until later this year.

Security Researchers Find a Way to Hack Cars
New York Times (07/21/15) Perlroth, Nicole

After two years of labor, security researchers Charlie Miller and Chris Valasek plan to demonstrate a method to hack into and control hundreds of thousands of vehicles at the annual Black Hat and Def Con hacking conferences in August. They used the Internet to monitor cars by their location, determine their rates of speed, turn their blinkers and lights on and off, and manipulate their windshield wipers, radios, navigation, and, in some instances, control brakes and steering. An earlier technique in which Miller and Valasek controlled certain vehicles' steering and speed by plugging into a diagnostic port was of little use to automakers. The researchers tinkered with a Jeep equipped with a car stereo head unit that linked to the Internet via a hardware chip that provides a wireless and a cellular network connection. A defect in the chip enabled Miller and Valasek to scan the Internet for affected vehicles, break into the car stereo head unit, and run their own code. They followed this with a successful hack into another chip in the same head unit that controlled the vehicle's electronics, and they found any car with the same head unit was hackable. Their research will likely be an initial discovery into vulnerabilities and attacks targeting the Internet of Things.

Adobe Patches Flash to Quash Last Two Zero-Days Unearthed in Hacking Team's Cache
Computerworld (07/14/15) Keizer, Gregg

The makers of the largest Internet browsers are scrambling to respond following the public disclosure of at least three new zero-day exploits affecting Adobe's Flash software that were part of a cache of data stolen from Italian surveillance firm Hacking Team and posted online last week. Both Google and Mozilla updated their browsers, Chrome and Firefox, on Tuesday. Google released an updated version of Chrome with a patched version of Flash, while Mozilla took the unusual step of disabling Flash by default in its Firefox browser. However, Microsoft was criticized for failing to update its Internet Explorer and Edge browsers, as well as for failing to even mention the new Flash zero-days in a Tuesday blog post from the Microsoft Security Response Center. Meanwhile, Adobe released an updated version of Flash, version, which patched two of the three zero-days that have been uncovered from the Hacking Team leak. Users should immediately download the new version of Flash from Adobe's website.

U.S. vs. Hackers: Still Lopsided Despite Years of Warnings and Recent Push
New York Times (07/18/15) Shear, Michael D.; Perlroth, Nicole

Senior cybersecurity officials, lawmakers, and technology experts say even after an intensive 30-day "cybersprint," the federal government remains riddled with cybersecurity issues. The cybersprint, an effort bringing together federal employees and volunteer hackers, was a reaction to the major data breach announced last month that exposed the records of more than 20 million people, and sought to tackle some of the most basic cybersecurity issues at the federal level. The government is expected to tout the effort as a success, and it has managed to get two-factor authentication up and running in several places and helped plug several serious holes at various agencies. However, critics say a much more massive and long-term effort will be needed to address the chronic cybersecurity issues facing federal agencies. Many agencies have repeatedly had their flaws and vulnerabilities pointed out in audits and investigations only to do nothing and subsequently be breached. Insiders and former insiders say the problems are many, ranging from a lack of funding and vision among agency leadership to trouble recruiting top talent and a frustrating bureaucracy that makes retaining that talent challenging.

6 Encryption and Cryptography Pitfalls to Avoid
Information Management (07/07/15) Panettieri, Joe

Cryptography can ensure the confidentiality of data, protect data from unauthorized modification, and authenticate the source of the data, according to IEEE. However, there also are common, easily avoidable pitfalls to mastering cryptography. Designing customized cryptographic algorithms can have subtle problems that lead to weaknesses, so it is better to use standard algorithms and libraries. Developers using standard libraries can sometimes make incorrect assumptions about how to leverage the library routines, and understanding the nuances of algorithm and library usage is an important skill for applied cryptographers, IEEE says. Organizations should be wary of key management systems that fail to allow for the revocation or rotation of keys, or systems that use cryptographic keys that are too short or predictable. "In addition to obtaining numbers with strong cryptographic randomness properties, care must be taken not to re-use the random numbers," IEEE notes. Successful practices should be used throughout an organization instead of having different teams implement their own cryptographic routines. Finally, organizations should adapt and evolve by keeping up with the latest industry trends.
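The pitfalls listed above (custom algorithms, misused library routines, keys that cannot be rotated or revoked, keys that are too short, and reused random values) can be made concrete in code. The following is an added example written for this digest, not code from IEEE or from the article; it uses only the Python standard library (`hmac`, `hashlib`, `secrets`) so that no custom primitive is designed. The `KeyRing`, `Authenticator`, `NonceReuseError` and `run_demo` names, the 32-byte minimum key length and the sample messages are all assumptions constructed for the demonstration. The example uses a standard MAC (HMAC-SHA256) rather than an encryption routine so that it runs without third-party packages; the key-management and nonce-handling points apply identically to encryption keys.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Assumed policy for this example: refuse keys shorter than 256 bits
# (the "keys that are too short" pitfall).
MIN_KEY_BYTES = 32


class NonceReuseError(Exception):
    """Raised when the same (key id, nonce) pair would be used twice."""


class KeyRing:
    """Keys addressed by id, so they can be rotated and revoked without redeploying code."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.revoked: Set[str] = set()
        self.active: Optional[str] = None  # key id used for new tags

    def add_key(self, key_id: str, key: bytes) -> None:
        if len(key) < MIN_KEY_BYTES:
            raise ValueError(f"key {key_id!r} is {len(key)} bytes; need at least {MIN_KEY_BYTES}")
        self.keys[key_id] = key

    def rotate(self) -> str:
        # Fresh key from the OS CSPRNG; older keys stay valid for verification until revoked.
        key_id = "k-" + secrets.token_hex(4)
        self.add_key(key_id, secrets.token_bytes(MIN_KEY_BYTES))
        self.active = key_id
        return key_id

    def revoke(self, key_id: str) -> None:
        self.revoked.add(key_id)


class Authenticator:
    """HMAC-SHA256 tags over (key id, nonce, message) using keys from a KeyRing."""

    def __init__(self, ring: KeyRing) -> None:
        self.ring = ring
        self.used: Set[Tuple[str, bytes]] = set()  # guards against nonce reuse per key

    @staticmethod
    def _tag(key: bytes, key_id: str, nonce: bytes, message: bytes) -> bytes:
        # Bind the key id and nonce into the MAC input so a tag cannot be
        # replayed under another key or another nonce.
        return hmac.new(key, key_id.encode() + nonce + message, hashlib.sha256).digest()

    def protect(self, message: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes, bytes]:
        if self.ring.active is None:
            raise RuntimeError("no active key; call KeyRing.rotate() first")
        key_id = self.ring.active
        # Default: 128-bit random nonce from the CSPRNG. Caller-supplied nonces are
        # checked against the registry so a value is never reused under one key.
        nonce = secrets.token_bytes(16) if nonce is None else nonce
        if (key_id, nonce) in self.used:
            raise NonceReuseError("nonce already used under this key")
        self.used.add((key_id, nonce))
        return key_id, nonce, self._tag(self.ring.keys[key_id], key_id, nonce, message)

    def verify(self, key_id: str, nonce: bytes, message: bytes, tag: bytes) -> bool:
        key = self.ring.keys.get(key_id)
        if key is None or key_id in self.ring.revoked:
            return False
        expected = self._tag(key, key_id, nonce, message)
        # compare_digest, not ==: the library provides it precisely so that tag
        # comparison does not leak timing information (a "misused routine" pitfall).
        return hmac.compare_digest(expected, tag)


def run_demo() -> Dict[str, bool]:
    """Exercise each pitfall on constructed input; every value should be True."""
    ring = KeyRing()
    first_key = ring.rotate()
    auth = Authenticator(ring)
    msg = b"approve transfer 42"  # constructed sample message
    key_id, nonce, tag = auth.protect(msg)
    results = {
        "genuine_accepted": auth.verify(key_id, nonce, msg, tag),
        "tampered_rejected": not auth.verify(key_id, nonce, b"approve transfer 4200", tag),
    }
    try:
        auth.protect(msg, nonce=nonce)  # same nonce under the same key
        results["nonce_reuse_blocked"] = False
    except NonceReuseError:
        results["nonce_reuse_blocked"] = True
    try:
        ring.add_key("weak", b"\x00" * 8)  # 64-bit key
        results["short_key_rejected"] = False
    except ValueError:
        results["short_key_rejected"] = True
    ring.rotate()  # new active key; old tags must still verify
    results["old_key_valid_after_rotation"] = auth.verify(key_id, nonce, msg, tag)
    ring.revoke(first_key)  # compromise response: old tags must now fail
    results["revoked_key_rejected"] = not auth.verify(key_id, nonce, msg, tag)
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Rotation and revocation are deliberately separate operations: rotating only changes which key signs new messages, so existing tags keep verifying during the changeover, while revocation is the emergency action that invalidates everything under a key at once.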

Federal Researchers Developing New Spoof-Proof Email Security System
(07/07/15) Ravindranath, Mohana

The National Institute of Standards and Technology (NIST) is designing a security platform to authenticate mail servers using cryptographic keys. The platform would let individual users encrypt emails to ensure "entities to which they believe they are connecting are the entities to which they are actually connecting," according to a NIST draft report on the topic. NIST also plans to soon issue Federal Register notices to vendors developing individual parts of the end-to-end system, according to NIST adviser Curt Barker. He says NIST has identified vendors for such components as "office automation environment" and "server-based electronic mail security products." Barker says the vendors will be asked to take part in a collaborative relationship with NIST without being directly compensated. He notes that NIST hopes to demonstrate to users that "they can integrate the security platform into an existing system." The draft warns that using a sub-par system could result in "unauthorized parties being able to read or modify supposedly secure information, or to use email as a vector for inserting malware into the system," among other consequences.

Abstracts Copyright © 2015 Information, Inc. Bethesda, MD
