Everything related to Computer Security - Security Audits, Security Vulnerabilities, Intrusion Detection, Incident Handling, Forensics and Investigation, Information Security Policies, and a whole lot more.
Hackers Trick Email Systems Into Wiring Them Large Sums Wall Street Journal (07/29/15) Simon, Ruth
In what is known as “corporate account takeover” or “business email fraud,” many cybercriminals use publicly available information and flawed email systems to trick businesses into transferring money into fraudulent bank accounts. Malicious computer software can allow criminals to collect passwords to email systems, and then to falsify wire-transfer instructions. Although companies of all sizes have been targeted by these scams, small businesses are especially vulnerable because they lack the budget for security and investigations. Some insurers now offer “social engineering fraud” coverage as an add-on to standard crime policies. The schemes cost companies more than $1 billion from October 2013 through June 2015, the FBI reports, based on complaints from businesses in 64 countries. A recent advisory says that the FBI's Dallas office identified six Nigerians who had targeted about 25 local companies with emails that appeared to come from the companies' high-level executives. A spokeswoman for Nacha, the industry-run group overseeing ACH transactions, says that businesses are strongly advised to “work together with their financial institutions to understand and use sound business practices to prevent and mitigate the risk of corporate account takeover.”
Shadow IT on the Rise but Feds Unsure How to Tackle Security Risks NextGov.com (07/29/15) Golden, Hallie
Despite the increasing prevalence of unauthorized apps and devices, known as shadow IT, in the federal technology workspace, few decision-makers feel confident they can control its accompanying security risks. A recent SolarWinds survey of 200 federal IT officials found about 90 percent of respondents said they have noticed at least some shadow IT use in their organization. However, only 13 percent said they are “very confident” in their ability to protect their systems from the security risks that could come from the practice, according to the report. More than 50 percent of those polled said they predict shadow IT will become more popular over the next two years. The survey also examined the increasing popularity of IT shared services. "I think there's still a lot of opportunity for agencies to improve their offering of shared services, so that it is not just about cutting costs but it's actually about improving services," says SolarWinds' Mav Turner. The survey also examined the security concerns surrounding mobile devices in the workplace. Although most respondents said their agency does not give personal devices access to their system, 80 percent said they still worry about the security risks from mobile devices, according to the report.
Neglect Is Still the Biggest Threat to Data Security TechCrunch (07/27/15) Childs, Dustin
Research from multiple sources confirms that one of the greatest cybersecurity threats is the failure to properly patch systems. HP Security Research's 2015 Cyber Risk Report says nine of the most dangerous vulnerabilities currently active in the wild are more than three years old. US-CERT came to a similar conclusion after studying the 30 most-used network exploits, finding that 85 percent of them were easily preventable, in most cases by keeping systems patched. Although it is tempting to blame inadequate patching on laxity on the part of security professionals, many can defend failing to patch their systems as a reasonable, if risky, decision to make. Vendors frequently do a poor job of informing users when patches are available and what they will do, which is a problem because patches of crucial software have not infrequently caused problems. Microsoft, Apple, and Oracle all saw major patches cause problems for users last year. In Apple's case, an iOS update in September crippled several iPhone functions, leaving some users unable to make phone calls. One answer is greater automation of patching functions and greater effort on the part of vendors to ensure their patches won't cause problems and effectively communicating with users if that possibility remains.
U.S. Government Guide Aims to Bolster Security of Mobile Devices Used in Health Care IDG News Service (07/24/15) O'Connor, Fred
The U.S. National Institute of Standards and Technology’s cybersecurity center last week released a draft guide to help health IT professionals shore up the security of the mobile devices they use in their practice. The guide offers a thorough explanation of how to implement security procedures across a health care organization’s entire IT system, with sections explaining how to connect mobile devices to a cloud-based mobile device management service, how to set up a Linux-based firewall, and more. The guide also examines the potential security risks faced by health care organizations, with weak passwords, network sniffing, and stolen mobile devices ranked among the top issues. There is also advice on how to react to various security situations, such as losing a mobile device that can remotely access electronic health records. Other scenarios described in the report include implementing access controls to prevent hackers from being able to access patient information once they have infiltrated an organization’s network, for example through phishing attacks. Other suggestions in the report include using encryption to protect sensitive data and balancing security measures with ease-of-use for health care workers. The guide is open to public comment until Sept. 25.
Most Employees Don't Understand the Value of Data Help Net Security (07/27/15)
Fujitsu recently found only 7 percent of employees rate their business data higher than their personal information, highlighting the fact that employees do not understand the value of data. The report estimated 52 percent of employees admitted they value their own data more than their work data, and 43 percent either somewhat or completely agree they have no idea of the value of business data. In addition, 89 percent of consumers trust the security of personal emails over work emails. Although 58 percent of employees understand the risks associated with identity theft, more needs to be done from both organizations and employees, according to the report. "With one in three [30 percent] employees agreeing that they worry more about losing personal data than business data organizations have a challenge on their hands," says Fujitsu's Andy Herrington. He notes educating employees about the value of and how to protect their personal data is a good starting point for organizations.
FBI Emphasizes Speed as ISIS Exhorts Individuals to Attack New York Times (07/28/15) P. A11 Apuzzo, Matt; Schmidt, Michael S.
As Islamic State (ISIS) tries to inspire its followers to stage violent attacks, including those on U.S. soil, law-enforcement officials have picked up the speed in their arrests of suspected terrorists and ISIS sympathizers. Court records show that the FBI has arrested and charged at least 25 people in the last three months with having ties to militant groups such as ISIS, compared with 20 arrests over the previous year. Critics argue that this more rapid approach runs the risk of the government jeopardizing criminal cases and missing chances to gather intelligence. Thomas A. Durkin, a Chicago defense lawyer who has represented clients accused of supporting al-Qaida and ISIS, said the new cases are rushed and weaker. Justice Department and FBI officials argue that their chief mission is to prevent violence, although they acknowledge that ISIS has shown no ability to stage significant attacks within the United States. They note, however, that many sympathizers are willing to undertake small-scale attacks, such as stabbings and shootings that do not receive much planning. This means that FBI investigators are now trying to identify and prevent small-scale shootings and stabbings, which are more common in major U.S. cities and were not previously a priority for the FBI.
NSA to Destroy Records Collected Under Phone Spying Program Wall Street Journal (07/28/15) Paletta, Damian
The National Security Agency (NSA) intends to destroy the phone records of millions of Americans collected over almost 10 years. The Office of the Director of National Intelligence announced Monday that this will be done once NSA has resolved pending litigation and implemented a new surveillance law. President Barack Obama on June 2 signed the USA Freedom Act. The new law forbids bulk collection of Americans' records and requires that intelligence agencies obtain specific records directly from telephone companies. Under the new act, NSA has six months to wind down its existing program, which swept up almost all records from phone companies and stored the data on government servers. Those phone records that are part of pending lawsuits will be preserved until legal issues are resolved.
U.S. Security Conference Reveals Islamic State as Confounding Foe Wall Street Journal (07/27/15) Paletta, Damian
At the multi-day Aspen Security Forum in Colorado, U.S. national security officials said that Islamic State (ISIS) has had experts baffled by its immunity to many counterterrorism methods. Some experts say that the militant group operates quickly and stealthily, especially on social media, and the U.S. government is unprepared for it. One major challenge is a lack of intelligence in northern Iraq, Syria, and Libya, where ISIS thrives and the U.S. government has no military or diplomatic presence. “We didn't perfect the process of sharing information and sharing intelligence until this emergency really exploded in our faces,” said retired Marine Gen. John Allen, now a top State Department official. A second challenge is the use of social media by ISIS to recruit and inspire supporters and call for attacks in the United States. Although U.S. officials had successfully tracked and disrupted al-Qaida networks, ISIS militants tend to have looser bonds between them. FBI Director James Comey said that ISIS connects with possible sympathizers on social media, then hold conversations under encrypted technology that is difficult to monitor.
U.S. Psychologists Urged to Curb Questioning Terror Suspects New York Times (07/31/15) P. A1 Risen, James
The board of the American Psychological Association (APA) plans to recommend a stricter ethics policy that would prohibit psychologists from participating in national security interrogations. Under the proposal, it would be a violation of APA ethical policies for psychologists to participate in any national security interrogations involving military or intelligence personnel, even those that use noncoercive interrogations. The recommendation is based on a recent report on the involvement of psychologists and APA officials in the harsh interrogation programs of the Bush administration. An investigation found that APA officials colluded with the Pentagon to allow psychologists to be involved in harsh interrogations, and that prominent psychologists helped shield the CIA's interrogation program from ethical challenges. Although President Obama in 2009 signed an executive order banning the use of harsh techniques like waterboarding, administration officials say that psychologists still have roles in national security interrogations. It remains unclear how the proposed ban would affect current interrogation programs.
Lafayette Shooter Able to Buy Gun Because He Was Never Involuntarily Committed Washington Post (07/27/15) Brittain, Amy; Kovak, Joe
Georgia officials on Monday said that, despite having been ordered to a psychiatric hospital in 2008, John Russell Houser, the man who killed two women in a Louisiana movie theater last week before killing himself, was able to legally purchase a gun because he had not been involuntarily committed for treatment. Houser was ordered by a judge to a Georgia psychiatric hospital for evaluation in 2008 after appearing unannounced at his daughter's workplace in New Carrolton, Ga., to angrily object to her upcoming wedding. Houser's family sought a temporary protective order against him, citing his "volatile mental state." He was ordered to the West Central Georgia Regional Hospital in Columbus, but was not involuntarily committed, meaning he either submitted to treatment or was released. Under federal gun laws passed after the mass shooting at Virginia Tech in 2007, those who have been involuntarily committed are barred from owning guns, but Houser's case did not rise to that level. There are currently efforts underway to strengthen these laws, but they are opposed by many gun rights advocates and advocates for the mentally ill. Houser purchased the gun he used in last week's shooting spree at a pawn shop in Phenix City, Ala. last year.
Senators Call for Investigation of Potential Safety, Security Threats From Connected Cars Computerworld (07/28/15) Mearian, Lucas
U.S. Sens. Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) are calling for the National Highway Traffic Safety Administration (NHTSA) to investigate auto information and entertainment systems for potential consumer risks. The senators wrote a letter to NHTSA Administrator Mark Rosekind, saying that they see potential vulnerabilities from connected cars. Last week, it was revealed that a Chrysler Jeep could be hacked and remotely controlled. Security professionals used a cellular connection to demonstrate how they could gain remote access to the UConnect telematics system in a 2014 Jeep Cherokee and control the brakes, transmission, and ignition. Fiat Chrysler Automobiles issued a recall notice for 1.4 million vehicles to fix the software vulnerability, and NHTSA said last week that it plans to examine the effectiveness of the software patch. The senators in their letter asked the agency to look into cybersecurity vulnerabilities in other wireless connected cars. Andrew McLennan, president of embedded security vendor Inside Secure's mobile division, said that automakers must add cryptography to ensure that communications between software inside a device and between devices are authenticated.
Bank of America Tech Chief Says Metrics Are Key to Security Wall Street Journal (07/28/15) Nash, Kim S.
Bank of America Corp. has developed a set of metrics that applies analytics to improve cybersecurity processes. While no data analytics can precisely predict the next cyberattack, measuring progress in specific areas can better position the company to stop or respond to problems, said Catherine Bessant, chief operations and technology officer for Bank of America. The cybersecurity metrics include one for tracking the frequency of system scans, and one that counts the potential problems found in those scans. The bank studies the correlations among those metrics, as well as the length of time it takes to identify and remove trouble, known as the “dwell time.” Correlating data about such measures allows the bank to better tweak its processes, Bessant says. Most important, she says, is a focus on the bank's record for finding and keeping cybersecurity staff, as the bank must compete with other financial firms for security professionals. Bessant observes the percentage of vital security positions filled by top talent, and also monitors bench strength in those jobs.
Social-Media Firms Resist Role of Policing Terror Talk Wall Street Journal (07/27/15) Zakrzewski, Cat
The Senate Intelligence Committee added language to an annual intelligence-funding reauthorization bill last month that would require online companies such as Google, Facebook, and Twitter to disclose content found on their networks that could indicate terrorist activity. The content could include emails, tweets, and videos. Although the companies have declined to state a position on the new proposal, a recent post from the nonprofit Center for Democracy and Technology said the bill “would turn online service providers into law-enforcement watchdogs.” The new provision is modeled on existing federal requirements for policing child pornography, but tech company officials say that weeding out terrorist messages is more complicated. Monika Bickert, Facebook's head of policy management, noted that social-media activity that may be associated with terrorism is more subjective and depends on context. Law-enforcement agencies have struggled to deal with terrorist groups' growing use of social networks for recruitment and planning. FBI Director James Comey said at a recent hearing that technology companies “are pretty good about telling us what they see,” but declined to comment specifically on the provision.
Kill Switch Is No Dead Certainty to Stop Phone Theft Wall Street Journal (07/27/15) Elinson, Zusha; Ovide, Shira
Although smartphone “kill switches” that lock and deactivate the phone have been praised as a deterrent to phone theft, new data shows that the technology is not as effective as experts hoped. California this month became the first state to require that new smartphones be sold with the kill switches, introduced by Apple Inc. in 2013, enabled by default. Data collected by the Wall Street Journal show that iPhone thefts and robberies in Seattle rose by more than 30 percent in the year after the Apple kill switch was introduced. Older iPhones require owners to set up the kill-switch capability. Some criminals have figured out ways to impersonate the phone's true user and revive it, or know to turn off a stolen phone immediately to prevent owners or police from tracking its location. Deactivated phones can still be sold, although for a lower price than usable ones. These devices may be sold for parts, reactivated by those who know how, or sold to people unaware that they are stolen.
Over 10 Million Web Surfers Possibly Exposed to Malvertising CIO (07/27/15) Kirk, Jeremy
As many as 10 million people in the last 10 days may have been exposed to website advertisements that could have infected their computers with malware, security company Cyphort reported. If someone views a malicious advertisement, it may cause their browser to be automatically redirected to another site that attacks the computer. Nick Bilogorskiy, director of security research at Cyphort, wrote that his company has found that a number of highly trafficked websites still carry malicious ads that redirect people to websites rigged with the Angler exploit kit. An exploit kit probes a computer for software vulnerabilities that allow it to deliver malware. The redirection code planted in the malicious advertisements uses SSL/TLS encryption, making it more difficult for researchers to determine how users are redirected to the webpage hosting an exploit kit. The malicious ads were delivered to website publishers by a company called E-planning, which has been contacted and is working to fix the problem.