IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

House Panel Passes Cyberthreat Info Sharing Bill


After beating back amendments by Democratic members to limit liability protections for businesses, the House Homeland Security Committee on April 14 unanimously approved cyberthreat information sharing legislation on a voice vote.


The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to the full House, where differences with another cyberthreat information sharing measure approved by the House Intelligence Committee last month will be worked out. House leaders indicated that the full House could vote on cyberthreat information sharing legislation as early as next week.


In the Senate, a version of its cyberthreat information sharing bill could come up for a vote shortly. Senate Majority Leader Mitch McConnell included the Cybersecurity Information Sharing Act passed last month by the Senate Intelligence Committee as among several bipartisan bills that the Senate is "working hard to advance."


The National Cybersecurity Protection Advancement Act of 2015, approved by the House Homeland Security Committee, provides many of the privacy and civil liberties protections sought by President Obama that were absent in the earlier cyberthreat information sharing legislation that passed the House in the two previous Congresses and that the White House had threatened to veto.

Limits Placed on Shared Data

The House committee approved one amendment that explicitly states that shared cyberthreat information processed through the National Cybersecurity and Communications Integration Center - known as NCCIC, the Department of Homeland Security portal - could not be used for law enforcement or intelligence purposes. Civil liberties groups have raised concerns that some cyberthreat information sharing bills could allow the use of collected cyberthreat data to spy on Americans, violating their privacy and liberties.


The legislation would require private companies to remove personally identifiable information unrelated to the cybersecurity risk before sharing information with the NCCIC or other private entities. It would also require the NCCIC to conduct a second scrub and destroy any personal information that is unrelated to the cybersecurity risk before further sharing with other government agencies or private organizations.


The aim of the cyberthreat information sharing legislation is to encourage businesses and other private organizations to voluntarily share threat data with the government and with other businesses to mitigate damaging cyber-attacks. But some businesses are reluctant to share unless they are protected from legal action, which led to the various provisions offering liability protection.

Liability Provisions Remain Intact

The Democratic minority on the House Homeland Security Committee, along with the Obama administration, contend that the liability protections offered to businesses in the committee's bill were too broad, providing legal protections when not warranted. An amendment offered by Rep. Cedric Richmond, D-La., would have removed liability protection for businesses that received threat data but failed to act on it. "If you abide by the provisions of this act," Richmond said, "then you're exempt from liability. It's just that simple. Instead of adding all these other concepts to the liability language, if we take the time to pass a bill and you abide by it, you have liability exemption. If you don't, then you don't have exemption."


But the bill's cosponsor, Republican Rep. John Ratcliffe of Texas, said the broader liability protections in the bill are aimed to get the greatest number of businesses to participate in cyberthreat information sharing. "Stakeholders are concerned about putting their customers or consumers at risk, and their information at risk; they're concerned about exposing their own sensitive business information by sharing," Ratcliffe said. "And, they're also concerned about possibly violating federal privacy laws. Having strong liability protection is going to be absolutely critical and vital to the success of this bill, and the phraseology in this bill is absolutely critical and essential to that point."

The bill originally provided liability protection for businesses that conducted their network security awareness activities in "good faith," but the committee voted to excise those words from the measure because, as McCaul noted, the term is too ambiguous and could lead to confusion in enforcing the measure should it become law.

Awaiting Word from White House

The White House has not said whether it would support or veto any of the cyberthreat information sharing bills winding their way through Congress. Statements of Administration Policy, such as the ones containing the earlier veto threats, usually are issued shortly before one of the chambers is set to vote on the legislation.

After the committee vote, the Financial Services Roundtable called for swift floor action on the legislation. "Congressional action to better protect consumers from cyber-attacks is long overdue," said Tim Pawlenty, CEO of the Roundtable, a financial services industry advocacy group. "We applaud the House for addressing gaps in our nation's cybersecurity laws and urge both chambers of Congress to quickly put a bill on the president's desk."



US Senate committee advances cyber-surveillance bill


The Senate intelligence committee advanced a priority bill for the National Security Agency on Thursday afternoon, approving long-stalled cybersecurity legislation that civil libertarians consider the latest pathway for surveillance abuse.

The vote on the Cybersecurity Information Sharing Act, 14 to 1, occurred in a secret session inside the Hart Senate office building. Democrat Ron Wyden was the dissenter, calling the measure “a surveillance bill by another name”.

Senator Richard Burr, the committee chairman, said the bill would create avenues for private-to-private, private-to-government and government-to-private information sharing.

The bill’s bipartisan advocates consider it a prophylactic measure against catastrophic data theft, particularly in light of recent large-scale hacking of Sony, Target, Home Depot and other companies.

Private companies could share customer data “in a voluntary capacity” with the government, Burr said, “so that we bring the full strength of the federal government to identifying and recommending what anybody else in the United States should adopt”.

“The sharing has to be voluntary, not coercive, and it’s got to be protected,” said Senator Dianne Feinstein, the committee’s vice-chair, adding that the information would pass through the Department of Homeland Security – and “transferred in real time to other departments where it’s applicable”.

Feinstein said the bill’s provisions would “only be used for counterterrorism purposes and certain immediate crimes”.

Several iterations of the cybersecurity bill have failed in recent years, including a post-Edward Snowden effort that the committee, then under Democratic leadership, approved last year. President Obama, renewing the push earlier this year, has called for a bill to enhance information sharing between businesses, particularly banks and others in the financial sector, and the federal government about indications of malicious network intrusions.


Both the administration and Congress intend the legislation to join a panoply of recent moves to bolster cybersecurity, including February’s announced creation of a consolidated center within the intelligence agencies for analysis of internet-borne threats.

“This bill will not eliminate [breaches] happening,” Burr said. “This bill will hopefully minimize the impact of a penetration because of the real-time response.”

Feinstein said that companies, “reluctant to share with the government because they are subject to suit” would be protected from lawsuits “for cybersecurity purposes” under the bill.

But the bill faces strong opposition inside and outside Congress. Beyond expanding government’s reach into private data outside warrant requirements, it mandates real-time access to that data for intelligence agencies and the military.

‘Significantly undermine privacy and civil liberties’

Privacy advocates consider the bill to provide a new avenue for the NSA to access consumer and financial data, once laundered through the Department of Homeland Security (DHS), the initial public repository for the desired private-sector information. Campaigners consider the emphasis placed by the bill’s backers on DHS’s role to be a misleading way of downplaying NSA access to win congressional support.

A coalition of nearly 50 technologists, privacy groups and campaigners wrote to the committee earlier this month urging rejection of a bill that would “significantly undermine privacy and civil liberties” and potentially permit corporations to “hack back” at perceived network intrusions.

The bill “does not effectively require private entities to strip out information that identifies a specific person prior to sharing cyber-threat indicators with the government, a fundamental and important privacy protection,” the 2 March letter reads. Its changes to federal law “would permit companies to retaliate against a perceived threat in a manner that may cause significant harm, and undermine cybersecurity”, particularly given the misattributions of responsibility frequently seen in hacking cases.

Companies can only take “defensive measures” and not “countermeasures against another company”, Feinstein said.

Burr said that language in the bill would require companies to “remove all personal information before that data is transferred to the federal government”, and that the Department of Homeland Security would scrub any data not cleaned by companies. “We’ve tried to minimize in that any personal, identifying data that could be captured,” he said.

But Burr admitted the bill would still allow companies to share directly with the NSA, and could potentially receive liability protections if information is shared “not electronically”. “Our preference is the electronic transfer through the DHS portal,” he said.

While the NSA has labored to convince the public to move on from international condemnation of its digital dragnets – though Congress has passed no legislation to curtail them – acrimony within the tech sector at the surveillance giant persists.

At a Washington forum last month, Yahoo’s chief security officer confronted the NSA’s chief, Admiral Mike Rogers, over a recent push by US security agencies to undermine encryption for government benefit, a revival of the so-called “Crypto Wars” of the 1990s.

Alex Stamos of Yahoo challenged Rogers to explain why his company should not do the same thing on behalf of US adversaries or competitors to facilitate their spying on the United States. Rogers, in what was seen as a heated exchange, resisted the comparison.

Against that backdrop of suspicion, it is uncertain if the new cybersecurity bill can garner the votes in the broader Senate and House that its predecessors could not. The digital-rights group Access on Thursday was already seeking to mobilize its membership to call legislators in objection to the bill.

Wyden declined to comment to reporters, saying as he left the meeting: “You guys know I like talking about this stuff but I can’t say anything.”

He later articulated his dissent in a statement: “The most effective way to protect cybersecurity is by ensuring network owners take responsibility for security. Strong cybersecurity legislation should make clear that government agencies cannot order US hardware and software companies to build weaker products, as senior FBI officials have proposed.”



Via Paulo Félix

OpenDNS trials system that quickly detects computer crime


A security system undergoing testing by a San-Francisco-based company aims to speed up the detection of websites and domains used for cybercrime.

The technology is being developed by OpenDNS, which specializes in performing DNS (Domain Name System) lookups. The DNS translates domain names such as idg.com into the IP address that a browser connects to.

OpenDNS offers a secure DNS service for ISPs and organizations that blocks requests from Web browsers to sites that may be associated with cybercrime or spoof a company such as PayPal.

The company, which was founded in 2005, has grown so much that its systems respond to some 71 billion DNS requests per day. That’s just 2 percent of global DNS traffic but is enough of a sample to pick up on many cybercrime campaigns.

The new system, called Natural Language Processing rank (NLPRank), looks at a range of metrics around a particular domain name or website to figure out if it's suspicious.

It scores a domain name to figure out if it’s likely fraudulent by comparing it to a corpus of suspicious names or phrases. For example, g00gle.com—with zeros substituting for the letter “o”—would raise a red flag.

Many cybercriminal groups have surprisingly predictable patterns when registering domains names for their campaigns, a type of malicious vernacular that OpenDNS is indexing. Bogus domain names use company names, or phrases like “Java update,” “billinginfo” or “security-info” to try to appear legitimate.

But there’s a chance that NLPRank could trigger a false positive, flagging a variation of a domain that is legitimate, said Andrew Hay, director of security research at OpenDNS.

To prevent false positives, the system also checks whether a particular domain is hosted in the same network, identified by its ASN (autonomous system number), that the company or organization usually uses. NLPRank also looks at the HTML composition of a new domain; if it differs from that of the real organization's site, it can be a sign of fraud.
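The checks described above, as an added example that is not OpenDNS's code: a scorer that maps look-alike characters back to the letters they imitate, measures edit distance against a short list of protected brands, looks for the recurring vocabulary of malicious registrations, and applies the ASN check so that a legitimate variation hosted in the brand's own network is not flagged. The brands, ASNs, keyword corpus, weights and cut-offs are assumptions chosen for illustration.

```python
"""
Lookalike-domain scoring in the spirit of OpenDNS's NLPRank.

Added example, not OpenDNS code. The homoglyph table, protected brands,
keyword corpus, ASN numbers and sample domains are constructed for
illustration; a real deployment would derive them from observed
registrations and BGP data. Standard library only.
"""
import re

# Substitutions attackers use to imitate letters (multi-char entries first).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t")]

# Brands to protect and the autonomous systems their real sites usually
# resolve into (illustrative ASNs, not authoritative).
PROTECTED_BRANDS = {"google": {15169}, "paypal": {17012}, "microsoft": {8075}}

# Phrases that recur in malicious registrations ("Java update", "billinginfo",
# "security-info" in the article); a constructed subset.
SUSPICIOUS_TOKENS = {"update", "java", "billing", "billinginfo", "security",
                     "secure", "login", "signin", "verify", "account", "support"}


def normalize(label):
    """Map look-alike characters back to the letters they imitate."""
    label = label.lower()
    for glyph, letter in HOMOGLYPHS:
        label = label.replace(glyph, letter)
    return label


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Label left of the TLD; public-suffix handling is out of scope here."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_domain(domain, observed_asn=None):
    """Return a score, verdict and the reasons that produced them.

    Weights and cut-offs are assumptions chosen for this example."""
    label = registrable_label(domain)
    tokens = [t for t in re.split(r"[-_]", label) if t]
    score, reasons, brand_hit = 0, [], None

    for tok in tokens:
        norm = normalize(tok)
        for brand in PROTECTED_BRANDS:
            if tok == brand:
                brand_hit = brand
                if len(tokens) > 1:            # paypal-billinginfo-security
                    score += 25
                    reasons.append(f"'{brand}' combined with other words")
            elif norm == brand:                # g00gle, micros0ft, paypa1
                brand_hit, score = brand, score + 60
                reasons.append(f"homoglyph spoof of '{brand}' ({tok})")
            elif len(norm) >= 5 and levenshtein(norm, brand) <= 2:   # gogle
                brand_hit, score = brand, score + 40
                reasons.append(f"'{tok}' within edit distance 2 of '{brand}'")
            elif brand in norm:                # googleblog, paypalsecure
                brand_hit, score = brand, score + 30
                reasons.append(f"'{brand}' embedded in '{tok}'")

    bad = [t for t in tokens if normalize(t) in SUSPICIOUS_TOKENS]
    if bad:
        score += min(30, 15 * len(bad))
        reasons.append("suspicious words: " + ", ".join(bad))

    # The ASN check from the article: hosting inside the brand's own network
    # is strong evidence the "variation" is legitimate and avoids a false positive.
    if brand_hit and observed_asn is not None:
        if observed_asn in PROTECTED_BRANDS[brand_hit]:
            score -= 50
            reasons.append("hosted in the brand's usual ASN")
        else:
            score += 15
            reasons.append("hosted outside the brand's usual ASN")

    score = max(0, score)
    verdict = "block" if score >= 50 else "review" if score >= 25 else "allow"
    return {"domain": domain, "brand": brand_hit, "score": score,
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    samples = [("google.com", 15169), ("g00gle.com", 64500),
               ("googleblog.com", 15169), ("paypal-billinginfo-security.com", None),
               ("micros0ft-java-update.com", 64500)]
    for domain, asn in samples:
        r = score_domain(domain, asn)
        print(f"{r['verdict']:6} {r['score']:3}  {domain:36} {'; '.join(r['reasons'])}")
```

Run it and the legitimate variation googleblog.com comes back "allow" when it is seen in the brand's ASN, while the same label hosted elsewhere lands in "review" rather than "block"; the HTML-composition comparison the article also mentions is not modelled here, and a production version would need public-suffix handling and a brand list far longer than three entries.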

NLPRank is still being refined to make sure the false positive rate is as low as possible. But there have been encouraging signs that the system has already spotted malware campaigns seen by other security companies, Hay said.

Earlier this month, Kaspersky Lab released a report on a gang that stole upwards of US$1 billion from banks in 25 countries. The group infiltrated banks by gaining the login credentials to key systems through emails containing malicious code, which were opened by employees.

Hay said Kaspersky approached OpenDNS before the report was published to see if it had information on domains associated with the attacks. NLPRank was already blocking some of the suspicious domains, even though OpenDNS didn’t know more details about the attacks.

“We caught these things well back,” Hay said.

In some cases, NLPRank could allow a domain to be blocked even before it is actively used. After cybercriminals register a domain, they'll often visit it once to make sure it's accessible. It may then go dormant for a few days before it is incorporated in a campaign, Hay said.

If a fraudster is connected to an ISP that uses OpenDNS’s service, just a single DNS query for that new domain would allow OpenDNS to analyze and potentially block it before it is used for crime.

“As soon as we see that little bump on the wire, we can block it and monitor to see what’s going on,” Hay said. “It’s almost an early warning system for fraudulent activity.”




Congress Averts DHS Partial Shutdown


Congress, at the 11th hour, passed a bill to fund the Department of Homeland Security for the next seven days, averting for now a partial shutdown that would have curtailed some cybersecurity programs.

Funding of the department was to expire at midnight Feb. 27. Hours before the money was to run out, the Senate voted to fully fund DHS through September, the end of the fiscal year. The House, however, refused to take up that measure, and instead rejected a bill that would have funded DHS for three weeks. After the House failed to pass a funding bill, the Senate approved "a one-week patch," which the House enacted around 10 p.m. EST.


Without the temporary funding, a partial shutdown of DHS would have occurred. Critical IT security operations such as those that defend against cyber-attacks aimed at the government and the nation's critical infrastructure would have continued to function. But other cybersecurity initiatives, such as the rollout to agencies of the Einstein 3 intrusion prevention system and continuous diagnostic and mitigation systems to identify IT vulnerabilities, would have been placed on hold.

Still, Congress will have to pass a new appropriation if DHS is to continue fully operating beyond March 6.

DHS funding is caught in a political battle between Democrats and Republicans over immigration reform. The House last month approved a DHS funding bill without appropriating money for an executive action President Obama took on immigration, a move opposed by nearly all Republicans. The Senate, as a compromise, agreed to vote on two bills; one to fully fund DHS through September, which passed, and a second measure to strip the immigration provisions, which failed to muster the 60 votes needed to break a Democratic filibuster.

An estimated 80 percent of DHS employees would have worked during the partial shutdown, but without pay, with the remainder of the staff being told not to report to work. At the National Protection and Programs Directorate, the department unit responsible for cybersecurity and infrastructure protection, 57 percent of personnel would have remained on the job. In the 2013 federal government shutdown, all employees were paid once Congress funded operations.

Mark Weatherford, the former DHS deputy undersecretary for cybersecurity, said even with the shutdown being averted, at least temporarily, the potential exists of losing skilled IT security staffers, a matter that "is a more important issue than the stopping of the Einstein 3 or the CDM funding programs."

Even the threat to fail to fund DHS could drive key IT security personnel from the department, Weatherford said, adding that he knows of private-sector recruiters waiting to "pluck these people" out of DHS because they feel disgruntled by being victims of a political skirmish over immigration.

"The impact on morale is tremendous," says Weatherford, a principal at the security advisory firm The Chertoff Group. "To be treated like you really have no value, like you're a pawn in this game, is just not right. These people have greater value than that. They have opportunities, and you don't treat people with opportunities like this."



Creating cybersecurity that thinks


Until recently, using the terms “data science” and “cybersecurity” in the same sentence would have seemed odd. Cybersecurity solutions have traditionally been signature-based, relying on matches against patterns derived from previously identified malware to catch attacks in real time. In this context, the advanced analytical techniques, big data and other components that have become representative of “data science” have not been at the center of solutions focused on identifying and preventing cyber attacks.

This is not surprising. In a signature-based solution, any given malware sample, or a new variant of it, must be identified, sometimes reverse-engineered, and have a matching signature deployed in a product update before it becomes “detectable.” For this reason, signature-based solutions cannot prevent zero-day attacks and provide very limited benefit compared with the predictive power offered by data science.

Among the many definitions of data science that have emerged in the last few years, “gaining knowledge from data using a scientific approach” best captures some of the different components that characterize it.

In this series of posts, we will investigate how data science can be used to extract knowledge that identifies malware and potential persistent cybersecurity threats.

The unprecedented number of companies that reported breaches in 2014 is evidence that existing cybersecurity solutions are not effective at identifying malware or detecting attackers inside an organization’s network. The list of companies that have reported breaches and exfiltration of sensitive data grows at an alarming rate: from the large-volume data breaches at Target and Home Depot earlier in 2014, to the more recent breaches at Sony Entertainment and JP Morgan and the attack at Anthem disclosed in February 2015, in which personally identifiable information (PII) for 80 million Americans was stolen. Breaches involve big and small companies alike, showing that the time has come for a different approach to the identification and prevention of malware and malicious network activity.

Three technological advances enable data science to deliver new innovative cybersecurity solutions:

Storage – the ease of collecting and storing large amount of data on which analytics techniques can be applied (distributed systems as cluster deployments).
Computing – the prompt availability of large computing power allows easy use of sophisticated machine learning techniques to build models for malware identification.
Behavior – the fundamental transition from identifying malware with signatures to identifying the particular behaviors an infected computer will exhibit.

Let's discuss more in depth how each of the items above can be used for a rigorous application of data science techniques to solve today's cybersecurity problems.

Having a large amount of data is of paramount importance in building analytical models that identify cyber attacks. Whether the model is a simple heuristic or a refined machine learning model, large numbers of data samples must be analyzed to identify the relevant set of characteristics that will go into the model, a step usually referred to as “feature engineering”. Further data is then needed to cross-check and evaluate the model’s performance: the process of training, cross-validating and testing a given machine learning approach.

In a separate post, we will discuss in more detail how and why data collection is a crucial part in the data science approach to cybersecurity, and why it presents unique challenges.

One of the reasons for the recent increase in machine learning’s popularity is the prompt availability of large computing resources: Moore’s law, which holds that the number of transistors on a chip doubles roughly every two years, has brought processing power and storage capacity along with it.

These advances have enabled the introduction of many off-the-shelf machine learning packages that allow training and testing of machine learning algorithms of increasing complexity on large data samples. These two factors make the use of machine learning practical for use in cybersecurity solutions.

There is a distinction between data science and machine learning, and we will discuss in a dedicated post how machine learning can be used in cybersecurity solutions, and how it fits into the more generic solution of applying data science in malware identification and attack detection.

The fundamental transition from signatures to behavior for malware identification is the most important enabler of applying data science to cybersecurity. Intrusion prevention system (IPS) and next-generation firewall (NGFW) perimeter solutions inspect network traffic for matches against signatures created from the analysis of specific malware samples, so minor changes to the malware reduce their efficacy. Machines infected with malware can instead be identified by observing their abnormal post-infection behavior. That requires first establishing what normal looks like, and then applying rigorous analytical methods, that is, data science, to identify the anomalies.
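An added example, not code from the article or from any vendor, of the pipeline sketched in the feature-engineering paragraph and the behavior paragraph above: feature extraction over flow records, a baseline of “normal” fitted on a known-good period, and robust anomaly scoring that picks out a host whose post-infection behavior (regular beaconing to one address) no signature would have matched. The flow records are constructed with a seeded generator, the baseline is population-wide rather than per host, and the feature set and thresholds are assumptions chosen for illustration.

```python
"""
Behavior-based identification of an infected host from flow records.

Added example, not code from the article or from any product. The flow
records are constructed (seeded pseudo-random browsing for five workstations,
plus one host that starts beaconing in the last window); feature set,
thresholds and the population-wide baseline are assumptions for illustration.
Standard library only.
"""
import random
import statistics
from collections import Counter, defaultdict

FEATURES = ("connections", "unique_dsts", "bytes_out", "top_dst_share")
Z_THRESHOLD = 3.5       # modified z-score cut-off (Iglewicz & Hoaglin); assumption
MIN_FEATURE_HITS = 2    # demand corroboration from two features; assumption


def make_flows(seed=7, train_windows=6):
    """Constructed sample: hourly windows of outbound flows for five hosts.
    Windows 0..train_windows-1 are the known-good training period; in the
    final window ws-07 starts beaconing to one address every 30 seconds."""
    rng = random.Random(seed)
    hosts = ["ws-03", "ws-05", "ws-07", "ws-11", "ws-12"]
    flows = []
    for window in range(train_windows + 1):
        base = window * 3600
        for host in hosts:                     # ordinary, bursty browsing
            t = base
            for _ in range(rng.randint(40, 70)):
                t += rng.expovariate(1 / 45)
                flows.append({"ts": round(t, 1), "src": host, "window": window,
                              "dst": f"203.0.113.{rng.randint(1, 40)}",
                              "bytes_out": rng.randint(2_000, 80_000)})
    eval_window = train_windows
    for k in range(120):                       # post-infection beacon of ws-07
        flows.append({"ts": eval_window * 3600 + 30 * k, "src": "ws-07",
                      "window": eval_window, "dst": "198.51.100.77",
                      "bytes_out": 512})
    return flows


def extract_features(flows):
    """Feature engineering: one vector per (host, window).
    Timing regularity is left out to keep the example short."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["window"])].append(f)
    vectors = {}
    for key, fl in groups.items():
        dsts = Counter(f["dst"] for f in fl)
        vectors[key] = {
            "connections": len(fl),
            "unique_dsts": len(dsts),
            "bytes_out": sum(f["bytes_out"] for f in fl),
            "top_dst_share": max(dsts.values()) / len(fl),  # beaconing concentrates traffic
        }
    return vectors


def fit_baseline(vectors):
    """What 'normal' looks like: median and MAD per feature over training data."""
    baseline = {}
    for name in FEATURES:
        xs = [v[name] for v in vectors.values()]
        med = statistics.median(xs)
        devs = [abs(x - med) for x in xs]
        mad = statistics.median(devs)
        if mad == 0:   # degenerate spread: fall back to mean absolute deviation
            mad = 1.253314 * statistics.fmean(devs)
        baseline[name] = (med, mad)
    return baseline


def modified_z(x, med, mad):
    """Robust z-score; 0.6745 rescales MAD to a standard-deviation equivalent."""
    return 0.6745 * (x - med) / mad if mad else 0.0


def score_hosts(vectors, baseline):
    """Flag a host only when several features disagree with the baseline."""
    results = {}
    for (host, _), v in vectors.items():
        zs = {n: modified_z(v[n], *baseline[n]) for n in FEATURES}
        hits = [n for n, z in zs.items() if abs(z) > Z_THRESHOLD]
        results[host] = {"z": zs, "hits": hits,
                         "anomalous": len(hits) >= MIN_FEATURE_HITS}
    return results


def detect(flows, eval_window):
    """Train on every window before eval_window, then score eval_window."""
    vectors = extract_features(flows)
    train = {k: v for k, v in vectors.items() if k[1] < eval_window}
    evaluate = {k: v for k, v in vectors.items() if k[1] == eval_window}
    results = score_hosts(evaluate, fit_baseline(train))
    return {h for h, r in results.items() if r["anomalous"]}, results


if __name__ == "__main__":
    flagged, results = detect(make_flows(), eval_window=6)
    for host, r in sorted(results.items()):
        print(host, "ANOMALOUS" if r["anomalous"] else "ok", r["hits"])
```

Median and MAD are used rather than mean and standard deviation so that an infected host does not inflate its own baseline once its traffic is in the training data, and requiring two features to agree is the cheap way to keep one noisy feature from paging anyone. In practice the baseline would be per host or per role, the training window needs the same scrutiny as the data it is meant to judge, and a timing-regularity feature would make beacon detection far sharper than connection counts alone.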

We have identified several key aspects that innovative cybersecurity solutions need to have. They require analysis of large data samples and the application of advanced analytical methods in order to build data-driven solutions for malware identification and attack detection. A rigorous application of data science techniques is a natural fit for this problem and represents a dramatic advance in cybersecurity efficacy.

sudo_reboot's curator insight, April 11, 2015 10:02 AM

I always find it interesting when the promise of “big data”, “cloud”, “on-demand compute resources” are touted as the solution. Where are the actual algorithms? Where is the perfect blend of dev and analyst that can actually make full use of the technology who also knows the adversaries’ tradecraft?


Cybercrime Affects More Than 431 Million Adult Victims Globally


Cybercrime affects more than 431 million adult victims around the world. Since the internet has become such an integral part of governments, businesses, and the lives of millions of people, cyberspace has become an ideal place, allowing criminals to remain anonymous while they prey on victims.

The most common forms of cybercrime are identity-related offences carried out through malware, hacking and phishing. Criminals use these methods to steal money and credit card information. Additionally, cybercriminals use the internet for crimes involving child abuse material and intellectual property and copyright infringement.

As technology advances, criminals are finding it much easier to commit cybercrime; advanced techniques and skills are no longer required. For instance, software that allows criminals to override passwords and locate the access points of computers is easily purchased online. Unfortunately, finding cyber criminals is becoming more difficult.


Cybercrime is a rapidly growing business, exceeding $3 trillion a year. Victims and perpetrators are located anywhere in the world. The effects of cybercrime are seen across societies, stressing the need for a pressing and strong international response.

However, many countries do not have the capacity or regulations to combat cybercrime. A global effort is required to make available firmer regulations and improved protection because cyber criminals hide within legal loopholes in countries with less stringent regulation.

Criminals perpetrate a cybercrime by taking advantage of a country’s weak security measures. Additionally, the lack of cooperation between developing and developed countries can also result in safe havens for individuals and groups who carry out a cybercrime.

The United Nations is actively involved in fighting cybercrime. Following the 12th Crime Congress, it tasked the United Nations Office on Drugs and Crime (UNODC) with a comprehensive study of cybercrime. The UNODC is a global leader in the fight against illicit drugs and international crime.

Cybercrime affects one million victims every single day. More than 431 million people are affected by cybercrime a year; that is 14 adult victims every second.

In addition, there are up to 80 million automated hacking attacks every day. The most common and fastest growing forms of consumer fraud on the Internet are identity-related offences, especially through the misuse of credit card information.

Learning online protection methods is one of the simplest means of defense from becoming victim to a cybercrime. When purchasing products online, always be aware of the trustworthiness of the websites.

Avoid using public computers for anything that requires a credit card payment, and make sure online purchases and banking are done only with a legitimate, trusted business.

Computers should have up-to-date security software; choose strong passwords, and do not open suspicious emails or special offers that ask for personal information, which are often in the form of sales, contests, or fake banks.

Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime.


Via Paulo Félix


Every internet-connected device is a potential privacy risk


Samsung has caused controversy with the revelation that its voice-recognition system enables its internet TVs to collect sounds and send them to a third party, including any sensitive information you might happen to talk about in front of the box.

While this warning is alarming for the privacy-conscious, it's a microcosm of a much larger threat that many in the consumer security business have been warning against, and one you can expect to hear more about.

Devices that require personal input and the collection of personal data to function — be it via voice, camera, location or otherwise — have been a part of our lives for years, and are only increasing.

Here is a list of some of the household and personal items snooping on you:

Smartphones

A small box that collects location data, detects motion, stores audio and video and keeps track of your online activities, your phone gives most of your apps and services a way to "listen in" on you in one way or another, not to mention a microphone that researchers have shown can be manipulated to spy on you.


You can easily control when a Samsung Smart TV will and will not collect voice data, the company says.

Apple's Siri, for example, functions almost identically to Samsung's voice recognition.

These services rely on a dedicated voice-recognition service somewhere in the cloud to take your complex requests and queries, translate them into understandable text, and send them back to your phone or TV.

While they may not be actively listening 24 hours a day, at the very least they are monitoring the microphone's feed in expectation of a command.

Video game consoles

Microsoft's Xbox One and its attached Kinect sensor work the same way, but add video to the mix as well. Kinect keeps track of the people in a room so it can detect who's present and load their preferences accordingly, or zoom and pan the camera to make sure everybody is in frame during a Skype call.

Microsoft faced backlash in 2013 for its zealous attitude toward collecting data from Kinect (which eventually forced it to dial back its plans) and, coincidentally in the same year, LG landed in some strife for a voice-activated TV that was found to send voice recordings online.


The Smarter Wi-Fi Coffee Machine. It knows when you wake up or when you're likely to get home so it can greet you with sweet caffeine. Photo: Smarter

Coffee machines and air conditioners

A device that "listens" before using the internet to provide us with a service is not a new idea. The trigger for controversy, it seems, is the revelation that a device could do that without us explicitly telling it to. Yet this is the cornerstone of many devices and services we use every day (including web browsers, social media, smart public transport cards, Google Now, etc.) and will continue to be so as we move towards the all-connected "internet of things".

A connected coffee-maker, for example, collates data about when you're home so it knows when to make coffee. Ditto for connected air conditioners. Both devices are soon to be (or already are) on the market, and necessarily "listen in" on your life and activities, collecting data on you so they can do their job. LG already has a voice-command air conditioner that literally "listens in", cooling the room if you yell out that it's too hot.


Your phone provides data on your movements, purchases, preferences, searches, and communications to countless apps and services. Photo: Reuters

Is this form of data collection really so scary considering the reams of information we already gladly hand over to the companies that provide our email, maps or ride-share services? Are we really concerned about Samsung's microphones in our house and fine with the microphone, GPS and camera we take around in our pocket literally every day?

A common piece of advice when it comes to the internet is "if you don't want the whole world to hear about it, don't say it online". Increasingly, we not only have to apply this test to emails and Facebook messages but to the data we allow our appliances and devices to collect as well. If it's connected to the internet, assume this data is being transmitted online.

Some privacy-minded folks advocate active avoidance, keeping the use of these devices to a minimum, disabling settings or placing a piece of sticky tape over your device's data-collecting apparatus.

Others take pride in their old-school Nokia phones, dumb TVs and ability to "stay off the grid".

But most of us give up information about ourselves constantly because it gives us access to incredible conveniences and technology, and we can't have our cake and eat it too.

Yes, companies like Samsung and Apple and Microsoft must be transparent about what they do with our data, and to whom they give it. But if the last year or so of data breaches, wide-scale hacks and government snooping has taught us anything, it's that no data stored or transmitted online is safe from prying eyes.

In the end we have no absolute control over where our data goes.

The best we can do is be informed about what data our devices are collecting, and if you really don't want something transmitted online, take Samsung's advice and don't say it where an internet-connected TV can hear you.



Via Dr. Dea Conrad-Curry, Gust MEES, Oksana Borukh, Paulo Félix

Online trust is at the breaking point


IT security professionals around the globe believe the system of trust established by cryptographic keys and digital certificates, as well as the security of trillions of dollars of the world's economy, is at the breaking point.

For the first time, half of the more than 2,300 IT security professionals surveyed by The Ponemon Institute now believe the technology behind the trust their business requires to operate is in jeopardy. 100% of organizations surveyed had responded to multiple attacks on keys and certificates over the last two years.


Research reveals that over the next two years, the risk facing every Global 5000 enterprise from attacks on keys and certificates is at least $53 million USD, an increase of 51 percent from 2013. For four years running, 100 percent of the companies surveyed said they had responded to multiple attacks on keys and certificates, and vulnerabilities have taken their toll.

"The overwhelming theme in this year's report is that online trust is at the breaking point. And it's no surprise. Leading researchers from FireEye, Intel, Kaspersky, and Mandiant, and many others consistently identify the misuse of key and certificates as an important part of APT and cybercriminal operations," said Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi. "Whether they realize it or not, every business relies upon cryptographic keys and digital certificates to operate. Without the trust established by keys and certificates, we'd be back to the Internet 'stone age' – not knowing if a website, device, or mobile application can be trusted."

As risk increases, so does the number of keys and certificates: Over the last two years, the number of keys and certificates deployed on infrastructure such as web servers, network appliances, and cloud services grew more than 34 percent to almost 24,000 per enterprise. The use of more keys and certificates makes them a better target for attack. Stolen certificates sell for almost $1000 on underground marketplaces, and doubled in price in just one year. Researchers from Intel believe hacker interest is growing quickly.

Organizations are more uncertain than ever about how and where they use keys and certificates: 54 percent of organizations now admit to not knowing where all of their keys and certificates are located or how they're being used. That raises an obvious question: if an enterprise can't find its keys and certificates, how can it know what is trusted and what is not?

Security pros worry about a Cryptoapocalypse-like event: A scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited overnight is reported as the most alarming threat. Instantly, transactions, payments, mobile applications, and a growing number of Internet of Things devices could not be trusted. Coined by researchers at Black Hat 2013, a Cryptoapocalypse would dwarf Heartbleed in scope, complexity, and time to remediate.

The misuse of enterprise mobile certificates is a lurking concern: The misuse of enterprise mobility certificates used for applications like WiFi, VPN, and MDM/EMM is a growing concern for security professionals. Misuse of enterprise mobility certificates was a close second to a Cryptoapocalypse-like event as the most alarming threat. Incidents involving enterprise mobility certificates were assessed to have the largest total impact, over $126 million, and the second largest risk. With a quickly expanding array of mobile devices and applications in enterprises, it's no wonder security pros are so concerned.

"With the rising tide of attacks on keys and certificates, it's important that enterprises really understand the grave financial consequences. We couldn't run the world's digital economy without the system of trust they create," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "This research is incredibly timely for IT security professionals everywhere – they need a wake up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals."


Via Paulo Félix

Windows PCs remained vulnerable to Stuxnet-like attacks despite 2010 patch


If you patched your Windows computers in 2010 against the LNK exploit used by Stuxnet and thought you were safe, researchers from Hewlett-Packard have some bad news for you: Microsoft’s fix was flawed.

In January, researcher Michael Heerklotz reported privately to HP’s Zero Day Initiative (ZDI) that the LNK patch released by Microsoft over four years ago can be bypassed.

This means that over the past four years attackers could have reverse-engineered Microsoft’s fix to create new LNK exploits that could infect Windows computers when USB storage devices got plugged into them. However, there’s no information yet to suggest this has happened.

The original attack, which exploited a vulnerability in how Windows displayed icons for shortcut (LNK) files, was used to spread Stuxnet, a computer worm that sabotaged uranium enrichment centrifuges at Iran’s nuclear facility in Natanz.

Stuxnet, which is believed to have been created by the U.S. and Israel, was discovered in June 2010 after it spread beyond its intended target and ended up infecting tens of thousands of computers around the world. The LNK vulnerability, tracked as CVE-2010-2568, was one of several zero-day, or previously unknown, flaws that Stuxnet exploited. Microsoft patched the flaw in August that same year as part of a security bulletin called MS10-046.

“To prevent this attack, Microsoft put in an explicit whitelist check with MS10-046, released in early August 2010,” the HP researchers said in a blog post Tuesday. “Once that patch was applied, in theory only approved .CPL files should have been able to be used to load non-standard icons for links.”

“The patch failed,” they said. “And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.”

ZDI reported the LNK patch bypass found by Heerklotz to Microsoft, which treated it as a new vulnerability (CVE-2015-0096) and fixed it Tuesday as part of MS15-020. The ZDI researchers plan to examine the new update to see if there are any other possible bypasses.

Meanwhile, applying the workaround published by Microsoft in 2010, which involves using the registry editor to manually disable the icon handler for shortcut files, will protect against the latest flaw too, they said. The tradeoff is cosmetic but noticeable: with the handler disabled, every shortcut on the system displays a generic icon instead of the icon of its target.

While the LNK attack was first discovered as part of Stuxnet, security researchers from Kaspersky Lab recently found that another computer worm, called Fanny, had used it since 2008. Fanny is part of a malware arsenal used by a highly sophisticated cyberespionage group that Kaspersky has dubbed Equation.

As revealed by a Kaspersky Lab report in August 2014, exploitation of the original CVE-2010-2568 vulnerability remained widespread even after the Microsoft patch in 2010, primarily because the exploit was integrated in more common threats like the Sality worm. From July 2010 to May 2014, Kaspersky Lab detected over 50 million instances of the CVE-2010-2568 exploit on more than 19 million computers worldwide.



Apple, Android Prep 'Freak' Fix


Numerous Apple and Android devices, as well as websites, are vulnerable to a serious flaw that an attacker could exploit to subvert secure Web connections. The flaw exists in SSL/TLS implementations and stems from the ability of a man-in-the-middle to force a connection to downgrade from a "strong" RSA key exchange to a weaker, 512-bit "export-grade" RSA key.

The researchers who discovered the vulnerability have dubbed it "Freak," for "Factoring RSA-EXPORT Keys," and warn that it can be used to crack a cipher key and then impersonate legitimate sites - such as the public-facing National Security Agency website - to vulnerable clients. In some cases it could also be used to hijack third-party tools, such as the Facebook "like" button functionality, and inject JavaScript into vulnerable clients and steal passwords.


"In case you're not familiar with SSL and its successor TLS, what you should know is that they're the most important security protocols on the Internet," Johns Hopkins University cryptographer Matthew D. Green says in a blog post. "In a world full of untrusted networks, SSL and TLS are what makes modern communication possible."

Security researchers warn that the flaw exists in versions of OpenSSL prior to 1.0.1k, and affects all Android devices that ship with the standard browser, although they say Google Chrome is immune. The flaw also exists in Apple's TLS/SSL client implementation, which is used by both Mac OS X and iOS devices. The vulnerability has been designated as CVE-2015-0204.

Researchers say it's not clear how many users, devices or websites are vulnerable to the Freak flaw, or if it has yet been exploited in the wild. But 6 percent - or 64,192 - of the world's 1 million most popular websites (as ranked by Amazon.com Web traffic monitoring subsidiary Alexa) are currently vulnerable to the flaw, according to the Tracking the Freak Attack site, which is run by researchers at the University of Michigan, and can be used to check if clients are vulnerable to Freak attacks.

Researchers from French computer science lab INRIA, Spanish computer lab IMDEA and Microsoft Research have been credited with discovering the flaw and detailing how it can be exploited. "You are vulnerable if you use a Web browser that uses a buggy TLS library to connect, over an insecure network, to an HTTPS server that offers export ciphersuites," they say. "If you use Chrome or Firefox to connect to a site that only offers strong ciphers, you are probably not affected."

In recent weeks, the researchers - together with Green - have been alerting affected organizations and governments. Websites such as Whitehouse.gov, FBI.gov, and connect.facebook.net - which implements the Facebook "like" functionality - were vulnerable to related attacks, but have now been fixed, Green says. But he notes that numerous sites, including the public-facing NSA.gov website, remain vulnerable.

Apple, Google Prep Patches

Apple tells Information Security Media Group that it is prepping a patch, which it plans to release next week. OpenSSL released a related patch in January, and content delivery networks - such as Akamai - say they've either put fixes in place or will do so soon.

While Google didn't immediately respond to a related request for comment, a spokeswoman tells Reuters that the company has already prepped an Android patch and distributed it via the Android Open Source Project to its business partners. She notes that it's now up to those businesses - which include such equipment manufacturers as Samsung, HTC, Sony, Asus and Acer - to prep and distribute patches to their customers. But while some OEMs have a good track record at prepping and releasing patches in a timely manner, others delay, or never release patches.

Businesses and users should install related patches as quickly as possible, says information security consultant and SANS Institute instructor Mark Hofman in a blog post. "To prevent your site from being used in this attack you'll need to patch OpenSSL - yes, again. This issue will remain until systems have been patched and updated, not just servers, but also client software," he says. "Client software should be updated soon - hopefully - but there will no doubt be devices that will be vulnerable to this attack for years to come - looking at you Android."

Crypto Wars 1.0 Legacy

Experts say that the Freak flaw is a legacy of the days when the U.S. government restricted the export of strong encryption. "The SSL protocol itself was deliberately designed to be broken," Green says, because when SSL was first invented at Netscape, the U.S. government regulated the export of strong crypto. Businesses were required to use the relatively weak maximum key length of 512 bits if they wanted to ship their products outside the country.

While those export restrictions were eventually lifted, and many developers began using strong crypto by default, the export-grade ciphers still linger - for example in previous versions of OpenSSL - and can be used to launch man-in-the-middle attacks that force clients to downgrade to the weak crypto, which attackers can crack. "The researchers have identified a method of forcing the exchange between a client and server to use these weak ciphers, even if the cipher suite is not 'officially' supported," Hofman says.
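The three client-side checks that the downgrade described above depends on being absent, as an added example that is not the researchers' tool, OpenSSL's code, or any library's API: a small Python model of a TLS 1.2 client validating the server's first handshake flight over constructed messages, with no network involved. The cipher suite code points are the IANA registry values; the message builders, the placeholder 512-bit modulus, and the flight labels are illustrative assumptions made for this example.

```python
import os
import struct

# TLS 1.2 handshake message types used below
HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_KEY_EXCHANGE, HS_SERVER_HELLO_DONE = 2, 11, 12, 14
TLS12 = b"\x03\x03"

# Cipher suite code point (IANA registry) -> (name, key exchange kind).
# "rsa":        static RSA; the server sends no ServerKeyExchange at all.
# "rsa_export": 512-bit temporary RSA key delivered in ServerKeyExchange (the FREAK target).
# "ecdhe":      ephemeral EC Diffie-Hellman; a ServerKeyExchange is legitimate here.
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "rsa_export"),
    0x0006: ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "rsa_export"),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "rsa_export"),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "rsa"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "rsa"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "rsa"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ecdhe"),
}


def handshake(msg_type, body):
    """Prefix a handshake body with its 4-byte header: one type byte, then a 24-bit length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def server_hello(suite):
    """ServerHello: version, 32-byte random, empty session id, chosen suite, null compression."""
    return handshake(HS_SERVER_HELLO,
                     TLS12 + os.urandom(32) + b"\x00" + struct.pack("!H", suite) + b"\x00")


def server_key_exchange_rsa(modulus_bits):
    """RSA_EXPORT ServerKeyExchange body: length-prefixed modulus and exponent.
    The modulus is a placeholder of the stated size (assumption); the signature is omitted."""
    modulus = b"\x80" + b"\x00" * (modulus_bits // 8 - 1)
    exponent = b"\x01\x00\x01"
    return handshake(HS_SERVER_KEY_EXCHANGE,
                     struct.pack("!H", len(modulus)) + modulus
                     + struct.pack("!H", len(exponent)) + exponent)


def parse_handshake(msg):
    """Return (type, body) for one handshake message, refusing truncated or padded input."""
    if len(msg) < 4:
        raise ValueError("truncated handshake header")
    length = int.from_bytes(msg[1:4], "big")
    if len(msg) != 4 + length:
        raise ValueError("handshake length does not match header")
    return msg[0], msg[4:]


def check_server_flight(offered, messages):
    """Validate the server's first flight the way a correct client must.

    offered:  cipher suites the client listed in its ClientHello
    messages: the server's handshake messages, in order
    Returns (accepted, reason)."""
    msg_type, body = parse_handshake(messages[0])
    if msg_type != HS_SERVER_HELLO:
        return False, "first server message is not ServerHello"
    sid_len = body[34]                                   # session id length follows version + random
    (chosen,) = struct.unpack_from("!H", body, 35 + sid_len)
    name, kx = SUITES.get(chosen, ("unknown(0x%04x)" % chosen, "unknown"))
    # Check 1: never accept an export-grade suite, whatever the server selected.
    if kx == "rsa_export":
        return False, "export-grade suite %s must never be accepted" % name
    # Check 2: a suite the client never offered means the ClientHello was rewritten in transit.
    if chosen not in offered:
        return False, "server selected %s, which the client did not offer" % name
    if kx == "unknown":
        return False, "%s is not a suite this client implements" % name
    for raw in messages[1:]:
        msg_type, body = parse_handshake(raw)
        # Check 3 (the state-machine bug FREAK exploited): a static-RSA handshake has no
        # ServerKeyExchange, so a temporary RSA key arriving here is a man-in-the-middle
        # substituting a factorable key for the server's certificate key.
        if msg_type == HS_SERVER_KEY_EXCHANGE and kx == "rsa":
            (mod_len,) = struct.unpack_from("!H", body, 0)
            return False, "unexpected ServerKeyExchange (%d-bit RSA key) in %s handshake" % (mod_len * 8, name)
        if msg_type == HS_SERVER_HELLO_DONE:
            return True, "negotiated %s" % name
    return False, "server flight ended without ServerHelloDone"


def demo():
    """Four constructed server flights against a client that offered only strong suites."""
    offered = [0xC02F, 0x002F]
    cert = handshake(HS_CERTIFICATE, b"\x00\x00\x00")       # empty certificate list, enough for the model
    done = handshake(HS_SERVER_HELLO_DONE, b"")
    flights = {
        "honest": [server_hello(0x002F), cert, done],
        "freak": [server_hello(0x002F), cert, server_key_exchange_rsa(512), done],
        "export_suite": [server_hello(0x0003), cert, server_key_exchange_rsa(512), done],
        "unoffered_suite": [server_hello(0x0035), cert, done],
    }
    return {label: check_server_flight(offered, flight) for label, flight in flights.items()}


if __name__ == "__main__":
    for label, (accepted, reason) in demo().items():
        print("%-16s %s  %s" % (label, "ACCEPT" if accepted else "REJECT", reason))
```

The "freak" flight is the interesting one: the man-in-the-middle rewrites the ServerHello back to the strong suite the client asked for, so checks 1 and 2 pass, and only check 3 catches the 512-bit key smuggled in through a message that has no business appearing in a static-RSA handshake. The vulnerable OpenSSL and SecureTransport clients skipped exactly that check. On the server side the fix is simpler still: stop offering any RSA_EXPORT suite, so there is no weak key to downgrade to.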

Hacking NSA.gov

The researchers who discovered the Freak flaw have published a proof-of-concept exploit on the SmackTLS website, demonstrating a tool they developed, together with a "factoring as a service" capability they built and hosted on a cluster of Amazon Elastic Compute Cloud - EC2 - servers. The exploit was first used against the NSA.gov website. "Since the NSA was the organization that demanded export-grade crypto, it's only fitting that they should be the first site affected by this vulnerability," Green says. Cracking the key for the NSA.gov website - which, it should be noted, is hosted by Akamai - took 7.5 hours, and cost $104 in EC2 power, he adds. Were the researchers to refine their tools, both the required time and cost to execute such attacks would likely decrease.

The researchers have reportedly been quietly sounding related alerts about the Freak flaw in recent weeks to vulnerable governments and businesses, hoping to keep it quiet so that patches could be rolled out in a widespread manner before news of the flaw went fully public. But The Washington Post reports that Akamai published a blog post on March 2, written by its principal engineer, Rich Salz, which brought attention to the problem sooner than the researchers had hoped.

Still, the Freak flaw has existed for well over a decade, and follows the 2014 discovery of such new "old" bugs as Heartbleed, POODLE and Shellshock, which existed for years before being found.

Moral: Encryption Backdoors

In the post-Snowden era, many technology giants have moved to use strong encryption wherever possible, in part to assuage customers' concerns that the NSA could easily tap their communications. Apple and Google also began releasing mobile devices that use - or could be set to use - strong crypto by default. And many U.S. and U.K. government officials have reacted with alarm to these moves. Often citing terrorism and child-abuse concerns, many have demanded that the technology firms weaken their crypto by building in backdoors that government agencies could access.

But Green says the Freak flaw demonstrates how any attempt to meddle with strong crypto can put the user of every mobile device, Internet browser or website at risk. "To be blunt about it, the moral is pretty simple: Encryption backdoors will always turn around and bite you ..." he says. "They are never worth it."



Time to Ban the 'Bloatware'


What will it take to make hardware manufacturers ditch "bloatware"?

That's one of the more charitable names for the software that so many manufacturers - Apple and Google being notable exceptions - preinstall on the devices they sell. Such software includes screensavers, toolbars, utilities or even Superfish Visual Discovery. That's the adware that Lenovo, the world's biggest PC manufacturer, was preinstalling on many of its consumer laptops until earlier this month, when security experts - including the U.S. Computer Emergency Readiness Team (US-CERT) - began warning that the software poses an information security risk to users.


The practice of adding bloatware - a.k.a. junkware or trialware - to PCs is common, Microsoft says, warning that such software may "slow down your computer and junk up your Start screen or desktop." That's why Microsoft in 2012 began selling "Signature" Windows systems that come with a vanilla version of Windows, with no such bloatware or trialware preinstalled, for the added price of just $99.

And therein lies the bloatware flaw: Too often, such software isn't designed to make life easier for paying customers, but rather operates at their expense. Indeed, some users reported that it took them days to track down odd behavior on their PC to the Superfish software, which was relatively hidden on their device, and which can be difficult to fully eradicate.

As the Superfish saga has unfolded, with Lenovo apologizing and saying it "messed up," you might think the company would distance itself from bloatware and offer customers the choice of a "clean" install of Windows. "Manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option, i.e. with no operating system preinstalled," says Rik Ferguson, vice president of security research for security software vendor Trend Micro, and a cybersecurity adviser to Europol, the European Union's law enforcement agency.

"Not only would this reduce cost to the user, it would also increase freedom of choice of operating system and hand full control back to the owner of the device," he says.

Lenovo Promises Listening Sessions

But Lenovo's chief technology officer, Peter Hortensius, tells The Wall Street Journal that "in general, we get pretty good feedback from users on what software we preinstall on computers."

Hortensius paints a picture of customers clamoring for more of these add-ons. "What we're going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers' computers," he says. "The outcome could be a clearer description of what software is on a user's machine, and why it's there."

Likewise, Lenovo spokeswoman Wendy Fung tells me Superfish was preinstalled "in our effort to enhance our user experience." But that's false logic. When Apple, for example, wants to improve its Mac OS X user-experience design, does it preinstall software that alters the images displayed in search results, even for supposedly secure HTTPS pages? That's what Superfish Visual Discovery was designed to do, and to reach inside HTTPS pages it installed its own root certificate on the machine so that it could intercept encrypted traffic.

Fung also confirms that Lenovo received compensation from Superfish to preinstall its software, although it claims it wasn't a "financially significant" arrangement.

But following the bloatware money suggests a lot - including manufacturers taking advantage of consumers and small businesses who don't know better. One defense of PC manufacturers' bloatware practices could be that their profit margins are razor-thin, and that unless consumers want to pay more, they should expect to see privacy or even security tradeoffs. Consumers, however, aren't being clearly presented with that choice.

Can Bloatware Be Battled?

Unfortunately, it's not clear how we might rid the world of bloatware. In the U.S., the Federal Trade Commission could get involved and investigate bloatware-bundling practices, per its ability to police "unfair or deceptive acts." So far, one U.S. lawsuit has been filed that takes aim at Lenovo having preinstalled Superfish. In the United Kingdom, meanwhile, the Information Commissioner's Office, which enforces data protection law in the U.K., says it's planning to demand Superfish-related answers from Lenovo.

With luck, sharp questions from regulators and Lenovo's Superfish debacle will lead more manufacturers to rethink their business practices, and begin offering consumers a clean install. But too many will likely just default to offering the same old raw deal.



How the NSA’s Firmware Hacking Works and Why It’s So Unsettling

One of the most shocking parts of the recently discovered Equation Group spying network is its mysterious module designed to reprogram, or reflash, a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered it said its ability to subvert hard drive firmware, the guts of any computer, “surpasses anything else” they had ever seen.

The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named “nls_933w.dll”, is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered.

It also has another capability: it can create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting the documents they want to seize in areas that don’t get encrypted.

Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption.

Here’s what we know about the firmware-flashing module.

How It Works

Hard disk drives have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the drive resides.

When a machine is infected with EquationDrug or GrayFish, the firmware flasher module is deposited onto the system and reaches out to a command server to obtain payload code, which it then flashes to the drive, replacing the existing firmware with a malicious one.

The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug, and one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, suspecting the computer is infected, wipes the operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that were wiped from the system.

Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist, because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten. The only solution for victims is to discard the hard drive and start over with a new one.

The attack works because drive firmware was never designed with security in mind. Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors sign their code, and drive designs have no built-in authentication to check for signed firmware. This makes it possible for someone to change the firmware. Firmware is also the perfect place to conceal malware because antivirus scanners don’t examine it, and there is no easy way for users to read the firmware back and manually check whether it has been altered.

The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba.

“You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says.

The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.”

Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and can also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard disk, where the drive stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn’t get much play when the story broke last week, but it’s the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there’s still a lot that’s unknown about the attack, but some of it can be surmised.

The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal.

This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they’re unencrypted and save them to this hidden area, which doesn’t get encrypted.

There isn’t much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally valuable for bypassing encryption: the password.

“Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu says.

Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls “customs opportunities,” and extract the password from this hidden area to unlock the encrypted disk.

Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications.

“[The owners] only use it in some very specific cases where there is no other way around it,” Raiu says. “Think about Bin Laden who lived in the desert in an isolated compound—doesn’t have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific.”

Raiu thinks, however, that the attackers have a grander scheme in mind. “In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs.”

They wouldn’t need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data, so the attackers would need a bigger hidden space for storage.

Luckily for them, it exists. There are large sectors in the service area of the hard disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate the drive, but it also contains large portions of unused space.

An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted “not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools.”

Berkman points out that one particular model of Western Digital drive has 141 MB reserved for the service area but uses only 12 MB of it, leaving the rest free for stealth storage.

Writing or copying data to the service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, “[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible,” Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail.

One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there’s only 80 MB, it’s a dead giveaway that something is there that shouldn’t be.

But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.
Via Paulo Félix

Ramping Up Automobile Cybersecurity


In late 2014, signs emerged that the automobile industry was taking the first steps toward addressing cybersecurity and privacy risks.


For instance, General Motors hired its first chief product cybersecurity officer, and the automobile industry set up an automobile Information Sharing and Analysis Center to collect and share information about cyber-related threats and vulnerabilities in motor vehicle electronics.


Heading into 2015, efforts to mitigate cybersecurity and privacy risks affecting automobiles continue to gain traction. Recently, Senator Edward Markey, D-Mass., issued a report detailing various automobile security and privacy vulnerabilities. Then, on Feb. 11, Markey confirmed that he, along with Senator Richard Blumenthal, D-Conn., will introduce legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards for improving the security of vehicles and protecting drivers' privacy.

"We need the electronic equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century," Markey says.

The senators' efforts come after auto manufacturer BMW recently addressed a potential security gap affecting data transmissions to and from the company's connected vehicles via the mobile phone network.

But while early steps are being taken by the industry to get on top of the risks, progress around securing automobiles may not come as quickly as some would hope. "Sure, proof of concept exploits are there - and they are real - but there is not even a semblance of exploitation by the criminals in the wild," says Anton Chuvakin, research vice president for security and risk management at Gartner.

"We do have a chance to prepare for this now by starting early with car and other device security," he says. "However, the history of information security teaches us that we probably won't. Today the threat is mostly 'not' real, but all signs point that it will become real."

Key Risks

Chris Valasek, director of vehicle security research at IOActive, a computer security services firm, has researched cyber vulnerabilities in automobiles through funding from the Cyber Fast Track initiative from the Defense Advanced Research Projects Agency, or DARPA.

Based on his research, Valasek says hackers could gain access to a vehicle's systems and potentially take private information, such as GPS coordinates or the driver's username and password for various in-car applications. Also, cybercriminals potentially could obtain control of computers within the car that operate certain features, such as cruise control, Valasek says.

"[Through our research], we showed that if you're on the car's computer network, you could send messages to completely stop the car and immobilize it," he says. "If an attacker found a way to break in remotely - through Bluetooth, cellular or an application - and was able to be on the right portion of the car's network, they could stop the car, disengage brakes or steer the steering wheel."

Down the road, automakers also need to worry about the potential cyberthreats concerning so-called "autonomous" or driverless vehicles now in development, says Stephen Wu, an attorney at the Silicon Valley Law Group, who has been researching the legal concerns regarding autonomous driving. "If cars crash because of information security vulnerabilities, it could lead to liability for the manufacturers," he says. "They need not only be concerned about safety, but also the governance of information security, privacy and the management of information that's being generated and communicated by cars."

Security Gaps Remain

The recent report from Senator Markey is based on a survey of 16 major automobile manufacturers about how vehicles may be vulnerable to hackers and how driver information is collected and protected.

Among the findings:

  • Nearly 100 percent of vehicles on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions;
  • Most automobile manufacturers were unaware of or unable to report on past hacking incidents;
  • Security measures to prevent remote access to vehicle electronics are inconsistent and haphazard across the different manufacturers;
  • Only two automobile manufacturers were able to describe any capabilities to diagnose or meaningfully respond to an infiltration in real time, and most said they rely on technologies that cannot be used for this purpose at all.

Valasek at IOActive says the biggest takeaway from the report is how most of the manufacturers couldn't answer many questions. "This means that not only are they behind on their security efforts, but probably don't have a good idea of the attack landscape or where to start," he says.

Legislation

The new legislation proposed by Markey would include three key requirements:

  • All wireless access points in cars must be protected against hacking attacks and evaluated using penetration testing;
  • All collected information must be appropriately secured and encrypted to prevent unwanted access; and
  • The manufacturer or third-party feature provider must be able to detect, report and respond to real-time hacking events.

To address privacy issues, Markey is seeking a transparency requirement that drivers be made explicitly aware of data collection, transmission and use. He also wants consumers to have the ability to choose whether data is collected, without having to disable navigation. And he's seeking prohibition of the use of personal driving information for advertising or marketing purposes.

"In essence, the proposed legislation codifies what have been best practices in privacy and security for years," says Scot Ganow, a privacy and security attorney at the law firm Faruki Ireland and Cox PLL.

But that doesn't mean the proposed law won't face challenges similar to those that have arisen in previous failed attempts to adopt federal data breach legislation, Ganow says. "As with all laws seeking to regulate commerce and, in particular, the flow of information, the struggle will exist over balancing appropriate regulation while not choking innovation and corporate independence."

Proactive Approach

As the security and privacy landscape around automobiles continues to take shape, manufacturers can start taking the necessary steps to get ahead of the challenge before it becomes a real problem.

Right now, hacking a vehicle is still very hard and very expensive, Valasek says. "That's not to say that won't change in the future. But you want to start implementing security measures before there is an actual problem."

Valasek argues that manufacturers "will have to accept that security is required as part of the process and not an after-thought. Only then can we truly talk about mitigating risks."

In addition, automakers should hire more cybersecurity experts and attempt to integrate security into the automotive software development lifecycle, says Ben Johnson, chief security strategist at Bit9 + Carbon Black, an endpoint security firm. "Immediately, I would be hiring penetration-testers and security consultants to do as much assessment and analysis of the existing systems as possible," he says.

It may also be in the best interest of the automobile industry - and consumers - if manufacturers adopt a model similar to PCI-DSS, the independently developed standards in the payments card industry, says Andreas Mai, director for smart connected vehicles at Cisco. "If an independent body devised a list of security features and controls that a vehicle and its computer systems should have, and the body audited vehicles for adherence, even if it was voluntary, like Consumer Reports, it would at least provide consumers with the notion someone has looked at security and provide a baseline level of confidence," he says.


Secunoid's curator insight, February 19, 2015 1:52 PM

The next frontier to keep an eye out for from a security perspective: automobiles.

Sandesh's curator insight, March 23, 2015 9:55 AM

They have introduced the cybersecurity which is attached with the audio player.