IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

9 Healthcare Cyber Security Tips to Help Protect Your Data


As a forward-thinking individual who wants the most for your medical practice, you have already recognized the importance of using cloud-based healthcare software. The cloud uses multiple redundant facilities to store data so that it survives a catastrophic failure at any one server center. The provider's information technology staff is focused on keeping the data safe and secure, and is devoted to making sure your patients’ records are available 24/7/365, even when cyber attacks plague institutions connected to the Internet.


Anyone who has been paying even cursory attention to the news will be aware that healthcare organizations have become a huge target for criminal computer hackers. You also know the potential negative effects a data breach has on a practice, including loss of time and money and erosion of the trust patients have placed in your organization.


Hospitals, doctor offices, and clinics have been exposed to cyber security threats that can cause grave repercussions. A common method of attack is to install ransomware. Once a medical organization’s system has been compromised, often because an employee clicked a link in a sketchy email, all the patient files are held hostage until ransom is paid. Computer viruses can arrive via email, text messages, and websites that are set up just for the purpose of attacking naive and unsophisticated end users.


So while the IT department of your cloud services provider will be handling security on their end, you still have to contend with potential security issues in your own office and make sure that your staff knows what to do to protect patient information.

With that in mind, here are 9 tips that will help improve healthcare cyber security in your organization and reduce the chance of attacks.

1. Ensure Staff Is Properly Trained on Healthcare Cyber Security Protocols

In most situations, the weakest cyber security link in your medical practice will be the user. Ensuring that your staff knows all proper measures to take (and enforcing these measures) makes the organization as a whole more secure.

You may need to bring in a consultant who can first address the knowledge level of your team and then provide some training to get everyone caught up on the latest security protocols.

2. Don’t Put Off Software Updates

You are busy, and you do not like the idea of taking your computer system offline to conduct basic software updates. However, neglecting to install the latest version leaves your now-outdated software, and the devices running it, much more vulnerable to attack: any security patches that ship with the update remain unavailable to you.

Criminal hackers take advantage of people’s complacency and can sneak into antiquated systems more easily than systems that have the latest protection.

3. Control Access to Protected Patient Data

You’ve undoubtedly seen news accounts of patients whose private information was stolen by hackers. These sensitive details are protected by the Health Insurance Portability and Accountability Act (HIPAA). If you fail to keep this data secure, the results can be disastrous. Criminal hackers use confidential patient details to commit identity theft, take funds from bank accounts, and otherwise cause a great deal of havoc.

Have your security team carefully control access to patient records, allowing only authorized individuals to access the details. You can audit the system to verify who accessed what and when. It’s important to remove access from employees who have been terminated, to keep them from getting into the system and causing problems in a bid for revenge. Healthcare software such as electronic health record applications makes information access much easier to control.
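The three controls in this tip (authorize only the roles that need a record, log every access decision so you can answer "who accessed what and when", and revoke a departing employee in one step) can be sketched as a small role-based access layer. The following is an added illustration, not code from the article or from any EHR product; the roles, user ids, record ids and audit-entry format are constructed for the example.

```python
"""Role-based access to patient records with an audit trail (added example).

Roles, users, record ids and the audit format below are constructed for
illustration; they are not taken from any real EHR system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role table: which roles may read or write clinical records.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": set(),  # billing staff need no clinical record access
}


@dataclass
class AccessControl:
    # user id -> role; a user absent from this table has no access at all
    roles: dict = field(default_factory=dict)
    # every decision, allowed or denied, is appended here for later audit
    audit_log: list = field(default_factory=list)

    def grant_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.roles[user] = role

    def revoke(self, user):
        """Remove a departing employee entirely, and record that it happened."""
        self.roles.pop(user, None)
        self._record(user, "*", "revoke", True)

    def access(self, user, record_id, action):
        """Return True if the action is permitted; log the decision either way."""
        role = self.roles.get(user)
        allowed = role is not None and action in ROLE_PERMISSIONS[role]
        self._record(user, record_id, action, allowed)
        return allowed

    def _record(self, user, record_id, action, allowed):
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user, "record": record_id,
            "action": action, "allowed": allowed,
        })

    def who_touched(self, record_id):
        """The audit question from the tip: who accessed this record, and when."""
        return [(e["when"], e["user"], e["action"]) for e in self.audit_log
                if e["record"] == record_id and e["allowed"]]


def demo():
    """Exercise the controls on constructed users and one constructed record."""
    ac = AccessControl()
    ac.grant_role("dr.lee", "physician")
    ac.grant_role("nurse.kim", "nurse")
    ac.grant_role("bill.ops", "billing")
    results = {
        "physician_write": ac.access("dr.lee", "MRN-0001", "write"),
        "nurse_write": ac.access("nurse.kim", "MRN-0001", "write"),
        "nurse_read": ac.access("nurse.kim", "MRN-0001", "read"),
        "billing_read": ac.access("bill.ops", "MRN-0001", "read"),
    }
    ac.revoke("nurse.kim")  # terminated employee: access stops immediately
    results["after_revoke"] = ac.access("nurse.kim", "MRN-0001", "read")
    results["denied_count"] = sum(1 for e in ac.audit_log if not e["allowed"])
    return ac, results


if __name__ == "__main__":
    ac, r = demo()
    print(r)
    print(ac.who_touched("MRN-0001"))
```

Denied attempts are logged as deliberately as allowed ones, since a run of denials against one record is exactly the pattern an audit review should surface.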

4. Don’t Use the Same Password for Everything

Using easily guessed passwords or the same password for all platforms significantly increases vulnerabilities. Human nature will motivate your employees to use just one simple password to access their information, but this is a big mistake.

It can be tempting to set up one password to check your email, access your bank and your favorite online store, and see patient records as well, but the convenience of an easy login, at the expense of patient security requirements, has no place in a modern office’s computer systems.

All a criminal needs to do is discover one working password, and then apply it to all the other accounts that the victim uses. The convenience of one password leads to a catastrophic theft of data. Criminals can cause even more mischief if they get into the system and actually change information in patient files.

An easy solution is to require employees to generate new passwords on a periodic basis. That way, even if a criminal does manage to grab one particular login credential, access will be cut off at the next scheduled change.

5. Store Passwords in a Secure Place

Instruct your team to never include passwords in a shared document or email. They should use a proven password storing system instead. Keep in mind that one common reason people have for skirting password security protocols has to do with their limited memory.

Instead of writing a password on a sticky note and hiding it in a desk drawer, it will be more effective if each user devises a password based on a phrase. For example, a member of your team could use a phrase such as “Every morning I check email while the coffee brews” and use the first letter of each word to make the password “emIcewtcb” with one uppercase letter. Including numbers and other characters helps make the password even more secure.

6. Perform Risk Assessments on a Regular Basis

Not knowing where your vulnerabilities are makes it much harder to protect yourself against attack. You won’t have a clear understanding of your organization’s security issues if you fail to conduct risk assessments on a regular basis.

Complacency is your enemy here. Your own IT team can perform the risk assessment, or you can work with more objective individuals by hiring an outside firm to take care of this task. 

7. Maintain a Layered Defense System

Have layered security protocols in place, so even if an attacker breaks through one layer, they still won’t be able to access the protected data, and your practice might be able to identify the attack before it’s too late. Just as you have multiple locking doors to protect your property, building and equipment, you should have many layers of defense against electronic intrusions. That way, even if a weakness appears in one aspect of your defense system, there will be redundant coverage.

So, in addition to using strong passwords and forcing workers to change them periodically, you can use physical security in the form of locked doors, security guards, and surveillance equipment. Antivirus software, a robust firewall, and whitelisting of approved applications all contribute to the overall security of your institution.

8. Have a Plan to Prevent (and Recover From) Data Breaches

In the unfortunate event of an attack, your practice needs to know what the next steps are. Having a plan in place will help you move forward after an attack. For example, your IT team should regularly review your healthcare cyber security protection to ensure you are always following the latest protocols.

This also means avoiding the practice of automatically allowing software updates before checking out any possible repercussions. And when you do assess an update, it’s best to try it out on a quarantined test computer to ensure a patch or update won’t negatively affect all the computers in your system.

To be ready for the aftermath of a successful intrusion, key members of your team should develop a plan for getting the system back up and running, confident that the cloud-based backup of your data will be clean and safe to use.

9. Install Better Software

Stress the importance of using software from a company that prioritizes cyber security. Such a company will update its software swiftly whenever a new threat has been identified. The surrounding applications used in your office must also be shored up.

High up on your to-do list, according to a report from Healthcare IT News, is to invest in a next-generation firewall to protect all data and your systems, and deploy the latest in anti-malware detection. Robust encryption is called for, and you might need to outsource some of your security information management.

Key Takeaway:

The fact that your healthcare organization has deployed a cloud-based solution for your medical software indicates that you already pay attention to emerging technology issues. Now it is time to take the necessary steps to shore up the sensitive information that you generate, store, and update for all of your patients.

  • Healthcare cyber security is one of the key issues that you and your staff must take great pains to address in order to stay in business.
  • News reports are filled with examples of criminal hackers that take over the computer systems of medical care providers, often locking information and demanding ransom to unlock the data.
  • Because you maintain patient data in the cloud, it’s essential that your organization follow industry best practices for cyber security.
  • Ongoing training of each of your staff members will help strengthen your cyber defenses.
  • Work with a healthcare software provider that has a demonstrated ability and commitment to updating its application on a regular basis.
  • Plan ahead about how your organization will react in the unfortunate event that your information does wind up getting breached.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Obama Signs Cyberthreat Information Sharing Bill


On Dec. 18, both houses of Congress enacted the Cybersecurity Information Sharing Act, which is part of a 2,009-page $1.1 trillion omnibus spending bill (see page 1,729). CISA will establish a process for the government to share cyberthreat information with businesses that voluntarily agree to participate in the program.


The legislation is an important tool to help protect the nation's critical infrastructure, says Daniel Gerstein, former Homeland Security acting undersecretary and a cybersecurity expert at the think tank Rand Corp. "Sharing information between industry and the federal government will allow for development of countermeasure signatures that can be incorporated into networks," Gerstein says. "In the absence of such sharing, protecting networks becomes much more challenging. ... CISA is not intended to be a comprehensive bill for cybersecurity. Rather, it focuses on the exchange of information between industry and the federal government."


Larry Clinton, president of the industry group Internet Security Alliance, says the approval of the bill by large, bipartisan majorities in both the House and Senate demonstrates the growing realization that the nation faces a major cybersecurity problem. "It speaks to the need to come together in a way rarely evidenced lately in D.C. and begin to attack this problem together," Clinton says. "It's a rare instance of our government system actually working in a bipartisan fashion for the public good."

Winner, Loser

Passage of CISA is seen as a victory for big business and a defeat for privacy and civil liberties advocates.


Consumer advocates say the new law provides limited privacy protections to Americans. They object to the lack of transparency: the measure's provisions were drafted in secrecy and then inserted into a spending bill that keeps the government operational. "This shows disrespect for the people whose privacy is at stake in this process, and who deserve real cybersecurity, not more surveillance," says Drew Mitnick, policy counsel for the advocacy group Access Now. "Simply put, we expect more from our elected leadership."


But business groups generally supported the legislation. "This legislation is our best chance yet to help address this economic and national security priority in a meaningful way and help prevent further attacks," says U.S. Chamber of Commerce President Thomas Donohue. "Government and businesses alike are the target of these criminal efforts, and CISA will allow industry to voluntarily work with government entities to better prevent, detect and mitigate threats."

Key Provisions

At CISA's core are provisions designed to get businesses to voluntarily share cyberthreat information with the government. The main incentive is furnishing businesses with liability protections from lawsuits when they share cyberthreat information, such as malicious code, suspected reconnaissance, security vulnerabilities and anomalous activities, and identify signatures and techniques that could pose harm to an IT system. The new law also will provide antitrust exemption for sharing threat data among businesses.


The liability protections alone won't get many businesses to share threat information. "A bill is not going to prompt an organization to change," says Chris Pierson, chief security officer at invoicing and payments provider Viewpost. "What it will do is help the internal teams that want to share have better ammunition for their legal counterparts and compliance people to understand that sharing of threat data and indicators is being done in a coordinated fashion. The true win here will be the communication around what to share, how to share and the business benefit for companies that share."


CISA designates the Department of Homeland Security to act as the cyberthreat information-sharing hub between government and business. Civil liberties activists wanted a civilian agency, not a military or intelligence entity such as the National Security Agency, to shepherd the flow of cyberthreat information between government and business. But the legislation will not prevent the NSA and other intelligence agencies from getting hold of the cyberthreat information.


One provision of the law will require DHS to establish an automated system to share cyberthreat information in real time with other government agencies. The law also will allow the president, after notifying Congress, to set up a second information-sharing center if needed.


CISA will require the removal of personally identifiable information from data before it is shared. However, the vagueness of the law's language could result in "more private information [being] shared than the privacy community would prefer," says Paul Rosenzweig, a former Homeland Security deputy assistant secretary for policy, who analyzed the measure's language.

Healthcare Industry Study

The omnibus bill also includes language to require the Department of Health and Human Services to convene a task force 90 days after enactment of the legislation to address the cybersecurity threats facing the healthcare sector. This task force would:


  • Analyze how other industries have implemented cybersecurity strategies;
  • Evaluate challenges and barriers facing private healthcare organizations in defending against cyberattacks;
  • Review challenges the industry confronts in securing networked security devices; and
  • Develop a plan to share cyberthreat information among healthcare stakeholders.


The task force would report its findings and recommendations to appropriate congressional oversight committees.


Can the Power Grid Survive a Cyberattack?


It’s very hard to overstate how important the US power grid is to American society and its economy. Every critical infrastructure, from communications to water, is built on it and every important business function from banking to milking cows is completely dependent on it.

And the dependence on the grid continues to grow as more machines, including equipment on the power grid, get connected to the Internet. A report last year prepared for the President and Congress emphasized the vulnerability of the grid to a long-term power outage, saying “For those who would seek to do our Nation significant physical, economic, and psychological harm, the electrical grid is an obvious target.”

The damage to modern society from an extended power outage can be dramatic, as millions of people found in the wake of Hurricane Sandy in 2012. The Department of Energy earlier this year said cybersecurity was one of the top challenges facing the power grid, which is exacerbated by the interdependence between the grid and water, telecommunications, transportation, and emergency response systems.

So what are modern grid-dependent societies up against? Can power grids survive a major attack? What are the biggest threats today?

The grid’s vulnerability to nature and physical damage by man, including a sniper attack in a California substation in 2013, has been repeatedly demonstrated. But it’s the threat of cyberattack that keeps many of the most serious people up at night, including the US Department of Defense.

Why the grid is so vulnerable to cyberattack

Grid operation depends on control systems – called Supervisory Control And Data Acquisition (SCADA) – that monitor and control the physical infrastructure. At the heart of these SCADA systems are specialized computers known as programmable logic controllers (PLCs). Initially developed by the automobile industry, PLCs are now ubiquitous in manufacturing, the power grid and other areas of critical infrastructure, as well as various areas of technology, especially where systems are automated and remotely controlled.

One of the most well-known industrial cyberattacks involved these PLCs: the attack, discovered in 2010, on the centrifuges the Iranians were using to enrich uranium. The Stuxnet computer worm, a type of malware categorized as an Advanced Persistent Threat (APT), targeted the Siemens SIMATIC WinCC SCADA system.

Stuxnet was able to take over the PLCs controlling the centrifuges, reprogramming them in order to speed up the centrifuges, leading to the destruction of many, and yet displaying a normal operating speed in order to trick the centrifuge operators. So these new forms of malware can not only shut things down but can alter their function and permanently damage industrial equipment. This was also demonstrated at the now famous Aurora experiment at Idaho National Lab in 2007.

Securely upgrading PLC software and securely reprogramming PLCs has long been of concern to PLC manufacturers, which have to contend with malware and other efforts to defeat encrypted networks.

The oft-cited solution of an air-gap between critical systems, or physically isolating a secure network from the internet, was precisely what the Stuxnet worm was designed to defeat. The worm was specifically created to hunt for predetermined network pathways, such as someone using a thumb drive, that would allow the malware to move from an internet-connected system to the critical system on the other side of the air-gap.

Internet of many things

The growth of the smart grid – the idea of overlaying computing and communications on the power grid – has created many more access points for penetrating the grid's computer systems. Currently, the difficulty of establishing the provenance of data from smart grid devices limits what can be known about who is really sending the data and whether that data is legitimate or an attempted attack.


This concern is growing even faster with the Internet of Things (IoT), because there are many different types of sensors proliferating in unimaginable numbers. How do you know when the message from a sensor is legitimate or part of a coordinated attack? A system attack could be disguised as something as simple as a large number of apparent customers lowering their thermostat settings in a short period on a peak hot day.
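Two defences follow from the questions raised in the last two paragraphs: a message's origin can be established cryptographically if each device shares a secret with the utility, and a flood of "lower the thermostat" messages can be flagged as a burst even when every individual message verifies. The code below is an added example and not part of the article; the per-device keys, message layout, freshness window and burst threshold are constructed assumptions, and HMAC-SHA256 is one common choice for device message authentication, not something the article names.

```python
"""Provenance check for smart-grid/IoT messages plus a burst detector (added example).

Device keys, the message format and all thresholds are constructed for
illustration. Each device shares a secret key with the utility; a message is
accepted only if its HMAC verifies and its timestamp is fresh.
"""
import hashlib
import hmac
import json
from collections import deque

# Constructed per-device secrets, assumed to be provisioned out of band.
DEVICE_KEYS = {
    "thermostat-001": b"k1-constructed-secret",
    "thermostat-002": b"k2-constructed-secret",
}
MAX_SKEW_S = 60  # reject stale or replayed timestamps outside this window


def sign(device_id, payload, ts, key):
    """Build a message whose tag covers id, timestamp and payload."""
    body = json.dumps({"id": device_id, "ts": ts, "p": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"id": device_id, "ts": ts, "p": payload, "tag": tag}


def verify(msg, now):
    """True only if the sender is known, the body is untampered and the timestamp is fresh."""
    key = DEVICE_KEYS.get(msg.get("id"))
    if key is None or abs(now - msg["ts"]) > MAX_SKEW_S:
        return False
    expected = sign(msg["id"], msg["p"], msg["ts"], key)["tag"]
    return hmac.compare_digest(expected, msg["tag"])  # constant-time comparison


class BurstDetector:
    """Flags many setpoint reductions inside a short window, even from valid devices."""

    def __init__(self, window_s=300, threshold=3):
        self.window_s, self.threshold = window_s, threshold
        self.events = deque()

    def observe(self, ts, payload):
        if payload.get("setpoint_delta", 0) >= 0:
            return False  # only reductions count toward the burst
        self.events.append(ts)
        while self.events and ts - self.events[0] > self.window_s:
            self.events.popleft()
        return len(self.events) >= self.threshold


def run_demo():
    """Feed constructed genuine, forged, replayed and tampered messages through both checks."""
    now = 1_700_000_000
    det = BurstDetector()
    k1 = DEVICE_KEYS["thermostat-001"]
    good = [sign("thermostat-001", {"setpoint_delta": -2}, now + i, k1) for i in range(3)]
    forged = sign("thermostat-002", {"setpoint_delta": -5}, now, b"wrong-key")
    replayed = sign("thermostat-001", {"setpoint_delta": -2}, now - 3600, k1)
    tampered = dict(good[0])
    tampered["p"] = {"setpoint_delta": -9}  # body changed, tag left as-is
    accepted, rejected, alerts = 0, 0, 0
    for m in good + [forged, replayed, tampered]:
        if not verify(m, now):
            rejected += 1
            continue
        accepted += 1
        if det.observe(m["ts"], m["p"]):
            alerts += 1
    return {"accepted": accepted, "rejected": rejected, "burst_alerts": alerts}


if __name__ == "__main__":
    print(run_demo())
```

The two checks are deliberately independent: authentication answers "is this device really the sender", while the burst detector answers "is the aggregate behaviour plausible", which is the only defence left once an attacker holds genuine device credentials.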

Defending the power grid as a whole is challenging from an organizational point of view. There are about 3,200 utilities, all of which operate a portion of the electricity grid, but most of these individual networks are interconnected.

The US Government has set up numerous efforts to help protect the US from cyberattacks. With regard to the grid specifically, there is the Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP) and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) programs in which utilities voluntarily share information that allows patterns and methods of potential attackers to be identified and securely shared.

On the technology side, the National Institute of Standards and Technology (NIST) and IEEE are working on smart grid and other new technology standards that have a strong focus on security. Various government agencies also sponsor research into understanding the attack modes of malware and better ways to protect systems.

But the gravity of the situation really comes to the forefront when you realize that the Department of Defense has stood up a new command to address cyberthreats, the United States Cyber Command (USCYBERCOM). Now in addition to land, sea, air, and space, there is a fifth command: cyber.

The latest version of The Department of Defense’s Cyber Strategy has as its third strategic goal, “Be prepared to defend the US homeland and US vital interests from disruptive or destructive cyberattacks of significant consequence.”

There is already a well-established theater of operations where significant, destructive cyberattacks against SCADA systems have taken place.


In a 2012 report, the National Academy of Sciences called for more research to make the grid more resilient to attack and for utilities to modernize their systems to make them safer. Indeed, as society becomes increasingly reliant on the power grid and an array of devices are connected to the internet, security and protection must be a high priority.


Kaspersky may have been hacked to spy on its research


Eugene Kaspersky, the Russian whose namesake company acknowledged that it had been infected with top-tier malware, struggled during a press conference to come up with reasons why the hackers targeted his firm.


After all, antivirus makers like Kaspersky Lab should be prepared to sniff out and snuff out an attack.

“They were not only stupid, but greedy,” Kaspersky said during a London-based press conference Wednesday, which was also webcast to reporters elsewhere.


When asked why the attackers—whose malware was dubbed Duqu 2.0 in a nod to 2011’s Duqu, which in turn was thought to be an offspring of the infamous Stuxnet—went head-to-head with his company, Kaspersky had theories but nothing more.

“They were not interested in our customers,” he said after asserting that the intrusion did not appear to have touched any customer or partner data.


“I’m pretty sure they were watching,” he said of the hackers during the months they had their malware running undetected on Kaspersky’s network. He speculated that the attackers were doing reconnaissance and research, hoping to find out more about Kaspersky’s security technology or how it found and analyzed malware.


Specifically, Kaspersky wondered if they had infected Windows PCs on the company’s network to uncover how researchers decided what malware to manually examine.

A treasure trove of research

The vast bulk of the malware that Kaspersky—and any major antivirus firm—collects is processed, evaluated and categorized by automated systems, which also craft the resulting “fingerprints,” or signatures, that are sent to customers’ devices. Only the occasional piece of attack code is interesting enough, different enough from the run-of-the-mill to justify a human touch.


How researchers make the decision to closely evaluate—and root through—one piece of malware while passing on another would obviously be information a hacker crew or state-sponsored group would love to have, as it would help them craft attack code and develop tradecraft that would be more likely to get shunted to the machines, where it would be one among millions, and its true purpose perhaps overlooked.


“[The bad guys] absolutely want to know what security researchers are doing, what’s the state of the art on that side,” said Tod Beardsley, the engineering manager at security vendor Rapid7, in an interview. “They want to know, is it better than what [they] have?”


It’s certain, Beardsley continued, that just as security researchers launch projects to analyze attack technology and attackers’ predilections, the other side does the same. “Having a hold in a security company is of great advantage,” Beardsley said. “Just the operational intelligence would be valuable, as that would give them lots of preparation time for their next mission.”


And with more-than-public knowledge, hackers might be able to come up with ways to steer clear of security defenses like those employed by Kaspersky’s customers.


But Eugene Kaspersky dismissed the idea that the hackers’ presence within his company’s network—he said it had been hidden there at least several months—would give them real clues about the vendor’s technologies, even if they had obtained the source code, which they had not. “These technologies are quickly outdated,” Kaspersky contended, saying that changes were constantly being applied.


“Maybe they were interested in some specific attacks we were working on,” Kaspersky said. “Or maybe they wanted to see if we could catch them.”

"Very awesome" malware

In a long blog post on Forbes, Kaspersky elaborated. “I can think of several reasons why someone might want to try to steal our technical data, but each one of them doesn’t seem to be worth the risk” of being discovered, Kaspersky said.


Which is exactly what happened.


“Now we know how to catch a new generation of stealthy malware developed by them,” Kaspersky wrote. “And the attackers are now back to the drawing board since we exposed their platform to the whole IT security industry. Moral considerations aside, that’s hardly a good return on a serious investment with public money.”


That latter line was a reference to Kaspersky’s contention that Duqu 2.0 was created by a state-sponsored or state-run hacking crew.

Beardsley and Kaspersky agreed on one thing: Duqu 2.0 was top-of-the-line malware.


“It’s very awesome for sure,” said Beardsley. “It is definitely a milestone. It has a very modular framework, is able to swap out one zero-day for another, and uses new techniques for signaling and non-persistence.”


Unlike most malware, Duqu 2.0 resides almost exclusively in memory, making it difficult for security software to detect it.

Which led Eugene Kaspersky to make an odd-but-effective suggestion about how to rid a network of the malware. “Technically, it’s simple: Turn off the power and the system will be clean.”


Law Banning Default Encryption Unlikely


Laws rarely, if ever, keep up with technology, but even if they could, the consequences could prove more harmful than the benefits.

That was evident at an April 29 hearing of the House Oversight and Government Reform Subcommittee on Information Technology that addressed the encryption - and security - of mobile devices.



Here's the problem the panel addressed that faces law enforcement: Encryption is the default setting for new Apple iPhone and Google Android mobile devices, meaning that law enforcement cannot gain access to encrypted data on the devices even if they have a search warrant. To gain access, the manufacturers would have to create a so-called "backdoor," and give law enforcement a special key to decrypt data on mobile devices. Without such a key, law enforcement could gain access only with the permission of the devices' owners, an unlikely scenario if the encrypted data contains incriminating evidence.

"We call it 'going dark,' and it means that those charged with protecting the American people aren't always able to access the information necessary to prosecute criminals and prevent terrorism even though we have lawful authority to do so," FBI Executive Assistant Director Amy Hess told lawmakers.

Backdoor Benefits

Hess furnished the subcommittee with examples of how accessing data enabled forensics experts to solve crimes, including kidnapping, false rape accusation and murder.


"Today's encryption methods are increasingly more sophisticated, and pose an even greater challenge to law enforcement," she said. "We are seeing more and more cases where we believe significant evidence resides on a phone, a tablet or a laptop - evidence that may be the difference between an offender being convicted or acquitted - but we cannot access it."


Advocates of giving law enforcement a backdoor key include President Obama and FBI Director James Comey. At the Congressional hearing, Suffolk County (Mass.) District Attorney Daniel Conley voiced strong support: "The Fourth Amendment allows law enforcement access to the places where criminals hide evidence of their crimes, once the legal threshold has been met," Conley testified. "In decades past, these places were car trunks and safety deposit boxes; today they are computers and smartphones."

Questioning Motives of Apple, Google

Conley dismissed Apple's and Google's contention that the default encryption they offer on their devices safeguards consumers' privacy.

"Their nominal commitment to privacy rights would be far more credible if they were forbidding themselves access to their customers' interests, search terms and consumer habits, but as we all know, that's not a step they're willing to take," Conley said. "Instead, they're taking full advantage of their customers' private data for commercial purposes while building an impenetrable barrier around evidence in legitimate, court-authorized criminal investigations."


Hess and Conley make a somewhat sound argument. After all, police, with the proper court order, can break into filing cabinets to retrieve evidence. But the rules of the physical world don't always translate well into the virtual one. And other witnesses at the hearing made more compelling arguments for why creating an electronic backdoor is a very bad idea.


"Unfortunately, harsh technical realities make such an ideal solution [a backdoor] effectively impossible, and attempts to mandate one would do enormous harm to the security and reliability of our nation's infrastructure, the future of our innovation economy and our national security," said cryptographer Matthew Blaze, an associate professor of computer and information science at the University of Pennsylvania. "We just can't do what the FBI is asking without weakening our infrastructure."

Undermining U.S. Cybersecurity

Providing a backdoor would undermine America's cybersecurity. "While the FBI would have us believe that law enforcement alone will be privy to our sensitive data, history demonstrates that bad actors will always be ahead of the curve and find an avenue to manipulate those openings," said Jon Potter, president of Application Developers Alliance, a trade group. "As one well-regarded cryptographer said, 'You can't build a backdoor that only the good guys can walk through.'"

Creating a backdoor could potentially cost the American economy billions of dollars in lost business. Kevin Bankston, policy director of the think tank New America's Open Technology Institute, says a backdoor would give foreign users, including corporations and governments that especially rely on the security of technologies, even more incentive to avoid American wares and turn to foreign competitors. "To put it bluntly," he said, "foreign customers will not want to buy or use online services, hardware products, software products or any other information systems that have been explicitly designed to facilitate backdoor access for the FBI or the NSA."

Encryption Mitigates Risks

But the most compelling argument for retaining default encryption that's beyond the reach of law enforcement is that it makes everyone safer, especially on smartphones. "The vast amount of personal information on those devices makes them especially attractive targets for criminals aiming to commit identity theft or other crimes of fraud, or even to commit violent crimes or further acts of theft against the phone's owner," Bankston said.


"By taking this step for their customers and turning on encryption by default," he said, "mobile operating system vendors have completely eliminated the risk of those crimes occurring, significantly discouraged thieves from bothering to steal smartphones in the first place, and ensured that those phones' contents will remain secure even if they are stolen."


It's an argument that can persuade even the most ardent supporters of law enforcement and intelligence agencies. The subcommittee's chairman - freshman Republican William Hurd of Texas, a former undercover CIA agent and cybersecurity strategist, concluded the hearing by opposing offering law enforcement a backdoor. "I hold everyone in law enforcement and the intelligence community to a higher standard," he said. "Upholding civil liberties and civil rights are not burdens. They make all of us safer and stronger."



House Expected To Pass Cybersecurity Bill, Indemnifying Companies That Share Breach Data


The House is expected to pass a bill Wednesday that is intended to compel private companies to give investigators access to their computer records and networks in the event of a data breach. The bill has been in the making for years, and comes after a series of embarrassing, high-profile hacks at companies such as Sony and Anthem health insurance.


The vote, which coincides with that for a similar Senate bill, is an assertive response from the federal government after major intrusions have resulted in a delayed movie release, lost credit card information, stolen medical records and a shaken faith in corporate America’s ability to protect itself online. Yet debate over the House bill has raised concerns from privacy and transparency advocates, including initial resistance from President Barack Obama and prominent congressional Democrats.


The House bill provides hacked companies with legal liability protection if they share sensitive information with the government. Privacy advocates demanded, and obtained, a requirement under this provision that shared data undergo two rounds of scrubbing, the removal of personal information, before it reaches a government agency. The data will not be sent to the National Security Agency or the Department of Defense first, though it could ultimately end up there.

The privacy changes were enough to win over prominent Democrats, with Obama expected to sign a modified version of the House and Senate bills. Yet the White House still expressed reservations in a statement Tuesday, suggesting that the liability protections that are meant to protect companies from penalties that come with unauthorized use of customer data go too far.


“Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks,” the White House said. Overly broad liability protections might “remove incentives for companies to protect their customers’ personal information and may weaken cybersecurity writ large,” the statement went on.



House Panel Passes Cyberthreat Info Sharing Bill


After beating back amendments by Democratic members to limit liability protections for businesses, the House Homeland Security Committee on April 14 unanimously approved cyberthreat information sharing legislation on a voice vote.


The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to the full House, where differences with another cyberthreat information sharing measure approved by the House Intelligence Committee last month will be worked out. House leaders indicated that the full House could vote on cyberthreat information sharing legislation as early as next week.


In the Senate, a version of its cyberthreat information sharing bill could come up for a vote shortly. Senate Majority Leader Mitch McConnell included the Cybersecurity Information Sharing Act passed last month by the Senate Intelligence Committee as among several bipartisan bills that the Senate is "working hard to advance."


The National Cybersecurity Protection Advancement Act of 2015, approved by the House Homeland Security Committee, provides many of the privacy and civil liberties protections sought by President Obama. Those protections were absent from the cyberthreat information sharing bills that passed the House in the two previous Congresses, which the White House had threatened to veto.

Limits Placed on Shared Data

The House committee approved one amendment that explicitly states that shared cyberthreat information processed through the National Cybersecurity and Communications Integration Center - known as NCCIC, the Department of Homeland Security portal - could not be used for law enforcement or intelligence purposes. Civil liberties groups have raised concerns that some cyberthreat information sharing bills could allow the use of collected cyberthreat data to spy on Americans, violating their privacy and liberties.


The legislation would require private companies to remove personally identifiable information unrelated to the cybersecurity risk before sharing information with the NCCIC or other private entities. It would also require the NCCIC to conduct a second scrub and destroy any personal information that is unrelated to the cybersecurity risk before further sharing with other government agencies or private organizations.


The aim of the cyberthreat information sharing legislation is to encourage businesses and other private organizations to voluntarily share threat data with the government and with other businesses in order to mitigate damaging cyber-attacks. But some businesses are reluctant to share that information unless they are protected from legal action, which led to the various provisions offering liability protections.

Liability Provisions Remain Intact

The Democratic minority on the House Homeland Security Committee, along with the Obama administration, contend that the liability protections offered to businesses in the committee's bill were too broad, providing legal protections when not warranted. An amendment offered by Rep. Cedric Richmond, D-La., would have removed liability protection for businesses that received threat data but failed to act on it. "If you abide by the provisions of this act," Richmond said, "then you're exempt from liability. It's just that simple. Instead of adding all these other concepts to the liability language, if we take the time to pass a bill and you abide by it, you have liability exemption. If you don't, then you don't have exemption."


But the bill's cosponsor, Republican Rep. John Ratcliffe of Texas, said the broader liability protections in the bill are aimed to get the greatest number of businesses to participate in cyberthreat information sharing. "Stakeholders are concerned about putting their customers or consumers at risk, and their information at risk; they're concerned about exposing their own sensitive business information by sharing," Ratcliffe said. "And, they're also concerned about possibly violating federal privacy laws. Having strong liability protection is going to be absolutely critical and vital to the success of this bill, and the phraseology in this bill is absolutely critical and essential to that point."

The bill originally provided liability protection for businesses that conducted their network security awareness in "good faith," but the committee voted to excise those words from the measure because, as McCaul noted, the term is too ambiguous and could lead to confusion in enforcing the measure should it become law.

Awaiting Word from White House

The White House has not said whether it would support or veto any of the cyberthreat information sharing bills winding their way through Congress. Statements of Administration Policy, such as the ones containing the earlier veto threats, usually are issued shortly before one of the chambers is set to vote on the legislation.

After the committee vote, the Financial Services Roundtable called for swift floor action on the legislation. "Congressional action to better protect consumers from cyber-attacks is long overdue," said Tim Pawlenty, CEO of the Roundtable, a financial services industry advocacy group. "We applaud the House for addressing gaps in our nation's cybersecurity laws and urge both chambers of Congress to quickly put a bill on the president's desk."



Will Executive Order Impact Cybercrime?


President Obama on April 1 issued an executive order that allows the U.S. government to block or seize the assets of suspected "malicious cyber actors." But some legal and security experts already are questioning whether the order is legally defensible or will have any meaningful impact on either cybercrime or online espionage.


"There are so many problems with this," attorney Mark Rasch, a former U.S. Department of Justice official who created its computer crime unit, tells Information Security Media Group, citing, for example, the government's ability to presume someone is guilty, without first having to prove it. "In general, sanctions are a political tool for putting pressure on recalcitrant governments to change their ways, [but] these sanctions are a legal tool to impose punishment without trial on persons we believe to be criminals and hackers."


The Obama administration, however, says that the executive order, officially titled "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities," is necessary to give the U.S. government much-needed new legal tools in its fight against cybercrime and online espionage. The executive order represents the first time that the White House has authorized broad sanctions to be imposed specifically for cyber-attacks, regardless of the location of whoever is behind them.


"Our primary focus will be on cyberthreats from overseas," Obama writes on the news website Medium. "In many cases, diplomatic and law enforcement tools will still be our most effective response. But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst."


The executive order authorizes the Secretary of the Treasury - in consultation with the Attorney General and the Secretary of State - to impose such sanctions "on individuals or entities that engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy or economic health or financial stability of the United States," Obama says in an April 1 statement distributed by the White House.


While the executive order doesn't define "significant," it says sanctions can be imposed for a variety of reasons, for example, in response to attacks that target critical infrastructure, which disrupt networks - via distributed denial-of-service attacks, for instance - as well as for targeting or stealing trade secrets or personally identifiable information, and for computer crime in general.

Intent: To Fill Gaps

White House Cybersecurity Coordinator Michael Daniel says the executive order is meant to expand the "spectrum of tools" that the government can use to combat cyber-attacks, by supplementing current diplomatic, law enforcement, military, economic and intelligence capabilities.


"It is designed to fill in a gap that we have identified where individuals carrying out significant malicious cyber-attacks are located in places that it's difficult for our diplomatic and law enforcement tools to reach - whether because they're behind the borders of a country that has weak cybersecurity laws, or the government is complicit in or turning a blind eye to the activity that is happening, and we don't have good law enforcement relationships or other kinds of relationships," he said on an April 1 press call. "So what we're doing is putting in place a tool that will enable us to impose costs on those actors."


John Smith, the Treasury Department's acting director of the Office of Foreign Assets Control, or OFAC, which administers and enforces U.S. economic sanctions programs, said on the press call that the executive order elevates cyber-attacks to the realm of such activities as counterterrorism, narcotics trafficking and transnational crime, which the United States targets regardless of where the actors are based. Smith says the administration hopes that by designating cybercrime and online espionage in this manner, more countries will be spurred to put a stop to such activities inside their borders or touching their financial systems.

Sony Hack Inspired Order

The Washington Post reports that the executive order has been under development for the past two years. But Daniel says the need for the executive order was highlighted after the president called for a "proportional response" to the hack attack against Sony Pictures. "That process informed us as we were finishing up this executive order and highlighted the need for us to have this capability and to have this tool."


The move follows another executive order, signed by the president in January, that imposed sanctions on 10 individuals and three entities associated with the North Korean government, after the FBI attributed the November 2014 hack and wiper malware attack against Sony Pictures Entertainment to "North Korea actors." But numerous information security experts have continued to question that attribution.

Questioning the Rationale

And some legal and security experts are now questioning the rationale behind the new executive order. "It's really built out of frustration, because the international legal process does not deal effectively with cybercrime," says Rasch, the former DOJ official. "So there's the urge to take the law into your own hands. Resist that urge."


Rasch adds that another problem with the executive order is that it's not aimed just at state sponsors - or nation-state-backed attackers - but anyone who the U.S. believes has broken the law. Furthermore, it allows the government to impose punishments, such as seizing U.S. citizens' assets, without any due process, or having to first prove the government's case.


The administration says that anyone who wants to contest sanctions that get imposed using this executive order can do so with OFAC, or by filing a lawsuit against the federal government.

Cybercrime Impact?

But will the executive order lead to any meaningful reduction in cybercrime or online espionage? "I'm somewhat skeptical, to say the least," Sean Sullivan, a security adviser for Helsinki, Finland-based anti-virus firm F-Secure, tells ISMG. "There's a great deal of Russian-speaker-based 'espionage as a service' that would be very difficult to do much about. And China seems even more of a challenge. But then again, maybe there are some officials who do actually have American assets to go after - New York real estate, for example."


James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, believes that the new program could have an impact, for example to combat Chinese-promulgated economic espionage. "You have to create a process to change the behavior of people who do cyber-economic espionage," he tells The Washington Post. "Some of that is to create a way to say it's not penalty free. This is an effective penalty. So it moves them in the right direction."

But Rasch thinks it's unlikely that the executive order would fulfill the stated White House purpose of deterring future cybercrime, espionage and large-scale attacks. "The rogues are not going to be deterred by this," he says. "The state sponsors are not going to be deterred by this."



Hackers have found a way to get into nearly every computer


Hacking even the most secure systems is easier than previously thought, as two researchers demonstrated at the CanSecWest security conference in Vancouver last week.

The two computer security experts, Xeno Kovah and Corey Kallenberg, exhibited a proof-of-concept, showing how to hack into BIOS chips, which are microchips containing the firmware of a computer’s motherboard.

"The BIOS boots a computer and helps load the operating system," Wired explained. "By infecting this core software, which operates below antivirus and other security products and therefore is not usually scanned by them, spies can plant malware that remains live and undetected even if the computer’s operating system were wiped and re-installed. "

The attacks can be delivered either through remote exploitation, such as phishing emails, or through "physical interdiction of a system," Wired reports. The researchers found what they called "incursion vulnerabilities" that give them access to the BIOS. Once the BIOS is compromised, the implant runs with the highest privileges on the machine, beneath the operating system, and from there can control the system at will, including stealing passwords and surveilling other data.

Kovah told Business Insider that of the 10,000 enterprise-grade machines they analyzed, 80% of them had at least one BIOS vulnerability.

Most alarming is that, once the BIOS is compromised, all data on the machine is up for grabs. Disk and file encryption do not help, because the implant can read data after the operating system has decrypted it for use, even if the user relies on privacy-oriented security software.

For example, the researchers said that the Tails system — a widely used OS known for its immense security — could be hijacked. Edward Snowden and Glenn Greenwald use Tails to share data. Kovah and Kallenberg say that their malware could subvert Tails making it possible to gain access to any of its data. 

The ramifications for computer security are huge. For one, it was previously thought that only the best-resourced attackers, such as deep-pocketed governments, were able to compromise BIOS chips. This was most recently evidenced by findings from Kaspersky Lab, which discovered a series of attacks targeting computers' firmware by what appears to be the NSA.

Now, given that Kovah and Kallenberg were able to hack these chips without a billion dollar government budget, things have changed. Already vendors are working on patches to deal with the vulnerability, but there's no way to know what sort of damage has already been done.

While the vectors for attack are numerous, Kovah and Kallenberg hope their findings bring awareness to how critical firmware security truly is. At the very least, they hope this forces companies to patch their systems. As Kovah explained, even when new patches are issued, "we keep finding new vulnerabilities."



Why Cyber Security Is All About The Right Hires


The United Kingdom has estimated the global cyber security industry to be worth around US$200 billion per annum, and has created a strategy to place UK industry at the forefront of the global cyber security supply base, helping countries to combat cybercrime, cyber terrorism and state-sponsored espionage.

Likewise, the United States government is facilitating trade missions to emerging markets for companies that provide cyber security, critical infrastructure protection, and emergency management technology equipment and services with the goal of increasing US exports of these products and services.

Meanwhile, Australia is going through yet another iteration of a domestic cyber security review. Australia can’t afford to wait any longer to both enhance domestic capability and grasp international leadership.

The recent Australian debate about the government’s proposed data retention scheme has seen heavy focus on the security aspects of collecting, retaining and where authorised, distributing such data.

But much of this debate masks the broader issue facing the information security industry.

Failing to keep up

The constant evolution of the online environment presents cyber threats which are constantly evolving with increasing volume, intensity and complexity.

While organisations of all shapes and sizes are considering spending more money on cyber security, the supply side of information security professionals is not keeping up with the current, let alone future demand. High schools are not encouraging enough students (particularly girls) to get interested in the traditional STEM (science, technology, engineering and maths) subjects. The higher education and vocational sectors are likewise not creating enough coursework and research options to appeal to aspiring students who are faced with evermore study options.

One example of the types of programs needed to address the shortage is the Australian Government’s annual Cyber Security Challenge which is designed to attract talented people to become the next generation of information security professionals. The 2014 Challenge saw 55 teams from 22 Australian higher education institutions take part. At 200 students, this is but a drop in the ocean given what is required.

Even for those who graduate in this field, there is a lack of formal mentoring programs (again particularly for girls), and those which are available are often fragmented and insufficiently resourced. The information security industry is wide and varied, catering for all interests and many skill sets. It is not just for technical experts but also for professionals from other disciplines such as management, accounting, legal, etc, who could make mid-career moves adding to the diversity of thinking within the industry.

More and more organisations are adopting technology to create productivity gains, improve service delivery and drive untapped market opportunities. Their success, or otherwise, will hinge on a large pool of talented information security professionals.

We need to attract more people into cyber security roles. Universities need to produce graduates who understand the relationship between the organisation they work for, its people, its IT assets and the kinds of adversaries and threats they are facing. The vocational education sector needs to train technically adept people in real-world situations where a hands-on approach will enable them to better combat cyber attacks in their future employment roles.

Industry associations should focus on their sector — analysing the emerging information security trends and issues, and the governance surrounding information security strategy — to determine their own unique skills gap.

The government should develop a code of best practice for women in information security in collaboration with industry leaders, promoting internal and external mentoring services.


Via Paulo Félix

Windows PCs remained vulnerable to Stuxnet-like attacks despite 2010 patch


If you patched your Windows computers in 2010 against the LNK exploit used by Stuxnet and thought you were safe, researchers from Hewlett-Packard have some bad news for you: Microsoft’s fix was flawed.

In January, researcher Michael Heerklotz reported privately to HP’s Zero Day Initiative (ZDI) that the LNK patch released by Microsoft over four years ago can be bypassed.

This means that over the past four years attackers could have reverse-engineered Microsoft’s fix to create new LNK exploits that could infect Windows computers when USB storage devices got plugged into them. However, there’s no information yet to suggest this has happened.

The original attack, which exploited a vulnerability in how Windows displayed icons for shortcut (LNK) files, was used to spread Stuxnet, a computer worm that sabotaged uranium enrichment centrifuges at Iran’s nuclear facility in Natanz.

Stuxnet, which is believed to have been created by the U.S. and Israel, was discovered in June 2010 after it spread beyond its intended target and ended up infecting tens of thousands of computers around the world. The LNK vulnerability, tracked as CVE-2010-2568, was one of several zero-day, or previously unknown, flaws that Stuxnet exploited. Microsoft patched the flaw in August that same year as part of a security bulletin called MS10-046.

“To prevent this attack, Microsoft put in an explicit whitelist check with MS10-046, released in early August 2010,” the HP researchers said in a blog post Tuesday. “Once that patch was applied, in theory only approved .CPL files should have been able to be used to load non-standard icons for links.”

“The patch failed,” they said. “And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.”

ZDI reported the LNK patch bypass found by Heerklotz to Microsoft, which treated it as a new vulnerability (CVE-2015-0096) and fixed it Tuesday as part of MS15-020. The ZDI researchers plan to examine the new update to see if there are any other possible bypasses.

However, applying the workaround published by Microsoft in 2010, which involves using the registry editor to manually disable the display of icons for shortcut files, will protect against the latest flaw too, they said.
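The mechanism the HP researchers describe, Explorer loading a module named inside a shortcut's target ID list just to draw the icon, leaves a structural fingerprint that can be checked on disk or at a mail gateway without executing anything. The following Python is an added example, not code from the article, from HP ZDI or from Microsoft: it parses the fixed ShellLinkHeader and the LinkTargetIDList of a .LNK file as framed in MS-SHLLINK and flags links that walk through the Control Panel folder to an item carrying a path, or that name a .dll or .cpl anywhere in the ID list. The two sample shortcuts are constructed inline so the script runs offline; their item type bytes are an assumption sufficient for the heuristic, and a scanner like this complements the registry workaround the article mentions rather than replacing it.

```python
"""Heuristic scan for shortcut (.LNK) files shaped like the CVE-2010-2568 /
CVE-2015-0096 icon-handler attack: a link whose target ID list walks
My Computer -> Control Panel -> an applet item that carries the path of a
module Explorer loads just to draw the icon.

Added example (not code from the article, HP ZDI or Microsoft). The sample
shortcuts below are constructed so the script runs offline; the ID-list
framing follows MS-SHLLINK, the item type bytes are an assumption."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le

HAS_LINK_TARGET_ID_LIST = 0x01   # LinkFlags bit 0
HAS_LINK_INFO = 0x02             # LinkFlags bit 1
HEADER_SIZE = 0x4C


def parse_id_list(buf, off):
    """Yield each ItemID payload of the LinkTargetIDList starting at off."""
    if off + 2 > len(buf):
        return
    (id_list_size,) = struct.unpack_from("<H", buf, off)
    off += 2
    end = min(off + id_list_size, len(buf))
    while off + 2 <= end:
        (size,) = struct.unpack_from("<H", buf, off)
        if size < 2:                 # TerminalID (0x0000) or corrupt length
            break
        yield buf[off + 2:off + size]
        off += size


def utf16_strings(data, minlen=4):
    """Carve printable UTF-16LE runs; shell items store paths that way."""
    out, cur = [], []
    for i in range(0, len(data) - 1, 2):
        lo, hi = data[i], data[i + 1]
        if hi == 0 and 32 <= lo < 127:
            cur.append(chr(lo))
            continue
        if len(cur) >= minlen:
            out.append("".join(cur))
        cur = []
    if len(cur) >= minlen:
        out.append("".join(cur))
    return out


def scan_lnk(buf):
    """Return (suspicious, reasons) for the bytes of one shortcut file."""
    if (len(buf) < HEADER_SIZE
            or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        return False, ["not a shell link"]
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return False, []
    reasons, under_control_panel = [], False
    for payload in parse_id_list(buf, HEADER_SIZE):
        if CONTROL_PANEL in payload:
            under_control_panel = True
            continue
        for s in utf16_strings(payload):
            if s.lower().endswith((".dll", ".cpl")):
                reasons.append(f"ID list names a loadable module: {s}")
            elif under_control_panel and "\\" in s:
                reasons.append(f"path carried by a Control Panel item: {s}")
    if reasons and not flags & HAS_LINK_INFO:
        reasons.append("no LinkInfo block: the link has no ordinary file target")
    return bool(reasons), reasons


# Constructed samples (not real malware). BENIGN sets HasLinkInfo but, being a
# minimal sample, carries no LinkInfo body; the scanner never reads that block.
def build_lnk(flags, items):
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


BENIGN = build_lnk(HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO, [
    b"\x1f\x50" + MY_COMPUTER,
    b"\x31\x00" + b"notepad.exe\x00",             # plain file entry, ANSI name
])
SUSPICIOUS = build_lnk(HAS_LINK_TARGET_ID_LIST, [
    b"\x1f\x50" + MY_COMPUTER,
    b"\x1f\x00" + CONTROL_PANEL,
    b"\x71\x00\x00\x00" + "E:\\payload.dll".encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_lnk(blob))
```

Run it over shortcuts harvested from removable media or mail attachments and treat anything flagged as a sample to analyse, not a file to open in Explorer. Legitimate Control Panel shortcuts can trip the second rule, so the output is triage input rather than a verdict.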

While the LNK attack was first discovered as part of Stuxnet, security researchers from Kaspersky Lab recently found that another computer worm, called Fanny, had used it since 2008. Fanny is part of a malware arsenal used by a highly sophisticated cyberespionage group that Kaspersky has dubbed Equation.

As revealed by a Kaspersky Lab report in August 2014, exploitation of the original CVE-2010-2568 vulnerability remained widespread even after the Microsoft patch in 2010, primarily because the exploit was integrated in more common threats like the Sality worm. From July 2010 to May 2014, Kaspersky Lab detected over 50 million instances of the CVE-2010-2568 exploit on more than 19 million computers worldwide.



'Freak' Flaw Also Affects Windows


Microsoft is warning that all Windows operating systems are at risk from the vulnerability known as Freak, for "Factoring RSA-EXPORT Keys." The flaw lies in SSL/TLS implementations, which are used to secure online communications: a man-in-the-middle attacker can force a connection to downgrade from a strong RSA key exchange to a weak, 512-bit "export-grade" RSA key, which the attacker can then factor.

A new Microsoft security advisory (KB3046015) warns that Secure Channel, or Schannel, which encrypts traffic and transactions on most Windows platforms, is at risk from the Freak flaw.


"Microsoft is aware of a security feature bypass vulnerability in Secure Channel that affects all supported releases of Microsoft Windows," the alert says. "Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system."

As yet, there's no patch available for vulnerable Windows systems, although information security experts say they expect Microsoft to release related fixes quickly. In the interim, Microsoft has detailed a temporary workaround that can be used for most Windows systems. "You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor," it says. But it warns: "Windows will fail to connect to systems that do not support any of the ciphers listed in the workaround."

To date, however, there's no fix or workaround available for Windows Server 2003. "The cipher management architecture on Windows Server 2003 does not allow for the enabling or disabling of individual ciphers," Microsoft says.

Risks to Apple, Android, Cloud

After quietly warning security vendors, government agencies and other organizations in recent weeks, security researchers first sounded a public alert about the Freak vulnerability on March 3. They've warned that the vulnerability exists in versions of OpenSSL prior to 1.0.1k, all Android devices that ship with the standard browser, as well as in Apple SSL/TLS clients, which are used by both Mac OS X clients and iOS mobile devices, among other operating systems. The vulnerability has been designated as CVE-2015-0204.

The Freak flaw could be exploited to downgrade a browser or other client's Internet connection from a relatively secure cipher, to an outdated - and weak - "export cipher," which attackers could then crack, allowing them to intercept communications or inject attack code into browsers. "What Freak allows you to do is, if you can break the RSA export-strength key, then you can provide a 'valid' certificate for a man-in-the-middle attack," says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. Tenable, which sells the widely used Nessus vulnerability scanner, has released a Nessus plug-in that will scan for Windows clients and servers that are vulnerable to Freak.

No Attacks Seen

But to date, there have been no signs that the Freak flaw has ever been exploited in the wild - against Windows servers and systems, or any other device. "The reality is, it's still really difficult to do - to break a key, it would still take a few hours or $100 of Amazon EC2 time," Millard says, referring to Amazon's Elastic Compute Cloud, which offers on-demand processing power. "There are so many other ways to break into a site. Hackers are smart; they don't use a sledgehammer to crack a walnut."

Still, related vulnerabilities remain widespread. The Freak Attack website, which is run by researchers at the University of Michigan, has been tracking the extent of the Freak vulnerability. The site reports that as of March 6, 9.5 percent of the websites on the Alexa list of the 1 million most popular domains remained vulnerable to Freak, although that was a decrease from 12.2 percent of all such sites when the Freak vulnerability was first publicized on March 3. But 37 percent of all HTTPS servers with browser-trusted certificates remained vulnerable to Freak, as did 26 percent of all HTTPS servers, and neither of those statistics had declined since Freak was first publicized, the researchers say.

As of March 6, the Freak Attack website reported that the following client software remained vulnerable to the Freak flaw:

  • Internet Explorer
  • Chrome on Mac OS (patch available now)
  • Chrome on Android
  • Safari on Mac OS (patch due week of March 9)
  • Safari on iOS (patch due week of March 9)
  • Stock Android Browser
  • BlackBerry Browser
  • Opera on Mac OS
  • Opera on Linux

Cloud security firm Skyhigh Networks reported that as of March 4, 766 cloud providers also remained unpatched against the vulnerability, thus leaving their users at risk. "These services include some of the leading backup, HR, security, collaboration, CRM, ERP, cloud storage, and backup services," Sekhar Sarukkai, vice president of engineering at Skyhigh, says in a March 5 blog post. Across the company's 350 customers, meanwhile, he reports that 99 percent use at least one cloud provider that's vulnerable to the Freak flaw, while the average company uses 122 vulnerable services.

Don't Freak: How to Mitigate

The Freak Attack site says that to mitigate the vulnerability, anyone running a server "should immediately disable support for TLS export cipher suites," and that anyone who uses a browser should ensure that they have the latest version installed and keep checking for new upgrades, since all major browsers should soon see a fix.

Finally, Freak Attack recommends that all systems administrators and developers ensure that their TLS libraries are fully updated. "Both OpenSSL and Microsoft Schannel are known to be vulnerable," it says. "Note that these libraries are used internally by many other programs." The site offers a number of tools that can be used to test for related flaws.
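A server is only exposed to a Freak downgrade if it is still willing to negotiate an RSA_EXPORT suite, so the check that matters is which cipher suite the server actually selects. The following added example (not code from the article or from the Freak Attack site) parses a TLS ServerHello record, for instance one captured by a scanner, and flags the 40-bit export suites from RFC 2246 that the mitigation advice says to disable; the sample ServerHello bytes are constructed here.

```python
"""Flag export-grade cipher suites in a TLS ServerHello (added example)."""
import os
import struct

# RSA export suites: the ones a Freak downgrade targets (export-strength RSA key).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
# Other 40-bit export suites from RFC 2246; equally obsolete and also to be disabled.
OTHER_EXPORT_SUITES = {
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16      # TLS record content type
SERVER_HELLO = 0x02   # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Return version, session id and selected cipher suite from a ServerHello.

    Raises ValueError for anything that is not a well-formed ServerHello record.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # version(2) + random(32) + session_id_length(1) must be present
    if len(hs) != hs_len or len(hs) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    sid_len = hs[34]
    pos = 35 + sid_len
    if len(hs) < pos + 3:  # cipher suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"version": version, "session_id": hs[35:pos], "cipher_suite": suite}


def classify_suite(suite: int) -> str:
    """'rsa-export' (Freak-relevant), 'export' (other 40-bit suite) or 'ok'."""
    if suite in RSA_EXPORT_SUITES:
        return "rsa-export"
    if suite in OTHER_EXPORT_SUITES:
        return "export"
    return "ok"


def check_server_hello(record: bytes) -> tuple:
    """Return (cipher_suite, classification) for a captured ServerHello record."""
    suite = parse_server_hello(record)["cipher_suite"]
    return suite, classify_suite(suite)


def build_server_hello(suite: int, version: int = 0x0301) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello selecting `suite` (test input only)."""
    hs = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # empty session id
    hs += struct.pack("!H", suite) + b"\x00"                     # suite, null compression
    body = bytes([SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE]) + struct.pack("!HH", version, len(body)) + body


if __name__ == "__main__":
    # 0x002F is TLS_RSA_WITH_AES_128_CBC_SHA, a non-export suite
    for s in (0x0003, 0x0014, 0x002F):
        print(hex(s), check_server_hello(build_server_hello(s)))
```

A server that answers with anything classified `rsa-export` or `export` still needs its export suites removed from the cipher list; a correctly configured server should refuse such a handshake outright.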

This is not the first time that Microsoft Schannel has been at risk from a newly discovered vulnerability. In particular, a zero-day vulnerability in Schannel was discovered in November 2014. Before that, Schannel was at risk from the so-called POODLE flaw - first publicly revealed Oct. 14 - in SSL, which was later found in TLS as well. The flaw could be exploited to intercept and read encrypted Internet communications, steal session cookies and impersonate users.



Despite High-Profile Data Breaches, Fraud is Down


Home Depot, Staples, Neiman Marcus — 2014 was a blockbuster year for the high-profile data breaches, with at least $16 billion stolen from a reported 12.7 million fraud victims.

But those numbers are actually an improvement, according to a new study by Javelin Strategy & Research. Last year, the amount of money lost to fraud dropped 11 percent, down from $18 billion in 2013. And in 2012, the amount was even higher, at $21 billion.

The number of victims is down too, dipping 3 percent in 2014.

Though hacks appear to be growing in size and targeting larger retailers, financial institutions have also gotten better at performing triage after such an attack occurs.

“The combined efforts of industry, consumers, and monitoring and protection systems that are catching fraud more quickly helped reduce the incidence of fraud and the amount stolen over the past year,” said Al Pascual, director of fraud and security at Javelin, a consulting firm that analyzes consumer transactions. “When detected, fraud is being resolved quicker than ever before.”

After 110 million credit card numbers were stolen in the December 2013 Target breach, for example, banks went on the offensive, spending more than $200 million to replace consumer credit and debit cards.

In 2014, 1 in 4 consumers received data breach notifications, but a smaller proportion of those people became fraud victims than in 2013. Last year, fraud incidents among notified breach victims dropped 17 percentage points to 13.7 percent, the lowest rate since Javelin began conducting its annual study in 2004.

The report hypothesized that the huge number of data breaches in 2014 may have spurred banks and retailers to take such attacks more seriously, driving down the incidents of fraud. Improvements in technology that can help detect fraud also contributed to the decline, the report said.

Pascual warned that despite dropping reports of fraud, consumers should still be wary of identity theft.

“We have seen declines in the past, but they have reversed as fraudsters try new approaches or when new technologies make it easier for fraudsters to get consumer information,” he said.

For instance, while new-account fraud (in which a fraudster uses stolen information to open an account in a victim’s name) reached record lows in 2014 according to the Javelin report, this year such incidents have increased due to security weaknesses in Apple’s new mobile payments system, Apple Pay.

In the Javelin report, 13 percent of victims of new-account fraud did not detect the identity theft for more than a year.

Though 2014’s number of victims was down, 2013 had the second-highest number of identity theft victims since Javelin began its annual study.

In the end, said Pascual, more breaches will result in more victims of identity theft. In 2014, two-thirds of identity fraud victims had previously received a data breach notification that year.

“This is a long, drawn-out battle against identity thieves,” he said. “While there have been some victories this year, there have also been some discouraging setbacks. It really reinforces why we need the combined efforts of industry, consumers, and monitoring and protection systems working together to continue the downward trend.”


Via Paulo Félix

How to stop ransomware: It's really not that complicated


Ransomware. The word itself is scary enough, let alone the glimpse of just how damaging such attacks could be that the world saw in WannaCry and NotPetya during May and June. But cybersecurity experts counter that ransomware shouldn’t actually be so overwhelming to information security professionals -- if they adhere to simple best practices. 

For starters, backup files are crucial and those should be both encrypted and kept offline -- separate from the main network, according to Engin Kirda, professor of electrical and computer engineering and computer and information science at Northeastern University.


Lee Kim, HIMSS’ director of privacy and security said the real problem is that hospitals are often stuck running outdated, legacy systems. And even keeping pace with software patches is not always completely effective. Both NotPetya and WannaCry, for instance, leveraged vulnerabilities in these legacy systems.

In fact, Kim explained that when hospital systems must run these outdated systems, including those upon which medical devices are built, it's necessary to make sure the ports of entry are as closed off as possible.


“If an organization needs to run these systems, shelter the technology from the outside world and segment it from the network,” Lee said. “It’s always best practice to segment the network and not make it possible for one hacker to get in and pivot around your system.”

After addressing patching, segmentation and software needs, Kim said that hospitals can increase defenses with pen testing, which actively scans the system or network for exploitable vulnerabilities.

"I can't think of a better way to be prepared," said Kim. "[Pen testing] should be done not just once in a blue moon, it needs to be done regularly."

Hospitals should authorize the testing with a vendor or security employee with experience to ensure there are no disruptions due to high traffic. 

Risk assessments can also help reveal weaknesses and build defenses. 


“We want to make things more difficult for the attackers and reduce the volume of attacks,” she said.

Not surprisingly, the crux of the ransomware issue boils down to the biggest weakness in all networks: the user.

It's a simple technique: hackers craft emails and trick users into action, Kirda said. "It's just that some users don't understand ransomware, and they end up doing things that allow a successful attack."


So phishing training is critical, explained Kim. “It’s the adage of you’re only as strong as your weakest link. You can’t ignore teaching employees what to do and what not to do.”

Fortunately, there’s a lot that can be done with the human element. Naturally, employees should be trained to be cautious about opening attachments. “For an attack to be successful,” Kim said, “they just need a door or one hole to squeeze through.”

Some organizations are also labeling email as external, which can help employees determine the validity of an email that supposedly comes from a member of the company. IT can add a red notice to the bottom of every such email: mail sent from outside the organization passes through a designated filter that marks it as coming from an outside party.
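As an added example (not code from the article or from any of the organizations quoted), the following Python implements that external-mail labeling for a plain-text message: it prefixes the subject, adds a marker header and appends a caution line when the From domain is not one of the organization's own, and it also flags a Reply-To that points somewhere other than the sender's domain. The domain `clinic.example` and both sample messages are constructed placeholders.

```python
"""Tag inbound email from outside the organization (added example)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"clinic.example"}  # constructed placeholder for your own domains
SUBJECT_TAG = "[EXTERNAL] "
BANNER = "CAUTION: This email originated from outside the organization."

# Constructed sample messages (not real mail).
EXTERNAL_MAIL = """From: "Accounts Payable" <billing@vendor-mail.example>
Reply-To: collections@another-domain.example
To: staff@clinic.example
Subject: Invoice attached - please review today
Content-Type: text/plain; charset="utf-8"

Please open the attached invoice and confirm payment.
"""

INTERNAL_MAIL = """From: "Front Desk" <frontdesk@clinic.example>
To: staff@clinic.example
Subject: Lunch on Friday
Content-Type: text/plain; charset="utf-8"

The break room is booked for noon.
"""


def parse_message(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message using the modern EmailMessage policy."""
    return email.message_from_string(raw, policy=policy.default)


def address_domain(header_value) -> str:
    """Lower-cased domain part of the first address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage) -> bool:
    """True when the From address is not in one of our own domains."""
    return address_domain(msg.get("From")) not in INTERNAL_DOMAINS


def reply_to_mismatch(msg: EmailMessage) -> bool:
    """Reply-To sends replies to a domain other than From: a common phishing tell."""
    reply = address_domain(msg.get("Reply-To"))
    return bool(reply) and reply != address_domain(msg.get("From"))


def tag_external(msg: EmailMessage) -> EmailMessage:
    """Prefix the subject and append a banner when the sender is external.

    Only text/plain messages get the body banner here; a multipart message
    would need the banner appended to each text part. Internal mail is
    returned untouched.
    """
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(SUBJECT_TAG):
        del msg["Subject"]
        msg["Subject"] = SUBJECT_TAG + subject
    del msg["X-External-Sender"]
    msg["X-External-Sender"] = "yes"
    if reply_to_mismatch(msg):
        del msg["X-Reply-To-Mismatch"]
        msg["X-Reply-To-Mismatch"] = "yes"
    if msg.get_content_type() == "text/plain":
        body = msg.get_content().rstrip("\n")
        msg.set_content(body + "\n\n" + BANNER + "\n")
    return msg


if __name__ == "__main__":
    for raw in (EXTERNAL_MAIL, INTERNAL_MAIL):
        tagged = tag_external(parse_message(raw))
        print(tagged["Subject"], "|", tagged.get("X-External-Sender", "no"))
```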


Anti-phishing, user education and clearly marking emails as external or internal are basic blocking and tackling that can go a long way to thwarting attacks. Kim also recommended seeking outside help when you need it.


“Study up or hire someone experienced in cybersecurity,” Kim said. There are plenty of ethical hacking pointers available online, and “yet there are so many health organizations vulnerable to attacks. It’s really a twilight zone experience.” 

Ultimately, the issue lies with infosec professionals explaining why cybersecurity needs to be at the forefront of budget discussions and planning -- because it’s a safe bet that the attacks will keep on coming due to profitability. 

“Healthcare is low-hanging fruit,” Kim said. “That’s the unfortunate reality: the dragon is at the door.” 


Will Sony Settle Cyber-Attack Lawsuit?


Did Sony underspend on information security, thus contributing to the success of the devastating hack attack against it, which came to light in November 2014? And can a business be held legally accountable by employees for their employer's information security shortcomings?


Those questions are central to a lawsuit filed by Michael Corona and eight other former Sony employees in the wake of what plaintiffs rightly dub a data breach "epic nightmare, much better suited to a cinematic thriller than to real life." Their suit accuses Sony of having failed to put an effective information security program in place, despite having previously suffered repeated, serious attacks.




"Sony failed to secure its computer systems, servers and databases, despite weaknesses that it has known about for years," the lawsuit alleges, citing in part a September 2014 audit by PricewaterhouseCoopers, which found that Sony's information security and monitoring practices fell below "prudent industry standards."


The lawsuit further alleges that nearly 100 terabytes of data was stolen, including 47,000 Social Security numbers and personally identifiable information for at least 15,000 current and former employees, some of whom had not worked for the studio since 1955. As a result, breach victims "face ongoing future vulnerability to identity theft, medical theft, tax fraud, and financial theft," the lawsuit plaintiffs allege. "In fact, plaintiffs' PII has already been traded on black market websites and used by identity thieves."

Lawsuit Ruling

Sony asked a court to dismiss the suit, and U.S. District Judge R. Gary Klausner this week did dismiss some parts, including allegations of breach of contract and that Sony failed to notify breach victims in a timely manner.


But in a setback for Sony, the judge ruled that other parts of the lawsuit can proceed, although he has yet to rule on the merits of these claims, including plaintiffs' allegation that Sony "made a business decision to accept the risk of losses associated with being hacked." The federal judge also agreed with the former employees' allegation that "to receive compensation and employment benefits, they were required to provide their PII to Sony." While many data breach lawsuits get dismissed on the grounds that the breach did not cause any economic harm to people whose information was stolen, Klausner said that by requiring employees' PII, Sony created a "special relationship that provides an exception to the economic loss doctrine."


Michael Sobol, an attorney for the plaintiffs, told the BBC, "We are pleased that the court has properly recognized the harm to Sony's employees."


A spokeswoman for Sony Pictures Entertainment did not immediately respond to a request for comment on the ruling.


In the wake of the 2014 attack, at least nine other lawsuits were filed against Sony by individual former employees. Like the Corona suit, all of these lawsuits seek class-action status, meaning they would include all current and former employees who were affected by the cyber-attack.

Wiper Malware Attack

To recap: Sony suffered a devastating wiper malware attack in November 2014, ostensibly designed to punish the company for releasing "The Interview," a satiric film starring James Franco and Seth Rogen that featured the fictional death of North Korean leader Kim Jong-un.


But before the attackers unleashed their wiper malware and began erasing Sony hard drives and bricking laptops, they penetrated Sony's network and stole tens of terabytes of data, including copies of unreleased movies and the script for the upcoming James Bond film "Spectre," as well as numerous private email exchanges, all of which the attackers began leaking.


Sony, in a December 2014 breach notification filed with California state authorities, reported that the breach appeared to compromise current and former employees' names, addresses, Social Security numbers, driver's licenses and passport numbers, corporate credit card information, usernames and passwords, and salaries. Sony also warned that individuals' "HIPAA-protected health information" may have been exposed, including medical diagnoses, dates of birth, health plan identification numbers, and personal and health-related information.


As noted in Corona's lawsuit, large amounts of this information were leaked to the Internet by attackers and likely remain in circulation.

Lawsuit Resolution: Unclear

What will happen next in the Sony class-action lawsuit saga, of course, is not clear. But based on past breach-related lawsuits, it's likely that unless the lawsuit gets dismissed, Sony will ultimately settle, rather than risk a jury trial and ruling that might give breach victims more rights.


If Sony did make a business decision to underspend on security, it was a costly move. In February, Sony said in an earnings report that it expected to spend $35 million in cleanup costs through the end of its fiscal year in March, largely related to restoring the company's "financial and IT systems." But as the multiple lawsuits highlight, Sony faces continuing legal costs, as well as the risk that it will eventually have to pay damages or settlements.


But any such settlement likely would not happen soon. Indeed, Sony only settled a lawsuit filed in the wake of its April 2011 breach - a year in which the company fell victim to more than a dozen breaches - in June 2014. That breach exposed personal information for 77 million users of the Sony PlayStation Network and Qriocity services.


By that timeline, the lawsuits stemming from the 2014 Sony cyber-attack may not be resolved until at least 2017.


LastPass Sounds Breach Alert


Warning to all LastPass users: Change your master password for the service now and ensure you're using multi-factor authentication. There has been a data breach that might allow attackers to crack master passwords and password reminders.


"Our team discovered and blocked suspicious activity on our network," reads a security notice from Joe Siegrist, the CEO of online password management service LastPass, which allows people to store multiple passwords inside a single, cloud-based password vault.


Siegrist says the intrusion was discovered June 12. "In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised."


This is not the first time that LastPass has reported that passwords or data might have been hacked. In 2011, the firm reported finding a "traffic anomaly from one of our databases" that could have resulted in data exfiltration. In response, the firm said it took a number of steps to tighten security, including registering domains that might be used by phishing attackers, as well as removing non-core services from the LastPass network.


In the wake of this newly announced breach, Siegrist says that the company is "confident that our encryption measures are sufficient to protect the vast majority of users," noting that the site's techniques for creating users' authentication hashes - in essence, how their authentication credentials get protected - would make it very difficult for an attacker to crack those hashes "with any significant speed." But because that is a possibility, the company says it has now "locked down" all accounts, meaning that any attempt to access an account from a new device or IP address will require the user to first verify their identity via email, unless they're already using multi-factor authentication.


"We will also be prompting all users to change their master passwords," Siegrist says. "You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites." He adds that because encrypted user data wasn't stolen, users do not need to change the passwords for any sites stored inside their LastPass password vault.


LastPass also offers multi-factor authentication - including Google Authenticator, Yubikey and the Duo Security Authenticator - to safeguard accounts. And in the wake of the breach, multiple information security experts recommend that all LastPass users ensure that they are using this feature.

Rethink Password Reset Questions

"Should I panic because LastPass was hacked?" asks Robert David Graham, head of information security research firm Errata Security. "If you chose a long, non-dictionary password, nobody can crack it," he says, thanks to the way LastPass creates its hashing algorithms. "Conversely, if you haven't, then yes, you need to change it."


Some security experts, meanwhile, say that the biggest risk now facing LastPass users will be phishing attacks, especially because users' email addresses have been compromised. "LastPass is advising users to change the master password. While this is a good idea, it should not be the top priority," says Martin Vigo, a product security engineer for salesforce.com who's due to present the talk "Breaking Vaults: Stealing LastPass protected secrets" at the July Shakacon conference in Hawaii. "You should pay more attention to the password hint you set up and be on the lookout for any possible phishing email in the next weeks pretending to be LastPass."


Vigo says many users undercut their security by using password reminders - he recommends never using them, if possible - or else creating weak ones. "While the password reminder cannot be the password itself, it can contain it. This means that password reminders such as 'My password is correct horse battery staple' are possible," he says. "Other more common password reminders such as 'My dogs name' can help attackers guess your master password. Remember that they have your email, which leads to your Twitter, Facebook, etc., where possibly that information can be found."

Password Vaults: Pros and Cons

The LastPass breach raises the question of whether people should ever use password managers, a.k.a. password vaults. "If a crook gets hold of your master password, then that's like getting the crown jewels - because now the crook has access to all your accounts at once," says Paul Ducklin, a senior security adviser for anti-virus firm Sophos, in a blog post. As a result, some security experts decry their use, on the grounds that the password manager master password creates a potential single point of failure.


But many security experts, including Bruce Schneier, have long advocated using such tools, saying that it is much more likely that users will get hacked if they reuse passwords, or select weak ones, than have their encrypted password database stolen and cracked.

F-Secure security adviser Sean Sullivan, for example, has said he "can't imagine life" without using one, because such tools can ensure that a user only uses strong passwords, and never repeats them across sites. But Sullivan also takes certain precautions, such as never entering the master password for his password manager when he's using an untrusted system - such as the shared family PC at home - in case a keylogger might be in operation.

Cloud Versus PC-Based

Users can also choose between PC-based, cloud-based or hybrid password managers. Some encryption experts, such as Johns Hopkins cryptographer Matthew Green, have voiced concerns about the security of cloud-based password management services.


President Obama calls for stronger American cybersecurity


Citing a series of embarrassing high-profile incursions against US computer networks in recent months, President Obama called for "much more aggressive" efforts to shore up the government's vulnerable cyber-infrastructure. "This problem is not going to go away," the President told reporters at a G7 press conference in Germany. "It is going to accelerate. And that means that we have to be as nimble, as aggressive and as well-resourced as those who are trying to break into these systems." As such, he urged Congress to pass its pending cybersecurity legislation, such as the Cybersecurity Information Sharing Act of 2015.


House OKs 2nd Cyberthreat Info-Sharing Bill


A second cyberthreat information sharing bill passed the House of Representatives on April 23. That measure, the National Cybersecurity Protection Advancement Act, now will be combined with the House Intelligence Committee's Protecting Cyber Networks Act, which passed on April 22, before it's sent to the Senate.

The National Cybersecurity Protection Advancement Act, which was approved by a 355-63 vote, provides businesses with liability protections if they share cyberthreat information with the federal government and other businesses. The bill designates the National Cybersecurity and Communications Integration Center as the portal for government and business to share data.

"Ultimately, this legislation will arm those who protect our networks with valuable cyber-threat indicators that they can use to fortify defenses against future attacks," said one of the bill's sponsors, Rep. John Ratcliffe, chairman of a House Homeland Security Committee subcommittee, which has cybersecurity oversight.

Supporters of cyberthreat information sharing legislation, including President Obama, say such a measure is needed because many businesses will not share information with the government unless they're protected from civil and criminal lawsuits resulting from the sharing of data. Both bills, and one approved by the Senate Intelligence Committee, would provide those liability safeguards.

The House-passed bills' supporters contend their measures protect citizens' privacy and liberties by requiring businesses to strip personally identifiable information from information to be shared. Language added to the National Cybersecurity Protection Advancement Act specifically says the shared data is to be used for cyberdefense only and cannot be used for intelligence or law enforcement purposes. Still, consumer advocacy groups contend the bill does not go far enough to prevent sharing of data for purposes other than cyberdefense.

The White House, in Statements of Administration Policies, has given both House-passed bills a lukewarm endorsement, but it made suggestions on changes it seeks, especially the narrowing of the liability protections the measures offer.

In the Senate, Majority Leader Mike McConnell said its version of cyberthreat information sharing legislation should come up for a vote shortly, but did not provide a specific date. If the Senate passes its own cyberthreat information sharing legislation, conferees from both chambers, weighing recommendations from the White House, will draft new language in hopes of winning the support of a majority of House and Senate lawmakers as well as the president.


Info-Sharing Bills: What Happens Next?


As the House prepares to vote this week on two cyberthreat information sharing bills, their fates will rest as much on the White House's reaction to the proposals as on what happens in Congress.

The House Rules Committee on April 21 will consider amendments to both bills, the Protecting Cyber Networks Act that the Intelligence Committee approved on March 26 in a secret session and the National Cybersecurity Protection Advancement Act that the Homeland Security Committee passed unanimously on April 14. A vote by the full House is slated to occur on April 23 for the Intelligence Committee version of the bill and on April 24 on the Homeland Security version.



Before the floor votes take place, the White House could issue a Statement of Administration Policy, which provides the administration's view on whether President Obama should sign or veto the legislation. The administration usually issues SAPs after a committee approves the bill but before the full chamber votes on it.

Recalling CISPA

The House in the past two congresses had passed cyberthreat information sharing bills, both known as the Cyber Intelligence Sharing and Protection Act, or CISPA, and in each case the White House threatened a presidential veto. The administration, in both instances, contended the legislation failed to provide sufficient privacy and civil liberties safeguards for citizens' personal information while furnishing businesses with too broad liability protections when they voluntarily share cyberthreat information with the government and each other.

For the White House, the Intelligence Committee version of the information sharing bill could prove more problematic. It's closer to CISPA than is the Homeland Security Committee's version and has attracted the wrath of civil liberties and privacy advocates. The Protecting Cyber Networks Act would allow the sharing of citizens' information with intelligence agencies such as the National Security Agency and law enforcement.


On the other hand, the Homeland Security Committee's National Cybersecurity Protection Advancement Act incorporates language that explicitly states that sharing such information with intelligence and law enforcement agencies would be prohibited, except if it should help mitigate a cyber-attack. Some privacy experts contend that even with that proviso, some private information could find its way to intelligence and law enforcement agencies.

Added Privacy Protections

Still, the National Cybersecurity Protection Advancement Act has been amended to provide many more privacy and civil liberties protections to citizens than does the Intelligence Committee's bill. And both bills furnish businesses with broad liability protections that would extend such safeguards to companies even if they choose not to share cyberthreat information with the government. It's unclear whether the changes that appear in these bills pass muster with the administration and address its concerns regarding privacy and civil liberties safeguards and business liability protections.


Businesses want those broad protections, and the Financial Services Roundtable, a banking industry lobbying group, has posted a Web advertisement, titled Stop Cyber Threats, calling on voters to lobby Congress to take swift action on cyberthreat sharing legislation.

It's likely, but not inevitable, that if the White House issues an SAP on the Protecting Cyber Networks Act, it would say that senior administration officials would recommend an Obama veto. As for the National Cybersecurity Protection Advancement Act, it's less clear what the White House will say. The committee members did meet many of the objections raised over CISPA regarding privacy and civil liberties protections, although the bill doesn't seem to meet the concerns raised about broad liability protection.

What Will Obama Do?

Remember, lawmaking involves compromise, and although the White House is not getting everything it seeks in a cyberthreat information sharing law, the legislation offers more of what Obama seeks than did CISPA, and the president might support it, perhaps conditionally.

Of course, the Senate has to take action as well.


On March 12, the Senate Intelligence Committee approved a bill that more closely resembles the House Intelligence Committee's Protecting Cyber Networks Act than the National Cybersecurity Protection Advancement Act offered by the House Homeland Security panel. Senate Majority Leader Mike McConnell, R-Ky., says he hopes to bring that measure up for a vote shortly, though he provided no specific timeframe.


Sen. Ron Wyden, D-Ore., the only Senate Intelligence Committee member who voted against the bill in committee, said last week that "a good group of senators" seeks to amend the measure to add privacy protection when it comes up for a vote before the entire Senate, according to The Hill.

Limits of Executive Order

Obama earlier this year issued an executive order to establish a process for businesses to share cyberthreat information through the Department of Homeland Security's National Cybersecurity & Communications Integration Center. But Obama on his own cannot provide businesses with the protection from legal actions for sharing cyberthreat information; that requires a new law enacted by Congress.

Passage of both House bills in the lower chamber is almost a certainty, and if - and that's a big if because the Senate never voted on a cyberthreat information sharing bill in the past two congresses - the upper chamber approves information sharing legislation, a conference between the House and Senate would iron out differences among the various measures, and produce a final bill. By then, the president's views on how far he'd compromise would be known, and a bill acceptable to the House, Senate and White House could become law.


How DNS is Exploited


The Internet is a global engine of commerce today, but it was never designed with such grandiose applications in mind. In the underlying architecture of the Internet, hostility was never a design criterion, and this has been extensively exploited by criminals, who capitalize on the Domain Name System infrastructure - the map of the Internet - which is indispensable for the Internet as we know it to function.

"Right now the Internet is being used to transfer hundreds of billions of dollars per year from the productive part of the world's economy toward the unproductive part because it is such a gaping hole," says Internet pioneer and DNS thought leader Dr. Paul Vixie, CEO of Farsight Security, a provider of real-time passive DNS solutions that provide contextual intelligence to threat and reputation feeds.

The Internet was built without any thought of authentication, admission control or security, and so almost any application or website can be abused by a creative criminal, he says. But the DNS is proving essential to both the good guys and the bad guys - almost a unifying field theory.

"Everything you need to do on the Internet requires DNS - regardless of intent," says Vixie, who is also the principal author of version 8 of BIND, the most widely used DNS software on the Internet. "I think this makes DNS an interesting place to look for criminals and signs that criminals must leave," he says.

In part one of an exclusive two-part interview with Information Security Media Group (transcript below), Vixie talks about DNS and the impact it has on the Internet's security landscape. He shares insights on:

Part two of this interview will feature Vixie's views on the evolution of the Internet as an ecosystem that has evolved to make crime easier.

Vixie, CEO of Farsight Security, previously served as president, chairman and founder of the Internet Systems Consortium. He has served on the ARIN board of trustees since 2005, where he served as chairman in 2008 and 2009, and is a founding member of the ICANN Root Server System Advisory Committee and the ICANN Security and Stability Advisory Committee. He has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8. He has authored or co-authored about a dozen Requests for Comments, the publications of the principal technical development and standards-setting body for the Internet, the Internet Engineering Task Force - mostly on DNS and related topics. He was named to the Internet Hall of Fame in 2014.

Varun Haran: How are criminals exploiting DNS infrastructure to perpetrate crime today?

Dr. Paul Vixie: One main area where DNS is facilitating crime is denial-of-service attacks, where the purpose may be economic or ideological to prevent the victim from being able to use the Internet. This is achieved by filling their Internet connection with unsolicited traffic so that they cannot use their connection for good traffic.

Now, unfortunately, the Internet was designed by scientists and engineers to work in a completely friendly environment. Hostility was never one of the design criteria for the Internet. What that means is it is trivial to send packets forging someone else's address as the source. Which means that if you direct the packets forged with a victim's address towards a powerful server, a lot of response traffic will go to your victim. And because the victim did not solicit it, they cannot turn it off. This is a very popular attack, and anytime that you hear that Google or Spamhaus has been hit with a 400 Gbit/s DDoS attack, it is the exact same method being employed - IP source forgery.

This is not only something the Internet was designed without, it is something that the current Internet economy is resisting fixing, because in order to fix this problem, an ISP has to turn on some new features in their Internet routing equipment. Those features need to be tested, there needs to be documentation, there has to be monitoring, so there is a small cost - there may even be a performance cost in the routing equipment if you turn on this feature.

The cost is trivial, but not zero. The benefit that the operator will see, in exchange for that investment will be measurably zero, because what they are doing is protecting the rest of the Internet against their customers. So if an ISP does this, it is only for the greater good and it is very difficult to get an ISP - who has investors, shareholders, board of directors, management chain etc. - to act for the greater good at their own expense. It simply does not make good business sense to fix this problem.

Internet Vulnerabilities

Haran: The Internet wasn't designed for all the purposes it's being put to today. What are some of the security issues that the current nature of the Internet, in terms of infrastructure and architecture, gives rise to?

Vixie: I gave you one example, which is the lack of source address validation. But there are other admission control problems also. For example, there are control packets that you can transmit that can potentially interrupt other people's conversations. Various TCP and ICMP packets can be transmitted toward parts of the network that will respond by denying other people the ability to communicate for a few seconds.

This comes from when the Internet was just a collection of universities and government contractors. Everybody on the Internet for the first 10 years had a contract with the U.S. government. None of them had any incentive to transmit damaging traffic. The nature of the Internet took that into account. It was a very fragile network, which was intended only for mature computer science professionals to interact.

So, if we turn our attention now to spam, the email system has no admission control. Anyone can send an email to anyone. That was, in fact, an important design criteria to avoid central clearinghouses and make email an end-to-end activity. But what that means is that spammers are also endpoints and have the same right to transmit email to anyone. There is no differentiation, there is no privilege required.

Add to that the fact that, just like IP packets can have their sources forged, even email sources can be forged. And unless you are a technology expert or have a high-end email firewall appliance, you won't be able to tell the difference. This works at scale. Right now, the Internet is being used to transfer hundreds of billions of dollars per year from the productive part of the world's economy toward the unproductive part because it is such a gaping hole. The Internet is the backbone of global commerce today, and yet it was built without any thought of authentication, admission control or security, and so almost any application or website can be abused by a creative criminal.

The Internet's Map

Haran: You have said that DNS is like a unified field theory between the good guys and the bad guys. Can you elaborate? How indispensable is DNS to the structure of the Internet?

Vixie: If the Internet were a territory, the DNS would be its map. We who have grown up in a world that is completely mapped, completely discovered, find it impossible to conceptualize the idea of a territory without a map. Without DNS, the Internet would be a trackless wild, where things would exist but you wouldn't know how to get there or the cost of admission. So I mean it when I say that all Internet communication begins with a DNS transaction - at least in order for the initiator to discover the responder and to find out where to send the packets that will represent their conversation.

But there may be other things as well, such as looking up a key, so that they can build a secure conversation by sharing key-in information or for looking up directory servers for authentication and authorization. Pretty much everything you need to do on the Internet is going to be a TCP/IP session. And every TCP/IP session is going to begin with one or more DNS transactions. This is true regardless of your intent. Your intent might be to create wealth, to innovate, to make the world a better place, or it could be that your intent is criminal and you want to lie, cheat, take, force, defraud and you have purposes which would be seen as evil in the eyes of your fellow man. Your intent does not matter - you are not going to be able to do anything on the Internet without DNS. And it is that that I think makes DNS such an interesting place to look for criminals and signs that criminals must leave.

DNS Response Rate Limiting

Haran: You are a strong advocate of DNS Response Rate Limiting, which is something that you have worked on yourself. What can you tell me about DNS RRL?

Vixie: In DNS, there are many different kinds of DNS agents. Some only ask questions and receive answers and some only provide answers. It is that second type that concerns rate limiting, because a server in the DNS - the so-called authority server, which is where DNS content comes from - must be very powerfully built, having a lot of capability. Otherwise, if someone sends you a DDoS, they will make your content unreachable because your network pipe would be full of attack traffic.

It is common to buy an extra-large connection to your authority servers and to buy not just one authority server, but maybe a dozen and put them behind load balancers, with redundant power and so forth, because you want to make sure that no matter what happens, you can address queries and your content is reachable.

The difficulty that this presents to the rest of us is that in DNS, a response is larger than a request and that means that you are a potential amplifier. And if you are hearing a question that was forged - the IP address used by the attacker is forged to become the IP address of their intended victim - then you as a very powerful content server would be willing to help that attacker DDoS that victim simply because you are a powerful content server, and you have to be powerful for reasons of your own.

So when we designed response rate limiting, it was to allow those servers to differentiate between attack flows and non-attack flows so that they would be not as usable as an amplifier of third-party attacks. The tricky part is that you have to be very careful not to drop legitimate queries. So there is a little bit of mathematical trickery involved in the DNS RRL system that helps to make sure that you can stop most DDoS attacks without causing collateral damage.


Cybersecurity Bills: Latest Developments


The House Intelligence Committee has approved cyberthreat information sharing legislation that its leaders developed, one of four such proposals pending before Congress.


Meanwhile, the co-chairman of the House Cybersecurity Caucus, Rep. Jim Langevin, D-R.I., has introduced a national data breach notification bill modeled on language proposed earlier this year by the White House.


The leaders of the House Intelligence Committee recently introduced the cyberthreat information sharing bill known as the Protecting Cyber Networks Act. After incorporating some additional privacy protections proposed by the White House and committee members, the bill was unanimously approved by the panel in a closed session on March 26. It now goes to the full House for consideration.


"This bill will help defend U.S. networks against a wide array of cybercriminals who are becoming more active and more threatening every day," committee chairman Devin Nunes, R-Calif., said in a statement after the bill was approved. "It's a bipartisan approach with strong privacy protections that will have a deep impact on this growing problem."


Nunes told reporters that the approved version of the bill included a manager's amendment - a single amendment that contains a number of smaller amendments from several committee members from both sides of the aisle, as well as the White House - aimed at strengthening the bill's privacy protections, The Hill reports.


Committee ranking member Adam Schiff, D-Calif., said in a statement that he's "optimistic about its prospects for passage," especially in light of the bill having been updated to reflect requests from the White House, although he did not identify what those requests or resulting changes were.


Four information-sharing bills are currently pending, including the Senate's Cybersecurity Information Sharing Act. The Senate Intelligence Committee approved CISA in a closed session on March 12. CISA offers liability protection to businesses that share cyberthreat information with each other, as well as with the government.


Earlier this month, Rep. Mike McCaul, R-Texas, introduced competing draft legislation called the National Cybersecurity Protection Advancement Act, which gives businesses that share such information immunity from related lawsuits, provided they have not committed "willful misconduct or gross negligence." Meanwhile a fourth measure, the Cyber Threat Sharing Act, sponsored by Sen. Tom Carper, D-Del., hews more closely to a White House proposal. It designates the Department of Homeland Security's National Cybersecurity and Communications Integration Center as the key government agency to collaborate with the private sector through information sharing and analysis organizations, known as ISAOs, to share cyberthreat information.

New Data Breach Notification Bill

Beyond its consideration of cyberthreat information-sharing bills, Congress has been increasingly focused on the prospect of passing national data breach notification legislation.


On March 26, Rep. Jim Langevin, D-R.I., introduced the Personal Data Notification and Protection Act of 2015, which is modeled on a January 2015 proposal from the White House. It includes a 30-day notification requirement after an organization discovers a breach. But the U.S. Secret Service or FBI would be able to delay such notifications on national security grounds, or if it would jeopardize related investigations.


"We have seen time and again the vulnerability of companies large and small, and consumers deserve to know as quickly as possible when their personal information has been compromised," Langevin said in a statement.


His bill would apply to any business that maintains records on 10,000 or more people in a 12-month period. Breached businesses would also be required to not only notify consumers whose personal information was exposed, but also media outlets if more than 5,000 records are breached that relate to consumers in a single state. They also would be required to notify credit-reporting agencies for any breach involving 5,000 records or more. The measure would expand the Federal Trade Commission's definition of deceptive acts or practices to include noncompliance with the law.


Organizations would be exempt from breach notifications - though only with the FTC's approval - if they determined that there was no risk that consumers would actually be harmed by the breach.

Rival Breach Notification Bill

Langevin's bill competes with the Data Security and Breach Notification Act of 2015, which the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade approved March 25. Its provisions include a requirement for organizations to report any breaches that expose personal information, no matter how many records they maintain. Such notifications would not be required within 30 days of the breached organization having concluded a related digital forensics investigation and repaired affected systems. The bill would also require businesses to "implement and maintain reasonable security measures and practices to protect and secure personal information" and supplant any such requirements at the state level.

Some Democratic members of the House subcommittee had attempted to amend the Data Security and Breach Notification Act of 2015 so states could retain stronger breach-protection and notification requirements than the bill proposes. But those amendments were voted down before the subcommittee approved the bill, which now advances to the full Energy and Commerce Committee.


Both pending breach notification bills, if enacted, would usurp the patchwork of breach notification laws now in place across 51 different jurisdictions - 47 states, three territories and Washington, D.C. - in favor of a single federal statute.

Both of the bills would also exempt from compliance organizations that must comply with the Health Insurance Portability and Accountability Act's breach notification requirements.

Proposal: Cyberspace Office

Langevin this week also reintroduced his Executive Cyberspace Coordination Act - first proposed in August 2013 - which would create a new National Office for Cyberspace at the White House to coordinate all government-level cyberspace-related initiatives, as well as review all related budgets.


"A cybersecurity coordinator, freed from other budgetary pressures, would be able to offer independent analysis as to whether departments and agencies are adequately defended," Langevin said in a statement. "Making these smart investments now will save us paying a much higher price later."



Brave New World: The Future of Cyberspace & Cybersecurity


“Since this is a challenge that we can only meet together, I’m announcing that next month we’ll convene a White House summit on cybersecurity and consumer protection. It’s a White House summit where we’re not going to do it at the White House; we’re going to go to Stanford University. And it’s going to bring everybody together — industry, tech companies, law enforcement, consumer and privacy advocates, law professors who are specialists in the field, as well as students — to make sure that we work through these issues in a public, transparent fashion.” – President Barack Obama, Jan. 13, 2015.

The future of cyberspace and cybersecurity has been debated by many theorists and academicians, who have rendered opinions and studies on the topic. Cyberspace and cybersecurity issues have retaken the center stage of national and homeland security discourse after having taken a sideline to the natural reaction against al-Qaida's 9/11 attack on the homeland. Despite the renewed sense of purpose and the recognized need to mitigate the ills found in cyberspace, the issue of cybersecurity and the way ahead remain as unclear and obscure as when these same theorists and academicians were predicting an "electronic Pearl Harbor" in the 1990s and during the events leading up to the hype posed by the Y2K bug.

The Obama administration’s renewed sense of purpose in dealing with cybersecurity issues by calling for the Summit on Cybersecurity and Consumer Protection at Stanford University promises to reinvigorate the discussion on a vital topic of national security. That said, this initiative also sounds oddly familiar to similar initiatives from past administrations voicing similar concerns.

In Brave New World, Aldous Huxley portrayed a dystopian future where mankind was largely driven by the need for pleasure as a means to distract them from the weightier issues of their everyday lives. Huxley also stated one universal truism in that, “Most human beings have an almost infinite capacity for taking things for granted.”

In terms of cybersecurity, what have we taken for granted? The renewed focus on cyberspace and security issues, while laudable in the sense that it can promise a debate on issues that must be addressed, will ultimately fail if it does not fundamentally address the question: What are we taking for granted in terms of our understanding of cyberspace and cybersecurity? In other words, are we framing the current debate on flawed conceptions of the issue in general? Are our assumptions flawed? Without considering some of these questions, we risk missing the true and weightier questions that we need to address on an issue that is constantly changing in terms of its impact on humanity.

The question before us is a simple one, but harder in terms of envisioning or defining. As Anthony Codevilla and Paul Seabury clearly stated in their book War: Ends and Means: “Strategy is a fancy word for a road map for getting from here to there, from the situation at hand to the situation one wishes to attain.” While this does not mean that we need to quickly create another national strategy on cybersecurity or cyberspace with glossy photos and sweeping language that promises a utopian future, it does mean that we need to fundamentally address the more difficult question first, “What do we ultimately need to attain in terms of cybersecurity?”

In this sense, President Obama’s speech on the future of cyber issues is appropriately framed in that this really is a challenge that we can only meet together. Envisioning the future in a world that will become increasingly dominated by technology and the Digital Age also addresses the type of future that we want to create for subsequent generations. In short, what future are we giving our children and our grandchildren? While blatantly sophomoric, as a parent and grandparent, it also happens to be true.

By envisioning our future, we are forced to recognize where we are. The continued reports on data breaches, identity theft, insufficient cybersecurity protections for health care records, controversies over data retention by the U.S. government and private industry, terrorist recruitment via social media, and the implications of active targeting by foreign entities on U.S. intellectual property are just a few of the many concerns that define the cyberspace issue in the present age.

To date, we have embarked on a journey with no destination. We have not charted the course to take us to where we want to go. As such, while we must bring national security specialists, policy-makers, private industry, academicians and civil liberty advocates together, we also need to recognize that these issues are the result of failed initiatives and incremental approaches to the overall topic of cyberspace and cybersecurity in general. If this incremental approach to cybersecurity remains unchecked, our generation will be the first to face the brave new world of cyberspace defined by the nefarious drivers that are presently framing the topic. As the noted philosopher John Stuart Mill appropriately stated, "When we engage in a pursuit, a clear and precise conception of what we are pursuing would seem to be the first thing we need, instead of the last we are to look forward to."

While the answers to this basic truism can take on a highly technical tone in terms of the development of cybersecurity standards, technologies and processes, the true nature of the answer centers on the ideals and cultural norms that we wish to preserve while advancing into the future that will be defined by technology. How do we preserve privacy in the Digital Age? What type of culture do we wish to establish for ourselves—innocent until proven guilty or questionable until we can verify who you are? What is the role of the government in terms of ensuring security and where does the responsibility for the private sector begin in terms of its obligation to protect its intellectual property?

The answers to these questions represent but a fraction of the answers that are necessary to define our future. The answers to these questions, however, are the ones that begin to define the parameters for how we get from here to there. The sooner we engage in this dialogue, the better off we will be in defining that future for subsequent generations.




Via Paulo Félix

Online trust is at the breaking point


IT security professionals around the globe believe the system of trust established by cryptographic keys and digital certificates, as well as the security of trillions of dollars of the world's economy, is at the breaking point.

For the first time, half of the more than 2,300 IT security professionals surveyed by The Ponemon Institute now believe the technology behind the trust their business requires to operate is in jeopardy. 100% of organizations surveyed had responded to multiple attacks on keys and certificates over the last two years.


Research reveals that over the next two years, the risk facing every Global 5000 enterprise from attacks on keys and certificates is at least $53 million USD, an increase of 51 percent from 2013. For four years running, 100 percent of the companies surveyed said they had responded to multiple attacks on keys and certificates, and vulnerabilities have taken their toll.

"The overwhelming theme in this year's report is that online trust is at the breaking point. And it's no surprise. Leading researchers from FireEye, Intel, Kaspersky, and Mandiant, and many others consistently identify the misuse of key and certificates as an important part of APT and cybercriminal operations," said Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi. "Whether they realize it or not, every business relies upon cryptographic keys and digital certificates to operate. Without the trust established by keys and certificates, we'd be back to the Internet 'stone age' – not knowing if a website, device, or mobile application can be trusted."

As risk increases, so does the number of keys and certificates: Over the last two years, the number of keys and certificates deployed on infrastructure such as web servers, network appliances, and cloud services grew more than 34 percent to almost 24,000 per enterprise. The use of more keys and certificates makes them a better target for attack. Stolen certificates sell for almost $1000 on underground marketplaces, and doubled in price in just one year. Researchers from Intel believe hacker interest is growing quickly.

Organizations are more uncertain than ever about how and where they use keys and certificates: Now 54 percent of organizations admit to not knowing where all keys and certificates are located and how they're being used. This raises an obvious question: how can any enterprise know what's trusted or not?

Security pros worry about a Cryptoapocalypse-like event: A scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited overnight is reported as the most alarming threat. Instantly transactions, payments, mobile applications, and a growing number of Internet of Things could not be trusted. Coined by researchers at Black Hat 2013, a Cryptoapocalypse would dwarf Heartbleed in scope, complexity, and time to remediate.

The misuse of enterprise mobile certificates is a lurking concern: The misuse of enterprise mobility certificates used for applications like WiFi, VPN, and MDM/EMM is a growing concern for security professionals. Misuse of enterprise mobility certificates was a close second to a Cryptoapocalypse-like event as the most alarming threat. Incidents involving enterprise mobility certificates were assessed to have the largest total impact, over $126 million, and the second largest risk. With a quickly expanding array of mobile devices and applications in enterprises, it's no wonder why security pros are so concerned.

"With the rising tide of attacks on keys and certificates, it's important that enterprises really understand the grave financial consequences. We couldn't run the world's digital economy without the system of trust they create," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "This research is incredibly timely for IT security professionals everywhere – they need a wake up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals."


Via Paulo Félix

Should we hack the hackers? - The Guardian


If we’re losing the war against cybercrime, then should we take off the gloves and strike back electronically against hackers?

As banks reel from another major hacking revelation, a former US director of intelligence has joined some of them in advocating for online counterstrikes against cybercriminals.

In February, security firm Kaspersky detailed a direct hack against 100 banks, in a co-ordinated heist worth up to $1bn. This follows growing sentiment among banks, expressed privately, that they should be allowed to hack back against the cybercriminals penetrating their networks.

At February’s Davos forum, senior banking officials reportedly lobbied for permission to track down hackers’ computers and disable them. They are frustrated by sustained hacking campaigns from attackers in other countries, intent on disrupting their web sites and stealing their data.

Dennis Blair, former director of national intelligence in the Obama administration, has now spoken out in favour of electronic countermeasures, known in cybersecurity circles as hacking back, or strikeback.

Blair co-authored a 2013 report from the US Commission on the Theft of American Intellectual Property. It considered explicitly authorising strikeback operations but stopped short of endorsing this measure at the time.

Instead, the report suggested exploring non-destructive alternatives, such as electronically tagging stolen data for later detection. It also called for a rethinking of the laws that forbid hacking, even in self-defence.

Western law enforcers don’t have jurisdiction in the countries where cybercriminals operate. Ideally, they would pass information about hackers onto their counterparts there, said Blair, but in many cases local police are un-cooperative. It’s time to up the ante, he suggested.

“I am more leaning towards some controlled experiments in officially conducting aggressive cyber-tracking of where attacks come from, discovering their origin, and then taking electronic action against them,” he told the Guardian.

Legal problems

There’s just one problem with strikeback operations, said Mark Rasch, a former federal cybercrime prosecutor and the head of Maryland-based Rasch Technology and Cyber-law: it’s against the law. “You have to start with the general assumption that hacking back is most likely illegal,” he said.

Long-standing laws on both sides of the Atlantic clearly forbid unauthorised tampering with a computer, even if someone is using that computer to attack you. In the UK, the Computer Misuse Act sets those rules. In the US, the Computer Fraud and Abuse Act does the same.

Even without this legislation, the law generally frowns upon what Rasch calls “self help”. Judges dislike vigilante justice.

The stakes are getting higher, though. Since the report’s release, corporate America has seen several devastating cyber-attacks. JP Morgan suffered a breach affecting 76 million households. Home Depot and Target were also hacked, and most recently, Sony Entertainment was embarrassed by the theft of internal documents.

“I’ve been seeing the way that technology is developing. I think it’s worth some limited legislation to post penalties back to hackers,” Mr Blair said, adding that companies should work with law enforcement rather than taking matters into their own hands.

“Law enforcement authorities can go back down the same route that [the hackers] use to attack, and cause physical damage to their equipment,” he added.



Via Paulo Félix

New Approach to DDOS Protection


Attacks are larger, adversaries more diverse, and damage is broader. These are characteristics of today's distributed-denial-of-service attacks, and organizations need a new approach to protection, says Verisign's Ramakant Pandrangi.

Pandrangi, VP of Technology at Verisign, has studied DDoS attacks, and he's concerned about recent trends.

"Large volumetric DDoS attacks are becoming more common," Pandrangi says. "And as that happens, on-premise solutions will not be able to handle these types of attacks."


What's needed, then, is an entirely new approach to protecting against DDoS. Pandrangi advocates what he calls an open/hybrid approach that relies on on-premise solutions to mitigate attacks locally, while leveraging cloud-based services when attacks are likely to overwhelm the defenses. At the core of this new approach is an open platform that allows multiple vendors to act in concert on the customer's behalf.

"This [approach], we believe, will allow businesses to have a wide range of options without the limitations of having vendor lock-in," he says.

