IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

Why It's Tough to Pass Data Breach Bill

Backers of a national data breach notification law say it would greatly simplify compliance for businesses, which now must comply with laws in 51 different jurisdictions - 47 states, three territories and Washington, D.C.


But does that simplification come at too high a cost? Some federal lawmakers think so. They say passing a national data breach notification law would weaken data security protections found in certain states' statutes, thus doing more harm than good.

And those concerns are a major reason why building a consensus that paves the way for enacting a national breach notification law will prove difficult, if not impossible.

'Confusing for Businesses'

Last January, President Obama noted when he proposed his version of national data breach notification: "Right now, nearly every state has a different law on this, and it's confusing for consumers and it's confusing for companies, and it's costly, too, to have to comply to this patchwork.


Almost every bill introduced in Congress over the past decade to create a national data breach notification standard would pre-empt state statutes. But that comes at a price. Several states, most notably Massachusetts, prescribe specific steps businesses must take to safeguard personally identifiable information. Most national data breach notification proposals don't require safeguards beyond saying businesses should take "reasonable" steps to secure PII.


Some industry experts - such as Larry Clinton, president of the trade group Internet Security Alliance - say they have seen no evidence that consumers' PII is more secure in those states that have more stringent security requirements. "To the notion that states can enact strong laws is, from a consumer perspective, a red herring," he says.

Middle Ground?

But some senators strongly disagree with Clinton's point of view.

"There are a number of like-minded senators who are paying attention to this issue and trying to push for a federal law ... that keeps state laws untouched as a middle-ground approach," says Chris Pierson, general counsel and chief security officer at payments provider Viewpost. "While this is more palatable for Congress, it does little to stem the growing diversity of state laws and the burden of conflicting state requirements."


One of those senators seeking a middle-ground approach is Richard Blumenthal, D-Conn., who, along with five other Democratic senators, has introduced legislation creating a national data breach notification law with a proviso: It won't pre-empt more stringent state laws.


"We must ensure consumers have strong protections on the federal level, but in so doing, we must make sure Congress doesn't weaken state protections that consumers rely on to keep their information safe," Blumenthal says. "Importantly, this measure strikes the right balance between state rights and strong federal enforcement and extends consumer privacy protections into a new digital era."

A right balance? Sasha Romanosky, an associate policy researcher at the think tank Rand Corp., characterizes the Democratic senators' bill as a "workaround" that sets a "national floor for breach compliance." But Romanosky is concerned that "then you'd just have the same issue as there is now: 47 potentially distinct state laws."


The Democrats' bill - like the Massachusetts statute - contains a list of security requirements with which businesses would have to comply. That makes the bill unpassable. Nearly every GOP lawmaker opposes any measure that would place additional requirements on businesses.

60-Vote Threshold

Consumer advocacy groups generally oppose national data breach notification legislation that would weaken states' security standards. And those groups might have the clout to get enough Democratic senators to oppose any measure that would pre-empt state laws.

Sixty votes generally are needed for a bill to be considered by the Senate; the upper chamber has 44 Democrats and two independents who caucus with them. So getting 41 senators to block a vote on a data breach notification bill is possible.


Whether stricter state laws actually provide consumers with better security protections is debatable, but the perception among a number of lawmakers - mostly Democrats - is that they do. If at least 41 senators agree with that notion, then Congress will not enact a national breach notification law.


House Panel Passes Cyberthreat Info Sharing Bill

After beating back amendments by Democratic members to limit liability protections for businesses, the House Homeland Security Committee on April 14 unanimously approved cyberthreat information sharing legislation on a voice vote.


The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to the full House, where differences with another cyberthreat information sharing measure approved by the House Intelligence Committee last month will be worked out. House leaders indicated that the full House could vote on cyberthreat information sharing legislation as early as next week.


In the Senate, a version of its cyberthreat information sharing bill could come up for a vote shortly. Senate Majority Leader Mitch McConnell included the Cybersecurity Information Sharing Act passed last month by the Senate Intelligence Committee as among several bipartisan bills that the Senate is "working hard to advance."


The National Cybersecurity Protection Advancement Act of 2015, approved by the House Homeland Security Committee, provides many of the privacy and civil liberties protections sought by President Obama that were absent in earlier versions of cyberthreat information sharing legislation that passed the House and the White House had threatened to veto in the two previous congresses.

Limits Placed on Shared Data

The House committee approved one amendment that explicitly states that shared cyberthreat information processed through the National Cybersecurity and Communications Integration Center - known as NCCIC, the Department of Homeland Security portal - could not be used for law enforcement or intelligence purposes. Civil liberties groups have raised concerns that some cyberthreat information sharing bills could allow the use of collected cyberthreat data to spy on Americans, violating their privacy and liberties.


The legislation would require private companies to remove personally identifiable information unrelated to the cybersecurity risk before sharing information with the NCCIC or other private entities. It would also require the NCCIC to conduct a second scrub and destroy any personal information that is unrelated to the cybersecurity risk before further sharing with other government agencies or private organizations.


The aim of the cyberthreat information sharing legislation is to encourage businesses and other private organizations to voluntarily share threat data with the government and other businesses to mitigate damaging cyber-attacks. But some businesses are reluctant to share the information unless they are protected from legal actions, which led to the various provisions that offer liability protections.

Liability Provisions Remain Intact

The Democratic minority on the House Homeland Security Committee, along with the Obama administration, contend that the liability protections offered to businesses in the committee's bill were too broad, providing legal protections when not warranted. An amendment offered by Rep. Cedric Richmond, D-La., would have removed liability protection for businesses that received threat data but failed to act on it. "If you abide by the provisions of this act," Richmond said, "then you're exempt from liability. It's just that simple. Instead of adding all these other concepts to the liability language, if we take the time to pass a bill and you abide by it, you have liability exemption. If you don't, then you don't have exemption."


But the bill's cosponsor, Republican Rep. John Ratcliffe of Texas, said the broader liability protections in the bill are aimed at getting the greatest number of businesses to participate in cyberthreat information sharing. "Stakeholders are concerned about putting their customers or consumers at risk, and their information at risk; they're concerned about exposing their own sensitive business information by sharing," Ratcliffe said. "And, they're also concerned about possibly violating federal privacy laws. Having strong liability protection is going to be absolutely critical and vital to the success of this bill, and the phraseology in this bill is absolutely critical and essential to that point."

The bill originally provided liability protection for businesses that conducted its network security awareness in "good faith," but the committee voted to excise those words from the measure because, as McCaul noted, the term is too ambiguous and could lead to confusion in enforcing the measure should it become law.

Awaiting Word from White House

The White House has not said whether it would support or veto any of the cyberthreat information sharing bills winding their way through Congress. Statements of Administration Policy, such as the ones containing the earlier veto threats, usually are issued shortly before one of the chambers is set to vote on the legislation.

After the committee vote, the Financial Services Roundtable called for swift floor action on the legislation. "Congressional action to better protect consumers from cyber-attacks is long overdue," said Tim Pawlenty, CEO of the Roundtable, a financial services industry advocacy group. "We applaud the House for addressing gaps in our nation's cybersecurity laws and urge both chambers of Congress to quickly put a bill on the president's desk."


Obama Plans to Boost American Wages With Tech Training

The unemployment rate is at the lowest it's been since President Obama first took office, but American wages remain stagnant. Despite an average of 200,000 jobs created every month for the past 12 months, the highest growth in 37 years, wages for the average American worker haven't budged much since the 1970s, according to the Pew Research Center.

However, there's an opportunity to boost worker wages in the higher-paying technology sector. The average web developer with an associate's degree earns $62,000 a year at the beginning of their career. That's nearly 50 percent more than someone with an equivalent degree in another field, according to PayScale.

It’s also a fast-growing industry, full of jobs that didn’t exist ten years ago. According to the White House, about half a million of the 5 million currently available jobs are in IT.

The White House sees this as an opportunity to boost overall wages, particularly in underserved populations. Obama has announced a plan to fast-track American earnings with a $100 million federal grant-funded technology jobs training initiative called TechHire. This initiative will work with community colleges and universities, as well as developer bootcamps and other non-traditional skills training organizations, to place Americans in 120,000 open software development, network administration, and cybersecurity jobs.

About 300 companies in 20 regions throughout the country have already signed on to provide free training through online training slots and developer bootcamps for women, minorities, veterans and those within low-income communities.

“Helping more Americans train and connect to these jobs is a key element of the President’s middle-class economics agenda,” White House Deputy Press Secretary Jennifer Friedman said.


Compromise on Info-Sharing Measure Grows

A willingness to compromise expressed at a Feb. 25 House hearing on President Obama's cyberthreat information sharing initiative offered a sign of hope that long sought legislation to get businesses to share such data could pass Congress this year and be signed into law.

The tone of the discussion at the hearing was far different from that in the past two congresses, when the White House threatened presidential vetoes of cyberthreat information sharing measures that passed the House of Representatives.


Congressional Republicans and the Democratic president and his supporters differed in the past over how an information sharing law should address liability protections and privacy safeguards. The White House maintained the liability protections in the Republican-sponsored legislation were too broad and that privacy safeguards were too weak. The GOP argued the liability provisions in their bills - which had some Democratic backers - were needed to get the private sector to participate in the voluntary information sharing program and that the privacy protections the White House sought would be too costly for some businesses to implement.

But those differences seem to have narrowed at the Feb. 25 House Homeland Security Committee hearing, where a willingness to seek compromise surfaced from both sides.

Bone of Contention

"It is, sometimes, a bone of contention between both sides of the aisle," House Homeland Security Committee Chairman Mike McCaul, R-Texas, said, referring to differing views on liability protection. But McCaul congratulated administration representatives at the hearing for presenting the president's plan and saw merit in its proposals. "I talked to the private sector; they like the liability protections that are presented here," he said, especially in regards to sharing data with the government.

Still, McCaul said some business leaders had reservations about the liability protection in Obama's plan for businesses that want to share cyberthreat information with other businesses.

The president's proposal would provide liability protection for businesses that share cyberthreat data with DHS's National Cybersecurity and Communications Integration Center, known as NCCIC. Under Obama's plan, those protections aren't extended to businesses that share information with each other directly but would be covered if the data is shared through newly formed information sharing and analysis organizations, or ISAOs. "What the legislation provides is that the private sector can share among themselves through these appropriate organizations and enjoy the same liability protections for providing that information to those organizations," said Undersecretary Suzanne Spaulding, who runs the National Protection and Programs Directorate, the DHS entity charged with collaborating with business on cybersecurity.

Working Out Legislative Language

McCaul responded that the liability protections to share information with NCCIC could serve as the "construct" to share data among businesses, suggesting specific legislative language could be worked out between Congress and the administration. "We can discuss that more as this legislation unfolds," he said.

Rep. Curt Clawson, a Florida Republican who led several multinational corporations before his election to Congress in 2014, said getting buy-in to share cyberthreat information with the U.S. government from companies with global operations and stakeholders could prove to be "a tough sale."

"My world is all about multiple stakeholders," Clawson said, addressing Spaulding. "We're trying to protect our customers, our suppliers, the communities that we live in, and what I've read so far of what you proposed just doesn't feel like a compelling case that I can take to my multinational board of directors. ... Any private-sector CEO would be negligent to go along on the basis of trust" without the U.S. government providing a detailed plan on what information is being sought and how it would be used.

Spaulding said the government will build that trust and agreed with Clawson that the "devil is in the details" of a final legislative plan. She said the information to be shared would be minimal and technical, such as explicit cyberthreat indicators, IP addresses and specific types of malware. The undersecretary said the government would be transparent about the types of information it seeks and receives and would develop policies and protocols to protect proprietary as well as personally identifiable information. "This isn't going to make every company open its doors," Spaulding said. "But it does address concerns that we've heard from the private sector, and there will be a fair amount of detail about precisely what we're talking about sharing here."

Though not totally persuaded, Clawson offered to work with DHS on the legislation, an offer Spaulding accepted.

Stripping PII from Shared Data

Another partisan difference is the Obama administration's insistence that companies strip personally identifiable information from data before it's shared, an act that some Republicans say puts a financial burden on businesses. Phyllis Schneck, DHS deputy undersecretary for cybersecurity, explained that under Obama's proposal, companies would need to make a "good-faith effort" to remove PII, conceding that it is a "policy puzzle" that needs to be solved by the private sector working with law enforcement and the intelligence community. "We're doing our best to get everybody to design that," Schneck said.

Regardless of how the final language of a cyberthreat sharing bill reads, such legislation is only one part of a solution to mitigate cyberspace risks. "Information sharing is no silver bullet," said Eric Fischer, senior specialist for science and technology at the Congressional Research Service. "It's an important tool for protecting systems and their contents. As long as organizations are not implementing even basic cyber hygiene, there are going to be some significant difficulties."

Fischer cited a Hewlett-Packard study that shows 45 percent of companies lack basic cyber hygiene. "There have been cases where companies had the information, but nevertheless did not pay sufficient attention to it," he said. "They had information that could have prevented an attack. If a company is not prepared to implement threat assessments that they receive, then that's going to be a problem."


White House Creates Cybersecurity Agency

The White House announced Feb. 10 that it's creating a federal agency to analyze information culled from other agencies to battle cyberthreats posed to the government and the private sector.

But some cybersecurity experts already are saying that they see the new agency as being duplicative of other government cyberthreat analysis initiatives.

Lisa Monaco, assistant to the president for homeland security and counterterrorism, unveiled the Cyber Threat Intelligence Integration Center, which will be run out of the Office of the Director of National Intelligence.

"No single government entity is responsible for producing coordinated cyberthreat assessments, ensuring information is shared rapidly among existing cyber centers and other elements of our government, and supporting the work of operators and policymakers with timely intelligence about the latest cyberthreats and threat actors," Monaco said in a speech at the Wilson Center, a Washington think tank. "The CTIIC is intended to fill these gaps."


How NSA Hacked North Korean Hackers

The U.S. government's attribution of the Sony Pictures Entertainment hack attack to North Korea stems, in part, from the U.S. National Security Agency having infected a significant number of North Korean PCs with malware, which the intelligence agency has been using to monitor the country's hacking force.


So says The New York Times, which bases its report, in part, on interviews with unnamed former U.S. and foreign officials, as well as a newly leaked NSA document. The document, published Jan. 17 by German newsmagazine Der Spiegel - and obtained via former NSA contractor Edward Snowden - details how the NSA worked with South Korea - and other allies - to infiltrate North Korea. The agency reportedly infiltrated at least some of these computers by first exploiting systems in China and Malaysia that help manage and administer North Korea's connection to the Internet.

According to the Times report, the hacked computers have given the NSA an "early warning radar" against attacks launched by the Pyongyang-based government of North Korea. Related intelligence gathered by the NSA also reportedly helped convince President Obama that North Korea was behind the Sony Pictures hack.

North Korea's Reconnaissance General Bureau intelligence service, together with its Bureau 121 hacking unit, controls the vast majority of the country's 6,000-strong hacking force, some of which operates from China, according to news reports.

Fourth Party Collection

Some of the evidence of the NSA's ability to monitor North Korean systems comes from a leaked NSA document, which appears to be a transcript of an internal NSA question-and-answer discussion that's marked "top secret" and is restricted to the U.S. and its Five Eyes spying program partners: Australia, Canada, New Zealand and the United Kingdom. The document refers to the NSA's practice of "fourth party collection," which involves hacking into someone else's hack, according to a Der Spiegel report.

The document relays an episode that involves North Korea: "We found a few instances where there were NK [North Korea] officials with SK [South Korea] implants [malware] on their boxes, so we got on the exfil [data exfiltration] points, and sucked back the data," the document reads.

Der Spiegel reports that this practice, which is employed by the NSA's Tailored Access Operations team, has been used extensively to undermine many hack attacks emanating from Russia and China and has allowed the NSA to obtain the source code for some Chinese malware tools.

But some attacks against U.S. systems did succeed, and one leaked NSA document says that as of several years ago, 30,000 separate attacks had been detected against U.S. Defense Department systems, 1,600 systems had been hacked, and related "damage assessment and network repair" costs had exceeded $100 million.

The NSA document also discloses that South Korea in recent years has begun attempting to hack into some U.S. government systems.

The FBI has previously said that its attribution of the Sony Pictures hack was based in part on intelligence shared by the NSA, although that attribution did not single out the North Korean government, thus leaving open the possibility that pro-Pyongyang hackers or even mercenaries may have also been involved.

The Role of Botnets

On the attribution front, meanwhile, documents newly published by Der Spiegel - and leaked by Snowden - have detailed an NSA program, code-named "Defiantwarrior," which involves the NSA using infected nodes - or zombies - in a botnet. When such nodes are traced to U.S. computers, the FBI reportedly uses the information to help shut down those parts of the botnet. But when nodes are discovered on computers in countries outside the Five Eyes program, the NSA - according to the leaked documents - may use these to launch attacks against targets. While such attacks might be traced back to the botnet node, this practice reportedly helps the agency launch attacks that are difficult - if not impossible - to attribute back to the NSA.

Did NSA Keep Quiet?

The report that the NSA had hacked into many of the systems employed by the North Korean military, and was monitoring them, has prompted information security experts to question whether the agency knew about the Sony Pictures hack and failed to stop it.

"If the NSA were secretly spying so comprehensively on the networks used by North Korea's hackers, how come they didn't warn Sony Pictures?" asks independent security expert Graham Cluley in a blog post.

If the NSA did detect signs of the Sony hack planning, reconnaissance and actual attack unfolding, however, then it might have declined to warn the television and movie studio to avoid compromising that monitoring ability, says Europol cybersecurity adviser Alan Woodward, who's a visiting computing professor at the University of Surrey in England. Similar questions have been raised in the past, for example, over the World War II bombing of Coventry, England, by the Germans, and why - if the British had cracked the Nazis' secret Enigma codes - the U.K. government didn't evacuate the city.

Another outstanding question is the extent to which the leadership of North Korea suspected - or knew - that their computer systems may have been infiltrated by foreign intelligence services. "Presumably, the cat is now out of the bag," Cluley says. "These news stories may take some of the heat off the [United] States from some of those in the IT security world who were skeptical about the claims of North Korean involvement, but it also tips off North Korea that it may want to be a little more careful about its own computer security."


Szymon Mantey's curator insight, January 19, 2015 2:28 PM

A guide on how easily you can get hacked by the Asians, who steal our personal data while the NSA isn't able to do anything about it...

Info-Sharing Bills: What Happens Next?

As the House prepares to vote this week on two cyberthreat information sharing bills, their fates will rest as much on the White House's reaction to the proposals as on what happens in Congress.

The House Rules Committee on April 21 will consider amendments to both bills, the Protecting Cyber Networks Act that the Intelligence Committee approved on March 26 in a secret session and the National Cybersecurity Protection Advancement Act that the Homeland Security Committee passed unanimously on April 14. A vote by the full House is slated to occur on April 23 for the Intelligence Committee version of the bill and on April 24 on the Homeland Security version.

Before the floor votes take place, the White House could issue a Statement of Administration Policy, which provides the administration's view on whether President Obama should sign or veto the legislation. The administration usually issues SAPs after a committee approves the bill but before the full chamber votes on it.

Recalling CISPA

The House in the past two congresses had passed cyberthreat information sharing bills, both known as the Cyber Intelligence Sharing and Protection Act, or CISPA, and in each case the White House threatened a presidential veto. The administration, in both instances, contended the legislation failed to provide sufficient privacy and civil liberties safeguards for citizens' personal information while furnishing businesses with too broad liability protections when they voluntarily share cyberthreat information with the government and each other.

For the White House, the Intelligence Committee version of the information sharing bill could prove more problematic. It's closer to CISPA than is the Homeland Security Committee's version and has attracted the wrath of civil liberties and privacy advocates. The Protecting Cyber Networks Act would allow the sharing of citizens' information with intelligence agencies such as the National Security Agency and law enforcement.


On the other hand, the Homeland Security Committee's National Cybersecurity Protection Advancement Act incorporates language that explicitly states that sharing such information with intelligence and law enforcement agencies would be prohibited, except if it should help mitigate a cyber-attack. Some privacy experts contend that even with that proviso, some private information could find its way to intelligence and law enforcement agencies.

Added Privacy Protections

Still, the National Cybersecurity Protection Advancement Act has been amended to provide many more privacy and civil liberties protections to citizens than does the Intelligence Committee's bill. And both bills furnish businesses with broad liability protections that would extend such safeguards to companies even if they choose not to share cyberthreat information with the government. It's unclear whether the changes that appear in these bills pass muster with the administration and address its concerns regarding privacy and civil liberties safeguards and business liability protections.


Businesses want those broad protections, and the Financial Services Roundtable, a banking industry lobbying group, has posted a Web advertisement, titled Stop Cyber Threats, calling on voters to lobby Congress to take swift action on cyberthreat sharing legislation.

It's likely, but not inevitable, that if the White House issues an SAP on the Protecting Cyber Networks Act, it would say that senior administration officials would recommend an Obama veto. As for the National Cybersecurity Protection Advancement Act, it's less clear what the White House will say. The committee members did meet many of the objections raised over CISPA regarding privacy and civil liberties protections, although the bill doesn't seem to meet the concerns raised about broad liability protection.

What Will Obama Do?

Remember, lawmaking involves compromise, and although the White House is not getting everything it seeks in a cyberthreat information sharing law, the legislation offers more of what Obama seeks than did CISPA, and the president might support it, perhaps conditionally.

Of course, the Senate has to take action as well.


On March 12, the Senate Intelligence Committee approved a bill more similar to the House Intelligence Committee's Protecting Cyber Networks Act than to the National Cybersecurity Protection Advancement Act offered by the House Homeland Security panel. Senate Majority Leader Mitch McConnell, R-Ky., says he hopes to bring that measure up for a vote shortly, though he provided no specific timeframe.


Sen. Ron Wyden, D-Ore., the only Senate Intelligence Committee member who voted against the bill in committee, said last week that "a good group of senators" seeks to amend the measure to add privacy protection when it comes up for a vote before the entire Senate, according to The Hill.

Limits of Executive Order

Obama earlier this year issued an executive order to establish a process for businesses to share cyberthreat information through the Department of Homeland Security's National Cybersecurity & Communications Integration Center. But Obama on his own cannot provide businesses with the protection from legal actions for sharing cyberthreat information; that requires a new law enacted by Congress.

Passage of both House bills in the lower chamber is almost a certainty, and if - and that's a big if because the Senate never voted on a cyberthreat information sharing bill in the past two congresses - the upper chamber approves information sharing legislation, a conference between the House and Senate would iron out differences among the various measures, and produce a final bill. By then, the president's views on how far he'd compromise would be known, and a bill acceptable to the House, Senate and White House could become law.



Will Executive Order Impact Cybercrime?


President Obama on April 1 issued an executive order that allows the U.S. government to block or seize the assets of suspected "malicious cyber actors." But some legal and security experts already are questioning whether the order is legally defensible or will have any meaningful impact on either cybercrime or online espionage.


"There are so many problems with this," attorney Mark Rasch, a former U.S. Department of Justice official who created its computer crime unit, tells Information Security Media Group, citing, for example, the government's ability to presume someone is guilty, without first having to prove it. "In general, sanctions are a political tool for putting pressure on recalcitrant governments to change their ways, [but] these sanctions are a legal tool to impose punishment without trial on persons we believe to be criminals and hackers."


The Obama administration, however, says that the executive order - officially titled "Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities" - is necessary to give the U.S. government much-needed new legal tools in its fight against cybercrime and online espionage. The executive order represents the first time that the White House has authorized broad sanctions to be imposed specifically for cyber-attacks, regardless of the location of whoever is behind the attacks.


"Our primary focus will be on cyberthreats from overseas," Obama writes on the news website Medium. "In many cases, diplomatic and law enforcement tools will still be our most effective response. But targeted sanctions, used judiciously, will give us a new and powerful way to go after the worst of the worst."


The executive order authorizes the Secretary of the Treasury - in consultation with the Attorney General and the Secretary of State - to impose such sanctions "on individuals or entities that engage in malicious cyber-enabled activities that create a significant threat to the national security, foreign policy or economic health or financial stability of the United States," Obama says in an April 1 statement distributed by the White House.


While the executive order doesn't define "significant," it says sanctions can be imposed for a variety of reasons, for example, in response to attacks that target critical infrastructure, which disrupt networks - via distributed denial-of-service attacks, for instance - as well as for targeting or stealing trade secrets or personally identifiable information, and for computer crime in general.

Intent: To Fill Gaps

White House Cybersecurity Coordinator Michael Daniel says the executive order is meant to expand the "spectrum of tools" that the government can use to combat cyber-attacks, by supplementing current diplomatic, law enforcement, military, economic and intelligence capabilities.


"It is designed to fill in a gap that we have identified where individuals carrying out significant malicious cyber-attacks are located in places that it's difficult for our diplomatic and law enforcement tools to reach - whether because they're behind the borders of a country that has weak cybersecurity laws, or the government is complicit in or turning a blind eye to the activity that is happening, and we don't have good law enforcement relationships or other kinds of relationships," he said on an April 1 press call. "So what we're doing is putting in place a tool that will enable us to impose costs on those actors."


John Smith, the Treasury Department's acting director of the Office of Foreign Assets Control, or OFAC, which administers and enforces U.S. economic sanctions programs, said on the press call that the executive order elevates cyber-attacks to the realm of such activities as counterterrorism, narcotics trafficking and transnational crime, which the United States targets regardless of where the actors are based. Smith says the administration is hoping that by designating cybercrime and online espionage in this manner, more countries will be spurred to put a stop to related activities inside their borders, or that touch their financial systems.

Sony Hack Inspired Order

The Washington Post reports that the executive order has been under development for the past two years. But Daniel says the need for the executive order was highlighted after the president called for a "proportional response" to the hack attack against Sony Pictures. "That process informed us as we were finishing up this executive order and highlighted the need for us to have this capability and to have this tool."


The move follows another executive order, signed by the president in January, that imposed sanctions on 10 individuals and three entities associated with the North Korean government, after the FBI attributed the November 2014 hack and wiper malware attack against Sony Pictures Entertainment to "North Korea actors." But numerous information security experts have continued to question that attribution.

Questioning the Rationale

And some legal and security experts are now questioning the rationale behind the new executive order. "It's really built out of frustration, because the international legal process does not deal effectively with cybercrime," says Rasch, the former DOJ official. "So there's the urge to take the law into your own hands. Resist that urge."


Rasch adds that another problem with the executive order is that it's not aimed just at state sponsors - or nation-state-backed attackers - but anyone who the U.S. believes has broken the law. Furthermore, it allows the government to impose punishments, such as seizing U.S. citizens' assets, without any due process, or having to first prove the government's case.


The administration says that anyone who wants to contest sanctions that get imposed using this executive order can do so with OFAC, or by filing a lawsuit against the federal government.

Cybercrime Impact?

But will the executive order lead to any meaningful reduction in cybercrime or online espionage? "I'm somewhat skeptical, to say the least," Sean Sullivan, a security adviser for Helsinki, Finland-based anti-virus firm F-Secure, tells ISMG. "There's a great deal of Russian-speaker-based 'espionage as a service' that would be very difficult to do much about. And China seems even more of a challenge. But then again, maybe there are some officials who do actually have American assets to go after - New York real estate, for example."


James A. Lewis, a cyberpolicy expert at the Center for Strategic and International Studies, believes that the new program could have an impact, for example to combat Chinese-promulgated economic espionage. "You have to create a process to change the behavior of people who do cyber-economic espionage," he tells The Washington Post. "Some of that is to create a way to say it's not penalty free. This is an effective penalty. So it moves them in the right direction."

But Rasch thinks it's unlikely that the executive order would fulfill the stated White House purpose of deterring future cybercrime, espionage and large-scale attacks. "The rogues are not going to be deterred by this," he says. "The state sponsors are not going to be deterred by this."



OpenDNS trials system that quickly detects computer crime


A security system undergoing testing by a San-Francisco-based company aims to speed up the detection of websites and domains used for cybercrime.

The technology is being developed by OpenDNS, which specializes in performing DNS (Domain Name System) lookups. The DNS translates domain names such as idg.com into the IP addresses that browsers and other clients actually connect to.

OpenDNS offers a secure DNS service for ISPs and organizations that blocks requests from Web browsers to sites that may be associated with cybercrime or spoof a company such as PayPal.

The company, which was founded in 2005, has grown so much that its systems respond to some 71 billion DNS requests per day. That’s just 2 percent of global DNS traffic but is enough of a sample to pick up on many cybercrime campaigns.

The new system, called Natural Language Processing rank (NLPRank), looks at a range of metrics around a particular domain name or website to figure out whether it's suspicious.

It scores a domain name to figure out if it’s likely fraudulent by comparing it to a corpus of suspicious names or phrases. For example, g00gle.com—with zeros substituting for the letter “o”—would raise a red flag.

Many cybercriminal groups have surprisingly predictable patterns when registering domain names for their campaigns, a kind of malicious vernacular that OpenDNS is indexing. Bogus domain names use company names, or phrases like "Java update," "billinginfo" or "security-info," to try to appear legitimate.

But there’s a chance that NLPRank could trigger a false positive, flagging a variation of a domain that is legitimate, said Andrew Hay, director of security research at OpenDNS.

To prevent false positives, the system also checks whether a particular domain is served from the same autonomous system, identified by its ASN (autonomous system number), that the company or organization usually uses. NLPRank also looks at the HTML composition of a new domain's pages. If it differs from that of the real organization, it can be a sign of fraud.
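The scoring pipeline the article sketches, written out as an added example in Python. This is not OpenDNS's code; the brand list, ASNs, suspicious phrases, weights, threshold and sample HTML are constructed for illustration. It covers homoglyph normalization and edit distance against a brand corpus, the reused-phrase check, and then the two false-positive controls: the expected ASN and the HTML composition comparison.

```python
"""Toy domain scorer in the spirit of NLPRank as described above.

Added example, not OpenDNS code. Standard library only; the brands, ASNs,
phrases, thresholds and sample HTML are all constructed for illustration."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed: brands to protect and the autonomous systems their real sites are served from.
PROTECTED_BRANDS: dict[str, set[int]] = {"google": {15169}, "paypal": {17012}}
# Phrases the article says criminals reuse to look legitimate (separators are stripped first).
SUSPICIOUS_PHRASES = ("javaupdate", "billinginfo", "securityinfo", "update", "secure", "login")
# Digit/symbol look-alikes, e.g. g00gle -> google.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
BLOCK_THRESHOLD = 50  # constructed cut-off

def normalize(label: str) -> str:
    """Lower-case, undo homoglyph substitutions and drop separators before comparing."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; DNS labels are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def html_profile(html: str) -> Counter:
    """Page composition as a bag of opening-tag names."""
    return Counter(t.lower() for t in re.findall(r"<\s*([a-zA-Z][a-zA-Z0-9]*)", html))

def profile_similarity(a: Counter, b: Counter) -> float:
    """Cosine similarity of two tag profiles (0 = nothing in common, 1 = same composition)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = sum(v * v for v in a.values()) ** 0.5
    nb = sum(v * v for v in b.values()) ** 0.5
    return dot / (na * nb) if na and nb else 0.0

@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def block(self) -> bool:
        return self.score >= BLOCK_THRESHOLD

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)

def score_domain(domain: str, observed_asn: int | None = None,
                 html: str | None = None, real_html: dict[str, str] | None = None) -> Verdict:
    """Lexical scoring against the brand corpus, then the two false-positive checks."""
    v = Verdict(domain)
    labels = domain.lower().rstrip(".").split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    matched: set[str] = set()
    for label in labels[:-1]:  # every label except the TLD
        norm = normalize(label)
        for brand in PROTECTED_BRANDS:
            if label == brand == registrable:
                continue  # the brand's own registrable domain: nothing lexical to flag
            if norm == brand and label != brand:
                v.add(60, f"homoglyph of {brand!r}: {label!r}")
            elif norm == brand:
                v.add(40, f"{brand!r} used as a subdomain of {registrable!r}")
            elif brand in norm:
                v.add(40, f"{brand!r} embedded in {label!r}")
            elif len(brand) >= 5 and edit_distance(norm, brand) == 1:
                v.add(50, f"one edit away from {brand!r}: {label!r}")
            else:
                continue
            matched.add(brand)
        for phrase in SUSPICIOUS_PHRASES:
            if phrase in norm:
                v.add(15, f"suspicious phrase {phrase!r} in {label!r}")
                break
    # False-positive controls from the article: is it served from the brand's usual ASN,
    # and does the page's HTML composition look like the real organization's?
    for brand in sorted(matched):
        if observed_asn is not None:
            if observed_asn in PROTECTED_BRANDS[brand]:
                v.add(-50, f"served from {brand!r}'s usual ASN {observed_asn}")
            else:
                v.add(20, f"served from unexpected ASN {observed_asn}")
        if html is not None and real_html and brand in real_html:
            sim = profile_similarity(html_profile(html), html_profile(real_html[brand]))
            if sim < 0.8:
                v.add(20, f"HTML composition differs from {brand!r} (similarity {sim:.2f})")
            else:
                v.add(-20, f"HTML composition matches {brand!r} (similarity {sim:.2f})")
    return v

# Constructed sample pages: a bare login form for the real site, an image-heavy phishing page.
SAMPLE_REAL_HTML = {"paypal": "<html><head><title>Log in</title></head><body><form>"
                              "<input><input><button></button></form></body></html>"}
SAMPLE_PHISH_HTML = "<html><body><img><img><img><a></a></body></html>"

if __name__ == "__main__":
    for d, kw in [("google.com", {}), ("g00gle.com", {}), ("paypal-billinginfo.example", {}),
                  ("googleusercontent.example", {"observed_asn": 15169}),
                  ("paypal-login.example", {"html": SAMPLE_PHISH_HTML, "real_html": SAMPLE_REAL_HTML})]:
        verdict = score_domain(d, **kw)
        print(f"{d:32} score={verdict.score:4} block={verdict.block()} {verdict.reasons}")
```

The ASN check is what keeps a legitimate variant such as a brand's own content-delivery hostname from being blocked: the brand name alone scores it below the threshold, and being served from the brand's usual ASN pulls it further down, while the same name announced from an unexpected network pushes it over. In a real deployment the ASN would come from a BGP or whois lookup of the resolved address, and the weights would be tuned against labelled traffic rather than set by hand.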

NLPRank is still being refined to make sure the false positive rate is as low as possible. But there have been encouraging signs that the system has already spotted malware campaigns seen by other security companies, Hay said.

Earlier this month, Kaspersky Lab released a report on a gang that stole upwards of US$1 billion from banks in 25 countries. The group infiltrated banks by gaining the login credentials to key systems through emails containing malicious code, which were opened by employees.

Hay said Kaspersky approached OpenDNS before the report was published to see if it had information on domains associated with the attacks. NLPRank was already blocking some of the suspicious domains, even though OpenDNS didn’t know more details about the attacks.

“We caught these things well back,” Hay said.

In some cases, NLPRank could allow a domain to be blocked even before one is actively used. After cybercriminals register a domain, they’ll often visit it once to make sure it’s accessible. It may then go dormant for a few days before it is incorporated in a campaign, Hay said.

If a fraudster is connected to an ISP that uses OpenDNS’s service, just a single DNS query for that new domain would allow OpenDNS to analyze and potentially block it before it is used for crime.

“As soon as we see that little bump on the wire, we can block it and monitor to see what’s going on,” Hay said. “It’s almost an early warning system for fraudulent activity.”




How the NSA’s Firmware Hacking Works and Why It’s So Unsettling

One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—“surpasses anything else” they had ever seen.

The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named “nls_933w.dll”, is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered.

It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don’t get encrypted.

Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption.

Here’s what we know about the firmware-flashing module.

How It Works

Hard drives have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the drive resides.

When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one.

The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug, and one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system.

Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist, because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten by the update. The only solution for victims is to trash their hard drive and start over with a new one.

The attack works because firmware was never designed with security in mind. Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don’t examine it. There’s also no easy way for users to read the firmware and manually check whether it’s been altered.

The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba.

“You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says.

The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.”

Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive, where the drive stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn’t get much play when the story broke last week, but it’s the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there’s still a lot that’s unknown about the attack, but some of it can be surmised.

The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal.

This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they’re unencrypted and save them to this hidden area on the machine that doesn’t get encrypted.

There isn’t much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally valuable for bypassing encryption.

“Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu says.

Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls “customs opportunities,” and extract the password from this hidden area to unlock the encrypted disk.

Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications.

“[The owners] only use it in some very specific cases where there is no other way around it,” Raiu says. “Think about Bin Laden who lived in the desert in an isolated compound—doesn’t have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific.”

Raiu thinks, however, that the attackers have a grander scheme in mind. “In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs.”

They wouldn’t need the password if they could copy an entire directory from the operating system to the hidden sector for access later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage.

Luckily for them, it exists. There are large sectors in the service area of the hard drive that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate the drive, but it also contains large portions of unused space.

An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted “not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools.”

Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area but uses only 12 MB of it, leaving the rest free for stealth storage.

Writing or copying data to the service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, “[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible,” Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail.

One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this area but there’s only 80 MB, it’s a dead giveaway that something is there that shouldn’t be.

But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.
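A small Python model of two points above, added here and not taken from Kaspersky’s analysis, the implant, or any drive vendor’s tooling: a vendor update that rewrites only part of the flash leaves a hooked boot region and a hidden overlay untouched, a checker that hashes only the updated regions is fooled, and a measurement of the entire flash dump (or a count of programmed bytes in space that should be erased, the “used space” giveaway) is not. The 2 MB layout, region boundaries, hook marker and captured secret are all constructed, and the model assumes you can obtain a full dump of the chip, which the article notes is not easy.

```python
"""Why a Trojanized drive firmware survives a partial vendor update, and what a
full-image measurement catches. Added model, not real firmware or implant code;
the flash layout, sizes, hook marker and sample secret are constructed."""
import hashlib
import struct

FLASH_SIZE = 2 * 1024 * 1024  # the article's 2 MB firmware ROM
# Constructed layout. The vendor update tool rewrites only UPDATABLE regions; the
# 'boot' region and the never-used 'overlay' (about half a megabyte) are left alone.
REGIONS = {
    "boot":    (0x000000, 0x010000),
    "main":    (0x010000, 0x100000),
    "tables":  (0x100000, 0x180000),
    "overlay": (0x180000, 0x200000),
}
UPDATABLE = ("main", "tables")
ERASED = 0xFF  # unprogrammed flash reads back as all-ones
HOOK = b"\x00\x00\x00\xeaIMPLANT"  # constructed marker standing in for a patched reset vector

def _fill(img: bytearray, region: str, material: bytes) -> None:
    """Fill a region with deterministic pseudo-code derived from `material`."""
    start, end = REGIONS[region]
    block = hashlib.sha256(material).digest()
    img[start:end] = (block * (-(-(end - start) // len(block))))[: end - start]

def build_stock_firmware(version: bytes) -> bytearray:
    """Stand-in for a vendor image: boot/main/tables programmed, overlay left erased."""
    img = bytearray([ERASED]) * FLASH_SIZE
    for region in ("boot", "main", "tables"):
        _fill(img, region, version + region.encode())
    return img

def implant(img: bytearray, secret: bytes) -> bytearray:
    """Trojanize: hook the boot region and stash a captured secret in the unused overlay."""
    b0, _ = REGIONS["boot"]
    img[b0:b0 + len(HOOK)] = HOOK
    o0, o1 = REGIONS["overlay"]
    payload = struct.pack(">I", len(secret)) + secret
    if len(payload) > o1 - o0:
        raise ValueError("secret does not fit in the hidden area")
    img[o0:o0 + len(payload)] = payload
    return img

def vendor_update(img: bytearray, new_img: bytearray) -> bytearray:
    """Partial update: only the UPDATABLE regions are rewritten from the new release."""
    for region in UPDATABLE:
        s, e = REGIONS[region]
        img[s:e] = new_img[s:e]
    return img

def measure(img: bytes) -> str:
    """Hash of the entire flash dump, to compare against a golden hash of the matching release."""
    return hashlib.sha256(img).hexdigest()

def measure_regions(img: bytes, regions) -> str:
    """What a checker that looks only at the regions the update touches would see."""
    h = hashlib.sha256()
    for region in regions:
        s, e = REGIONS[region]
        h.update(img[s:e])
    return h.hexdigest()

def is_implanted(img: bytes) -> bool:
    """Ground truth for the model: is the constructed hook present in the boot region?"""
    b0, _ = REGIONS["boot"]
    return bytes(img[b0:b0 + len(HOOK)]) == HOOK

def overlay_bytes_in_use(img: bytes) -> int:
    """Programmed bytes in the area that should be erased: the 'used space' giveaway."""
    o0, o1 = REGIONS["overlay"]
    return sum(1 for b in img[o0:o1] if b != ERASED)

def recover_hidden(img: bytes) -> bytes:
    """What the attacker (or an investigator with a dump) reads back from the overlay."""
    o0, _ = REGIONS["overlay"]
    n = struct.unpack(">I", bytes(img[o0:o0 + 4]))[0]
    return bytes(img[o0 + 4:o0 + 4 + n])

if __name__ == "__main__":
    stock = build_stock_firmware(b"v1")
    infected = implant(bytearray(stock), b"disk-passphrase")  # constructed captured secret
    print("infected differs from golden v1:", measure(infected) != measure(stock))
    v2 = build_stock_firmware(b"v2")
    updated = vendor_update(bytearray(infected), v2)
    print("hook survives the v2 update:", is_implanted(updated))
    print("region-only check fooled:", measure_regions(updated, UPDATABLE) == measure_regions(v2, UPDATABLE))
    print("full-image check catches it:", measure(updated) != measure(v2))
    print("overlay bytes in use:", overlay_bytes_in_use(updated), recover_hidden(updated))
```

The practical lesson is the one the article draws: a golden hash is only useful if it covers the whole chip and you can actually read the whole chip back, and a region that should be erased but is not is evidence on its own, with no golden image needed.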
Via Paulo Félix

Congress Takes Up Email Privacy Reform. Again.


Two related bills, one apiece in the upper and lower chambers of Congress, were introduced today aimed at reforming email privacy. They mark another attempt by the nation’s legislative body at reforming the requirements that the government must meet to read your digital missives.

Current protections are minimal. As TechCrunch previously reported, under the Electronic Communications Privacy Act (ECPA), the government can read your email with a mere subpoena if a letter is more than 180 days old or has been opened.

Why those two requirements? Think back decades to a time when storage was expensive.

Storage is now ubiquitous and nearly free. The old rules, which made little sense before, make zero now. So it is time to reform the ECPA. That’s to say that it has long been the time to reform the ECPA, making every day the correct time to finally get the damn job done.

The House bill has more than 220 co-sponsors, the EFF notes, a towering initial tally. The bill also has bipartisan support in both chambers. Last time we did this, however, the bills did not manage to secure a floor vote. Congress’s arcanity is strange to behold.

If this all feels like a repeat, you have a good memory. For flavor, a paragraph from last year, following a report from the White House:

That, coupled with the simple fact that email privacy is so popular, you might think that we could get this done.

Reforming the rules regarding email privacy is a mere step in the walk towards correcting the mass surveillance that the United States government executes, but it is an important piece of progress all the same.

It makes no sense that the government doesn’t need a warrant to burrow into your email. NSA reform may have failed in 2014 for a host of reasons, and immigration reform is stuck fast, and on and on and on. But can we at least all agree, and vote on the fact, that warrants are a pretty good thing, and that we the citizenry deserve higher walls around our digital papers?

Let’s see if 2015 will be just another 2014 in a new suit.



Congress will hold a public hearing on North Korea's hacking powers next week


In the wake of the Sony Pictures hack, Washington is showing a new focus on the threat posed by North Korea. The House Foreign Affairs Committee has called for a public briefing on Tuesday that will examine the country's hacking capabilities, with testimony from the Departments of State, Treasury and Homeland Security. The briefing will focus on steps the US is taking to curtail or protect against the country's apparent capabilities. "There can be no doubt that the Kim regime means America harm," Chairman Ed Royce (R-CA) said in a statement, "and as we saw last month, Pyongyang can deliver on its threats."

President Obama has already ordered new sanctions against North Korea in direct response to the attack, but has also hinted at further measures yet to come, calling the sanctions the "first aspect" of the government's response. Others in Congress are also calling for new defensive measures, resurrecting the controversial CISPA cybersecurity bill. Given the newfound interest in digital defense, supporters see this as the bill's best chance to get through Congress. On Wednesday, FBI director James Comey reiterated his confidence that the nation was responsible, saying, "we know who hacked Sony. It was the North Koreans."

