IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

New Android 'Certifi-gate' Bug Found


Following the news of the discovery of the Stagefright flaw - characterized by many security researchers as the worst vulnerability ever to be found on devices that run Google's Android operating system - details of yet another major flaw in Android were unveiled on August 6 at the Black Hat conference in Las Vegas.


But Google and some original equipment manufacturers have finally promised that they will soon begin releasing monthly platform and security updates for some Android devices, to better safeguard users against such vulnerabilities.


Security vendor Check Point Software Technologies says the new flaw, which it has dubbed "Certifi-gate," is due to components present in the Android operating system that are digitally signed but vulnerable to attack, and that these flaws could be "very easily exploited" to gain full, unrestricted access to vulnerable devices. After a successful attack, attackers could infect the devices with malware, exfiltrate data, remotely activate and monitor microphones or built-in cameras, and track the device's location.


"Certifi-gate is a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugs on a device," Check Point says in a blog post. "[These apps] allow remote personnel to offer customers personalized technical support for their devices by replicating a device's screen and by simulating screen clicks at a remote console."


Check Point says the vulnerabilities are present in hundreds of millions of Android devices, including smartphones and tablets manufactured by HTC, LG, Samsung and ZTE. It says the flaw affects a number of versions of the Android OS, including the latest Android "Lollipop" versions 5.0 and 5.1. The security firm says it has notified Google and all affected manufacturers, and that some related updates are starting to be released. Check Point also launched a free tool - the Check Point Certifi-gate Scanner - that will scan an Android device for the presence of the flaw.


Google did not respond to a request for comment about the flaw or related patches. But Check Point says that the vulnerable Android components' certificates cannot be remotely revoked by OEMs, and that they will have to issue a new, patched version of Android for each device they still support. But while some vendors patch quickly, others have been slow to release fixes - if at all.

Coming Soon: Stagefright Fixes

Google has long maintained Android as an open source project, and stated that it is up to manufacturers and carriers to decide how or if they will patch their own devices. The only exception to that approach has been the Nexus range of devices, which Google manufactures, and which run a stock version of Android.


But the severity of the Stagefright flaw - and many equipment manufacturers' and carriers' slow or nonexistent patching practices - has triggered serious existential questions about the future of the Android operating system, including whether enterprises should now begin treating unpatched Android devices as a security threat and blocking them.


Appearing to respond to such criticism, Google this week reported that many manufacturers - including Samsung, HTC, LG, Sony, Android One and Google's own Motorola - will begin releasing Stagefright patches later this week. In an Aug. 5 blog post Adrian Ludwig, lead engineer for Android Security, and Venkat Rapaka, director of Nexus product management, reported that patches were already starting to be released for all devices from Nexus 4 to 10, as well as Nexus Player. "This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues," they said. "At the same time, the fixes will be released to the public via the Android Open Source Project."

The same day, speaking at Black Hat, Ludwig also promised that OEMs will soon begin releasing related fixes. "My guess is that this is the single largest software update the world has ever seen," Ludwig said. "Hundreds of millions of devices are going to be updated in the next few days. It's incredible."

Some Monthly Android Patches Promised

But the need for Google to rally manufacturers for a one-off fix for such a serious flaw also highlights how existing approaches too often fail to put fixes for critical bugs on users' devices, at least in a timely manner. Finally, responding to years of criticism from security experts over the paucity of patches for Android devices, Samsung and LG have promised to implement monthly patch updates for their Android devices, as has Google with its Nexus line.


"Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store," Ludwig and Rapaka say in their blog post.


The move echoes a similar monthly patch-release strategy introduced by Microsoft for Windows, beginning in October 2003, to combat the rise in serious vulnerabilities found in its operating system.

Samsung and LG have also promised to release monthly patches, although they have not stated how long they will support devices after release. "With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," says Dong Jin Koh, who leads the mobile research and development group at Samsung Electronics, which makes the popular Galaxy series of smartphones and tablets, amongst other devices that run Android. "Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected."


Likewise, an LG spokeswoman says in a statement that "LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately" and that "we believe these important steps will demonstrate to LG customers that security is our highest priority." What is not clear, however, is how quickly carriers might then distribute those fixes to their subscribers.


Apple Obtains Touch ID-Related Patents From Biometric Security Firm Privaris


Apple has been working to acquire the intellectual property assets of Charlottesville, Virginia-based biometric security firm Privaris, according to CNN. Privaris recently transferred 26 of its 31 patents to the iPhone maker, including 4 patents in December 2012 and dozens more in October 2014.

The patents are primarily related to fingerprint and touchscreen technology that could lead to Touch ID improvements on future devices. Last February, well-informed KGI Securities analyst Ming-Chi Kuo told investors that the next iPhone will have an improved Touch ID with reduced errors.


"For example, one of Privaris' patents covers the ability to use a touchscreen and fingerprint reader at the same time. Another invention of Privaris' could allow you to open a door with your iPhone by scanning your fingerprint and holding your phone up to a reader, similar to how you pay for items with Apple Pay."


While the transferred patents have fueled acquisition rumors, the Privaris website has not been updated since 2010 and seemingly none of the company's senior executives or other employees have updated their LinkedIn profiles with positions at Apple. 

Accordingly, it is more likely that Privaris has scaled down or gone out of business and Apple has acquired the company's patent portfolio and other intellectual property. However, the possibility of an acquisition cannot be entirely ruled out.

Privaris, which reportedly raised $29 million in funding, developed a lineup of PlusID personal biometric devices to access computers, networks, websites, software, VPNs, secured printers and online apps. 

The company has also offered several other products and services related to access control systems, fingerprint authentication, biometric computer security, biometric security software and access cards, all technologies that fall within the realm of Touch ID. 


Kaspersky may have been hacked to spy on its research


Eugene Kaspersky, the Russian whose namesake company acknowledged that it had been infected with top-tier malware, struggled during a press conference to come up with reasons why the hackers targeted his firm.


After all, antivirus makers like Kaspersky Lab should be prepared to sniff out and snuff out an attack.

“They were not only stupid, but greedy,” Kaspersky said during a London-based press conference Wednesday, which was also webcast to reporters elsewhere.


When asked why the attackers—whose malware was dubbed Duqu 2.0 in a nod to 2011's Duqu, which in turn was thought to be an offspring of the infamous Stuxnet—went head-to-head with his company, Kaspersky had theories but nothing more.

“They were not interested in our customers,” he said after asserting that the intrusion did not appear to have touched any customer or partner data.


“I’m pretty sure they were watching,” he said of the hackers during the months they had their malware running undetected on Kaspersky’s network. He speculated that the attackers were doing reconnaissance and research, hoping to find out more about Kaspersky’s security technology or how it found and analyzed malware.


Specifically, Kaspersky wondered if they had infected Windows PCs on the company’s network to uncover how researchers decided what malware to manually examine.

A treasure trove of research

The vast bulk of the malware that Kaspersky—and any major antivirus firm—collects is processed, evaluated and categorized by automated systems, which also craft the resulting “fingerprints,” or signatures, that are sent to customers’ devices. Only the occasional piece of attack code is interesting enough, different enough from the run-of-the-mill to justify a human touch.


How researchers make the decision to closely evaluate—and root through—one piece of malware while passing on another would obviously be information a hacker crew or state-sponsored group would love to have, as it would help them craft attack code and develop tradecraft that would be more likely to get shunted to the machines, where it would be one among millions, and its true purpose perhaps overlooked.


“[The bad guys] absolutely want to know what security researchers are doing, what’s the state of the art on that side,” said Tod Beardsley, the engineering manager at security vendor Rapid7, in an interview. “They want to know, is it better than what [they] have?”


It’s certain, Beardsley continued, that just as security researchers launch projects to analyze attack technology and attackers’ predilections, the other side does the same. “Having a hold in a security company is of great advantage,” Beardsley said. “Just the operational intelligence would be valuable, as that would give them lots of preparation time for their next mission.”


And with more-than-public knowledge, hackers might be able to come up with ways to steer clear of security defenses like those employed by Kaspersky’s customers.


But Eugene Kaspersky dismissed the idea that the hackers’ presence within his company’s network—he said it had been hidden there at least several months—would give them real clues about the vendor’s technologies, even if they had obtained the source code, which they had not. “These technologies are quickly outdated,” Kaspersky contended, saying that changes were constantly being applied.


“Maybe they were interested in some specific attacks we were working on,” Kaspersky said. “Or maybe they wanted to see if we could catch them.”

"Very awesome" malware

In a long blog post on Forbes, Kaspersky elaborated. “I can think of several reasons why someone might want to try to steal our technical data, but each one of them doesn’t seem to be worth the risk” of being discovered, Kaspersky said.


Which is exactly what happened.


“Now we know how to catch a new generation of stealthy malware developed by them,” Kaspersky wrote. “And the attackers are now back to the drawing board since we exposed their platform to the whole IT security industry. Moral considerations aside, that’s hardly a good return on a serious investment with public money.”


That latter line was a reference to Kaspersky’s contention that Duqu 2.0 was created by a state-sponsored or state-run hacking crew.

Beardsley and Kaspersky agreed on one thing: Duqu 2.0 was top-of-the-line malware.


“It’s very awesome for sure,” said Beardsley. “It is definitely a milestone. It has a very modular framework, is able to swap out one zero-day for another, and uses new techniques for signaling and non-persistence.”


Unlike most malware, Duqu 2.0 resides almost exclusively in memory, making it difficult for security software to detect it.

Which led Eugene Kaspersky to make an odd-but-effective suggestion about how to rid a network of the malware. “Technically, it’s simple: Turn off the power and the system will be clean.”


Five Steps to Secure Your Data After I.R.S. Breach


The Internal Revenue Service has been added to a long list of companies and government agencies that hackers have breached in the last year.

And so, if there is any advice security experts have for those trying to keep their personal information safe, it is simply: You can’t.

“Your information has already been out there for years, available to anyone who wants to pay a couple dollars,” Brian Krebs, a security blogger who has been a frequent target of hackers, said Wednesday.

The attack on the I.R.S. is just the latest evidence that hackers already have all the information necessary to steal your identity. The agency said Tuesday that hackers used information stolen from previous breaches — including Social Security numbers, birth dates, street addresses and passwords — to complete a multistep authentication process and 


But consumers can make things harder for criminals. There may be a trade-off in convenience, but experts say the alternative is a lot worse.

1. Turn on multifactor authentication.

If a service offers added security features like multifactor authentication, turn them on. When you enter your password, you will receive a message, usually via text, with a one-time code that you must enter before you can log in.

Most banking sites and popular sites like Google, Apple, Twitter and Facebook offer two-factor authentication, and will ask for a second one-time code anytime you log in from a new computer.

2. Change your passwords again.

Yes, you need to change passwords again and they have to be passwords you have never used before. They need to be long and not words you would find in a dictionary. The first thing hackers do when trying to break into a site is use computer programs that can test every word in the dictionary.

Password managers like LastPass or Password Safe create long, unique passwords for the websites you visit and store them in a database that is protected by a master password you have memorized.

It may sound counterintuitive, but the truly paranoid write down their passwords.

Security experts advise creating anagrams based on song lyrics, movie quotations or sayings, and using symbols or numbers and alternating lower and upper cases to make the password more difficult. For instance, the “Casablanca” movie quotation “Of all the gin joints, in all the towns, in all the world, she walks into mine” becomes OaTgJ,iAtT,iAtW,sWiM.

Use stronger, longer passwords for sites that contain the most critical information, like bank or email accounts.

3. Forget about security questions.

Sites will often use security questions such as “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.

These questions are problematic because the Internet has made public record searches a snap and the answers are usually easy to guess.

In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)

With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

Jonathan Zdziarski, a computer forensics expert, said he often answers these questions with an alternate password. If a site offers only multiple choice answers, or only requires short passwords, he won’t use it.

“You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.
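The password advice in step 2 and the security-question advice in step 3 both come down to one thing: an answer that is long and not in any dictionary. The added example below (not from the article) implements the article's own acronym recipe, reproducing its "Casablanca" result, generates a random string to use in place of a real security-question answer as Zdziarski describes, and gives a rough brute-force entropy estimate so the two can be compared with a dictionary word. The function names and the entropy heuristic are this example's own.

```python
import math
import secrets
import string

# The article's worked example, embedded here as sample input.
CASABLANCA = "Of all the gin joints, in all the towns, in all the world, she walks into mine"


def quote_to_password(quote: str) -> str:
    """Acronym recipe from the article: first letter of each word, alternating
    upper/lower case by word position, keeping the quote's punctuation as symbols."""
    out = []
    for i, word in enumerate(quote.split()):
        first = word[0].upper() if i % 2 == 0 else word[0].lower()
        trailing = "".join(ch for ch in word[1:] if ch in string.punctuation)
        out.append(first + trailing)
    return "".join(out)


def random_answer(length: int = 20) -> str:
    """A random 'alternate password' to type into a security-question field.
    Uses the secrets module (CSPRNG), not random, so the answer is not predictable."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def charset_bits(password: str) -> float:
    """Rough brute-force strength: length * log2(size of the character classes used).
    This deliberately overstates strength for dictionary words and phrases; it is only
    meant to show why a 20-character random answer beats 'pizza'."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    pw = quote_to_password(CASABLANCA)
    print(pw, round(charset_bits(pw), 1))           # OaTgJ,iAtT,iAtW,sWiM 127.8
    ans = random_answer()
    print(ans, round(charset_bits(ans), 1))
    print("pizza", round(charset_bits("pizza"), 1))
```

The random answer has to be stored somewhere, which is exactly what the password manager mentioned in step 2 is for: the security-question field becomes just another credential in the vault rather than a fact an attacker can look up.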

4. Monitor your credit.

Typically a service will offer one year of free credit monitoring if it has been breached. But be aware that attackers do not dispose of your Social Security number, birth date or password a year after they acquire it.

It is better to monitor your credit aggressively at all times through free services like AnnualCreditReport.com.

5. Freeze your credit.

In the attack at the I.R.S., a credit freeze may not have thwarted thieves from filing for false tax refunds, but it could have stopped them from pulling tax transcripts or opening other accounts.

To freeze your credit, call Equifax, Experian or TransUnion and ask to have your account frozen. The credit agency will mail a one-time PIN or password to unfreeze your account later.

The fee to freeze and refreeze credit varies by state. If you plan on applying for a new job, renting an apartment or buying insurance, you will have to thaw a freeze temporarily and pay a fee to refreeze the account.

But if you have been a victim of identity theft, and can show a police report proving as much, most states will waive the freeze fee.


Via Paulo Félix

NetUSB Flaw Affects Router Makers


Many router manufacturers use a third-party software component in their products called NetUSB, which can be exploited to bypass authentication checks and remotely take control of the devices, warns information security researcher Stefan Viehböck at SEC Consult.


The research firm has verified the flaw in firmware used by 92 products manufactured by D-Link, Netgear, TP-Link, Trendnet and ZyXEL, Viehböck says. The firmware flaw is likely also present in multiple products manufactured by 21 other vendors that use NetUSB, he adds. That count is based on the "NetUSB.inf" file, which is part of the client-driver setup for Windows, and which contains a list of 26 vendors. Accordingly, "it is likely that these vendors have licensed the NetUSB technology and are using it in some of their products," SEC Consult says, suggesting that "millions of devices" are now at risk.


U.S. CERT has issued a related alert, saying that "NetUSB is vulnerable to a buffer overflow via the network that may result in a denial of service or code execution." The SEC Consult researchers did not report seeing any related attacks against NetUSB-using devices. But their security alert follows the recent warning that attackers had compromised 40,000 routers that used default credentials, and turned them into distributed denial-of-service attack platforms.


NetUSB is developed by Kcodes, based in Taiwan, which bills itself as "the world's premier technology provider of mobile printing, audio and video communication, file sharing, and USB applications for iPhones, iPads, smart phones and tablets (Android and Windows), MacBooks, and Ultrabooks." Kcodes did not immediately respond to a request for comment on the firmware vulnerability.


NetUSB is designed to provide "USB over IP" functionality. "USB devices (e.g. printers, external hard drives, flash drives) plugged into a Linux-based embedded system (e.g. a router, an access point or a dedicated "USB over IP" box) are made available via the network using a Linux kernel driver that launches a server (TCP port 20005)," SEC Consult says in a blog post. "The client side is implemented in software that is available for Windows and OS X. It connects to the server and simulates the devices that are plugged into the embedded system locally. The user experience is like that of a USB device physically plugged into a client system."


But SEC Consult warns that when installed, NetUSB always appears to be active by default. "The NetUSB feature was enabled on all devices that we checked, and the server was still running even when no USB devices were plugged in," it says.

NetUSB: Some Mitigations

U.S. CERT says the NetUSB flaw can be mitigated by installing firmware updates - if available - and that blocking port 20005, which is used by NetUSB, may also mitigate the flaw. It adds that attacks may also be potentially mitigated by disabling device-sharing features. "Consult your device's vendor and documentation as some devices may allow disabling the USB device sharing service on your network."


SEC Consult, however, cautions in a related security advisory that deactivating NetUSB in a Web interface does not always disable it. "Sometimes NetUSB can be disabled via the Web interface, but at least on Netgear devices this does not mitigate the vulnerability," it says. "Netgear told us that there is no workaround available, the TCP port can't be firewalled nor is there a way to disable the service on their devices."


That security alert contains proof-of-concept attack code and a list of devices that it has confirmed are vulnerable to the flaw. To date, SEC Consult says that of affected vendors, only TP-LINK has released some related firmware updates, as well as outlined an update schedule for about 40 of its products.
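Because SEC Consult reports that the NetUSB server listens on TCP port 20005 even when the Web interface claims the feature is off, the practical check for an administrator is whether that port is actually reachable on each router. The following is an added example (not SEC Consult's or US-CERT's code) that does a plain TCP connect to port 20005 on a list of gateway addresses and reports which ones still answer; it does not speak the NetUSB protocol or send any payload. The gateway address in the usage block and the function names are assumptions for illustration.

```python
import socket

# TCP port used by the NetUSB kernel server, per the SEC Consult advisory quoted above.
NETUSB_PORT = 20005


def tcp_port_open(host: str, port: int = NETUSB_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes. Nothing is sent;
    the connection is closed immediately after the handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def netusb_exposure_report(hosts, port: int = NETUSB_PORT, timeout: float = 2.0) -> dict:
    """Map each router/gateway address to whether the NetUSB port answers."""
    return {host: tcp_port_open(host, port, timeout) for host in hosts}


def _listen_locally():
    """Helper for self-checking the scanner offline: a throwaway listener on an
    ephemeral loopback port. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumed LAN gateway address; replace with the routers you administer.
    for host, is_open in netusb_exposure_report(["192.168.1.1"]).items():
        if is_open:
            print(f"{host}:{NETUSB_PORT} OPEN - NetUSB reachable; apply vendor firmware "
                  "or block TCP {NETUSB_PORT} upstream")
        else:
            print(f"{host}:{NETUSB_PORT} closed")
```

Run this from the LAN side and, if the router has a WAN address you control, from outside as well: the advisory's point about Netgear is that the Web toggle may not close the port, so the listener itself is the thing to verify, before and after any firmware update.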

Safety Alert: Internet of Things

The discovery that a single third-party component with an easily exploitable flaw has apparently been employed by many router manufacturers points to the challenge of attempting to keep so-called "Internet of Things" devices secure, says Gavin Millard, technical director for Europe, the Middle East, and Africa at Tenable Network Security. "One of the biggest issues we're going to face with the explosion of IoT or IP-enabled devices is the lack of foundational secure coding best practices that are followed," he says.


"Unfortunately, when cost is such a driver for manufacturers of these technologies, poor code is often reused and when found by researchers, they are often faced with an apathetic response from the vendors."


Indeed, SEC Consult says that on February 28, it first approached Kcodes to warn it about the flaw, and later provided proof-of-concept exploit code. But after communication problems and Kcodes missing meetings, SEC Consult says that on March 26, it approached U.S. CERT and requested that it coordinate efforts with the vendor, as well as Netgear and TP-Link. Then a coordinated vulnerability announcement was released on May 19.


Kcodes did not immediately respond to a request for comment about SEC Consult's timeline.


Even with related fixes now beginning to appear, however, Millard says it's likely that most consumers will never hear about the NetUSB vulnerability or patch related devices. But he says the overall situation is even more troubling for corporate environments. "The burden on admins to find all these devices and reduce the risk of it being utilized by attackers is an almost impossible job, and the task will only get harder as the market pushes for cheaper, more connected devices," he says. "Unless we address the foundational issue of good coding practices in embedded systems, we'll continue to see simple bugs like weak authentication, default passwords, buffer overflows and directory traversal attacks being reintroduced into our environments."



New Rombertik malware destroys master boot record if analysis function detected


While malware that checks whether it is being analyzed is nothing new, Cisco researchers have identified a new malware sample that takes its detection-evasion features one step further than the average malware.


Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device's master boot record (MBR), researchers wrote in a blog post.


This malware spreads through spam and phishing messages sent to possible victims.


In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.
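The delivery step described here, a zipped ".SCR" executable wearing a PDF icon, is the point where a mail gateway or endpoint can stop Rombertik before any of its anti-analysis logic runs. The added example below (not Cisco's code) inspects a zip attachment and flags members that are executables, that use a document-then-executable double extension such as "Report.pdf.scr", or whose bytes start with the "MZ" PE header despite a harmless-looking extension. The sample archive is constructed in memory and contains no real malware; the function names and the extension lists are this example's own.

```python
import io
import zipfile

# Extensions Windows will execute when double-clicked (not exhaustive).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Extensions commonly used as the decoy half of a double extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def attachment_findings(zip_bytes: bytes) -> list:
    """Return (member name, reason) pairs for suspicious members of a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as member:
                head = member.read(2)                 # enough to spot the PE 'MZ' magic
            if ext in EXECUTABLE_EXTENSIONS:
                if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                    findings.append((info.filename, "executable disguised with a document extension"))
                else:
                    findings.append((info.filename, "executable attachment"))
            elif head == b"MZ":
                # Extension says document/image, content says Windows executable.
                findings.append((info.filename, "PE executable despite non-executable extension"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a fake PE-like header is used, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.pdf.scr", b"MZ\x90\x00" + b"\x00" * 60)   # the Rombertik pattern
        zf.writestr("notes.txt", b"plain text, harmless")
        zf.writestr("brochure.pdf", b"%PDF-1.4 minimal placeholder")
        zf.writestr("update.jpg", b"MZ\x90\x00" + b"\x00" * 60)       # renamed executable
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in attachment_findings(build_sample_zip()):
        print(f"{name}: {reason}")
```

Checking the first bytes as well as the name matters because the extension is entirely under the sender's control; the icon trick the article describes works precisely because Windows Explorer shows the icon embedded in the executable rather than anything derived from the file's true type.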


At this point Rombertik will first run anti-analysis checks to determine whether it is running within a sandbox. If it isn't, it will then decrypt and install itself, which then allows it to launch a second copy of itself and to overwrite the second copy with the malware's core functionality. Then, again, it will check to make sure it isn't being analyzed in memory. If it is, the attack takes an even more malicious turn with the malware attempting to destroy the Master Boot Record and restart the computer to make it inoperable.


To make actual analysis even more difficult, in the unpacked Rombertik sample used by Cisco more than 97 percent of the packed file is dedicated to useless content, including 75 images and more than 8,000 functions that are never used.


Plus, instead of evading sandbox detection by sleeping for a certain amount of time and forcing the sandbox to time out, Rombertik writes a byte of random data to memory more than 900 million times. If an analysis tool attempted to document all these write instructions, the log would be more than 100 gigabytes.


All this occurs before the malware actually gets down to its true purpose of capturing a victim's plain-text data sent over a browser. Rombertik injects itself into the user's preferred browser's process and hooks API functions that handle plain text data. The attackers can then see usernames and passwords from almost any website a user visits.

“This is the perfect example where layered defense makes a lot of sense,” said Craig Williams, technical leader, Cisco Talos, in an interview with SCMagazine.com.


Although the malware may beat one detection system, it's unlikely to evade them all, he said, making layered defense an important way to mitigate the risk. However, he noted, it's possible more exploit kits will begin adopting Rombertik's evasion tactics, making defense even more difficult.


Via Danen Raas, Paulo Félix

House OKs 2nd Cyberthreat Info-Sharing Bill


A second cyberthreat information sharing bill passed the House of Representatives on April 23. That measure, the National Cybersecurity Protection Advancement Act, now will be combined with the House Intelligence Committee's Protecting Cyber Networks Act, which passed on April 22, before it's sent to the Senate.

The National Cybersecurity Protection Act, which was approved by a 355-63 vote, provides businesses with liability protections if they share cyberthreat information with the federal government and other businesses. The bill designates the National Cybersecurity and Communications Integration Center as the portal for government and business to share data.

"Ultimately, this legislation will arm those who protect our networks with valuable cyber-threat indicators that they can use to fortify defenses against future attacks," said one of the bill's sponsors, Rep. John Ratcliffe, chairman of a House Homeland Security Committee subcommittee, which has cybersecurity oversight.

Supporters of cyberthreat information sharing legislation, including President Obama, say such a measure is needed because many businesses will not share information with the government unless they're protected from civil and criminal lawsuits resulting from the sharing of data. Both bills, and one approved by the Senate Intelligence Committee, would provide those liability safeguards.

The House-passed bills' supporters contend their measures protect citizens' privacy and liberties by requiring businesses to strip personally identifiable information from information to be shared. Language added to the National Cybersecurity Protection Advancement Act specifically says the shared data is to be used for cyberdefense only and cannot be used for intelligence or law enforcement purposes. Still, consumer advocacy groups contend the bill does not go far enough to prevent sharing of data for purposes other than cyberdefense.

The White House, in Statements of Administration Policies, has given both House-passed bills a lukewarm endorsement, but it made suggestions on changes it seeks, especially the narrowing of the liability protections the measures offer.

In the Senate, Majority Leader Mike McConnell said its version of cyberthreat information sharing legislation should come up for a vote shortly, but did not provide a specific date. If the Senate passes its own cyberthreat information sharing legislation, conferees from both chambers, weighing recommendations from the White House, will draft new language in hopes of winning the support of a majority of House and Senate lawmakers as well as the president.



Info-Sharing Bills: What Happens Next?


As the House prepares to vote this week on two cyberthreat information sharing bills, their fates will rest as much on the White House's reaction to the proposals as on what happens in Congress.

The House Rules Committee on April 21 will consider amendments to both bills, the Protecting Cyber Networks Act that the Intelligence Committee approved on March 26 in a secret session and the National Cybersecurity Protection Advancement Act that the Homeland Security Committee passed unanimously on April 14. A vote by the full House is slated to occur on April 23 for the Intelligence Committee version of the bill and on April 24 on the Homeland Security version.

Although the White House is not getting everything it seeks in a cyberthreat information sharing law, the legislation offers more of what President Obama seeks than did CISPA.


Before the floor votes take place, the White House could issue a Statement of Administration Policy, which provides the administration's view on whether President Obama should sign or veto the legislation. The administration usually issues SAPs after a committee approves the bill but before the full chamber votes on it.

Recalling CISPA

The House in the past two congresses had passed cyberthreat information sharing bills, both known as the Cyber Intelligence Sharing and Protection Act, or CISPA, and in each case the White House threatened a presidential veto. The administration, in both instances, contended the legislation failed to provide sufficient privacy and civil liberties safeguards for citizens' personal information while furnishing businesses with too broad liability protections when they voluntarily share cyberthreat information with the government and each other.

For the White House, the Intelligence Committee version of the information sharing bill could prove more problematic. It's closer to CISPA than is the Homeland Security Committee's version and has attracted the wrath of civil liberties and privacy advocates. The Protecting Cyber Networks Act would allow the sharing of citizens' information with intelligence agencies such as the National Security Agency and law enforcement.


On the other hand, the Homeland Security Committee's National Cybersecurity Protection Advancement Act incorporates language that explicitly states that sharing such information with intelligence and law enforcement agencies would be prohibited, except if it should help mitigate a cyber-attack. Some privacy experts contend that even with that proviso, some private information could find its way to intelligence and law enforcement agencies.

Added Privacy Protections

Still, the National Cybersecurity Protection Advancement Act has been amended to provide many more privacy and civil liberties protections to citizens than does the Intelligence Committee's bill. And both bills furnish businesses with broad liability protections that would extend such safeguards to companies even if they choose not to share cyberthreat information with the government. It's unclear whether the changes that appear in these bills will pass muster with the administration and address its concerns regarding privacy and civil liberties safeguards and business liability protections.


Businesses want those broad protections, and the Financial Services Roundtable, a banking industry lobbying group, has posted a Web advertisement, titled Stop Cyber Threats, calling on voters to lobby Congress to take swift action on cyberthreat sharing legislation.

It's likely, but not inevitable, that if the White House issues an SAP on the Protecting Cyber Networks Act, it would say that senior administration officials would recommend an Obama veto. As for the National Cybersecurity Protection Advancement Act, it's less clear what the White House will say. The committee members did meet many of the objections raised over CISPA regarding privacy and civil liberties protections, although the bill doesn't seem to meet the concerns raised about broad liability protection.

What Will Obama Do?

Remember, lawmaking involves compromise, and although the White House is not getting everything it seeks in a cyberthreat information sharing law, the legislation offers more of what Obama seeks than did CISPA, and the president might support it, perhaps conditionally.

Of course, the Senate has to take action as well.


On March 12, the Senate Intelligence Committee approved a bill that is closer to the Protecting Cyber Networks Act from its House counterpart than to the National Cybersecurity Protection Advancement Act offered by the House Homeland Security panel. Senate Majority Leader Mike McConnell, R-Ky., says he hopes to bring that measure up for a vote shortly, though he provided no specific timeframe.


Sen. Ron Wyden, D-Ore., the only Senate Intelligence Committee member who voted against the bill in committee, said last week that "a good group of senators" seeks to amend the measure to add privacy protection when it comes up for a vote before the entire Senate, according to The Hill.

Limits of Executive Order

Obama earlier this year issued an executive order to establish a process for businesses to share cyberthreat information through the Department of Homeland Security's National Cybersecurity & Communications Integration Center. But Obama on his own cannot provide businesses with protection from legal action for sharing cyberthreat information; that requires a new law enacted by Congress.

Passage of both House bills in the lower chamber is almost a certainty, and if - and that's a big if because the Senate never voted on a cyberthreat information sharing bill in the past two congresses - the upper chamber approves information sharing legislation, a conference between the House and Senate would iron out differences among the various measures, and produce a final bill. By then, the president's views on how far he'd compromise would be known, and a bill acceptable to the House, Senate and White House could become law.



Breach Exposed Obama Records


A breach of the White House IT system last October, believed to be by Russian hackers, exposed sensitive details about White House operations, such as the president's schedule, CNN reports.

Investigators believe the White House intrusion began with a phishing email that was launched using a State Department email account that the hackers had taken over, CNN reports, citing several U.S. officials briefed on the investigation into the breach.

The State Department revealed in October that the breach of its system and that of the White House were linked (see State Department, White House Hacks Linked).

The White House downplayed the report. "This report is not referring to a new incident - it is speculating on the attribution of the activity of concern on the unclassified EOP (Executive Office of the President) network that the White House disclosed last year," Mark Stroh, National Security Council spokesman said April 7. "Any such activity is something we take very seriously. In this case, as we made clear at the time, we took immediate measures to evaluate and mitigate the activity. As has been our position, we are not going to comment on the referenced article's attribution to specific actors."

Alternative to Email

Jerry Irvine - a member of the National Cybersecurity Task Force, a joint operation between the Department of Homeland Security and the U.S. Chamber of Commerce - says phishing and spear phishing attacks are increasingly plaguing governments and businesses, and suggests that if they persist, organizations might need to limit email communications.

"It can happen to anyone, and it did," Irvine says, referring to the White House breach. "This is the way of the world. Organizations now are starting to look at the value of email and are questioning whether it's worth the risk. Are there other methods to share information other than email?"

Irvine, partner and chief information officer at IT outsourcer Prescient Solutions, says governments and businesses should look to email alternatives, such as instant messaging, which he contends poses fewer risks.



Compromise on Info-Sharing Measure Grows


A willingness to compromise expressed at a Feb. 25 House hearing on President Obama's cyberthreat information sharing initiative offered a sign of hope that long-sought legislation to get businesses to share such data could pass Congress this year and be signed into law.

The tone of the discussion at the hearing was far different from that in the past two congresses, when the White House threatened presidential vetoes of cyberthreat information sharing measures that passed the House of Representatives.


Congressional Republicans and the Democratic president and his supporters differed in the past over how an information sharing law should address liability protections and privacy safeguards. The White House maintained the liability protections in the Republican-sponsored legislation were too broad and that privacy safeguards were too weak. The GOP argued the liability provisions in their bills - which had some Democratic backers - were needed to get the private sector to participate in the voluntary information sharing program and that the privacy protections the White House sought would be too costly for some businesses to implement.

But those differences seem to have narrowed at the Feb. 25 House Homeland Security Committee hearing, where an expression of willingness to seek compromise surfaced from both sides.

Bone of Contention

"It is, sometimes, a bone of contention between both sides of the aisle," House Homeland Security Committee Chairman Mike McCaul, R-Texas, said, referring to differing views on liability protection. But McCaul congratulated administration representatives at the hearing for presenting the president's plan and saw merit in its proposals. "I talked to the private sector; they like the liability protections that are presented here," he said, especially in regards to sharing data with the government.

Still, McCaul said some business leaders had reservations about the liability protection in Obama's plan for businesses that want to share cyberthreat information with other businesses.

The president's proposal would provide liability protection for businesses that share cyberthreat data with DHS's National Cybersecurity and Communications Integration Center, known as NCCIC. Under Obama's plan, those protections aren't extended to businesses that share information with each other directly but would be covered if the data is shared through newly formed information sharing and analysis organizations, or ISAOs. "What the legislation provides is that the private sector can share among themselves through these appropriate organizations and enjoy the same liability protections for providing that information to those organizations," said Undersecretary Suzanne Spaulding, who runs the National Protection and Programs Directorate, the DHS entity charged with collaborating with business on cybersecurity.

Working Out Legislative Language

McCaul responded that the liability protections to share information with NCCIC could serve as the "construct" to share data among businesses, suggesting specific legislative language could be worked out between Congress and the administration. "We can discuss that more as this legislation unfolds," he said.

Rep. Curt Clawson, a Florida Republican who led several multinational corporations before his election to Congress in 2014, said getting buy-in to share cyberthreat information with the U.S. government from companies with global operations and stakeholders could prove to be "a tough sale."

"My world is all about multiple stakeholders," Clawson said, addressing Spaulding. "We're trying to protect our customers, our suppliers, the communities that we live in, and what I've read so far of what you proposed just doesn't feel like a compelling case that I can take to my multinational board of directors. ... Any private-sector CEO would be negligent to go along on the basis of trust" without the U.S. government providing a detailed plan on what information is being sought and how it would be used.

Spaulding said the government will build that trust and agreed with Clawson that the "devil is in the details" of a final legislative plan. She said the information to be shared would be minimal and technical, such as explicit cyberthreat indicators, IP addresses and specific types of malware. The undersecretary said the government would be transparent about the types of information it seeks and receives and would develop policies and protocols to protect proprietary as well as personally identifiable information. "This isn't going to make every company open its doors," Spaulding said. "But it does address concerns that we've heard from the private sector, and there will be a fair amount of detail about precisely what we're talking about sharing here."

Though not totally persuaded, Clawson offered to work with DHS on the legislation, an offer Spaulding accepted.

Stripping PII from Shared Data

Another partisan difference is the Obama administration's insistence that companies strip personally identifiable information from data before it's shared, an act that some Republicans say puts a financial burden on businesses. Phyllis Schneck, DHS deputy undersecretary for cybersecurity, explained that under Obama's proposal, companies would need to make a "good-faith effort" to remove PII, conceding that it is a "policy puzzle" that needs to be solved by the private sector working with law enforcement and the intelligence community. "We're doing our best to get everybody to design that," Schneck said.

Regardless of how the final language of a cyberthreat sharing bill reads, such legislation is only one part of a solution to mitigate cyberspace risks. "Information sharing is no silver bullet," said Eric Fischer, senior specialist for science and technology at the Congressional Research Service. "It's an important tool for protecting systems and their contents. As long as organizations are not implementing even basic cyber hygiene, there are going to be some significant difficulties."

Fischer cited a Hewlett-Packard study that shows 45 percent of companies lack basic cyber hygiene. "There have been cases where companies had the information, but nevertheless did not pay sufficient attention to it," he said. "They had information that could have prevented an attack. If a company is not prepared to implement threat assessments that they receive, then that's going to be a problem."



Creating cybersecurity that thinks


Until recently, using the terms “data science” and “cybersecurity” in the same sentence would have seemed odd. Cybersecurity solutions have traditionally been based on signatures, relying on matches to patterns derived from previously identified malware to capture attacks in real time. In this context, the use of advanced analytical techniques, big data and all the traditional components that have become representative of “data science” have not been at the center of cybersecurity solutions focused on the identification and prevention of cyber attacks.

This is not surprising. In a signature-based solution, any given malware or new flavor of it needs to be identified, sometimes reverse-engineered and have a matching signature deployed in an update of the product in order to be “detectable.” For this reason, signature-based solutions are not able to prevent zero-day attacks and provide very limited benefit compared to the predictive power offered by data science.

Among the many definitions of data science that have emerged in the last few years, “gaining knowledge from data using a scientific approach” best captures some of the different components that characterize it.

In this series of posts, we will investigate how data science can be used to extract knowledge that identifies malware and potential persistent cybersecurity threats.

The unprecedented number of companies that reported breaches in 2014 is evidence that existing cybersecurity solutions are not effective at identifying malware or detecting attackers inside an organization’s network. The list of companies that have reported breaches and exfiltration of sensitive data grows at an alarming rate: from the large-volume data breaches at Target and Home Depot earlier in 2014, to the recent breaches at Sony Entertainment, JP Morgan and the most recent attack at Anthem in February, where personally identifiable information (PII) for 80 million Americans was stolen. Breaches involve big and small companies, showing that the time has come for a different approach to the identification and prevention of malware and malicious network activity.

Three technological advances enable data science to deliver new innovative cybersecurity solutions:

Storage – the ease of collecting and storing large amount of data on which analytics techniques can be applied (distributed systems as cluster deployments).
Computing – the prompt availability of large computing power allows easy use of sophisticated machine learning techniques to build models for malware identification.
Behavior – the fundamental transition from identifying malware with signatures to identifying the particular behaviors an infected computer will exhibit.

Let's discuss more in depth how each of the items above can be used for a rigorous application of data science techniques to solve today's cybersecurity problems.

Having a large amount of data is of paramount importance in building analytical models that identify cyber attacks. For either a heuristic model or a refined model based on machine learning, large numbers of data samples need to be analyzed to identify the relevant set of characteristics and aspects that will be part of the model; this is usually referred to as “feature engineering”. Then data needs to be used to cross-check and evaluate the performance of the model; this should be thought of as a process of training, cross-validating and testing a given “machine learning” approach.

In a separate post, we will discuss in more detail how and why data collection is a crucial part in the data science approach to cybersecurity, and why it presents unique challenges.

One of the reasons for the recent increase in machine learning’s popularity is the prompt availability of large computing resources: Moore’s law holds that the processing power and storage capacity of computer chips double approximately every 24 months.

These advances have enabled the introduction of many off-the-shelf machine learning packages that allow training and testing of machine learning algorithms of increasing complexity on large data samples. These two factors make the use of machine learning practical for use in cybersecurity solutions.

There is a distinction between data science and machine learning, and we will discuss in a dedicated post how machine learning can be used in cybersecurity solutions, and how it fits into the more generic solution of applying data science in malware identification and attack detection.

The fundamental transition from signatures to behavior for malware identification is the most important enabler of applying data science to cybersecurity. Intrusion Prevention System (IPS) and Next-generation Firewall (NGFW) perimeter security solutions inspect network traffic for matches with a signature that has been created in response to analysis of specific malware samples. Minor changes to malware reduce the efficacy of an IPS or NGFW. However, machines infected with malware can be identified through observation of their abnormal post-infection behavior. Identifying abnormal behavior requires, first, the capability to establish what is normal and, second, the use of rigorous analytical methods (data science) to identify anomalies.
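The signature-versus-behavior contrast in the paragraph above, as an added illustration that is not code from the original post: a fixed byte signature that a trivially altered sample evades, beside a baseline-and-deviation check over per-host daily traffic features. The feature names, the z-score threshold, the placeholder signature and every sample number are constructed for this example.

```python
"""Signature matching versus behavioral baselining (added illustration).

All sample data, feature names and thresholds below are constructed for the
example; nothing is taken from a real product, IPS rule set or dataset.
"""
from statistics import mean, pstdev

# ---- Signature-based detection -----------------------------------------
# A signature is a fixed byte pattern extracted from an analysed sample.
# Constructed placeholder; a real IPS would carry many thousands of these.
KNOWN_SIGNATURE = b"EXAMPLE-BEACON-v1"


def signature_match(payload: bytes) -> bool:
    """True only when the exact known pattern occurs in the payload.

    A minor edit to the pattern (a version bump, an extra byte) defeats it,
    which is the weakness the post attributes to IPS/NGFW signatures.
    """
    return KNOWN_SIGNATURE in payload


# ---- Behavior-based detection ------------------------------------------
# Per-host, per-day features a defender can derive from flow logs.
FEATURES = ("distinct_dsts", "bytes_out")


def build_baseline(clean_days):
    """Learn what is 'normal' for one host from a window of days believed clean.

    clean_days: list of dicts keyed by FEATURES.
    Returns {feature: (mean, stdev)}; stdev is floored so a constant feature
    does not cause a division by zero when scoring.
    """
    baseline = {}
    for f in FEATURES:
        values = [day[f] for day in clean_days]
        baseline[f] = (mean(values), max(pstdev(values), 1e-9))
    return baseline


def zscores(baseline, observation):
    """Distance of each observed feature from the baseline, in stdev units."""
    return {
        f: (observation[f] - baseline[f][0]) / baseline[f][1] for f in FEATURES
    }


def is_anomalous(baseline, observation, threshold=3.0):
    """Flag the day if any feature drifts more than `threshold` stdevs.

    Post-infection behaviour (beaconing to many new hosts, bulk outbound
    transfer) shows up here regardless of which bytes the malware sends.
    """
    return any(abs(z) > threshold for z in zscores(baseline, observation).values())


# ---- Constructed sample data (one host, one week believed clean) --------
CLEAN_WEEK = [
    {"distinct_dsts": 40, "bytes_out": 2_100_000},
    {"distinct_dsts": 45, "bytes_out": 2_400_000},
    {"distinct_dsts": 38, "bytes_out": 1_900_000},
    {"distinct_dsts": 50, "bytes_out": 2_600_000},
    {"distinct_dsts": 42, "bytes_out": 2_200_000},
    {"distinct_dsts": 47, "bytes_out": 2_500_000},
    {"distinct_dsts": 44, "bytes_out": 2_300_000},
]
NORMAL_DAY = {"distinct_dsts": 48, "bytes_out": 2_700_000}      # busy but ordinary
INFECTED_DAY = {"distinct_dsts": 310, "bytes_out": 9_800_000}   # beaconing + exfil


def demo():
    """Return the four verdicts the example is meant to show."""
    baseline = build_baseline(CLEAN_WEEK)
    return {
        "sig_hits_original": signature_match(b"GET /x?id=EXAMPLE-BEACON-v1"),
        "sig_hits_variant": signature_match(b"GET /x?id=EXAMPLE-BEACON-v2"),
        "behaviour_flags_normal": is_anomalous(baseline, NORMAL_DAY),
        "behaviour_flags_infected": is_anomalous(baseline, INFECTED_DAY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The baseline is only as good as the training window: days that were already compromised teach the model that the infection is normal, so the clean window has to be chosen deliberately.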

We have identified several key aspects that innovative cybersecurity solutions need to have. These require analysis of large data samples and application of advanced analytical methods in order to build data-driven solutions for malware identification and attack detection. A rigorous application of data science techniques is a natural solution to this problem, and represents a dramatic advancement in cybersecurity efficacy.

sudo_reboot's curator insight, April 11, 2015 10:02 AM

I always find it interesting when the promise of “big data”, “cloud”, “on-demand compute resources” - are touted as the solution. Where are the actual algorithms? Where is the perfect blend of dev and analyst that can actually make full use of the technology who also knows the adversaries' tradecraft?


Cybercrime Affects More Than 431 Million Adult Victims Globally


Cybercrime affects more than 431 million adult victims around the world. Since the internet has become such an integral part of governments, businesses, and the lives of millions of people, cyberspace has become an ideal place, allowing criminals to remain anonymous while they prey on victims.

The most common forms of cybercrime are offences related to identity, such as malware, hacking, and phishing. Criminals use these methods of cybercrime to steal money and credit card information. Additionally, cybercriminals use the internet for crimes related to child pornography, abuse material, and intellectual property and copyright.

As technology advances, criminals are finding it much easier to perform a cybercrime; advanced techniques and skills to perpetrate threats are no longer required. For instance, software that allows criminals to override passwords and locate access points of computers is easily purchased online. Unfortunately, finding cyber criminals is becoming more difficult.


Cybercrime is a rapidly growing business, exceeding $3 trillion a year. Victims and perpetrators are located anywhere in the world. The effects of cybercrime are seen across societies, stressing the need for a pressing and strong international response.

However, many countries do not have the capacity or regulations to combat cybercrime. A global effort is required to make available firmer regulations and improved protection because cyber criminals hide within legal loopholes in countries with less stringent regulation.

Criminals perpetrate a cybercrime by taking advantage of a country’s weak security measures. Additionally, the lack of cooperation between developing and developed countries can also result in safe havens for individuals and groups who carry out a cybercrime.

The United Nations is actively involved in fighting cybercrime. The organization set up the United Nations Office on Drugs and Crime (UNODC) following the 12th Crime Congress to study cybercrime. The UNODC is a global leader in the fight against illicit drugs and international crime.

Cybercrime affects one million victims every single day. More than 431 million people are affected by cybercrime, that’s 14 adult victims every second.

In addition, there are up to 80 million automated hacking attacks every day. The most common and fastest growing forms of consumer fraud on the Internet are identity-related offences, especially through the misuse of credit card information.

Learning online protection methods is one of the simplest means of defense from becoming victim to a cybercrime. When purchasing products online, always be aware of the trustworthiness of the websites.

Avoid using public computers for anything that requires a credit card payment. By all means, be sure online purchases and banking are facilitated with a fully legitimate and safe business.

Computers should have up-to-date security software. Choose strong passwords, and do not open suspicious emails or special offers that ask for personal information; these often take the form of sales, contests, or fake bank messages.

Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime.


Via Paulo Félix


Apple Adds More Security To iMessage And FaceTime With Two-Factor Authentication


Apple has improved the security of FaceTime and iMessage, its voice/video and multimedia chat communication tools. The services got two-factor authentication today as an option for users to enable, meaning that even if someone uses your Apple ID email and password to enable iMessage or FaceTime on a new device, they’ll still need a PIN code from an existing trusted device to gain access to those services.

You may recognize the system from iCloud’s two-factor authentication, or from setting up Keychain to keep your passwords in sync between Apple devices. If you’ve previously enabled two-factor for iCloud, it’ll also be enabled for FaceTime and iMessage. The additional level of protection applied to these services helps ensure that people will have a harder time grabbing potentially private images from your iMessage history, or pretending to be you via online communication methods.

Two-step comes into play when users log out of an account on their device and try to log back in, as well, meaning you’ll have to get that trusted device out should you temporarily disable your account on the device, or in some cases if you run a system update or switch SIMs. This is a good step for Apple, and hopefully an indication that it intends to roll out two-step security to all of its services in good time.

Gabriela Atuesta's curator insight, February 17, 2015 12:25 AM

New security system for the use of iMessage and FaceTime on Apple devices.


More Retailers Hit by New Third-Party Breach?


CVS, Rite-Aid, Sam's Club, Walmart Canada and other large retail chains have suspended their online photo services following a suspected hack attack against a third-party service provider that may, in some cases, have resulted in the compromise of payment card data.


The suspected breach centers on PNI Digital Media Inc., a Vancouver-based firm that manages and hosts online photo services for numerous retailers. The incident serves as a reminder of the security challenges that organizations face when it comes to managing their third-party vendors and entrusting them with sensitive customer information.


Numerous chains have confirmed that they are investigating potential breaches - some involving payment card data - after being warned by PNI Digital Media that it may have suffered a hack attack that resulted in the compromise of retailers' customers' names, addresses, phone numbers, email addresses, photo account passwords and credit card information. But none of the retailers involved have so far reported that they believe the breach would affect any of their in-store customers, including anyone who used in-store photo services.


PNI Digital Media did not immediately respond to a request for comment on its reported breach investigation. Until July 17, the company's investors page reported that it worked with numerous retailers, and while that page is now blank, a recent version cached by Google's search engine reads: "PNI Digital Media provides a proprietary transactional software platform that is used by leading retailers such as Costco, Walmart Canada, and CVS/pharmacy to sell millions of personalized products every year. Last year, the PNI Digital Media platform worked with over 19,000 retail locations and 8,000 kiosks to generate more than 18M transactions for personalized products."

CVS Confirms Investigation

On July 17, CVS spokesman Mike DeAngelis confirmed that CVSPhoto.com may have been affected by the suspected PNI Digital Media breach. "We disabled the site as a matter of precaution while this matter is being investigated," DeAngelis tells Information Security Media Group.


The cvsphoto.com site now reads in part: "We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised. As a precaution, as our investigation is underway we are temporarily shutting down access to online and related mobile photo services. We apologize for the inconvenience."

CVS says PNI Digital Media collects credit and debit information for customers who purchase online photo services through CVSPhoto.com. Accordingly, CVS recommends that all customers of its online photo service review their credit card statements "for any fraudulent or suspicious activity" and notify their bank or card issuer if anything appears to be amiss. "Nothing is more central to us than protecting the privacy and security of our customer information, including financial information," CVS says. "We are working closely with the vendor and our financial partners and will share updates as we know more."

Rite Aid: No Suspected Card Theft

Drugstore chain Rite Aid has also taken its online and mobile photo services offline. "We recently were advised by PNI Digital Media, the third party that manages and hosts mywayphotos.riteaid.com, that it is investigating a possible compromise of certain online and mobile photo account customer data," Rite Aid's site reads. "The data that may have been affected is name, address, phone number, email address, photo account password and credit card information."


Unlike CVS, however, Rite Aid reports that it does not believe that its customers' payment-card data is at risk. "Unlike for other PNI customers, PNI does not process credit card information on Rite Aid's behalf and PNI has limited access to this information," it says, adding that it has received no related fraud reports from its customers.

Sam's Club has also taken its online photo service offline, "in an abundance of caution and as a result of recent reports suggesting a potential security compromise of the third-party vendor that hosts Sam's Photo website." As with Rite Aid, however, Sam's Club reports that "at this time, we do not believe customer credit card data has been put at risk."


Costco and Tesco Photo have also suspended their online photo services.


Walmart Canada, which also outsources online photo services to PNI, also may have been affected by the possible breach, according to The Toronto Star, and the retailer has since suspended its online photo services website. "We were recently informed of a potential compromise of customer credit card data involving Walmart Canada's Photocentre website, www.walmartphotocentre.ca," Walmart states. "We immediately launched an investigation and will be contacting customers who may be impacted. At this time, we have no reason to believe that Walmart.ca, Walmart.com or in-store transactions are affected."


Walmart did not respond to Information Security Media Group's request for comment. ISMG also reached out to office supplier Staples, which owns PNI, but did not get a response.

"PNI is investigating a potential credit card data security issue," a Staples spokesperson told The Toronto Star.

Growing Third-Party Breach Concerns

PNI's potential breach comes just a week after Denver-based managed services provider Service Systems Associates announced that a breach linked to a malware attack against its network had likely affected about 12 of the payment systems it operates for gift shops at retail locations, which include zoos, museums and parks, across the country.


Service Systems Associates says debit and credit purchases made between March 23 and June 25 may have been compromised.

On July 7, the Financial Services Information Sharing and Analysis Center, along with Visa, the U.S. Secret Service and The Retail Cyber Intelligence Sharing Center, which provides threat intelligence for retailers, issued a cybersecurity alert about risks merchants face when dealing with third parties.


The alert lists a number of security recommendations for managing third-party risks, including using multifactor authentication for remote-access login to point-of-sale systems and including specific policies related to outdated operating systems and software in contracts with vendors.


Earlier this month, Chris Bretz, director of payment risk at the FS-ISAC, warned that managed service providers that offer outsourced services to numerous merchants are increasingly being targeted by cybercriminals.


"Criminals continue to find success by targeting smaller retailers that use common IT and payments systems," Bretz said in an interview with ISMG. "Merchants in industry verticals often use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business."


Can the Power Grid Survive a Cyberattack?


It’s very hard to overstate how important the US power grid is to American society and its economy. Every critical infrastructure, from communications to water, is built on it and every important business function from banking to milking cows is completely dependent on it.

And the dependence on the grid continues to grow as more machines, including equipment on the power grid, get connected to the Internet. A report last year prepared for the President and Congress emphasized the vulnerability of the grid to a long-term power outage, saying “For those who would seek to do our Nation significant physical, economic, and psychological harm, the electrical grid is an obvious target.”

The damage to modern society from an extended power outage can be dramatic, as millions of people found in the wake of Hurricane Sandy in 2012. The Department of Energy earlier this year said cybersecurity was one of the top challenges facing the power grid, which is exacerbated by the interdependence between the grid and water, telecommunications, transportation, and emergency response systems.

So what are modern grid-dependent societies up against? Can power grids survive a major attack? What are the biggest threats today?

The grid’s vulnerability to nature and physical damage by man, including a sniper attack in a California substation in 2013, has been repeatedly demonstrated. But it’s the threat of cyberattack that keeps many of the most serious people up at night, including the US Department of Defense.

Why the grid is so vulnerable to cyberattack

Grid operation depends on control systems – called Supervisory Control And Data Acquisition (SCADA) – that monitor and control the physical infrastructure. At the heart of these SCADA systems are specialized computers known as programmable logic controllers (PLCs). Initially developed by the automobile industry, PLCs are now ubiquitous in manufacturing, the power grid and other areas of critical infrastructure, as well as various areas of technology, especially where systems are automated and remotely controlled.

One of the most well-known industrial cyberattacks involved these PLCs: the attack, discovered in 2010, on the centrifuges the Iranians were using to enrich uranium. The Stuxnet computer worm, a type of malware categorized as an Advanced Persistent Threat (APT), targeted the Siemens SIMATIC WinCC SCADA system.

Stuxnet was able to take over the PLCs controlling the centrifuges, reprogramming them in order to speed up the centrifuges, leading to the destruction of many, and yet displaying a normal operating speed in order to trick the centrifuge operators. So these new forms of malware can not only shut things down but can alter their function and permanently damage industrial equipment. This was also demonstrated at the now famous Aurora experiment at Idaho National Lab in 2007.

Securely upgrading PLC software and securely reprogramming PLCs has long been of concern to PLC manufacturers, which have to contend with malware and other efforts to defeat encrypted networks.

The oft-cited solution of an air-gap between critical systems, or physically isolating a secure network from the internet, was precisely what the Stuxnet worm was designed to defeat. The worm was specifically created to hunt for predetermined network pathways, such as someone using a thumb drive, that would allow the malware to move from an internet-connected system to the critical system on the other side of the air-gap.

Internet of many things

The growth of the smart grid – the idea of overlaying computing and communications on the power grid – has created many more access points for penetrating grid computer systems. Currently, uncertainty about the provenance of data from smart grid devices limits what is known about who is really sending the data and whether that data is legitimate or an attempted attack.


This concern is growing even faster with the Internet of Things (IoT), because there are many different types of sensors proliferating in unimaginable numbers. How do you know when the message from a sensor is legitimate or part of a coordinated attack? A system attack could be disguised as something as simple as a large number of apparent customers lowering their thermostat settings in a short period on a peak hot day.

Defending the power grid as a whole is challenging from an organizational point of view. There are about 3,200 utilities, all of which operate a portion of the electricity grid, but most of these individual networks are interconnected.

The US Government has set up numerous efforts to help protect the US from cyberattacks. With regard to the grid specifically, there is the Department of Energy’s Cybersecurity Risk Information Sharing Program (CRISP) and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) programs in which utilities voluntarily share information that allows patterns and methods of potential attackers to be identified and securely shared.

On the technology side, the National Institute of Standards and Technology (NIST) and IEEE are working on smart grid and other new technology standards that have a strong focus on security. Various government agencies also sponsor research into understanding the attack modes of malware and better ways to protect systems.

But the gravity of the situation really comes to the forefront when you realize that the Department of Defense has stood up a new command to address cyberthreats, the United States Cyber Command (USCYBERCOM). Now in addition to land, sea, air, and space, there is a fifth command: cyber.

The latest version of The Department of Defense’s Cyber Strategy has as its third strategic goal, “Be prepared to defend the US homeland and US vital interests from disruptive or destructive cyberattacks of significant consequence.”

There is already a well-established theater of operations where significant, destructive cyberattacks against SCADA systems have taken place.


In a 2012 report, the National Academy of Sciences called for more research to make the grid more resilient to attack and for utilities to modernize their systems to make them safer. Indeed, as society becomes increasingly reliant on the power grid and an array of devices are connected to the internet, security and protection must be a high priority.


Security startup finds stolen data on the 'Dark Web'


Finding stolen data on the Internet is often the first sign of a breach, and a Baltimore-based startup says it has developed a way to find that data faster and more securely.


The company is called Terbium Labs, named after a malleable, silver-gray element. CEO Danny Rogers and CTO Michael Moore say they’re taking a large scale, computational approach to finding pilfered data.

Terbium’s product, Matchlight, uses data fingerprinting techniques to create hashes of an organization’s data in fragments as small as 14 bytes. Only those hashes—which can’t be transformed back into the original data—are stored by Terbium.


The other major component of Terbium’s service is a massive private index of the so-called Dark and Deep Web, both terms for hard-to-find websites and crevices of the Internet where cybercriminals trade and sell data.


The hashes collected from companies by Terbium are then compared with data shared on the Web, “which is a way for us to automatically search for an element of the company’s data without actually knowing what that data is,” Rogers said.


“The number one concern for information security folks at these large enterprises is control and protection of the data, even from their own vendors,” he said. “So this allows them to search for things without having to reveal what those things are.”


Because the hashing and comparing is done in real time, the company said it can shorten the breach discovery time—which in some studies ranges up to six to eight months—down to minutes.


Companies can choose what applications or data stores they want Terbium to monitor. If Matchlight finds something similar on the Dark Web, it can score it, which gives an idea of how similar it may be to the company’s data.


Terbium spiders and indexes obscure parts of the Web, such as Tor hidden services, which are websites using the anonymity system to obscure the sites’ real IP addresses. Hidden sites are increasingly favored by hackers, as it makes it harder for law enforcement to track.


The indexing system naturally follows links posted within the Dark Web. “Where we’re looking at are places where people are leaking or are trying to monetize data,” Rogers said.


The company also monitors some mainstream sites at 30-second intervals such as Reddit, Pastebin and Twitter, which are also used by hackers.


Companies using Matchlight can get alerts when a piece of data is found. A fingerprint ID number can then be looked up to see what original data it corresponds to. Companies can then potentially start the breach mediation process, Rogers said.
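The fragment-hashing workflow described above, as an added example that is not Terbium's code: it fingerprints 14-byte sliding windows of a constructed customer export, scans constructed pages using only the hashes, and resolves an alerted hash back to the original fragment on the customer side. Plain SHA-256 over sliding windows is an assumption; the article does not say how Matchlight derives its fingerprints.

```python
"""Added example of fragment fingerprinting in the style the article attributes
to Matchlight: hash small fragments, keep only the hashes, compare hashes of
text found on the web. All data below is constructed; none of this is Terbium's."""
import hashlib
from typing import Dict, Optional

FRAGMENT_LEN = 14  # the smallest fragment size the article mentions


def fingerprint(data: bytes, fragment_len: int = FRAGMENT_LEN) -> Dict[str, int]:
    """Map the SHA-256 of every fragment_len-byte sliding window of `data` to the
    offset where it first occurs. Only the keys of this map leave the customer;
    the offsets stay local so an alert can later be resolved to plaintext."""
    if fragment_len <= 0:
        raise ValueError("fragment_len must be positive")
    fps: Dict[str, int] = {}
    for off in range(len(data) - fragment_len + 1):
        digest = hashlib.sha256(data[off:off + fragment_len]).hexdigest()
        fps.setdefault(digest, off)
    return fps


def scan(document: bytes, fps: Dict[str, int],
         fragment_len: int = FRAGMENT_LEN) -> dict:
    """Hash every window of a document found on the web and look the hashes up
    in the customer's fingerprint set. The scanner never sees customer plaintext.
    `score` is the fraction of the customer's fragments that were seen."""
    hits = set()
    first_hit: Optional[int] = None
    for off in range(len(document) - fragment_len + 1):
        digest = hashlib.sha256(document[off:off + fragment_len]).hexdigest()
        if digest in fps:
            hits.add(digest)
            if first_hit is None:
                first_hit = off
    score = len(hits) / len(fps) if fps else 0.0
    return {"matched": len(hits), "total": len(fps),
            "score": round(score, 4), "first_hit_offset": first_hit}


def resolve_alert(data: bytes, fps: Dict[str, int], digest: str,
                  fragment_len: int = FRAGMENT_LEN) -> bytes:
    """Customer-side lookup: turn an alerted fingerprint back into the original
    fragment using the locally kept offset (the hash itself cannot be inverted)."""
    off = fps[digest]
    return data[off:off + fragment_len]


# Constructed sample: a slice of an imaginary customer export (not real data).
CUSTOMER_EXPORT = (
    b"id,name,card_last4,email\n"
    b"1001,Ada Example,4242,ada@example.com\n"
    b"1002,Bob Sample,9876,bob@example.org\n"
)

# Constructed pages an indexer might see: one clean, one containing a leaked record.
CLEAN_PAGE = b"lorem ipsum dolor sit amet, nothing sensitive here at all\n"
LEAK_PAGE = b"dump part 3:\n1002,Bob Sample,9876,bob@example.org\nenjoy\n"


def demo() -> Dict[str, dict]:
    """Fingerprint the export once, then scan both constructed pages."""
    fps = fingerprint(CUSTOMER_EXPORT)
    return {"clean": scan(CLEAN_PAGE, fps), "leak": scan(LEAK_PAGE, fps)}


if __name__ == "__main__":
    print(demo())
```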


Over 4 billion people still have no Internet connection


The number of people using the Internet is growing at a steady rate, but 4.2 billion out of 7.4 billion will still be offline by the end of the year.

Overall, 35.3 percent of people in developing countries will use the Internet, compared to 82.2 percent in developed countries, according to data from the ITU (International Telecommunication Union). People who live in the so-called least developed countries will be the worst off by far: In those nations only 9.5 percent will be connected by the end of December.


This digital divide has resulted in projects such as the Facebook-led Internet.org. Earlier this month, Facebook sought to address some of the criticism directed at the project, including charges that it is a so-called walled garden, putting a limit on the types of services that are available.


Mobile broadband is seen as the way to get a larger part of the world’s population connected. There are several reasons for this. It’s much easier to cover rural areas with mobile networks than it is with fixed broadband. Smartphones are also becoming more affordable.

But there are still barriers for getting more people online, especially in rural areas in poor countries.


The cost of maintaining and powering cell towers in remote, off-grid locations, combined with lower revenue expected from thinly spread, low income populations, are key hurdles, according to the GSM Association. Other barriers include taxes, illiteracy and a lack of content in local languages, according to the organization.


At the end of 2015, 29 percent of people living in rural areas around the world will be covered by 3G. Sixty-nine percent of the global population will be covered by a 3G network. That’s up from 45 percent four years ago.


The three countries with the fastest broadband speeds in the world are South Korea, France and Ireland, and at the bottom of the list are Senegal, Pakistan and Zambia, according to the ITU.


Lenovo Patches Critical PC Flaws


Lenovo issued an emergency patch to fix flaws in software that it preinstalls on many of its Windows PCs after security researchers warned that it contained vulnerabilities that attackers could use to remotely seize control of systems.


The vulnerabilities affect the Lenovo System Update software - version 5.6.0.27 and before - which was previously known as ThinkVantage System Update. The Chinese PC manufacturer says the vulnerable software may be present on its ThinkPad, ThinkCentre and ThinkStation laptops and tablets, as well as Lenovo V/B/K/E Series devices.


The flaws were discovered by IOActive security researchers Michael Milvich and Sofiane Talmat in February, after which they alerted Lenovo and helped it prepare related fixes, which Lenovo released in April. But the researchers' findings were only made public this week.


One flaw, rated critical by the IOActive researchers, centered on a "race condition," in which attackers could have System Update verify that an executable file was legitimate, and then substitute a malicious executable. "Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation," Lenovo warns in a related security advisory.
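The check-then-use race described above, as an added example that is neither Lenovo's nor IOActive's code: an HMAC over the file bytes with a constructed key stands in for the vendor's signature check, and a callback simulates the window in which local malware rewrites the downloaded file. The hardened variant verifies and executes the same in-memory bytes, so the swap no longer matters.

```python
"""Added example: a time-of-check/time-of-use race in an updater, beside a
pattern that closes it. The signing scheme and payloads are constructed stand-ins,
not Lenovo System Update's actual mechanism."""
import hashlib
import hmac
import os
import tempfile
from typing import Callable, Optional

# Constructed key standing in for the publisher's signing key (assumption).
PUBLISHER_KEY = b"constructed-demo-signing-key"

GENUINE_UPDATE = b"MZ...genuine update payload (constructed)"
TROJANED_UPDATE = b"MZ...locally substituted payload (constructed)"


def sign(payload: bytes) -> bytes:
    """Stand-in for the publisher's signature: HMAC-SHA256 over the file bytes."""
    return hmac.new(PUBLISHER_KEY, payload, hashlib.sha256).digest()


def signature_valid(payload: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(payload), signature)


def racy_install(path: str, signature: bytes,
                 during_window: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Vulnerable pattern: verify the file on disk, then re-open it to run it.
    Returns the bytes that would be executed, or None if verification failed."""
    with open(path, "rb") as f:
        checked = f.read()
    if not signature_valid(checked, signature):
        return None
    if during_window:            # the gap between check and use
        during_window()
    with open(path, "rb") as f:  # second read trusts whatever is on disk now
        return f.read()


def safe_install(path: str, signature: bytes,
                 during_window: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Hardened pattern: read once, verify those bytes, execute those same bytes.
    A later rewrite of the file cannot change what runs."""
    with open(path, "rb") as f:
        checked = f.read()
    if not signature_valid(checked, signature):
        return None
    if during_window:
        during_window()
    return checked


def demo() -> dict:
    """Run both patterns against a file that a local process swaps mid-install."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "update.exe")
        sig = sign(GENUINE_UPDATE)

        def write_genuine() -> None:
            with open(path, "wb") as f:
                f.write(GENUINE_UPDATE)

        def swap_in_trojan() -> None:
            with open(path, "wb") as f:
                f.write(TROJANED_UPDATE)

        write_genuine()
        racy = racy_install(path, sig, during_window=swap_in_trojan)
        write_genuine()
        safe = safe_install(path, sig, during_window=swap_in_trojan)
        # A file altered before the check is rejected by both patterns.
        swap_in_trojan()
        rejected = racy_install(path, sig) is None and safe_install(path, sig) is None
    return {"racy_executed_trojan": racy == TROJANED_UPDATE,
            "safe_executed_genuine": safe == GENUINE_UPDATE,
            "pre_check_tamper_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```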


To fix the flaws, users should update to version 5.06.0034 or later of Lenovo's software, which includes related patches. "Lenovo System Update automatically checks for a [new] version whenever the application is run," the company's security advisory says. "Click OK when prompted that new version is available." Alternately, users can download updates manually.

Follows Superfish

The security alert follows revelations in February that Lenovo, which is the world's largest PC manufacturer, had been preinstalling adware called Superfish on many of its PCs. Numerous security experts warned that the adware put users at risk because of the insecure manner in which it used digital certificates to intercept and decrypt otherwise encrypted Internet traffic.


Now, security experts are expressing dismay that yet more flaws have been found in Lenovo's preinstalled software. "Lenovo has been found wanting again on the security front," information security expert Alan Woodward, a professor at Surrey University, tells the BBC. Following on the Superfish debacle, he said Lenovo was demonstrating a "lamentable record for security."


While Lenovo initially defended Superfish - as a feature - it later backed off and began working with security firms to delete the software. The manufacturer also promised that beginning with new devices running the forthcoming Windows 10 operating system it would include only essential operating system and related software, including hardware drivers, security software and Lenovo's own applications, with a spokeswoman saying they would be free from "what our industry calls 'adware' and 'bloatware.'"

Predictable Security Tokens

While Superfish adware was preinstalled on many consumer-focused Lenovo systems, the new vulnerabilities are largely present on business-oriented machines.


Furthermore, Lenovo's System Update software is powerful, in that it will execute any code that it receives, for example to update the Windows operating system. Such functionality would be useful to attackers, of course, if they could trick it into installing malicious code. If that attack was successful, then the attackers could install a backdoor, execute malware that steals data stored on the device, and take full control of the machine.


To guard against that, the System Update software requires any client that attempts to connect to the service to authenticate itself, using a security token. "Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions," the IOActive researchers say about the previous version of System Update. "As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed." Lenovo's patch, however, fixes that problem.

Another Flaw Patched

Another problem present in previous versions of the Lenovo System Update software was a failure to conduct complete security checks on executable code.


"As a security measure, Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them," the IOActive researchers said in their vulnerability warning. As before, this flaw was patched by Lenovo in April.

In particular, the Lenovo software did not fully validate the certificate authority chain. As a result, an attacker could create a fake certificate authority, use it to sign a malicious executable, and then fool the System Update software into executing it.


For example, per the "classic coffee shop attack," a related man-in-the-middle attack could be launched if the attacker was connected to the same WiFi network as a vulnerable Lenovo PC, the researchers say. "The System Update uses TLS/SSL to secure its communications with the update server, which should protect against 'coffee shop' style attacks," they add.


But that protection was contingent on the Lenovo software correctly handling digital certificates, which it was not. "Lenovo - like Fandango, Kredit Karma, and an estimated 40 percent or more of mobile application developers - were not able to validate if certificates were from a trusted authority," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, which develops software to secure and protect cryptographic keys and digital certificates. "As this vulnerability shows, if you can compromise certificates, other security controls break down. With a compromised or forged certificate, you can masquerade as a trusted service, hide [via] encryption, and go undetected."


Again, however, Lenovo and IOActive report that all of the above flaws have now been patched.



Law Banning Default Encryption Unlikely


Laws rarely, if ever, keep up with technology, but even if they could, the consequences could prove more harmful than the benefits.

That was evident at an April 29 hearing of the House Oversight and Government Reform Subcommittee on Information Technology that addressed the encryption - and security - of mobile devices.



Here's the problem the panel addressed that faces law enforcement: Encryption is the default setting for new Apple iPhone and Google Android mobile devices, meaning that law enforcement cannot gain access to encrypted data on the devices even if they have a search warrant. To gain access, the manufacturers would have to create a so-called "backdoor," and give law enforcement a special key to decrypt data on mobile devices. Without such a key, law enforcement could gain access only with the permission of the devices' owners, an unlikely scenario if the encrypted data contains incriminating evidence.

"We call it 'going dark,' and it means that those charged with protecting the American people aren't always able to access the information necessary to prosecute criminals and prevent terrorism even though we have lawful authority to do so," FBI Executive Assistant Director Amy Hess told lawmakers.

Backdoor Benefits

Hess furnished the subcommittee with examples of how accessing data enabled forensics experts to solve crimes, including kidnapping, false rape accusation and murder.


"Today's encryption methods are increasingly more sophisticated, and pose an even greater challenge to law enforcement," she said. "We are seeing more and more cases where we believe significant evidence resides on a phone, a tablet or a laptop - evidence that may be the difference between an offender being convicted or acquitted - but we cannot access it."


Advocates of giving law enforcement a backdoor key include President Obama and FBI Director James Comey. At the Congressional hearing, Suffolk County (Mass.) District Attorney Daniel Conley voiced strong support: "The Fourth Amendment allows law enforcement access to the places where criminals hide evidence of their crimes, once the legal threshold has been met," Conley testified. "In decades past, these places were car trunks and safety deposit boxes; today they are computers and smartphones."

Questioning Motives of Apple, Google

Conley dismissed Apple's and Google's contention that the default encryption they offer on their devices safeguards consumers' privacy.

"Their nominal commitment to privacy rights would be far more credible if they were forbidding themselves access to their customers' interests, search terms and consumer habits, but as we all know, that's not a step they're willing to take," Conley said. "Instead, they're taking full advantage of their customers' private data for commercial purposes while building an impenetrable barrier around evidence in legitimate, court-authorized criminal investigations."


Hess and Conley make a somewhat sound argument. After all, police, with the proper court order, can break into filing cabinets to retrieve evidence. But the rules of the physical world don't always translate well into the virtual one. And other witnesses at the hearing made more compelling arguments for why creating an electronic backdoor is a very bad idea.


"Unfortunately, harsh technical realities make such an ideal solution [a backdoor] effectively impossible, and attempts to mandate one would do enormous harm to the security and reliability of our nation's infrastructure, the future of our innovation economy and our national security," said cryptographer Matthew Blaze, an associate professor of computer and information science at the University of Pennsylvania. "We just can't do what the FBI is asking without weakening our infrastructure."

Undermining U.S. Cybersecurity

Providing a backdoor would undermine America's cybersecurity. "While the FBI would have us believe that law enforcement alone will be privy to our sensitive data, history demonstrates that bad actors will always be ahead of the curve and find an avenue to manipulate those openings," said Jon Potter, president of Application Developers Alliance, a trade group. "As one well-regarded cryptographer said, 'You can't build a backdoor that only the good guys can walk through.'"

Creating a backdoor could potentially cost the American economy billions of dollars in lost business. Kevin Bankston, policy director of the think tank New America's Open Technology Institute, says a backdoor would give foreign users, including corporations and governments that especially rely on the security of technologies, even more incentive to avoid American wares and turn to foreign competitors. "To put it bluntly," he said, "foreign customers will not want to buy or use online services, hardware products, software products or any other information systems that have been explicitly designed to facilitate backdoor access for the FBI or the NSA."

Encryption Mitigates Risks

But the most compelling argument for retaining default encryption that's beyond the reach of law enforcement is that it makes everyone safer, especially on smartphones. "The vast amount of personal information on those devices makes them especially attractive targets for criminals aiming to commit identity theft or other crimes of fraud, or even to commit violent crimes or further acts of theft against the phone's owner," Bankston said.


"By taking this step for their customers and turning on encryption by default," he said, "mobile operating system vendors have completely eliminated the risk of those crimes occurring, significantly discouraged thieves from bothering to steal smartphones in the first place, and ensured that those phones' contents will remain secure even if they are stolen."


It's an argument that can persuade even the most ardent supporters of law enforcement and intelligence agencies. The subcommittee's chairman - freshman Republican William Hurd of Texas, a former undercover CIA agent and cybersecurity strategist - concluded the hearing by opposing offering law enforcement a backdoor. "I hold everyone in law enforcement and the intelligence community to a higher standard," he said. "Upholding civil liberties and civil rights are not burdens. They make all of us safer and stronger."



House Expected To Pass Cybersecurity Bill, Indemnifying Companies That Share Breach Data


The House is expected to pass a bill Wednesday that is intended to compel private companies to give investigators access to their computer records and networks in the event of a data breach. The bill has been in the making for years, and comes after a series of embarrassing, high-profile hacks at companies such as Sony and Anthem health insurance.


The vote, which coincides with that for a similar Senate bill, is an assertive response from the federal government after major intrusions have resulted in a delayed movie release, lost credit card information, stolen medical records and a shaken faith in corporate America’s ability to protect itself online. Yet debate over the House bill has raised concerns from privacy and transparency advocates, including initial resistance from President Barack Obama and prominent congressional Democrats.


The House bill provides hacked companies with legal liability protection if they share sensitive information with the government. Privacy advocates demanded, and obtained, assurances under this provision that require data to undergo two rounds of scrubbing -- the removal of personal information -- when they're turned over to a government agency. The data will not be sent to the National Security Agency or the Department of Defense first, though it could ultimately end up there.

The privacy changes were enough to win over prominent Democrats, with Obama expected to sign a modified version of the House and Senate bills. Yet the White House still expressed reservations in a statement Tuesday, suggesting that the liability protections that are meant to protect companies from penalties that come with unauthorized use of customer data go too far.


“Appropriate liability protections should incentivize good cybersecurity practices and should not grant immunity to a private company for failing to act on information it receives about the security of its networks,” the White House said. Overly broad liability protections might “remove incentives for companies to protect their customers’ personal information and may weaken cybersecurity writ large,” the statement went on.



House Panel Passes Cyberthreat Info Sharing Bill


After beating back amendments by Democratic members to limit liability protections for businesses, the House Homeland Security Committee on April 14 unanimously approved cyberthreat information sharing legislation on a voice vote.


The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to the full House, where differences with another cyberthreat information sharing measure approved by the House Intelligence Committee last month will be worked out. House leaders indicated that the full House could vote on cyberthreat information sharing legislation as early as next week.


In the Senate, a version of its cyberthreat information sharing bill could come up for a vote shortly. Senate Majority Leader Mitch McConnell included the Cybersecurity Information Sharing Act passed last month by the Senate Intelligence Committee as among several bipartisan bills that the Senate is "working hard to advance."


The National Cybersecurity Protection Advancement Act of 2015, approved by the House Homeland Security Committee, provides many of the privacy and civil liberties protections sought by President Obama that were absent in earlier versions of cyberthreat information sharing legislation, which passed the House in the two previous congresses and which the White House had threatened to veto.

Limits Placed on Shared Data

The House committee approved one amendment that explicitly states that shared cyberthreat information processed through the National Cybersecurity and Communications Integration Center - known as NCCIC, the Department of Homeland Security portal - could not be used for law enforcement or intelligence purposes. Civil liberties groups have raised concerns that some cyberthreat information sharing bills could allow the use of collected cyberthreat data to spy on Americans, violating their privacy and liberties.


The legislation would require private companies to remove personally identifiable information unrelated to the cybersecurity risk before sharing information with the NCCIC or other private entities. It would also require the NCCIC to conduct a second scrub and destroy any personal information that is unrelated to the cybersecurity risk before further sharing with other government agencies or private organizations.


The aim of the cyberthreat information sharing legislation is to encourage businesses and other private organizations to voluntarily share threat data with the government and other businesses to mitigate damaging cyber-attacks. But some businesses are reluctant to share the information unless they are protected from legal actions, which led to the various provisions that offer liability protections.

Liability Provisions Remain Intact

The Democratic minority on the House Homeland Security Committee, along with the Obama administration, contend that the liability protections offered to businesses in the committee's bill were too broad, providing legal protections when not warranted. An amendment offered by Rep. Cedric Richmond, D-La., would have removed liability protection for businesses that received threat data but failed to act on it. "If you abide by the provisions of this act," Richmond said, "then you're exempt from liability. It's just that simple. Instead of adding all these other concepts to the liability language, if we take the time to pass a bill and you abide by it, you have liability exemption. If you don't, then you don't have exemption."


But the bill's cosponsor, Republican Rep. John Ratcliffe of Texas, said the broader liability protections in the bill are aimed to get the greatest number of businesses to participate in cyberthreat information sharing. "Stakeholders are concerned about putting their customers or consumers at risk, and their information at risk; they're concerned about exposing their own sensitive business information by sharing," Ratcliffe said. "And, they're also concerned about possibly violating federal privacy laws. Having strong liability protection is going to be absolutely critical and vital to the success of this bill, and the phraseology in this bill is absolutely critical and essential to that point."

The bill originally provided liability protection for businesses that conducted their network security awareness in "good faith," but the committee voted to excise those words from the measure because, as McCaul noted, the term is too ambiguous and could lead to confusion in enforcing the measure should it become law.

Awaiting Word from White House

The White House has not said whether it would support or veto any of the cyberthreat information sharing bills winding their way through Congress. Statements of Administration Policy, such as the ones containing the earlier veto threats, usually are issued shortly before one of the chambers is set to vote on the legislation.

After the committee vote, the Financial Services Roundtable called for swift floor action on the legislation. "Congressional action to better protect consumers from cyber-attacks is long overdue," said Tim Pawlenty, CEO of the Roundtable, a financial services industry advocacy group. "We applaud the House for addressing gaps in our nation's cybersecurity laws and urge both chambers of Congress to quickly put a bill on the president's desk."

Windows PCs remained vulnerable to Stuxnet-like attacks despite 2010 patch

If you patched your Windows computers in 2010 against the LNK exploit used by Stuxnet and thought you were safe, researchers from Hewlett-Packard have some bad news for you: Microsoft’s fix was flawed.

In January, researcher Michael Heerklotz reported privately to HP’s Zero Day Initiative (ZDI) that the LNK patch released by Microsoft over four years ago can be bypassed.

This means that over the past four years attackers could have reverse-engineered Microsoft’s fix to create new LNK exploits that could infect Windows computers when USB storage devices got plugged into them. However, there’s no information yet to suggest this has happened.

The original attack, which exploited a vulnerability in how Windows displayed icons for shortcut (LNK) files, was used to spread Stuxnet, a computer worm that sabotaged uranium enrichment centrifuges at Iran’s nuclear facility in Natanz.

Stuxnet, which is believed to have been created by the U.S. and Israel, was discovered in June 2010 after it spread beyond its intended target and ended up infecting tens of thousands of computers around the world. The LNK vulnerability, tracked as CVE-2010-2568, was one of several zero-day, or previously unknown, flaws that Stuxnet exploited. Microsoft patched the flaw in August that same year as part of a security bulletin called MS10-046.

“To prevent this attack, Microsoft put in an explicit whitelist check with MS10-046, released in early August 2010,” the HP researchers said in a blog post Tuesday. “Once that patch was applied, in theory only approved .CPL files should have been able to be used to load non-standard icons for links.”

“The patch failed,” they said. “And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.”

ZDI reported the LNK patch bypass found by Heerklotz to Microsoft, which treated it as a new vulnerability (CVE-2015-0096) and fixed it Tuesday as part of MS15-020. The ZDI researchers plan to examine the new update to see if there are any other possible bypasses.

However, applying the workaround published by Microsoft in 2010, which involves using the registry editor to manually disable the display of icons for shortcut files, will protect against the latest flaw too, they said.

While the LNK attack was first discovered as part of Stuxnet, security researchers from Kaspersky Lab recently found that another computer worm, called Fanny, had used it since 2008. Fanny is part of a malware arsenal used by a highly sophisticated cyberespionage group that Kaspersky has dubbed Equation.

As revealed by a Kaspersky Lab report in August 2014, exploitation of the original CVE-2010-2568 vulnerability remained widespread even after the Microsoft patch in 2010, primarily because the exploit was integrated in more common threats like the Sality worm. From July 2010 to May 2014, Kaspersky Lab detected over 50 million instances of the CVE-2010-2568 exploit on more than 19 million computers worldwide.

Apple Spending $2 Billion to Build Two New Data Centers in Europe

Apple announced on Monday that it will invest €1.7 billion to build and operate two new data centers in Europe. The state-of-the-art facilities will be located in County Galway, Ireland and the Central Jutland Region of Denmark, powering Apple's online services such as the App Store, iTunes Store, iMessage, Maps and Siri for European customers.

“We are grateful for Apple’s continued success in Europe and proud that our investment supports communities across the continent,” said Tim Cook, Apple’s CEO. “This significant new investment represents Apple’s biggest project in Europe to date. We’re thrilled to be expanding our operations, creating hundreds of local jobs and introducing some of our most advanced green building designs yet.”

The data centers will be powered by 100% clean and renewable energy sources, with each having the lowest environmental impact yet for any Apple data center. Apple will also work with local partners to develop additional renewable energy projects derived from wind and other sources for future usage.

“We believe that innovation is about leaving the world better than we found it, and that the time for tackling climate change is now,” said Lisa Jackson, Apple’s vice president of Environmental Initiatives. “We’re excited to spur green industry growth in Ireland and Denmark and develop energy systems that take advantage of their strong wind resources. Our commitment to environmental responsibility is good for the planet, good for our business and good for the European economy.”

The 166,000-square-meter data centers are expected to begin operations by 2017 and help support nearly 672,000 jobs in Europe, a large portion of which relate to the development of iOS apps. Apple claims that developers have earned more than €6.6 billion through app sales since the App Store launched in 2008.

How the NSA’s Firmware Hacking Works and Why It’s So Unsettling

One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—“surpasses anything else” they had ever seen.

The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named “nls_933w.dll”, is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered.

It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don’t get encrypted.

Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption.

Here’s what we know about the firmware-flashing module.

How It Works

Hard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides.

When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one.

The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug and one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system.

Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one.

The attack works because firmware was never designed with security in mind. Hard disk makers don’t cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don’t examine it. There’s also no easy way for users to read the firmware and manually check if it’s been altered.

The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba.

“You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works,” Raiu says.

The Kaspersky researchers have called it “an astonishing technical accomplishment and is testament to the group’s abilities.”

Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive disk where the hard disk stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn’t get much play when the story broke last week, but it’s the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there’s still a lot that’s unknown about the attack, but some of it can be surmised.

The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal.

This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they’re unencrypted and save them to this hidden area on the machine that doesn’t get encrypted.

There isn’t much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally as valuable to bypass encryption.

“Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area,” Raiu says.

Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls “customs opportunities,” and extract the password from this hidden area to unlock the encrypted disk.

Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications.

“[The owners] only use it in some very specific cases where there is no other way around it,” Raiu says. “Think about Bin Laden who lived in the desert in an isolated compound—doesn’t have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific.”

Raiu thinks, however, that the attackers have a grander scheme in mind. “In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs.”

They wouldn’t need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage.

Luckily for them, it exists. There are large sectors in the service area of the hard drive disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate drives, but it also contains large portions of unused space.

An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted “not only that these areas can’t be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools.”

Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area, but only uses 12 MB of this, leaving the rest free for stealth storage.

To write or copy data to the service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, “[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible,” Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail.

One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there’s only 80 MB, it’s a dead giveaway that something is there that shouldn’t be.

But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.
Every internet-connected device is a potential privacy risk

Samsung has caused controversy with the revelation its voice-recognition system enables internet TVs to collect sounds and send them to a third party, including any sensitive information you might happen to talk about in front of the box.

While this warning is alarming for the privacy-conscious, it's a microcosm of a much larger threat that many in the consumer security business have been warning against, and one you can expect to hear about more often.

Devices that require personal input and the collection of personal data to function — be it via voice, camera, location or otherwise — have been a part of our lives for years, and are only increasing.

Here is a list of some of the household and personal items snooping on you:

Smartphones

A small box that can collect location data, detect motion, store audio and video, and keep track of your online activities, your phone provides a way for most of your apps and services to "listen in" on you in one way or another, not to mention a microphone which researchers have manipulated to spy.


You can easily control when a Samsung Smart TV will and will not collect voice data, the company says.

Apple's Siri, for example, functions almost identically to Samsung's voice recognition.

These services rely on a dedicated voice-recognition service somewhere in the cloud to take your complex requests and queries, translate them into understandable text, and send them back to your phone or TV.

While they may not be actively listening 24 hours a day, at the very least they are monitoring the microphone's feed in expectation of a command.

Video game consoles

Microsoft's Xbox One and its attached Kinect sensor work the same way, but add video to the mix as well. Kinect keeps track of the people in a room so it can detect who's present and load their preferences accordingly, or zoom and pan the camera to make sure everybody is in frame during a Skype call.

Microsoft faced backlash in 2013 for its zealous attitude toward collecting data from Kinect (which eventually forced it to dial back its plans) and, coincidentally in the same year, LG landed in some strife for a voice-activated TV that was found to send voice recordings online.


The Smarter Wi-Fi Coffee Machine. It knows when you wake up or when you're likely to get home so it can greet you with sweet caffeine. Photo: Smarter

Coffee machines and air conditioners

A device that "listens" before using the internet to provide us with a service is not a new idea. The trigger for controversy, it seems, is the revelation that a device could do that without us explicitly telling it to. Yet this is the cornerstone of many devices and services we use every day (including web browsers, social media, smart public transport cards, Google Now etc) and will continue to be so as we move towards the all-connected "internet of things". 

A connected coffee-maker, for example, collates data about when you're home so it knows when to make coffee. Ditto for connected air conditioners. Both devices are soon to be (or already are) on the market, and necessarily "listen in" on your life and activities, collecting data on you so they can do their job. LG already has a voice-command air conditioner that literally "listens in", cooling the room if you yell out that it's too hot.


Your phone provides data on your movements, purchases, preferences, searches, and communications to countless apps and services. Photo: Reuters

Is this form of data collection really so scary considering the reams of information we already gladly hand over to the companies that provide our email, maps or ride-share services? Are we really concerned about Samsung's microphones in our house and fine with the microphone, GPS and camera we take around in our pocket literally every day?

A common piece of advice when it comes to the internet is "if you don't want the whole world to hear about it, don't say it online". Increasingly, we not only have to apply this test to emails and Facebook messages but to the data we allow our appliances and devices to collect as well. If it's connected to the internet, assume this data is being transmitted online.

Some privacy-minded folks advocate active avoidance, keeping the use of these devices to a minimum, disabling settings or placing a piece of sticky tape over your device's data-collecting apparatus.

Others take pride in their old-school Nokia phones, dumb TVs and ability to "stay off the grid".

But most of us give up information about ourselves constantly because it gives us access to incredible conveniences and technology, and we can't have our cake and eat it too.

Yes, companies like Samsung and Apple and Microsoft must be transparent about what they do with our data, and to whom they give it. But if the last year or so of data breaches, wide-scale hacks and government snooping has taught us anything, it's that no data stored or transmitted online is safe from prying eyes.

In the end we have no absolute control over where our data goes.

The best we can do is be informed about what data our devices are collecting, and if you really don't want something transmitted online, take Samsung's advice and don't say it where an internet-connected TV can hear you.