IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
New Android 'Certifi-gate' Bug Found


Following the news of the discovery of the Stagefright flaw - characterized by many security researchers as the worst vulnerability ever to be found on devices that run Google's Android operating system - details of yet another major flaw in Android were unveiled August 6 at the Black Hat conference in Las Vegas.


But Google and some original equipment manufacturers have finally promised that they will soon begin releasing monthly platform and security updates for some Android devices, to better safeguard users against such vulnerabilities.


Security vendor Check Point Software Technologies says the new flaw, which it has dubbed "Certifi-gate," is due to components present in the Android operating system that are digitally signed, but vulnerable to attack, and that these flaws could be "very easily exploited" to gain full, unrestricted access to vulnerable devices. As the result of a successful attack, accordingly, attackers could infect the devices with malware, exfiltrate data, remotely activate and monitor microphones or built-in cameras, and track the device's location.


"Certifi-gate is a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugins on a device," Check Point says in a blog post. "[These apps] allow remote personnel to offer customers personalized technical support for their devices by replicating a device's screen and by simulating screen clicks at a remote console."


Check Point says the vulnerabilities are present in hundreds of millions of Android devices, including smartphones and tablets manufactured by HTC, LG, Samsung and ZTE. It says the flaw affects a number of versions of the Android OS, including the latest Android "Lollipop" versions 5.0 and 5.1. The security firm says it has notified Google and all affected manufacturers, and that some related updates are starting to be released. Check Point also launched a free tool - the Check Point Certifi-gate Scanner - that will scan an Android device for the presence of the flaw.


Google did not respond to a request for comment about the flaw or related patches. But Check Point says that the vulnerable Android components' certificates cannot be remotely revoked by OEMs, and that they will have to issue a new, patched version of Android for each device they still support. But while some vendors patch quickly, others have been slow to release fixes - if at all.

Coming Soon: Stagefright Fixes

Google has long maintained Android as an open source project, and stated that it is up to manufacturers and carriers to decide how or if they will patch their own devices. The only exception to that approach has been the Nexus range of devices, which Google manufactures, and which run a stock version of Android.


But the severity of the Stagefright flaw - and many equipment manufacturers' and carriers' slow or nonexistent patching practices - has triggered serious existential questions about the future of the Android operating system, including whether enterprises should now begin treating unpatched Android devices as a security threat and blocking them.


Appearing to respond to such criticism, Google this week reported that many manufacturers - including Samsung, HTC, LG, Sony, Android One and Google's own Motorola - will begin releasing Stagefright patches later this week. In an Aug. 5 blog post Adrian Ludwig, lead engineer for Android Security, and Venkat Rapaka, director of Nexus product management, reported that patches were already starting to be released for all devices from Nexus 4 to 10, as well as Nexus Player. "This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues," they said. "At the same time, the fixes will be released to the public via the Android Open Source Project."

The same day, speaking at Black Hat, Ludwig also promised that OEMs will soon begin releasing related fixes. "My guess is that this is the single largest software update the world has ever seen," Ludwig said. "Hundreds of millions of devices are going to be updated in the next few days. It's incredible."

Some Monthly Android Patches Promised

But the need for Google to rally manufacturers for a one-off fix for such a serious flaw also highlights how existing approaches too often fail to put fixes for critical bugs on users' devices, at least in a timely manner. Finally, responding to years of criticism from security experts over the paucity of patches for Android devices, Samsung and LG have promised to implement monthly patch updates for their Android devices, as has Google with its Nexus line.


"Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store," Ludwig and Rapaka say in their blog post.


The move echoes a similar monthly patch-release strategy introduced by Microsoft for Windows, beginning in October 2003, to combat the rise in serious vulnerabilities found in its operating system.

Samsung and LG have also promised to release monthly patches, although they have not stated how long they will support devices after they have been released. "With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," says Dong Jin Koh, who leads the mobile research and development group at Samsung Electronics, which makes the popular Galaxy series of smartphones and tablets, amongst other devices that run Android. "Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected."


Likewise, an LG spokeswoman says in a statement that "LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately" and that "we believe these important steps will demonstrate to LG customers that security is our highest priority." What is not clear, however, is how quickly carriers might then distribute those fixes to their subscribers.


Apple Obtains Touch ID-Related Patents From Biometric Security Firm Privaris


Apple has been working to acquire the intellectual property assets of Charlottesville, Virginia-based biometric security firm Privaris, according to CNN. Privaris recently transferred 26 of its 31 patents to the iPhone maker, including 4 patents in December 2012 and dozens more in October 2014.

The patents are primarily related to fingerprint and touchscreen technology that could lead to Touch ID improvements on future devices. Last February, well-informed KGI Securities analyst Ming-Chi Kuo told investors that the next iPhone will have an improved Touch ID with reduced errors.


"For example, one of Privaris' patents covers the ability to use a touchscreen and fingerprint reader at the same time. Another invention of Privaris' could allow you to open a door with your iPhone by scanning your fingerprint and holding your phone up to a reader, similar to how you pay for items with Apple Pay."


While the transferred patents have fueled acquisition rumors, the Privaris website has not been updated since 2010 and seemingly none of the company's senior executives or other employees have updated their LinkedIn profiles with positions at Apple. 

Accordingly, it is more likely that Privaris has scaled down or went out of business and Apple has acquired the company's patent portfolio and other intellectual property. However, the possibility of an acquisition cannot be entirely ruled out. 

Privaris, which reportedly raised $29 million in funding, developed a lineup of PlusID personal biometric devices to access computers, networks, websites, software, VPNs, secured printers and online apps. 

The company has also offered several other products and services related to access control systems, fingerprint authentication, biometric computer security, biometric security software and access cards, all technologies that fall within the realm of Touch ID. 


Security startup finds stolen data on the 'Dark Web'


Finding stolen data on the Internet is often the first sign of a breach, and a Baltimore-based startup says it has developed a way to find that data faster and more securely.


The company is called Terbium Labs, named after a malleable, silver-gray element. CEO Danny Rogers and CTO Michael Moore say they’re taking a large-scale, computational approach to finding pilfered data.

Terbium’s product, Matchlight, uses data fingerprinting techniques to create hashes of an organization’s data in fragments as small as 14 bytes. Only those hashes—which can’t be transformed back into the original data—are stored by Terbium.


The other major component of Terbium’s service is a massive private index of the so-called Dark and Deep Web, both terms for hard-to-find websites and crevices of the Internet where cybercriminals trade and sell data.


The hashes collected from companies by Terbium are then compared with data shared on the Web, “which is a way for us to automatically search for an element of the company’s data without actually knowing what that data is,” Rogers said.


“The number one concern for information security folks at these large enterprises is control and protection of the data, even from their own vendors,” he said. “So this allows them to search for things without having to reveal what those things are.”


Because the hashing and comparing is done in real time, the company said it can shorten the breach discovery time—which in some studies ranges up to six to eight months—down to minutes.


Companies can choose what applications or data stores they want Terbium to monitor. If Matchlight finds something similar on the Dark Web, it can score it, which gives an idea of how similar it may be to the company’s data.


Terbium spiders and indexes obscure parts of the Web, such as Tor hidden services, which are websites using the anonymity system to obscure the sites’ real IP addresses. Hidden sites are increasingly favored by hackers, as they make it harder for law enforcement to track them.


The indexing system naturally follows links posted within the Dark Web. “Where we’re looking at are places where people are leaking or are trying to monetize data,” Rogers said.


The company also monitors some mainstream sites that hackers use, such as Reddit, Pastebin and Twitter, at 30-second intervals.


Companies using Matchlight can get alerts when a piece of data is found. A fingerprint ID number can then be looked up to see what original data it corresponds to. Companies can then potentially start the breach remediation process, Rogers said.
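To make the fingerprint-and-compare idea concrete, the following is an added illustration written for this page; it is not Terbium's code, and the page gives no detail of Matchlight's actual algorithm. It hashes every 14-byte sliding window of a constructed patient-record line with SHA-256, keeps only those hashes, scans a constructed "paste" for windows whose hash is known, scores how much of the paste matches, and shows the owner-side lookup from a fingerprint ID back to the original fragment. The sample record, the sample paste, the fixed window size and the use of plain SHA-256 are all assumptions made for the example.

```python
"""Added example: sliding-window data fingerprinting for breach detection.

Not Terbium's code. The data owner computes hashes of short fragments and
hands only the hashes to a scanner; the scanner hashes text it finds and
reports matching fingerprint IDs, which only the owner can map back to data.
"""
import hashlib
from typing import Dict, List, Tuple

FRAGMENT_LEN = 14  # window size; the page quotes fragments "as small as 14 bytes"

# Constructed sample data (not real): a fake patient-record line.
SAMPLE_RECORD = b"MRN 0000123 SMITH, JOHN DOB 1970-01-01"


def fragment_hash(fragment: bytes) -> str:
    """SHA-256 digest of one fragment; this string is the fingerprint ID."""
    return hashlib.sha256(fragment).hexdigest()


def fingerprint(data: bytes, frag_len: int = FRAGMENT_LEN) -> Dict[str, int]:
    """Owner side: hash every frag_len-byte sliding window of data.

    Returns {fingerprint_id: offset}. Only the keys need to leave the
    organization; the offsets stay with the owner for later lookup.
    """
    prints: Dict[str, int] = {}
    for i in range(len(data) - frag_len + 1):
        prints.setdefault(fragment_hash(data[i:i + frag_len]), i)  # first offset wins
    return prints


def scan(candidate: bytes, prints: Dict[str, int],
         frag_len: int = FRAGMENT_LEN) -> List[Tuple[int, int]]:
    """Scanner side: (candidate_offset, original_offset) for each known window."""
    hits: List[Tuple[int, int]] = []
    for i in range(len(candidate) - frag_len + 1):
        h = fragment_hash(candidate[i:i + frag_len])
        if h in prints:
            hits.append((i, prints[h]))
    return hits


def similarity_score(candidate: bytes, prints: Dict[str, int],
                     frag_len: int = FRAGMENT_LEN) -> float:
    """Fraction (0.0 .. 1.0) of the candidate's windows that match a stored fingerprint."""
    windows = len(candidate) - frag_len + 1
    if windows <= 0:
        return 0.0
    return len(scan(candidate, prints, frag_len)) / windows


def lookup(fingerprint_id: str, prints: Dict[str, int], original: bytes,
           frag_len: int = FRAGMENT_LEN) -> bytes:
    """Owner side: map a reported fingerprint ID back to the original fragment."""
    offset = prints[fingerprint_id]
    return original[offset:offset + frag_len]


if __name__ == "__main__":
    prints = fingerprint(SAMPLE_RECORD)
    # Constructed "paste" containing the record verbatim, with unrelated text around it.
    leaked = b"dump: " + SAMPLE_RECORD + b" ok"
    hits = scan(leaked, prints)
    print(len(hits), "matching windows, score", round(similarity_score(leaked, prints), 3))
    first_id = fragment_hash(leaked[hits[0][0]:hits[0][0] + FRAGMENT_LEN])
    print("first hit decodes to:", lookup(first_id, prints, SAMPLE_RECORD))
    print("unrelated text score:", similarity_score(b"nothing to see here, move along", prints))
```

A practitioner's caveat on the "can't be transformed back" claim: the digest of a 14-byte fragment of structured data (names, dates, identifiers) is not irreversible in practice, because anyone who can guess the record format can enumerate candidate fragments and compare digests. The hash set should therefore be treated as sensitive in its own right, a keyed hash is worth considering where the scanner can be trusted with the key, and alerts should fire on a score threshold or a run of consecutive hits rather than on a single matching window.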


Law Banning Default Encryption Unlikely


Laws rarely, if ever, keep up with technology, but even if they could, the consequences could prove more harmful than the benefits.

That was evident at an April 29 hearing of the House Oversight and Government Reform Subcommittee on Information Technology that addressed the encryption - and security - of mobile devices.



Here's the problem the panel addressed that faces law enforcement: Encryption is the default setting for new Apple iPhone and Google Android mobile devices, meaning that law enforcement cannot gain access to encrypted data on the devices even if they have a search warrant. To gain access, the manufacturers would have to create a so-called "backdoor," and give law enforcement a special key to decrypt data on mobile devices. Without such a key, law enforcement could gain access only with the permission of the devices' owners, an unlikely scenario if the encrypted data contains incriminating evidence.

"We call it 'going dark,' and it means that those charged with protecting the American people aren't always able to access the information necessary to prosecute criminals and prevent terrorism even though we have lawful authority to do so," FBI Executive Assistant Director Amy Hess told lawmakers.

Backdoor Benefits

Hess furnished the subcommittee with examples of how accessing data enabled forensics experts to solve crimes, including kidnapping, false rape accusation and murder.


"Today's encryption methods are increasingly more sophisticated, and pose an even greater challenge to law enforcement," she said. "We are seeing more and more cases where we believe significant evidence resides on a phone, a tablet or a laptop - evidence that may be the difference between an offender being convicted or acquitted - but we cannot access it."


Advocates of giving law enforcement a backdoor key include President Obama and FBI Director James Comey. At the Congressional hearing, Suffolk County (Mass.) District Attorney Daniel Conley voiced strong support: "The Fourth Amendment allows law enforcement access to the places where criminals hide evidence of their crimes, once the legal threshold has been met," Conley testified. "In decades past, these places were car trunks and safety deposit boxes; today they are computers and smartphones."

Questioning Motives of Apple, Google

Conley dismissed Apple's and Google's contention that the default encryption they offer on their devices safeguards consumers' privacy.

"Their nominal commitment to privacy rights would be far more credible if they were forbidding themselves access to their customers' interests, search terms and consumer habits, but as we all know, that's not a step they're willing to take," Conley said. "Instead, they're taking full advantage of their customers' private data for commercial purposes while building an impenetrable barrier around evidence in legitimate, court-authorized criminal investigations."


Hess and Conley make a somewhat sound argument. After all, police, with the proper court order, can break into filing cabinets to retrieve evidence. But the rules of the physical world don't always translate well into the virtual one. And other witnesses at the hearing made more compelling arguments for why creating an electronic backdoor is a very bad idea.


"Unfortunately, harsh technical realities make such an ideal solution [a backdoor] effectively impossible, and attempts to mandate one would do enormous harm to the security and reliability of our nation's infrastructure, the future of our innovation economy and our national security," said cryptographer Matthew Blaze, an associate professor of computer and information science at the University of Pennsylvania. "We just can't do what the FBI is asking without weakening our infrastructure."

Undermining U.S. Cybersecurity

Providing a backdoor would undermine America's cybersecurity. "While the FBI would have us believe that law enforcement alone will be privy to our sensitive data, history demonstrates that bad actors will always be ahead of the curve and find an avenue to manipulate those openings," said Jon Potter, president of Application Developers Alliance, a trade group. "As one well-regarded cryptographer said, 'You can't build a backdoor that only the good guys can walk through.'"

Creating a backdoor could potentially cost the American economy billions of dollars in lost business. Kevin Bankston, policy director of the think tank New America's Open Technology Institute, says a backdoor would give foreign users, including corporations and governments that especially rely on the security of technologies, even more incentive to avoid American wares and turn to foreign competitors. "To put it bluntly," he said, "foreign customers will not want to buy or use online services, hardware products, software products or any other information systems that have been explicitly designed to facilitate backdoor access for the FBI or the NSA."

Encryption Mitigates Risks

But the most compelling argument for retaining default encryption that's beyond the reach of law enforcement is that it makes everyone safer, especially on smartphones. "The vast amount of personal information on those devices makes them especially attractive targets for criminals aiming to commit identity theft or other crimes of fraud, or even to commit violent crimes or further acts of theft against the phone's owner," Bankston said.


"By taking this step for their customers and turning on encryption by default," he said, "mobile operating system vendors have completely eliminated the risk of those crimes occurring, significantly discouraged thieves from bothering to steal smartphones in the first place, and ensured that those phones' contents will remain secure even if they are stolen."


It's an argument that can persuade even the most ardent supporters of law enforcement and intelligence agencies. The subcommittee's chairman - freshman Republican William Hurd of Texas, a former undercover CIA agent and cybersecurity strategist, concluded the hearing by opposing offering law enforcement a backdoor. "I hold everyone in law enforcement and the intelligence community to a higher standard," he said. "Upholding civil liberties and civil rights are not burdens. They make all of us safer and stronger."



Info-Sharing Bills: What Happens Next?


As the House prepares to vote this week on two cyberthreat information sharing bills, their fates will rest as much on the White House's reaction to the proposals as on what happens in Congress.

The House Rules Committee on April 21 will consider amendments to both bills, the Protecting Cyber Networks Act that the Intelligence Committee approved on March 26 in a secret session and the National Cybersecurity Protection Advancement Act that the Homeland Security Committee passed unanimously on April 14. A vote by the full House is slated to occur on April 23 for the Intelligence Committee version of the bill and on April 24 on the Homeland Security version.



Before the floor votes take place, the White House could issue a Statement of Administration Policy, which provides the administration's view on whether President Obama should sign or veto the legislation. The administration usually issues SAPs after a committee approves the bill but before the full chamber votes on it.

Recalling CISPA

The House in the past two congresses had passed cyberthreat information sharing bills, both known as the Cyber Intelligence Sharing and Protection Act, or CISPA, and in each case the White House threatened a presidential veto. The administration, in both instances, contended the legislation failed to provide sufficient privacy and civil liberties safeguards for citizens' personal information while furnishing businesses with too broad liability protections when they voluntarily share cyberthreat information with the government and each other.

For the White House, the Intelligence Committee version of the information sharing bill could prove more problematic. It's closer to CISPA than is the Homeland Security Committee's version and has attracted the wrath of civil liberties and privacy advocates. The Protecting Cyber Networks Act would allow the sharing of citizens' information with intelligence agencies such as the National Security Agency and law enforcement.


On the other hand, the Homeland Security Committee's National Cybersecurity Protection Advancement Act incorporates language that explicitly states that sharing such information with intelligence and law enforcement agencies would be prohibited, except if it should help mitigate a cyber-attack. Some privacy experts contend that even with that proviso, some private information could find its way to intelligence and law enforcement agencies.

Added Privacy Protections

Still, the National Cybersecurity Protection Advancement Act has been amended to provide many more privacy and civil liberties protections to citizens than does the Intelligence Committee's bill. And both bills furnish businesses with broad liability protections that would extend such safeguards to companies even if they choose not to share cyberthreat information with the government. It's unclear whether the changes that appear in these bills pass muster with the administration and address its concerns regarding privacy and civil liberties safeguards and business liability protections.


Businesses want those broad protections, and the Financial Services Roundtable, a banking industry lobbying group, has posted a Web advertisement, titled Stop Cyber Threats, calling on voters to lobby Congress to take swift action on cyberthreat sharing legislation.

It's likely, but not inevitable, that if the White House issues an SAP on the Protecting Cyber Networks Act, it would say that senior administration officials would recommend an Obama veto. As for the National Cybersecurity Protection Advancement Act, it's less clear what the White House will say. The committee members did meet many of the objections raised over CISPA regarding privacy and civil liberties protections, although the bill doesn't seem to meet the concerns raised about broad liability protection.

What Will Obama Do?

Remember, lawmaking involves compromise, and although the White House is not getting everything it seeks in a cyberthreat information sharing law, the legislation offers more of what Obama seeks than did CISPA, and the president might support it, perhaps conditionally.

Of course, the Senate has to take action as well.


On March 12, the Senate Intelligence Committee approved a bill more similar to the Protecting Cyber Networks Act from its House counterpart than to the National Cybersecurity Protection Advancement Act offered by the House Homeland Security panel. Senate Majority Leader Mitch McConnell, R-Ky., says he hopes to bring that measure up for a vote shortly, though he provided no specific timeframe.


Sen. Ron Wyden, D-Ore., the only Senate Intelligence Committee member who voted against the bill in committee, said last week that "a good group of senators" seeks to amend the measure to add privacy protection when it comes up for a vote before the entire Senate, according to The Hill.

Limits of Executive Order

Obama earlier this year issued an executive order to establish a process for businesses to share cyberthreat information through the Department of Homeland Security's National Cybersecurity & Communications Integration Center. But Obama on his own cannot provide businesses with the protection from legal actions for sharing cyberthreat information; that requires a new law enacted by Congress.

Passage of both House bills in the lower chamber is almost a certainty, and if - and that's a big if because the Senate never voted on a cyberthreat information sharing bill in the past two congresses - the upper chamber approves information sharing legislation, a conference between the House and Senate would iron out differences among the various measures, and produce a final bill. By then, the president's views on how far he'd compromise would be known, and a bill acceptable to the House, Senate and White House could become law.



Breach Exposed Obama Records


A breach of the White House IT system last October, believed to be by Russian hackers, exposed sensitive details about White House operations, such as the president's schedule, CNN reports.

Investigators believe the White House intrusion began with a phishing email that was launched using a State Department email account that the hackers had taken over, CNN reports, citing several U.S. officials briefed on the investigation into the breach.

The State Department revealed in October that the breach of its system and that of the White House were linked (see State Department, White House Hacks Linked).

The White House downplayed the report. "This report is not referring to a new incident - it is speculating on the attribution of the activity of concern on the unclassified EOP (Executive Office of the President) network that the White House disclosed last year," Mark Stroh, National Security Council spokesman said April 7. "Any such activity is something we take very seriously. In this case, as we made clear at the time, we took immediate measures to evaluate and mitigate the activity. As has been our position, we are not going to comment on the referenced article's attribution to specific actors."

Alternative to Email

Jerry Irvine - a member of the National Cybersecurity Task Force, a joint operation between the Department of Homeland Security and the U.S. Chamber of Commerce - says phishing and spear phishing attacks are increasingly plaguing governments and businesses, and suggests that if they persist, organizations might need to limit email communications.

"It can happen to anyone, and it did," Irvine says, referring to the White House breach. "This is the way of the world. Organizations now are starting to look at the value of email and are questioning whether it's worth the risk. Are there other methods to share information other than email?"

Irvine, partner and chief information officer at IT outsourcer Prescient Solutions, says governments and businesses should look to email alternatives, such as instant messaging, which he contends poses fewer risks.



Why Cyber Security Is All About The Right Hires


The United Kingdom has estimated the global cyber security industry to be worth around US$200 billion per annum, and has created a strategy to place UK industry at the forefront of the global cyber security supply base, helping countries to combat cybercrime, cyber terrorism and state-sponsored espionage.

Likewise, the United States government is facilitating trade missions to emerging markets for companies that provide cyber security, critical infrastructure protection, and emergency management technology equipment and services with the goal of increasing US exports of these products and services.

Meanwhile, Australia is going through yet another iteration of a domestic cyber security review. Australia can’t afford to wait any longer to both enhance domestic capability and grasp international leadership.

The recent Australian debate about the government’s proposed data retention scheme has seen heavy focus on the security aspects of collecting, retaining and where authorised, distributing such data.

But much of this debate masks the broader issue facing the information security industry.

Failing to keep up

The constant evolution of the online environment presents cyber threats which are constantly evolving with increasing volume, intensity and complexity.

While organisations of all shapes and sizes are considering spending more money on cyber security, the supply side of information security professionals is not keeping up with the current, let alone future, demand. High schools are not encouraging enough students (particularly girls) to get interested in the traditional STEM (science, technology, engineering and maths) subjects. The higher education and vocational sectors are likewise not creating enough coursework and research options to appeal to aspiring students who are faced with ever more study options.

One example of the types of programs needed to address the shortage is the Australian Government’s annual Cyber Security Challenge which is designed to attract talented people to become the next generation of information security professionals. The 2014 Challenge saw 55 teams from 22 Australian higher education institutions take part. At 200 students, this is but a drop in the ocean given what is required.

Even for those who graduate in this field, there is a lack of formal mentoring programs (again particularly for girls), and those which are available are often fragmented and insufficiently resourced. The information security industry is wide and varied, catering for all interests and many skill sets. It is not just for technical experts but also for professionals from other disciplines such as management, accounting, legal, etc, who could make mid-career moves adding to the diversity of thinking within the industry.

More and more organisations are adopting technology to create productivity gains, improve service delivery and drive untapped market opportunities. Their success, or otherwise, will hinge on a large pool of talented information security professionals.

We need to attract more people into cyber security roles. Universities need to produce graduates who understand the relationship between the organisation they work for, its people, its IT assets and the kinds of adversaries and threats they are facing. The vocational education sector needs to train technically adept people in real-world situations where a hands-on approach will enable them to better combat cyber attacks in their future employment roles.

Industry associations should focus on their sector — analysing the emerging information security trends and issues, and the governance surrounding information security strategy — to determine their own unique skills gap.

The government should develop a code of best practice for women in information security in collaboration with industry leaders, promoting internal and external mentoring services.


Via Paulo Félix

US Senate committee advances cyber-surveillance bill


The Senate intelligence committee advanced a priority bill for the National Security Agency on Thursday afternoon, approving long-stalled cybersecurity legislation that civil libertarians consider the latest pathway for surveillance abuse.

The vote on the Cybersecurity Information Sharing Act, 14 to 1, occurred in a secret session inside the Hart Senate office building. Democrat Ron Wyden was the dissenter, calling the measure “a surveillance bill by another name”.

Senator Richard Burr, the committee chairman, said the bill would create avenues for private-to-private, private-to-government and government-to-private information sharing.

The bill’s bipartisan advocates consider it a prophylactic measure against catastrophic data theft, particularly in light of recent large-scale hacking of Sony, Target, Home Depot and other companies.

Private companies could share customer data “in a voluntary capacity” with the government, Burr said, “so that we bring the full strength of the federal government to identifying and recommending what anybody else in the United States should adopt”.

“The sharing has to be voluntary, not coercive, and it’s got to be protected,” said Senator Dianne Feinstein, the committee’s vice-chair, adding that the information would pass through the Department of Homeland Security – and “transferred in real time to other departments where it’s applicable”.

Feinstein said the bill’s provisions would “only be used for counterterrorism purposes and certain immediate crimes”.

Several iterations of the cybersecurity bill have failed in recent years, including a post-Edward Snowden effort that the committee, then under Democratic leadership, approved last year. President Obama, renewing the push earlier this year, has called for a bill to enhance information sharing between businesses, particularly banks and others in the financial sector, and the federal government about indications of malicious network intrusions.


Both the administration and Congress intend the legislation to join a panoply of recent moves to bolster cybersecurity, including February’s announced creation of a consolidated center within the intelligence agencies for analysis of internet-borne threats.

“This bill will not eliminate [breaches] happening,” Burr said. “This bill will hopefully minimize the impact of a penetration because of the real-time response.”

Feinstein said that companies, “reluctant to share with the government because they are subject to suit” would be protected from lawsuits “for cybersecurity purposes” under the bill.

But the bill faces strong opposition inside and outside Congress. Beyond expanding government’s reach into private data outside warrant requirements, it mandates real-time access to that data for intelligence agencies and the military.

‘Significantly undermine privacy and civil liberties’

Privacy advocates consider the bill to provide a new avenue for the NSA to access consumer and financial data, once laundered through the Department of Homeland Security (DHS), the initial public repository for the desired private-sector information. Campaigners consider the emphasis placed by the bill’s backers on DHS’s role to be a misleading way of downplaying NSA access to win congressional support.

A coalition of nearly 50 technologists, privacy groups and campaigners wrote to the committee earlier this month urging rejection of a bill that would “significantly undermine privacy and civil liberties” and potentially permit corporations to “hack back” at perceived network intrusions.

The bill “does not effectively require private entities to strip out information that identifies a specific person prior to sharing cyber-threat indicators with the government, a fundamental and important privacy protection,” the 2 March letter reads. Its changes to federal law “would permit companies to retaliate against a perceived threat in a manner that may cause significant harm, and undermine cybersecurity”, particularly given the misattributions of responsibility frequently seen in hacking cases.

Companies can only take “defensive measures” and not “countermeasures against another company”, Feinstein said.

Burr said that language in the bill would require companies to “remove all personal information before that data is transferred to the federal government”, and that the Department of Homeland Security would scrub any data not cleaned by companies. “We’ve tried to minimize in that any personal, identifying data that could be captured,” he said.

But Burr admitted the bill would still allow companies to share directly with the NSA, and could potentially receive liability protections if information is shared “not electronically”. “Our preference is the electronic transfer through the DHS portal,” he said.

While the NSA has labored to convince the public to move on from international condemnation of its digital dragnets – though Congress has passed no legislation to curtail them – acrimony within the tech sector at the surveillance giant persists.

At a Washington forum last month, Yahoo’s chief security officer confronted the NSA’s chief, Admiral Mike Rogers, over a recent push by US security agencies to undermine encryption for government benefit, a revival of the so-called “Crypto Wars” of the 1990s.

Alex Stamos of Yahoo challenged Rogers to explain why his company should not do the same thing on behalf of US adversaries or competitors to facilitate their spying on the United States. Rogers, in what was seen as a heated exchange, resisted the comparison.

Against that backdrop of suspicion, it is uncertain if the new cybersecurity bill can garner the votes in the broader Senate and House that its predecessors could not. The digital-rights group Access on Thursday was already seeking to mobilize its membership to call legislators in objection to the bill.

Wyden declined to comment to reporters, saying as he left the meeting: “You guys know I like talking about this stuff but I can’t say anything.”

He later articulated his dissent in a statement: “The most effective way to protect cybersecurity is by ensuring network owners take responsibility for security. Strong cybersecurity legislation should make clear that government agencies cannot order US hardware and software companies to build weaker products, as senior FBI officials have proposed.”




OpenDNS trials system that quickly detects computer crime


A security system undergoing testing by a San Francisco-based company aims to speed up the detection of websites and domains used for cybercrime.

The technology is being developed by OpenDNS, which specializes in performing DNS (Domain Name System) lookups. The DNS translates domain names such as idg.com into an IP address that a browser can then connect to.

OpenDNS offers a secure DNS service for ISPs and organizations that blocks requests from Web browsers to sites that may be associated with cybercrime or spoof a company such as PayPal.

The company, which was founded in 2005, has grown so much that its systems respond to some 71 billion DNS requests per day. That’s just 2 percent of global DNS traffic but is enough of a sample to pick up on many cybercrime campaigns.

The new system, called Natural Language Processing rank (NLPRank), looks at a range of metrics around a particular domain name or website to figure out if it’s suspicious.

It scores a domain name to figure out if it’s likely fraudulent by comparing it to a corpus of suspicious names or phrases. For example, g00gle.com—with zeros substituting for the letter “o”—would raise a red flag.

Many cybercriminal groups have surprisingly predictable patterns when registering domain names for their campaigns, a type of malicious vernacular that OpenDNS is indexing. Bogus domain names use company names, or phrases like “Java update,” “billinginfo” or “security-info,” to try to appear legitimate.

But there’s a chance that NLPRank could trigger a false positive, flagging a variation of a domain that is legitimate, said Andrew Hay, director of security research at OpenDNS.

To prevent false positives, the system also checks to see if a particular domain is running on the same network, known as its ASN (autonomous system number), that the company or organization usually uses. NLPRank also looks at the HTML composition of a new domain. If it differs from that of the real organization, it can be a sign of fraud.
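Here is an added example, written for this article and not OpenDNS’s code, of the kind of scoring the previous paragraphs describe: domain labels are normalised for look-alike characters and compared with a brand list, the quoted phrase vocabulary is matched, and a hit that is served from the brand’s own ASN is downgraded to avoid the false positives Hay mentions. The brand list, ASNs, homoglyph table and sample queries are constructed, and the HTML-composition comparison is left out.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed reference data (not OpenDNS's corpus): brands attackers imitate
// with the ASN each really uses (RFC 5398 documentation range), the phrase
// vocabulary the article quotes without separators, and look-alike characters.
var (
	brandASN          = map[string]uint32{"google": 64496, "paypal": 64497}
	brandOrder        = []string{"google", "paypal"} // stable iteration order
	suspiciousPhrases = []string{"javaupdate", "billinginfo", "securityinfo"}
	homoglyphs        = strings.NewReplacer("0", "o", "1", "l", "3", "e", "5", "s", "rn", "m", "vv", "w")
)

// levenshtein returns the edit distance between two ASCII labels.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			best := prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev = cur
	}
	return prev[len(b)]
}

// ScoreDomain rates a domain (0 benign; 50 and above is blocked here) and lists
// the signals behind the score. observedASN is the network the name resolved
// into; a look-alike served from the brand's own network is downgraded, which
// is the false-positive guard the article describes.
func ScoreDomain(domain string, observedASN uint32) (int, []string) {
	score, matched := 0, ""
	var reasons []string
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(domain), "."), ".")
	if len(labels) > 1 {
		labels = labels[:len(labels)-1] // the TLD carries no brand signal
	}
	for _, label := range labels {
		raw := strings.ReplaceAll(label, "-", "")
		norm := homoglyphs.Replace(raw)
		for _, b := range brandOrder {
			switch {
			case raw == b: // the brand's own spelling; judged by ASN below
				matched = b
			case norm == b || levenshtein(norm, b) == 1:
				score, matched = score+60, b
				reasons = append(reasons, fmt.Sprintf("%q looks like %q", label, b))
			case strings.Contains(norm, b):
				score, matched = score+40, b
				reasons = append(reasons, fmt.Sprintf("%q embeds %q", label, b))
			}
		}
	}
	joined := homoglyphs.Replace(strings.ReplaceAll(strings.Join(labels, ""), "-", ""))
	for _, p := range suspiciousPhrases {
		if strings.Contains(joined, p) {
			score += 30
			reasons = append(reasons, fmt.Sprintf("contains phrase %q", p))
		}
	}
	if matched != "" {
		if observedASN == brandASN[matched] {
			score -= 50
			reasons = append(reasons, fmt.Sprintf("served from %s's usual AS%d", matched, observedASN))
		} else {
			score += 20
			reasons = append(reasons, fmt.Sprintf("not on %s's usual AS%d", matched, brandASN[matched]))
		}
	}
	if score < 0 {
		score = 0
	}
	return score, reasons
}

func main() {
	for _, q := range []string{"g00gle.com", "google.com", "paypal-billinginfo.com"} { // constructed queries
		score, reasons := ScoreDomain(q, 64500) // AS64500: a network none of the brands use
		fmt.Printf("%-24s score=%3d block=%-5v %v\n", q, score, score >= 50, reasons)
	}
}
```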

NLPRank is still being refined to make sure the false positive rate is as low as possible. But there have been encouraging signs that the system has already spotted malware campaigns seen by other security companies, Hay said.

Earlier this month, Kaspersky Lab released a report on a gang that stole upwards of US$1 billion from banks in 25 countries. The group infiltrated banks by gaining the login credentials to key systems through emails containing malicious code, which were opened by employees.

Hay said Kaspersky approached OpenDNS before the report was published to see if it had information on domains associated with the attacks. NLPRank was already blocking some of the suspicious domains, even though OpenDNS didn’t know more details about the attacks.

“We caught these things well back,” Hay said.

In some cases, NLPRank could allow a domain to be blocked even before one is actively used. After cybercriminals register a domain, they’ll often visit it once to make sure it’s accessible. It may then go dormant for a few days before it is incorporated in a campaign, Hay said.

If a fraudster is connected to an ISP that uses OpenDNS’s service, just a single DNS query for that new domain would allow OpenDNS to analyze and potentially block it before it is used for crime.

“As soon as we see that little bump on the wire, we can block it and monitor to see what’s going on,” Hay said. “It’s almost an early warning system for fraudulent activity.”




Google has delayed its Android encryption plans because they're crippling people's phones


Google is delaying plans to encrypt all new Android phones by default, Ars Technica reports, because the technical demands of encryption are crippling people's devices.

Encryption slowed down some phones by 50% or more, speed tests show. 

In September 2014, Google — along with Apple — said that it planned to encrypt all new devices sold with its mobile OS by default. This means that unless a customer opted out, it would be impossible for anyone to gain access to their device without the passcode, including law enforcement (or Google itself).

This hardened stance on encryption from tech companies came after repeated revelations about the NSA, GCHQ and other government spy agencies snooping on ordinary citizens' data.

Default encryption has infuriated authorities. One US cop said that the iPhone would become "the phone of choice for the paedophile" because law enforcement wouldn't be able to access its contents. UK Prime Minister David Cameron has floated the idea of banning strong encryption altogether — though the proposal has been slammed by critics as technically unworkable.

Apple rolled out default-on encryption in iOS 8 back in September. Google's Android Lollipop system was first released in November — but because the phone manufacturers, rather than Google itself, are responsible for pushing out the update, it can take months for a new version of the OS to reach the majority of consumers.

But as Ars Technica reports, Lollipop smartphones are now finally coming to the market, and many do not have default-on encryption. So what's the reason? The devices couldn't actually handle it.

Speed tests show that even Google's flagship phone, the Google Nexus 6, suffers serious slowdown when encryption is turned on. A "random write" test measuring writing data to memory showed that the Nexus 6 performed more than twice as fast with encryption switched off — 2.85MB per second as compared with 1.41MB per second with it on. The difference was even more striking in a "sequential read" test to measure memory reading speeds. An unencrypted device achieved 131.65MB/s; the encrypted version managed just 25.36MB/s. That's a third of even the Nexus 5, the previous model, which came in at 76.29MB/s.

As such, Google is now rowing back on its encryption stance. Its guidelines now say that full-disk encryption is "very strongly recommended" on devices, rather than the necessary requirement promised. Users can still encrypt their devices (even if it slows them down), but it won't happen by default.

Google says it still intends to force it in "future versions of Android".



Time to Ban the 'Bloatware'


What will it take to make hardware manufacturers ditch "bloatware"?

That's one of the more charitable names for the software that so many manufacturers - Apple and Google being notable exceptions - preinstall on the devices they sell. Such software includes screensavers, toolbars, utilities or even Superfish Visual Discovery. That's the adware that Lenovo, the world's biggest PC manufacturer, was preinstalling on many of its consumer laptops until earlier this month, when security experts - including the U.S. Computer Emergency Response Team - began warning that the software poses an information security risk to users.


The practice of adding bloatware - a.k.a. junkware or trialware - to PCs is common, Microsoft says, warning that such software may "slow down your computer and junk up your Start screen or desktop." That's why Microsoft in 2012 began selling "Signature" Windows systems that come with a vanilla version of Windows, with no such bloatware or trialware preinstalled, for the added price of just $99.

And therein lies the bloatware flaw: Too often, such software isn't designed to make life easier for paying customers, but rather operates at their expense. Indeed, some users reported that it took them days to track down odd behavior on their PC to the Superfish software, which was relatively hidden on their device, and which can be difficult to fully eradicate.

As the Superfish saga has unfolded, with Lenovo apologizing and saying it "messed up," you might think the company would distance itself from bloatware and offer customers the choice of a "clean" install of Windows. "Manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option, i.e. with no operating system preinstalled," says Rik Ferguson, vice president of security research for security software vendor Trend Micro, and a cybersecurity adviser to Europol, which is the association of European police agencies.

"Not only would this reduce cost to the user, it would also increase freedom of choice of operating system and hand full control back to the owner of the device," he says.

Lenovo Promises Listening Sessions

But Lenovo's chief technology officer, Peter Hortensius, tells The Wall Street Journal that "in general, we get pretty good feedback from users on what software we preinstall on computers."

Hortensius paints a picture of customers clamoring for more of these add-ons. "What we're going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers' computers," he says. "The outcome could be a clearer description of what software is on a user's machine, and why it's there."

Likewise, Lenovo spokeswoman Wendy Fung tells me Superfish was preinstalled "in our effort to enhance our user experience." But that's false logic. When Apple, for example, wants to improve its Mac OS X user-experience design, does it preinstall software that alters the images displayed in search results, even for supposedly secure HTTPS pages? That's what Superfish Visual Discovery was designed to do.

Fung also confirms that Lenovo received compensation from Superfish to preinstall its software, although it claims it wasn't a "financially significant" arrangement.

But following the bloatware money suggests a lot - including manufacturers taking advantage of consumers and small businesses who don't know better. One defense of PC manufacturers' bloatware practices could be that their profit margins are razor-thin, and that unless consumers want to pay more, they should expect to see privacy or even security tradeoffs. Consumers, however, aren't being clearly presented with that choice.

Can Bloatware Be Battled?

Unfortunately, it's not clear how we might rid the world of bloatware. In the U.S., the Federal Trade Commission could get involved and investigate bloatware-bundling practices, per its ability to police "unfair or deceptive acts." So far, one U.S. lawsuit has been filed that takes aim at Lenovo having preinstalled Superfish. In the United Kingdom, meanwhile, the Information Commissioner's Office, which enforces EU privacy protections, says it's planning to demand Superfish-related answers from Lenovo.

With luck, sharp questions from regulators and Lenovo's Superfish debacle will lead more manufacturers to rethink their business practices, and begin offering consumers a clean install. But too many will likely just default to offering the same old raw deal.



Apple Spending $2 Billion to Build Two New Data Centers in Europe


Apple announced on Monday that it will invest €1.7 billion to build and operate two new data centers in Europe. The state-of-the-art facilities will be located in County Galway, Ireland and the Central Jutland Region of Denmark, powering Apple's online services such as the App Store, iTunes Store, iMessage, Maps and Siri for European customers.

“We are grateful for Apple’s continued success in Europe and proud that our investment supports communities across the continent,” said Tim Cook, Apple’s CEO. “This significant new investment represents Apple’s biggest project in Europe to date. We’re thrilled to be expanding our operations, creating hundreds of local jobs and introducing some of our most advanced green building designs yet.”

The data centers will be powered by 100% clean and renewable energy sources, with each having the lowest environmental impact yet for any Apple data center. Apple will also work with local partners to develop additional renewable energy projects derived from wind and other sources for future usage.

“We believe that innovation is about leaving the world better than we found it, and that the time for tackling climate change is now,” said Lisa Jackson, Apple’s vice president of Environmental Initiatives. “We’re excited to spur green industry growth in Ireland and Denmark and develop energy systems that take advantage of their strong wind resources. Our commitment to environmental responsibility is good for the planet, good for our business and good for the European economy.”

The 166,000-square-meter data centers are expected to begin operations by 2017 and help support nearly 672,000 jobs in Europe, a large portion of which relate to the development of iOS apps. Apple claims that developers have earned more than €6.6 billion through app sales since the App Store launched in 2008.



Two Lawsuits Filed Against Lenovo Over Superfish Scandal


Lenovo's Superfish adware drew a lot of anger and criticism last week, to the point where the software was immediately disabled and the company promised it would not include it in future releases. Even with Superfish disabled and Lenovo's assurance that there were no vulnerabilities associated with the software, the effect on affected products is irreversible. In the wake of the incident, a class-action lawsuit was filed against Lenovo last week which could put the company in jeopardy.

The class-action suit, with blogger Jessica Bennett as the plaintiff, was filed at the U.S. District Court in the Southern District of California. Bennett claims that Lenovo invaded her privacy and made a profit by keeping track of her online browsing.

She initially noticed the problem when she wrote a blog post for a client's website with the website featuring spam ads "involving scantily clad women." Further investigation by Bennett on other websites showed more pop-up ads, which led her to believe her Yoga 2 was compromised or contained spyware. She eventually found the source on the Lenovo forums in the form of the company's Superfish software.

Superfish worked by placing ads in search engines and other websites without the user's permission. It also made secure connections vulnerable because of the company's own root certificate, which would replace a secure site's own certificate. Even though the software is now deactivated, those who had Superfish on their Lenovo devices are still vulnerable to hackers who can monitor user traffic and steal important banking credentials.

Another law firm also opened up a class action lawsuit against Lenovo and is encouraging customers to reach out if they want to participate. Both cases are still in their early stages, so the process could take some time before Lenovo gets its day in court. But with Lenovo potentially fighting a legal battle on two fronts, the company seems to be taking a turn for the worse, with the trust of customers slowly fading away.




Windows 10 Ransomware Scam Represents Growing Trend in Malware


I don’t usually jump on the new software or device bandwagon immediately. I tend to wait until something has been on the market for a little while and let other people work the bugs out first. However, the release of Windows 10 intrigues me. I had the chance to talk to some people at RSA about it, and I’m not sure the last time I heard so much enthusiasm for a new Microsoft product.


The release came at the end of July, with the upgrade made available for free. Who doesn’t like free, right?

Consumers aren’t the only ones who appreciate a free upgrade, though. Scammers and bad guys are taking advantage of the Windows 10 launch, too, using phishing emails to spoof the arrival of the OS. As PC World explained, the scam does a very good job mimicking a legitimate Microsoft announcement regarding Windows 10. The difference, though, was this:


An attached .zip file purports to be a Windows 10 installer … the attachment contains a piece of ransomware called CTB-Locker that encrypts your files and requests payment within 96 hours, lest your files be encrypted forever.


I can’t imagine that anyone would be surprised that the bad guys would try to take advantage of the OS release. However, according to Cisco’s midyear report, this is part of a growing trend of hackers using social and breaking news events as lures to deliver ransomware. According to the report, ransomware has really stepped up its game, with improved professional development to encourage innovation and to ensure that the malware brings in financial gains.

The Cisco blog explained more about how it works:


The ransoms demanded are usually affordable, generally a few hundred dollars depending on the bitcoin exchange rate. Criminals appear to have done their market research to determine the right price points for the best results: Fees are not so high that victims will refuse to pay or will tip off law enforcement. Ransomware authors keep their risk of detection low by using channels such as Tor and the Invisible Internet Project to communicate, and they use bitcoin so that financial transactions are difficult for law enforcement to trace.


Will we see more problems with ransomware going forward? I suspect the answer is “Yes,” especially as the developers get smarter about manipulating the ransom for their own gain. (Remember, as successful as Cryptolocker was at locking down a computer’s data, too many weren’t able to pay the ransom with Bitcoin, and, in turn, the developers weren’t able to make the money they planned to make.) We know that the spammers are very good at faking us out with phishing attacks. So enjoy your new Windows 10 upgrade. Just download with a lot of caution.


Kaspersky may have been hacked to spy on its research


Eugene Kaspersky, the Russian whose namesake company acknowledged that it had been infected with top-tier malware, struggled during a press conference to come up with reasons why the hackers targeted his firm.


After all, antivirus makers like Kaspersky Lab should be prepared to sniff out and snuff out an attack.

“They were not only stupid, but greedy,” Kaspersky said during a London-based press conference Wednesday, which was also webcast to reporters elsewhere.


When asked why the attackers—whose malware was dubbed Duqu 2.0 in a nod to 2011’s Duqu, which in turn was thought to be an offspring of the infamous Stuxnet—went head-to-head with his company, Kaspersky had theories but nothing more.

“They were not interested in our customers,” he said after asserting that the intrusion did not appear to have touched any customer or partner data.


“I’m pretty sure they were watching,” he said of the hackers during the months they had their malware running undetected on Kaspersky’s network. He speculated that the attackers were doing reconnaissance and research, hoping to find out more about Kaspersky’s security technology or how it found and analyzed malware.


Specifically, Kaspersky wondered if they had infected Windows PCs on the company’s network to uncover how researchers decided what malware to manually examine.

A treasure trove of research

The vast bulk of the malware that Kaspersky—and any major antivirus firm—collects is processed, evaluated and categorized by automated systems, which also craft the resulting “fingerprints,” or signatures, that are sent to customers’ devices. Only the occasional piece of attack code is interesting enough, different enough from the run-of-the-mill to justify a human touch.


How researchers make the decision to closely evaluate—and root through—one piece of malware while passing on another would obviously be information a hacker crew or state-sponsored group would love to have, as it would help them craft attack code and develop tradecraft that would be more likely to get shunted to the machines, where it would be one among millions, and its true purpose perhaps overlooked.


“[The bad guys] absolutely want to know what security researchers are doing, what’s the state of the art on that side,” said Tod Beardsley, the engineering manager at security vendor Rapid7, in an interview. “They want to know, is it better than what [they] have?”


It’s certain, Beardsley continued, that just as security researchers launch projects to analyze attack technology and attackers’ predilections, the other side does the same. “Having a hold in a security company is of great advantage,” Beardsley said. “Just the operational intelligence would be valuable, as that would give them lots of preparation time for their next mission.”


And with more-than-public knowledge, hackers might be able to come up with ways to steer clear of security defenses like those employed by Kaspersky’s customers.


But Eugene Kaspersky dismissed the idea that the hackers’ presence within his company’s network—he said it had been hidden there at least several months—would give them real clues about the vendor’s technologies, even if they had obtained the source code, which they had not. “These technologies are quickly outdated,” Kaspersky contended, saying that changes were constantly being applied.


“Maybe they were interested in some specific attacks we were working on,” Kaspersky said. “Or maybe they wanted to see if we could catch them.”

"Very awesome" malware

In a long blog post on Forbes, Kaspersky elaborated. “I can think of several reasons why someone might want to try to steal our technical data, but each one of them doesn’t seem to be worth the risk” of being discovered, Kaspersky said.


Which is exactly what happened.


“Now we know how to catch a new generation of stealthy malware developed by them,” Kaspersky wrote. “And the attackers are now back to the drawing board since we exposed their platform to the whole IT security industry. Moral considerations aside, that’s hardly a good return on a serious investment with public money.”


That latter line was a reference to Kaspersky’s contention that Duqu 2.0 was created by a state-sponsored or state-run hacking crew.

Beardsley and Kaspersky agreed on one thing: Duqu 2.0 was top-of-the-line malware.


“It’s very awesome for sure,” said Beardsley. “It is definitely a milestone. It has a very modular framework, is able to swap out one zero-day for another, and uses new techniques for signaling and non-persistence.”


Unlike most malware, Duqu 2.0 resides almost exclusively in memory, making it difficult for security software to detect it.

Which led Eugene Kaspersky to make an odd-but-effective suggestion about how to rid a network of the malware. “Technically, it’s simple: Turn off the power and the system will be clean.”


Lenovo Patches Critical PC Flaws


Lenovo issued an emergency patch to fix flaws in software that it preinstalls on many of its Windows PCs after security researchers warned that it contained vulnerabilities that attackers could use to remotely seize control of systems.


The vulnerabilities affect the Lenovo System Update software - version 5.6.0.27 and before - which was previously known as ThinkVantage System Update. The Chinese PC manufacturer says the vulnerable software may be present on its ThinkPad, ThinkCentre and ThinkStation laptops and tablets, as well as Lenovo V/B/K/E Series devices.


The flaws were discovered by IOActive security researchers Michael Milvich and Sofiane Talmat in February, after which they alerted Lenovo and helped it prepare related fixes, which Lenovo released in April. But the researchers' findings were only made public this week.


One flaw, rated critical by the IOActive researchers, centered on a "race condition," in which attackers could have System Update verify that an executable file was legitimate, and then substitute a malicious executable. "Lenovo System Update validates all system update files as they are downloaded from the Lenovo servers. However, if the local system contains malware, it is possible that the downloaded updates could be altered before installation," Lenovo warns in a related security advisory.


To fix the flaws, users should update to version 5.06.0034 or later of Lenovo's software, which includes related patches. "Lenovo System Update automatically checks for a [new] version whenever the application is run," the company's security advisory says. "Click OK when prompted that new version is available." Alternately, users can download updates manually.

Follows Superfish

The security alert follows revelations in February that Lenovo, which is the world's largest PC manufacturer, had been preinstalling adware called Superfish on many of its PCs. Numerous security experts warned that the adware put users at risk because of the insecure manner in which it used digital certificates to intercept and decrypt otherwise encrypted Internet traffic.


Now, security experts are expressing dismay that yet more flaws have been found in Lenovo's preinstalled software. "Lenovo has been found wanting again on the security front," information security expert Alan Woodward, a professor at Surrey University, tells the BBC. Following on the Superfish debacle, he said Lenovo was demonstrating a "lamentable record for security."


While Lenovo initially defended Superfish - as a feature - it later backed off and began working with security firms to delete the software. The manufacturer also promised that beginning with new devices running the forthcoming Windows 10 operating system it would include only essential operating system and related software, including hardware drivers, security software and Lenovo's own applications, with a spokeswoman saying they would be free from "what our industry calls 'adware' and 'bloatware.'"

Predictable Security Tokens

While Superfish adware was preinstalled on many consumer-focused Lenovo systems, the new vulnerabilities are largely present on business-oriented machines.


Furthermore, Lenovo's System Update software is powerful, in that it will execute any code that it receives, for example to update the Windows operating system. Such functionality would be useful to attackers, of course, if they could trick it into installing malicious code. If that attack was successful, then the attackers could install a backdoor, execute malware that steals data stored on the device, and take full control of the machine.


To guard against that, the System Update software requires any client that attempts to connect to the service to authenticate itself, using a security token. "Unfortunately this token is a predictable token and can be generated by any user without requiring any elevated permissions," the IOActive researchers say about the previous version of System Update. "As a result, an attacker who is unprivileged can perform the same operations as the System Update. The attacker can create a valid token and include it with a command to be executed." Lenovo's patch, however, fixes that problem.

Another Flaw Patched

Another problem present in previous versions of the Lenovo System Update software was a failure to conduct complete security checks on executable code.


"As a security measure, Lenovo signs its executables and checks the signature before running them, but unfortunately does not completely verify them," the IOActive researchers said in their vulnerability warning. As before, this flaw was patched by Lenovo in April.

In particular, the Lenovo software did not fully validate the certificate authority chain. As a result, an attacker could create a fake certificate authority, use it to sign a malicious executable, and then fool the System Update software into executing it.


For example, per the "classic coffee shop attack," a related man-in-the-middle attack could be launched if the attacker was connected to the same WiFi network as a vulnerable Lenovo PC, the researchers say. "The System Update uses TLS/SSL to secure its communications with the update server, which should protect against 'coffee shop' style attacks," they add.


But that protection was contingent on the Lenovo software correctly handling digital certificates, which it did not. "Lenovo - like Fandango, Credit Karma, and an estimated 40 percent or more of mobile application developers - were not able to validate if certificates were from a trusted authority," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, which develops software to secure and protect cryptographic keys and digital certificates. "As this vulnerability shows, if you can compromise certificates, other security controls break down. With a compromised or forged certificate, you can masquerade as a trusted service, hide [via] encryption, and go undetected."


Again, however, Lenovo and IOActive report that all of the above flaws have now been patched.



House OKs 2nd Cyberthreat Info-Sharing Bill


A second cyberthreat information sharing bill passed the House of Representatives on April 23. That measure, the National Cybersecurity Protection Advancement Act, now will be combined with the House Intelligence Committee's Protecting Cyber Networks Act, which passed on April 22, before it's sent to the Senate.

The National Cybersecurity Protection Act, which was approved by a 355-63 vote, provides businesses with liability protections if they share cyberthreat information with the federal government and other businesses. The bill designates the National Cybersecurity and Communications Integration Center as the portal for government and business to share data.

"Ultimately, this legislation will arm those who protect our networks with valuable cyber-threat indicators that they can use to fortify defenses against future attacks," said one of the bill's sponsors, Rep. John Ratcliffe, chairman of a House Homeland Security Committee subcommittee, which has cybersecurity oversight.

Supporters of cyberthreat information sharing legislation, including President Obama, say such a measure is needed because many businesses will not share information with the government unless they're protected from civil and criminal lawsuits resulting from the sharing of data. Both bills, and one approved by the Senate Intelligence Committee, would provide those liability safeguards.

The House-passed bills' supporters contend their measures protect citizens' privacy and liberties by requiring businesses to strip personally identifiable information from information to be shared. Language added to the National Cybersecurity Protection Advancement Act specifically says the shared data is to be used for cyberdefense only and cannot be used for intelligence or law enforcement purposes. Still, consumer advocacy groups contend the bill does not go far enough to prevent sharing of data for purposes other than cyberdefense.

The White House, in Statements of Administration Policies, has given both House-passed bills a lukewarm endorsement, but it made suggestions on changes it seeks, especially the narrowing of the liability protections the measures offer.

In the Senate, Majority Leader Mike McConnell said its version of cyberthreat information sharing legislation should come up for a vote shortly, but did not provide a specific date. If the Senate passes its own cyberthreat information sharing legislation, conferees from both chambers, weighing recommendations from the White House, will draft new language in hopes of winning the support of a majority of House and Senate lawmakers as well as the president.



House Panel Passes Cyberthreat Info Sharing Bill


After beating back amendments by Democratic members to limit liability protections for businesses, the House Homeland Security Committee on April 14 unanimously approved cyberthreat information sharing legislation on a voice vote.


The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to the full House, where differences with another cyberthreat information sharing measure approved by the House Intelligence Committee last month will be worked out. House leaders indicated that the full House could vote on cyberthreat information sharing legislation as early as next week.


In the Senate, a version of its cyberthreat information sharing bill could come up for a vote shortly. Senate Majority Leader Mitch McConnell included the Cybersecurity Information Sharing Act passed last month by the Senate Intelligence Committee as among several bipartisan bills that the Senate is "working hard to advance."


The National Cybersecurity Protection Advancement Act of 2015, approved by the House Homeland Security Committee, provides many of the privacy and civil liberties protections sought by President Obama that were absent in earlier versions of cyberthreat information sharing legislation, which passed the House in the two previous Congresses and which the White House had threatened to veto.

Limits Placed on Shared Data

The House committee approved one amendment that explicitly states that shared cyberthreat information processed through the National Cybersecurity and Communications Integration Center - known as NCCIC, the Department of Homeland Security portal - could not be used for law enforcement or intelligence purposes. Civil liberties groups have raised concerns that some cyberthreat information sharing bills could allow the use of collected cyberthreat data to spy on Americans, violating their privacy and liberties.


The legislation would require private companies to remove personally identifiable information unrelated to the cybersecurity risk before sharing information with the NCCIC or other private entities. It would also require the NCCIC to conduct a second scrub and destroy any personal information that is unrelated to the cybersecurity risk before further sharing with other government agencies or private organizations.


The aim of the cyberthreat information sharing legislation is to encourage businesses and other private organizations to voluntarily share threat data with the government and other businesses to mitigate damaging cyber-attacks. But some businesses are reluctant to share the information unless they are protected from legal actions, which led to the various provisions offering liability protections.

Liability Provisions Remain Intact

The Democratic minority on the House Homeland Security Committee, along with the Obama administration, contend that the liability protections offered to businesses in the committee's bill were too broad, providing legal protections when not warranted. An amendment offered by Rep. Cedric Richmond, D-La., would have removed liability protection for businesses that received threat data but failed to act on it. "If you abide by the provisions of this act," Richmond said, "then you're exempt from liability. It's just that simple. Instead of adding all these other concepts to the liability language, if we take the time to pass a bill and you abide by it, you have liability exemption. If you don't, then you don't have exemption."


But the bill's cosponsor, Republican Rep. John Ratcliffe of Texas, said the broader liability protections in the bill are aimed to get the greatest number of businesses to participate in cyberthreat information sharing. "Stakeholders are concerned about putting their customers or consumers at risk, and their information at risk; they're concerned about exposing their own sensitive business information by sharing," Ratcliffe said. "And, they're also concerned about possibly violating federal privacy laws. Having strong liability protection is going to be absolutely critical and vital to the success of this bill, and the phraseology in this bill is absolutely critical and essential to that point."

The bill originally provided liability protection for businesses that conducted their network security awareness in "good faith," but the committee voted to excise those words from the measure because, as McCaul noted, the term is too ambiguous and could lead to confusion in enforcing the measure should it become law.

Awaiting Word from White House

The White House has not said whether it would support or veto any of the cyberthreat information sharing bills winding their way through Congress. Statements of Administration Policy, such as the ones containing the earlier veto threats, usually are issued shortly before one of the chambers is set to vote on the legislation.

After the committee vote, the Financial Services Roundtable called for swift floor action on the legislation. "Congressional action to better protect consumers from cyber-attacks is long overdue," said Tim Pawlenty, CEO of the Roundtable, a financial services industry advocacy group. "We applaud the House for addressing gaps in our nation's cybersecurity laws and urge both chambers of Congress to quickly put a bill on the president's desk."



Hackers have found a way to get into nearly every computer


Hacking even the most secure data is easier than previously thought. This was evidenced by two researchers at the CanSecWest security conference in Vancouver last week.

The two computer security experts, Xeno Kovah and Corey Kallenberg, exhibited a proof-of-concept, showing how to hack into BIOS chips, which are microchips containing the firmware of a computer’s motherboard.

"The BIOS boots a computer and helps load the operating system," Wired explained. "By infecting this core software, which operates below antivirus and other security products and therefore is not usually scanned by them, spies can plant malware that remains live and undetected even if the computer’s operating system were wiped and re-installed."

The attacks can be launched either through remote exploitation — such as phishing emails — or through “physical interdiction of a system,” Wired reports. The researchers discovered what they called "incursion vulnerabilities," giving them access to the BIOS. Once the BIOS is compromised, they can grant themselves the highest of system privileges. Then, they are able to gain all sorts of control over the system. This includes the ability to steal passwords as well as surveil other data.

Kovah told Business Insider that of the 10,000 enterprise-grade machines they analyzed, 80% of them had at least one BIOS vulnerability.

Most alarming is that any and all data is up for grabs once the BIOS is compromised. This means encrypted data is accessible — even if the computer user is using privacy-oriented security software.

For example, the researchers said that the Tails system — a widely used OS known for its immense security — could be hijacked. Edward Snowden and Glenn Greenwald use Tails to share data. Kovah and Kallenberg say that their malware could subvert Tails, making it possible to gain access to any of its data.

The ramifications for computer security are huge. For one, it was previously thought that only the most well-resourced attackers, such as deep-pocketed governments, were able to compromise BIOS chips. This was most recently evidenced by findings from Kaspersky Lab, which discovered a series of attacks targeting computers' firmware that appear to originate from the NSA.

Now, given that Kovah and Kallenberg were able to hack these chips without a billion-dollar government budget, things have changed. Vendors are already working on patches to deal with the vulnerability, but there's no way to know what sort of damage has already been done.

While the vectors for attack are numerous, Kovah and Kallenberg hope their findings bring awareness to how critical firmware security truly is. At the very least, they hope this forces companies to patch their systems. As Kovah explained, even when new patches are issued, "we keep finding new vulnerabilities."



Online trust is at the breaking point


IT security professionals around the globe believe the system of trust established by cryptographic keys and digital certificates, as well as the security of trillions of dollars of the world's economy, is at the breaking point.

For the first time, half of the more than 2,300 IT security professionals surveyed by The Ponemon Institute now believe the technology behind the trust their business requires to operate is in jeopardy. 100% of organizations surveyed had responded to multiple attacks on keys and certificates over the last two years.


Research reveals that over the next two years, the risk facing every Global 5000 enterprise from attacks on keys and certificates is at least $53 million USD, an increase of 51 percent from 2013. For four years running, 100 percent of the companies surveyed said they had responded to multiple attacks on keys and certificates, and vulnerabilities have taken their toll.

"The overwhelming theme in this year's report is that online trust is at the breaking point. And it's no surprise. Leading researchers from FireEye, Intel, Kaspersky, and Mandiant, and many others consistently identify the misuse of keys and certificates as an important part of APT and cybercriminal operations," said Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi. "Whether they realize it or not, every business relies upon cryptographic keys and digital certificates to operate. Without the trust established by keys and certificates, we'd be back to the Internet 'stone age' – not knowing if a website, device, or mobile application can be trusted."

As risk increases, so does the number of keys and certificates: Over the last two years, the number of keys and certificates deployed on infrastructure such as web servers, network appliances, and cloud services grew more than 34 percent to almost 24,000 per enterprise. The use of more keys and certificates makes them a better target for attack. Stolen certificates sell for almost $1000 on underground marketplaces, and doubled in price in just one year. Researchers from Intel believe hacker interest is growing quickly.

Organizations are more uncertain than ever about how and where they use keys and certificates: Now 54 percent of organizations admit to not knowing where all keys and certificates are located and how they're being used. This leads to the logical conclusion: how can any enterprise know what's trusted or not?

Security pros worry about a Cryptoapocalypse-like event: A scenario where the standard algorithms of trust like RSA and SHA are compromised and exploited overnight is reported as the most alarming threat. Instantly transactions, payments, mobile applications, and a growing number of Internet of Things could not be trusted. Coined by researchers at Black Hat 2013, a Cryptoapocalypse would dwarf Heartbleed in scope, complexity, and time to remediate.

The misuse of enterprise mobile certificates is a lurking concern: The misuse of enterprise mobility certificates used for applications like WiFi, VPN, and MDM/EMM is a growing concern for security professionals. Misuse of enterprise mobility certificates was a close second to a Cryptoapocalypse-like event as the most alarming threat. Incidents involving enterprise mobility certificates were assessed to have the largest total impact, over $126 million, and the second largest risk. With a quickly expanding array of mobile devices and applications in enterprises, it's no wonder why security pros are so concerned.

"With the rising tide of attacks on keys and certificates, it's important that enterprises really understand the grave financial consequences. We couldn't run the world's digital economy without the system of trust they create," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "This research is incredibly timely for IT security professionals everywhere – they need a wake up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals."


Via Paulo Félix

Windows PCs remained vulnerable to Stuxnet-like attacks despite 2010 patch


If you patched your Windows computers in 2010 against the LNK exploit used by Stuxnet and thought you were safe, researchers from Hewlett-Packard have some bad news for you: Microsoft’s fix was flawed.

In January, researcher Michael Heerklotz reported privately to HP’s Zero Day Initiative (ZDI) that the LNK patch released by Microsoft over four years ago can be bypassed.

This means that over the past four years attackers could have reverse-engineered Microsoft’s fix to create new LNK exploits that could infect Windows computers when USB storage devices got plugged into them. However, there’s no information yet to suggest this has happened.

The original attack, which exploited a vulnerability in how Windows displayed icons for shortcut (LNK) files, was used to spread Stuxnet, a computer worm that sabotaged uranium enrichment centrifuges at Iran’s nuclear facility in Natanz.

Stuxnet, which is believed to have been created by the U.S. and Israel, was discovered in June 2010 after it spread beyond its intended target and ended up infecting tens of thousands of computers around the world. The LNK vulnerability, tracked as CVE-2010-2568, was one of several zero-day, or previously unknown, flaws that Stuxnet exploited. Microsoft patched the flaw in August that same year as part of a security bulletin called MS10-046.

“To prevent this attack, Microsoft put in an explicit whitelist check with MS10-046, released in early August 2010,” the HP researchers said in a blog post Tuesday. “Once that patch was applied, in theory only approved .CPL files should have been able to be used to load non-standard icons for links.”

“The patch failed,” they said. “And for more than four years, all Windows systems have been vulnerable to exactly the same attack that Stuxnet used for initial deployment.”

ZDI reported the LNK patch bypass found by Heerklotz to Microsoft, which treated it as a new vulnerability (CVE-2015-0096) and fixed it Tuesday as part of MS15-020. The ZDI researchers plan to examine the new update to see if there are any other possible bypasses.

However, applying the workaround published by Microsoft in 2010, which involves using the registry editor to manually disable the display of icons for shortcut files, will protect against the latest flaw too, they said.

While the LNK attack was first discovered as part of Stuxnet, security researchers from Kaspersky Lab recently found that another computer worm, called Fanny, had used it since 2008. Fanny is part of a malware arsenal used by a highly sophisticated cyberespionage group that Kaspersky has dubbed Equation.

As revealed by a Kaspersky Lab report in August 2014, exploitation of the original CVE-2010-2568 vulnerability remained widespread even after the Microsoft patch in 2010, primarily because the exploit was integrated in more common threats like the Sality worm. From July 2010 to May 2014, Kaspersky Lab detected over 50 million instances of the CVE-2010-2568 exploit on more than 19 million computers worldwide.



Apple, Android Prep 'Freak' Fix


Numerous Apple and Android devices, as well as websites, are vulnerable to a serious flaw, which an attacker could exploit to subvert secure Web connections. The flaw exists in SSL and TLS and results from the ability to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher.

The researchers who discovered the vulnerability have dubbed it "Freak," for "Factoring RSA-EXPORT Keys," and warn that it can be used to crack a cipher key and then impersonate legitimate sites - such as the public-facing National Security Agency website - to vulnerable clients. In some cases it could also be used to hijack third-party tools, such as the Facebook "like" button functionality, and inject JavaScript into vulnerable clients and steal passwords.


"In case you're not familiar with SSL and its successor TLS, what you should know is that they're the most important security protocols on the Internet," Johns Hopkins University cryptographer Matthew D. Green says in a blog post. "In a world full of untrusted networks, SSL and TLS are what makes modern communication possible."

Security researchers warn that the flaw exists in versions of OpenSSL prior to 1.0.1k, and affects all Android devices that ship with the standard browser, although they say Google Chrome is immune. The flaw also exists in Apple TLS/SSL clients, which are used by both Mac OS X clients, as well as iOS mobile devices. The vulnerability has been designated as CVE-2015-0204.

Researchers say it's not clear how many users, devices or websites are vulnerable to the Freak flaw, or if it has yet been exploited in the wild. But 6 percent - or 64,192 - of the world's 1 million most popular websites (as ranked by Amazon.com Web traffic monitoring subsidiary Alexa) are currently vulnerable to the flaw, according to the Tracking the Freak Attack site, which is run by researchers at the University of Michigan, and can be used to check if clients are vulnerable to Freak attacks.

Researchers from French computer science lab INRIA, Spanish computer lab IMDEA and Microsoft Research have been credited with discovering the flaw and detailing how it can be exploited. "You are vulnerable if you use a Web browser that uses a buggy TLS library to connect, over an insecure network, to an HTTPS server that offers export ciphersuites," they say. "If you use Chrome or Firefox to connect to a site that only offers strong ciphers, you are probably not affected."

In recent weeks, the researchers - together with Green - have been alerting affected organizations and governments. Websites such as Whitehouse.gov, FBI.gov, and connect.facebook.net - which implements the Facebook "like" functionality - were vulnerable to related attacks, but have now been fixed, Green says. But he notes that numerous sites, including the public-facing NSA.gov website, remain vulnerable.

Apple, Google Prep Patches

Apple tells Information Security Media Group that it is prepping a patch, which it plans to release next week. OpenSSL released a related patch in January, and content delivery networks - such as Akamai - say they've either put fixes in place or will do so soon.

While Google didn't immediately respond to a related request for comment, a spokeswoman tells Reuters that the company has already prepped an Android patch and distributed it via the Android Open Source Project to its business partners. She notes that it's now up to those businesses - which include such equipment manufacturers as Samsung, HTC, Sony, Asus and Acer - to prep and distribute patches to their customers. But while some OEMs have a good track record at prepping and releasing patches in a timely manner, others delay, or never release patches.

Businesses and users should install related patches as quickly as possible, says information security consultant and SANS Institute instructor Mark Hofman in a blog post. "To prevent your site from being used in this attack you'll need to patch OpenSSL - yes, again. This issue will remain until systems have been patched and updated, not just servers, but also client software," he says. "Client software should be updated soon - hopefully - but there will no doubt be devices that will be vulnerable to this attack for years to come - looking at you Android."

Crypto Wars 1.0 Legacy

Experts say that the Freak flaw is a legacy of the days when the U.S. government restricted the export of strong encryption. "The SSL protocol itself was deliberately designed to be broken," Green says, because when SSL was first invented at Netscape, the U.S. government regulated the export of strong crypto. Businesses were required to use the relatively weak maximum key length of 512 bits if they wanted to ship their products outside the country.

While those export restrictions were eventually lifted, and many developers began using strong crypto by default, the export-grade ciphers still linger - for example in previous versions of OpenSSL - and can be used to launch man-in-the-middle attacks that force clients to downgrade to the weak crypto, which attackers can crack. "The researchers have identified a method of forcing the exchange between a client and server to use these weak ciphers, even if the cipher suite is not 'officially' supported," Hofman says.
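As an added illustration (not the researchers' SmackTLS tooling and not code from this article), the following Python parses a constructed ClientHello/ServerHello pair and flags the two conditions the researchers describe: the server selecting an export-grade RSA suite, and that suite not being among the ones the client offered, which a correctly implemented client must reject. The cipher suite IDs are the standard RFC 2246/4346 values; the sample records are constructed inline and are not real captures.

```python
"""
Flag FREAK-style TLS downgrades from captured handshake records.

Constructed example: parse a TLS ClientHello and ServerHello, then report
(a) whether the server picked an RSA_EXPORT suite and (b) whether that suite
was even offered by the client. A correct client aborts on (b); a
FREAK-vulnerable TLS library continues the handshake with the weak key.
"""
import struct

# Export-grade cipher suite IDs from RFC 2246 / RFC 4346 appendix A.5
# (suites limited to 512-bit RSA and 40-bit symmetric keys).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + rlen]
    htype, hlen = hs[0], int.from_bytes(hs[1:4], "big")
    if htype != expected_type or len(hs) < 4 + hlen:
        raise ValueError("unexpected handshake message")
    return hs[4:4 + hlen]


def parse_client_hello(record: bytes) -> list:
    """Return the cipher suite IDs the client offered, in preference order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                      # client_version + random
    pos += 1 + body[pos]              # session_id length byte + session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = body[pos:pos + cs_len]
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]


def parse_server_hello(record: bytes) -> int:
    """Return the single cipher suite the server selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32                      # server_version + random
    pos += 1 + body[pos]              # session_id length byte + session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]


def assess(client_hello: bytes, server_hello: bytes) -> dict:
    """Combine both sides of the exchange into a downgrade verdict."""
    offered = parse_client_hello(client_hello)
    chosen = parse_server_hello(server_hello)
    return {
        "chosen": chosen,
        "export_grade": chosen in EXPORT_SUITES,
        "suite_name": EXPORT_SUITES.get(chosen, "0x%04X" % chosen),
        # A correct client must abort here; a FREAK-vulnerable client continues.
        "not_offered_by_client": chosen not in offered,
    }


# --- constructed sample records (not real captures) ------------------------
def _record(htype: int, body: bytes) -> bytes:
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def build_client_hello(suites: list) -> bytes:
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty sid
            + struct.pack("!H", len(cs)) + cs          # cipher_suites
            + b"\x01\x00")                             # one compression method: null
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite: int) -> bytes:
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)


# Client offers only strong suites (AES-128-GCM 0x009C, AES-128-CBC 0x002F) ...
STRONG_HELLO = build_client_hello([0x009C, 0x002F])
# ... yet the ServerHello seen on the wire selects RSA_EXPORT_WITH_RC4_40_MD5,
# the FREAK downgrade condition a monitor or client test harness should flag.
DOWNGRADED_HELLO = build_server_hello(0x0003)
# Honest server reply for comparison.
HONEST_HELLO = build_server_hello(0x009C)

if __name__ == "__main__":
    print(assess(STRONG_HELLO, DOWNGRADED_HELLO))
    print(assess(STRONG_HELLO, HONEST_HELLO))
```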

Hacking NSA.gov

The researchers who discovered the Freak flaw have published a proof-of-concept exploit on the SmackTLS website, demonstrating a tool they developed, together with a "factoring as a service" capability they built and hosted on a cluster of Amazon Elastic Compute Cloud - EC2 - servers. The exploit was first used against the NSA.gov website. "Since the NSA was the organization that demanded export-grade crypto, it's only fitting that they should be the first site affected by this vulnerability," Green says. Cracking the key for the NSA.gov website - which, it should be noted, is hosted by Akamai - took 7.5 hours, and cost $104 in EC2 power, he adds. Were the researchers to refine their tools, both the required time and cost to execute such attacks would likely decrease.

The researchers have reportedly been quietly sounding related alerts about the Freak flaw in recent weeks to vulnerable governments and businesses, hoping to keep it quiet so that patches could be rolled out in a widespread manner before news of the flaw went fully public. But The Washington Post reports that Akamai published a blog post on March 2, written by its principal engineer, Rich Salz, which brought attention to the problem sooner than the researchers had hoped.

Still, the Freak flaw has existed for well over a decade, and follows the 2014 discovery of such new "old" bugs as Heartbleed, POODLE and Shellshock, which existed for years before being found.

Moral: Encryption Backdoors

In the post-Snowden era, many technology giants have moved to use strong encryption wherever possible, in part to assuage customers' concerns that the NSA could easily tap their communications. Apple and Google also began releasing mobile devices that use - or could be set to use - strong crypto by default. And many U.S. and U.K. government officials have reacted with alarm to these moves. Often citing terrorism and child-abuse concerns, many have demanded that the technology firms weaken their crypto by building in backdoors that government agencies could access.

But Green says the Freak flaw demonstrates how any attempt to meddle with strong crypto can put the user of every mobile device, Internet browser or website at risk. "To be blunt about it, the moral is pretty simple: Encryption backdoors will always turn around and bite you ..." he says. "They are never worth it."



Congress Averts DHS Partial Shutdown


Congress, at the 11th hour, passed a bill to fund the Department of Homeland Security for the next seven days, averting for now a partial shutdown that would have curtailed some cybersecurity programs.

Funding of the department was to expire at midnight Feb. 27. Hours before the money was to run out, the Senate voted to fully fund DHS through September, the end of the fiscal year. The House, however, refused to take up that measure, and instead rejected a bill that would have funded DHS for three weeks. After the House failed to pass a funding bill, the Senate approved "a one-week patch," which the House enacted around 10 p.m. EST.


Without the temporary funding, a partial shutdown of DHS would have occurred. Critical IT security operations such as those that defend against cyber-attacks aimed at the government and the nation's critical infrastructure would have continued to function. But other cybersecurity initiatives, such as the rollout to agencies of the Einstein 3 intrusion prevention system and continuous diagnostic and mitigation systems to identify IT vulnerabilities, would have been placed on hold.

Still, Congress will have to pass a new appropriation if DHS is to continue fully operating beyond March 6.

DHS funding is caught in a political battle between Democrats and Republicans over immigration reform. The House last month approved a DHS funding bill without appropriating money for an executive action President Obama took on immigration, a move opposed by nearly all Republicans. The Senate, as a compromise, agreed to vote on two bills; one to fully fund DHS through September, which passed, and a second measure to strip the immigration provisions, which failed to muster the 60 votes needed to break a Democratic filibuster.

An estimated 80 percent of DHS employees would have worked during the partial shutdown, but without pay, with the remainder of the staff being told not to report to work. At the National Protection and Programs Directorate, the department unit responsible for cybersecurity and infrastructure protection, 57 percent of personnel would have remained on the job. In the 2013 federal government shutdown, all employees were paid once Congress funded operations.

Mark Weatherford, the former DHS deputy undersecretary for cybersecurity, said even with the shutdown being averted, at least temporarily, the potential exists of losing skilled IT security staffers, a matter that "is a more important issue than the stopping of the Einstein 3 or the CDM funding programs."

Even the threat to fail to fund DHS could drive key IT security personnel from the department, Weatherford said, adding that he knows of private-sector recruiters waiting to "pluck these people" out of DHS because they feel disgruntled by being victims of a political skirmish over immigration.

"The impact on morale is tremendous," says Weatherford, a principal at the security advisory firm The Chertoff Group. "To be treated like you really have no value, like you're a pawn in this game, is just not right. These people have greater value than that. They have opportunities, and you don't treat people with opportunities like this."

Sizing Up the Impact of Partial DHS Shutdown

The expansion of some major federal government cybersecurity initiatives would be suspended if Congress does not fund the Department of Homeland Security by week's end, triggering a partial shutdown.

Initiatives to expand the Einstein 3 intrusion prevention and continuous diagnostic and mitigation programs to a number of federal civilian agencies would be placed on hold if Congress fails to come up with the money by Feb. 27, when a temporary DHS appropriation ends.

"A shutdown would prevent us from bringing aboard those [programs] and essentially stop those agencies from receiving the protection that they need from the cyberthreats out there," says Andy Ozment, DHS assistant secretary for cybersecurity and communications.

About 43 percent of the staff at the National Protection and Programs Directorate - the DHS entity that oversees its cybersecurity programs - would be furloughed if Congress fails to enact funding legislation that President Obama would sign, according to an estimate by the Congressional Research Service. Ozment says that furlough figure includes 140 employees from the National Cybersecurity and Communications Integration Center, the DHS unit that coordinates cyberthreat information sharing with federal agencies; local, territorial, tribal and state governments; the private sector; and international organizations.

Will Systems Be at Risk?

Although Ozment, in testimony earlier this month to a House panel, said the furloughs would have an adverse impact on the government's cybersecurity activities, he stopped short of saying federal IT systems would be placed at risk by a partial shutdown.

"Without these staff, the NCCIC's capacity to provide a timely response to agencies or critical infrastructure customers seeking assistance after a cybersecurity incident would be decreased, and we would be less able to conduct expedited technical analysis of cybersecurity threats," Ozment testified at a Feb. 12 hearing of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies.

Funding DHS's cybersecurity initiatives - which has widespread support from among Democrats and Republicans in Congress - is caught up in a highly partisan political battle over President Obama's executive order to shield millions of illegal immigrants in the United States from deportation. The House in January passed a DHS appropriations bill that would fund most department programs, including those for cybersecurity, but withholds money from initiatives that would support Obama's executive action on immigration. With a threat of a Senate filibuster by Democratic members, as well as a presidential veto, the House bill has stalled in the upper chamber.

Lamentable But Not Perilous

Jason Healey, a cybersecurity expert at the think tank The Atlantic Council, says he doubts the failure to fund DHS cybersecurity initiatives would create significant risk to either government or critical private networks. "That seems like it's a lamentable thing that they can't continue [funding], but it doesn't worry me too much," he says, adding that other federal agencies work to help safeguard government networks and critical IT systems in the private sector, including the FBI.

Besides the temporary suspensions of the Einstein 3 and continuous diagnostic and mitigation programs, also known as continuous monitoring, Ozment said a partial shutdown would halt development of new programs to secure IT. "We would be unable to continue planning our next generation of information sharing capabilities that are necessary to make our information sharing real-time and automated in order to enable us to combat highly sophisticated cyberthreats," he said.


Our SIM cards are secure despite alleged hack

Gemalto's SIM cards for mobile phones are secure despite purported hacks by US and UK spy agencies, the company announced Monday.

A report released Thursday by online publication The Intercept claims that the US National Security Agency and the UK's Government Communications Headquarters, or GCHQ, hacked into Gemalto's internal network and stole the encryption keys used to secure the company's SIM cards. The Amsterdam-based company said last week it would fully investigate the claim.

On Monday, the company said that "initial conclusions" indicate that its SIM cards and other products are "secure" and that it doesn't expect any "significant financial prejudice." Gemalto added that it plans to host a press conference and issue a statement on Wednesday to reveal more information about results of its investigation.

Gemalto sells its SIM cards to 450 carriers around the world, including AT&T, Verizon, T-Mobile and Sprint. Each card holds the subscriber's identity and a secret authentication key that the carrier keeps a matching copy of; the phone uses that key to prove itself to the network and to derive the session keys that encrypt calls and texts over the air. The cards can also store the subscriber's phone number, contacts and text messages. That per-card secret is what the encryption keys in the report refer to, and anyone who obtains it can derive the same session keys the network does.

The Intercept was founded by journalist Glenn Greenwald and is the means through which NSA contractor-turned-whistleblower Edward Snowden's revelations about government spying were first released. Citing documents from Snowden, The Intercept's report last week charges that a joint unit of the NSA and GCHQ hacked the SIM card encryption keys used by Gemalto and possibly other vendors.

The report of the hack, which allegedly occurred in 2010 and 2011, has raised red flags because it would mean that the spy agencies can decrypt mobile voice and data communications around the world from traffic they capture passively over the air, without any cooperation from the carriers.

Using stolen keys, the NSA and GCHQ could intercept mobile communications without getting approval from telecom providers or foreign governments, The Intercept's report alleges. Holding the keys would remove any need to go to a carrier, and with it any need to obtain a legal warrant.
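To make concrete why a stolen per-card key is enough for passive interception, the following Python models the GSM challenge-response and traffic encryption from both sides. It is an added example, not code from Gemalto, The Intercept or this page's source, and it makes two assumptions: HMAC-SHA256 stands in for the SIM's real A3/A8 algorithms (COMP128 or Milenage), and a SHA-256 counter keystream stands in for the A5 stream cipher. The sample Ki and RAND values are constructed for the demonstration and are not real subscriber keys.

```python
import hashlib
import hmac

# Constructed sample values, not real subscriber keys: a 128-bit Ki as it
# would be personalised into a SIM and mirrored in the carrier's
# authentication centre (AuC), and a 128-bit challenge the network sends.
SAMPLE_KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_RAND = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")


def a3a8(ki: bytes, rand: bytes):
    """Stand-in for the SIM's A3/A8 algorithms.

    Real SIMs run COMP128 or Milenage; this example substitutes HMAC-SHA256
    (an assumption so the code runs offline). Output sizes match GSM:
    SRES is the 32-bit response, Kc the 64-bit session key.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def keystream(kc: bytes, frame: int, length: int) -> bytes:
    """Stand-in for the A5 stream cipher: a counter-mode keystream derived
    from Kc and the frame number (assumption; A5/1 is an LFSR design)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            kc + frame.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def authenticates(ki_sim: bytes, ki_auc: bytes, rand: bytes) -> bool:
    """Network side: the AuC computes the expected SRES from its copy of Ki
    and compares it with the SRES the handset returns for the same RAND."""
    expected_sres, _ = a3a8(ki_auc, rand)
    sres, _ = a3a8(ki_sim, rand)
    return hmac.compare_digest(sres, expected_sres)


def run_session(ki_sim: bytes, ki_auc: bytes, rand: bytes,
                frame: int, plaintext: bytes) -> dict:
    """One authentication followed by one encrypted frame.

    Only RAND, SRES and the ciphertext cross the air interface; Ki and Kc
    never leave the SIM or the AuC. The returned dict is exactly what a
    passive listener could record.
    """
    if not authenticates(ki_sim, ki_auc, rand):
        raise PermissionError("SRES mismatch: handset rejected by network")
    _, kc = a3a8(ki_sim, rand)
    ciphertext = xor_bytes(plaintext, keystream(kc, frame, len(plaintext)))
    return {"rand": rand, "frame": frame, "ciphertext": ciphertext}


def passive_decrypt(ki_stolen: bytes, capture: dict) -> bytes:
    """What a listener holding a stolen Ki can do with a passive capture:
    re-derive Kc from the overheard RAND and strip the encryption, with no
    request to the carrier and no interaction with the handset."""
    _, kc = a3a8(ki_stolen, capture["rand"])
    return xor_bytes(capture["ciphertext"],
                     keystream(kc, capture["frame"], len(capture["ciphertext"])))


if __name__ == "__main__":
    capture = run_session(SAMPLE_KI, SAMPLE_KI, SAMPLE_RAND, 42,
                          b"call setup: +1 555 0100")
    print("over the air:   ", capture["ciphertext"].hex())
    print("with stolen Ki: ", passive_decrypt(SAMPLE_KI, capture))
    print("with wrong Ki:  ", passive_decrypt(bytes(16), capture))
```

The point the model makes is that RAND is transmitted in the clear and Kc is a deterministic function of Ki and RAND, so whoever holds a copy of Ki can reproduce every session key from a recording alone. Rotating Ki is not possible without reissuing the card, which is why a compromise of the key-personalisation supply chain, rather than of any single phone, is what the report describes.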

Gemalto's security team started its investigation on Wednesday after the company was contacted by The Intercept. Gemalto's team attempted to determine how its network could have been compromised but could find no trace of any hacks, The Intercept reported. Paul Beverly, a Gemalto executive vice president, was also asked by The Intercept if the NSA or GCHQ had ever requested access to the SIM card encryption keys.

"I am totally unaware," Beverly told the publication. "To the best of my knowledge, no."
