The failures that led to Edward Snowden walking out the door with a massive cache of NSA data four years ago were not the kind that normally make their way into the public’s line of sight. Those failures were organizational, technical, and procedural, and the agency had to take a hard look at itself in the aftermath of Snowden’s theft, the NSA’s former deputy director said.
“If you’d asked me in the spring of 2013 what’s the state of your defense of the business, I would’ve said it’s good but not perfect. We don’t take our eye off the ball, we don’t assume we can chase everything down. We’d have said we vet the insiders the old-fashioned way,” Chris Inglis, the former deputy director of NSA, said in a talk at the RSA Conference here Thursday.
“Cybersecurity professionals don’t have experience dealing with traditional investigations. These cases are complex because you often don’t have the data you need to tell the story. We need to find a way to help companies characterize what’s going on. It’s a problem we haven’t really thought about for a long time,” Milan Patel, a former FBI cyber investigator and current managing director of cyber investigation and incident response at K2 Intelligence, said during a panel discussion on cyber espionage at the RSA Conference here Wednesday.
In one recent case, Patel was called in to a large real estate company to investigate an administrator who had given himself extra network privileges. The admin then got access to the Exchange server and began reading emails sent by the company’s executive team. During the investigation, Patel discovered that several other people had unnecessary elevated privileges, but the firm didn’t have a way to track when the employees had gotten those rights or how. The company also didn’t have any way to do forensics on the employee’s laptop or phone.
“Lots of people are being infected and lots of people are paying. The bottom line is it’s getting worse and it’s going to continue to do so,” Jeremiah Grossman, chief of security strategy at SentinelOne, said during a talk on the ransomware epidemic at the RSA Conference here Monday. “Seven-figure ransoms have already been paid. When you’re out of business, you’ll pay whatever you have to in order to stay in business. You’re dealing with an active, sentient adversary.”
The ransomware market seems to be headed in the same direction as real-world kidnapping, where high-profile targets take out insurance policies to pay ransoms. Grossman said it probably won’t be long before the insurance companies latch onto the ransomware game, too.
“The insurance companies are going to see a large profit potential in this. Kidnapping and ransom insurance is still very boutique. This economic model will probably apply equally well to ransomware,” he said.
Trailrunner7 writes: A group of influential lawmakers, including Sen. Ed Markey and Sen. Ron Wyden, is pressing the Trump administration for answers about how an executive order that includes changes to the Privacy Act will affect non-U.S. persons and whether the administration plans to release immigrants’ private data.
The letter comes from six senators who are concerned about the executive order that President Trump issued two weeks ago, which excludes from privacy protections people who aren’t U.S. citizens or permanent residents. The order is mostly about changes to immigration policy, but Trump also included a small section that requires federal government agencies to exclude immigrants from Privacy Act protections.
On Thursday, Markey, Wyden, and four other senators sent a letter to Secretary of Homeland Security John Kelly, asking a series of 10 questions about how the exclusion would be implemented, what it would cost, and whether the government plans to release the private data of people affected by the order.
“These Privacy Act exclusions could have a devastating impact on immigrant communities, and would be inconsistent with the commitments made when the government collected much of this information,” the senators say in the letter to Kelly.
Roger Anderson last year debuted his Jolly Roger bot, a system that intercepts robocalls and puts the caller into a never-ending loop of pre-recorded phrases designed to waste their time. Anderson built the system as a way to protect his own landlines from annoying telemarketers and it worked so well that he later expanded it into a service for both consumers and businesses. Users can send telemarketing calls to the Jolly Roger bot and listen in while it chats inanely with the caller.
Now, Anderson is targeting the huge business that is the Windows fake support scam. This one takes a variety of forms, often with a pre-recorded message informing the victim that technicians have detected that his computer has a virus and that he will be connected to a Windows support specialist to help fix it. The callers have no affiliation with Microsoft and no way of detecting any malware on a target’s machine. It’s just a scare tactic to intimidate victims into paying a fee to remove the nonexistent malware, and sometimes the scammers get victims to install other unwanted apps on their PCs, as well.
Anderson plans to turn the tables on these scammers and unleash his bots on their call centers.
Trailrunner7 writes: The House of Representatives has passed the Email Privacy Act, which requires law enforcement agencies to get a search warrant in order to obtain emails and some other stored records that are older than six months.
The legislation is an effort to modify the old Electronic Communications Privacy Act to reflect the way that service providers handle and store email. When the ECPA became law in 1986, service providers generally didn’t store their customers’ email messages for long periods of time. The ISPs mainly acted as forwarding services, and the ECPA allowed the government to access emails older than 180 days without a search warrant because those messages were considered abandoned.
The Email Privacy Act would update that rule, and on Monday the House passed the bill by voice vote. The legislation now moves on to the Senate, where it stalled last year after passing the House unanimously. Rep. Kevin Yoder (R-Kansas) and Rep. Jared Polis (D-Colo.) reintroduced the Email Privacy Act in January and urged their colleagues to move it along quickly to close the warrantless search loophole.
Trailrunner7 writes: When the Mirai botnet burst onto the scene last year, it did so in style, with two of the largest DDoS attacks on record. One of the initial targets of its wrath was the site run by reporter Brian Krebs, and the attack set off a chain reaction that not only took the site offline but eventually got Google’s anti-DDoS team involved.
Mirai is not the typical botnet, for a number of reasons, including the fact that many of the compromised machines that make it up are actually IoT devices, not normal computers. There are hundreds of thousands of DVRs, CCTV cameras, and other devices in the Mirai network, and attackers have used the botnet to generate enormous attacks. The attack on Krebs on Security hit a peak of more than 600 Gbps, and one that hit French hosting provider OVH a few weeks later was around 1 Tbps.
When the attackers targeted Krebs’s site, it was protected by DDoS mitigation services provided by Akamai. But the company eventually had to drop its protection, which it was providing for free, because the size of the attack was affecting its ability to protect other customers. So Krebs contacted Google, which runs Project Shield, a free DDoS protection service for journalists, news providers, and other sites. The service protects hundreds of sites now, and when Krebs reached out to Google, the company’s anti-DDoS team took on the challenge.
Trailrunner7 writes: Security teams are frustrated constantly by users who ignore warnings about phishing sites, bad certificates, or malware, and just click through to get wherever they were going. It turns out that behavior probably isn’t the users’ fault. It’s just human nature.
There are many reasons why this behavior persists, even when users are told in no uncertain terms that continuing to a site or downloading a browser extension will harm their computer. Much of it has to do with the fact that humans aren’t very good at doing more than one thing at a time, despite the modern emphasis on multitasking. In fact, people are pretty terrible at handling multiple tasks.
“Most people think they’re good at multitasking, but the truth is we’re all bad at it, and in security that has serious implications,” Anthony Vance, an associate professor of information systems at Brigham Young University, said in a talk on neuroscience and usable security at the Enigma conference here Tuesday.
Vance studies the way that the brain responds to certain inputs, especially when there are more than one. When a person is trying to do two things at once, his effectiveness at doing those tasks can go down, a phenomenon known as dual-task interference (DTI). In his work, Vance has found that people are significantly worse at responding appropriately to a browser security warning message when they’re performing other tasks on the computer than they are when the warning comes while they’re idle. So he worked with engineers on Google’s Chrome team to find better times to display warnings, such as when a video has finished playing or while a page is loading.
Trailrunner7 writes: Facebook has developed a new account-recovery system that eschews the typical communications channels used for this process, and instead relies on a user’s connections with other services. The scheme allows users to regain access to accounts without providing any identifiable information to other services.
The Delegated Recovery system, which Facebook introduced at the Enigma conference here Monday, could be a major step forward in the way that sites handle the messy and sensitive process of account recovery. Right now, most sites use either email, SMS, or a combination of the two when a user needs to recover her account. A user typically clicks on a link, which will generate an email or text with a link that the user can follow to reset a password or go through other account-recovery steps.
The system that Facebook has implemented allows a user to link her Facebook account with an account on another site. Instead of using email or SMS, the two sites exchange cryptographically secured packages with data tokens. The two sites don’t exchange any identifiable information about the user during the process, and the communications are done over HTTPS.
“The only thing that gets learned is that you have an account on the other site,” said Brad Hill, a Facebook engineer, who spoke at the Enigma conference. “No user-identifiable information is exchanged, so it’s not tied to a username, or email, or phone number.”
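The exchange Hill describes, as an added illustration rather than Facebook’s code or the Delegated Recovery specification: a toy account provider and recovery provider in Python. The site names (`shop.example`, `recovery.example`), the user `alice@shop` and the field names are constructed for the example, and HMAC under each site’s own secret stands in for the asymmetric signatures a real deployment would use, with the recovery provider handing out a verify function where a real site would publish a public key. What it is meant to show is the property from the quote: the package that crosses between the sites carries only an opaque token id, the mapping from that id to a real account never leaves the account provider, and a countersigned token is accepted exactly once.

```python
import copy
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional


def _canon(obj) -> bytes:
    # Canonical JSON so both sites authenticate exactly the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class RecoveryProvider:
    """Site that stores the token (Facebook's role in the article)."""
    def __init__(self, name: str):
        self.name = name
        self._key = secrets.token_bytes(32)
        # Keyed by this site's own login; it never learns the other site's username.
        self._saved: dict[str, dict] = {}

    def save_token(self, rp_user: str, token: dict) -> None:
        if token["body"]["audience"] != self.name:
            raise ValueError("token is not addressed to this recovery provider")
        self._saved[rp_user] = token

    def countersign_for_recovery(self, rp_user: str) -> dict:
        # Called only after rp_user has re-authenticated here.
        token = self._saved[rp_user]
        return {"token": token, "countersigner": self.name,
                "countersign_mac": _mac(self._key, _canon(token))}

    def verifier(self) -> Callable[[dict], bool]:
        # Stand-in for publishing a public key: hands out a verify function,
        # not the secret. A real deployment would use asymmetric signatures.
        def verify(cs: dict) -> bool:
            expected = _mac(self._key, _canon(cs["token"]))
            return hmac.compare_digest(cs["countersign_mac"], expected)
        return verify


class AccountProvider:
    """Site whose account is being recovered."""
    def __init__(self, name: str, rp_name: str, rp_verify: Callable[[dict], bool]):
        self.name = name
        self.rp_name = rp_name
        self._rp_verify = rp_verify
        self._key = secrets.token_bytes(32)
        # token id -> local user. This mapping stays here, so the token on the
        # wire carries no username, email address or phone number.
        self._tokens: dict[str, str] = {}

    def issue_token(self, local_user: str) -> dict:
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = local_user
        body = {"id": token_id, "issuer": self.name, "audience": self.rp_name,
                "issued_at": int(time.time())}
        return {"body": body, "issuer_mac": _mac(self._key, _canon(body))}

    def recover(self, countersigned: dict) -> Optional[str]:
        token = countersigned["token"]
        body = token["body"]
        # 1. Our own MAC: we issued this token and nobody altered it.
        if not hmac.compare_digest(token["issuer_mac"], _mac(self._key, _canon(body))):
            return None
        if body["issuer"] != self.name or body["audience"] != self.rp_name:
            return None
        # 2. The recovery provider's countersignature: the user proved
        #    themselves there before this came back to us.
        if countersigned["countersigner"] != self.rp_name or not self._rp_verify(countersigned):
            return None
        # 3. One shot: pop so a captured countersigned token cannot be replayed.
        return self._tokens.pop(body["id"], None)


def demo() -> dict:
    rp = RecoveryProvider("recovery.example")
    ap = AccountProvider("shop.example", rp.name, rp.verifier())

    # Enrolment: the user links the two accounts; only the opaque token crosses.
    token = ap.issue_token("alice@shop")
    rp.save_token("alice-rp-login", token)

    # Recovery: the user re-authenticates at the recovery provider, which
    # countersigns the stored token and hands it back to the account provider.
    cs = rp.countersign_for_recovery("alice-rp-login")
    tampered = copy.deepcopy(cs)
    tampered["token"]["body"]["id"] = "0" * 32      # forged token id
    return {
        "tampered": ap.recover(tampered),            # None: issuer MAC fails
        "first": ap.recover(cs),                     # "alice@shop"
        "replay": ap.recover(cs),                    # None: already consumed
        "on_the_wire": json.dumps(token),
    }
```

Running `demo()` returns the local account only for the untouched, first-use countersigned token; the forged id fails the issuer’s own check before the countersignature is even looked at, and the serialized token that crossed between the sites contains nothing that names the user.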
A small section of the executive order, which mostly focuses on changes to immigration policy and enforcement, lays out a change that will force federal agencies to rewrite their privacy policies to make sure that anyone who isn’t a U.S. citizen or permanent resident isn’t covered by the policy.
“Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” the order says.
Privacy and legal experts say the change is a signal from the Trump administration that it intends to move away from the privacy policies Barack Obama established during his administration.
“It’s not something we expected to see in an immigration order and it’s important to take note of because it specifically highlights the fact that we have yet to take action to extend legal protections to citizens of other countries. It really importantly applies only to the Privacy Act protections and it’s saying that they’re limiting the protections afforded to non-U.S. persons, and that’s significant in and of itself,” said Amie Stepanovich, U.S. policy manager at Access Now.
The bill is sponsored by Rep. Ted Lieu (D-Calif.) and Rep. Joe Wilson (R-S.C.), and it’s another indication that federal regulators are taking a hard look at the security of a wide range of devices, including vehicles, medical devices, and IoT gear. The main thrust of the bill is to require the National Highway Traffic Safety Administration, along with NIST, the FTC and the Secretary of Defense, to produce a study on the necessary standards for regulating the cybersecurity of vehicles.
The FTC filed complaints against two separate groups of defendants, the leaders of which have both been involved in previous legal actions for robocalling operations. The defendants each controlled several different corporate entities that were involved in selling home security systems, extended auto warranties, and other products through repeated automated phone calls. Many of the calls were to numbers on the Do Not Call (DNC) list, a violation of the telemarketing regulations.
The two main defendants in the complaints are Justin Ramsey and Aaron Michael Jones, and in separate actions, they and many of their co-defendants have agreed to court-ordered bans on robocall activities and financial settlements. The FTC alleges that Ramsey directed an operation that made millions of robocalls a month.
The Anthem data breach is one of the larger health care-related incidents ever in the United States, and it has cost the company $260 million so far in technology improvements, credit monitoring, and other expenses. Anthem officials discovered the breach in January 2015 and disclosed it publicly the following month. The attack began, as many such incidents do, with a spearphishing email, which an employee of one of Anthem’s subsidiaries opened. That led to the installation of malware on the employee’s machine, and the attacker then moved on to compromise at least 90 other computers in the organization, according to the report.
Anthem hired security firm CrowdStrike to investigate the intrusion, and the California Department of Insurance conducted an analysis of the event, as well. The analysts came to the conclusion that operators from a foreign government had initiated the attack. The report does not specify which government was involved, however.
The new report is the result of an order from President Barack Obama to investigate whether elements of the Russian government hacked U.S. networks in the months leading up to the election. There will be a classified version of the report delivered to Congress, as well as an unclassified version released to the public. In a hearing before the Senate Armed Services Committee Thursday, senior intelligence officials said they are highly confident that Russian intelligence was behind a number of intrusions tied to the election.
“This was a multifaceted campaign. The hacking was only one part of it. It included classical propaganda, fake news, disinformation,” said Director of National Intelligence James Clapper during Thursday’s hearing.
The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself.
In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1.