Latest CyberSec News & Related

ꕤ Article SOURCE as indicated Universal Music abusing the DMCA ie #Copyright Act rightsholders MUST consider FAIR USE prior take-down issues http://boingboing.net/2015/09/14/eff-scores-a-giant-victory-for.html #India IT security =  1.2 billion in 2016 http://www.consultancy.uk/news/2591/indian-IT-security-market-reaches-12-billion-next-year #Microsoft signs landmark agreement with #NATO re govt #cybersecurity / solidification relationship http://www.neowin.net/news/microsoft-signs-agreement-with-nato-to-bolster-government-cybersecurity Intel in #cybersecurity - auto-mobiles auto security board set up: Automotive Security Review Board (ASRB) Intel Security (formerly McAfee) published a whitepaper re automotive security best practices http://forexreportdaily.com/2015/09/14/6873-intel-in-cyber-security-driving-seat-sets-up-connected-auto-security-board/ NSA Recruiting / Scholarships USA Colleges vie to entice w. NSA cyber program scholarship stipulation = NSA job on degree http://fedscoop.com/colleges-vie-to-entice-students-with-nsa-cyber-program USA + China meet re #cybersecurity - White House Kerry, Rice + Homeland Sec. Jeh Johnson > comm. competition blocks USA whining that the following  stop US competing on level playing field in China: fines opaque regulatory system http://www.lidtime.com/u-s-chinese-officials-meet-on-cyber-security-issues-white-house-5652/ University of Texas at San Antonio grant puts city on centre #cybersecurity stage emerging cybersecurity + tech hub / expressnews (subscipt) #cybersecurity #hacker Millennial Gen / Gen Y born post 1980 social media over-sharing / lax security http://www.afr.com/technology/a-third-of-millennials-warned-by-employers-over-social-media-posts-norton-20150914-gjlw1h Cybersecurity Bill  |  CISA   |  USA Cybersecurity Information Sharing Act (CISA) Light on Security legal immunity for sharing cyber-intel with govt PRIVACY implications / poised to pass http://foreignpolicy.com/2015/09/14/a-cybersecurity-bill-light-on-security-heavy-on-corporate- Jeb Bush wants USA Internet gov. against transfer of  ICANN oversight to multistakeholders Following Presidential candidates also get a mention re cybersec: Rubio - Marco Rubio Fiorina - Carly Fiorina http://fedscoop.com/jeb-bush-unveils-cybersecurity-plan Clinton appears to be  the CYBERSEC & MILLENNIAL candidate #Clinton2016 'Best Choice' Cybercrime Wakefield Research poll - 42% over half millennials Dems better http://www.inc.com/will-yakowicz/poll-hillary-clinton-most-qualified-presidential-candidate-for-cyberattack.html Hackers hit the Kremlin  #Russia target: election commission website sounds like DDoS http://thehill.com/policy/cybersecurity/253609-hackers-hit-the-kremlin #cybersecurity #banking #cloud x4 US banks agreement w/ regulators re 'guaranteed data deletion' issues Symphony = service created thru consortium of 14 financial instutions Goldman Sachs Deutsche Bank Credit Suisse Bank of New York Mellon = guaranteed data deletion / hinder regulators + prosecutors to investigate misconduct? Does use of Symphony re communications = regulators avoidance? [ I'm not clear on that] http://www.stockhouse.com/news/newswire/2015/09/14/four-us-banks-reach-agreement-with-regulators-on-guaranteed-data-deletion-issues #Russia Yuri Ushakov fmr career diplomat fmr deputy Foreign Minister PhD:  history 2008 appointment Putin deputy chief staff foreign-policy + international economics [various sources - incl. Foreign Policy] #cybersecurity DECEPTION SOFTWARE  / HONEYPOT SOFTWARE Deception to Catch #hacker fake network component, server or database to study their behaviour DECEPTION cybersecurity aims: 1. ID intruders / share info 2. drains hacker resources until aware duped 3. study hackers Deception has long been part of the art of war WWII, USA & British armies set up fake camps to dupe Germans / Penny Crosman {cybersec} Honeypot software = fake system = sits on network = exposes fake or real services to the attacker new gen. honeypot software = called 'deception software' centrally managed, integrated w/ other security software deception software popular with:  financial services x4 layers  (ie "deception stack"): network endpoint application data each layer of x4 deception software = has deception capabilities deception layers: eg. fake credentials in browser caches of decoy workstations, phony files & data sets. deception layers: eg. endpoint set up to look like it runs eg Windows, when is a Linux machine. deception layers: eg. fake OS = deceive malware into attacking vulnerabilities OS does not have. deception strategy: once intruder detected / continue to 'entertain' *find out what intruder knows re system decoy documents eg fake 'new product designs' = embedded w/ tracking element = knowing when & where opened deception software hidden tech in documents = beacon calling 'home' = info re intruder DECEPTION software providers: Attivo Networks TrapX Security Allure Security Technology CyberTrap Cymmetria ForeScout GuardiCore Hexis Cyber Solutions LogRhythm Percipient Networks Rapid7 Shape Security Specter TopSpin Security DECEPTION software LIMITATIONS If the hacker: 1) obtained correct credentials re system 2) knows where to look ie ... if not rummaging, knows where to go & where to get it, deception software ineffective Deception software = not foolproof = but significantly raises odds of detection & lowers false positives http://www.americanbanker.com/news/bank-technology/deception-may-be-the-best-way-to-catch-cybercriminals-1076667-1.html #cybersecurity US Dept Commerce rethinking proposed rule controlling  EXPORT of hacking TOOLS / intrusion software b/c stifles research source (subscription) http://www.law360.com/articles/702478/commerce-to-revise-cyber-rule-said-to-hamper-research #cybersecurity #hacker Cisco routers vulnerable to new attack attacks replace OS used in network Cisco equip. Cisco router attacks = x14 instances of router implants found in: India Mexico Philippines Ukraine http://www.reuters.com/article/2015/09/15/us-cybersecurity-routers-cisco-systems-idUSKCN0RF0N420150915 Malvertising #cybersecurity #hacker Malvertising Campaign Rages Undetected For 3 Weeks / manipulate ad networks' chain of trust Malvertising = number of new tactics to make attackers harder to track down eg use domain names registered years ago w/ BBB #Hacker = look like legit bus. using real-time bidding = ads clean = ads redirected to point for download malicious code ads  thru encrypted HTTPS channel = lets third party directly serve up content + encrypt comm. / no inspect. Malvertising attackers used Google URL shortener in redirects Malwarebytes + Google working to solve Malvertising hits, incl: http://ebay.co.uk  http://drudgereport.com  http://answers.com Malvertising compromised various small ad networks + major ad networks, incl DoubleClick, AppNexus + ExoClick Malvertising hits, adult, incl: nuvid.com upornia.com eroprofile.com very low-cost intro packages = attacker opportunity for short campaigns w/ small investments http://www.darkreading.com/attacks-breaches/malvertising-campaign-rages-undetected-for-3-weeks/d/d-id/1322169 #cybersecurity National Cyber Security Hall of Fame 2015 INDUCTEES Thu 29th Sept x5 - listed http://news.sys-con.com/node/3456101 #cybersecurity - REPORT - Insurance PWC Insurance 2020 & beyond: Reaping the dividends of cyber resilience http://www.pwc.com/gx/en/industries/financial-services/insurance/publications/insurance-2020-cyber.html #cybersecurity #insurance market to reach $7.5 billion annual premiums by end 2020 & min.  $5 billion by 2018 insurance co's may MITIGATE risks by partnering w/ technology co's + data sharing b/w insurance co's Insurer mitigation also by: conditional regular risk assessments of client ops & required remedies re reviews http://www.pymnts.com/in-depth/2015/cyber-insurance-market-to-thrive-triple-by-2020/ #military DOD - Overhaul of Military Ground Systems in favour of single UNIFIED system for satellite networks Satellite networks multiple siloed ground systems aka “stove-piped” =  inhibits security, resiliency, agility & affordability stovepiped / single ununified systems =  op systems each functioning w/ unique proprietary software from contractors #military ground systems - USG wants to move away from reliance original contractor / own tech baseline / free up competition DOD overhaul aim: *control interfaces + standards *no limits interface / proprietary s/w *no contractor control architecture DOD overhaul of military ground systems goals  *agility  *automation  *security  *resilience  Cost savings = inherent result cybersecurity = too many interfaces + incongruous software: *multiple cyber attack surfaces *must be defended individually Enterprise Ground System (EGS) / DOD interested in using #cloud tech for EGS / type undecided / Airforce favours private (b/c physically reside w/in operation centres) http://www.satellitetoday.com/regional/2015/09/14/dod-prepares-for-overhaul-of-military-ground-systems/ NYSE STUDY by Veracode 2015 Survey #cybersecurity in the Boardroom - 8pg PDF https://www.veracode.com/sites/default/files/Resources/Whitepapers/cybersecurity-in-the-boardroom-whitepaper.pdf Associated article: Boardrooms and cyber security http://thetandd.com/news/boardrooms-and-cyber-security/article_5edccb5b-aed1-5e88-b2e4-0dd396d5540d.html Twitter hired a trio of firms / first outside lobbyists to work DC spent $160K / first-half http://www.odwyerpr.com/story/public/5332/2015-09-14/twitter-enters-dc-lobbying-fray.html quantum encryption quantum random number  generator | Entropy Engine / 200 million random Nos. http://www.santafenewmexican.com/news/health_and_science/science-on-the-hill-for-cybersecurity-in-quantum-encryption-we/article_2ce4c8bb-78fa-5dbc-826f-ffdd33501ae3.html WEBINAR - cybersecurity Former NSA Tech. Dir. Jim Penrose cyber ops expert subtle traces compromise detection http://www.bankinfosecurity.com/webinars/view-from-inside-intelligence-driven-approaches-to-cyber-detection-w-764 #Germany #cybersecurity new IT Security Law July 24, 2015 foresees admin fines 4-yr evaluation *overview & links http://www.natlawreview.com/article/what-you-need-to-know-about-germany-s-cybersecurity-law #cybersecurity #hacker 9 FBI Warnings / risks posed by Internet of Things ('IoT') x10 device examples http://www.defenseone.com/threats/2015/09/fbi-department-homeland-security-warnings-internet-connected-everyday-objects/120905/ IronNet fmr  NSA Director Keith Alexander raised $7.5 million in equity re IronNet #Cybersecurity pt  $25-m Trident Capital financing IronNet Cybersecurity funds to go to: *cybersecurity products *building the company’s workforce http://www.bizjournals.com/baltimore/blog/cyberbizblog/2015/09/keith-alexander-led-ironnet-cybersecurity-raises-7.html #cybersecurity digital tax fraud  skyrocketed over last year / data breaches PROPOSED bill re notices ID theft almost half USA states = reported spikes in electronic filing fraud = Minnesota stopped accepting some electronic returns http://thehill.com/policy/cybersecurity/253542-senate-committee-will-mark-up-digital-tax-fraud-bill #cybersecurity new chip developed by Xerox = self-destruct on command Gorilla Glass / shattering chip Potential use:   storage device for encryption keys https://www.siliconrepublic.com/enterprise/2015/09/14/self-destructing-chip-xerox Korean-based SK Telecom + Greenville USA co. to develop vehicle cybersecurity /  Quantum Cryptography ... securely distributes a secret key to legitimate parties. Here, a key is a table of random numbers shared by legitimate users in such a way that the information is known only to them, and secure means secure against any possible eavesdropping, which is the highest level of security. The system is expected to enhance security of critical network infrastructure. Currently, most systems, including the connected vehicle ecosystems, use software-based pseudo-random number generators for encryption, meaning that they can fall vulnerable to hackers who decrypt the sequence of digits. Once developed for commercial use, SK Telecom’s technology will eliminate such concerns for security as it generates true random numbers based on hardware. http://gsabusiness.com/news/55654-greenville-center-korean-firm-to-develop-vehicle-cybersecurity #cybersecurity E-ZPass vulnerable to hackers, ID thieves + govt spying / not using encryption E‑ZPass = electronic toll-collection system =  tolled roads, bridges, & tunnels USA http://www.whdh.com/story/30022568/report-e-zpass-vulnerable-to-hackers-identify-thieves #SouthAfrica #law proposed bill too broad consequences beyond remit / state cyberwarfare / warrantless seizure #SouthAfrica /  penalties - to 25 years in prison /  has until Nov 30 to submit comment on proposed bill. http://www.zdnet.com/article/south-africa-gets-first-look-at-cybercrime-bill-that-comes-with-25-year-jail-terms/ #Tor .onion domain = formal recognition granted security certificates available to site admins http://www.cbronline.com/news/cybersecurity/business/regulators-give-tors-onion-domain-name-special-use-status-4669709 USA Dept Energy DOE REPORT linked US #Energy Tech Exports = cybersecurity risks - b/c rely on digital tech http://www.theepochtimes.com/n3/1751096-global-energy-growth-could-disrupt-americas-grid-security-doe-report-says/ ---------------------- ꕤ ---------------------- COMMENT Bunch of random stuff I looked at. It all seemed very exciting ... at the time.  Now, I'm not so sure.  lol The onion domain news and the self-destructing chip is exciting, I guess. I'm no techie, so the 'internet of things' doesn't bother me.  I like everything manual, if I can help it.  lol Twitter hiring Washington lobbyists is kind of exciting.  Wonder why? The US military proposed overhaul of ground satellite communications (if I understand correctly), is pretty cool. Surprise that it has taken them until 2015 to come up with those ideas, when they're in the business and should know what they're doing when it comes to multiple contracts and software applications etc. It doesn't sound too efficient at the DOD. Digital tax fraud sounds boring.  I don't even know what the point of it is.  lol  People pretend to be someone else ... but then what? Oh, the best news it the Ninth Circuit Court ruling regarding copyright! Take that, Universal Music a#@!@#s! ꕤ

Bill Blunden - 'Mass surveillance is all about money and power'

SOURCE http://www.arabamericannews.com/news/news/id_10801/Mass-surveillance-is-all-about-money-and-power.html Mass surveillance is all about money and power By Bill Blunden | Wednesday, 07.22.2015, 01:37 PM “We are under pressure from the Treasury to justify our budget; and commercial espionage is one way of making a direct contribution to the nation’s balance of payments” -Sir Colin McColl, former MI6 Chief. For years, public figures have condemned cyber espionage committed against the United States by intruders launching their attacks out of China. These same officials then turn around and justify America’s far-reaching surveillance apparatus in terms of preventing terrorist attacks. Yet classified documents published by WikiLeaks reveal just how empty these talking points are. Specifically, top-secret intercepts prove that economic spying by the United States is pervasive, that not even allies are safe and that it’s wielded to benefit powerful corporate interests. At a recent campaign event in New Hampshire, Hillary Clinton accused China of “trying to hack into everything that doesn’t move in America.” Clinton’s hyperbole is redolent of similar claims from the American Deep State. For example, who could forget the statement made by former NSA director Keith Alexander that Chinese cyber espionage represents the greatest transfer of wealth in history? Alexander has obviously never heard of quantitative easing (QE) or the self-perpetuating “global war on terror” which has likewise eaten through trillions of dollars. Losses due to cyber espionage are a rounding error compared to the tidal wave of money channeled through QE and the war on terror. When discussing the NSA’s surveillance programs Alexander boldly asserted that they played a vital role with regard to preventing dozens of terrorist attacks, an argument that fell apart rapidly under scrutiny. Likewise, in the days preceding the passage of the USA Freedom Act of 2015 President Obama advised that bulk phone metadata collection was essential “to keep the American people safe and secure.” Never mind that decision makers have failed to provide any evidence that bulk collection of telephone records has prevented terrorist attacks. If American political leaders insist on naming and shaming other countries with regard to cyber espionage perhaps it would help if they didn’t sponsor so much of it themselves. And make no mistake, thanks to WikiLeaks the entire world knows that U.S. spies are up to their eyeballs in economic espionage. Against NATO partners like France and Germany, no less. And also against developing countries like Brazil and news outlets like Der Spiegel. These disclosures confirm what Ed Snowden said in an open letter to Brazil: terrorism is primarily a mechanism to bolster public acquiescence for runaway data collection. The actual focus of intelligence programs center around “economic spying, social control, and diplomatic manipulation.” Who benefits from this sort of activity? The same large multinational corporate interests that have spent billions of dollars to achieve state capture. Why is the threat posed by China inflated so heavily? The following excerpt from an intelligence briefing might offer some insight. In a conversation with a colleague during the summer of 2011 the EU’s chief negotiator for the Trans-Pacific Partnership, Hiddo Houben, described the treaty as an attempt by the United State to antagonize China: “Houben insisted that the Trans-Pacific Partnership (TPP), which is a U.S. initiative, appears to be designed to force future negotiations with China. Washington, he pointed out, is negotiating with every nation that borders China, asking for commitments that exceed those countries’ administrative capacities, so as to ‘confront’ Beijing. If, however, the TPP agreement takes 10 years to negotiate, the world–and China–will have changed so much that that country likely will have become disinterested in the process, according to Houben. When that happens, the U.S. will have no alternative but to return to the WTO.” American business interests are eager to “open markets in Asia” and “provide the United States with unprecedented opportunities for investment.” At least, that’s how Hillary Clinton phrased it back when she was the Secretary of State. China represents a potential competitor and so American political leaders need an enemy that they can demonize so that they can justify massive intelligence budgets and the myriad clandestine operations that they approve. The American Deep State wishes to maintain economic dominance and U.S. spies have been working diligently to this end. Bill Blunden is a journalist whose current areas of inquiry include information security, anti-forensics and institutional analysis. This story originally appeared on CounterPunch.org SOURCE http://www.arabamericannews.com/news/news/id_10801/Mass-surveillance-is-all-about-money-and-power.html ---------------------- COMMENT Really enjoyed this article. How hypocritical is Hillary Clinton and the US? Interesting to see that intel agencies need to earn their keep. So, Snowden's comment re surveillance being pretty much about: “economic spying, social control, and diplomatic manipulation.”  sounds about right. And it's all for the sake of 'powerful corporate interests' that control the state.

US PASSING SNEAKY CYBER SECURITY LAWS TO GIVE NSA MORE POWER ... & NSA STAFF GO PRIVATE

Ex-NSA chief defends his profitable cyber-security business Published time: August 06, 2014 10:05 Edited time: August 06, 2014 12:43 As the marriage between surveillance and non-governmental cyber-security firms comes under the spotlight, former NSA chief Keith Alexander fends off criticism of his new lucrative business, which he claims will revolutionize cyber-security. Alexander, who recently announced work on a number of “game-changing” patents to propel cyber security forward, sees nothing improper in the practice, as he revealed in a Tuesday interview with the AP. The former NSA head also stands to answer why he failed to share some of his groundbreaking ideas in his time as a government employee. But for Alexander, this seems to be a straightforward pursuit of doing business and making a living. ... The business was rumored to be bringing him a cool $1 million a month, but Alexander has brushed off the figure as inflated. Explaining further why IronNet Cybersecurity is different to how the government uses information, Alexander said that the NSA only had authority to defend secret government networks, whereas his work will be focused on the private sector. The tools and technical reach are at this point unknown, but "If it actually works, this will be worth a lot," he said of his new “behavioral model,” which purports to use sophisticated techniques to catch unconventional hackers. Critics see a number of issues with Alexander’s new venture, IronNet Cybersecurity. Apart from the generally disliked idea of government officials cashing in on sensitive information learned and tools retained from public service, people worry that any type of access to sensitive information by private firms using high-tech tools is not good. Only recently there was a private sector initiative to pool top officials from eight US government agencies to create a council that would defend the banking industry from cyber-attacks. Indeed, the Securities Industry and Financial Markets Association (SIMFA), the Wall Street group that proposed the council, has retained Alexander’s services. That agreement and others have raised concerns among those who’ve said Alexander may be in the business of disclosing state secrets for any company with a budget big enough to afford his services.  [Conflict of interests? - May have moved on from public service, but does it form a 'conflict of interest' type of problem from mixing it up in the private sector?] Last month, The Senate Select Committee on Intelligence voted overwhelmingly to approve the new controversial cyber security bill – the Cybersecurity Information Sharing Act (CISA), which SIMFA endorses. Privacy advocates are naturally opposed to the legislation, which lawmakers have been trying to push through for years. They believe that codifying a program to share digital data between the government and private sector would open the private sector up to sensitive information pertaining to millions of Americans. One scornful comment illustrating this came from the World Socialist Website’s Thomas Gaist, who says that “CISA clears the way for virtually unrestrained information sharing between the US government and corporations.” The criticism is not unique to rights groups – government officials occasionally also voice concern. ... Although Alexander’s move into private business has caused concern in some circles, he is traveling an already paved road, being the latest in a line of government, intelligence and security officials who go on to private sector work after an illustrious government career. Some examples include the first secretary for homeland security, Tom Ridge – he now has his own firm; the second homeland security secretary, Michael Chertoff, also has one; just as the NSA’s previous director, Michael Hayden, who now works with Chertoff. ... http://rt.com/usa/178328-nsa-alexander-cyber-security/

The thing that struck me most in this article is the cyber security bill was voted for approval by the 'Senate Select Committee on Intelligence'.

As Thomas Gaist says, the Cyber Security Information Sharing Act (CSIS) exposes the public to 'unrestrained informatin sharing between the US government and corporations'.  That's creepy.

New to looking at politics and unfamiliar with US politics, but I believe the next step is back to the House of Representatives and to Senate, before a finally rubber stamping by Obama and bringing the proposed legislation into being as law.

...........................................................................

Discussion Draft of CSIS proposed Bill - here.

Wikipedia - CSIS proposed Bill - here.

The Guardian - says Senate giving more powers to NSA in secret - here.

Wikipedia on, former NSA head, Keith Alexander - here.  Military background (now retired).  Introduced the 'collect it all' approach:

believed by Glenn Greenwald of The Guardian to be the model for the comprehensive world-wide mass archiving of communications which NSA had become engaged in by 2013.

Note also:  'stockpiling of zero-days'. Not really sure what this means specifically, but it relates to exploiting unpatched (and unknown) software vulnerabilities ... for spying.

Wired reported:

“In almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection,” the report reads. “Eliminating the vulnerabilities–’patching’ them–strengthens the security of U.S. Government, critical infrastructure, and other computer systems.”

Obama’s response to his advisers’ review, however, added a major loophole, allowing any zero-day vulnerabilities to be exploited if they have a “clear national security or law enforcement” application.

.. read the article - here - if interested.

Hey, following the Wired link, found this:

This, of course, gives the government wide latitude to remain silent on critical flaws like the recent Heartbleed vulnerability if the NSA, FBI, or other government agencies can justify their exploitation.

A so-called zero-day vulnerability is one that’s unknown to the software vendor and for which no patch therefore exists. The U.S. has long wielded zero-day exploits for espionage and sabotage purposes, but has never publicly stated its policy on their use. Stuxnet, a digital weapon used by the U.S. and Israel to attack Iran’s uranium enrichment program, used five zero-day exploits to spread.

The stuff about US and Israel hacking(?) Iran is pretty interesting.  Why doesn't Iran hack right back?

Anyway, I'm not sure what the fuss is about because it stands to reason that they'd use ANYTHING they can to their advantage.  Why is this surprising?