Wednesday, 12 February 2014

'The Day We Fight Back' calls for protests against NSA spying

(Credit: Screenshot by Lance Whitney/CNET)
Those of you angered over reports of NSA spying are being urged to add your voices to those of a group of 5,300 companies and Web sites staging a worldwide protest.
Dubbing February 11 "The Day We Fight Back," organizations such as the Electronic Frontier Foundation, the American Civil Liberties Union, Free Press, Mozilla, Reddit, and Tumblr want Internet users to call or e-mail their legislators to pressure them to end the National Security Agency's mass surveillance program. The groups also are asking Web site owners to set up banners on their pages to urge visitors to join the cause.
Susan Molinari, Google's vice president of public policy, used the occasion to argue in a blog post that the US government should make major changes to how it responds to electronic privacy concerns. She said Congress ought to update the Electronic Communications Privacy Act to require the government to get a warrant before compelling tech firms to disclose the content of user communications; and pass the USA Freedom Act, a proposed law that would codify proposed surveillance reform principles.
A series of protests also are planned today in the United States and other countries. And the groups involved have suggested setting up local events as another way for people to participate.

The Electronic Frontier Foundation also is drawing attention to its 13 Principles, a document that it says outlines how surveillance can be conducted without impinging on human rights. The overall goal behind "The Day We Fight Back" is to raise awareness and put more pressure on Washington to limit the NSA's methods, which have been criticized by Internet users, privacy groups, and several of those serving in Congress.
"Since the first revelations last summer, hundreds of thousands of Internet users have come together online and offline to protest the NSA's unconstitutional surveillance programs," Josh Levy, Internet campaign director at Free Press, said in a statement. "These programs attack our basic rights to connect and communicate in private, and strike at the foundations of democracy itself. Only a broad movement of activists, organizations, and companies can convince Washington to restore these rights."

NSF $289,000 grant to help undergraduate cyber security research

The National Science Foundation has awarded a grant of more than $289,000 to faculty of UALR’s Department of Computer Science that could improve cyber security for people using mobile technology and social networking sites.
Dr. Mengjun Xie
Dr. Mengjun Xie, UALR computer science assistant professor, was joined by Dr. Kenji Yoshigoe, computer science department chair and associate professor, in submitting the grant.
The project, “REU Site: CyberSAFE@UALR: Cyber Security and Forensics Research at the University of Arkansas at Little Rock,” will enhance undergraduate research in cyber security protection for the public.
As a designated REU (Research Experience for Undergraduates) Site, UALR offers its students research opportunities on a specific project for which they are paired to work closely with computer science faculty.
The CyberSAFE project seeks to integrate fundamental security and forensics research with the latest technology advances in mobile computing, cloud computing, and social networks, according to Dr. Xie.
“The grant will advance our understanding of cyber attacks by allowing us to explore novel and practical techniques and methods of collecting and analyzing digital evidence,” said Xie.
Xie said researchers will also investigate more secure and user friendly approaches to protecting people in using their smartphones, visiting their social networks, and accessing their apps and data in computing clouds.
The NSF award was effective Feb. 1 and expires Jan. 31, 2017.

David Marcus uses credit card hacking to plug PayPal

David Marcus uses credit card hacking to plug PayPal
It seems executives of big online payments companies aren’t immune to hacking scams.
But while such an unfortunate incident would be at best a headache for the average consumer, it offered PayPal’s top executive a convenient marketing opportunity.
PayPal President David Marcus’s credit card information was swiped after the Silicon Valley executive went shopping in the UK. Marcus tweeted Monday that the thief racked up a “ton of fraudulent” charges.”
And without skipping a beat, he lunged at the opportunity to tout his own company: “Wouldn’t have happened if merchant accepted PayPal.”
He went on to tweet about PayPal’s superior security.

This is a particularly high-profile time for PayPal, which just redesigned its website, revamping it for superior mobile viewing.  PayPal is in the midst of a global hackathon tour and in the throes of merging with Braintree, the mobile payments platform PayPal acquired last year. And the company ended up in the spotlight last month when activist investor Carl Icahn last month proposed a spinoff of PayPal business from parent company eBay– a suggestion eBay dismissed.
Marcus said the stolen account was an EMV card — which stands for Europay MasterCard Visa. These cards include smart chips that use an embedded microprocessor instead of a magnetic stripe to store cardholder data, and are supposed to be more secure than the average piece of plastic. They have received quite a bit of attention since the massive data breaches at Target and Neiman Marcus. Beginning in October 2015, the US will become the last major market to shift to EMV, and retailers will replace the old swipe machines with a slot to enter a card and pin number, the Wall Street Journal reports.  But Marcus’ card theft adds to existing concerns about whether EMV cards are indeed an answer to credit card insecurity.
But for all of Marcus’ plugs, PayPal hasn’t been immune to hackers either. Hacking group the Syrian Electronic Army this month took responsibility for breaching and defacing the websites belonging to PayPal UK and eBay. And last year hacking group Anonymous claimed responsibility for the high-profile 2010 hacking of PayPal accounts and passwords.
Marcus’ credit card theft drew reaction from some Bitcoin fans who called on PayPal to start accepting the virtual currency. Some media reports have speculated that Marcus is ready for such a move, but last year PayPal executives, in an interview with this newspaper, said only they would “look at” the possibility.

Feds Launch Cyber Security Guidelines For US Infrastructure Providers

The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. Critics say these voluntary guidelines enshrine the status quo.
6 Cool Apps From Uncle Sam
(click image for larger view and slideshow)
The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. It's a catalog of industry best-practices and standards that creates a voluntary template for companies to use in developing better security programs.
The Framework for Improving Critical Infrastructure Cybersecurity "enables organizations -- regardless of size, degree of cybersecurity risk, or cybersecurity sophistication -- to apply the principles and best-practices of risk management to improving the security and resilience of critical infrastructure," the White House said in a statement.
Although the document was hailed by administration officials as a "major turning point" in cybersecurity, it contains little that is revolutionary or even new. The National Institute of Standards and Technology, working with the Homeland Security Department and industry stakeholders, has compiled a set of known, publicly vetted standards that can be applied to identify, protect from, detect, respond to, and recover from risks.
The framework is technology-neutral and does not specify tools or applications to be used. Choices of technology are left to the user in addressing each category of risk management.
[Experts believe NIST's voluntary Cybersecurity Framework will become the de facto standard for litigators and regulators. Read NIST Cybersecurity Framework: Don't Underestimate It.]
The framework is built on three basic components:
  • Core. A set of common activities that should be used in all programs, providing a high-level view of risk management.
  • Profiles. These help each organization align cybersecurity activities with its own business requirements, and to evaluate current risk management activities and prioritize improvements.
  • Tiers. Tiers allow users to evaluate cybersecurity implementations and manage risk. Four tiers describe the rigor of risk management and how closely it is aligned with business requirements.
The framework is one leg of a three-pronged program set out in a presidential executive order on protecting privately-owned critical infrastructure, issued one year ago in response to Congress's failure to pass cybersecurity legislation. The second leg involves information sharing among companies and between the public and private sectors. The third leg attempts to address the protection of privacy and civil liberties.
Privacy was a difficult area for stakeholders to come to a consensus on during the five public workshops and multiple iterations of the document. Some protections are incorporated in instructions for using the framework, but privacy was identified as an area that needs to be better addressed in future versions.
Although it would be difficult today for any attack to cause widespread, long-lasting damage to the nation's critical infrastructures, cyberattacks are becoming more effective. Demonstrated weaknesses in the IT systems that control and support the energy, transportation, financial services industries, and others leave them vulnerable to these attacks.
President Obama calls the latest cyber security framework 'a turning point.' (Source: White House)
President Obama calls the latest cyber security framework "a turning point."
(Source: White House)
Although the framework is voluntary and will depend primarily on "enlightened self-interest" to drive its use, it is not entirely without teeth. Regulatory agencies are working to harmonize existing regulations with the document, and government procurement requirements are likely to include conformance to the framework for contractors and suppliers.
But one White House official said during a briefing, "The goal is not to expand regulation."
Other incentives for adoption are expected to include public recognition, cyber insurance and cost recovery programs, all of which can be implemented without legislation. Administration officials said they will ask Congress for additional authority as needed, for protections such as limitations on liability for companies adopting the framework. But given the slow pace of legislation in the current Congress the administration's goal is to convince companies operating critical infrastructure that using the framework would be a good business decision.
Drafters said the framework creates a shared vocabulary for discussing and describing cybersecurity that can be used by a broad range of companies in different industries to create and evaluate risk-management programs. Gaps in programs can be identified and plans tailored to meet the specific needs for each user.
Focus on resilience
In an effort to support adoption of the framework by the private sector, the Department of Homeland Security is also launching a voluntary Critical Infrastructure Cyber Community program. According to DHS Secretary Jeh Johnson, the program will provide a "single point of access" to the department's cybersecurity experts for anyone needing help or advice.
Although the program is just getting underway, one of its services, the Cyber Resilience Review, has already been widely used by industry. The review lets organizations assess their current programs and determine how well they are aligned with the practices and standards of the framework. More than 300 of the reviews have been carried out.
President Obama, in a prepared statement, called the framework a turning point, but added, "It's clear that much more work needs to be done," a sentiment shared by the document's supporters and detractors alike.
Bob Dix, VP of global government affairs and public policy for Juniper Networks, called it "a laudable first step," but said "there is more that government and industry must do together to address basic cyber hygiene as well as the most sophisticated and persistent threats to critical infrastructure."
Because the framework is based on existing practices and standards, it has been criticized as enshrining the status quo rather than advancing cybersecurity. NIST officials said it is a living document that will be regularly updated.
A preliminary draft of the framework laid out areas for improvement to be addressed in future versions. These include authentication, automated information sharing, assessing compliance with standards, workforce development, big data analytics, international impacts, privacy standards, and supply chain management.

Hacking Joins Curriculum as Businesses Seek Cyber Skills: Tech

For students of cybersecurity at Switzerland’s 150-year-old ETH university in Zurich, hacking is a legitimate part of the curriculum.
Students learn to infiltrate Internet and mobile networks in classes on “wireless electronic warfare” and “modern malware” designed to prevent computer malfeasance. The number of students enrolled in ETH Zurich’s information security master’s program has more than tripled since 2009, the university said.
Demand for cyber specialists is rising as companies such as Deutsche Telekom AG (DTE) and ABB Ltd. (ABBN) hire more experts to counter risks to their networks and products. Cybersecurity has grown into a $60 billion global business, according to PricewaterhouseCoopers LLP, while concern over hacking has been heightened by reports of mass surveillance by the U.S. National Security Agency and eavesdropping of German Chancellor Angela Merkel’s mobile phone.
“The NSA affair was a wake-up call, but companies also became aware that there’s a lot more cyber criminality,” Juergen Kohr, head of cybersecurity at Germany’s biggest phone company Deutsche Telekom, said in an interview. Last year it suddenly became more competitive to recruit the right people, he said. “It’s a very, very embattled market.”
Gulp Information Services, a Munich-based subsidiary of Dutch recruitment agency Randstad Holding NV, said it received 2,423 requests for IT security specialists last year, up 54 percent from 2012 and almost seven times more than a decade earlier.

Malicious Programs

18 months ago, attacks by the so-called Shamoon computer virus against Saudi Arabian Oil Co., the world’s largest crude exporter, destroyed about 55,000 servers and workstation hard drives, according to U.S. officials.
Software made by Siemens AG (SIE), Europe’s biggest engineering company, and used to control water-processing plants, power grids and factories suffered an attack by a malicious program dubbed Stuxnet in 2010. It targeted Simatic WinCC, a supervisory control program that the world’s infrastructure agencies and manufacturers use to acquire and analyze data, the company said at the time.
Stuxnet was able to penetrate controls, send data back to its creators and eventually destroy systems.
The proportion of companies reporting losses of $10 million or more as a result of cybersecurity incidents has risen 51 percent since 2011, according to a survey of 9,600 executives in 115 countries by PwC last year. About 7 percent of respondents said they had suffered such losses.

Career Options

About 30 ETH Zurich information security master’s students can also learn how to protect products such as cars. In an experiment, they open and start vehicles with off-the-shelf electronic hardware costing as little as $100 to analyze security flaws of wireless remote keys.
If a hacker wants to pursue a career outside the corporate world, governments worldwide are also keen to secure their services.
“Supply isn’t keeping up with the growing demand for talent,” said Kristina Huramsin, a Frankfurt-based recruitment consultant for Manpowergroup Inc. (MAN)’s Experis unit who specializes in cybersecurity hires. “Since 2011 demand grew in tiny steps, but it jumped massively last September because of the whole Snowden affair.”

Snowden Leaks

Former U.S. government contractor Edward Snowden began leaking documents in June that revealed NSA spying activities targeting companies, European Union institutions and governments.
While companies are keen to protect themselves, they’re also selling services that protect their customers.
Markus Braendle, head of cybersecurity at the world’s largest maker of power transformers ABB, said the 9/11 attacks also spurred demand for security services because the U.S. government required utilities to upgrade their cyber defences.
“Cybersecurity was the number one new boardroom issue of the past year,” said Leif Johansson, chairman of the European Round Table of Industrialists, whose 53 members are chief executive officers or chairmen of some of Europe’s biggest companies including Roche Holding AG, Nestle SA and Royal Dutch Shell Plc. (RDSA) “The potential consequences are huge and we need many more well-skilled employees to tackle those issues.”
Cybersecurity budgets increased on average by more than half in 2013, and almost half of respondents expect to increase their outlay further this year, according to the PwC study.

Certain Mindset

To attract candiates, companies may pay as much as 25 percent more for security experts than for Web developers, said Huramsin. One headhunter even offered candidates the use of his holiday house in Switzerland, she said.
“You definitely need people who have a certain mindset -- which is thinking outside the box, figuring out how do I attack a system,” said Braendle, who is a ETH Zurich graduate.
ABB, which competes to supply equipment to power grid operators with Siemens, General Electric Co. (GE) and Emerson Electric Co. (EMR), added cybersecurity managers for each of its 24 business units and bought a stake in security company Industrial Defender in 2010.
Siemens in December introduced a service it manages on behalf of clients to protect hardware from Web attacks. Siemens declined to be interviewed and said in an e-mailed statement that it takes industrial security “very seriously” as it works with clients to secure facilities.
While security is a priority for executives, companies are often reluctant to discuss breaches, said Braendle.
“We know that there have been attacks, incidents, breaches, but they are not being talked about,” he said. “It’s still pretty sensitive, people don’t want to share their experiences. And that makes it harder to defend against.”

FBI, Secret Service Investigating Sands Hacking

The FBI and Secret Service are investigating the hacking of the Las Vegas Sands casino company's websites, which remained down more than a day after they were hijacked.
The company's corporate site, as well as the home pages of the Italian-themed Venetian and Palazzo casinos in Las Vegas, displayed a screen Wednesday that said they were down for maintenance. The message provided phone numbers for all Sands properties, but not emails, because the hacking knocked that system out too.
Patrons can still make reservations through third-party sites.
Sands spokesman Ron Reese declined to say whether the company is aware of credit card records being stolen.
"While we have been able to confirm that certain core operating systems were not impacted by the hacking, the company remains focused on working through a step-by-step process to ascertain what, if any, additional systems may have been impacted," Reese said in a statement.
FBI spokeswoman Jenny Shearer said the FBI and Secret Service were investigating. The Secret Service is charged with safeguarding the country's financial systems.
The Nevada State Gaming Control Board was also investigating the cyberattack.
Las Vegas Sands Corp. runs the largest casino in the world in the Chinese gambling enclave in Macau. It also owns hotel-casinos in Singapore and Bethlehem, Pa.
The first sign that the company's systems might have been breached came Monday morning, when email went down. By Tuesday morning, hackers had taken control of all Sands sites, posting what looked like a clip-art collage featuring a map with flames where Sands casinos are located, a snapshot of Sands CEO Sheldon Adelson posing with Israel Prime Minister Benjamin Netanyahu, and a message condemning the use of weapons of mass destruction. The hackers also posted employee Social Security numbers and signed their work, "Anti WMD Team."
Adelson, who is known for his fiery personality, has been outspoken in his support for Israel. In October, he floated the idea of dropping a nuclear bomb on Iran, saying strength was the only thing the country understands. He suggested that the U.S. could begin negotiations over the country's nuclear program by launching a strike on the Iranian desert and threatening to bomb Tehran next.

White House Unveils Plan To Cut Hacking Risk, But Will It Work?

Critics say the White House's voluntary plan for a “cybersecurity framework” released Wednesday is toothless without incentives for firms to comply with the blueprint for dealing with potential attacks.
The new framework is part of an executive order that President Obama issued exactly one year ago, after cybersecurity legislation failed in Congress. Members of both the government and the private sector spent that time drafting several versions of the plan.
Codifying guidelines for "cybersecurity" as a whole is a broadly defined task, however. The final 41-page document is essentially a set of best practices for companies, banks and infrastructure to mitigate cyber risk: identify, protect, detect, respond and recover.
The plan presents considerations in each category, and suggestions for improvement. The framework's creators say that flexibility is the only way such a document can work.
"It's sort of a 'Choose Your Own Adventure,'" said Jeff Greene, senior policy counsel at security software maker Symantec, who was one of eight CEOs involved in the plans to draft the framework. "It's a flexible way to help companies assess their own cybersecurity situation. It says, here are some possible options ... or go ahead and find the best path for you."
"When you're asking companies to spend money to keep their lights on, or spend it on cybersecurity, you can guess what wins every time."
But companies aren't forced or compelled to follow any kind of path, critics pointed out. Obama's February 2013 order called for the framework to include some sort of incentive as part of the program, but the plan doesn't provide for that -- and it would likely need to come from formal legislation.
"When you're asking companies to spend money to keep their lights on, or spend it on cybersecurity, you can guess what wins every time," said Nathan Sportsman, CEO of security firm Praetorian. "Without offering a tax break for compliance, or [levying] a fine to those who don't follow it, you're not going to change behavior."
And the cost of inertia can be great. In the year since Obama issued his executive order, several retailers including Target suffered high-profile data breaches. A major attack on services related to the nation's critical infrastructure would be even more devastating.
Greene, the Symantec counsel, insisted that the framework wasn't intended to fix those kinds of issues; instead, he said, it's meant to "break down the risks and the processes, in plain English," for companies of all sizes.
"We know how to think about cybersecurity issues already. What we need is carrots and sticks."
"People laugh when I say this, but the framework is just that: a framework," Greene said. "These criticisms about incentives and force would be valid if it were intended to be law. But it's not legislation, or a set of controls, or a checklist."
There is value in that setup, said John Michener, chief scientist at Casaba Security.
"I find it valuable, and people who read it can certainly use it to build their knowledge and their processes," Michener said. "Of course, it can only affect the people who are paying attention. So I think it could make a minor difference around the edges."
Sporstman -- who has helped write other security-related government frameworks in the past -- understands the intent of the framework. What he doesn't understand is the point of it.
"We don't need yet another framework; this framework references other frameworks," Sportsman said. "We know how to think about cybersecurity issues already. What we need is carrots and sticks."
It's unclear whether Capitol Hill will create those provisions that Sportsman and his fellow critics want.
Obama said in a statement on Wednesday: "While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity."
Overall, said Casaba's Michener, the White House's framework "adds to the body of documents of guidance, and that is always helpful."
All parties seem to agree that a single framework is far from a one-stop solution, but cybersecurity threat increases as they tussle over the best fix.

Anonymous hacktivists launch DDOS attack against GCHQ website

It seems like Anonymous hackers have launched a Distributed denial of service(ddos) attack against GCHQ website.

The attack just came after Edward Snowden leaked a document which revealed that British Spy Agency (GCHQ) carried out ddos attacks to disrupt the anonymous hacktivists' communication channel.

Sponsored Links
Some anonymous hacktivists also claimed to have successfully disrupted the website of GCHQ.  Netcraft confirmed that today has experienced 'noticeable performance issues'.  Netcraft says the attack could be originated from Romania.

"Curiously, a much larger amount of downtime has been observed from Netcraft's Romanian performance monitor since the leaked slides were made public."Netcraft post reads.

"That could indicate much more extreme DDoS mitigation techniques are being applied to these requests, and this in turn suggests that if an attack is occurring, perhaps Romania is one of the countries from which the attacks are being launched."

400Gbps NTP-based DDOS attack hits CloudFlare - largest DDOS attack in History

Until a week ago, it was believed that Distributed denial-of-service(DDOS) attack against Spamhaus is the largest one in the history.  Now, an even bigger DDOS attack has been recorded by the Content delivery Network CloudFlare.

Matthew Prince, CloudFlare CEO, said in twitter that very big NTP reflection attack was hitting them and appears to be bigger than the Spamhaus attack from last year.

Sponsored Links
According to Matthew, the attack reached 400Gbps which is 100Gbps higher than the ddos attack targeting Spamhaus.

CloudFlare said all websites have returned to production.

Founder of a French hosting firm OVH also said their network received more than 350Gbps traffic, but it is not clear whether it is related or not.

Last month, CloudFlare also wrote an article detailing about the Network Time protocol(NTP) based DDOS attacks that caused trouble for some gaming web sites and service providers.

NTP protocol is UDP-based protocol runs on port 123 which is used by Internet connected computers to set clocks accurately.  A system will synchronize with the server and receives the current time.

Experts says this protocol is prone to amplification attacks because it will response to the packets with spoofed source IP address "and because at least one of its built in commands will send a long reply to a short request. That makes it ideal as a DDoS tool."

List of open NTP servers on the Internet allows attackers to launch Denial of attack against any target network.