Hackers may cash in when XP is retired

An interesting article from ComputerWorld.com's Security Section:

Hackers could find themselves in the catbird seat on April 8, 2014 — the day Microsoft plans to stop patching Windows XP. As security expert Jason Fossen sees it, those who have zero-day exploits for XP will bank them until that day and then sell them to crooks or loose them themselves on unprotected PCs.

It’s simply economics at work, said Fossen, a trainer for the SANS Institute since 1998.

“The average price on the black market for a Windows XP exploit is $50,000 to $150,000, a relatively low price that reflects Microsoft’s response,” said Fossen. When a new vulnerability — dubbed a “zero-day” — is detected, Microsoft investigates, pulls together a patch and releases it to XP users.

But the price will go up when Microsoft stops patching its aged operating system.

Fossen acknowledged that there really aren’t any precedents to back up his speculation, because the last time Microsoft retired an operating system was in July 2010, when it pulled the plug on Windows 2000, which wasn’t nearly as widely used as XP is.

Read more here.

NSA Responds To Criticism Over Surveillance Programs

An interesting article by Brian Prince at DarkReading.com:

The NSA has hit back after mounting criticism about its ability to intercept Web communications domestically, claiming that reports of its capabilities are “inaccurate and misleading.”

The response follows a Wall Street Journal report stating the agency has the capacity to reach “roughly 75 percent of all U.S. Internet traffic.”

According to The Wall Street Journal story, the NSA’s filtering of the Web is carried out with telecom companies and designed to look for messages that either originate abroad, are sent abroad, or are entirely foreign and just passing through the U.S. But sources told the paper that the system’s reach increases the chance that domestic communications will be accidentally intercepted.

“Press reports based on an article published in…[the] Wall Street Journal mischaracterize aspects of NSA’s data collection activities conducted under Section 702 of the Foreign Intelligence Surveillance Act,” the agency says. “The NSA does not sift through and have unfettered access to 75 percent of the United States’ online communications.”

“In its foreign intelligence mission, and using all its authorities, NSA “touches” about 1.6 percent and analysts only look at .00004 percent of the world’s Internet traffic,” the NSA continues. “The assistance from the providers, which is compelled by the law, is the same activity that has been previously revealed as part of Section 702 collection and PRISM.”

Read more here.

China’s Internet hit by biggest cyberattack in its history

Were you trying to access a .cn Internet address over the weekend? Are you still hitting refresh?

Internet users in China were met with sluggish response times early Sunday as the country’s domain extension came under a “denial of service” attack.

The attack was the largest of its kind ever in China, according to the China Internet Network Information Center, a state agency that manages the .cn country domain.

The double-barreled attacks took place at around 2 a.m. Sunday, and then again at 4 a.m. The second attack was “long-lasting and large-scale,” according to state media, which said that service was slowly being restored.

Official state media said the attack targeted websites with the .cn country domain, as well as the popular microblogging site Sina Weibo.

Denial of service attacks aren’t technically “hacks,” since they can be done without breaking into any systems. Typically, DoS attacks overwhelm a website’s servers by flooding them with requests. That makes websites unreachable or unresponsive.

To bring down bigger sites, attackers will sometimes organize large numbers of infected computers to send requests all at once.
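The two paragraphs above describe the mechanism (flooding a server with requests) and the distributed variant (many infected machines sending at once). As an added example that is not part of the original article, the Python script below shows the detection logic a defender would run over request logs: a per-source rate check that catches a flood from one machine, and an aggregate check against a baseline learned from quiet traffic that catches the distributed case, where every bot individually stays under the per-source limit. The log format, the client names and the thresholds are all constructed for the example and do not correspond to any particular server or to the .cn registry's systems.

```python
"""Request-flood detection over constructed log lines.

Two complementary checks:
  1. per-source: one client sending more than max_per_source requests inside
     a fixed time window (a flood from a single machine);
  2. aggregate : a window's total request count exceeding a multiple of a
     baseline learned from quiet traffic, which catches a distributed flood
     in which every bot individually stays under the per-source limit.
The log format is a constructed "<epoch_seconds> <client> <request>" line,
not any particular server's format; thresholds are illustrative.
"""
from collections import Counter
import re

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>\S+)\s+(?P<req>\S+)$")


def parse_line(line):
    """Return (timestamp, source, request) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return int(m.group("ts")), m.group("src"), m.group("req")


def bucket(lines, window):
    """Count requests per fixed window and per (window, source)."""
    per_window, per_source = Counter(), Counter()
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue                     # skip garbage instead of crashing on it
        ts, src, _ = parsed
        start = (ts // window) * window
        per_window[start] += 1
        per_source[(start, src)] += 1
    return per_window, per_source


def learn_baseline(quiet_lines, window):
    """Mean requests per window over a sample known to be normal traffic."""
    per_window, _ = bucket(quiet_lines, window)
    if not per_window:
        return 0.0
    return sum(per_window.values()) / len(per_window)


def detect_floods(lines, window=10, max_per_source=20,
                  baseline=None, aggregate_factor=5.0):
    """Return (noisy_sources, flooded_windows).

    noisy_sources  : set of clients that exceeded max_per_source in some window
    flooded_windows: sorted window starts whose total exceeds
                     aggregate_factor * baseline (empty if no baseline given)
    """
    per_window, per_source = bucket(lines, window)
    noisy = {src for (_, src), n in per_source.items() if n > max_per_source}
    flooded = []
    if baseline:
        flooded = sorted(start for start, n in per_window.items()
                         if n > aggregate_factor * baseline)
    return noisy, flooded


def make_sample():
    """Constructed traffic: three quiet 10 s windows, then one host sending
    80 requests in one window, then 40 bots sending 3 requests each."""
    lines = []
    for w in range(3):                           # quiet: 5 clients x 2 requests
        for c in range(5):
            for i in range(2):
                lines.append(f"{w * 10 + i} client{c} GET/")
    for i in range(80):                          # window 30: single-source flood
        lines.append(f"{30 + i % 10} attacker GET/")
    for b in range(40):                          # window 40: distributed flood
        for i in range(3):
            lines.append(f"{40 + i} bot{b} GET/")
    lines.append("this is not a log entry")      # malformed line to be skipped
    return lines


def run_demo():
    sample = make_sample()
    baseline = learn_baseline(sample[:30], window=10)   # the three quiet windows
    return detect_floods(sample, window=10, baseline=baseline)


if __name__ == "__main__":
    noisy, flooded = run_demo()
    print("noisy sources:", noisy)               # {'attacker'}
    print("flooded windows:", flooded)           # [30, 40]
```

The per-source check alone never fires in window 40, because each bot sends only three requests; only the aggregate comparison against the learned baseline reveals that window as a flood. In practice the baseline should be learned per hour of day and per endpoint, and the window totals should be fed to whatever upstream rate-limiting or scrubbing you have, since by the time the server logs the requests it has already spent resources on them.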

Read the rest here.

US science fund pumps $20 million into cybersecurity research

America’s National Science Foundation (NSF) last week announced an investment of $20 million into three academic cybersecurity research projects.

The studies cover cloud security, privacy issues, and improving the security of health-related systems and networks.

The NSF supports over 100 research projects related to cybersecurity, but their ‘Frontier’ awards are among the biggest they grant, supporting major multi-discipline, multi-institution projects.

The largest award of this round, of $10 million, went to a project called Trustworthy Health and Wellness (THaW), a five-year collaboration between researchers from Dartmouth College, Johns Hopkins University, the University of Illinois and the University of Michigan at Ann Arbor, which hosts the Archimedes Center for Medical Device Security.

Their research covers all things medical, including improving secure access to patient data from modern mobile devices, safely using cloud technology for data storage and analysis, and allowing patients to control the personal data gathered by hi-tech medical scanners and sensors.

Read the rest here at Naked Security.

Snowden suspected of bypassing electronic logs

Adam Goldman & Kimberly Dozier The Associated Press

WASHINGTON (AP) – The U.S. government’s efforts to determine which highly classified materials leaker Edward Snowden took from the National Security Agency have been frustrated by Snowden’s sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have shown what information Snowden viewed or downloaded.

The government’s forensic investigation is wrestling with Snowden’s apparent ability to defeat safeguards established to monitor and deter people looking at information without proper permission, said the officials, who spoke on condition of anonymity because they weren’t authorized to discuss the sensitive developments publicly.

The disclosure undermines the Obama administration’s assurances to Congress and the public that the NSA surveillance programs can’t be abused because its spying systems are so aggressively monitored and audited for oversight purposes: If Snowden could defeat the NSA’s own tripwires and internal burglar alarms, how many other employees or contractors could do the same?
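The passage above turns on one failure mode: the audit logs that were supposed to record who viewed or downloaded what could be deleted or bypassed by the person being audited. As an added example that is not part of the AP story and says nothing about how the NSA's actual systems work, here is the standard countermeasure in Python: an append-only audit log in which each record carries the SHA-256 digest of the previous one, so that deleting, editing or reordering a record breaks verification for every later entry, plus an "anchor" digest held outside the administrator's reach that catches silent truncation of the tail. The user names, actions and object paths are constructed sample data.

```python
"""Tamper-evident audit log: a SHA-256 hash chain over access records.

Every entry stores the digest of the previous entry, so deleting, editing
or reordering a record breaks verification for that entry and everything
after it. A copy of the newest digest kept somewhere the administrator
cannot write (the "anchor") additionally detects silent truncation of the
tail, which a self-consistent chain alone cannot. Records are constructed
sample data.
"""
import hashlib
import json

GENESIS = "0" * 64          # digest "before" the first entry


def _digest(prev_hash, record):
    """Hash of the previous digest plus a canonical encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_record(log, record):
    """Append a record to the chain and return the new entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
    log.append(entry)
    return entry


def verify(log, anchor=None):
    """Return (True, None) if the chain is intact, else (False, i) where i is
    the index of the first bad entry; i == len(log) means the chain is
    internally consistent but does not end at the anchored digest."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return False, len(log)
    return True, None


def run_demo():
    """Build a small chain, then try three kinds of after-the-fact tampering."""
    log = []
    for rec in [
        {"user": "sysadmin", "action": "read", "object": "hr/report.pdf"},
        {"user": "sysadmin", "action": "copy", "object": "hr/report.pdf"},
        {"user": "analyst", "action": "read", "object": "ops/plan.doc"},
        {"user": "sysadmin", "action": "read", "object": "legal/memo.txt"},
    ]:
        append_record(log, rec)
    anchor = log[-1]["hash"]                 # in practice stored off-host

    deleted = log[:1] + log[2:]              # entry 1 removed
    edited = json.loads(json.dumps(log))     # deep copy, then rewrite entry 2
    edited[2]["record"]["user"] = "nobody"
    truncated = log[:-1]                     # last entry dropped

    return {
        "intact": verify(log, anchor),
        "deleted": verify(deleted, anchor),
        "edited": verify(edited, anchor),
        "truncated_no_anchor": verify(truncated),   # chain alone cannot tell
        "truncated": verify(truncated, anchor),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:20s} {result}")
```

The `truncated_no_anchor` case is the important one: a chain that has simply been cut short still verifies, because nothing inside the chain says where it is supposed to end. What makes deletion detectable is the anchor (or, equivalently, shipping each record to a write-once collector the administrator cannot reach). An administrator who can rewrite both the log and the anchor can still rebuild a clean-looking chain, which is why the anchor must live under a different set of credentials from the system being audited.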

In July, nearly two months after Snowden’s earliest disclosures, NSA Director Keith Alexander declined to say whether he had a good idea of what Snowden had downloaded or how many NSA files Snowden had taken with him, noting an ongoing criminal investigation.

NSA spokeswoman Vanee Vines told the AP that Alexander “had a sense of what documents and information had been taken,” but “he did not say the comprehensive investigation had been completed.” Vines would not say whether Snowden had found a way to view and download the documents he took without the NSA knowing.

In defending the NSA surveillance programs that Snowden revealed, Deputy Attorney General James Cole told Congress last month that the administration effectively monitors the activities of employees using them.

“This program goes under careful audit,” Cole said. “Everything that is done under it is documented and reviewed before the decision is made and reviewed again after these decisions are made to make sure that nobody has done the things that you’re concerned about happening.”

The disclosure of Snowden’s hacking prowess inside the NSA also could dramatically increase the perceived value of his knowledge to foreign governments, which would presumably be eager to learn any counter-detection techniques that could be exploited against U.S. government networks.

It also helps explain the recent seizure in Britain of digital files belonging to David Miranda — the partner of Guardian journalist Glenn Greenwald — in an effort to help quantify Snowden’s leak of classified material to the Guardian newspaper. Authorities there stopped Miranda last weekend as he changed planes at Heathrow Airport while returning home to Brazil from Germany, where Miranda had met with Laura Poitras, a U.S. filmmaker who has worked with Greenwald on the NSA story.

Snowden, a former U.S. intelligence contractor, was employed by Booz Allen Hamilton in Hawaii before leaking classified documents to the Guardian and The Washington Post. As a system administrator, Snowden had the ability to move around data and had access to thumb drives that would have allowed him to transfer information to computers outside the NSA’s secure system, Alexander has said.

In his job, Snowden purloined many files, including ones that detailed the U.S. government’s programs to collect the metadata of phone calls of U.S. citizens and copy Internet traffic as it enters and leaves the U.S., then route it to the NSA for analysis.

Officials have said Snowden had access to many documents but didn’t know necessarily how the programs functioned. He dipped into compartmentalized files as systems administrator and took what he wanted. He managed to do so for months without getting caught. In May, he flew to Hong Kong and eventually made his way to Russia, where that government has granted him asylum.

NBC News reported Thursday that the NSA was “overwhelmed” in trying to figure what Snowden had stolen and didn’t know everything he had downloaded.

Insider threats have troubled the administration and Congress, particularly in the wake of Bradley Manning, a young soldier who decided to leak hundreds of thousands of sensitive documents in late 2009 and early 2010.

Congress had wanted to address the insider threat problem in the 2010 Intelligence Authorization Act, but the White House asked for the language to be removed because of concerns about successfully meeting a deadline. In the 2013 version, Congress included language urging the creation of an automated, insider-threat detection program.

© 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

$6B DHS Cybersecurity Contract Sets Off Race to Supply Real-Time Monitoring to Feds

Written by Ellen Messmer, senior editor at Network World.

Network World — The Department of Homeland Security’s $6 billion cybersecurity award last week to a slew of contractors and vendors sets in motion a contest among them to sell federal agencies on new network monitoring, vulnerability assessment and mitigation technologies. The underlying goal of this massive “Continuous Diagnostics and Mitigation” (CDM) contract is to spur federal civilian agencies to move away from static approaches to network-security compliance reporting in favor of real-time monitoring.

“What they’re trying to accomplish here is moving from FISMA [Federal Information Security Management Act] reporting quarterly to see what’s going on a daily basis,” says Peter Allor, federal cybersecurity strategist for IBM Security Systems, alluding to the government’s IT compliance-reporting obligations spelled out under FISMA. FISMA, passed in 2002, is now widely seen as too much of a check-the-box approach, given how many security monitoring technologies support a real-time approach. IBM is just one vendor among the crowd of 17 systems integrators that won a spot on the DHS CDM contract awarded last week.


John Streufert, director of the National Cybersecurity Division at DHS, had a hand in the CDM last November before the RFP was issued. At the time, he expressed hope CDM might one day become a “cyberscope” for the federal agencies to know what’s happening in real-time on their networks and a way to mitigate vulnerability problems. He says federal agencies need to get away from inefficient and untimely paper-based vulnerability reporting.

Along with IBM, the systems integrators winning a spot on CDM include Booz Allen Hamilton, CSC, Knowledge Consulting Group, Lockheed Martin, Northrop Grumman, SAIC and ManTech. The contract also brings in dozens of vendors of monitoring, scanning, log management and security-information and event management tools. These include McAfee, Symantec, ForeScout, Splunk, Veracode, Rapid7, Core Impact, Microsoft, RedSeal, nCircle and several more. ForeScout, for example, said its CounterACT monitoring product has been included in product suites put forward by 11 out of the 17 systems integrators winning the contract.

The products and services under the CDM contract award will be available through the General Services Administration. However, DHS is expected to oversee the contract, which is established as a 1-year baseline for “indefinite quantity, indefinite delivery” purchases by agencies for a maximum total of five years and $6 billion if all options are exercised.

IBM, which will be selling its Security Endpoint Manager, Security AppScan and QRadar SIEM, notes the contract is set up in a way to engender competition while making it easier for civilian federal agencies to buy monitoring and mitigation products. The contract is also expected to be available to state and local agencies.

The CDM contract was also put forward with the idea that there could be Continuous Monitoring as-a-Service (CMaaS), meaning some larger agencies could take on the role of providing services to smaller agencies.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com