Cybersecurity is a big issue this year, with people becoming more and more aware of the steps that both governments and companies are making to gain access to or stop others accessing their data. After its recent attempt to get Apple to help bypass the security features on an iPhone, the FBI rather embarrassingly revealed that government systems had been accessed by an unknown party since 2011. In a move to help combat cybersecurity issues, President Obama intends to appoint executives from several major technology companies to a new cybersecurity panel to help act on these matters.
As part of a $19 billion proposal, the Commission on Enhancing National Cybersecurity will see people who are described by President Obama as being “dedicated individuals [who will] bring a wealth of experience and talent to this important role, and I look forward to receiving the Commission’s recommendations.”.
Among the names appear the likes of General Keith Alexander, director of the NSA from 2005 till 2014; Ubers Chief Security Officer Joe Sullivan; the CEO of MasterCard Ajay Banga and corporate vice president of Microsoft Research, Peter Lee. With these being just a few of the names listed, the list seems to be focused on gathering the support of those who have experience within the industry, and while the released statement may be an announcement of his intent, any of the members on the list could provide valuable insight into cybersecurity.
You’d have to be stupid to pick up a random USB drive off the ground and connect it into your PC, right? If the answer is yes (which it is), then there’s a whole lot of dunces out there wilfully putting their computer security at risk. A new study by researchers from the University of Illinois, the University of Michigan, and Google has revealed that at least half of people will pick up a foreign USD drive they find and use it.
As told in a paper titled “Users Really Do Plug in USB Drives They Find” [PDF], the researchers investigated “the anecdotal belief that end users will pick up and plug in USB flash drives they find by completing a controlled experiment in which we drop 297 flash drives on a large university campus.” The results found “that the attack is effective with an estimated success rate of 45–98% and expeditious with the first drive connected in less than six minutes.”
297 test USB drives were dropped at random locations around the University of Illinois’ Urbana Champaign campus. 98% of these drives were moved from their drop location, with 48% plugging them into their computers and opening the files stored on it.
“It’s easy to laugh at these attacks, but the scary thing is that they work—and that’s something that needs to be addressed,” lead researcher Matt Tischer told Vice Motherboard.
68% of those who used the USB drives admitted that they took no precautions when using the USB device when questioned afterwards.
“I trust my macbook to be a good defense against viruses,” said one of the USB users, while another confessed, “I sacrificed a university computer.”
Viruses should be the least people’s worries: last year, we reported on the Killer USBs, versions 1.0 and 2.0, a pair of flash drives designed to fry any computer into which it is plugged.
“There are no easy solutions to these problems, but they will certainly extend beyond simply the technical to include a deeper understanding of the social, behavioral, and economic factors that affect human behavior,” Tischer added. “There is a difference between warning users that a particular action is dangerous and convincing them to actually avoid it. We need to close that gap.”
Hack the Pentagon, the US intelligence agency’s new bug bounty program, is set to begin this month, its organiser HackerOne has revealed. The challenge, which is open to anyone who thinks they have the technical nous to find and exploit weaknesses in the Pentagon’s cybersecurity systems, will commence on 18th April, running until 12th May.
“This is an effort for the Government to explore new approaches to its cybersecurity challenges,” the official website reads, “and evolve to adopt the best practices used by the most successful and secure software companies in the world, the DoD can ensure U.S. systems and warfighters are as secure as possible.”
Many organizations in the US that rely on networked printers got a rude awakening last week when white supremacist troll and hacker Andrew “Weev” Auernheimer sent out an enormous batch print job to every unsecured network printer in North America. Among those who found their printer trays full of racist fliers covered in swastikas and other white supremacist propaganda were a number of universities and other educational establishments.
The motive behind this attack was simple, Auernheimer admitted to The Security Ledger that his actions served as a demonstration to other white supremacists the insecurity of Internet of Things devices and how easy it is for someone to carry out such an attack. He made use of the Masscan TCP port scanning tool in order to discover the printers, which all exposed port 9100 and then sent a batch print job to all of them with just five lines of code. Auernheimer admitted that he had not deliberately targeted universities, instead simply sending the print job indiscriminately to the huge amount of unsecured printers connected to the internet in the US.
This isn’t the first time Auernheimer has been responsible for a cyber attack, playing a role in the 2010 hack of AT&T which saw the email addresses of 114,000 owners of Apple iPads exposed. He was convicted of felony charges under the Computer Fraud and Abuse Act in 2012 and spent a year in prison before the verdict was overturned. It is unlikely that he will be prosecuted for this attack as he did nothing to gain access to the printers that would be classed as unauthorized access and simply exploited their already open states to send a print job.
Maybe this attack will be an eye-opener for those IT departments that turn a blind eye to security for the sake of ease of use and convenience. In this case, it was simply offensive printouts, but a more criminally-minded individual could easily see these unsecured devices as a way to gain unauthorized access to a network or steal data sent to the printers.
“China,” McAfee writes in a Business Insider op-ed, “has already stolen top secret information of everyone who worked for the US Government for the past 50 years, accessed critical information from the Pentagon. Homeland Security and the FBI, has everyone’s phone number, address and habits – and this is just the tip of the iceberg as far as we know. China has done the same thing to nearly every nation on earth.”
“I can assure you that the first word of an attempted attack against China, from any quarter, any person or any agency, would be heard, analyzed and dealt with within minutes of its utterance,” he argues. “In China, encryption is controlled by the Office of State Commercial Cryptography Administration (OSCCA). However, items such as wireless telephones, standard computer operating systems and internet browsers are not included under their regulations.”
Therefore, McAfee posits, China should be given the keys to the US cybersecurity initiative: “It would be better to subcontract our security to the Chinese, eat crow and swallow our pride, until we can stand on our own as a nation in this sea of cyber security chaos which we are clearly incapable of navigating.”
A new vulnerability has been discovered by security researchers that could be used to allow eavesdroppers to spy on the traffic between users and as many as one-in-three HTTPS servers. The problem arises due to the fact that many HTTP servers still support the outdated and now-insecure Secure Sockets Layer (SSL) version 2 protocol. SSLv3 succeeded SSLv2 back in 1996, however, it was only officially deprecated by 2011, which has resulted in its continued presence in servers. Even SSLv3 has since been replaced with newer, more secure Transport Layer Security (TLS) versions 1.0, 1.1 and 1.2.
While SSLv2 is totally unsuitable for encrypted communications, it wasn’t until now that security researchers have thought that its continued support in servers would pose a security threat as most modern clients such as web browsers and others capable of TLS communications no longer support it. A newly released paper has found this assumption to be false by showing that a server supporting SSLv2 can be exploited by attackers to decrypt any traffic from its clients, even those using the most up-to-date TLS protocols.
The attack, which has come to be known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), has a number of prerequisites, but unlike some vulnerabilities, they remain practical to execute. Firstly, the server must either support SSLv2 or share its private key with another server that does, which is common in many organizations that share a key across both web and email servers. With this satisfied, the attack must then monitor several hundred encrypted communications between the victim and the server, whether by simply observing over a long period or using malicious code to force numerous connections to be repeatedly made with the sever. Even the requirement that the handshake must use the RSA key exchange algorithm is simple, as it is the most commonly used key exchange in TLS implementations.
Armed with this information, the attacker then connects to the server via SSLv2 multiple times using specially crafted handshake messages that contain modifications of the RSA ciphertext captured during the victim’s TLS connections. These connections will cause the server to leak further information regarding the secret keys used during the TLS connections despite failing. It was calculated that even in a worst-case scenario, an attacker would need to erform roughly 40,000 probe connections and 2^50 computations to decrypt one out of 900 observed TLS connections. It was estimated by the researchers that running the calculations for the attack on Amazon’s EC2 cloud computing platform would cost around $440. The attack is even significantly easier if the server is running a version of OpenSSL library that contains two known flaws.
As many as 17% of all HTTPS servers are directly vulnerable to the attack, with 25 percent of SMTP with STARTTLS servers, 20 percent of POP3S and IMAPS servers and 8 percent of SMTPS also vulnerable. Even amongst HTTPS servers that did not directly support SSLv2, those that shared their private keys with other web servers supporting SSLv2 raised the overall percentage of vulnerable servers to 33%. Thankfully, while DROWN attacks may expose critical information such as login or banking credentials, the attack would have to be executed from scratch for every user and the server’s long-term private keys are not exposed, only the keys negotiated for specific sessions.
Server administrators have been urged to ensure that SSLv2 has been disabled on their servers, including any sharing private keys. Instructions on how to do so have been provided by the researchers for the most common web servers and TLS libraries. For those unsure whether their server is vulnerable, even with SSLv2 disable, a tool has been released to determine is a server is vulnerable and affected by key reuse.
It is scary to think that some of the websites vulnerable to this issue include big names used in the everyday lives of many such as yahoo.com, weibo.com, buzzfeed.com, weather.com, flickr.com, and dailymotion.com.
IBM has announced today that they will be acquiring Resilient Systems and as well as the company, they will be bringing one of the biggest names in the security world on board, Bruce Schneier.
Resilient Systems specialize in developing an incident response platform that orchestrates and automates incident response processes in the case of cyber incidents including security breaches and loss of devices carrying vital data. Integrating the talents and platform of Resilient Systems into IBM Security gives them the first fully end-to-end system that combines analytics, forensics, vulnerability management and incident response in the industry said IBM.
Part of the deal for the acquisition includes plans by IBM to bring on board Resilient’s full staff of around 100 people, including Bruce Schneier, cryptography and security expert and CTO of Resilient. Exactly when the deal would be closed was not revealed by IBM, nor were any further details of the terms between the two companies.
This is just the latest step by IBM to bolster their abilities in the field of security, already hiring over 1000 security experts in the last year and appointing Mark van Zadelhoff as the manager of the security division. Monday also saw the launch of IBM X-Force Incident Response Services which aims to work with clients to assist them in planning for, managing and responding to cyber attacks. The Resilient Incident Response Platform, as well as IBM’s QRadar Security Intelligence Platform, will both be a key part of these services, with the technologies planned to be integrated across IBM’s full security portfolio.
In the modern corporate world, where it is quickly becoming a case of how to respond to and handle cyber-attacks instead of just defending against them, the acquisition of Resilient helps IBM to provide an even greater security service to their customers.
Attacks on a computer’s BIOS certainly aren’t common, but they are hard for typical security software to handle due to the nature of the BIOS and even typical measures such as formatting hard drives and reinstalling operating systems are unable to fix the issue. Dell’s new Data Protection Endpoint Security Suite Enterprise is to include BIOS verification functionality that is able to tackle this potentially vulnerable part of PCs.
The BIOS verification works alongside a cloud server that holds valid BIOS data. When the PC boots up, it sends a copy of its BIOS data to the secure server, where it is tested against official metrics of how the BIOS image should be according to Dell’s BIOS lab. By handling the verification on the server-side, it avoids a compromised PC sabotaging the result of the comparison and ensures any checks take place in a secure environment. Any BIOS that is detected as potentially compromised is then reported to the administrator who can take appropriate actions, with plans to automate a recovery process in the works.
This BIOS verification will be implemented on Dell systems that are based on the sixth generation Intel chipset, which includes the Latitude line of PCs as well as a number of Dell Precision, OptiPlex, and XPS PCs and Dell Venue Pro tablets. The suite will be optional for users of compatible PCs and will cost extra. It is interesting to see where Dell will go with the Data Protection Endpoint Security Suite in future, as its use of artificial intelligence and machine learning to protect against advanced and persistent threats could be the start of something great.
Shodan is a search engine designed to allow users to search through information on devices that are connected to the internet. The site, named after the AI from the System Shock series of games has been around since 2009, making news ever since as it has allowed access to potentially unsafe systems that have been exposed to the public internet, such as power stations and oddities including gym equipment. The newest feature to be added to Shodan has now put it back under the spotlight with a newly added section of the site allowing users to browse and view vulnerable webcams.
These feeds capture all manner of activities, from people’s offices and kitchens to far more worrying things including banks, schools, laboratories, drug plantations and even sleeping babies. Security researcher Dan Tentlertold Ars Technica “It’s all over the place, practically everything you can think of.” He went on to explain that the prevalence of vulnerable Internet of Things (IoT) devices is the result of a race to the bottom by webcam manufacturers. Typical users tend not to value security and privacy to the point that they’d pay more for a product, allowing manufacturers to slash the costs of their devices to maximize profit. The end result of this race is a slew of cheap insecure devices being on the market and filling more and more homes as times go by.
The vulnerability of the devices is rooted in their use of the Real Time Streaming Protocol (RTSP) on port 554 to share their video, but often have no authentication systems in place to protect it from access. Many of the devices have surfaced on Shodan as the site crawls the internet searching for IP address with ports open to connections. If the port provides a video feed and lacks any authentication, it captures an image from the feed, records the IP address and port and moves on. While Shodan may take flak for publicly exposing so much private footage, it is hardly the one to blame and, in fact, sheds light on the poor state of security often applied to consumer IoT products. Tentler estimates that millions of insecure webcams are connected and easily discoverable through Shodan.
Shodan’s image is available to its paid users at images.shodan.io while those users with free accounts can find an array of video devices by using the search filter “port:554 has_screenshot:true“. It is truly frightening how much is haplessly made available to anyone online, with users expecting manufacturers to handle the security for them, but the manufacturers being unwilling to raise the cost for the sake of security. Hopefully, the images made public by this new feature of Shodan will convince both users and manufacturers to value cybersecurity more in this increasingly connected world.
Today Hyatt Hotels issued a warning to their visitors in the wake of a cache of malware being discovered on their customer payment system being discovered. This isn’t the first hotel chain to suffer security issues recently, with Hilton, Mandarin Oriental, Starwood and Trump Collection all having suffered issues with the security of their payment systems.
The security breach was made public by Hyatt’s Global President of Operations, Chuck Floyd, in a post on their official website. While there was no mention of exactly when the issue was discovered, he reported that the problem had been fixed and the system in place have had their security strengthened. Previous customers have been encouraged to check their credit card statements in case of unauthorized use of their payment details.
A lot of the details regarding the incident still remain unclear and unmentioned by Hyatt. They neither confirmed nor denied whether the malware led to the leaking of any customer data. Hyatt is currently investigating the issue fully with the help of leading third-party cybersecurity experts. The results of this investigation will be posted on Hyatt’s website.
Operating in 52 countries and with 627 hotels in their portfolio, the potential impact of this hack is huge if it led to the leak of customers’ personal and payment details. Thankfully, only around half of their properties were impacted by the malware, with franchised hotels managing to be unaffected.
On Friday, a number of Twitter users received a notification from the social networking platform, explaining that their accounts had been the target of state-sponsored actors. Unsurprisingly, the supposed targets of these attacks were mass surveillance researchers and security professionals.
The incident was surprising for users of Twitter, as until the notifications went out at 17:30 EST, Twitters notification service regarding state-sponsored attacks had never before been seen, let alone mentioned by Twitter. Fortunately for those affected, Twitter assures in the notification email that they believe that only email addresses, IP addresses, and phone numbers could have been taken by a breach, and even then, could not confirm that any data had been taken. The compromising of a single social media account can be a big deal though, with some users holding multiple Twitter accounts for different purposes, and using personal details and account credentials could yield access to other sites too.
Twitter is yet to release any further information beyond the notification letter, however people have begun theorizing what could be taking place, with Jacob Appelbaum, a key member of the Tor Project taking the effort to keep up a list of sorts of the individuals receiving the notifications. He questioned in a tweet whether Twitter had been “owned” or hacked. More information and theorycrafting on the topic has come under the hashtag #StateSponsoredActors which also discusses Twitter’s blocking of a number of accounts used through the Tor service.
Twitter is not the only online service with warnings against incidents with state attackers, with Google having one in place and Facebook having launched theirs back in October, which immediately identified attacks on US Government employees.
Security is a word that has appeared more and more online when it comes to the digital world in recent years. With more and more attention drawn by everyone from presidential candidates like Donald Trump to toy companies like VTech, governments are now pushing for stricter security on their systems. The EU have since agreed upon a set of rules regarding how their countries should approach the problem and where their responsibilities lie.
The proposed legislation would mean that essential services, such as electricity management and traffic control systems would have to be able to withstand online attacks while major marketplaces like Amazon or eBay would be included with cloud-based services (things like your apps which use online storage app) would be required to ensure that their infrastructure is secure and will be legally responsible for reporting any incidents.
While teams will be set up to help coordinate responses there will be a set of rules to exchange information and support one another in regards to their capability of handling cyber security issues.
While this seems like a positive step, you have to consider this is a world where people have been open about wanting to reduce, or even remove encryption, potentially even creating back doors for ‘government’ use, you have to worry about how a European-wide system would handle matters proposed by each countries governments.
In recent years, Google has been working hard to improve privacy and security on their services, with the majority of emails sent and received on Gmail now being encrypted. However, to Google, this is not enough, and there are still large volumes of emails that are sent unencrypted. To keep their users safer and more aware of their privacy, Google plans to implement warnings for its users about any unencrypted mail they receive.
For a long time, emails were generally sent unencrypted, which left them open to interception and snooping of their contents. In the world we now live in, where safety and security online are almost constantly under threat, this is no longer acceptable. And while email providers can do little to ensure the safety and trustworthiness of emails they receive, is would be unreasonable to discard unencrypted emails that were received as until encryption is a required standard, it could cause users to lose important mail. And while unencrypted mail itself cannot harm a user or their privacy, the rise of techniques such as setting up malicious DNS servers to snoop on and redirect email to the attackers.
Google’s step to ensure users are aware of any emails they receive are unencrypted is a step in the right direction. It allows users to take care around unencrypted mail, as they have no assurance that its contents are private or unaltered. I will certainly sleep easier being aware of my email security and knowing which could be at risk.
Google’s study on trends in email security can be found here.
The UK Government has teamed up with Cyber Security Challenge UK to find fresh talent for the cybersecurity industry, using sandbox building game Minecraft as its recruitment tool. Players who manage to get the better competitions and cipher-based challenges within the custom-built Cyphinx skyscraper within Minecraft could earn themselves a “£100,000” career as a “cyber-professional”.
The UK Cabinet Office is backing the scheme, which aims to create an environment to not only find fresh cybersecurity flair, but also engage with those who are already interested in such a career, putting potential employees in touch with noted cybersecurity firms.
“Amidst the chronic shortage of cyber-professionals, there is a wealth of talent which is still untapped,” Stephanie Daman, head of the Cyber Security Challenge, said. “This is the next logical step to inspire an audience who may not yet even know that cyber is the career for them.”
“Historically we’ve seen a shortfall of interest in cybersecurity due to a lack of understanding of the job,” Dr. Guy Bunker of security firm Clearswift, which is also involved in the initiative, added. “This new world allows the industry to inspire young people to enter the field, showing them how to become valuable players in a game that’s ever-changing.”
China has plans to take internet censorship to a whole new level, placing members of a real-life cyberpolice within the country’s biggest online companies to make sure they don’t dun goofed. Chinese “network security officers” will monitor online entities, garrisoned within their own building, for signs that they are violating state laws by committing what the Ministry of Public Security deems to be fraud, or the “spreading of rumours”. Internet companies will be forced to house “cybersecurity police stations” within their own buildings.
China employs around 2 million people to monitor the country’s internet activity, which includes maintaining the country’s infamous “Great Firewall”, which prohibits most non-Chinese internet traffic from being accessible within its borders.
“As the country enters the internet age, network security has become a national security issue and social stability issue, important to economic development and a serious day-to-day working issue for citizens,” the statement from the Ministry of Public Security reads.
“We will set up cyber security police stations inside important website and internet firms so that we can catch criminal behaviour online at the earliest possible point,” added Chen Zhimin, China’s deputy minister said at a conference announcing the move in Beijing.
Though the Ministry of Public Security has not revealed which companies will be forced to have their own police garrisons, it has confirmed that it will not discriminate between local firms and international businesses based within China, no doubt forcing many non-Chinese businesses to relocate.
An air-gapped computer is the most secure way of storing sensitive data; a PC that has no internet connection and no removable storage or disk drives cannot be compromised by hackers or government surveillance, in theory. Well, it’s time to say goodbye to that theory, as not only have Israeli researchers managed to remotely hack into an air-gapped computer, but they did it with a nine-year-old mobile phone that has no GPRS, Wi-Fi, or mobile data capabilities.
Researchers warn that their findings should encourage companies attempting to protect data via air-gapped systems to “change their security guidelines and prohibit employees and visitors from bringing devices capable of intercepting RF signals,” so says Yuval Elovici, director of the Cyber Security Research Center at Ben-Gurion University of the Negev.
Since smartphones are often restricted in areas which house air-gapped computers, so the researchers from the Cyber Security Center chose to use an old mobile phone that could bypass any security restrictions.
“[U]nlike some other recent work in this field, [this attack] exploits components that are virtually guaranteed to be present on any desktop/server computer and cellular phone,” the researchers note in their paper.
The phone used, a Motorola C123, runs on a Calypso baseband chip from Texas Instruments, and supports 2G communication, but has none of the more advanced networking capacities of modern smartphones. Data was grabbed from air-gapped computers, running Microsoft Windows, Linux, and Ubuntu, at a rate of 1-2bps, allowing the researchers to obtain 256-bit encryption keys from the system via radio frequencies.
“This is not a scenario where you can leak out megabytes of documents, but today sensitive data is usually locked down by smaller amounts of data,” Dudu Mimran, CTO of the Cyber Security Research Center, said. “So if you can get the RSA private key, you’re breaking a lot of things.”
Thank you Wired for providing us with this information.
A Finnish hacker, and member of the notorious Lizard Squad, has been found guilty of 50,700 charges of hacking, according to the nation’s newspaper, Kaleva. The hacker, 17-year-old Julius “zeekill” Kivimaki, was given a 2-year suspended sentence, meaning he will avoid prison on the proviso that help “to fight against cybercrime”. Any failure to meet this condition will see Kivimaki serve his 2-year sentence in prison.
Kivimaki was charged with crimes related to data breaches, felony payment fraud, telecommunication harassments, plus a number of other computer fraud and violation of privacy crimes. He was identified as a member of Lizard Squad – the perpetrators of the Xbox Live and PlayStation Network DDoS attacks last Christmas – by cybersecurity journalist Brian Krebs late last year. Shortly after, Kivimaki conducted an interview with Sky News, using the alias “Ryan”, to discuss the Xbox and PlayStation DDoS attacks.
One of Kivimaki’s victims, Blair Strater, has been left “utterly disgusted” by the court ruling, feeling that the sentence is far too lenient. Strater was a regular victim of the practice known as “swatting” – fake calls to US law enforcement that result in a SWAT team being dispatched to an address – at the hands of Kivimaki.
“I’ve lost complete faith in the justice system, and that includes the FBI. He’s harmed American targets and the FBI should have stepped in by now,” said Strater. “The reality is, Julius Kivimaki will never be made to pay for his crimes.”
Malware, under the guise of notorious Seth Rogen comedy The Interview, has been attacking Android smartphones in India. The Computer Emergency Response Team of India (CERT-In) first detected the Trojan, proliferated via a link offering a supposed download of The Interview. The virus is designed to compromise any banking apps installed on the phone in order to access the users’ accounts.
The CERT-In blog reads:
“Once installed (the virus), the application will display an icon using imagery from the poster of the movie The Interview. When the Trojan is being installed, it requests permissions to perform either open network connections, write to external storage devices or install application packages.
When the app (application) is installed, it claims to allow users to watch the movie The Interview for free but instead installs a two-stage banking Trojan onto infected devices.”
The hope is that, now that cybersecurity has detected and catalogued the Trojan, that it will not be allowed to spread beyond the Indian locale.
Tim Cook, CEO of Apple, has criticised US President Barrack Obama’s executive order for enhanced cybersecurity, saying the move will have “dire consequences”.
Cook was speaking at a cybersecurity summit organised by the White House, just moments before President Obama was set to take the stage.
“We still live in a world where all people are not treated equally. Too many people do not feel free to practice their religion or express their opinion or love who they choose,” Cook said.
“A world in which that information can make a difference between life and death,” Cook said. “If those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money. We risk our way of life.”
“Fortunately, technology gives us the tools to avoid these risks. It is my sincere hope that by using them and by working together, we will.”
He added that “history has shown us that sacrificing our right to privacy can have dire consequences.”
James Comey, Director of the FBI, criticised Apple’s use of encryption last year, saying, “Criminals and terrorists would like nothing more than for us to miss out.”
The UK government has partnered with the Open University and plans to launch a cybersecurity course that will open up classes for future candidates. The multi-year program will hopefully develop students interested in technology to focus on security, which will help boost UK defenses from foreign attack.
As western governments try to wrap their heads around growing cyberthreats, there is a shortage of skilled security specialists. Unfortunately, it has proven to be a difficult and expensive process, while data breaches and cyberattacks continue to be successful.
Here is what Natalie Black, Cabinet Office deputy director of Cyber Defence and Incident Management said:
“A key tenet of the national cybersecurity strategy is developing the cybersecurity skills we need to keep the UK safe and to do that we have to work together, we have to work through industry and academia. It goes without saying that the government takes cybersecurity incredibly seriously and we’re investing £860m over the course of five years.”
The United States government wants to recruit cybersecurity specialists for the military – but has struggled to find qualified candidates – especially compared to private sector companies willing to open up their checkbooks. There are similar efforts to partner with universities and private sector companies to help boost education to create future cybersecurity specialists.
Thank you to The Inquirer for providing us with this information
It appears that a new cybersecurity bill currently going through the Senate is considered too ‘broad’ and would grant ISPs the liberty to limit streaming services’ delivery to customers, having Netflix given as an example.
The Cybersecurity Information Sharing Protection Act of 2014, which has been rallied against twice already, is said to deliver a backdoor for ISPs to destroy net neutrality, something that they have sought for a long time. Until now, the Federal Communications Commission has been the judge when it comes to net neutrality, having set ground rules in order to keep ISPs from limiting content on the Internet.
However, the bill in question appears to describe that “countermeasures” can be employed against “cybersecurity threats”, giving no specific definition to what type of information is included and can be considered a “cybersecurity threat”. This would give ISPs an ace up their sleeves, which would help them jumping over a lot of FCC rules.
“A ‘threat,’ according to the bill, is anything that makes information unavailable or less available. So, high-bandwidth uses of some types of information make other types of information that go along the same pipe less available,” Greg Nojeim, a lawyer with the Center for Democracy and Technology, stated. “A company could, as a cybersecurity countermeasure, slow down Netflix in order to make other data going across its pipes more available to users.”
A letter has been sent to Dianne Feinstein, the bill’s sponsor, having the CDT, EFF, American Civil Liberties Union and other civil liberties groups stating that the bill “arbitrarily harms average internet users”. The letter also points out that previous cybersecurity legislation considered by the Senate had some net neutrality protections defined, something that the current bill lacks.
The unsettlement caused by the bill has been said to postpone it for now, having it sent back to the Intelligence Committee for further discussions. There has been no word on any decisions regarding the bill so far.
Thank you Motherboard for providing us with this information
Microsoft plans on providing new and more efficient ways for security professionals to effectively and swiftly respond to potential threats. This is why the company has just launched the closed preview of a platform named Interflow, designed with cybersecurity in mind.
The platform is said to have been announced in a Microsoft blog post, having stated that it is a product of collaboration with the Microsoft Active Protections Platform. Interflow is designed to “take industry specifications to create an automated feed of machine-readable threat information that can be shared across industries and groups”. Also, Microsoft has stated that users decide which information or feeds are shared with the communities and even which community is required to be established.
Up until now, Microsoft has been testing the platform internally having its own security teams assessing the threats. However, Microsoft states that the platform is available to other companies as well who desire to test and even participate in improving it. The company has also stated that it plans on making Interflow available to all MAPP groups in the future.
In terms of specifications, Microsoft said that Interflow supports a number of open specifications, such as STIX (Structured Threat Information eXpression), TAXII (Trusted Automated eXchange of Indicator Information), as well as CybOX (Cyber Observable eXpression). Given the latter, the platform should integrate with existing systems and avoid potential data locking.
Given that threats and cyber attacks are increasing in number, security is becoming every company’s main priority and being able to respond to cyber attacks at the same time they occur is the best solution in order to have a greater chance of successfully protecting the company network and systems.
The Bank of England officially launched its CBEST framework to help mitigate the risk of cyberattacks, as criminals continually target banks and other financial institutions.
Using guidelines and threat intelligence from the British government and security providers, CBEST is designed to identify attacks against specific banks. And then attack strategies are replicated so banks are able to test their defenses to try to determine future methods to reduce risks.
In addition, the realistic penetration tests are replicated, with indicators available to assess cybersecurity maturity. Banks will be able to better understand where and how they are vulnerable – and how IT staff can improve security efforts.
The Digital Shadows UK cyberintelligence company assisted in developing the new testing framework, and it will be monitored and modified as needed.
“The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment,” said Andrew Grace, Bank of England Executive Director, in a statement. “The results should provide a direct readout on a firm’s capability to withstand cyberattacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability.”
Financial crime is a high-profile target, with cyberattacks targeting financial institutions serving as the second largest source of direct loss from cybercrime, according to McAfee’s “Net Losses: Estimating the Global Cost of Cybercrime” report.