September 26, 2018
Category archive


The United States needs a Department of Cybersecurity


This week over 40,000 security professionals will attend RSA in San Francisco to see the latest cyber technologies on display and discuss key issues. No topic will be higher on the agenda than the Russian-sponsored hack of the American 2016 election, with debate about why the country has done so little to respond and what measures should be taken to deter future attempts at subverting our democracy.

For good reason. There is now clear evidence of Russian interference in the election with Special Counsel Mueller’s 37-page indictment of 13 Russians, yet the attack on US sovereignty and stability has gone largely unanswered. The $120 million set aside by Congress to address the Russian attacks remains unspent. We expelled Russian diplomats, but only under international pressure after the poisoning of a former Russian spy and his daughter.

Recent sanctions are unlikely to change the behavior of the Putin administration. To put it bluntly, we have done nothing of substance to address our vulnerability to foreign cyberattacks. Meanwhile, our enemies gain in technological capability, sophistication and impact.

Along with the Russians, the Chinese, North Koreans, Iranians and other emerging nation states use cyber techniques on a daily basis to further their efforts to gain advantage on the geopolitical stage. It is a conscious decision by these governments that a proactive cyber program advances their goals while limiting the United States.


We were once dominant in this realm, both technically and in our knowledge and skillsets. That playing field has been leveled and we sit idly by without the will or focus to try to regain the advantage. This is unacceptable, untenable and will ultimately lead to potentially dire consequences.

In March of this year, the US CyberCommand released a vision paper called “Achieve and Maintain Cyberspace Superiority.” It is a call to action to unleash the country’s cyber warriors to fight for our national security in concert with all other diplomatic and economic powers available to the United States.

It’s a start, but a vision statement is not enough. Without a proper organizational structure, the United States will never achieve operational excellence in its cyber endeavors. Today we are organized to fail. Our capabilities are distributed across so many different parts of the government that they are overwhelmed with bureaucracy, inefficiency and dilution of talent.

The Department of Homeland Security is responsible for national protection, including prevention, mitigation and recovery from cyber attacks. The FBI, under the umbrella of the Department of Justice, has lead responsibility for investigation and enforcement. The Department of Defense, including US CyberCommand, is in charge of national defense. In addition, each of the various military branches has its own cyber units. No one who wanted to win would organize a critical capability in such a distributed and dispersed manner.

How could our lawmakers know what policy to pass? How do we recruit and train the best of the best in an organization, when it might just be a rotation through a military branch? How can we instantly share knowledge that benefits all when these groups don’t even talk to one another? Our current approach does not and cannot work.


What is needed is a sixteenth branch of the Executive — a Department of Cybersecurity — that would assemble the country’s best talent and resources to operate under a single umbrella and a single coherent policy. By uniting our cyber efforts we would make the best use of limited resources and ensure seamless communications across all elements dealing in cyberspace. The department would act on behalf of the government and the private sector to protect against cyberthreats and, when needed, go on offense.

As with physical defense, sometimes that means diplomacy or sanctions, and sometimes it means executing missions to cripple an enemy’s cyber-operations. We have the technological capabilities, we have the talent, and we know what to do, but unless all of this firepower is unified and aimed at the enemy we might as well have nothing.

When a Department of Cybersecurity is discussed in Washington, it is usually rejected because of the number of agencies and departments affected. This is code for loss of budget and personnel. We must rise above turf battles if we are to have a shot at waging an effective cyber war. Some have raised concerns about coordination on offensive actions, but those can be addressed by a clear chain of command with the Defense Department to avoid the potential of a larger conflict.

We must also not be thrown by comparisons to the Department of Homeland Security and conclude a Cybersecurity department would face the same challenges. DHS was 22 different agencies thrust into one. A Department of Cybersecurity would be built around a common set of skills, people and know-how all working on a common issue and goal. Very different.

Strengthening our cyberdefense is as vital as having a powerful standing army to defend ourselves and our allies. Russia, China and others have invested in their cyberwar capabilities to exploit our systems almost at will.

Counterpunching those efforts requires our own national mandate, executed with Cabinet-level authority. If we don’t bestow this level of importance on the fight and set ourselves up to win, interference in US elections will not only be repeated … such acts will seem trivial in comparison to what could and is likely to happen.

News Source = techcrunch.com

Averon closes $8.3M funding to make your smartphone the key to ID online


Because of the threat of cyber attacks, sign-in and identity verification procedures are becoming utterly cumbersome. There’s no “identity” layer to the internet (until there is a mainstream Blockchain solution, perhaps?). However, using signalling and data packets, and the SIM/eSIM chips already found in smartphones, you could make this much easier. It would also require no installation and much less effort from users, and could be rolled out in areas like IoT.

This is what SF-based startup Averon is working on. They call it Direct Autonomous Authentication (DAA): a mobile identity verification standard that is both pretty frictionless and very secure.

Averon has now closed an $8.3 million Series A financing round led by Avalon Ventures. The idea is to make the hacks involving Equifax, Target, Home Depot and Anthem Medicare a thing of the past.

Developed in stealth for nearly two years, Averon’s security solution takes the real-time mobile network signal from your phone and the SIM/eSIM chips to create authentication.

With existing solutions, users manually enter ID info on their device, use two-factor authentication, and rely on biometric info that is easily breached and prone to human error. Your mobile carrier actually knows who you are, but so far packet device origination tracking (SIM) has been limited to carrier use, and carriers themselves have been viewed as siloed networks. This solution breaks down those barriers.

Wendell Brown, CEO and chairman of Averon, says DAA “has the potential to substantially reduce the exposure each of us has to the growing wave of cybercriminals.” His co-founder is Lea Tarnowski, a former UK-based VC partner.

Tarnowski was formerly an investment manager at Northzone Ventures, one of Europe’s leading global venture capital funds.

Brown is an acclaimed computer scientist, entrepreneur, and inventor known for his innovations in telco and mobile security with 20 years of expertise in cryptosecurity and a U.S. Department of Defense security.

Averon is led by a cadre of business leaders, engineers and cybersecurity experts with backgrounds spanning MIT, Harvard Business School, Stanford, USC, Cornell, the NSA, the Israel Defense Force, PayPal, Microsoft, and other top universities and institutions. It’s also the creator and holder of IP protected by 15 U.S. and international patents.



Kaspersky fights spying claims with code review plan


Russian cybersecurity software maker Kaspersky Labs has announced what it’s dubbing a “comprehensive transparency initiative” as the company seeks to beat back suspicion that its antivirus software has been hacked or penetrated by the Russian government and used as a route for scooping up US intelligence.

In a post on its website today, the Moscow-based company published a four-point plan to try to win back customer trust, saying it will be submitting its source code for independent review, starting in Q1 2018. It hasn’t yet specified who will be conducting the review, but says it will be “undertaken with an internationally recognized authority”.

It has also announced an independent review of its internal processes — aimed at verifying the “integrity of our solutions and processes”. And it says it will be establishing three “transparency centers” outside its home turf in the next three years — to enable “clients, government bodies and concerned organizations to review source code, update code and threat detection rules”.

It says the first center will be up and running in 2018, and all three will be live by 2020. The locations are listed generally as: Asia, Europe and the U.S.

Finally, it’s also increasing its bug bounty rewards — saying it will pay up to $100K per discovered vulnerability in its main Kaspersky Lab products.

That’s a substantial ramping up of its current program, which — as of April this year — could pay out up to $5,000 per discovered remote code execution bug. (And, prior to that, up to $2,000 only.)

Kaspersky’s moves follow a ban announced by the US Department of Homeland Security on its software last month, citing concerns about ties between “certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks”.

The US Senate swiftly followed suit, voting to oust Kaspersky software from federal use. Three months earlier, the General Services Administration had also removed Kaspersky Lab from a list of approved federal vendors.

The extensive system-wide permissions of antivirus software could certainly make it an attractive target for government agents seeking to spy on adversaries and scoop up data, given the trust it demands of its users.

The WSJ has previously reported that Russian hackers working for the government were able to obtain classified documents from an NSA employee who had stored them on a personal computer that ran Kaspersky software.

Earlier this month CEO Eugene Kaspersky blogged at length — rebutting what he dubbed “false allegations in U.S. media”, and writing: “Our mission is to protect our users and their data. Surveillance, snooping, spying, eavesdropping… all that is done by espionage agencies (which we occasionally catch out and tell the world about), not us.”

But when your business relies so firmly on user trust — and is headquartered close to the Kremlin, to boot — words may evidently not be enough. Hence Kaspersky now announcing a raft of “transparency” actions.

Whether those actions will be enough to restore the confidence of US government agencies in Russian-built software is another matter though.

Kaspersky hasn’t yet named who its external reviewers will be, either. But reached for comment, a company spokeswoman told us: “We will announce selected partners shortly. Kaspersky Lab remains focused on finding independent experts with strong credentials in software security and assurance testing for cybersecurity products. Some recommended competencies include, but are not limited to, technical audits, code base reviews, vulnerability assessments, architectural risk analysis, secure development lifecycle process reviews, etc. Taking a multi-stakeholder approach, we welcome input and recommendations from interested parties at transparency@kaspersky.com.”

She also sent the following general company statement:

Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question, and the company reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems.

As there has not been any evidence presented, Kaspersky Lab cannot investigate these unsubstantiated claims, and if there is any indication that the company’s systems may have been exploited, we respectfully request relevant parties responsibly provide the company with verifiable information. It’s disappointing that these unverified claims continue to perpetuate the narrative of a company which, in its 20-year history, has never helped any government in the world with its cyberespionage efforts.

In addition, with regards to unverified assertions that this situation relates to Duqu2, a sophisticated cyber-attack of which Kaspersky Lab was not the only target, we are confident that we have identified and removed all of the infections that happened during that incident. Furthermore, Kaspersky Lab publicly reported the attack, and the company offered its assistance to affected or interested organisations to help mitigate this threat.

Contrary to erroneous reports, Kaspersky Lab technologies are designed and used for the sole purpose of detecting all kinds of threats, including nation-state sponsored malware, regardless of the origin or purpose. The company tracks more than 100 advanced persistent threat actors and operations, and for 20 years, Kaspersky Lab has been focused on protecting people and organisations from these cyberthreats — its headquarters’ location doesn’t change that mission.

“We want to show how we’re completely open and transparent. We’ve nothing to hide,” added Kaspersky in another statement.

Interestingly enough, the move pushes in the opposite direction to US-based cybersecurity firm Symantec — which earlier this month announced it would no longer allow governments to review the source code of its software because of fears the agreements would compromise the security of its products.



Legal fight against UK state hacking seeks crowdfunds


Privacy rights group Privacy International is running a crowdfunding campaign to raise funds to help cover its legal costs as it continues to challenge the UK government’s use of hacking as a mass surveillance technique for domestic security agencies to gather intelligence.

The group is hoping to raise £5,000 via this route, noting that an anonymous supporter has offered to match any donations it receives up to a maximum of £12,000.

It also says it has a ‘Protective Costs Order’ which limits its potential legal liability to £25k should it lose the case and have to pay the government’s costs, but adds “that’s still a lot of money for a charity with very limited resources!”. Hence the crowdfunder.

It’s raised just over £1k at the time of writing.

Long battle against state hacking

The group has been fighting the government’s use of hacking as an investigatory power since 2014, filing an original complaint against state hacking with the IPT, the oversight court for UK intelligence agencies, in May 2014.

As part of that legal challenge more information emerged about the state’s use of hacking as an investigatory tool — including the fact that it does not require individual warrants to hack devices or services. Rather, it can use so-called “thematic warrants” to authorize hacking activities in bulk.

Privacy International went on to argue that untargeted hacking activities violate Articles 8 and 10 of the European Convention on Human Rights, pertaining to privacy and free speech rights.

Its contention is that the use of bulk hacking, “fundamentally undermines 250 years of English common law”, arguing that common law “has long rejected general warrants” and “is clear that a warrant must target an identified individual or individuals”.

“Parliament is presumed not to have overridden such a profound and fundamental right unless it clearly and expressly states that general warrants are now permissible — which it has not,” it wrote in May last year.

At the same time as the legal challenges to hacking as an investigatory tool of the state, thematic warrants were included by the UK government in a new draft surveillance framework, published in 2015, as it sought to bake existing operational powers — whose existence had been revealed by documents released by NSA whistleblower Edward Snowden — fully into UK law, rather than continuing to rely on authorization via a patchwork of outdated legislation.

Then, in February 2016, as the government’s new draft surveillance powers bill was being put before parliament, the IPT rejected Privacy International’s challenge to state hacking.

And in May last year the group filed for a judicial review in the UK High Court of the IPT ruling.

In November the UK High Court ruled that it has no power to overturn an IPT ruling, citing a clause in the UK legislation that oversees the state’s use of investigatory powers (RIPA) which apparently protects IPT decisions from being subject to appeal or questioning on points of law.

Privacy International is in the UK Appeals Court today to try to overturn the High Court decision and force a judicial review of the IPT’s ruling.

A spokesperson told us it does not expect the Appeals Court to pass judgement today.

The case could be referred to the UK’s Supreme Court, and — beyond that — to the European Court of Human Rights.

Privacy International has also — in August 2016 — filed a legal challenge to the state’s use of bulk hacking against foreigners with the European Court of Human Rights. So it has a parallel legal action ongoing.

“By taking this case to the European Court of Human Rights, we aim to bring the government’s hacking under the rule of law,” it wrote when it initiated that action. “The government is currently hacking abroad based on a very vague and broad power that provides few if any safeguards on this incredibly intrusive power.”

Controversial and risky

Bulk hacking as an investigatory tool for spies is especially controversial, as it enables the UK’s security agencies to carry out mass hacking of devices and services which can potentially cover tens of thousands of people at a time, located anywhere in the world.

Not to mention that it can potentially compromise the security of software programs used by many more people if backdoors are being intentionally inserted into systems.

An example of the kind of mass collateral damage that can result when state agencies utilize software exploits as an intelligence-gathering route occurred earlier this year, when the WannaCrypt ransomware caused havoc across multiple countries, including shutting down hospitals and impacting comms businesses — relevant because the malware apparently made use of an exploit stolen from the NSA.

Last year the UK parliamentary Intelligence and Security Committee also raised concerns about bulk hacking as an investigatory technique, recommending the provision be removed entirely from the draft Investigatory Powers bill before parliament, saying it had not seen “sufficiently compelling evidence” to justify sanctioning such an intrusive capability.

Despite concerns from a normally hawkish committee, and despite a subsequent review of the bulk powers contained in the bill (pushed for by the opposition Labour party), the legislation was passed by parliament in November 2016 with bulk powers intact, becoming law by the end of the year.

The August 2016 review of the bill’s bulk powers, which was carried out by the government’s independent reviewer of terrorism legislation, rapidly concluded there was a distinct though not yet proven operational case for the inclusion of “bulk equipment interference” (as mass hacking is euphemistically termed).

The review did not, however, consider whether bulk powers are proportionate or desirable — leaving such matters for the UK parliament to decide.

And with both the government and the main opposition party in parliament backing the legislation, there was little room for robust scrutiny — leaving its few critics in parliament to warn of the “weakness of safeguards” in the legislation.

Privacy rights groups had also criticized the UK government’s terrorism legislation reviewer for focusing on “claimed successes of bulk power use”, relying on anecdotal evidence provided by the intelligence agencies, and for failing to “inspect evidence of their failures”.

The difficulty in evaluating and assessing risks when the state is engaging in bulk hacking that could cause unforeseen disruption is another point raised by critics — given the already complex interplay of digital devices and services, and an increasingly complex picture as more devices and things become critically reliant on connectivity.



New Bluetooth vulnerability can hack a phone in ten seconds


Security company Armis has found a collection of eight exploits, collectively called BlueBorne, that can allow an attacker access to your phone without touching it. The attack can allow access to computers and phones as well as IoT devices.

“Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.

“Blueborne affects pretty much every device we use. Turns that Bluetooth into a rotten black one. Don’t be surprised if you have to go see your security dentist on this one,” said Ralph Echemendia, CEO of Seguru.

As you can see from this video, the vector allows the hacker to identify a device, connect to it via Bluetooth, and then begin controlling the screen and apps. It’s not completely secretive, however, because activating the exploits “wakes up” the device.

The complex vector begins by finding a device to hack. This includes forcing the device to give up information about itself and then, ultimately, release keys and passwords “in an attack that very much resembles Heartbleed,” the exploit that forced many web servers to disclose passwords and other keys remotely.

The next step is a set of code executions that allows for full control of the device. “This vulnerability resides in the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering). Due to a flaw in the BNEP service, a hacker can trigger a surgical memory corruption, which is easy to exploit and enables him to run code on the device, effectively granting him complete control,” write the researchers.

Finally, when the hacker has access they are able to begin streaming data from the device in a “man-in-the-middle” attack. “The vulnerability resides in the PAN profile of the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim’s device, re-configure IP routing and force the device to transmit all communication through the malicious network interface. This attack does not require any user interaction, authentication or pairing, making it practically invisible.”

Windows and iOS phones are protected, and Google users are receiving a patch today. Other devices running older versions of Android and Linux could be vulnerable.

How do you stay safe? Keep all of your devices updated regularly and be wary of older IoT devices. In most cases the problems associated with BlueBorne vectors should be patched by major players in the electronics space, but less popular devices could still be vulnerable to attack.

“New solutions are needed to address the new airborne attack vector, especially those that make air gapping irrelevant. Additionally, there will need to be more attention and research as new protocols are used for consumers and businesses alike. With the large number of desktop, mobile, and IoT devices only increasing, it is critical we can ensure these types of vulnerabilities are not exploited,” wrote Armis.

