Monday, April 6, 2015

Proposed Amendments to US Cybersecurity Laws Under Scrutiny

The White House in January proposed updates to the Computer Fraud and Abuse Act that have stirred controversy within the cybersecurity industry. The proposals would allow prosecution under the CFAA of insiders who abuse their ability to access information, while setting aside insignificant conduct.

"If the proposed legislation were to be enacted, it would certainly have a chilling effect on cybersecurity research," Chris Doggett, managing director at Kaspersky Lab North America, told TechNewsWorld. The current law already does this sometimes, and the proposed legislation "makes [stultifying research] much easier to do by broadening the definition of illegal activities while removing some of the aspects, such as intent, that mitigated risk for those who were doing bona fide research," Doggett continued.

White Hats at Risk?

The amendments proposed seek to promote better cybersecurity information sharing between government and the private sector, provide targeted liability protection for participating companies, improve Americans' privacy, and suggest advancing guidelines for the federal government's development, receipt, retention, use and disclosure of information. They also aim to allow prosecution of the sale of botnets and to criminalize the overseas sale of financial information stolen from the United States, such as credit card and bank account numbers.

The suggested amendments also seek to update the RICO Act to apply to cybercrimes. Adding the concept of racketeering could see online security communities, or those who share information about exposures, subject to prosecution, Doggett pointed out. "The removal of the 'with intent to defraud' provision and replacing it with [the] 'willfully traffics' [clause] makes their actions illegal even though their intent may be good and their actions appropriate."

Still, there is no doubt that cyberattacks are a real and ongoing problem. The United States Department of Homeland Security responded to 257 credible threats to U.S. critical infrastructure in 2013, Brian Foster, CTO of Damballa, told TechNewsWorld. Meanwhile, attacks on U.S. government websites continue apace, and the government appears unable to combat these hackers. For example, the hackers who penetrated the U.S. State Department's unclassified email system three months ago are still in the system, despite efforts to eliminate them. The barrier to entry for cybercriminals is low, Foster pointed out, adding, "information is readily available about how to perpetrate attacks and there's a thriving underground economy for buying the tools to do it."

United We Fall

Section 6 of the proposed legislation essentially says it's illegal to share such information so long as the person sharing it knows, or should know, that someone else might abuse it. That's akin to allowing the government to prosecute gun manufacturers when their products are used in the commission of crimes, and it is causing great concern. To test this issue, researcher Mark Burnett released into the public domain a database of 10 million passwords he had built up over the years, with identifying information removed. All the data was, at one time, publicly available and discoverable by search engines. Burnett is currently within the law because he has no intent to commit or facilitate a crime, but the proposed amendments to the CFAA might change that.

Fear and Loathing in the Security Industry

The CFAA's language is vague, and "I'm not sure how much it will club researchers for the time being," Derek Manky, senior security strategist at Fortinet's FortiGuard Labs, told TechNewsWorld. For example, Fortinet monitors activity for Heartbleed, and "it is tough to tell if a Heartbleed attack, which leaks data by nature, is just a pen test or an actual attack," Manky remarked.

If, however, a law is imposed to limit or stop researchers from responsibly disclosing vulnerabilities, "in my professional opinion it is a backwards step since now the bad guys will -- for the most part -- always beat the good guys [in] the arms race," Manky continued.

Companies are likely to use the amendments to clamp down on independent security research, noted Richard Blech, CEO of Secure Channels. "We may not know if a system is safe, even if it's tested," Blech told TechNewsWorld. "Hackers can always find an unexpected flaw. But we sure will know that our systems aren't safe if they're not tested, or if testing is prevented."

At the same time, "we don't want to allow too much leeway to think that cybercriminals can get away and dodge bullets when it comes to breaking the law," Manky said.

"In the physical world, we don't have the concept of packs of people breaking into homes and companies to conduct unauthorized tests of physical security," remarked Rob Enderle, principal analyst at the Enderle Group. "If they did, they'd be arrested and might get shot in the process. So, if you don't have legal authority to test the security of a thing, then your act should be illegal."

Step Back and Breathe Deeply

Stung by the criticism, the United States Department of Justice in March defended this approach on the grounds that criminals use botnets not only to commit fraud but also to commit other crimes. The DoJ asserts that it has no interest in prosecuting legitimate security researchers, academics, or system administrators. For this reason, the DoJ says, it requires that the government prove beyond a reasonable doubt that the individual intentionally trafficked in a means of access he or she knew to be unlawful, and prove that the individual knew, or had reason to know, that the means of access would be used to commit a crime by hacking.

It is discussing the issue with security researchers and groups, and with Congress, to ensure that it avoids chilling legitimate security research. "I think the idea that everyone should be free to test security is frankly nuts," Enderle told TechNewsWorld. "Managing the current mess has become problematic as the lines between criminal and legitimate researcher are badly blurred, especially in Asia and Europe."

Monday, March 2, 2015

Natural Grocers investigating unauthorized access to POS systems

While a statement from Natural Grocers said the company has not received “reports of any fraudulent use of payment cards from any customer, credit card brand or financial institution,” Brian Krebs has reported that sources in the financial industry detected a pattern of payment card fraud that indicates unauthorized access to the point-of-sale (POS) systems at some of the grocery chain's locations, which led to the distribution of malware. According to Krebs, Natural Grocers spokespersons have said the company is looking into “a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.”

That the company “can firmly state what kind of data was not stolen, because they simply do not gather it, is strong evidence of one of the emerging truths of cybersecurity: if you keep something, someone will test your defenses, and if they aren't perfect, they'll take whatever you kept,” said Dr. Mike Lloyd, CTO at RedSeal, in a statement sent to “As a result, the new rules say don't keep it if you don't need it.” Only those companies that know “how their business processes really work can hope to successfully defend themselves, and vigilance is essential,” said Lloyd, noting that “humans don't do this well” and making a plea for automated testing. “If you can find the weaknesses before the bad guys come looking, you can hope to stay ahead.”

Natural Grocers told Krebs that it is stepping up its efforts to upgrade the POS systems in all of its 93 locations in 15 states to be PCI compliant. The new systems will not only offer point-to-point encryption but will also support chip-and-PIN payment cards, which, the company said in its statement to Krebs, will “provide multiple layers of protection for cardholder data.”

Friday, February 20, 2015

Wednesday, January 28, 2015

India’s cyber-security budget 'woefully inadequate'

India's cyber-security budget was more than doubled last year. Yet it is "woefully inadequate" in the wake of the revelations made by US National Security Agency contractor Edward Snowden and increasing cyber-attacks on government infrastructure, according to experts.

In 2014-15, the Department of IT set aside Rs 116 crore for cyber security. The country has proposed to set up a national cyber coordination centre (NCCC) with a separate budget of Rs 1,000 crore. The coordination centre is still awaiting Cabinet clearance. "Allocation is woefully inadequate given Snowden's revelations - we need at least 10 times that amount," said Sunil Abraham, executive director at the Center for Internet and Society.

According to the Computer Emergency Response Team-India (CERT-In), reported attacks on Indian websites have increased nearly five times in the past four years. Until mid-2014, CERT-In recorded more than 60,000 incidents. Cyber security of government infrastructure faces multiple issues. It needs better hardware and software audits and implementation of proposed projects.

According to Sivarama Krishnan, executive director at consultancy firm PwC, which works on various government projects, cyber security budgets might be spread across various government departments, and the allocation has seen encouraging growth since the Narendra Modi government came into power. "In real essence, the government spending in security has been growing," said Krishnan. "Every Digital India discussion ends with cyber security being talked about."

Experts also pointed out the need for a singular view of the government's cyber security infrastructure. "Various states are doing many things for cyber security. Once these kinds of islands get set up, it would be worth seeing how the government is going to integrate all of them to convert into a productive vehicle," said Krishnan.

Government software needs better auditing for security loopholes, as multiple software exploits have taken place in the past few years. "There is a lot of security and non-security testing that can be outsourced to SMEs, academia and even individual researchers in an open fashion," said Abraham. The IT Department has set aside Rs 117 crore for the Standardisation of Testing and Quality Certification (STQC) programme, which audits government software and hardware for loopholes.

The national cyber coordination centre, if it becomes a reality, will be a big step in fighting cybercrime. "If that comes about, that has an outlay of several hundred crores, that would show a greater intent of the government in fighting cybercrime," said Kamlesh Bajaj, chief executive at the Data Security Council of India, an independent self-regulatory body set up by Nasscom.

However, many are sceptical of how the government plans to implement programmes that fight cybercrime. "The main thrust should be defensive measures like adoption of cryptography," said Abraham. "Natgrid was supposed to give quite a lot of intelligence including cyber. It has gone to the sidelines," said Krishnan.

Thursday, January 8, 2015

The biggest security debacles of 2014 show that enterprises are still failing at the basics

It's becoming clear that better security software and larger IT security teams may not be the most cost-effective answer. The way 2014's high-profile attacks happened underscores a need to get back...

Monday, January 5, 2015

Top 5 IT security trends to watch in 2015

1. Incident prevention evolves towards incident response
2. Managed security services move front and centre
3. IT security gets cloudy
4. From security technologies to secure platforms
5. Endpoint security - back in vogue