cybersecurity

House Passes Cybersecurity Bill Despite Privacy Protests

CONGRESS IS HELLBENT on passing a cybersecurity bill that can stop the wave of hacker breaches hitting American corporations. And they’re not letting the protests of a few dozen privacy and civil liberties organizations get in their way.

On Wednesday the House of Representatives voted 307-116 to pass the Protecting Cyber Networks Act, a bill designed to allow more fluid sharing of cybersecurity threat data between corporations and government agencies. That new system for sharing information is designed to act as a real-time immune system against hacker attacks, allowing companies to warn one another via government intermediaries about the tools and techniques of advanced hackers. But privacy critics say it also threatens to open up a new backchannel for surveillance of American citizens, in some cases granting the same companies legal immunity to share their users’ private data with government agencies that include the NSA.

“PCNA would significantly increase the National Security Agency’s (NSA’s) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity,” reads a letter signed earlier this week by 55 civil liberties groups and security experts that includes the American Civil Liberties Union, the Electronic Frontier Foundation, the Freedom of the Press Foundation, Human Rights Watch and many others.

“[PCNA] fails to provide strong privacy protections or adequate clarity about what actions can be taken, what information can be shared, and how that information may be used by the government.”

Specifically, PCNA’s data-sharing privileges let companies give data to government agencies—including the NSA—that might otherwise have violated the Electronic Communications Privacy Act or the Wiretap Act, both of which restrict the sharing of users’ private data with the government. And PCNA doesn’t even restrict the use of that shared information to cybersecurity purposes; its text also allows the information to be used for investigating any potential threat of “bodily harm or death,” opening its application to the surveillance of run-of-the-mill violent crimes like robbery and carjacking.

In a surprise move yesterday, the White House also publicly backed PCNA and its Senate counterpart, the Cybersecurity Information Sharing Act, in a statement to press. That’s a reversal of its threat to veto a similar Cybersecurity Information Sharing and Protection Act in 2013 over privacy concerns, a decision that all but killed the earlier attempt at cybersecurity data sharing legislation. Since then, however, a string of high-profile breaches seems to have swayed President Obama’s thinking, from the cybercriminal breaches of Target and health insurer Anthem that spilled millions of users’ data, to the devastating hack of Sony Pictures Entertainment, which the FBI has claimed was perpetrated as an intimidation tactic by the North Korean government to prevent the release of its Kim Jong-un assassination comedy The Interview.

If the White House’s support stands, it now leaves only an upcoming Senate vote sometime later this month on the Senate’s CISA as the deciding factor as to whether it and PCNA are combined to become law.

But privacy advocates haven’t given up on a presidential veto. A new website called StopCyberspying.com launched by the internet freedom group Access, along with the EFF, the ACLU and others, includes a petition to the President to reconsider a veto for PCNA, CISA and any other bill that threatens to widen internet surveillance.

The old adage that a chain is only as strong as its weakest link certainly applies to the risk organizations face in defending against cybersecurity threats. Employees pose a danger that can be just as damaging as a hacker. Iowa State Univ. researchers are working to better understand these internal threats by getting inside the minds of employees who put their company at risk.  

Read More - http://www.rdmag.com/news/2015/04/testing-brain-activity-identify-cybersecurity-threats

A senator recently compared an invasive new cybersecurity bill to a “neighborhood watch.”

Intelligence Committee Chair Richard Burr says not to worry about his Cyber Information Sharing Act, which Sen. Ron Wyden has called “a surveillance bill by another name.”

Burr, on the other hand, likens his bill to a neighborhood watch program, where “citizens and private entities” share information voluntarily so that they’re all more prepared to respond to threats.

But Burr’s analogy only works if he’s imagining something like the Homeowners Association From Hell, one empowered to enter the houses of residents in the neighborhood in the guise of looking for burglars, which can also then snoop around and report on whether you’re doinking the baby sitter or watching pirated videos.

In February, President Obama signed an executive order to promote information sharing on cyberthreats, and a new crop of information-sharing bills in Congress look to clear the path even further. Last week, the House of Representatives passed the Protecting Cyber Networks Act, which would establish new sharing guidelines and liability protections, and the Senate is expected to take up the bill in the coming weeks. At the same time, many see PCNA and other bills like it as an unprecedented intrusion into otherwise neutral networks — what Ron Wyden described as “a surveillance bill by another name.”

This Code Can Hack Nearly Every Credit Card Machine In The Country

Get ready for a facepalm: 90% of credit card readers currently use the same password.

The passcode, set by default on credit card machines since 1990, has been exposed for so long there’s no sense in trying to hide it. It’s either 166816 or Z66816, depending on the machine.

With that, an attacker can gain complete control of a store’s credit card readers, potentially allowing them to hack into the machines and steal customers’ payment data (think the Target and Home Depot hacks all over again). No wonder big retailers keep losing your credit card data to hackers. Security is a joke.

This latest discovery comes from researchers at Trustwave, a cybersecurity firm.

Administrative access can be used to infect machines with malware that steals credit card data, explained Trustwave executive Charles Henderson. He detailed his findings at last week’s RSA cybersecurity conference in San Francisco at a presentation called “That Point of Sale is a PoS.”

The problem stems from a game of hot potato. Device makers sell machines to special distributors. These vendors sell them to retailers. But no one thinks it’s their job to update the master code, Henderson told CNNMoney.

“No one is changing the password when they set this up for the first time; everybody thinks the security of their point-of-sale is someone else’s responsibility,” Henderson said. “We’re making it pretty easy for criminals.”

Trustwave examined the credit card terminals at more than 120 retailers nationwide. That includes major clothing and electronics stores, as well as local retail chains. No specific retailers were named.

The vast majority of machines were made by Verifone. But the same issue is present for all major terminal makers, Trustwave said.

A spokesman for Verifone said that a password alone isn’t enough to infect machines with malware. The company said, until now, it “has not witnessed any attacks on the security of its terminals based on default passwords.”

Just in case, though, Verifone said retailers are “strongly advised to change the default password.” And nowadays, new Verifone devices come with a password that expires.

In any case, the fault lies with retailers and their special vendors. It’s like home Wi-Fi. If you buy a home Wi-Fi router, it’s up to you to change the default passcode. Retailers should be securing their own machines. And machine resellers should be helping them do it.

Trustwave, which helps protect retailers from hackers, said that keeping credit card machines safe is low on a store’s list of priorities.

“Companies spend more money choosing the color of the point-of-sale than securing it,” Henderson said.

This problem reinforces the conclusion made in a recent Verizon cybersecurity report: that retailers get hacked because they’re lazy.

The default password thing is a serious issue. Retail computer networks get exposed to computer viruses all the time. Consider one case Henderson investigated recently. A nasty keystroke-logging spy software ended up on the computer a store uses to process credit card transactions. It turns out employees had rigged it to play a pirated version of Guitar Hero, and accidentally downloaded the malware.

“It shows you the level of access that a lot of people have to the point-of-sale environment,” he said. “Frankly, it’s not as locked down as it should be.”

Follow us:  Hakon India Facebook |  Twitter

Mobile apps hide serious compromises of security and privacy, compromises you could never get away with in the browser. We’re now about to see the technology environment that allows these compromises to happen expand enormously with the emergence of wearables and it’ll be more than just your lat and long and network data at stake, it’ll be all that juicy health data they’re busy collecting too. This is just the tip of the iceberg right now.

Black Hats Look For Low Hanging Fruit: Law Firms Are The New Target For IP Theft

As an Agency of the Department of Commerce, the United States Patent and Trademark Office (USPTO) in Alexandria, Virginia holds and maintains some of the nation’s most important and vital information. The 11-building campus holds more than 10,000 people and issues more than 150,000 patents and trademarks a year. The intellectual property (IP) contained in these patents represents great value to those who created the IP and is of great interest to a number of individuals who did not. The security of the information held by the USPTO is one of the greatest challenges the Federal Government faces. This is a challenge the USPTO addresses thousands of times a day, every day of the year – and one it will likely face forever.

Since the move to Alexandria, the USPTO has changed many of the day-to-day aspects of security. There are multiple levels of facility security: badging all visitors and employees, airport-level screening of everyone who enters the facility, video monitors and managed entrance and egress. But the USPTO has also created an increasingly sophisticated cybersecurity defense system to protect the nation’s patents and related information. In this multi-layered system, the USPTO guards against virtually every possible type of intrusion, protecting its systems against a multitude of potential adversaries, from lone wolves to suspected nation-state Advanced Persistent Threat (APT) attackers.

Upstream Targets

The successful and persistent efforts of the USPTO to protect the information it holds can be a double-edged sword for IP attorneys and their law firms. Even though the USPTO is a constant target for the ‘bad guys’, its sophisticated data security efforts can force nefarious actors to seek easier access to the information they want.

Many times, when frustrated attackers are unable to gain entry to the USPTO, they go looking elsewhere for IP and related information. Unfortunately, this has led to an increase in the number of direct attacks to the corporate networks of the IP owners and increasingly, these actors are attacking the law firms working with corporate clients to develop and submit patent applications.

Law Firm Security

Compared to the USPTO, or even corporations, most law firms are easy targets and the client IP on their networks is low hanging fruit that is all too easily harvested. Too many law firms still view ‘reasonable’ security as signature-based (passwords) access and malware protection, like McAfee, as good enough. Today, it is not nearly enough.

What is enough? Without question, and perhaps most importantly, constant vigilance on the human side of the equation is vital to the success of any security plan. Most security breaches occur as the result of human ‘error’. An active security plan, with policies that are reviewed, modified and monitored with an awareness of each individual’s responsibilities, is paramount. At the least, it should include simple practices like requiring aggressive password procedures and educating employees about cyber dangers, such as spear phishing attacks.

Law firms have begun to adjust to the dangerous cybersecurity environment they operate in. Today, law firms require layers of security, one often overlapping the functionality of the other, to protect against unwanted intrusion. Risk-based identity authentication has replaced signature-based password access, and best practices have replaced taping the passwords on the monitor or inside a drawer.

However, more must be done. Now, intrusion protection and detection must exist on the endpoint as well as on the network and must be constantly upgraded to stave off advanced and dangerous actors. It’s a different and scary world out there, and all attorneys must do everything they can to protect their clients’ intellectual assets.

This is the first article in a series of three postings designed to help lawyers become more knowledgeable in the area of cybersecurity. In the next article, we will describe what is ‘reasonable’ today and outline some ‘basic’ tools lawyers need as a minimum defense. The third article in this series will describe more ‘advanced’ approaches: additional layers law firms may employ to increase their internal defense.