Tag Archives: Cybersecurity

US government releases draft cybersecurity framework


NIST comes out with its proposed cybersecurity standards, which outline how private companies can protect themselves against hacks, cyberattacks, and security breaches.

 

C/NET News
by Dara Kerr
October 22, 2013

 

According to NIST, all levels of an organization should be involved in cybersecurity. (Credit: The National Institute of Standards and Technology)

 

The National Institute of Standards and Technology released its draft cybersecurity framework for private companies and infrastructure networks on Tuesday. These standards are part of an executive order that President Obama proposed in February.

The aim of NIST’s framework (PDF) is to create guidelines that companies can use to beef up their networks and guard against hackers and cybersecurity threats. Adopting this framework would be voluntary for companies. NIST is a non-regulatory agency within the Department of Commerce.

The framework was written with the involvement of roughly 3,000 industry and academic experts, according to Reuters. It outlines ways that companies could protect their networks and act fast if and when they experience security breaches.

“The framework provides a common language for expressing, understanding, and managing cybersecurity risk, both internally and externally,” reads the draft standards. “The framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk.”

Obama’s executive order in February was part of a government effort to get cybersecurity legislation in place, but the bill was put on hold after the National Security Agency’s surveillance program was revealed.

Some of the components in Obama’s order included: expanding “real time sharing of cyber threat information” to companies that operate critical infrastructure, asking NIST to devise cybersecurity standards, and proposing a “review of existing cybersecurity regulation.”

Critical infrastructure networks, banks, and private companies have increasingly been hit by cyberattacks over the past couple of years. For example, weeks after the former head of Homeland Security, Janet Napolitano, announced that she believed a “cyber 9/11” could happen “imminently” — crippling the country’s power grid, water infrastructure, and transportation networks — hackers hit the US Department of Energy. While no data was compromised, it did show that hackers were able to breach the computer system.

In May, Congress released a survey that claimed power utilities in the U.S. are under “daily” cyberattacks. Of about 160 utilities interviewed for the survey, more than a dozen reported “daily,” “constant,” or “frequent” attempted cyberattacks on their computer systems. While the data in the survey sounded alarming, none of the utilities reported any damage to their facilities or actual breaches of their systems — but rather attempts to hack their networks.

While companies are well aware that they need to secure their networks, many are wary of signing onto this voluntary framework. According to Reuters, some companies are worried that the standards could turn into requirements.

In an effort to get companies to adopt the framework, the government has been offering a slew of incentives, including cybersecurity insurance, priority consideration for grants, and streamlined regulations. These proposed incentives are a preliminary step for the government’s cybersecurity policy and have not yet been finalized.

NIST will now take public comments for 45 days and plans to issue the final cybersecurity framework in February 2014.

 

Direct Link:  http://news.cnet.com/8301-1009_3-57608834-83/us-government-releases-draft-cybersecurity-framework/

 

 

Victim of Your Bad Online Habits? Cryptolocker Ransomware: What You Need To Know

Cryptolocker Ransomware:  What You Need To Know!

 

MalwareBytes.org
by Joshua Cannell
October 8, 2013

 

FBI / Cryptolocker Ransomware: What You Need To Know

 

Just last month, antivirus companies discovered a new ransomware known as Cryptolocker.

This ransomware is particularly nasty because infected users are in danger of losing their personal files forever.

 

Cryptolocker Ransomware

 

Spread through infected websites, this ransomware has been targeting companies through phishing attacks.

Cryptolocker will encrypt users’ files using asymmetric encryption, which requires both a public and private key.

The public key is used to encrypt and verify data, while the private key is used for decryption, each the inverse of the other.

Below is an image from Microsoft depicting the process of asymmetric encryption.

 

asymmetric encryption.

 

The bad news is decryption is impossible unless a user has the private key stored on the cybercriminals’ server.

Currently, infected users are instructed to pay $300 USD to receive this private key.

Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.

Files targeted are those commonly found on most PCs today; the file extensions of targeted files include:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this found here.

 

REMOVAL:

Malwarebytes detects Cryptolocker infections as Trojan.Ransom, but it cannot recover your encrypted files due to the nature of asymmetric encryption, which requires a private key to decrypt files encrypted with the public key.

 

MalwareBytes detected Trojan

 


In order to make removal even easier, a video was also created to guide users through the process (courtesy of Pieter Arntz).

 

 

While Malwarebytes cannot recover your encrypted files post-infection, we do have options to prevent infections before they start.

Users of Malwarebytes Anti-Malware Pro are protected by malware execution prevention and blocking of malware sites and servers.

To learn more on how Malwarebytes stops malware at its source, check out this blog.

Free users will still be able to detect the malware if present on a PC, but will need to upgrade to Pro in order to access these additional protection options.

 

MalwareBytes Protected System

 

Backup:

Also, the existence of malware such as Cryptolocker reinforces the need to back up your personal files.

However, a local backup may not be enough in some instances, as Cryptolocker may even go after backups located on a network drive connected to an infected PC.

Cloud-based backup solutions are advisable for business professionals and consumers alike. Malwarebytes offers Malwarebytes Secure Backup, which offers an added layer of protection by scanning every file before it is stored within the cloud in an encrypted format (don’t worry, you can decrypt these).

 

MalwareBytes Secure Backup

 

To find out more on how to remove Cryptolocker, check out the official removal guide from Malwarebytes.

Direct Link:  http://webcache.googleusercontent.com/search?q=cache:AALLcZNyITkJ:blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/+&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a

 

 

 

 

The Wasted Money Never Ends: NIF, IRS, Spying on Americans, Now This! Defense Department building its own secure 4G network

Defense Department building its own secure 4G network

The department hopes new network will improve collaboration among separate branches of the military, the chairman of the Joint Chiefs of Staff says.

C/NET
by Steven Musil
June 27, 2013

Defense Department building its own secure 4G network

 

The U.S. Department of Defense is building its own secure 4G network to improve collaboration among separate branches of the military, according to the chairman of the U.S. Joint Chiefs of Staff.

The network is part of an effort dubbed “Joint Information Environment,” which will consolidate 15,000 Defense Department networks in the cloud, Army Gen. Martin Dempsey said in a speech (PDF) delivered Thursday at the Brookings Institute, an influential think tank based in Washington, D.C. In addition to greater collaboration, the new network will be “significantly more secure, helping ensure the integrity of our battle systems in the face of disruption,” Dempsey said.

The network, which will allow access to a variety of mobile devices, is expected to be operational by the middle of next year, Dempsey said, as he gave a preview of the type of security to which service people will be privy.

“This phone would make both Batman and James Bond jealous,” he said, holding up what he said was a secure mobile phone. “With tools like this, the smartphone generation joining our military will help us pioneer a new era of mobile command and control.”

Part of the plan is a federated app store that will allow Defense Department users to share content across several devices, he said.

“By using off-the-shelf technology, we are bringing the full force of the tech revolution into the classified environment,” Dempsey said.

Earlier this year, the U.S. Defense Information Systems Agency approved the use of Apple iOS 6 devices, Galaxy S4, and BlackBerry 10 devices by U.S. government and military departments that tap into the Department of Defense networks. The Defense Department currently has more than 600,000 commercial mobile devices in operational and pilot use, including 470,000 BlackBerrys, 41,000 Apple devices, and 8,700 Android devices.

Noting that the U.S. military has made significant progress in embracing the cyber realm, Dempsey echoed previous Defense Department concerns that efforts to protect critical private-sector infrastructure facilities are “lagging.”

“Too few companies have invested adequately in cybersecurity. I worry that adversaries will seek to exploit this chink in our nation’s armor,” the general said. “To them, our economy and infrastructure are softer targets than our military.”

Improving battlefield communications infrastructure has been a prominent goal of the Defense Department. The Defense Advanced Research Projects Agency announced last December it was looking for ideas on how to update the military’s wireless communications platform to deliver 100Gbps connections.


Direct Link:  http://news.cnet.com/8301-1035_3-57591445-94/defense-department-building-its-own-secure-4g-network/

 

Car Hacking Threat Prompts New Effort by Auto Regulator



BLOOMBERG

by Angela Greiling-Keane
May 15, 2013

Cars are increasingly controlled electronically rather than mechanically, from acceleration and starting to rolling down the windows.  (Ralph Orlowski / Bloomberg)

 

Rising hacking risks to drivers as their cars become increasingly powered by and connected to computers have prompted the U.S.’s auto-safety regulator to start a new office focusing on the threat.

“These interconnected electronics systems are creating opportunities to improve vehicle safety and reliability, but are also creating new and different safety and cybersecurity risks,” David Strickland, head of the National Highway Traffic Safety Administration, said at a Senate Commerce Committee hearing today. “We don’t want to be behind the eight ball.”


A new office within the agency to research vehicle-electronics safety will look at risks to the systems in cars and those that communicate with other vehicles. NHTSA is conducting a pilot project in Ann Arbor, Michigan, of so-called talking-car technology intended to prevent crashes.

Senate Commerce Committee Chairman Jay Rockefeller, a West Virginia Democrat, said while he’s excited about safety improvements through technology, he’s concerned about new risks including hacking.

“As our cars become more connected — to the Internet, to wireless networks, with each other, and with our infrastructure — are they at risk of catastrophic cyber attacks?” Rockefeller asked.

 

Remote Access

Regulators are preparing for the possibility that cars could be accessed remotely in the future, though now a person would need to have physical access to a vehicle to redirect its electronic functions, Strickland said.

“If there is a chance of it happening, we have to address it,” Strickland told reporters after leaving the hearing.

NHTSA, part of the U.S. Transportation Department, was criticized by Congress and safety advocates in 2010 for lacking expertise in automotive electronics during hearings about Toyota Motor Corp. (7203)’s unintended-acceleration recalls.

No electronic cause was found for the incidents after the agency asked NASA and the National Academy of Sciences for help with the probe.

Cars are increasingly controlled electronically rather than mechanically, from acceleration and starting to rolling down the windows. Infotainment systems connect drivers to satellite and wireless networks.

 

100 Million

Today’s typical luxury car has more than 100 million lines of computer code, while software and electronics account for 40 percent of the car’s cost and half of warranty claims, said John D. Lee, a professor at the University of Wisconsin-Madison’s industrial and systems engineering department. Lee also testified at today’s hearing in Washington.

NHTSA and others developing new vehicle-control technologies need consumers to accept them if they’re to penetrate the market and provide safety benefits, Strickland said. If consumers don’t trust the technology, they won’t buy it, he said.

“Cybersecurity is hard,” he told reporters. “Even the best systems in the world can be compromised, as we have seen.”

Strickland said the agency plans to decide by the end of this year whether to regulate crash-imminent braking, a technology that applies brakes automatically if sensors indicate there’s about to be a crash.
Direct Link:  http://www.bloomberg.com/news/2013-05-15/car-hacking-threat-prompts-new-effort-by-auto-regulator.html