US government releases draft cybersecurity framework
NIST comes out with its proposed cybersecurity standards, which outline how private companies can protect themselves against hacks, cyberattacks, and security breaches.
C/NET News by Dara Kerr October 22, 2013
The National Institute of Standards and Technology released its draft cybersecurity framework for private companies and infrastructure networks on Tuesday. These standards are part of an executive order that President Obama proposed in February.
The aim of NIST’s framework (PDF) is to create guidelines that companies can use to beef up their networks and guard against hackers and cybersecurity threats. Adopting this framework would be voluntary for companies. NIST is a non-regulatory agency within the Department of Commerce.
The framework was written with the involvement of roughly 3,000 industry and academic experts, according to Reuters. It outlines ways that companies could protect their networks and act fast if and when they experience security breaches.
“The framework provides a common language for expressing, understanding, and managing cybersecurity risk, both internally and externally,” reads the draft standards. “The framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk.”
Obama’s executive order in February was part of a government effort to get cybersecurity legislation in place, but the bill was put on hold after the National Security Agency’s surveillance program was revealed.
Some of the components in Obama’s order included: expanding “real time sharing of cyber threat information” to companies that operate critical infrastructure, asking NIST to devise cybersecurity standards, and proposing a “review of existing cybersecurity regulation.”
Critical infrastructure networks, banks, and private companies have increasingly been hit by cyberattacks over the past couple of years. For example, weeks after the former head of Homeland Security, Janet Napolitano, announced that she believed a “cyber 9/11” could happen “imminently” — crippling the country’s power grid, water infrastructure, and transportation networks — hackers hit the US Department of Energy. While no data was compromised, it did show that hackers were able to breach the computer system.
In May, Congress released a survey that claimed power utilities in the U.S. are under “daily” cyberattacks. Of about 160 utilities interviewed for the survey, more than a dozen reported “daily,” “constant,” or “frequent” attempted cyberattacks on their computer systems. While the data in the survey sounded alarming, none of the utilities reported any damage to their facilities or actual breaches of their systems — but rather attempts to hack their networks.
While companies are well aware that they need to secure their networks, many are wary of signing onto this voluntary framework. According to Reuters, some companies are worried that the standards could turn into requirements.
In an effort to get companies to adopt the framework, the government has been offering a slew of incentives, including cybersecurity insurance, priority consideration for grants, and streamlined regulations. These proposed incentives are a preliminary step for the government’s cybersecurity policy and have not yet been finalized.
NIST will now take public comments for 45 days and plans to issue the final cybersecurity framework in February 2014.
In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this found here.
Malwarebytes detects Cryptolocker infections as Trojan.Ransom, but it cannot recover your encrypted files due to the nature of asymmetric encryption, which requires a private key to decrypt files encrypted with the public key.
In order to make removal even easier, a video was also created to guide users through the process (courtesy of Pieter Arntz).
While Malwarebytes cannot recover your encrypted files post-infection, we do have options to prevent infections before they start.
Users of Malwarebytes Anti-Malware Pro are protected by malware execution prevention and blocking of malware sites and servers.
To learn more on how Malwarebytes stops malware at its source, check out this blog.
Free users will still be able to detect the malware if present on a PC, but will need to upgrade to Pro in order to access these additional protection options.
Also, the existence of malware such as Cryptolocker reinforces the need to back up your personal files.
However, a local backup may not be enough in some instances, as Cryptolocker may even go after backups located on a network drive connected to an infected PC.
Cloud-based backup solutions are advisable for business professionals and consumers alike. Malwarebytes offers Malwarebytes Secure Backup, which offers an added layer of protection by scanning every file before it is stored within the cloud in an encrypted format (don’t worry, you can decrypt these).
NSA loophole allows warrantless search for US citizens’ emails and phone calls
Exclusive: Spy agency has secret backdoor permission to search databases for individual Americans’ communications
The Guardian / UK by James Ball & Spencer Ackerman August 9, 2013
The National Security Agency has a secret backdoor into its vast databases under a legal authority enabling it to search for US citizens’ email and phone calls without a warrant, according to a top-secret document passed to the Guardian by Edward Snowden.
The previously undisclosed rule change allows NSA operatives to hunt for individual Americans’ communications using their name or other identifying information. Senator Ron Wyden told the Guardian that the law provides the NSA with a loophole potentially allowing “warrantless searches for the phone calls or emails of law-abiding Americans”.
The authority, approved in 2011, appears to contrast with repeated assurances from Barack Obama and senior intelligence officials to both Congress and the American public that the privacy of US citizens is protected from the NSA’s dragnet surveillance programs.
The intelligence data is being gathered under Section 702 of the Fisa Amendments Act (FAA), which gives the NSA authority to target without warrant the communications of foreign targets, who must be non-US citizens and outside the US at the point of collection.
The communications of Americans in direct contact with foreign targets can also be collected without a warrant, and the intelligence agencies acknowledge that purely domestic communications can also be inadvertently swept into its databases. That process is known as “incidental collection” in surveillance parlance.
But this is the first evidence that the NSA has permission to search those databases for specific US individuals’ communications.
A secret glossary document provided to operatives in the NSA’s Special Source Operations division – which runs the Prism program and large-scale cable intercepts through corporate partnerships with technology companies – details an update to the “minimization” procedures that govern how the agency must handle the communications of US persons. That group is defined as both American citizens and foreigners located in the US.
“While the FAA 702 minimization procedures approved on 3 October 2011 now allow for use of certain United States person names and identifiers as query terms when reviewing collected FAA 702 data,” the glossary states, “analysts may NOT/NOT [not repeat not] implement any USP [US persons] queries until an effective oversight process has been developed by NSA and agreed to by DOJ/ODNI [Office of the Director of National Intelligence].”
The term “identifiers” is NSA jargon for information relating to an individual, such as telephone number, email address, IP address and username as well as their name.
The document – which is undated, though metadata suggests this version was last updated in June 2012 – does not say whether the oversight process it mentions has been established or whether any searches against US person names have taken place.
Wyden, an Oregon Democrat on the Senate intelligence committee, has obliquely warned for months that the NSA’s retention of Americans’ communications incidentally collected and its ability to search through it has been far more extensive than intelligence officials have stated publicly. Speaking this week, Wyden told the Guardian it amounts to a “backdoor search” through Americans’ communications data.
“Section 702 was intended to give the government new authorities to collect the communications of individuals believed to be foreigners outside the US, but the intelligence community has been unable to tell Congress how many Americans have had their communications swept up in that collection,” he said.
“Once Americans’ communications are collected, a gap in the law that I call the ‘back-door searches loophole’ allows the government to potentially go through these communications and conduct warrantless searches for the phone calls or emails of law-abiding Americans.”
Wyden, along with his intelligence committee colleague Mark Udall, have attempted repeatedly to warn publicly about the ability of the intelligence community to look at the communications of US citizens, but are limited by their obligation not to reveal highly classified information.
But in a letter they recently wrote to the NSA director, General Keith Alexander, the two senators warned that a fact sheet released by the NSA in the wake of the initial Prism revelations to reassure the American public about domestic surveillance was misleading.
In the letter, they warned that Americans’ communications might be inadvertently collected and stored under Section 702, despite rules stating only data on foreigners should be collected and retained.
“[W]e note that this same fact sheet states that under Section 702, ‘Any inadvertently acquired communication of or concerning a US person must be promptly destroyed if it is neither relevant to the authorised purpose nor evidence of a crime,’” they said.
“We believe that this statement is somewhat misleading, in that it implied the NSA has the ability to determine how many American communications it has collected under Section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans.”
The foreign intelligence surveillance (Fisa) court issues approvals annually authorizing such operations, with specific rules on who can be targeted and what measures must be taken to minimize any details “inadvertently” collected on US persons.
Secret minimization procedures dating from 2009, published in June by the Guardian, revealed that the NSA could make use of any “inadvertently acquired” information on US persons under a defined range of circumstances, including if they held usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted or are believed to contain any information relevant to cybersecurity.
At that stage, however, the rules did not appear to allow for searches of collected data relating to specific US persons.
Assurances from Obama and senior administration officials to the American public about the privacy of their communications have relied on the strict definition of what constitutes “targeting” while making no mention of the permission to search for US data within material that has already been collected.
The day after the Guardian revealed details of the NSA’s Prism program, President Obama said: “Now, with respect to the internet and emails, this doesn’t apply to US citizens and it doesn’t apply to people living in the United States.”
Speaking at a House hearing on 18 June this year, deputy attorney general James Cole told legislators “[T]here’s a great deal of minimization procedures that are involved here, particularly concerning any of the acquisition of information that deals or comes from US persons.
“As I said, only targeting people outside the United States who are not US persons. But if we do acquire any information that relates to a US person, under limited criteria only can we keep it.”
Dianne Feinstein, the California Democrat who chairs the Senate intelligence committee, said in June 2012 that she believed the intelligence agencies and the Justice Department were sufficiently mindful of Americans’ privacy.
“The intelligence community is strictly prohibited from using Section 702 to target a US person, which must at all times be carried out pursuant to an individualized court order based upon probable cause,” Feinstein stated in a report provided to the Senate record.
While there are several congressional proposals to constrain the NSA’s bulk collection of Americans’ phone records, there has to date been much less legislative appetite to abridge its powers under Section 702 – as lawmakers are satisfied it doesn’t sufficiently violate Americans’ privacy.
“702 is focused outside the United States at non-citizens,” said Adam Schiff, a member of the House intelligence committee. “The evidence of the effectiveness of 702 is much more substantial than 215 [the bulk phone records collection]. So I think there are fewer fourth amendment concerns and more evidence of the saliency of the program.”
Wyden and Udall – both of whom say foreign surveillance conducted under Section 702 has legitimate value for US national security – have tried and failed to restrict the NSA’s ability to collect and store Americans’ communications that it accidentally acquires.
Wyden told the Guardian that he raised concerns about the loophole with President Obama during an August 1 meeting with legislators about the NSA’s surveillance powers.
“I believe that Congress should reform Section 702 to provide better protections for Americans’ privacy, and that this could be done without losing the value that this collection provides,” he said.
The Guardian put the latest revelations to the NSA and the Office of the Director of National Intelligence but no response had been received by the time of publication.
Defense Department building its own secure 4G network
The department hopes new network will improve collaboration among separate branches of the military, the chairman of the Joint Chiefs of Staff says.
C/NET by Steven Musil June 27, 2013
The U.S. Department of Defense is building its own secure 4G network to improve collaboration among separate branches of the military, according to the chairman of the U.S. Joint Chiefs of Staff.
The network is part of an effort dubbed “Joint Information Environment,” which will consolidate 15,000 Defense Department networks in the cloud, Army Gen. Martin Dempsey said in a speech (PDF) delivered Thursday at the Brookings Institute, an influential think tank based in Washington, D.C. In addition to greater collaboration, the new network will be “significantly more secure, helping ensure the integrity of our battle systems in the face of disruption,” Dempsey said.
The network, which will allow access to a variety of mobile devices, is expected to be operational by the middle of next year, Dempsey said, as he gave a preview of the type of security to which service people will be privy.
“This phone would make both Batman and James Bond jealous,” he said, holding up what he said was a secure mobile phone. “With tools like this, the smartphone generation joining our military will help us pioneer a new era of mobile command and control.”
Part of the plan is a federated app store that will allow Defense Department users to share content across several devices, he said.
“By using off-the-shelf technology, we are bringing the full force of the tech revolution into the classified environment,” Dempsey said.
Earlier this year, the U.S. Defense Information Systems Agency approved the use of Apple iOS 6 devices, Galaxy S4, and BlackBerry 10 devices by U.S. government and military departments that tap into the Department of Defense networks. The Defense Department currently has more than 600,000 commercial mobile devices in operational and pilot use, including 470,000 BlackBerrys, 41,000 Apple devices, and 8,700 Android devices.
Noting that the U.S. military has made significant progress in embracing the cyber realm, Dempsey echoed previous Defense Department concerns that efforts to protect critical private-sector infrastructure facilities are “lagging.”
“Too few companies have invested adequately in cybersecurity. I worry that adversaries will seek to exploit this chink in our nation’s armor,” the general said. “To them, our economy and infrastructure are softer targets than our military.”
Improving battlefield communications infrastructure has been a prominent goal of the Defense Department. The Defense Advanced Research Projects Agency announced last December it was looking for ideas on how to update the military’s wireless communications platform to deliver 100Gbps connections.
Car Hacking Threat Prompts New Effort by Auto Regulator
BLOOMBERG by Angela Greiling-Keane May 15, 2013
Rising hacking risks to drivers as their cars become increasingly powered by and connected to computers have prompted the U.S.’s auto-safety regulator to start a new office focusing on the threat.
“These interconnected electronics systems are creating opportunities to improve vehicle safety and reliability, but are also creating new and different safety and cybersecurity risks,” David Strickland, head of the National Highway Traffic Safety Administration, said at a Senate Commerce Committee hearing today. “We don’t want to be behind the eight ball.”
A new office within the agency to research vehicle-electronics safety will look at risks to the systems in cars and those that communicate with other vehicles. NHTSA is conducting a pilot project in Ann Arbor, Michigan, of so-called talking-car technology intended to prevent crashes.
Senate Commerce Committee Chairman Jay Rockefeller, a West Virginia Democrat, said while he’s excited about safety improvements through technology, he’s concerned about new risks including hacking.
“As our cars become more connected — to the Internet, to wireless networks, with each other, and with our infrastructure — are they at risk of catastrophic cyber attacks?” Rockefeller asked.
Regulators are preparing for the possibility that cars could be accessed remotely in the future, though now a person would need to have physical access to a vehicle to redirect its electronic functions, Strickland said.
“If there is a chance of it happening, we have to address it,” Strickland told reporters after leaving the hearing.
NHTSA, part of the U.S. Transportation Department, was criticized by Congress and safety advocates in 2010 for lacking expertise in automotive electronics during hearings about Toyota Motor Corp.’s unintended-acceleration recalls.
Cars are increasingly controlled electronically rather than mechanically, from acceleration and starting to rolling down the windows. Infotainment systems connect drivers to satellite and wireless networks.
Today’s typical luxury car has more than 100 million lines of computer code, while software and electronics account for 40 percent of the car’s cost and half of warranty claims, said John D. Lee, a professor at the University of Wisconsin-Madison’s industrial and systems engineering department. Lee also testified at today’s hearing in Washington.
NHTSA and others developing new vehicle-control technologies need consumers to accept them if they’re to penetrate the market and provide safety benefits, Strickland said. If consumers don’t trust the technology, they won’t buy it, he said.
“Cybersecurity is hard,” he told reporters. “Even the best systems in the world can be compromised, as we have seen.”