STE WILLIAMS

UK’s internet spy law: £250m in costs could balloon to £2 BILLION

Analysis The Home Office has revealed some of the costs associated with its proposed Investigatory Powers law – but the final price tag could arguably run into billions of pounds.

At present, Secretary of State Theresa May’s department has estimated a price tag of £247m over a 10-year period to cover the costs of communications data and oversight.

Government estimates for previous abandoned bids to legislate for greater surveillance of Brits’ online activity were far higher. For example, Labour’s Interception Modernisation Programme carried a £2bn price tag, while May’s Communications Data Bill would have lifted an estimated £1.8bn from the public purse.

However, the current £247m does not take into account the potential costs for interception of bulk personal data and hacking into computer systems. Costs associated with those “policy provisions” are marked as “N/K” – not known.

The only breakdown of estimated costs the Home Office does offer in its “Overarching Impact Assessment” [PDF] for the draft Investigatory Powers Bill – which was laid before Parliament on Wednesday – relates to communications data (£187.1m) and oversight (£59.9m).

It’s unclear where the comms data figure comes from, but according to industry sources, little or no consultation has taken place on costs so far. The Home Office may therefore be referring to cost estimates [PDF] outlined in 2012’s draft Communications Data Bill (CDB).

As The Register noted in early 2013, Charles Farr – Director General of the Office for Security and Counter Terrorism – previously estimated to MPs that around 50 per cent of the highly-questioned £1.8bn price tag placed on the Communications Capabilities Development Programme (which morphed into CDB) would have been used to pay communications providers for storage of the data.

Those compensation costs of around £859m to be paid to ISPs over the course of 10 years were widely dismissed by the industry, which complained at the time that those estimations of payment were full of assumptions.

The reason? The Home Office had failed to seek the advice of comms providers when drawing up its draft bill.

May’s department said in its latest Impact Assessment that:

There would be minimal increases above existing baseline costs for interception, equipment interference, and bulk personal data.

The government can openly say this now, after May disclosed to Parliament that Brit spooks have, for years, been using section 94 of the 1984 Telecommunications Act to intercept bulk communications data of people in the UK.

The Home Office added in its assessment:

The costs of the Bill are primarily in relation to increased cost of establishing a new oversight body (led by the Investigatory Powers Commissioner), including accommodation, overheads, running costs, and the administration of a new warranty process.

The provisions in the Bill in relation to internet connection records and the request filter for communications data have associated costs to business, which are reimbursed by government.

Section 185 of the draft IPB [PDF] notes that telcos should “receive an appropriate contribution in respect of such of their relevant costs as the Secretary of State considers appropriate”.

However, we’ll have to wait and see exactly what price tags are applied to these particular provisions once the proposed law has been scrutinised by politicos and peers and re-drafted. By then, we may have a better idea about whether ISPs would be required to suck up any hidden costs that could ultimately hit the pockets of their customers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/draft_investigatory_powers_bill_cost_estimates/

Read the Economist last weekend? You may have fetched more than just articles (yup, malware)

Third bathroom reading material The Economist served malware from its website via the compromised PageFair network.

The biz mag today alerted readers that it put their PCs at risk last weekend.

“If you visited economist.com at any time between Oct. 31, 23:52 GMT and 01:15 GMT, Nov. 1, using Windows OS and you do not have trusted anti-virus software installed, it is possible that malware disguised as an Adobe update was downloaded onto your PC,” the publication said.

Team Economist advises that anyone who received what appeared to be a Flash update from the website should change all of their passwords on their computer, and notify their banks and other financial institutions to check for suspicious activity.

The mag also recommends any exposed users install and maintain up-to-date antivirus software from Microsoft or a third-party security vendor, a good idea even for those who were not exposed to the Halloween weekend PageFair malware attack.

The malware outbreak was attributed to an attack on the popular PageFair publishing tool. Hackers were able to get into PageFair’s systems and play a devious Halloween trick on the company and customers who use its tools to thwart ad-blocking plug-ins.

According to PageFair, the attackers stole employee credentials via a spear phishing attack and then took over the PageFair content distribution network. From there, the hackers began feeding publishers JavaScript code that attempted to download and install a botnet controller masquerading as an update for Adobe’s Flash Player plugin.

It is estimated that the sites affected by the PageFair breach serve as many as 10 million page views per month.

The outbreak does no favors for PageFair’s campaign to dissuade users from running ad-blockers, which are popular in large part because of their ability to shield users from malicious advertising copy. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/pagefair_pwned_economist_serves_malware/

ProtonMail pays ransom to end web tsunami – still gets washed offline

After a crushing distributed denial-of-service attack against its servers and ISPs, secure email service ProtonMail has paid the ransom demanded by its attackers.

The Swiss firm was promptly smashed offline again.

“We were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time to the bitcoin address 1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y,” the firm said in a statement.

“We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.”

Judging from public notes attached to transactions between ProtonMail and whoever was holding it hostage, it appears possible that more than one group is trying to disable the encrypted email service. “Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack,” reads one memo.

ProtonMail received a note from unknown criminals threatening to blast it off the internet just before midnight on November 2 unless a 15 BTC ($5,500 at time of writing) ransom was paid.

The webmail biz ignored the demand, and the next morning a 15-minute attack knocked its servers offline. A few hours later the assault resumed, this time with an “unprecedented level of sophistication,” Team ProtonMail said.

The attackers went after the firm’s upstream connectivity, dumping 100Gbps of packets on its ISP within a couple of hours. That onslaught left hundreds of companies in Switzerland and Germany without internet access, and these organizations put pressure on ProtonMail to pay the ransom.

Having forked out a few thousand bucks in Bitcoin on November 4 to end the waves of useless traffic, all went quiet – but not for long. Today, the website remains offline, submerged by unknown assailants.

A detailed analysis of the original attack shows two distinct phases. First, there was a standard DDoS attack against ProtonMail’s IP addresses, but this was followed up by a sophisticated raid on the infrastructure supporting the firm.

ProtonMail said that the larger assault had the hallmarks of a state-sponsored attack, both in its complexity and in showing a willingness to cause large-scale damage to achieve its aims. However, it has provided no concrete proof of a nation state going after its servers.

ProtonMail said that its IT infrastructure can’t handle any more floods of duff traffic, and is going to need an upgrade. The firm estimates that this will cost $100,000 and has launched a funding page that has already garnered over $25,000 in donations. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/protonmail_pays_attack_ransom/

States’ Cyber Security Readiness Presents "Grim Picture" Pell Study Finds

Just eight states of 50 fared decently in a Pell study on their preparedness to deal with current and emerging cyberthreats

Discussions about the cyber security readiness of government agencies have typically tended to focus on federal entities rather than on their state counterparts. That may be a big mistake.

A new study by the Pell Center for International Relations and Public Policy at Salve Regina University revealed a troubling lack of preparedness to deal with cyber security threats among a vast majority of state governments.

All 50 states are investing in broadband communication and moving forward aggressively on promoting wider use of the Internet to stimulate economic growth and to improve service. But not a single one of them managed to meet all the evaluation criteria that Pell used to measure their cyber readiness, says Francesca Spidalieri, senior fellow for cyber leadership and author of the report.

“The study was really meant to bring awareness to the role that state governments, not just the federal government, play in protecting critical infrastructure and the data that has been entrusted to them by their citizens,” Spidalieri says.

Just like the federal government, state governments too hold data on millions of citizens and depend heavily on the Internet and communications technologies to deliver services and to maintain critical infrastructure. But few appear to be considering the potential exposure and costs associated with cyber threats, says Spidalieri.

For the study, Pell looked at measures like whether the state had a strategic cyber security plan, formal incident response capabilities, data breach notification and other cyber security laws, threat information sharing mechanisms and spending on cybersecurity R&D. Pell interviewed state CIOs, chief information security officers and other state government officials and also reviewed open source data, to arrive at its conclusions.

California, Texas, Maryland and Washington were among eight states that were identified by the study as being relatively more prepared to deal with current and emerging cyber threats than counterparts. The others are New York, New Jersey, Washington and Virginia.

Each of these states fared better than others on some of the key measures used to evaluate them. For example, California scored well in areas like incident response, e-crime laws and cyber R&D. But its performance in areas like regular threat assessments and accountability for cyber preparedness remained a work in progress. Pell assessed Texas as being adequate in areas like having a competent cybersecurity authority, doing regular threat assessments and following the NIST framework but found it still has work to do in terms of implementing effective cybersecurity laws. Michigan appeared to be the most prepared, based on its meeting most of the measures it was evaluated against.

A vast majority of states though are unprepared, says Francesca. “Most states don’t even mention the need to secure their IT systems or to address cyber threats,” she said. Some acknowledge the problem but appear to have done little to address it.

The common challenges somewhat unsurprisingly related to a lack of funding for cybersecurity programs, lack of executive engagement, the growing sophistication of threats and a shortage of cybersecurity professionals. “It’s a grim picture and my report meant to shed some light on the states that are leading the way,” she said.

Meanwhile, a second report also released this week served up another reminder of the challenges that federal agencies continue to face on the cybersecurity front. The report by MeriTalk and Palo Alto Technologies found that 44 percent of federal endpoints are vulnerable to cyber threats while 30 percent of federal network connected devices have been infected with some type of malware.

As with state governments, barely half of all federal agencies have taken specific steps to secure endpoints while some 20 percent of endpoint security audits do not include all network-connected devices.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/government/states-cyber-security-readiness-presents--grim-picture--pell-study-finds/d/d-id/1323042?_mc=RSS_DR_EDT

US prisons looking for drone-killing systems

Drones: even if they sometimes crash into walls, spark fights in the prison yard or get snagged on barbed wire, they’re still more effective for smuggling contraband than cats.

US prisons want to take them out. Drones, not cats.

The Federal Bureau of Prisons on Wednesday put out a call for information on integrated systems that can detect, track, interdict, engage and neutralize small unmanned aerial vehicles (UAVs) – specifically, those that weigh less than 55 lbs. (25 kg).

It’s not just drugs and mobile phones the bureau wants to keep out, it’s also unauthorized surveillance, it said:

From small devices of less than a pound that can provide unauthorized imagery and surveillance to larger systems that can carry 20 or more pounds of contraband, these devices represent a new and unprecedented challenge for [prison] personnel.

These are the tasks the bureau said it was looking for in a drone detection/termination system, according to the RFI:

  1. Detection
  2. Location/Tracking
  3. Identification
  4. Classification
  5. Threat/No-threat
  6. Response
  7. Verification
  8. Clean up/attribution of UAVs

A system that could do them all would be great, but a subset might also be pretty sweet, it said.

Just how, exactly, such a system would be able to safely disable drones without having them turn into noggin-crushing meteorites is an open question.

We’ve seen possibilities that include attacking drones with resonant frequency that screws with the gadgets’ gyroscopes.

In fact, there are already sound-related devices on the market for both offensive and defensive purposes: one, the LRAD Corporation’s 450XL, is billed as an “acoustic hailing device” that can be mounted on a vehicle or a tripod and can project a voice message up to 1700 meters.

Then again, there’s also the technique employed by William Merideth: a shotgun and Number 8 birdshot. But that does get us back into the realm of meteors and skull-crushing.

At any rate, the prisons bureau said that the general requirements for an anti-drone system include the ability to handle:

  • Operation in mixed-use airspace, where both threat and “friendly” drones may be operating.
  • Drone performance that consists of: Flying altitudes from ground level to 18,000 ft. at velocities from 0 to 100 m/sec.
  • Highly variable dimensions, but in general less than 4 ft. in their maximum dimensions.
  • Drones made from materials ranging from carbon fiber to high-density plastic to light metal alloys and others.
  • Both commercially available as well as custom-made UAVs.
  • Detection ranges of 1 mile with tracking at .75 miles and kill/interdiction as far out as possible.
  • Both command operation as well as autonomous functioning.
  • Use of GPS.
  • Surveillance target being generally isolated in the middle of an open area with limited ground clutter and other interfering sources such as people and RF. There may, however, be roads where vehicular traffic is moving within the zone of interest.

Image of drone flying courtesy of Ivan Smuk / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/TCmwGYdQihU/

"I’m dying from boredom" Facebook posts lead to $1K fine for juror

A woman who blabbed on Facebook about “dying from boredom” while serving on a jury has been slapped with a $1000 fine.

Kimberly Ellis, of Queens, New York, was on a jury for a case about a 2014 robbery when she began making detail-filled posts, sometimes twice a day, from a courthouse in the Queens neighborhood of Kew Gardens.

According to The Daily News, which accessed a court transcript, this was a post Ellis made on 17 September:

Everything about this process is inefficient. I’m trying to remain positive and centered but, truthfully, I’m dying from boredom.

The complaining kept coming after the jury began deliberations.

Another of the oversharing juror’s posts:

God help me. The other jurors don’t trust the police and want to outright dismiss the confessions as well as the majority of the rest of the evidence. Tomorrow is going to be a very difficult day.

She was ratted out by one of her Facebook friends who just so happened to be a former federal and Brooklyn District Attorney’s Office prosecutor.

On 30 September, Queens Supreme Court Justice Ira Margulis called Ellis out.

From the court transcript:

Margulis: “Now, can you tell me why you did this?”

Ellis: “Well, I sometimes – I suppose I forget it’s so public and it’s Facebook and it’s something that I use a lot. And I’m pretty quiet in my day-to-day dealings with people, so it’s just a way for me to, you know, express myself.”

Margulis: “Even though you violated an expressed order from the Court not to do that?”

Yes, even so, Ellis said, admitting that the court had made it clear that jurors are forbidden from using social media while serving.

Ellis:

I wasn’t thinking clearly. I apologize.

Ellis was found in contempt of court. Margulis gave her this advice before dismissing her:

It is in your best interests that you retain an attorney.

With Ellis off the jury and no alternate waiting to take her place, the case was declared a mistrial.

The judge made clear how costly a mistrial can be.

In fact, it costs taxpayers thousands of dollars, Margulis said, ticking off some line items:

We had an interpreter in that case. We have the court reporter, we have the clerk, and everybody else associated with the case and including the district attorney’s time and effort and defense counsel.

This is just wasted taxpayers’ money because of what the defendant did. And it’s not that she was not aware.

He also explained the difficulties a mistrial presents to the victims who have to testify:

One of the robbery victims because of what happened to her moved out of state and came back for the trial.

Ellis is remorseful, she told The Daily News:

I continued my personal life as if I was not there to judge a trial. It was my first time as a juror, and I was naive.

She also said she’s “absolutely frightened I will lose my job over this.”

My ex-husband is disabled and I raise my two children. I’m afraid this will impact them. I’m very scared.

There’s probably not much we can say about Ellis’s actions that she hasn’t already said to herself.

At any rate, she’s not the first person to find herself in hot water over social media posts about a trial.

In April, Judge Michelle Slaughter, from Galveston County, Texas, was chewed out for making Facebook posts about a case that resulted in a mistrial and was ordered to get trained on “proper and ethical use of social media” by judges.

Slaughter was cleared of wrongdoing in September, though a three-judge Special Court of Review noted that a judge’s use of social media is a murky territory where care is needed.

The Houston Chronicle quotes the review panel judges:

A judge should never reveal his or her thought processes in making any judgement. While [Slaughter’s Facebook] comments were ultimately proven to not be suggestive of her probable decision on any particular case, the process for reaching this conclusion required the expenditure of a great deal of time, energy and expense.

Social media can be a pleasant bubble.

We can get lulled into the feeling that we’re just chatting with friends who sympathize as we share our gripes or who exult with us when we, say, post selfies of ourselves with a winning ticket …that crooks can use to make a counterfeit ticket and thereby swipe our money.

Let’s all try to remember that what seems, to us, to be inconsequential moments of boredom and glee can have deep, serious, costly consequences when we share them publicly.

Image of lawyer talking to jury courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8VLWm4vVmVU/

IT pros, tell us your top security concerns and maybe win some chic swag!

If you’re an IT professional, you know better than anyone else about the concerns that go along with securing a business.

Anything and everything from ransomware to phishing emails to lost smartphones – the list goes on and on.

But of all the terrors that can plague your organization, which are your top concerns?

We threw together a super quick one-minute security survey for you IT heroes. Did we mention that it only takes one minute?

To thank you for your valuable time, we’re giving away ten $20 gift cards to the Sophos Store (plus free shipping). Choose from the many exclusive geek-chic socks, shirts, hats and more!

But get your entry in soon! The survey closes at 11:59 PST on Monday, 16 November 2015. And if you’re one of the lucky winners, you’ll get an email on 17 November.

So… what are you waiting for?

Take the survey!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3hXyZu2_Vyw/

Cryptowall ransomware: new strain demands money AND mocks you

We’ve written about ransomware a lot, because it’s such an odious and in-your-face sort of threat.

Ironically, ransomware isn’t actually the most dangerous or insidious sort of malware.

Ransomware crooks don’t steal your data covertly, or keep track of you via your webcam, or try to read your emails over an extended period for competitive advantage.

But ransomware is still a big, bad body-blow for anyone who hasn’t taken the right precautions, such as a recent and safely-stored backup.

To summarise briefly:

  1. Ransomware scrambles your personal files using a random, one-off encryption key.
  2. The key is sent to the crooks and then wiped from memory locally, so the crooks have the only copy.
  3. A message appears, offering to sell you back the key so you can recover your files.

Usually, you have to use a payment system such as Bitcoin.

That means the transaction is hard to trace, so the crooks can hide, and as good as impossible to reverse, so you won’t get your money back.

Of course, this means that the crooks could simply take your payment and run, but for the most part, they don’t.

Indeed, the cybercrooks in the ransomware scene have built up a reputation for “dishonest reliability,” so that if you do pay, you probably will get your data back.

Surely some shortcut?

We’re often asked for help by ransomware victims who assume that there must be some way of recovering their data without paying up, even if it’s not obvious, or is very complicated.

But unless the crooks make a programming error, ransomware can be as good as hack-proof, thanks to strong encryption.

Sometimes the crooks do blunder, and then there’s a faint hope of getting some data back:

  • The malware might temporarily put a copy of the decryption key in a hidden file or registry entry, and forget to delete it.
  • The crooks might make encrypted copies of your files and forget to delete the originals.
  • The encryption might be programmed badly, perhaps using a decryption key that never changes or isn’t very random, so you may be able to guess it.

Unfortunately, those are the exceptions these days, as the ransomware criminals have learned from their earlier mistakes.

Most modern ransomware gives you almost no chance of recovering without paying, unless you can afford to spend large sums on forensic analysis, and then also just happen to get lucky finding some left-over data from before the attack.

In short, if you don’t have backup, and you do care about your files, you don’t have much choice but to pay.

→ Some users have even told us that it was cheaper to pay up than to go through IT to get their files recovered officially, which sounds like a good reason to streamline your backup process. If you can’t restore effectively, then it’s not really a backup, is it?

Insult to injury

Ransomware families you may have heard of, past and present, include CryptoLocker (now defunct thanks to a law enforcement operation), CryptoWall, TeslaCrypt and even Los Pollos Hermanos, named after the restaurant run by crooks in the TV show Breaking Bad.

To add insult to injury, the crooks behind the CryptoWall ransomware have now taken to spicing up their “get your data back” instructions with taunts and jibes added to Stage 3 above.

The crooks pop up a web page that tells you, amongst other things:

Cannot you find the files you need?

Congratulations!!!

You have become a part of large community CryptoWall.

Then they say:

Your files have been encrypted with the CryptoWall software: the instructions you find in folders with encrypted files are not viruses. [T]hey are your helpers.

After reading this text 100% of people turn to a search engine with the word CryptoWall where you’ll find a lot of thoughts, advice and instructions.

Think logically – we are the ones who closed the lock on your files and we are the ony ones who have this mysterious key to open them.

Later on, they turn their malicious irony on the security community:

CryptoWall Project is not malicious and is not intended to harm a person and his/her information data.

The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection.

Together we make the Internet a better and safer place.

Ho hum.

What to do?

Prevention is better than cure – and even if it comes to cure, your own backup is better than getting into bed with criminals:

• Keep your software and operating system patched.

Malware, including ransomware, is often delivered via exploit kits, which use known security holes to break in and perform illicit installations.

• Use an on-access (real time) virus scanner and keep it up to date.

Anti-virus software can’t detect all new malware proactively, but it will often block and prevent ransomware attacks if used correctly. Ransomware is often delivered using old malware that is already active on unprotected computers.

• Avoid unsolicited or unexpected attachments.

Ransomware can be packaged into booby-trapped files such as documents, which claim to be fake invoices, unpaid invoices, or other files you may feel pressurised into opening.

• Make regular backups, and keep at least one recent backup set off-site.

Whether you store an encrypted hard drive at a friend’s house or use a cloud-based backup service, you are protecting yourself from much more than ransomware.

If your hard disk fails, then no amount of money – neither bitcoins nor dollars – is going to help.

Ransom note letters courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/lXqLTCVkCyQ/

TalkTalk claims 157,000 customers were victims of security breach

TalkTalk has once again attempted to downplay the seriousness of the attack on its systems by claiming on Friday morning that only four per cent of its customers – nearly 157,000 people – were affected by the security breach.

The budget ISP said that bank account numbers and sort codes of 15,656 of its subscribers had been swiped in the attack.

It added that 28,000 “obscured credit and debit card numbers” had been nicked, but claimed they “cannot be used for financial transactions, and were ‘orphaned’, meaning that customers cannot be identified by the stolen data.”

Of the total 156,959 customers that TalkTalk claimed had been directly hit in the attack, 113,303 people had “sensitive personal data” stolen but their bank details were not targeted, the telco said.

Throughout TalkTalk’s statement, the company reiterated its claim that the “financial information” pilfered during the security breach “cannot on its own lead to financial loss”.

However, faith in the firm’s ability to handle customer data has hit an all-time low.

As noted by analysts at Megabyte, shares in TalkTalk are currently trading down 30 per cent since it was revealed that the ISP’s systems had been violated by attackers.

“TalkTalk now faces serious questions over its security protocols. Indeed, this episode serves as a timely reminder to all corporations that cyber-attacks are becoming more frequent, malicious and successful, underlining the need to have sufficient protocols in place,” the analyst house said.

However, shares in TalkTalk have risen more than four per cent on the London Stock Exchange this morning, suggesting the City welcomes the company’s claims that fewer customers were affected by the attack than previously suspected.

Nonetheless, TalkTalk stock remains close to the bottom of its 52-week range (220.10p – 415.10p), currently trading at 230p per share.

Next Wednesday (11 November), TalkTalk’s boss Dido Harding will report the company’s half-year results to the City. Those numbers will only apply up to 30 September this year – apparently before the breach occurred – but TalkTalk will undoubtedly have something to say about the costs it expects to have incurred following the attack on its systems. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/talktalk_claims_157000_customers_data_stolen/

Swedbank smacked by DDoS attack

Scandi finance house Swedbank has been hit by a DDoS attack, which has taken down access to online banking via its website.

Customers can access their online accounts through a specific URL but are unable to transact with the bank through its website.

Mobile applications and payments continue to function, Swedbank spokesman Claes Warren said.

The website was also hit by a hacker attack in October. Warren said it probably wouldn’t be the last such attack.

The bank said it expects the site to be “up and running soon”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/06/swedbank_hit_by_ddos_attack/