STE WILLIAMS

Free Cybersecurity Services Offer a First Step to Securing US Elections

Some key security vendors – including Microsoft, Google, Cloudflare – are offering pro bono services and tools for election jurisdictions and campaigns this election season. But will it help?

It’s too late to truly secure US election infrastructure for the 2018 fall midterms: that would require a massive security overhaul nationwide. But a number of election jurisdictions around the country have signed up for free website and user-account protection services being offered this election season by a handful of security companies, including big-name vendors like Google and Microsoft.

State and local election jurisdictions and campaigns traditionally are cash- and resource-strapped when it comes to technology, and especially security. So the freebie, cloud-based election security services available now from Cloudflare, Google, Microsoft, Akamai, Synack, and Thycotic give them a shot at putting some protections around their Web-based systems.

There are over 10,000 election jurisdictions nationwide, and the ones who’ve opted in for these new free security services remain the minority. Cloudflare, one of the first vendors to offer free election security services with the December 2017 launch of its Project Athenian service, says some 72 election jurisdictions from 19 states have signed up for the DDoS mitigation and firewall protection service, while Akamai says 10 state and county election bodies including the states of Arizona and Virginia are on board for its free DNS-based Enterprise Threat Protector with Akamai Cloud Security Intelligence.

That leaves plenty of other state and local election systems theoretically at risk of attack either in the coming days before the election or on Election Day itself, unless they have other security measures in place.

While voting machines have been proven as painfully easy marks for hackers thanks to the work of researchers participating in DEF CON’s Voting Village the past two years, security experts say Web-based systems are the most likely and easiest targets for attack during the elections.

States’ election-reporting websites, states’ voter roll websites, and candidate websites all are at risk of disruption via distributed denial-of-service (DDoS) attacks, as well as hacking and data-tampering by nation-state or other attackers. Rather than tamper with a voting machine, an attacker could remotely penetrate a public-facing website to DDoS it, deface it, alter information (such as changing vote count data or polling place information), or access sensitive data stored on its back-end servers.

While the wave of gratis security services from the security industry this election year are a welcome assist, it’s just a first step in updating and tightening security of election systems. There realistically won’t be any major improvements in security until at least 2020, experts say.

“You can make meaningful change in two years” before the 2020 presidential election, notes Patrick Sullivan, director of security strategy at Akamai. “A lot of that is … leveraging cloud services is easier than” replacing on-site security infrastructure, he notes.

The state of Idaho runs Cloudflare’s Project Athenian service for its Secretary of State site, sos.idaho.gov, and its idahovotes.gov elections information site, which includes voter registration. Idaho deployed the service three weeks prior to its May primaries and got an immediate wakeup call about threats to the sites: three days before the primary, it saw some 27,000 blocked domain requests by Cloudflare in one 24-hour period, according to Chad Houck, Deputy Secretary of State for Idaho.

The spike came amid a website defacement attack on Idaho’s state legislative services and state judicial services websites, which don’t use Project Athenian. One theory is that the attackers targeted a wide swath of the state’s domains in the attack.

Free security offerings for elections aren’t all altruistic, of course. Some of the free offerings – Akamai’s and Synack’s, for example – expire after the fall elections, although jurisdictions can become paying subscribers thereafter. The security vendors get a shot at new customer prospects who’ve had a chance to test-drive their security services for free.

Even so, it’s a start. “A rising tide raises all boats. Being able to offer campaigns and [elections] enabling cybersecurity and knowledge can only be useful in raising” the bar, says Priscilla Moriuchi, director of strategic threat development at Recorded Future and former threat manager for East Asia and Pacific for the National Security Agency (NSA).

As long as it’s a reputable security company that’s offering the pro bono services or security education for the right reason, it can help improve security, she says. “But if companies are offering it to solidify their own reputation, then it may be doing more harm than good,” she says. “As long as they’re making sure it’s the right [security] advice and tailored for” the election office, she says.

Matthew Prince, CEO of Cloudflare, sees his company’s free service as a first step in locking down election infrastructure.

“In the long term, my hope is that [Project Athenian] will help make those systems that much stronger,” he says.

Who’s Offering What

Here’s a rundown of some of the free security services now available for US election officials and campaigns:

Microsoft last week joined a wave of security vendors offering versions of their security services for free to election jurisdictions and campaigns. Its free AccountGuard, available to federal, state, and local candidates and campaign offices as well as think tanks and political organizations that use Office 365, includes a threat and attack detection and notification service for both corporate Office 365 accounts as well as for personal accounts for Hotmail. Microsoft also is offering up best practices guidance, materials, and workshops covering threat modelling, secure coding, phishing awareness, and identity management, for example.

Tom Burt, corporate vice president of Customer Security & Trust at Microsoft, acknowledged that the service covers only Microsoft’s own ecosystem of customers, and that attackers have other vectors into election systems. “We know our colleagues in the industry are working diligently to take similar steps, and we’re enthusiastic about their work. As we expand Microsoft AccountGuard, we will look for opportunities to coordinate with their efforts,” he wrote in a blog post.

Alphabet’s Jigsaw group offers free cloud-based security services under its Protect Your Election tools for candidates, campaigns, publishers, journalists, NGOs, and election monitoring websites. They include Project Shield, a DDoS mitigation service, as well as account protection services such as the free Smart Lock password manager, the Password Alert extension for Chrome that flags a possible password compromise, and personalized security recommendations.

But Google’s Advanced Protection Program to add extra security to a Google account isn’t totally free: it requires the purchase of two physical security keys. The keys run from $20 to $50 or so apiece.

Cloudflare’s Project Athenian is akin to its enterprise-class service: DDoS mitigation, firewall, site access management, and load balancing. It’s also offered in perpetuity, not just for the election season. Project Athenian protects public-facing websites as well as internal sites. In addition to Idaho, users include the San Francisco Board of Elections; the State Boards of Elections in Hawaii, North Carolina, and Rhode Island; and that of Pickens County, S.C.

Akamai‘s free Enterprise Threat Protector with Akamai Cloud Security Intelligence service is a recursive DNS resolver. “The focus here is on just using DNS as a security chokepoint,” Akamai’s Sullivan says. It refuses to resolve known phishing and other malicious domains, and is available for free through Nov. 30, 2018.


Synack, co-founded by two former NSA cybersecurity experts, offers pro bono penetration testing services to US states. Synack’s Secure Election Initiative service roots out vulnerabilities in voter registration databases and online voter registration websites, and provides remediation help as well. The company says it’s working with “a number of different states” but can’t provide details on them at this time.

User access management firm Thycotic last month released the Cybersecurity Election Protection Toolkit for US election candidates and their teams. The kit includes a digital edition of Cybersecurity for Dummies, an incident response template, and a poster template for campaign offices to display and educate staffers on how to protect their credentials and practice secure online behavior. There’s also a tool to check password strength.


Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/application-security/free-cybersecurity-services-offer-a-first-step-to-securing-us-elections-/d/d-id/1332687?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Black hats are baddie hackers, white hats are goodies, grey hats will sell IP to kids in hoodies

The threat from rogue insiders, for so long dismissed as scare stories, has quietly bubbled back on to the official worry list.

High-profile cases – like that brought against Anthony Levandowski over IP he was accused of stealing from Google’s Waymo car division, and Jiaqiang Xu, who got five years in the clink for stealing source code belonging to IBM – have helped to bring these fears back to the fore.

Even the US government has been caught out: three employees of the Department of Homeland Security were accused of stealing a computer containing the personal files of 246,000 agency staff.

For years, the dominant narrative was the spiteful employee run amok, either spilling or stealing data (the Morrisons worker who leaked its entire employee database in 2014), or just plain messing with the network (the admin who caused chaos at Gucci in 2010).

It’s now dawned on organisations that it’s the quiet rogues you never hear about – let’s call them the “exfiltraitors” – that represent a threat potentially as bad as anything from the outside.

A CA study (PDF) earlier this year reckoned that 47 per cent of insider threats stemmed from maliciousness of one sort or another, with the remainder caused by carelessness. The single biggest factor was the abuse of privileges, precisely the thing that coders, admins and managers need to do their jobs.

Fade to grey

The idea of abusing privileges brings us to a specialised category of exfiltrating insider, the so-called “grey hat”. These are engineers or coders who know a lot about a company’s IP, assets and weaknesses, and have the entrepreneurial skills to understand that this knowledge is worth something.

Strictly speaking, a grey hat is just a black hat hacker who uses their day job to enable their nefarious activity, but this month’s Malwarebytes-sponsored Osterman survey of 900 security pros across the UK, US, Germany, Australia and Singapore found that it can be incredibly difficult for companies to spot the difference.


Globally, 4.6 per cent of respondents believed a colleague fell into the grey category, which rose in the UK to an alarming 7.9 per cent. This sounds bad until you read that 12 per cent of respondents said they had considered black hat activity during their careers, with more than one in five claiming they had been approached to carry out such acts.

When asked which security threats had affected their organisations in the previous 12 months, intentional insider data breaches were mentioned by almost one in ten.

“Our research discovered that the proportion of grey hats increases with the size of the organisation. For example, while grey hats represent 2.8 per cent of IT security professionals in small organisations, this figure increases to 4.2 per cent for mid-market organisations and 5.7 per cent for large ones,” wrote Osterman’s researchers.

In the UK, 7 per cent believed it was easy to get involved in grey hat activities without being caught, particularly those in mid-market organisations less likely to have monitoring or controls.

Barely one in ten in the UK agreed with the statement that “there is more money to be made in fighting cybercrime than being a cybercriminal”. Money wasn’t the only motivation for turning to the dark side. Other reasons mentioned included that professionals might do it for revenge on their businesses, for the challenge, or for political or philosophical reasons.

“We are seeing more instances of the malicious insider causing damage to company productivity, revenue, IP and reputation,” said Malwarebytes’ CEO, Marcin Kleczynski.

Sceptics will observe that security companies have been banging on about insider threats for years, so does any of this stand up beyond the general observation that employees occasionally go bad?

According to an unusual warning by the CEO of large US defence contractor Raytheon, Thomas A Kennedy, a new factor for today’s grey hat economy is geopolitical rivalry.

In a recent Fortune article, Kennedy drew attention to “collection requirements”, a term used to describe catalogues of tech IP that attract the highest prices on the black markets used by nation states to grab each other’s secrets.

“Do any of your employees have such handbooks? And if they were stockpiling and exporting sensitive data, would you know before it was too late?” he wrote.


State-sponsored IP theft has become a business, the threat from which could be internal just as easily as external.

“A knowledgeable insider using a new generation of hacking tools could steal terabytes worth of valuable IP in a matter of minutes,” Kennedy said. “Your IT teams should know which sections of your networks are off-limits and monitor for attempts at inappropriate access.”

It’s no longer journalists and security companies writing about malicious insiders – CEOs now feel the need to advertise the threat from their own employees to the world, a strange thing to do on the face of it. Or perhaps the message isn’t only for investors but is directed at employees who might think about leaking IP.

In a few short years, insider threats have gone from being an abstract threat to worry the IT teams to a business big enough to concern – and define – many businesses. The ones that will live to tell the tale are those that grasp that the only company without an insider threat is the one with no employees. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/28/black_hat_white_hat_grey_hat/

Give yourselves a pat on the back, top million websites, half of you now use HTTPS

More than half (51.8 per cent) of the Alexa Top 1 Million sites are actively redirecting to HTTPS for the first time.

The milestone was crossed during another strong six months moving towards a fully encrypted web, according to the latest stats from security researcher Scott Helme, published on Friday.

Back in February, at the time of Helme’s last data-driven web security sitrep, it looked as if the adoption of HTTPS might have slowed.

HTTPS adoption chart (source: blog post by Scott Helme): HTTPS adoption crosses the milestone of half the web’s most visited sites

“[HTTPS] adoption has picked up again and we’re continuing to see that sharp incline sustained,” Helme said. “The growth shown here in this graph is unrivalled in any other security mechanism and if you think about the effort required to achieve this, how impressive it is becomes crystal clear.”

Meanwhile, the use of HTTP Public Key Pinning (HPKP) has tailed off after security researchers turned against the technology and Google began to deprecate it in Chrome.

“The use of PKP is down 18 per cent and the use of PKPRO is also down 5 per cent, so rather than continued growth like all other metrics, we’re seeing sites drop the header now,” Helme reported. “There are still far more sites lower down the ranking using HPKP, thanks almost exclusively to Tumblr, so the distribution is still the same, but the numbers are a lot less now.”

Other security headers, by contrast, are growing in prevalence. There’s been an “epic” 40 per cent increase in Content Security Policy (CSP) and a 23 per cent increase in HTTP Strict Transport Security (HSTS), driven by the increase in HTTPS usage, according to Helme.
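The sitrep counts two things per site: whether a plain-HTTP request actively redirects to HTTPS, and which security headers the HTTPS response carries. The following is an added example, not Scott Helme’s crawler code, that reproduces those checks on a pair of raw responses so you can run the same test against your own sites. The two sample responses, the hostname example.test and the 180-day HSTS warning threshold are all constructed for the demo.

```python
"""Classify a site's HTTPS posture from its raw HTTP/1.x responses.

Added example (not Scott Helme's own tooling): does http:// redirect to
https://, and does the https:// response carry HSTS, CSP or the deprecated
HPKP headers. Sample responses at the bottom are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SECURITY_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "public-key-pins": "PKP",
    "public-key-pins-report-only": "PKPRO",
}
DEPRECATED = {"PKP", "PKPRO"}        # Chrome deprecated HPKP: flag it, don't credit it
MIN_HSTS_AGE = 180 * 24 * 3600       # assumed warning threshold for a short max-age


@dataclass
class Posture:
    redirects_to_https: bool
    headers: Set[str] = field(default_factory=set)
    hsts_max_age: Optional[int] = None
    warnings: List[str] = field(default_factory=list)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.x response into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value: str) -> Optional[int]:
    """Pull max-age out of a Strict-Transport-Security value, if present."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def classify(http_raw: str, https_raw: str) -> Posture:
    """Score one site from its http:// and https:// responses for GET /."""
    status, h = parse_response(http_raw)
    location = h.get("location", "")
    # "Actively redirecting" means a redirect status whose target is an https:// URL.
    redirects = status in (301, 302, 307, 308) and location.lower().startswith("https://")
    posture = Posture(redirects_to_https=redirects)
    if not redirects:
        posture.warnings.append("plain HTTP does not redirect to HTTPS")

    _, hs = parse_response(https_raw)
    for name, label in SECURITY_HEADERS.items():
        if name in hs:
            posture.headers.add(label)
            if label in DEPRECATED:
                posture.warnings.append(f"{label} is deprecated; drop the header")
    if "strict-transport-security" in hs:
        posture.hsts_max_age = hsts_max_age(hs["strict-transport-security"])
        if posture.hsts_max_age is None or posture.hsts_max_age < MIN_HSTS_AGE:
            posture.warnings.append("HSTS max-age missing or under 180 days")
    return posture


# Constructed responses for a fictional example.test
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.test/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Public-Key-Pins-Report-Only: pin-sha256=\"placeholder-not-a-real-pin\"; max-age=5184000\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    p = classify(HTTP_RESPONSE, HTTPS_RESPONSE)
    print("redirects:", p.redirects_to_https, "headers:", sorted(p.headers))
    for w in p.warnings:
        print("warning:", w)
```

Feed it the two responses you get from `GET /` over port 80 and port 443; a site that answers 200 on port 80 without a Location header is the case Helme counts as not yet redirecting, even if HTTPS works when typed by hand.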

Google Chrome users visiting unencrypted websites have been confronted with a “Not secure” warning since late July, a factor that will likely push even stronger adoption of HTTPS over the next six months. Helme and his frequent collaborator Troy Hunt created a site, whynohttps.com, that shames high-profile sites still loading over plain HTTP, timed to coincide with the change in Chrome.

The strong growth in HTTPS has been accompanied by a shift in which certificate authorities are issuing the certificates. Let’s Encrypt, the free automated CA, is showing the sharpest increase. “Its presence in the top 1 million has seen similar growth across the board, from the very top to the very bottom they’ve increased their presence,” Helme said.

Let’s Encrypt stats show 53.5 million active certificates issued, with an average of 600,000 more issued every day. Despite strong growth in HTTPS across the top 1 million sites, EVs (extended validation certificates) have not seen much of that growth at all.

“With such a massive flood of new sites coming to HTTPS and the proposed benefits of EV, I’d have thought we’d at least see a little more increase in the use of EV but we really haven’t,” Helme noted. He added that his data showed some sites that used to have EV certs have switched from them to either OV (organisation validated) or DV (domain validated) certs.

In his blog post, Helme noted that ECDSA (elliptic curve digital signature algorithm) keys, which give equivalent security with far smaller keys, aren’t grabbing much of the new HTTPS adoption: RSA remains the top choice.

“Adoption is the first step, making improvements after that is a lot easier,” Helme told El Reg. “The really good thing is that all of the metrics are improving.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/28/web_security_sitrep/

Footie fans calling for a red card over West Ham United CC email blunder

Fat-fingered staff at London football team West Ham United have upset some fans following a ticket confirmation email bungle.

West Ham’s email to away season ticket-holders confirming their ticket for tonight’s (Tuesday) Football League Cup fixture at Wimbledon was CC’d to every intended recipient. The message should have been sent as a BCC, irritating some Hammers in the process.

Other fans saw the bright side of the slip-up. West Ham fan Vinny responded: “If I ever need a spare ticket it’s a great list to go through!”

El Reg asked West Ham for comment, but we’re yet to hear back. Data privacy watchdogs at the ICO have likewise stayed shtum.

The ICO previously took action over privacy slip-ups stemming from emails being sent as CC instead of BCC, but those related to cases that exposed possible victims of sexual abuse or membership of an HIV support group. ®
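The blunder is a one-character mistake in a mail client, but in code the fix is structural: recipients belong in the SMTP envelope, not in any header the other recipients can read. The following is an added example, not West Ham’s mailing code, showing the safe construction beside the CC mistake and a pre-send guard that refuses to hand a message to the MTA if any recipient’s address has crept into a visible header. The sender address and recipients are constructed.

```python
"""Send a bulk notification without leaking the recipient list.

Added example, not the club's mail code. The envelope list goes to smtplib
separately; the message headers name nobody. Addresses are constructed.
"""
from email.message import EmailMessage
from typing import Iterable, List, Tuple

SENDER = "tickets@example.test"   # assumed sender address


def build_notification(recipients: Iterable[str], subject: str, body: str
                       ) -> Tuple[EmailMessage, List[str]]:
    """Return (message, envelope).

    The message carries no Cc or Bcc header at all. The envelope list is
    passed to the MTA separately, e.g.
        smtp.send_message(msg, from_addr=SENDER, to_addrs=envelope)
    so each recipient sees only the empty group in To:.
    """
    envelope = list(dict.fromkeys(a.strip() for a in recipients))  # dedupe, keep order
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = "Undisclosed recipients:;"   # RFC 5322 empty group: valid, names nobody
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, envelope


def cc_blunder(recipients: Iterable[str], subject: str, body: str) -> EmailMessage:
    """What went wrong: every recipient listed in a header all of them can read."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def leaked_addresses(msg: EmailMessage, recipients: Iterable[str]) -> List[str]:
    """Pre-send guard: recipient addresses visible in To/Cc/Bcc headers.

    Bcc is checked too, in case the message is later sent by something that
    does not strip that header before transmission.
    """
    visible = " ".join(str(msg.get(h, "")) for h in ("To", "Cc", "Bcc")).lower()
    return [r for r in recipients if r.lower() in visible]


def safe_to_send(msg: EmailMessage, envelope: List[str]) -> bool:
    """True only if the envelope is non-empty and no envelope address leaks."""
    return bool(envelope) and not leaked_addresses(msg, envelope)


if __name__ == "__main__":
    fans = ["hammer1@example.test", "hammer2@example.test", "hammer1@example.test"]
    good, env = build_notification(fans, "Away ticket confirmation", "See you at the ground.")
    bad = cc_blunder(env, "Away ticket confirmation", "See you at the ground.")
    print("safe version leaks:", leaked_addresses(good, env))
    print("cc version leaks:  ", leaked_addresses(bad, env))
```

Per-recipient sends (one message per address, with a real To: line) are the other correct option; what never works is one message whose To: or Cc: carries the whole list.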

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/28/west_ham_email_blunder/

No, eight characters, some capital letters and numbers is not a good password policy

Internal cybersecurity audits rarely make it to the public domain, but when they do it’s often an eye-popping read.

Take the Western Australian (WA) Auditor General’s recent report on the state of user account security in an Aussie state that manages a mammoth 234,000 Active Directory (AD) accounts across 17 state agencies.

We reported the news here, but what are the deeper implications? Well, this isn’t a problem unique to the government of Western Australia.

Bad passwords are one of those problems that never goes out of fashion, and sure enough, 60,000 (26 per cent) of the state’s AD passwords were found to be somewhere between easily guessed and downright lamentable.

Among these, ‘Password123’ was in use by 1,464 accounts, ‘Project10’ by 994, ‘support’ by 866, ‘password1’ by 813, and ‘October2017’ by 226, to pick only the top five worst offenders in popularity order.

In one particularly epic fail, the auditors said they were able to remotely access a test environment for the agency’s web system using the password ‘Summer123’.

“We identified a significant amount of production data in this environment,” noted the authors, with commendable understatement. So far so bad, but it gets worse when the weak passwords are grouped by pattern: variations on a date or season appeared 12,744 times, ahead of 6,827 variants of ‘123’, 5,182 variants of ‘password’, and 765 made up only of digits.

It’d be easy to blame the WA Government for not imposing a sane password policy, except that it did have a sane password policy – the wrong one. “Many of these passwords comply with industry standards for password complexity and a length of at least 8 characters,” the report pointed out.

“This indicates that merely applying these parameters is insufficient to guard against inappropriate access to networks and systems.”
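The report’s point is that length and character-class rules let ‘Password123’ and ‘October2017’ straight through. The following is an added example, not the Auditor General’s tooling, that runs the extra checks a sane policy needs on top of complexity: the date/season shape, ‘password’ and ‘123’ variants, digits-only strings, and passwords shared by many accounts (which is what catches ‘Project10’ and ‘support’). The top five entries of SAMPLE and their counts are the report’s; the remaining entries and counts are made up for the demo, as is the complexity rule of eight characters and three of four classes, which is the common Windows default the report describes only as “industry standards”.

```python
"""Audit a password set for the weak patterns the WA report counted.

Added example (not the Auditor General's tooling). The first five SAMPLE
entries are the report's top five; everything after them is constructed.
"""
import re
from collections import Counter
from typing import Dict, Optional

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
SEASONS = ("spring", "summer", "autumn", "winter", "fall")
# Month or season, optional separators, up to four digits, optional trailing symbols.
DATE_SEASON = re.compile(r"^(?:%s)[\W_]*\d{0,4}[\W_]*$" % "|".join(MONTHS + SEASONS), re.I)
PASSWORD_VARIANT = re.compile(r"p[a@4]ss?w[o0]rd", re.I)   # password, P@ssw0rd, passwrd
DIGITS_ONLY = re.compile(r"^\d+$")


def passes_complexity(pw: str) -> bool:
    """The rule the state had (assumed): >= 8 characters and 3 of 4 character classes."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) >= 8 and classes >= 3


def weak_pattern(pw: str) -> Optional[str]:
    """First weak pattern the password matches, in the report's order, else None."""
    if DATE_SEASON.match(pw):
        return "date/season"
    if PASSWORD_VARIANT.search(pw):
        return "password-variant"
    if DIGITS_ONLY.match(pw):
        return "digits-only"
    if "123" in pw:
        return "123-variant"
    return None


def audit(passwords: Dict[str, int], popular_threshold: int = 10) -> Dict[str, object]:
    """passwords maps a cleartext (or cracked) password to the number of accounts using it.

    Returns accounts per weak pattern, how many of those accounts nonetheless
    satisfied the complexity rule, and every password shared by at least
    popular_threshold accounts, which is weak whatever it looks like.
    """
    by_pattern: Counter = Counter()
    compliant_but_weak = 0
    popular = {pw: n for pw, n in passwords.items() if n >= popular_threshold}
    for pw, n in passwords.items():
        pattern = weak_pattern(pw) or ("popular" if pw in popular else None)
        if pattern is None:
            continue
        by_pattern[pattern] += n
        if passes_complexity(pw):
            compliant_but_weak += n
    return {"by_pattern": by_pattern, "compliant_but_weak": compliant_but_weak,
            "popular": popular}


SAMPLE = {
    "Password123": 1464, "Project10": 994, "support": 866,      # report's top five
    "password1": 813, "October2017": 226,
    "Summer123": 40, "Winter2018!": 12, "12345678": 9,           # constructed
    "P@ssw0rd!": 5, "Tr0ub4dor&3": 1, "correct-horse-battery": 1,
}

if __name__ == "__main__":
    result = audit(SAMPLE)
    for pattern, n in result["by_pattern"].most_common():
        print(f"{pattern:18s} {n:6d} accounts")
    print(f"{result['compliant_but_weak']} of those accounts passed the complexity rule")
```

In practice you get the counts by dumping and cracking the AD hashes in an authorised audit, exactly as the WA auditors did; identical hashes across accounts give you the “popular” column before a single password is cracked.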

Failure # 1 – where’s the authentication?

Ostensibly, what the state’s admins weren’t doing was blacklisting known terrible passwords: the length and character-class rules were in place, and passwords that satisfied them were still trivially guessable. Arguably, however, the real problem was that thousands of government employees could log into networks without properly authenticating themselves.

The perfect example of this conceptual failure is the way the state was managing the privileged passwords, the ones no network wants to fall into the wrong hands.

One agency was found to have 250 privileged passwords in a weak state, while most of the agencies weren’t managing privileged accounts using a system of identity management, said the auditors. One agency was found to have over 2,000 shared accounts with privileged access.

“These accounts generally have shared passwords and limited ability to track actions back to individuals and therefore present a high risk of unauthorised access.”

Failure #2 – what Active Directory database?

Just when you thought the report could not get any worse, it moved on to Active Directory security. Here it was found that one agency had left an old offline AD database in a location that support users and contractors were able to access, just the sort of place attackers look first: an offline copy of the AD database, together with the SYSTEM registry hive, is all that is needed to extract every account’s password hash for offline cracking. Another had, “inadvertently shared its entire AD database with a third party. The database contained all user account information including staff names, usernames and encrypted passwords.”

So this wasn’t just an organisation with bad passwords; it was an organisation with bad security all over, the lack of password policies and enforcement simply reflecting the lack of a strategy.

The WA Government now has until the end of 2018 to implement a security overhaul, which will include blacklisting the worst passwords, mandating better password management for privileged accounts, and – it’s not rocket science – multi-factor authentication (MFA) for remote access.

Behind the freshly painted white picket fence, plenty of corporate networks are probably not as far away from this near failure of account security as they’d like to imagine.

At least the Western Australian Government had one thing missing from the world of most enterprise network chiefs: an auditor willing not only to write a damning report for consumption behind closed doors but able to publish it for all to see.

With bad passwords never going out of fashion, it would seem we all need that touch of outside intervention. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/28/bad_passwords_never_go_out_of_fashion/

WhatsApp: Mobile Phishing’s Newest Attack Target

In 2018, mobile communication platforms such as WhatsApp, Skype, and SMS have far less protection against app-based phishing than email.

Mobile phishing is a topic that just won’t go away. According to Verizon, 90% of all data breach incidents begin with a phish — and mobile is the fastest-growing vector of attack. Our research shows a new phishing site is created every 20 seconds. Yet, within mobile phishing there are many different techniques and campaigns being employed by attackers, making it difficult to keep up with the latest threats.

Researchers at Wandera have observed a new trend that’s been growing in popularity among cybercriminals — with dozens of new attacks being detected every day, many last less than 24 hours before the campaign is shut down and recreated elsewhere. This vast family of phishing attacks can be identified by a number of common features, most notably centering on WhatsApp, the popular message application.

Distribution Methods
We’ve observed an increase in phishing attacks that center on WhatsApp — not just for the initial method of delivery but also to subversively reach many more targets after each success.

While traditional phishing campaigns make use of email, most attacks today are distributed via other vectors on mobile. There are multiple reasons for this. For one thing, email clients and associated security technologies are better than ever at detecting and filtering suspicious messages from inboxes, whereas less-mature communication platforms such as Skype, WhatsApp, and SMS have far less protection in place. Put simply, email is far less effective than app-based phishing in 2018.

Furthermore, the many millions of apps that people use for communication on mobile devices mean that in-app defense against phishing is next to impossible — meaning that attackers can target users in places they do not expect malicious messages. These mobile-based attacks are three times more effective than desktop phishing, according to research from IBM.

Exploiting WhatsApp
Unlike in email, where the message is flagged as risky, this new phishing attack is not filtered at all in WhatsApp. In fact, when the link is shared in WhatsApp, it is sometimes expanded to display the snippet of the website, complete with logo and page title — all signifiers to the victim that this may be a legitimate domain.

Image Source: Wandera

Malicious Domains
When the user clicks on one of these links within WhatsApp, he or she is taken to a page that appears to be a limited time offer for a particular brand. These pages host content offering some kind of incentive for the user to complete a short questionnaire, typically employing a fake timer or countdown to instill a sense of urgency in the target.

These pages often also make use of mock Facebook comments, creating a false sense of social proof that these promotions are legitimate. Many of these fake commenters even express apprehension about the legitimacy of the page, only to later post that they have successfully completed the offer and have now received their reward. Some even include pictures of the gift as further evidence.

Most of these campaigns will aim to extract sensitive information from the target. In the examples discovered by Wandera, this ranged from personal data such as name, address, and phone number, to even more dangerous forms of personally identifiable information, such as credit card information.

Secure Sites
These campaigns employ another hallmark of the modern mobile phishing attack. While efforts to encrypt the web by implementing HTTPS on websites are admirable, general user understanding of this technology remains low. Most mobile browsers display a “secure” marker near the address bar for sites that present a valid TLS certificate. That marker means only that the connection to that host is encrypted and the certificate matches its name; attackers have used it to convince users that their phishing domain is “secure” in a more general sense. Many users mistake it for validation by Google or Apple that the site itself is authentic.

Organizations such as Let’s Encrypt have been offering these certificates to website owners for free, providing a zero-cost way for attackers to bolster the perceived legitimacy of their phishing pages, and subsequently the efficacy of their attacks. These WhatsApp campaigns make frequent use of this technique.

Redistribution techniques
The more novel part of this campaign is how victims of the attack are exploited to share the campaign with their contacts. This technique is not entirely new, but by integrating with WhatsApp, this method of campaign “virality” is much more effective than more primitive efforts, which explains why these attacks are increasing in frequency.

Depending on the campaign, either before or after the form on the malicious page is completed, the target is told they cannot redeem their gift until they have sent a link to the page to a number of other contacts via WhatsApp. This way, each successful phish reaches yet more victims, directly within the application the campaign is designed to exploit.

A message is then auto-sent to what appears to be a random selection of WhatsApp contacts. This approach has the added benefit of coming from an individual that the target trusts, making them more likely to fall for the scam.
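The markers described in this section (a WhatsApp share link that carries the page’s own URL, a script that counts shares before unlocking the reward, a countdown, Facebook-styled comments claiming the prize arrived, and a form asking for card data) are all visible in the page source, which makes them a reasonable basis for a page-level detector. The following is an added example, not Wandera’s detection code. The share URL forms it recognises (api.whatsapp.com/send, wa.me, whatsapp://send) are WhatsApp’s real entry points; the sample HTML, the brandco-gift.example host, the class names and the `shares >= N` counter are constructed assumptions about how such a kit is built, not a signature of any real one.

```python
"""Heuristic scorer for 'share on WhatsApp to claim your gift' pages.

Added example (not Wandera's code). The page and kit structure below are
constructed; only the WhatsApp share URL forms are real.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlparse

WHATSAPP_SHARE = re.compile(
    r"^(?:https?://(?:api\.whatsapp\.com/send|wa\.me/)|whatsapp://send)", re.I)


class PageScan(HTMLParser):
    """Collect links, inline script text, input names, class names and visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []
        self.scripts: List[str] = []
        self.inputs: List[str] = []
        self.classes: List[str] = []
        self.text: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, str]]) -> None:
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "input":
            self.inputs.append((a.get("name") or "").lower())
        elif tag == "script":
            self._in_script = True
        if a.get("class"):
            self.classes.extend(a["class"].lower().split())

    def handle_endtag(self, tag: str) -> None:
        if tag == "script":
            self._in_script = False

    def handle_data(self, data: str) -> None:
        (self.scripts if self._in_script else self.text).append(data)


def share_gate(scan: PageScan, page_url: str) -> Dict[str, object]:
    """The redistribution gate: WhatsApp share links pointing back at this page,
    plus a share counter the reward is locked behind (assumed 'shares >= N' shape)."""
    share_links = [l for l in scan.links if WHATSAPP_SHARE.match(l)]
    host = urlparse(page_url).netloc.lower()
    texts = [parse_qs(urlparse(l).query).get("text", [""])[0].lower() for l in share_links]
    counter = re.search(r"(?:share|invite)\w*\s*(?:>=|==|<)\s*(\d+)", "\n".join(scan.scripts), re.I)
    return {"links": len(share_links),
            "self_referencing": any(host in t for t in texts),
            "required_shares": int(counter.group(1)) if counter else 0}


def score_page(html: str, page_url: str) -> Dict[str, object]:
    """Return the indicator set, the share quota and a coarse verdict."""
    scan = PageScan()
    scan.feed(html)
    text = " ".join(scan.text).lower()
    js = "\n".join(scan.scripts).lower()
    gate = share_gate(scan, page_url)
    indicators = {
        "whatsapp_share_gate": gate["links"] > 0
        and (gate["self_referencing"] or gate["required_shares"] > 0),
        "countdown": ("setinterval" in js or "settimeout" in js)
        and bool(re.search(r"\b\d{1,2}:\d{2}\b|expires|hurry|remaining", text)),
        "fake_social_proof": any(c.startswith(("fb-", "facebook")) or "comment" in c
                                 for c in scan.classes)
        and bool(re.search(r"(?:got|received) (?:mine|my)|it worked|just arrived", text)),
        "asks_for_card": any(re.search(r"card|cvv|cvc|expir", n) for n in scan.inputs),
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "required_shares": gate["required_shares"],
            "score": score, "verdict": "likely phishing" if score >= 2 else "unclear"}


# Constructed lure page in the shape the article describes.
SAMPLE_PAGE = """<html><body class="promo">
<h1>BrandCo 50th Anniversary: claim your free gift voucher</h1>
<p>Hurry! Offer expires in <span id="t">04:59</span></p>
<form action="/claim"><input name="fullname"><input name="phone">
<input name="card_number"><input name="cvv"><button id="claim" disabled>Claim</button></form>
<p>Share with 10 friends on WhatsApp to unlock your reward.</p>
<a href="https://api.whatsapp.com/send?text=I%20just%20won!%20https%3A%2F%2Fbrandco-gift.example%2Fclaim">Share</a>
<div class="fb-comments"><div class="comment">Sam: not sure this is real</div>
<div class="comment">Jo: it worked, got mine today!</div></div>
<script>
var shares = 0, t = 299;
setInterval(function () { t--; document.getElementById('t').textContent = t; }, 1000);
function onShare() { shares++; if (shares >= 10) { document.getElementById('claim').disabled = false; } }
</script></body></html>"""
BENIGN_PAGE = """<html><body><h1>Welcome</h1><p>Opening hours 09:00 to 17:00.</p>
<a href="https://example.test/about">About us</a></body></html>"""

if __name__ == "__main__":
    print(score_page(SAMPLE_PAGE, "https://brandco-gift.example/claim"))
    print(score_page(BENIGN_PAGE, "https://example.test/"))
```

The share gate is the indicator worth weighting most: a legitimate promotion may have a timer and a share button, but it does not refuse to pay out until the visitor has forwarded the page’s own URL to ten contacts.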

There has been a notable growth in this kind of WhatsApp phishing campaign in 2018, all making use of a number of familiar features to successfully extract data from WhatsApp users. Quantifying it is difficult, because each attack is slightly different and attackers are constantly tweaking different elements on the campaign as they learn more about what works and what doesn’t. In an age of GDPR and increased scrutiny on data breaches and privacy concerns, it is essential that mobile users learn to identify phishing in all its forms.



Dan is director of sales engineering at Wandera, the leading global provider of security and management for mobile data. An experienced engineer in network and cloud security, Dan has worked with start-ups through to global enterprises. Organizations use Wandera to protect …

Article source: https://www.darkreading.com/endpoint/whatsapp-mobile-phishings-newest-attack-target/a/d-id/1332652?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Polish Parliament Enacts National Cybersecurity System

The system classifies security incidents and splits national incident response into three separate teams.

The Parliament of Poland today passed into law a new act that will fully implement the NIS Directive, the European Union’s directive on security of network and information systems.

Poland’s goal for its new national cybersecurity system is to ensure security for information systems throughout the country. The system comprises several moving parts, all in different sectors and all of which are working together to improve security. Entities include service operators in critical industries (energy, transport, healthcare); digital service providers; computer security incident response teams (CSIRTs); and a government body appointed by the prime minister focused on cybersecurity policies.

The system also includes an advisory cybersecurity council, operating alongside the Council of Ministers, to guide security-related matters and streamline the exchange of incident information with other EU nations. It further covers the companies that provide security services and handle incidents in their own networks.

In addition, the act splits incident response for attacks in Polish cyberspace among three national CSIRTs: one within the Internal Security Agency (ABW), one within the Research and Academic Computer Network (NASK), and one under the Ministry of National Defence (MON).

The EU NIS Directive was created to raise the security of network and information systems across the European Union. It applies to operators of essential services established in the EU and to digital service providers offering services in the region. It was transposed into UK law in May 2018.



Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/polish-parliament-enacts-national-cybersecurity-system/d/d-id/1332681?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Tuesday review – the hot 23 stories of the week

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.

Monday 20 August 2018

Tuesday 21 August 2018

Wednesday 22 August 2018

Thursday 23 August 2018

Friday 24 August 2018


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Xls0CY-hWLs/

Woman sues US border patrol over data copied from seized iPhone

An American Muslim citizen is suing US Customs and Border Protection (CBP) for seizing her iPhone at an airport, keeping it for 130 days, failing to explain why, and refusing to destroy whatever copies of her data it may have made, including photos of her without the hijab she wears as an expression of her Islamic faith.

Rejhane Lazoja, a 39-year-old woman from Staten Island, N.Y., had her phone and its SIM card seized by border patrol agents on 26 February at Newark Liberty International Airport when she returned from a trip to Switzerland.

On Thursday, the Council on American-Islamic Relations (CAIR), a Muslim civil rights group, announced that its New Jersey chapter had filed a case in federal court challenging the CBP’s “warrantless and unconstitutional seizure” of an American citizen’s phone.

Lazoja formally asked a federal judge to force border officials to delete data copied from her iPhone 6S Plus – a legal filing that’s formally known as a Rule 41(g) Motion, or as a Motion to Return Property.

It's not her physical phone that she wants back: she got that back, 130 days after it was seized.

Rather, she specifically wants assurances that copies of her data are deleted. As CAIR points out, Rule 41(g) motions are generally used for tangible items, as opposed to easily copied data. But it’s those easily made copies that she wants wiped out: copies that were taken without the CBP explaining its reason for seizure.

One of her attorneys, CAIR’s Albert Fox Cahn, told Ars Technica that the phone was seized, and its data imaged, in spite of her never being charged with a crime:

They provided no justification for why they took the phone. They’ve never accused her of a crime.

Her attorneys have asked the CBP…

…[to] return her Data, to expunge any copies made of the Data, to disclose all third parties who received and/or retain copies, partial or complete, of the Data, and to provide information about the basis for the seizure and retention of the Property.

Lazoja’s motion argues that CBP violated Lazoja’s Fourth Amendment rights not only by seizing the phone, but by the length of time the phone was retained and by any copying of her personal data.

From the suit:

While defendants returned Ms. Lazoja’s cell phone 130 days after it was seized, they refuse to state what they did with her personal data, what third parties her personal data was shared with, and if, let alone when, they will return her data.

To add weight to its argument, CAIR notes that in June, the Supreme Court held, in Carpenter v. United States, that police need a warrant to obtain historical cellphone location records from wireless carriers.

The case involved the conviction of Timothy Carpenter, who was sentenced in 2014 to 116 years in jail for robbing six cellular telephone stores. To get him convicted, prosecutors had relied on vast amounts of data collected – without a warrant – from cellphone companies that showed Carpenter’s movements.

Carpenter v. US sought to determine whether that warrantless search violated Carpenter’s Fourth Amendment protection against unreasonable search. In June, the Supreme Court decided that yes, it did.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/F_dbcTTKVaI/

Facebook helps woman track down her brother’s killer after 37 years

On 8 July 1978, the crew of a small wooden fishing boat made a ghastly discovery: floating less than 200 yards off the Guatemalan shoreline were the bodies of two young adults: a man and a woman.

It would turn out that the woman had been raped, they had both been beaten, and their killer had tied them to heavy engine parts before throwing them overboard to drown.

Forty years later, the man’s long-grieving sister has published a book in which she tells the story of how she tracked down the murderer, long after the case had grown cold, by using Facebook.

Writing for the Daily Mail, the surviving sister, Penny Farmer, describes how her brother, a 25-year-old, newly qualified doctor by the name of Christopher Farmer, had set off on a tropical adventure with his lawyer girlfriend, 24-year-old Peta Frampton.

Their voyage started in 1977: seven years before Facebook's founder had even been born, and long before the World Wide Web existed. Farmer says the young couple kept her family informed of their travels via phone calls and the detailed letters Peta wrote to her mother, who lived across the road from the Farmers. Leaving their hometown of Manchester, in the UK, they travelled through Australia and the Pacific islands to Los Angeles, then through Mexico to Belize.

The last time that their families heard from them was in a letter dated 28 June 1978, in which they explained that they’d agreed to charter a yacht down the Caribbean coastline from Belize to Honduras with an American sailor named Silas Duane Boston.

It was a bargain for the young, adventuresome couple, wrote Penny Farmer:

He had offered Chris and Peta the chance to sail 150 miles with him and his boys down the coast to Honduras for $500 (about £1,500 in today’s money). For the young couple, it seemed too good an opportunity to miss.

Boston had his two sons with him on the 32-foot sailing boat, which he used to ferry tourists to the islands off Belize for what Farmer described “as a ‘Robinson Crusoe’ experience, mooring at white sandy beaches and spearing fish for supper.”

After that final letter, the couple dropped off their families’ radar. Granted, communications were dicey back then, but Penny’s father grew desperate to find out where they were. He wrote to the harbor master in Belize City in September, asking for records of the boat, which was christened the Justin B.

Weeks later, the harbor master wrote back, but the news wasn’t good. Christopher and Peta had been on the crew list when the boat left port, but there was no record of them having been on board when it next docked. Honduran authorities, meanwhile, told the families that the visas which the couple had purchased had never been used.

Boston and his two sons turned up in California in mid-September. Penny says he was “evasive” during a phone conversation with the British Consulate in San Francisco. The families were suspicious, but there was no solid evidence to tie him to the disappearance of the two young people.

In January 1979, news came – through a private investigator – of the fishing crew’s horrific discovery of the bodies back in July 1978. The bodies were too decomposed to identify, and they were buried in unmarked graves.

Penny said that her family's suspicions that Boston was responsible for the killings spiked after learning, through Interpol, that his third wife, Mary Lou, the mother of his two boys, had disappeared in September 1968. Manchester Police asked detectives in Sacramento to interview Boston and his sons in May 1979, but by that point he couldn't be found: he had taken his sons and disappeared.

It was 37 years later, in 2015, that it occurred to Penny that times had changed. She no longer had to rely on snail mail. The world had become much smaller with the advent of the internet, and at her fingertips was a powerful research tool for tracking people down: Facebook.

It suddenly struck me that we now live in a different age. We have the worldwide web as a source of almost limitless information, rather than the painfully slow exchange of letters of the late 1970s. I began to scour the internet, driven by the belief that if I looked hard enough, I would get to Boston – and the truth.

It didn't take long. First, she found Boston's eldest son, Vince, whom she describes as "a 50-year-old aviation electrician living in Arizona." On his page was this account of his mother's killing:

My mother was killed at 23 with a gun.

She also tracked down Vince’s brother, Russell, a 49-year-old illustrator living in California.

My head was spinning, we always knew the brothers were the two people we desperately needed to talk to and I sent them private messages urging them to tell me what had happened on the boat.

Eventually, she tracked down the killer himself. Boston was living in a nursing home in Eureka, California. A couple of years earlier, having complained of having no friends, a sympathetic caregiver had set up a Facebook page for him.

What harm could come from a Facebook page, after all?

His Facebook picture was of a grizzled 74-year-old with a white beard wearing a T-shirt under a denim shirt, a baseball cap and sunglasses. … Though I instantly hated him, my overwhelming feeling was relief he was still alive to face justice.

Eleven days after Penny had contacted Vince on Facebook, on 13 October 2015, he provided a statement to Sacramento Police. He told a detective that “it was an open family secret” that his father had killed his mother, but no one knew where he had buried her.

Vince also told the detective that, at the age of 13, he’d witnessed the murder of Christopher and Peta on the Justin B.

Vince had repeatedly tried to tell authorities what he’d seen, but he had no luck.

Vince had joined the US Navy in 1982 at the age of 16, and his first act on escaping Silas Duane Boston’s evil grip was to tell police in London what he had seen four years earlier. He gave Chris and Peta’s full names, but was told there was no file on the case.

Further attempts by Vince and his brother Russell to get the case taken seriously on both sides of the Atlantic fell on deaf ears.

Penny said that Russell corroborated Vince’s account and produced “crucial” photographs showing Chris and Peta aboard the Justin B.

At the age of 75, Boston’s “loathsome” past finally caught up with him, Penny writes. He was charged with the murders of Chris and Peta on 1 December 2016. But “it is unlikely they were his only victims,” she writes.

In fact, the BBC reports that Boston had confided to Russell about having killed 33 people: a tally that would make him one of the most prolific serial killers in American history, if the confession were true. He had threatened to kill Russell and his brother, Vince, immediately after killing Chris and Peta, to keep his secret safe, the BBC reports.

From Penny’s article:

Today, Sacramento Police have two large files, totaling 2,000 pages, detailing five decades of crimes Boston is suspected of – including numerous murders.

But after years of alcohol abuse, his health was already failing and Boston died in custody on April 24, 2017, three weeks before Mum and I were due to fly out for a pre-trial hearing.

It’s a story worthy of Hollywood, she says.

It's also a testament to the power of the internet and social media as tools in the investigative arsenal. With the ability to find people who have evaded investigators for years, we can look forward to justice being served on others.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YhLFKqMgiIs/