STE WILLIAMS

Drone firm says it’s stepping up security after US army ban

Two weeks ago, the US Army told its troops that using drones from DJI – maker of the world’s best-selling drones – was henceforth verboten, given unspecified vulnerabilities discovered by its research lab and the US Navy.

While the army was keeping mum about those vulnerabilities, others haven’t been so circumspect. Rather, they’ve been talking for months about sensitive information having the potential to be scattered in the tailwinds.

In May, Kevin Pomaski, a chief pilot for one of the largest commercial UAS service providers in the US, wrote an article about highly sensitive information that can be revealed in conversations between unmanned aerial system (UAS) pilots and their clients: details that he said can include infrastructure, stadiums, military installations, construction sites, details about security, details about the drone itself, details about the drone operator, and more.

This sensitive data is vulnerable to interception, he said:

Critical infrastructure access and layouts are being captured every day. This information may be accessed by foreign actors that mean to harm the countries that these locations are in. The complete data record can be cataloged by pilot, region or location and a full report of the layout, security response, names of people will be revealed. Corporate espionage agents would love to have visual and audio details of that new system being captured by the drone in any industrial field of pursuit.

More recently, rumors have been flying about operators being told not to show up for work at US government agencies unless they bring American-made drones with them. According to sUAS News, the unspecified government agencies allegedly have security concerns about data being shared unwittingly.

If the allegations are true, it adds up to a ban on the Chinese-made DJI equipment. DJI is, after all, a Chinese company, governed by Chinese law, as Pomaski pointed out.

He dissected the privacy policy of DJI’s Go app and came up with a number of issues around sensitive data. For example, this passage from the privacy policy notes that personal information could be transferred to offshore servers:

The DJI Go App connects to servers hosted in the United States, China, and Hong Kong. If you choose to use the DJI Go App from the European Union or other regions of the world, then please note that you may be transferring your personal information outside of those regions for storage and processing. Also, we may transfer your data from the US, China, and Hong Kong to other countries or regions in connection with storage and processing of data, fulfilling your requests, and providing the services associated with the DJI Go App. By providing any information, including personal information, on or through the DJI Go App, you consent to such transfer, storage, and processing.

Now, two months after the army banned DJI drones, DJI has responded by adding a privacy mode to its equipment to prevent flight data being shared to the internet.

On Monday, DJI announced that it’s adding a local data mode that stops internet traffic to and from its flight control apps “in order to provide enhanced data privacy assurances for sensitive government and enterprise customers”.

The company says the privacy mode had been in the works for months, before the army ban. The new privacy mode, due out in future app versions expected in the coming weeks, entails a tradeoff: blocking all internet data means that DJI apps won’t…

  • update maps or geofencing information, meaning pilots could wind up flying in banned zones
  • notify pilots of newly issued flight restrictions or software updates
  • be able to upload to YouTube

On the plus side:

[Local data mode] will provide an enhanced level of data assurance for sensitive flights, such as those involving critical infrastructure, commercial trade secrets, governmental functions or other similar operations.

The army memo had told troops to “cease all use, uninstall all DJI applications, remove all batteries/storage media from devices, and secure equipment for follow on direction.”

However, the army has reportedly walked that ban back a bit, sUAS News reported on Monday. A second memo had reportedly gone out at the end of last week, to the effect that the army will grant exceptions to the ban once a DJI plugin has passed OPSEC (Operational Security) scrutiny.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/o5hg-rr9McI/

How likely is a ‘digital Pearl Harbor’ attack on critical infrastructure?

It’s coming on two decades now since the first warnings that US critical infrastructure is vulnerable to a catastrophic cyberattack. According to some experts, it is perhaps more vulnerable now than ever – the threats are worse and the security is no better.

But how likely is such an attack? There is still plenty of debate about that.

Richard A Clarke, who in 2000 was the US’s top counter-terrorism and cybersecurity chief, gets credit for coining the term “digital Pearl Harbor”. He said at the time that it was “improbable,” but added that “statistically improbable events can occur”.

There have been similar warnings since from top government officials – former defense secretary Leon Panetta paraphrased Clarke in 2012, warning of a “cyber Pearl Harbor” – a major cyberattack on industrial control systems (ICS) that could disable the nation’s power grid, transportation system, financial industry and government for months or longer.

Of course, nothing even close to that catastrophic level has happened – yet. And there are a number of experts who say such doomsday language is gross hyperbole, peddling nothing but FUD (fear, uncertainty and doubt). Marcus Sachs, CSO of the North American Electric Reliability Corporation (NERC), said at the 2015 RSA conference that squirrels and natural disasters were a more realistic threat of taking down the grid than a cyber attack.

But a couple of experts in ICS – the equipment used to operate the grid and other critical infrastructure – say they are increasingly troubled that security has not really improved since the warnings began.

Galina Antova, co-founder and chief business development officer at Claroty, recently referred in a blog to “The Lost Decade of Information Security”, saying:

“We are no better off today in terms of cybersecurity readiness than we were 10 years ago. The threat landscape is clearly growing more active and dangerous by the day. The theoretical is becoming reality and, unfortunately, we aren’t prepared to counter the threat just over the horizon.”

She has some company in the person of Joe Weiss, managing partner at Applied Control Solutions, who has said for years that ICS security is dangerously lax. Writing on his “Unfettered” blog last week, Weiss said there is essentially no security in ICS process sensors, the tools to detect anomalies in the operation of ICSs – which means an attacker could get control of them relatively easily and create major physical damage.

Weiss cited a number of sensor “malfunctions” that illustrate the problem. One, he said, resulted in the release of 10m gallons of untreated wastewater. Another, he said, was the rupture of a pipeline in Bellingham, WA, which released 237,000 gallons of gasoline into a nearby creek causing it to catch fire, killed three people, caused an estimated $45m in property damage and led to the bankruptcy of the Olympic Pipeline Company.

“That happened in June, 1999,” Weiss said in an interview. “How can that be relevant today? It turns out every bit of it is, because the same flaws that existed then exist today.”

He said in most cases there is no way to know if what happened was an accident or a malicious attack, because of a lack of visibility into the networks. And he wondered on his blog: “How can this lack of security and authentication of process sensors be acceptable?”

What to do? That is where Weiss and Antova part company – just a bit. Antova said she agrees that the sensor flaws exist and, as she wrote, the threat of major ICS attacks “is real and just over the horizon”. But, in an interview, she also said she is “allergic” to describing the threat at either extreme – in relatively trivial terms (squirrels) or disaster (Pearl Harbor).

She said it is not simple or quick to fix flaws in sensors. “Engineers know it takes years to design,” she said, “and it can take 25 to 35 years to replace the architecture” of ICS equipment. She ought to know – she was formerly global head of industrial security services at Siemens, a leading manufacturer of power generation and transmission systems.

In her blog post, she called for implementing what is practical and feasible – the kind of “security hygiene” steps that would keep ICS from being the “low-hanging fruit” that it is now. Things like patches, really taking network segmentation seriously, and giving IT professionals visibility into the networks.

What has hampered that, she wrote, has been a failure to “bridge the gap” between IT and engineering staff, each of whom, “approach the world with different viewpoints, backgrounds and missions.” Engineers, she noted, focus on keeping things physically safe and running. Anything that impedes that, they reject.

She also said government regulatory frameworks and standards are, in many cases, not practical. One example she cited was the push for “air-gapped” networks. It sounded good, she said, but it interfered too much with efficiency and the needs of the business. “As a result, air gaps now have one thing in common with unicorns – they don’t exist,” she wrote.

But just doing security basics would help. “You have to start somewhere,” she said.

Weiss contends it is possible, and necessary, to be both more aggressive and creative. Part of the problem, he said, “is a failure of imagination. When you look at the bad guys, they really are bad guys. We need to think like bad guys.”

But the two agree that there needs to be better communication between operations and IT. “We’ve got to have engineering in the same room when IT comes in and says this is what I want to do,” Weiss said. “Every time there’s an important meeting in DC on cybersecurity, GE and Siemens aren’t there.”

And both agree that the risk of something really serious happening is growing. “We know these (ICS) networks are exposed,” Antova said. “They are resilient and have safety measures, but for a skilled hacker, it’s not that hard to fool safety equipment.”

The real menace, she said, is that ransomware like WannaCry and Petya is not just in the hands of nation states, but, “in the hands of every crazy person. I don’t think people realize how poor the cyber hygiene is.”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/APcVFtuXsPc/

What weighs 800kg and runs Windows XP? How to buy an ATM for fun and profit

BSides Weighing in at 800kg secondhand, freestanding ATMs – a “safe with a computer on top” – are a logistical nightmare to own and research, security boffin Leigh-Anne Galloway warned delegates at the BSides Manchester infosec conference yesterday.


Security boffin Leigh-Anne Galloway, cat and pieces of ATM…

Galloway, Positive Technologies’ security resilience lead, explored various ways to purchase an ATM including through a seemingly cancelled eBay auction and a quickly discarded plan to drive a leased machine from Moscow before discovering that it is easier to get one through the regular market in the UK. Suppliers are used to selling in bulk to banks but they will sell to firms providing they set up a line of credit.

Galloway’s logistical problems kicked in after the purchase of an NCR “Personas 77” ATM for £2,600 (before tax). Most courier firms wouldn’t move it, and Positive Technologies’ third-floor UK office had a lift rated only to 600kg. “Part of the security of these devices is their immovability,” Galloway explained. “They are designed to be brought somewhere and to stay in situ”.

Four out of five cash machines still run Win XP or Win XP Embedded.

The security researcher’s house is a converted warehouse. The ATM was initially brought there, where moving it caused damage to her floor, before it was left outside, protected from the elements by pond liners. It later found a home in a car park outside Positive Technologies’ offices.

Galloway reports that in both locations, neighbours asked when the device would be operational.


The ATM was initially left outside, protected from the elements by pond liners, later finding a home in a car park…

To make the ATM more practical to transport, Galloway and colleagues cut off its base with an angle grinder. The safe element is typically concrete and steel and cutting through that with industrial-grade kit allowed the team to halve its weight.

ATMs can be compromised and used to jackpot cash, skim cards and even infect banking networks. Having gained access to the front of the machine, a criminal can access USB ports within the device to perform various attacks. These include forcing the machine to dispense cash and installing malware to skim card details.

ATM logic attacks involving malware started in earnest in 2009, with the “Skimer” trojan. Ever more sophisticated malware has been developed in the years since.

Crooks typically look for people with legitimate access to the ATM such as a bank employee or contractor responsible for ATM maintenance that can be bribed to compromise machines and install the malware. Once the necessary ATMs have been infected, the criminals proceed to the cash withdrawal phase. Mules have to physically come to the ATM and take the cash.

There are also attacks that focus on bypassing the ATM’s computer altogether, so encryption should be enforced between the computer and the dispenser. Galloway added, “While ATMs made in the last six years will likely have this, any manufactured pre-2011, of which there are many in use today, should be fitted with an ‘after-market’ device that monitors the current between the dispenser and PC for anomalies. These devices typically retail at £150.”

Banks should install and properly configure application control software to monitor software integrity, allowing only whitelisted programs that have been checked for unauthorised modifications.

Although Galloway said she’d learned a lot from the project, which helped her firm secure consultancy work with Wincor, she said she “would not recommend” it to others because of the logistical problems and general hassle involved. At the end of the exercise, Galloway was saddled with the device. “An ATM is for life, not just for infosec,” she concluded.

A trailer for Galloway’s talk, Money Makes Money, How To Buy An ATM, can be found below. ®


Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/18/atm_purchase/

Q: How many drones are we bombing ISIS with? A: That’s secret, mmkay

The Information Tribunal has rejected an appeal by campaigners trying to find out how many British Reaper drones are being used for warlike missions in the Middle East.

The Tribunal ruled that the Information Commissioner’s Office (ICO) was right to reject anti-drone campaign group Drone Wars UK’s Freedom of Information request seeking to find out how many RAF MQ-9 Reaper drones are being used to bomb Islamic State in Iraq and Syria on March 1, 2016.

As Chris Cole of Drone Wars pointed out in his appeal, the Ministry of Defence routinely publishes the number of conventional, manned aircraft being used for warlike operations abroad, and released detailed numbers of Reapers being used in Afghanistan and their main base location at Kandahar Airfield.

Cole’s appeal was heard under parallel legal rules that apply for national security hearings, where most of the normal procedures about openness and transparency of evidence simply do not apply. This even extends to having two parallel judgements: a non-binding “open” one that is made available to the public, and the actual “closed” judgement, which is kept secret from everyone except the government and the judge who writes it.

In theory the open judgement is a bowdlerised version of the closed judgement. In practice the closed judgement can say anything.

Rejecting the FoI request, the ICO said that revealing the number of drones being used would prejudice “the capability, effectiveness or security” of the drone units, as well as being likely to prejudice “the promotion or protection by the United Kingdom of its interests abroad” – two of the reasons the State can use to refuse disclosure of information, as permitted under sections 26 and 27 of the Freedom of Information Act 2000.

The MoD successfully argued to the ICO that disclosing the number of drones being used “would be likely to assist opposing forces in building up a detailed picture of UK tactics and strike capabilities”, allowing enemies to figure out how to counter them. Supporting the MoD, the Information Commissioner herself, Elizabeth Denham, vigorously agreed with the government department’s view that revealing how many drones were flying over Iraq and Libya would create “a real and significant risk” of prejudicing the RAF’s operations.

Denham told the tribunal she could not disclose the evidence that led her to come to this conclusion, saying only that there were “differences” between the Afghanistan deployment and the more recent Syria and Iraq drone deployments. She also argued that there was little public interest in the number of Reapers being used to bomb Islamic State being disclosed, claiming that this would not help in “informing a debate about the use of Unmanned Aerial Vehicles (UAVs)”.

Group Captain Mark Flewin of the MoD’s Permanent Joint Headquarters at Northwood, Middlesex, giving evidence for the MoD, claimed the RAF’s Reapers are “intelligence, surveillance and reconnaissance assets” before conceding that their available munitions include laser-guided bombs and Hellfire anti-tank missiles.

An RAF Reaper famously used its weapons to kill British Islamist terrorist Reyaad Khan in Syria during August 2015, while his fellow Brit, Junaid Hussein, was eventually killed by American drones after a bungled first attempt killed three civilians.

Flewin was questioned by the tribunal about an MoD press release that described how “two Tornados joined the existing eight earlier this week and six Typhoon aircraft were introduced” to anti-Islamic State bombing operations from RAF Akrotiri at Cyprus. Asked whether this was not the same type of information that Cole was asking for, the group captain described the precise figures in the press release as “generic numbers”.

The tribunal ruled in favour of the MoD and dismissed Cole’s appeal. It also refused to disclose whether the USA “had been given an effective veto over disclosure”, something Flewin was asked about in a closed session that Cole was excluded from.

“Drawing on an analogy from World War 2, it can be readily understood why, for reasons of boosting morale at home and seeking to undermine that of the enemy, the government would have been keen to release the news that, on a particular night, a specified number of Lancaster bombers flew a mission over Berlin,” ruled tribunal judge Peter Lane. “It would, however, be entirely understandable why the government would be reluctant to reveal how many Lancaster bombers it actually had at its disposal on that particular night. By the same context, question (a) is directed at the number of RAF Reaper UAVs that were available to the RAF on 1 March 2016.”

Part of the three-judge tribunal’s unanimous decision that the public interest was not strong enough to order disclosure rested on reasons given in its closed judgement. Judge Lane, accompanied by Paul Taylor and Anne Chafer on the bench, did not even give a summary in the open judgement of the tribunal’s reasoning for this decision.

Speaking to The Register today by email, Cole speculated that the MoD may be struggling to recruit enough personnel to fly and maintain its drone fleet and so opposes disclosure because this would reveal whether that is the case.

He added: “The other, and probably overlapping explanation, is that the government simply wants to be able to deploy armed drones on covert operations overseas and does not want to seek Parliamentary approval, as [has] become the convention. Publicising the number and location of UK drones in operation today would set a precedent and make it harder for the government to refuse such details in the future.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/18/info_tribunal_drone_isis_bombing_numbers_refusal/

So long and thanks for all the phish: Red teams need to be smarter now

BSides The opening talk at BSides Manchester on Thursday examined how red team tactics are evolving beyond phishing to include a wider variety of methods.

For example, internet-facing ADFS (Active Directory Federation Services) endpoints can be abused to gain entry to corporate environments without needing to trick staff into opening booby-trapped emails. Alternatively, pushing fake Skype updates through recently expired Microsoft domains offers another attack technique, according to security researchers Dominic Chell and Vincent Yiu. The pair showed how a tool called LinkedInt could be used to scrape the professionals’ social network LinkedIn during reconnaissance.

Red team penetration testing emulates a real-world attack against a company to evaluate the effectiveness of its security defences. It’s wider in scope than regular pen-testing exercises, which normally focus solely on specific corporate resources such as a range of IP addresses.

As defensive technologies and detection capabilities improve, red team aggressors must evolve, adapting their tactics to avoid the spotlight shone by the blue (defence) team.

Chell and Yiu examined the most significant advances in red team tactics over the past 12 months. In addition to public research, the duo detailed some of the research performed by MDSec’s ActiveBreach team. Specifically, the research included domain fronting, using high-reputation domains to evade controls such as proxy categorisation in the course of exfiltrating data. The presentation also covered how popular (and expensive) malware protection sandboxes can be bypassed.

Chell predicted that over the next year we will witness a greater focus in red teaming on defensive tech evasion such as approaches to defeating Windows 10’s Device Guard and Credential Guard as the technologies become widely deployed.

Chell and Yiu’s talk opened the one-day security conference, attended by around 500 pen-testers, app developers and other infosec pros. The conference closed with a plea that white-hat hackers need to go beyond being engineers to become teachers, diplomats and negotiators as computer security issues and concerns become more mainstream. The plea was delivered by Charl van der Walt in a talk entitled Return of the Jedi – Considering the role of the Security Professional in Extraordinary Times. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/18/red_team_tactics/

Don’t panic, Chicago, but an AWS S3 config blunder exposed 1.8 million voter records

A voting machine supplier for dozens of US states left records on 1.8 million Americans in public view for anyone to download – after misconfiguring its AWS-hosted storage.

ESS says it was notified by UpGuard researcher Chris Vickery of the vulnerable database that contained personal information it collected from recent elections in Chicago, Illinois. The records included voters’ names, addresses, dates of birth, and partial social security numbers. Some of the records also included drivers’ licenses and state ID numbers.

“The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems,” ESS said in a statement on Thursday.

“These back-up files had no impact on any voters’ registration records and had no impact on the results of any election.”

According to ESS, it was alerted at 5.37pm on August 12 when, as part of a larger project to seek out sensitive data insecurely hosted on AWS, Vickery notified the company it had left its voter records out in the open. The cloud system was taken down four hours later. The biz, which supplies voting machines and backend services to more than 40 US states, is investigating the cockup.

A spokesperson for UpGuard confirmed to The Register that the vulnerable service was an AWS S3 silo accidentally set up to be open to the public. Strangely, only Chicago’s data was exposed by a misconfiguration.

“We can’t determine why the data exposed was only Chicago other than the bucket name, ‘Chicagodb’. Our cyber risk team checked for other cities but came up empty,” UpGuard’s Kelly Rethmeyer told us.

Chicago’s election board, meanwhile, says it is “deeply troubled” to hear of the exposure, but applauded ESS for taking quick action.

“We have been in steady contact with ESS to order and review the steps that must be taken, including the investigation of ESS’s AWS server,” said Chicago Election Board chairwoman Marisel Hernandez in a statement.

“We will continue reviewing our contract, policies and practices with ESS. We are taking steps to make certain this can never happen again.”

This isn’t the first time UpGuard found voter data sitting out in the open on AWS. Earlier this year the security firm caught a Republican analytics company that failed to put any access restrictions on an S3 instance that contained the personal details of nearly 200 million US voters within a 1.1TB database collected prior to the 2016 presidential election. ®
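The exposure described above came down to a bucket whose ACL or policy granted read access to everyone. The following added example (not UpGuard's tooling or anything from the article) audits the three documents the S3 API returns for a bucket (GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock, the last of which AWS added after this story) and reports whether they make the bucket public; the sample documents are constructed, with the bucket name taken from the article and the owner ID and role ARN being placeholders.

```python
"""Audit an S3 bucket's ACL, bucket policy and public-access block for
anonymous access. Works on the JSON documents the AWS API returns, so it
runs offline against the constructed samples below; fetching the live
documents (e.g. with boto3) is left to the caller."""
import json

# The two S3 predefined groups that mean "anyone" (AuthenticatedUsers is any
# AWS account holder, which for exposure purposes is also the whole internet).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (group, permission) pairs in a GetBucketAcl document that grant
    rights to one of the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also in list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_public_statements(policy):
    """Return Allow statements whose principal is anyone. Statements with a
    Condition are flagged 'conditional' rather than treated as open, because
    whether they are public depends on the condition keys."""
    findings = []
    if policy is None:  # bucket has no policy at all
        return findings
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append({"sid": st.get("Sid", f"statement[{i}]"),
                         "actions": actions,
                         "conditional": "Condition" in st})
    return findings


def bucket_is_public(acl, policy, public_access_block=None):
    """Combine the documents the way S3 applies them: IgnorePublicAcls
    neutralises public ACL grants and RestrictPublicBuckets neutralises a
    public bucket policy; otherwise either one makes the bucket public."""
    pab = public_access_block or {}
    acl_findings = acl_public_grants(acl)
    policy_findings = [f for f in policy_public_statements(policy) if not f["conditional"]]
    acl_open = bool(acl_findings) and not pab.get("IgnorePublicAcls", False)
    policy_open = bool(policy_findings) and not pab.get("RestrictPublicBuckets", False)
    return acl_open or policy_open, {"acl": acl_findings, "policy": policy_findings}


# Constructed sample: the weak configuration. EXAMPLE-OWNER-ID is a placeholder;
# the bucket name is the one UpGuard reported.
EXPOSED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAnyoneToRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::Chicagodb/*"}],
})

# Constructed sample: the corrected configuration. Owner-only ACL, a policy that
# names a single role (placeholder account and role), and full public-access blocking.
HARDENED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
                "Permission": "FULL_CONTROL"}],
}
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "BackupRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::Chicagodb/*"}],
})
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, acl, pol, pab in [("exposed", EXPOSED_ACL, EXPOSED_POLICY, None),
                                ("hardened", HARDENED_ACL, HARDENED_POLICY, FULL_BLOCK)]:
        public, detail = bucket_is_public(acl, pol, pab)
        print(f"{name}: public={public} {detail}")
```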


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/17/chicago_voter_leak/

What code is running on Apple’s Secure Enclave security chip? Now we have a decryption key…

Apple’s Secure Enclave, an ARM-based coprocessor used to enhance iOS security, became a bit less secure on Thursday with the publication of a firmware decryption key.

The key does not provide access to the Secure Enclave Processor (SEP). Rather, it offers the opportunity to decrypt and explore the otherwise encrypted firmware code that governs it, affording security researchers and other curious types a chance to learn more about how the technology works.

A hacker who goes by the name “xerub” on Twitter and GitHub posted the key on Twitter and to the iPhone Wiki, a community website that documents technical information used to pry inside Apple devices.

“This is very nice for security researchers, in my opinion,” said Will Strafach, CEO of the Sudo Security Group, in an email to The Register. “It is not as useful for jailbreaking, because jailbreaking targets the main AP [application processor], not the SEP. This makes the firmware more accessible to security researchers who may not know much about the iOS platform.”

Used in conjunction with xerub’s img4lib, the key should be able to decrypt an iPhone 5s IMG4 SEP (Secure Enclave Processor) firmware image, which can then be processed further with a tool called sepsplit to extract the executable binaries from the image.

“This key being available does not reduce security of the Secure Enclave in any way,” said Strafach. “Secure Enclave has the main task of protecting sensitive content, but the firmware decryption key is more comparable to ‘obfuscation’ rather than anything related to protection of the actual content stored.”

According to Apple’s technical documentation, the Secure Enclave coprocessor is built into Apple S2 (Watch Series 2), A7 (iPhone 5S, iPad Air, Mac Mini 2 and 3), and subsequent A-series chips.

In devices powered by the A9 (iPhone 6S, 6S Plus, SE, and 2017 iPad) and later generations of silicon, the coprocessor generates the Unique ID (UID) number and keeps it segregated from the rest of iOS.

On startup, these devices create a temporary key, incorporating the UID, to encrypt the Secure Enclave’s portion of device memory space. This temporary key is also used to authenticate the Secure Enclave’s memory, except on A7 devices.

The Secure Enclave also handles the processing of fingerprint scan data from the device’s Touch ID sensor, in order to match it with registered fingerprint data.

Apple’s Secure Enclave until recently has been largely inscrutable to outsiders. Last year, security researchers Tarjei Mandt, Mathew Solnik, and David Wang lifted the veil a bit with a presentation at the Black Hat security conference.

The researchers said Apple’s security hardware design is “light years ahead of competitors” but also noted potential avenues of attack. SEPOS, the Secure Enclave’s operating system, lacks basic exploit protections like memory layout randomization, they said, and also observed that its biometric application has a significant attack surface.

The iPhone 5s was released in September, 2013, so too much should not be made of the security implications of xerub’s key. Apple has introduced security improvements since then and more can be expected with the arrival of new devices and iOS 11 this fall.

Apple did not immediately respond to a request for comment. ®

PS: People have noticed iOS 11 has a cool feature where if you tap the power button five times rapidly it opens a screen, even if the device is locked, that allows you to make an emergency call. Crucially, it forces you to enter a passphrase to unlock the device, rather than accept Touch ID. And cops, in the US at least, can’t demand your PIN because that would be self-incrimination. Just an FYI.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/17/apple_secure_enclave_decrypted/

US cops point at cell towers and say: Give us every phone number that’s touched that mast

US telecoms giant Verizon says police are increasingly asking it to cough up massive dumps of cellphone data rather than individual records.

This according to the latest Verizon US transparency report for the first half of the 2017 calendar year. The dossier tracks government requests for phone records both of individual customers and large groups.

The latter group is becoming an increasingly popular target, said Verizon in its report this week. In particular, investigators are asking for “tower dumps,” a record of everyone who connected to an individual phone tower as they passed by.

“In order to try to identify a suspect of a crime, the government may apply to a court for a warrant or order compelling us to provide a ‘dump’ of the phone numbers of all devices that connected to a specific cell tower or site during a given period of time,” Verizon explained.

“This tool is being used much more frequently by law enforcement.”

According to Verizon, tower dump requests were not particularly common in years past. In 2003, the carrier got a total of 3,200 dump warrants. By 2016, that number swelled to 14,630, and 2017 is on track for even more with 8,870 warrants halfway through the year.

In total, Verizon says it got 138,773 requests for customer data from law enforcement. By and large, Verizon complied, producing some or all of the requested information in 97 percent of the cases.

That includes 68,237 subpoenas, 722 wiretap demands, and 3,963 “trap and trace” orders that let law enforcement see the numbers of a target’s incoming calls in real time. Verizon also says it got 27,478 emergency requests, or demands from police for information in matters of “the danger of death or serious physical injury.” The extremely rough number of national security letters Verizon can report is between one and 499.

While higher than the second half of 2016, the first half numbers were not the highest Verizon has reported in recent years. In the first half of 2015, Verizon said it received a total of 149,810 requests, including 767 wiretap orders, 15,081 warrants, and more than 500 national security letters. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/17/verizon_says_us_cops_taking_to_pulling_phone_data_in_bulk/

New NIST draft embeds privacy into US govt security for the first time

A draft of new IT security measures by the US National Institute of Standards and Technology (NIST) has for the first time pulled privacy into its core text as well as expanded its scope to include the internet of things and smart home technology.

The proposed “Security and Privacy Controls for Information Systems and Organizations” will be the go-to set of standards and guidelines for US federal agencies and acts as a baseline for broader industry. As such, it has a huge impact on how technology is used and implemented across America.

This version of the document – its fifth draft – concerns itself with edge computing: the rapidly expanding world of interconnected systems and devices that continue to be added to IT systems and the broader internet.

The foreword to this draft references the “sobering assessment” of the Task Force on Cyber Defense earlier this year on the risk that all these new devices and systems represent to critical infrastructure.

“The cyber threat to US critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities,” that report noted, “so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat… It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed.”

As such, NIST has attempted to do just that: be proactive in pushing a “systemic approach,” and as a result it has decided it needs to cover the new reality of everything from the internet of things (IoT) to mobile devices to things like Amazon’s Alexa digital assistant (although no actual products get name-checked).

Privacy

With so many of these powerful computing devices now in the hands of millions of private citizens, that review has inevitably led NIST to consider privacy implications, and for the first time privacy has moved from an appendix into the main body of the document.

“The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable,” the document states.

Another interesting side effect of the new focus is that NIST has stopped pretending that it is only influencing federal agencies (all federal agencies will now be required to follow this NIST guidance following executive action by President Trump) and is actively pitching its contents to private enterprise in the hope of building a more resilient overall network.

Major changes include:

  • A focus on improved outcomes rather than a general security overview
  • Fully integrating privacy controls into security controls and spending more time digging into the relationship between privacy and security
  • Separating the process of selecting controls from the controls themselves – i.e. allowing organizations other than federal agencies to dip into the document and grab relevant information without having to wade through irrelevant procurement information (that info has been pushed into a separate document).
  • Greater integration with other risk management and cybersecurity approaches, including the use of common language
  • Updated information on systems used to analyze threats and attacks

The addition of privacy concerns is especially stark – the word “privacy” appears more than 2,000 times in the 500-page document. It contains information on both philosophical and pragmatic approaches to privacy to help sysadmins balance security and privacy concerns.

“Individual privacy cannot be achieved solely through securing personally identifiable information,” it notes. “Consequently, this publication contains controls designed to meet privacy requirements and to manage the privacy risks associated with an organization’s creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of personally identifiable information separate from security concerns.”

Among other things, it argues for a specific privacy program and separate privacy-focused training and includes two extensive appendices that track the privacy requirements and considerations for all the different named-and-numbered controls in the document.

It calls for organizations to:

  • Establish and maintain a comprehensive privacy program
  • Ensure compliance with privacy requirements and manage privacy risks
  • Monitor Federal law, regulation, and policy for changes
  • Designate a senior agency official for privacy – who is responsible and accountable for the privacy program
  • Ensure coordination between privacy and other programs

Another sign of a more consumer-oriented focus is a stress on companies gaining people’s consent if any systems gather personally identifiable information – and doing so in plain language so people understand what they are agreeing to.

An example: “When developing or purchasing consent tools, organizations consider the application of good information design procedures in all user-facing consent materials; use of active voice and conversational style; logical sequencing of main points; consistent use of the same word (rather than synonyms) to avoid confusion; the use of bullets, numbers, and formatting where appropriate to aid readability; and legibility of text, such as font style, size, color, and contrast with surrounding background.”

Overall, while the document is very long and pretty dense, it is a key document for the network rules that will apply across tens of thousands of different IT systems. In that sense, the greatly expanded consideration of privacy, and of devices beyond the traditional servers-and-laptops approach, should bring government guidelines into the modern digital world.

Comments on this draft are due by September 12 and NIST hopes to release a final draft in October with a final version released just before year-end. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/18/new_nist_draft_embeds_privacy_into_security_for_the_first_time/

Don’t panic, Chicago, but 1.8 million of your voters’ records leaked from a weak AWS silo

A voting machine supplier for dozens of US states left records on 1.8 million Americans unsecured, in public view for anyone to download, in a misconfigured AWS storage system.

ESS says it was notified by UpGuard researcher Chris Vickery of the vulnerable database that contained personal information it collected from recent elections in Chicago, Illinois. The records included voters’ names, addresses, dates of birth, and partial social security numbers. Some of the records also included drivers’ licenses and state ID numbers.

“The backup files on the AWS server did not include any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems,” ESS said in a statement on Thursday.

“These back-up files had no impact on any voters’ registration records and had no impact on the results of any election.”

According to ESS, it was alerted at 5.37pm on August 12 when, as part of a larger project to seek out insecure sensitive data hosted on AWS, Vickery notified the company it had left the voter records out in the open. The storage system was taken down four hours later. The biz, which supplies voting machines and backend services to more than 40 US states, is investigating the cockup.

A spokesperson for UpGuard confirmed to The Register that the vulnerable service was an AWS S3 silo. Strangely, only Chicago’s data was exposed by a misconfiguration.

“We can’t determine why the data exposed was only Chicago other than the bucket name, ‘Chicagodb’. Our cyber risk team checked for other cities but came up empty,” UpGuard’s Kelly Rethmeyer told us.

Chicago’s election board, meanwhile, says it is “deeply troubled” to hear of the exposure, but applauded ESS for taking quick action.

“We have been in steady contact with ESS to order and review the steps that must be taken, including the investigation of ESS’s AWS server,” said Chicago Election Board chairwoman Marisel Hernandez in a statement.

“We will continue reviewing our contract, policies and practices with ESS. We are taking steps to make certain this can never happen again.”

This isn’t the first time UpGuard has found voter data sitting out in the open on AWS. Earlier this year the security firm caught a Republican analytics company that had failed to put any access restrictions on an S3 instance containing the personal details of nearly 200 million US voters, within a 1.1TB database collected prior to the 2016 presidential election. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/17/chicago_voter_leak/