STE WILLIAMS

This Week On Dark Reading: Events Calendar

How to become a threat hunter, how to build a cybersecurity architecture that actually defends against today’s risks, and much more…

THIS WEEK: 

Wednesday, March 16 at 1 p.m. Eastern Time: Building a Cybersecurity Architecture to Combat Today’s Risks, with Christie Terrill, partner at Bishop Fox. “Layered defense” has traditionally been the modus operandi of IT security, but this approach can’t be counted on to stand up to today’s threats and attacks. In addition, attack surfaces are growing every day as companies adopt technologies like cloud and the Internet of Things. So how can you combat today’s risks? Attend Wednesday and learn how.

Thursday, March 17 at 1 p.m. Eastern Time: Becoming a Threat Hunter in your Enterprise, with John Sawyer, senior security architect of InGuardians, and Chris Pace, technology advocate for Recorded Future. If you’re tired of waiting for your technology to alert you that there’s already a problem, if you want to be more proactive, if you want to sink your hands into those threat intelligence feeds, dig into those behavioral analytics reports, follow one clue after another after another, until it leads you to a would-be attacker, before they finish carrying out their grand plan, then this is the webinar for you.

COMING SOON:

DOWN THE ROAD:

May 15-19: Interop ITX Conference, Las Vegas, MGM Grand Hotel. Online events are great, but nothing beats face time. 

Planning to hit Thursday’s webinar, but can’t get enough threat hunting? You’ll want to hit “Rise of Cyber Hunting: Not Falling Victim to Undetected Breaches,” with Kris Lovejoy, president of Acuity Solutions. 

Need to dust off your endpoint security strategy, which hasn’t had a good overhaul since you implemented that BYOD policy five years ago? Then don’t miss Updating Your Endpoint Security Strategy.

Trying to deal with the security skills shortage, and don’t have time to wait for the next generation of infosec pros to graduate from university programs that don’t even exist yet? Then take a seat in Surviving the Security Skills Shortage, moderated by Dark Reading’s own executive editor Kelly Jackson-Higgins, with a panel of security executives from Coca-Cola, Ford, and Microsoft.  

Check out all the sessions in the Interop Security Track. And don’t forget about the two-day Dark Reading Cybersecurity Summit — a great “what you need to know now” refresher for the overworked infosec pro or security crash course for the IT generalists in your life. (Cybersecurity Summit speakers and agenda coming soon.)


Article source: http://www.darkreading.com/threat-intelligence/this-week-on-dark-reading-events-calendar/a/d-id/1328378?_mc=RSS_DR_EDT

What Your SecOps Team Can (and Should) Do

If your organization has all of these pieces in place, congratulations!

The security operations (SecOps) function takes many forms. For some organizations, it is simply an incident and event management device. Others have a more elaborate concept of their SecOps strategies and technologies. But most companies I’ve worked with, both small and global, lack adequate clarity for SecOps objectives.


SecOps manifests in many ways, but it’s likely to be administered via a cybersecurity operations center (CSOC or SOC) of some sort. For those companies that do have a clear picture of what they should be doing, execution of that vision in the immediate term and on an ongoing basis will be the next challenge. This brief description is intended to provide a picture of what fully operational security operations can do. Designing, building, and operating with ongoing optimization of performance and maturity is the program I develop fully in my SANS management course. If your organization has these functional capabilities; technology, people, and processes in place to accomplish these objectives; and an ongoing dialogue with the business for maturity: congratulations! You and your team are among the global elite.

Security Operations
My definition of security operations is the ongoing protection of information assets of an organization. This covers the people, systems, and data entrusted to the organization. SecOps is a support function to the business operations and it should be fully integrated with those operations. To that end, I use several functional areas to explain what complete security operations entails.

Functions
The groups below are functional areas. Some companies will combine these groups, some will have distinct organizational units. But the functional capability is what is important.

  • The steering committee is a group designed to help the business provide strategic vision. This strategy is what the SOC should do to best defend the business’s information assets. Via the steering committee, the SOC conveys to the business what it has done to protect the business and what it intends to do going forward. This is designed to establish and maintain ongoing, bidirectional communication between the SOC and the business. Without a formal mechanism for this alignment, there will be wasted effort.
  • The command center is the directive and interactive facility of the SOC. It is how the business can request assistance from SecOps. It serves as the way to announce information to the business for situational awareness during incidents and ongoing training.
  • Network security monitoring is the practice of inspecting available internal data for abnormal circumstances. This should include routine alert-based detection as well as long-tail analysis and hunting for novel threat events.
  • Threat intelligence is the study of adversary operations to devise detective and responsive actions for the organization. Because the organization has limited resources to deploy defense, understanding the techniques that adversaries use allows for effective defenses to be deployed to detect, disrupt, and deceive the attacker.
  • Incident response is the organization’s reactive capability to deal with unwanted situations. In this functional grouping, the detection of the situation is typically performed by the network security monitoring team while the reactive attempts to contain damage from the attack and remove the attacker completely are the purview of the incident response team.
  • Forensics is the specialized capability to assess information assets for details surrounding investigations and response activity. The complex array of technology used by an organization warrants specialization in this area.
  • Self-assessment is the ongoing assessment of the state of systems and people within the organization. This includes change management and detection; configuration management; vulnerability assessments; penetration testing; and setting up a “red team” to promote effectiveness. These are frequently considered security tasks. But incorporating these tasks into SecOps becomes an effective way to facilitate detection and advise the operational capabilities on the status of the environment. For example, if the vulnerability scan team works with threat intelligence, rapid detection via network security monitoring can be accomplished when new threats or vulnerabilities are discovered. Coordination among these groups in mature SecOps often leads to the discovery of previously unknown threats and vulnerabilities.

People, Technology, and Processes
The tangible components of the functional areas include people performing processes with technology. Many vendor sales teams will tell you to make the technology the centerpiece of your design and build your process around it. Business alignment, then process development, then role definition, and then technology selection is the optimal sequence for building security operations. Even if there’s already an existing SecOps organization, redesigning it should follow this sequence.

The details of the interactions between the functional areas, and how each area performs its work, must be coordinated to feed input from one process into the next. Without this overall vision and tactical coordination, the security operations will fail to perform optimally and can’t hope to mature uniformly across all functional areas.

Here is a graphic image of the processes performed by each (and a more complete visual approach to this material can be downloaded from SANS):

Image Source: Chris Crowley


A SecOps team is most effective when it is closely aligned with the business and has a clear understanding of what capabilities are needed and how these functions interact with one another. The necessary functions are business alignment (the steering committee), communication (the command center), monitoring (network security monitoring), detailed analysis of threats (threat intelligence), response capability (incident response), detailed analysis of artifacts (forensics), and ongoing assessment and improvement of the security posture of the organization (self-assessment).


Chris Crowley is an independent consultant at Montance, LLC, focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis.
He is the course author for “SANS Management 517 – …

Article source: http://www.darkreading.com/operations/what-your-secops-team-can-(and-should)-do/a/d-id/1328359?_mc=RSS_DR_EDT

This is where the Navy will park its 75,000-ton aircraft carriers

The Ministry of Defence has spent around £200m rebuilding a jetty at HM Naval Base Portsmouth ready for the arrival of HMS Queen Elizabeth later this year. El Reg got invited to watch an American supply ship test it out.

As the picture further down this story shows, the planned exercise involving US Naval Service ship Robert E Peary was postponed because of fog – leaving a rather cold and soggy press pack standing around gazing at… well, damp concrete.

And what a load of concrete it was. The two new jetties for the UK’s two new aircraft carriers, HMS Queen Elizabeth and HMS Prince of Wales, have cost Blighty’s taxpayers the thick end of £100m. The one we were shown was built on top of various older structures dating back to the 1920s, as Captain Iain Greenlees RN, HMNB Portsmouth’s infrastructure lead, told The Register.

VolkerStevin engineer Gerrit Smit added that around 220 piles had to be sunk into the harbour floor to support the giant concrete raft, which moves up and down an inch or so as the tide ebbs and flows. One of the new jetties will be used as a “pit stop” for the active carrier, while the other will be optimised for longer stays; the rough idea is that once each ship passes her sea trials, one will be deployed while the other sits in reserve. Extensive dredging work is still being done at Portsmouth to ensure the carriers can manoeuvre safely, with a German WWII bomb being fished up from the deep just three weeks ago.

Due to the planned arrival of the American ship, the jetty was being operated live as part of a full-scale dress rehearsal. This included two armed policemen toting Heckler und Koch MP7 sub-machine guns in the terminal building being used for the press event your correspondent attended, putting on their very best “I’m doing an important job” faces as the snap-happy press pack walked down the empty naval equivalent of the passport queue. There our press passes were checked by a studious BAE Systems dockyard worker before we were let out into a holding pen on the jetty itself. This was the inspiring sight that greeted our eyes:

A Union Flag stands limp in fog at HM Naval Base Portsmouth

It’s a Union Flag. And a mooring bollard. That was it

“It’s all about the people,” Commodore Jeremy Rigby, Naval Base Commander Portsmouth, told The Register. “A dress rehearsal is much more effective than doing it on paper.” Although USNS Robert E. Peary was still offshore, waiting for the fog to burn off and the tide to fall and rise again, Cdre Rigby emphasised how his people were nonetheless still gaining valuable experience needed to safely bring the 40,000-ton supply ship alongside – “how far out to anchor, harbour control, reconfiguring tides and ensuring she has a fresh workforce [on the jetty, the anticipated docking delay being in the region of six hours].”

Beyond the obvious, the jetty is one of the largest dedicated single mooring points in the UK. It includes auto-tensioning bollards for the carriers to be moored to – a first for the Royal Navy, we were told, removing the need for teams of sailors to slacken and tighten mooring lines as the tide rises and falls. The QE-class carriers will overhang the jetty by around five metres once snug against its fenders.

Along with the jetties come the brows (great big ramps) for moving people and equipment on and off the carriers. These will happily carry around 500 men per day while the ships are alongside, we were told, against 100 per day for the old Invincible-class aircraft carriers’ brows. The QE-class are almost double the size of the Invincibles. In terms of storing ship, BAE Systems’ Chris Alcock, support projects manager for the QE Class programme, assured the press pack that the brows would be capable of handling one 20-foot ISO container every six minutes. Simulated stress tests had also been carried out, with Hampshire Fire Brigade to be invited along for familiarisation training.

Like the dockyard equipment, a relatively large amount of automation is built into the brows, which will be self-levelling and self-adjusting, removing the need for teams of sailors to physically manhandle them after they are placed in position. All in all, it will need just 20 people on the dockside to bring a 75,000-ton QE-class aircraft carrier alongside.

The jetty also carries the final stage of the giant electrical supply cable which will power the carrier while she’s alongside and her own generating machinery is shut down. The supply is taken from the main National Grid feed into Portsmouth, at 11kVA, and, via a local transformer which takes it up from the standard 50Hz to the carriers’ 60Hz, plugs into a giant receptacle on the side of the ship. An automatic gantry carries the cable, paying it out and retracting it as the ship moves with the tide. The automatic retraction feature is disabled by software, we were told, if the ship sails with the cable still attached – a bit like a petrol pump cutting off if an absent-minded driver leaves the nozzle in the fuel tank while driving off.

“95 per cent of what we need in the UK comes by sea,” observed Cdre Rigby. While the £6bn total cost of the two carriers and the £1bn or so spent on infrastructure around the UK for the two ships seems like a helluva lot of cash, it is ultimately sea power which ensures that mobile phones, laptops, servers, even your mouse mat, reach the UK on time and thus at a reasonable price.

Maritime shipping from the Far Eastern countries which make virtually everything our island nation depends on to function must pass through a number of choke-points (such as the Strait of Hormuz) that could otherwise be easily dominated by a nation wanting to make a point about Britain’s vulnerability, and once she is operational HMS Queen Elizabeth will be deploying to the South China Sea. This is partly to fly the flag in a part of the world the UK has traditionally had little presence in, partly a thank you to the US Navy for training the UK’s future aircraft carrier and F-35 crews (QE will be taking the place of a US carrier’s normal deployment), and partly to safeguard Britain’s own interests, keeping the seas open for lawful commerce to flourish.

As the UK leaves the European Union, keeping the lifeblood of commerce flowing freely will become more important than ever before. This otherwise uninspiring raft of concrete on the South Coast plays a vital part in that mission. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/13/new_aircraft_carrier_jetty_portsmouth/

Malware infecting Androids somewhere in the supply chain

Smartphones from Samsung, LG, Xiaomi, ZTE, Oppo, Vivo, Asus and Lenovo have been spotted sporting malware they apparently carried when they were shipped.

The malware discovered by Check Point Software Technologies included ransomware such as Slocker; Loki, which shows “illegitimate advertisements” to generate revenue while stealing device information; and information stealers.

Check Point says it found infections in 38 Android devices. Since the malware wasn’t in the vendor’s ROM, the company’s researcher Oren Koriat reckons they were added in the supply chain between vendor and customer.

Koriat’s post doesn’t identify the victims beyond saying two companies owned the devices: one large telecommunications company, and one international IT company.

The malicious package names and devices they were spotted on are listed below. Since they were added after manufacture, vendors aren’t to blame.

“Six of the malware instances were added by a malicious actor to the device’s ROM using system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed”, Koriat writes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/12/malware_infecting_androids_somewhere_in_the_supply_chain/

Canadians can file online tax returns again after emergency outage

Canada’s taxman has restored online services it took down over the weekend to respond to unspecified vulnerabilities.

The Canada Revenue Agency (CRA) announced the end of its partial outage at 5:00PM Sunday, Eastern Daylight Time.

The agency doesn’t stipulate the vulnerability it identified, merely saying it affected “websites worldwide”, prompting it to “temporarily take down our online services, including electronic filing” while it applied patches.

“We took this action as a precaution, not as the result of a successful hack or breach,” the statement says.

The CRA’s servers are on Shared Services Canada IP addresses, and according to Netcraft were running Apache 2.2.31 on *nix when last scanned on March 7, behind an F5 Big-IP for protection.

In January, Apache shipped 2.2.32 in the legacy branch, a security and bug fix release. Canadians probably hope it was the web server, rather than a more critical personal-data-gathering application a tier or two down the agency’s stack. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/13/canada_revenue_agency_outage_to_patch_something/

Spy satellite scientist sent down for a year for stowing secrets at home

Mohan Nirala, 52, a former employee of the US National Geospatial Intelligence Agency, received a prison sentence of 12 months and a day on Friday for storing national defense information in violation of the law.

According to the Department of Justice, Nirala, who worked for the NGIA from February 2009 until 2015, pled guilty on September 16, 2016 to a single felony count under the Espionage Act.

Nirala appears to have come to the attention of supervisors on September 11, 2013, when NGIA security personnel were notified that he had included classified information in a discrimination complaint.

Eight days later, according to an FBI affidavit filed with the District Court in Alexandria, Virginia, that heard the case, Nirala allegedly sent an email containing classified information to a Chinese citizen residing in the US.

Then on January 10, 2014 FBI agents searched Nirala’s residence in Laurel, Maryland, and found over 20 classified documents, as described in the statement of facts [PDF] filed with the court.

When FBI agents returned to Nirala’s residence on March 8, 2016, after months of negotiation in relation to the case, they found a FedEx box sealed with white duct tape beneath an unfinished basement stairway. The box contained more than five hundred pages of documents, many marked Top Secret or Secret. Among them was a copy of the warrant presented to Nirala when federal agents conducted their 2014 search.

No reference is made to the discrimination claim in the plea agreement filed with the court, by which Nirala accepted responsibility for Willful Retention of National Defense Information, in violation of Title 18, United States Code, Section 793(e).

In court documents, Nirala argued that the searches of his property had been improper, that NGIA and FBI agents had lied under oath, that NGIA documents in question were not classified, and that FBI agents had targeted him because of his race as an Asian American.

A court statement by Nirala claims his record as an employee was exemplary, apart from “the retaliatory action of his supervisors.” NGIA supervisors, the document says, “provided negative references because Dr Nirala exercised his rights to complain about unlawful discrimination and retaliation and reprisal for whistleblowing.”

The court record also includes a sealed psychiatric report.

The sentencing memorandum from US Attorney Dana J Boente notes that Nirala “was explicitly warned of the consequences for stealing and removing classified information from his workplace.” It also points out that all three instances in which the FBI recovered classified information occurred after Nirala had lost his security clearance and had acknowledged he was no longer entitled to possess such information.

“Such behavior must be deterred if the intelligence community is to function,” said Boente. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/11/spy_sat_scientist_jailed/

‘Password rules are bullsh*t!’ Stackoverflow Jeff’s rage overflows

Jeff Atwood, founder of the popular coding site Stack Overflow, has published an extended and entertaining rant about the lamentable state of password policy among developers.

The post, subtly titled “Password rules are bullshit,” points out that the current format for password rules, such as including a certain mix of characters, isn’t particularly secure. In fact, such rules are usually counterproductive, he argues, and penalize those people using secure random password generators, because the rules could block them.

“Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won’t take my word for it, read this 2016 NIST password rules recommendation,” Atwood said. “It’s right there: ‘no composition rules.’ However, I do see one error, it should have said ‘no bullshit composition rules’.”

Another key issue is password length. As an absolute minimum people should be aiming for 10-character passwords, he said. Only five of the top 25 most-used passwords are over 10 characters, so going into double figures is a smart move and should be enforced by developers.

“These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all,” he said.

Unicode could be very useful in this. He points out that building password controls that measure the Unicode of the password will increase its length significantly and make it much harder to crack.

Developers also need to get better at protecting against password dictionary attacks. He pointed out that according to data he has been collecting, about 30 per cent of users would have a password on a top 10,000 password list that there is “no question” an attacker will certainly be using.
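The policy points above, as an added example (not code from Atwood’s post or from The Register): a legacy composition-rule check beside a check based on length and a common-password list. The legacy rule set, the sample passwords and the short blocklist standing in for a top 10,000 list are constructed, and counting length in Unicode code points after NFKC normalization is this example’s assumption about what measuring Unicode means.

```python
import re
import unicodedata

MIN_LENGTH = 10  # minimum length given in the article

# Constructed stand-in for a top-10,000 list; load the full list in real use.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "1234567890", "qwertyuiop", "password1!", "welcome123!",
})


def composition_rule_check(password: str) -> bool:
    """Legacy policy (constructed): 8+ chars with upper, lower, digit, symbol."""
    required = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= 8 and all(re.search(p, password) for p in required)


def length_and_blocklist_check(password: str) -> list:
    """Return the reasons for rejection; an empty list means accepted."""
    # Normalize first so composed and decomposed forms of the same text
    # get the same length and the same blocklist result.
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    # len() on a Python str counts code points, not encoded bytes.
    if len(normalized) < MIN_LENGTH:
        problems.append("too_short")
    # Case-insensitive match, so "Password1!" does not slip past "password1!".
    if normalized.casefold() in COMMON_PASSWORDS:
        problems.append("common")
    return problems


# Constructed sample passwords.
SAMPLES = [
    "Password1!",                    # satisfies every composition rule
    "correct horse battery staple",  # long passphrase, lowercase only
    "k3v9qz7m2x8c4b6n1w5t",          # random generator output, no upper/symbol
    "p\u00e4ssw\u00f6rd",            # 8 code points but 10 UTF-8 bytes
    "123456",
]


def compare(samples=SAMPLES) -> dict:
    """Map each password to (legacy verdict, new-policy rejection reasons)."""
    return {
        pw: (composition_rule_check(pw), length_and_blocklist_check(pw))
        for pw in samples
    }


if __name__ == "__main__":
    for pw, (legacy_ok, problems) in compare().items():
        new_verdict = "accept" if not problems else "reject:" + ",".join(problems)
        legacy_verdict = "accept" if legacy_ok else "reject"
        print(f"{pw!r:34} legacy={legacy_verdict:7} new={new_verdict}")
```
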

The entire rant is worth reading if you’re writing code for passwords, or if you use them. Wise though Atwood’s words are, there’s also another alternative, suggested by Heather Adkins, Google’s director of information security and privacy, this morning.

Make sure you’re using two-factor authentication. Just turn it on. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/11/stackoverflow_founder_password_rules/

FCC under fire for trying to ditch cybersecurity

Analysis: The ideological goal of “light touch regulation” as proposed by the new head of the US FCC has hit a barrier: cybersecurity.

As the federal regulator of all things telecom, the FCC has been increasingly pulled into efforts to secure the United States’ online infrastructure against attacks, just as have many other federal agencies.

However, chairman Ajit Pai and his fellow Republican commissioner Michael O’Rielly have made it plain that they don’t believe the FCC should be playing any role in cybersecurity – and that has started creating some problems.

When former FCC chairman Tom Wheeler put out a white paper in January that walked through the regulator’s cybersecurity plans and priorities, Pai criticized it by arguing that the FCC’s role should only be “consultative” rather than active.

Pai previously said he was opposed to creating “uniform rules that would apply to an entire industry” and argued there are other agencies that should take on the task because their remits were more closely defined and they had “more well-established expertise.”

O’Rielly made a similar point when he voted against rules to impose privacy rules on ISPs, saying that “while cybersecurity is important, the act does not provide the FCC with any authority in this space,” and argued that they “should not presume to freelance in this area.”

This week, O’Rielly told a Senate committee the same thing, arguing that the FCC’s authority was “extremely limited” when it came to cybersecurity.

Removal

Both commissioners have also put their money where their mouths are, putting a stop to several FCC rules and proposals due to go into effect.

Pai stopped an order that was intended to tackle flaws in the Emergency Alert System, and he has pulled cybersecurity out of IPTV proposals under consideration. When he stopped the privacy rules on ISPs from taking effect earlier this month, he also removed its cybersecurity provisions over data security. And a notice of inquiry that was intended to bring in the public’s input on cybersecurity risks associated with next-gen wireless network has also been ended.

In response to all this, Democrats in the House of Representatives have this month started proposing legislation – three bills introduced so far – that would obligate the FCC to adopt some level of responsibility for cybersecurity. And thereby remove the argument that the FCC doesn’t have statutory authority to look at the matter.

The Securing IoT Act of 2017 would require equipment using certain frequencies (the FCC’s remit) to meet new cybersecurity standards, defined by the FCC and NIST.

The Interagency Cybersecurity Cooperation Act would require the FCC to create a new interagency committee to look at security reports as they pertain to telecom, and produce recommendations to be sent to Congress and/or other government departments as required.

It would also define communications networks as part of the US’ “critical infrastructure” – meaning that all sorts of new regulations to do with security would come into force. As part of that, the FCC would be pulled into the country’s broader security apparatus.

And a third bill, the Cybersecurity Responsibility Act, would require the FCC to put out rules on how to secure communication networks, as well as define them as critical infrastructure.

Which way?

It is notable that the bills have been proposed by Democrats. As such, it is all too likely that they will be opposed by Republicans, who hold majorities in both houses. The introduced legislation is, right now, in the hands of committees to scrutinize, amend, or kill.

However, it is also the case that Republicans like to be seen as being firm on security, so voting against bills focused on national security may not sit well, especially given the recent furore over hacking of emails and phone calls.

If Congress does decide to pass a law obligating the FCC to take these roles on, it is irrelevant what Commissioner Pai or O’Rielly believe they want to do with respect to light-touch regulation – they will be obligated to do what the law says.

Of course there are plenty of arguments against Congress prescribing what semi-autonomous federal regulators should do, not least of which is that it is very hard to unravel decisions once they are made. That results in the FCC doing a lot of work that sometimes isn’t very useful, or doing parallel work, or preventing the regulator from taking a different or more effective approach.

However, the question now is: which do Congressional Republicans dislike the most – Democrats or looking weak on national security? This being Congress, the likely approach will be to create a complex and unworkable solution that saves face, quashes the Democrats and fails miserably to address what is a very serious issue. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/10/fcc_under_fire_for_ditching_cybersecurity/

Official: America auto-scanned visitors’ social media profiles. Also: It didn’t work properly

The US Department of Homeland Security used software to scan social media accounts of people visiting America, but it didn’t work properly.

That’s the conclusion of a study by the department’s inspector general. In a heavily redacted report [PDF] that surfaced this week, the watchdog revealed that in December 2015, US Citizenship and Immigration Services ran a pilot program to check social media streams both manually and automatically for any signs of wrongdoing.

The tests were repeated in April and August 2016 using different software tools to rifle through online profiles for troublemakers. The exact software programs used were not named.

“In reviewing the pilot, USCIS concluded that the tool was not a viable option for automated social media screening and that manual review was more effective at identifying accounts,” the report states.

“USCIS based its conclusion on the tool’s low ‘match confidence.’ Because the resulting accounts identified by the tool did not always match up with the applicants, officers had to manually check the results. However, USCIS did not establish match benchmarks for the tool, so it does not know what level of match confidence would signify success or failure.”

That poses a significant problem for the DHS – one that’s common to many mass data-slurping programs. If fleshy humans are the only way to check the information, they are going to be facing an enormous volume of data and may either miss key clues or draw the wrong conclusions.

Nevertheless, the DHS isn’t giving up on the scheme yet. It has identified 275 software tools that could be used in the scanning, and it restarted the testing program in January 2017, presumably working on the principle that there’s no problem that can’t be overcome if you throw enough money at it.

And what a lot of money. The DHS has already said it will cost around $300m just to collect the social media data they want. The costs of actually going through it all are bound to be much higher if they want to properly check if a terrorist trying to come to the US has announced his or her plans online.

The DHS Office of Intelligence and Analysis (IA) acknowledged the report’s conclusions and said it would now add metrics for determining if they are successful or not. It also said that at the moment, neither the government nor the private sector “possessed the capabilities for large-scale social media screening.”

“DHS has taken steps to improve its social media screening pilots by implementing a four-pronged approach that measures performance, to develop consistent benchmarks and continue improving performance to ensure rigor and scalability for long-term success,” IA said.

“This approach includes using qualitative and quantitative criteria for measuring tool performance; collecting and analyzing comprehensive performance metrics of ongoing research and development pilots; reporting project milestones to the task force; and reporting select metrics measuring pilot performance in a weekly task force agenda.”

All this does rather throw a spanner in the works for the social media scanning idea politicians are itching for. Under President Obama, the government considered asking people to voluntarily submit social media profiles, but since the election of President Trump the scheme may become mandatory and more invasive.

The new boss of the US Department of Homeland Security, John Kelly, has said that such checks should be mandatory and travelers should also be forced to provide passwords and banking records. This may take weeks or months, he said, but people will just have to wait before visiting this shining city on the hill.

On Friday a consortium of civil liberties groups, including the ACLU and Reporters without Borders, sent Kelly an open letter decrying the plans to demand this sort of data. They point out that if the US introduces such a policy, other countries will follow suit, which will put American data at risk.

“We urge you to reject any proposal to require anyone to provide log-in information to their online accounts as a condition of entry into the United States,” it reads. “Demanding log-in information is a direct assault on fundamental rights and would weaken, rather than promote, national security.”

If you are concerned about data security, The Reg has compiled this handy guide for those wishing to visit the Home of the Brave. Good luck. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/10/autoscanning_us_visitors_social_media_doesnt_work/

Endangered animals at growing risk from GPS ‘cyber-poachers’

Tagging endangered animals with radio trackers to study their behaviour is being abused to aid “cyber-poaching” and other human interference, an article in Conservation Biology has warned.

Animal tracking using VHF radio beacons or almost live-feed GPS has been around for 20 years or more and has hugely enhanced the understanding of behaviour across many species.

More recently, however, these technologies have started being turned against the scientists’ intentions by hunters, photographers and, worryingly, professional poachers.

Naked Security first reported on this depressing phenomenon in 2013 when hackers attempted to break into the email account of a staff member at the Satpura-Bori tiger reserve in India.

The attackers were after the location data from the Iridium GPS Satellite Collar fitted to a Bengal tiger, which was fed to the account every hour as part of a programme to understand the animal’s pattern of movement.

Officials aren’t certain whether the hack succeeded, but even if it did, the data was encrypted in a format that would have been difficult to crack.

But the warning was clear: poachers had worked out how tracking technologies could be turned against the best intentions of the people who fitted them. Three years on and it’s become clear that this incident was no one-off.

In late 2013, conservationists in Yellowstone National Park in the US started to worry that hunters were killing wolves fitted with trackers after working out how to access the secret radio frequencies they were transmitting on.

Two years later in Australia, scientists who had tagged sharks to study their behaviour and act as a beach warning system discovered it was being used by the state government of Western Australia (which issued research permits and had access to data) to cull them to “reduce human-wildlife conflict”.

Longer term, the authors cite “telemetry terrorism” as a possibility, deployed by special interest and fringe groups as part of a strategy designed to sow confusion for conservation. For example, using duplicate acoustic telemetry tags of the sort used to track sea animals, these groups could “deploy so many tags such that the receiving systems cannot decode tags, rendering a receiver dysfunctional”.

The authors admit this might sound far-fetched but allude to the opposing interests of researchers and mainly commercial interests that have cropped up from time to time.

Should even some of this come to pass, it would be a deeply depressing outcome for tracking science, witnessing the very technology invented to save endangered wildlife being used to help wipe it out.

The researchers warn:

Failure to adopt more proactive thinking about the unintended consequences of electronic tagging could lead to malicious exploitation and disturbance of the very organisms researchers hope to understand and conserve.

What, if anything, can be done?

We suggest that electronic tracking manufacturers, researchers, managers, and stakeholders have joint discussions about their responsibilities so that use of tagging equipment and data is consistent with the foundations of animal conservation and management.

One response is for scientists to wise up a little by sharing tracking data more selectively if there is a risk it could be made public. Tagging animals is seen as a happy scientific endeavour but researchers must understand that it now carries growing risks too.

The authors don’t mention it, but there is a final and rather dark reason why tracking has become critical: it helps scientists get a grip on how quickly certain species are being wiped out. Behold the breathtaking snow leopards of Nepal, solitary and enigmatic animals whose behaviour patterns are only now starting to be understood thanks to tracking systems.

Poached heavily in recent times, the main defence these animals have left is, ironically, their increasing rarity. We should make clear that there is no evidence that tagging is being used against these animals but if it were, there would be no way of reacting until after it was too late.

Imagine the Himalayas without any snow leopards. Technology is still more likely to be their saviour than their downfall but there is no room for an iota of complacency.


 

 

 

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/76Nd1z0cdD0/