STE WILLIAMS

The Register’s guide to protecting your data when visiting the US

Getting into America can be tricky at the moment if you have the wrong skin color or the wrong surname.

Even though President Donald Trump’s crackdown on refugees and Muslim immigrants has been put on hold by the courts, US border officials have got the message: now’s the time to make life difficult for some people entering the country.

Over the weekend, American-born NASA scientist Sidd Bikkannavar says he was stopped by border agents when he returned from racing solar-powered cars in Patagonia, South America. The g-men insisted to their fellow citizen he hand over his JPL-issued government phone and PIN so it could be inspected and its contents copied.

“On my way home to the US last weekend, I was detained by Homeland Security and held with others who were stranded under the Muslim ban,” Bikkannavar wrote on Facebook. “Officers seized my phone and wouldn’t release me until I gave my access PIN for them to copy the data.”

You don’t have to be a refugee nor from one of the seven Muslim-majority countries on Trump’s badly worded executive order on immigration to feel the heat from customs and borders staff. Green card and visa holders, even Canadians, have been stopped.

If you’re traveling into the Land of the Free, what are your rights? What about the data on your devices? The Register has been talking to experts on the matter and the results aren’t looking good.

Good cop, bad cop

Like a police officer, a US Customs and Border Patrol (CBP) official must have a reasonable suspicion that a crime or immigration violation is being committed, before seizing and searching devices and possessions. Unfortunately, CBP staff aren’t always adequately trained, and there isn’t much oversight, so this requirement of probable cause can be pushed to its very limit by some agents.

Border officials don’t just have authority over you at your point of entry – CBP can take action within 100 miles of any US border, which covers roughly two thirds of the country’s population. While CBP has more powers at borders, within that 100-mile zone the agency is perfectly within its rights to set up immigration checkpoints, and to conduct searches if officers feel they have a reasonable suspicion about someone.

In practice, tourists have been stopped in national parks and asked to show their visitation paperwork, or stopped when driving down the road. While some of these cases were defeated in court as unfair searches, it took time and money to do so. Always make sure you have identification with you at all times and keep it safe.

When it comes to safeguarding your personal data on devices, CBP has considerable leeway in what it can demand and copy – basically everything is up for grabs. The CBP told The Register it reserves the right to check “computers, disks, drives, tapes, mobile phones and other communication devices, cameras, music and other media players, and any other electronic or digital devices.”

“All persons, baggage, and merchandise arriving in or departing from the United States are subject to inspection, search and detention,” a spokesperson said.

“This is because CBP officers must determine the identity and citizenship of all persons seeking entry into the United States, determine the admissibility of foreign nationals, and deter the entry of possible terrorists, terrorist weapons, controlled substances, and a wide variety of other prohibited and restricted items.”

While this is applicable to all, it’s important to note that when entering the US you have a particular set of rights depending on whether you are a citizen, a legal permanent resident, arriving on a visa, or visiting under a visa waiver program.

I’m a Yankee Doodle Dandy, you’re not

First off, if you’re a US citizen, the CBP doesn’t have the right to block you entering the homeland. However, if there’s an outstanding warrant out on you, expect to be collared as soon as you set foot on American soil.

When it comes to data security, American citizens also have additional rights, although there are some important caveats.

“US citizens can’t be compelled to turn over passwords,” Nathan Wessler, staff attorney at the ACLU, told The Reg. “But border agents may make your life much more difficult. It does have the right to seize electronic devices and send them off to a forensics lab for tests that could take weeks or months.”

Such laboratories are typically not in the airport building, and devices that are taken could be sent anywhere in the US. You can get them back, if you’re willing to pay the delivery charges, but there’s no time limit on Uncle Sam holding them, and you’re dependent on an overworked techie getting around to checking them out.

If you are coming in on a green card, visa or visa waiver scheme then you technically don’t have to give up passwords or encryption keys. However, the CBP doesn’t have to let you into the country if you refuse – it’s up to the discretion of the CBP officer at the time.

If you are refused entry, you’ll be put in a holding cell and sent home. If you’re lucky, the airline will let you change your return ticket – if not you’ll have to pay for another one. Being ejected will show up as a big red flag next time you try to enter the US.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/reg_guide_to_data_security_when_entering_us/

IBM Brings Watson Cognitive Computing To The SOC

Technology known for a Jeopardy stunt six years ago is now powering question answering within IBM Security’s QRadar system.

IBM hopes to elevate artificial intelligence and cognitive computing way beyond party tricks and game show supremacy and as a part of that push, Big Blue picked cybersecurity as a prime market to explore the possibilities. Today, IBM announced that it’s officially marrying up its cybersecurity portfolio with the vaunted Watson questioning answering system.

Known best for its performance as a “contestant” on the game show Jeopardy in 2011, Watson was engineered to ingest vast quantities of data on any given subject in order to receive and answer questions in a conversational fashion. A system specifically developed to tackle Jeopardy, this cognitive technology uses natural language processing and machine learning to sift through data sources, synthesize information contained within, find and rank hypotheses and come up with a precise answer to the user’s questions.

In the ensuing six years since Watson’s success in winning a $1 million first prize in Jeopardy against two human champions, IBM has not only refined Watson’s engine but also been on the lookout for ideal business cases to put the technology to use. The firm has achieved early successes in medical decisioning technologies, tracking customer and social media sentiment, and analyzing satellite and municipal data to track water use for drought mitigation.

With the growing problem of alert fatigue and a shortage of skilled security analysts, the industry seemed like it was crying out for Watson’s help. The idea is to pair security operations center (SOC) technologies with Watson’s processing capabilities so that analysts can ask the system questions about their data and existing threat posture, and receive meaningful advice on further action.  

The announcement follows a year of learning for Watson, which for the past 12 months has been trained on the language of cybersecurity, ingesting over 1 million security documents in the process.

“We’ve been teaching it for basically about a year, and it’s learned a lot along the way and it’s got a lot smarter along the way. It can read a ton more than it ever could before,” says Caleb Barlow, vice president of threat intelligence for IBM Security. “And now we’re at the point where it’s kind of graduated college and it’s time to go get that first real job.”

According to Barlow, IBM’s intent is to take the strain off of teams who can’t afford or find enough skilled operators to manage the volume of advanced threats that barrage enterprise networks. Not only will they be able to make faster decisions, but they should be able to do it with more complete data. For instance, he referenced one competition a customer created during beta where they pitted a team of experienced analysts against a team of junior analysts armed with Watson. They were given a certain security incident and an hour to look into it. The skilled analysts were able to confirm that attackers were testing the network with an attempt at brute force password attacks, but believed that nothing further had occurred. Meanwhile, the Watson team identified those attempts but also were able to connect them with a form of malware, and then identify that the malware was actually on the network and tied to the same threat actor.

“So, as you can imagine, that’s a very exciting find for that security team,” Barlow says, “because now they know exactly how to go to address it, and they know, ‘Wait a minute, this isn’t somebody who’s knocking at the door, this entity’s actually already in the door; they’re just trying to get more access.'”

The centerpiece of what IBM calls its Cognitive SOC platform will be IBM QRadar Watson Advisor, which brings together Watson with its QRadar security intelligence platform. The natural language processing capabilities will sift through a variety of security sources, including security blogs, websites and research papers, and combine that with threat intelligence and security data from users’ QRadar systems. IBM will also be bringing cognitive tools to its global X-Force Command Center network and has rolled out a Watson-powered chat bot for IBM Managed Security Services customers. Additionally, the company has a new project codenamed Havyn, which plans to also add voice-activated capabilities so that analysts can query the system by speaking plain-language questions aloud.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/threat-intelligence/ibm-brings-watson-cognitive-computing-to-the-soc/d/d-id/1328130?_mc=RSS_DR_EDT

Obama’s Former Cybersecurity Coordinator Named President Of CTA

Michael Daniel is now head of the newly incorporated nonprofit Cyber Threat Alliance, a security threat intel-sharing group of major security vendors.

RSA CONFERENCE – San Francisco – The Cyber Threat Alliance (CTA) consortium founded by security vendors Fortinet, Intel Security, Palo Alto Networks, and Symantec, today announced that it is now officially a nonprofit trade association and that Michael Daniel, the former cybersecurity coordinator and special assistant to President Barack Obama, will serve as the CTA’s first president.

The CTA today here also announced that Check Point and Cisco Systems are now part of the founding members of the organization, whose members share threat information for locking down security among their organizations as well as their customers’. As its first order of business as a nonprofit, the CTA is officially launching its automated threat intelligence-sharing platform for its use, which is basically an integration of the founding members’ own intel-sharing systems. It employs the threat intel-sharing standards STIX and TAXII.

A handful of new affiliate members have now joined the organization, including IntSights, Rapid7, and RSA. Eleven Paths and ReversingLabs already are affiliate members of the CTA, which was first founded in 2014.

The security vendor-member CTA hopes to serve as a hub for intel-sharing quickly in order to thwart attacks and campaigns, Daniel explained. “The vision I would have for the CTA is to first serve as a hub for information-sharing in the ecosystem at a rate that actually matters,” he said. “Our goal is to cover as much of the ecosystem as we possibly can which is inevitably going to affect how we share information with governments, plural.”

CTA’s threat intel-sharing platform automates the process of sharing information among members, who are required to contribute regularly to the platform. The more a vendor contributes intel, and the more valuable it is, the more access they get to the intel gathered on the platform.

“If we actually work together, we can cover a lot of ground,” Mark McLaughlin, chairman CEO of Palo Alto Networks, said in a panel discussion here today announcing CTA’s expansion. “No one company can take care of everything” for customers, he says. “We’d love to scale this [organization] pretty dramatically from here.”

Greg Clark, CEO of Symantec, called the CTA’s announcement “a landmark event” given the heavy-hitting security firms involved.

Among the CTA’s previous efforts was its work in the fall of 2015 to crack and disrupt the CryptoWall version 3 ransomware’s encryption: that ransomware variant attacked victims worldwide and extracted some $325 million in ransom fees. The CTA later also uncovered the CryptoWall gang’s work on a fourth version of the ransomware. The four initial founding vendor members pooled their research resources to expose the associated malware and command-and-control infrastructure of the CryptoWall ransomware campaign.

Daniel, the former White House cybersecurity official, said the difference between the CTA and the traditional ISAC-ISAO model is that ISACs and ISAOs tend to be more industry-vertical oriented in their membership and focus. “And a lot of ISACs suffer from a free-rider program. They have a very large membership and a small percentage of them contribute useful intel on a regular basis,” he said. The CTA, meanwhile, requires a minimum level of intel-sharing; details on the incentive program are in the works.

In an interview after the panel, Daniel explained how he sees the CTA drilling down into more than the typical indicators of compromise (think IP addresses and malware) and to sharing more in-depth analysis of an attack’s tactics, techniques, and procedures. Those are the features of an attack or threat that can’t easily be retooled by the typical attacker like a malware variant or IP address can be, according to Daniel.

As the CTA’s membership expands along with its intel-sharing, it will ultimately clean up the “underbrush” of low-level attacks and then have the ability to focus on the more advanced and stealthy threats, he said.

“This enables our teams and governments to focus on the really sophisticated adversaries, and they will have fewer places to hide,” he said.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/threat-intelligence/obamas-former-cybersecurity-coordinator-named-president-of-cta/d/d-id/1328133?_mc=RSS_DR_EDT

National Security, Regulation, Identity Top Themes At Cloud Security Summit

Gen. Keith Alexander gives Trump a thumbs-up and Cloud Security Alliance releases a new application.

RSA CONFERENCE — San Francisco – While deep conversations about DNS infrastructure and Dyn DDoSes were absent, the most popular refrains at today’s Cloud Security Alliance Summit here were related instead to regulation, identity, and how to use the cloud to improve security.

Keynote speaker Gen. Keith Alexander (ret.) — who served as the first commander of the US Cyber Command from 2010 to 2014 and director of the NSA from 2005 to 2014 – proposed a new model for securing government systems.

“Why did [the Office of Personnel Management] get hacked?” said Gen. Alexander, now CEO and president of IronNet Cybersecurity. “They didn’t have the resources to” defend themselves, he said.

Historically, the government has left individual agencies “on their own as if they were individual organizations on their own to defend themselves. But they’re not,” he said.

Moving government agencies to the cloud, he said, would ultimately make it possible to create a defensive surface far stronger than what currently exists, protecting the entire government. “Reading the Constitution, it reads ‘provide for the common defense,’ not only for the defense of you who are really big and the really critical,” he said.

The same practice could be applied to businesses in the same vertical industry, to make compliance with regulations easier and more effective, he indicated.

Gen. Alexander also remarked that he met President Trump for the first time recently, as a civilian at a White House cybersecurity meeting Jan. 31. Once the press left, said Alexander, the President listened to each person, took in their advice, and weighed what they said. “I think what I saw there was the President our nation needs to solve this problem.”

Regulation and More Regulation

Throughout the day, speakers discussed regulation — how more was coming, how to make complying with it easier, and even how to avoid complying with it at all. 

The usual alphabet soup of HIPAA, FISMA, FedRAMP, etc., made passing appearances, but more time was devoted to the tricky topic of government intelligence agencies or law enforcement subpoenaing cloud users or cloud service providers for data. 

“The subpoenas are not the problem; the blind subpoenas are the problem,” said Venafi CEO Jeff Hudson. As Hudson explained, because of the secretive nature of these exposures, the government begins to seem like an adversary and a blind subpoena seems like a breach.

Building on that sentiment, Chris Eng, Veracode vice president of research, said “If I don’t have the data, I can’t give it up.” He said he believed cloud users’ desire to avoid these situations should push them to stop storing data they don’t really need, and he predicts more cloud service providers will move to end-to-end encryption and put keys in the hands of users to avoid these sticky situations.

Robert Herjavec, CEO of Herjavec Group (and star of Shark Tank, who has served as cybersecurity advisor to the government of Canada and recently joined the US Chamber of Commerce Task Force for Cybersecurity) predicts there will be more and more cloud regulation — which, among other factors, will contribute to the creation of more country-specific cloud services, that keep data within national borders.

CSA’s First Commercial Product

The CSA itself is making a new contribution to help organizations prepare for whatever compliance obligations that may be on the horizon — announcing, today, the official launch of STARWatch. Building on the CSA Security Trust and Assurance Registry (STAR) program, STARWatch is a SaaS application that enables organizations to manage all their cloud providers, as well as their own private clouds, set consistent security baselines, and perform audits. The application already boasts 250 licensees, activated during the beta phase. 

“We created the STARWatch application with two main objectives in mind – to simplify assurance and vendor management as well as to streamline compliance,” said Daniele Catteddu, CTO for the Cloud Security Alliance, in a release.

This is the first commercial product that CSA has released. In an interview here, CSA CEO Jim Reavis said STARWatch was created because of demands from the CSA members for such an offering. It’s essentially a tool to make all the Alliance’s earlier research more usable and actionable, he said.

While Reavis didn’t rule out the possibility of CSA releasing more products in the future, he also didn’t indicate the Alliance had plans to make this a habit. Rather, they would take the approach of being the “standards-bearer” for the industry, he said.

Identity

“You need to get your identity act together,” said CEO of Centrify Tom Kemp. He mentioned that despite the fact that the vast majority of attacks derive from an excess of passwords and privileges, only a small share of cybersecurity investments are spent on identity solutions.

“In Starbucks, you’re not using a next-gen firewall,” said Kemp. “You need to be securing the user.”

Centrify is an identity-as-a-service provider; but Kemp was not the only one beating the identity drum. The subject came up repeatedly throughout the day.

Hudson added that the identity of machines, not just users, was essential, particularly as it related to IoT security.

Herjavec, however, noted that identity management “requires a lot of care and feeding.”


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: http://www.darkreading.com/cloud/national-security-regulation-identity-top-themes-at-cloud-security-summit/d/d-id/1328135?_mc=RSS_DR_EDT

Google to cough up $20m after Chrome rips off anti-malware patents

Google has been ordered to pay $20m damages after its Chrome browser was found to have infringed four anti-malware patents.

The verdict [PDF] was handed down on Friday after a jury trial in Marshall, Texas.

The patents – including this one – were awarded to former Lucent engineer Allen Rozman, who died aged 52 in 2012, and Alfonso J. Cioffi, both of Texas*, who filed suit [PDF] against Google in 2013.

In December 2014, however, a US District judge, Judge Gilstrap, dismissed the case, after the plaintiffs acknowledged that under the judge’s interpretation of the words “web browser process”, an infringement claim wouldn’t hold up.

Cioffi and the Rozman family appealed, and a Federal Court found Gilstrap had erred, both in his interpretation of “web browser process” and over another interpretation.

“We see nothing that indicates that Cioffi intended its invention to do anything other than protect ‘critical files’ as that concept is widely understood by those of skill in the art,” the Federal Circuit court wrote.

Google then appealed to the US Supreme Court to hear the case, but the Supes declined. Ultimately the patent could yield $60m for the surviving family of the inventor. Google has said it maintains its position that the patents are invalid. ®

*The case Cioffi et al. v. Google Inc., case number 2:13-cv-00103, took place in the U.S. District Court for the Eastern District of Texas.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/google_chrome_malware_patent_defeat/

IT bosses: Get budgets for better security by rating threats on a scale of zero to Yahoo!

BSides SF What do you reckon US government regulations on computer security look like? If you selected outdated, contradictory and avoidable, congrats, you’re an industry veteran – or you were paying attention to a talk this morning at the BSidesSF 2017 infosec conference.

In a presentation titled “Swimming upstream: regulation vs security,” Robert Wood, head of security and compliance teams at healthcare IT firm Nuna, laid out the state of red tape in heavily regulated industries, and how it affects building secure networks and systems.

For instance, he said his company has to operate within eight different government frameworks for data handling and information security, and they can be more harm than good.

“Most regulations were brought into being with the best of intentions,” he told his audience in San Francisco. “They were there to make things better and give us some instructions. But they do mean you end up handling crazy things.”

For example, not one of the eight frameworks Nuna operates under even mentions social engineering or phishing, although a few workplaces tell staff to sit through a 15-minute PowerPoint presentation on the issue once a year. That’s not enough to stop one of the biggest security threats out there, he said.

Regulations are also easy to bend and set quite a low bar, he said. One customer had a requirement that all data traffic within the firewall was to be unencrypted to allow for inspection by network monitoring tools, while the government framework it operated under required encrypted internal traffic “where possible.”

“They had ended up dumbing down controls to satisfy the unencrypted network traffic requirement, which we know is not cool,” he said. “But it’s like shaving a yak” – or, for our UK readers, like painting the Forth Bridge – “the excuses never ended. It was excuse after excuse, exception after exception and it never ended.”

Some regulations include surprise audits and inspections, on top of quarterly or annual checks. The sheer amount of reporting and paperwork involved can be crushing, he said.

The fundamental issue is that companies tend to do just enough to make sure they are compliant, and put not a penny more into IT security. Getting stuff done that isn’t officially required, such as providing social engineering training, can be left by the wayside unless IT managers game the system to get necessary resources.

In other words, the requirements are often so low, complying with them and nothing more leaves networks at risk, and yet there’s often no money allocated to improve the situation.

Sun Tzu’s guide to IT management

Probably the most important thing IT managers can do is to identify and cultivate their allies. In any organization, there will be a few people who see the need for effective security and they need to be wooed, Wood said.

“Learn their language and use their jargon with them to make a business case for a security tool,” he urged. “Then show them how the sausage is made. There’s a tendency in IT to hide stuff like that, but once people see the amount of work involved, they appreciate what you’re up against.”

He gave the example of winning over a business development manager by suggesting sales staff show customers how their information is kept secure. To do this, beancounters have to cough up funding for tools that are outside the regulatory requirements, security processes are put in place, clients are happy, sales deals are won, and so on, he said.

IT managers hoping to secure budgets for security measures should also take a leaf out of the CIA’s playbook, Wood suggested. In 2007, the agency studied the effects of describing a threat risk as high, medium, or low probability. It found that people’s understanding of the risk involved is wildly subjective, depending on who was uttering the risk warning.

Instead, Wood suggested, present company accountants with a numerical probability risk, tied to a dollar amount of damages – say there’s a 90 per cent chance of a database breach happening between five and 15 times a year, costing $X per intrusion. It doesn’t have to be perfect, he said, but it’s the language accountants speak. We suggest you use real-world security breaches to guide your estimates – perhaps from an average of $4m per successful attack to the billions Yahoo! put at risk.

“It’s much better to argue with numbers,” Wood said. “It’s much more convincing than using high, medium and low threat descriptions.”
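To show what “arguing with numbers” looks like in practice, here is an added example that is not code from the talk or from The Register. It turns a scenario stated as probability, frequency range and cost per incident into an expected annual loss, adds a simple Monte Carlo view so a bad year and the worst case can be quoted alongside the average, and ranks several scenarios by the resulting figure. The function names are ours; the first sample scenario uses the article’s illustrative figures (90 per cent, five to 15 times a year) with its $4m average cost per successful attack plugged in for “$X”, and the other two scenarios are constructed purely for illustration.

```python
# Added example, not code from the talk or from The Register: express a
# threat as an annualized, dollar-denominated loss figure instead of a
# "high/medium/low" label. Function names and the sample scenarios are
# assumptions constructed for this illustration.
import random


def annualized_loss(probability, min_events, max_events, cost_per_event):
    """Expected annual loss for one scenario.

    probability     chance the scenario materialises at all in a given year
    min/max_events  range of how many times it then happens in that year
    cost_per_event  dollar damage per occurrence

    The midpoint of the event range is used as the expected event count.
    """
    expected_events = (min_events + max_events) / 2
    return probability * expected_events * cost_per_event


def simulate_annual_loss(probability, min_events, max_events, cost_per_event,
                         trials=10_000, seed=1):
    """Monte Carlo view of the same scenario: each trial is one simulated year.

    Returns the sorted list of per-year losses so the caller can read off a
    median year, a bad year and the worst case rather than a single average.
    """
    rng = random.Random(seed)  # fixed seed keeps the output reproducible
    losses = []
    for _ in range(trials):
        if rng.random() < probability:
            events = rng.randint(min_events, max_events)
            losses.append(events * cost_per_event)
        else:
            losses.append(0)
    losses.sort()
    return losses


def percentile(sorted_losses, fraction):
    """Loss value below which `fraction` of the simulated years fall."""
    index = min(len(sorted_losses) - 1, int(fraction * len(sorted_losses)))
    return sorted_losses[index]


def risk_summary(name, probability, min_events, max_events, cost_per_event):
    """Summarise one scenario in terms an accountant can compare."""
    losses = simulate_annual_loss(probability, min_events, max_events, cost_per_event)
    return {
        "scenario": name,
        "expected_annual_loss": annualized_loss(probability, min_events,
                                                max_events, cost_per_event),
        "simulated_mean": sum(losses) / len(losses),
        "median_year": percentile(losses, 0.5),
        "bad_year_p90": percentile(losses, 0.9),
        "worst_case": losses[-1],
    }


def rank_scenarios(scenarios):
    """Order scenarios by expected annual loss, largest first, so the budget
    conversation starts from numbers rather than adjectives."""
    summaries = [risk_summary(*scenario) for scenario in scenarios]
    summaries.sort(key=lambda s: s["expected_annual_loss"], reverse=True)
    return summaries


# Constructed sample scenarios: (name, probability, min events, max events,
# cost per event). The first uses the article's illustrative figures with
# its $4m average cost per successful attack standing in for "$X".
SAMPLE_SCENARIOS = [
    ("database breach", 0.90, 5, 15, 4_000_000),
    ("phishing-led account takeover", 0.60, 2, 6, 250_000),
    ("lost laptop with unencrypted data", 0.30, 1, 2, 1_200_000),
]

if __name__ == "__main__":
    for row in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"{row['scenario']:<36} expected ${row['expected_annual_loss']:>13,.0f}"
              f"  median ${row['median_year']:>12,.0f}"
              f"  p90 ${row['bad_year_p90']:>12,.0f}"
              f"  worst ${row['worst_case']:>12,.0f}")
```

The deterministic figure is what goes on the budget slide; the simulated percentiles are there for the inevitable “but what if it’s a bad year?” follow-up, and the worst case gives the ceiling an insurer or auditor will ask about. Two scenarios that would both be labelled “high” come out far apart once the cost per incident is attached, which is the point of the exercise.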

Speaking of numbers, the tech boss said while automated network security analysis is not a silver bullet to kill all vulnerabilities, it generates the kind of metrics that impress government auditors and company accountants: things like the number of software packages scanned, version numbers identified, bugs patched, and so on.

Finally, make sure your suppliers are on your side and smart in their business practices. He recounted the time he asked a vendor if a particular threat was covered as per the regulations, so he could pass on the reassurance to auditors. The response from the supplier was: “LOL.”

“The auditor’s response would have been WTF if they’d seen that; it wasn’t helpful,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/tips_for_running_it_teams/

WTF is up with the W3C, DRM and security bods threatened – we explain

Analysis A lengthy battle over the inclusion of digital rights management as a Web standard is coming to a head, with a set of new guidelines planned for early March.

Those guidelines will include the latest attempt at compromise between pragmatists and idealists over how to allow control of content online without undermining the central concept of a free and open internet.

On March 2, the World Wide Web Consortium (W3C) will publish details of its new vulnerability disclosure program, closely followed by a “call for review” from its director, Tim Berners-Lee, that intends to protect security researchers from being sued if they dig into the black box of code that makes digital rights management (DRM) possible.

It is a messy compromise, and one that some are still not happy with, but it is progress on an issue that has set the W3C against itself for five years.

It is also a proxy for a much broader fight: between corporations that want to be able to protect their content, and internet engineers opposed to commercialization of the internet who want to protect the open internet in an era of closed systems.

Stuck in the middle is the W3C itself – torn between the desire to produce common standards for the contemporary internet and the risk that it may be undermining its very reason for existing. Both sides’ positions are entirely understandable.

The case for DRM

As many, including the W3C executive team, have repeatedly pointed out, DRM already exists online and is used every day by millions of people – the best-known examples of such systems being Silverlight and Widevine. Typically, this content protection is achieved by browser plugins, although browser companies are increasingly including DRM systems as a standard.

What the W3C wants to achieve through its Encrypted Media Extensions (EME) to HTML5’s HTMLMediaElement is to avoid the need for plugins. Instead there will be a standard API that automatically discovers and handles third-party protected content.

Result: everyone is on the same page, huge collective broader benefits, fewer compatibility issues – you know, the rationale for every standard ever created. The EME idea was officially born in February 2012, and Tim Berners-Lee gave it his blessing in September 2013 (it was “within scope,” he decided).

EME exists and is in fact already included in many browsers, but its status remains only as a proposed recommendation rather than a full one. Mozilla somewhat grumpily agreed to add EME in May 2015. And just a few months later, Microsoft disowned its own DRM system in preference to an HTML5 standard.

The truth is that even the fiercest critics of DRM watch Netflix on their computers. And most of them would prefer a safer, more secure internet. Anything that moves people away from streaming video using a security disaster like Adobe’s Flash to a standard that can be properly audited and updated has to be a good thing.

But then, back in June, a big hole was discovered in Widevine and those opposed to DRM leapt on it as an example of where the rationale for having a Web standard falls down. Without some kind of legal protection for security researchers, they argued, it would be impossible to dig into DRM systems to look for bugs and so, they claimed, security benefits would disappear.

The idea was born – with somewhat of a wink – that if the W3C required all members to agree not to sue security researchers if they dug into DRM systems, then the standard could proceed.

Of course, what the companies that wish to use DRM saw was them being asked to make it legal for people to hack their systems and circumvent the protections. And so a kind of impasse developed.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/13/w3c_drm_security_battle/

Infosec pros aren’t too bothered by Trump – it’s his cabinet sidekicks you need to worry about

BSidesSF We’re less than a month into Donald Trump’s reign in America, and so much has already kicked off. Since we’re at the BSides San Francisco infosec conference this week, we asked security pros here to “rate my president.”

And we’ll be honest: many attendees see some good in his appointment, although there is concern about who he has picked for key positions.

“Honestly, I think he’ll be good on some things,” said one US-native attendee, who said he voted for neither Trump nor Clinton. “The H-1B visa situation needs to be sorted out – the outsourcers are killing us in salary negotiations.”

H-1B visas, reserved for highly skilled foreign workers, have been used by various tech giants to bring in staff on the cheap. More than one attendee has had direct experience being pushed out of a job by an outsourcing biz that shipped in lower-paid staff under the visa system.

There are clearly a lot of people who are feeling sore about unfair H-1B visa competition. Not one of the people we spoke with said they had any confidence in the Democrats to fix the issue. Instead they’re hoping Trump will shake the system up to the benefit of US staff.

That said, there are plenty of people worried about a broader immigration ban that could hurt cross-border security conferences such as this one. BSidesSF isn’t too badly affected, since most people here are local, but some predicted any crackdown on visitors’ visas could hurt other conferences.

As to whether Trump benefited from Russian hackers influencing the national debate, very few people seem to be bothered by the accusations. Most infosec people here just accept that nations screwing around with other countries is a fact of life – “We’ve been doing this to other countries for years,” one said. “Don’t dish it out if you can’t take it.”

No backdoor action here, please

However, delegates (or participants, as BSides puts it) are seriously concerned by some of Trump’s cabinet picks – in particular Attorney General Jeff Sessions. In pre-confirmation congressional testimony, Sessions said that he supports backdooring encryption for law enforcement.

The idea hasn’t so much split the security community as brought it out almost entirely on one side. As with previous investigations, the view here is that it’s almost impossible to find someone who believes you could introduce a backdoor into encryption that others couldn’t find.

Were such a golden key to exist, it would be unlikely to remain secret for long. In his presentation, Jason Truppi, a former FBI investigator, pointed out that he had trusted his biometric data to the Office of Personnel Management and – post hack – now can’t use fingerprint recognition without the knowledge that someone has a .BMP file of his paw prints in their database, because OPM stored those unencrypted.

Reconfirmed FBI director James Comey has declared that this is the year he wants to see an “adult conversation” on backdooring. With the AG and Trump behind him, he might be able to force his way.

Also of concern is the appointment of John Kelly as new boss of the US Department of Homeland Security. Kelly said the agency is considering forcing people to hand over passwords to private social media accounts if they wish to enter the US on a visa.

“He hasn’t thought this one through,” said Austin Carson, executive director of IT think tank TechFreedom. “Sure, we can demand passwords, but then so can everyone else in the world and they will get a lot more out of that than we will.”

In the meantime, however, Trump’s executive order on immigration doesn’t seem to have had that much of an effect so far. One Hindu British Asian network manager at the conference told The Reg that he’d never had a faster trip through customs than this latest one.

“Sure, they ask about a minute’s worth of extra questions about Syria but I had no problems,” he said. “Mind you, that could change.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/trump_cabinet_picks/

Explain! yourself! US! senators! yell! at! Yahoo!

A couple of US senators have accused Yahoo! of not cooperating with their attempts to investigate its now-notorious database security breaches.

Republicans John Thune (chair of the US Senate’s Committee on Commerce, Science and Transportation) and Jerry Moran (chair of its sub-committee for Consumer Protection, Product Safety, Insurance and Data Security) co-signed the missive last Friday (February 10, 2017).

One of their complaints, The Register suspects, will be familiar to anyone caught up in the company’s 2013 and 2014 data breaches: “Despite several inquiries … company officials have thus far been unable to provide answers to many basic questions about the reported breaches”.

Yahoo!‘s cancellation of a planned meeting with their staff on January 31 didn’t improve the senators’ mood at all.

The letter notes that the company’s briefing to the Committee in September 2016 left senators wanting more information. But “Yahoo! has not attempted to supplement its answers to the Committee as new information has become available, despite committing to do so”.

The senators want Yahoo! to provide accurate numbers of users affected by the 2013 and 2014 breaches, a detailed outline of what user data was compromised, consumer protection and systems mitigations put in place, and a detailed timeline of the incidents.

As revealed in November 2016, an SEC filing by Yahoo! showed information about the 2014 breach circulated within the company for a decent period of time. The senators’ letter indicates that information hasn’t yet landed in front of the committee.

The breaches – and the revelation that as late as 2013 passwords were secured by known-to-be-insecure MD5 hashes – have delayed Marissa Mayer’s plan to sell Yahoo! to Verizon.

The Wall Street Journal says Yahoo! is “considering” its response to the letter. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/senators_send_please_explain_letter_to_yahoo/

University’s IoT devices went fishing for information – how did it happen?

Verizon has published its annual Data Breach Digest and issued previews online – and it makes entertaining as well as sobering reading. One story has already attracted a fair bit of press attention, in which an unnamed university had its Internet of Things installation turned into a botnet dedicated to looking up fish restaurants instead of working for the students.

The IT professional in the report confirms that he reported dips in network performance to Verizon, which quickly ascertained that there had been some sort of hijack:

The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure.

Many devices including light switches had been attached to the IoT infrastructure for ease of management, the report continues (one piece of coverage suggested the refrigerators were involved as well, although we confess we couldn’t see any reference to them in the report).

As an aside, readers of a certain age might remember the radio series and books of the Hitchhiker’s Guide to the Galaxy, in which an entire spaceship’s computer systems were turned to ascertaining why Arthur Dent should want a cup of tea – we always said that series was ahead of its time.

As another aside, you might wonder how fragile a network has to be for a few thousand devices each making a batch of DNS lookups every 15 minutes to slow it down so noticeably. As the report is anonymised, we have to take Verizon’s word on that score.

The lessons learned, according to the Verizon report, included not putting all of the eggs in a single basket – in other words, don’t have every element of an IoT installation in a single network. It also suggested keeping firmware updates current and – wait for it – changing the default passwords, which hadn’t been done. In the event, the attackers’ password was transmitted unencrypted, so it could be intercepted and the attack neutralised.
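The firewall analysis quoted above (thousands of systems on the IoT segment, each making many DNS lookups every 15 minutes) is exactly the kind of thing a defender can check for from ordinary logs, and the segmentation lesson is what makes the check easy to scope. The Python below is an added example, not Verizon’s or the university’s tooling: it buckets constructed firewall log lines into 15-minute windows, keeps only DNS traffic originating on an assumed IoT subnet, and flags any window in which many distinct hosts are each querying repeatedly, reporting the names they asked for. The log format, the `10.50.0.0/16` IoT range and the small demo thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # assumed: the IoT VLAN
WINDOW_MINUTES = 15
MIN_HOSTS = 3             # demo thresholds; the report saw 5,000+ hosts with
MIN_QUERIES_PER_HOST = 3  # hundreds of lookups each per 15-minute window

# Constructed log lines: "<ISO time> <src> -> <dst>:<port> <proto> <query name>"
SAMPLE_LOG = """\
2017-02-13T10:00:01 10.50.1.10 -> 10.1.0.53:53 udp seafood-example.test
2017-02-13T10:00:02 10.50.1.11 -> 10.1.0.53:53 udp seafood-example.test
2017-02-13T10:00:03 10.50.1.12 -> 10.1.0.53:53 udp seafood-example.test
2017-02-13T10:00:04 10.50.1.10 -> 10.1.0.53:53 udp chowder-example.test
2017-02-13T10:00:05 10.50.1.11 -> 10.1.0.53:53 udp chowder-example.test
2017-02-13T10:00:06 10.50.1.12 -> 10.1.0.53:53 udp chowder-example.test
2017-02-13T10:00:07 10.50.1.10 -> 10.1.0.53:53 udp oyster-example.test
2017-02-13T10:00:08 10.50.1.11 -> 10.1.0.53:53 udp oyster-example.test
2017-02-13T10:00:09 10.50.1.12 -> 10.1.0.53:53 udp oyster-example.test
2017-02-13T10:03:00 10.20.7.5 -> 10.1.0.53:53 udp library-example.test
2017-02-13T10:03:10 10.50.1.10 -> 10.1.0.80:80 tcp -
2017-02-13T10:20:00 10.50.1.10 -> 10.1.0.53:53 udp seafood-example.test
2017-02-13T10:20:01 10.20.7.5 -> 10.1.0.53:53 udp library-example.test
"""


def parse_line(line: str):
    """Split one log line into (timestamp, source ip, destination port, name)."""
    ts, src, _arrow, dst, _proto, qname = line.split()
    _dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), int(dst_port), qname


def window_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 15-minute bucket."""
    return ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES,
                      second=0, microsecond=0)


def find_noisy_windows(log_text: str, segment=IOT_SEGMENT,
                       min_hosts: int = MIN_HOSTS,
                       min_queries: int = MIN_QUERIES_PER_HOST) -> list[dict]:
    """Return one finding per window where many segment hosts query repeatedly."""
    hosts = defaultdict(Counter)   # window -> Counter(source ip -> query count)
    names = defaultdict(Counter)   # window -> Counter(query name -> count)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, qname = parse_line(line)
        if dst_port != 53 or src not in segment:
            continue               # only DNS, only from the IoT segment
        w = window_start(ts)
        hosts[w][src] += 1
        names[w][qname] += 1

    findings = []
    for w in sorted(hosts):
        busy = [h for h, n in hosts[w].items() if n >= min_queries]
        if len(busy) >= min_hosts:
            findings.append({
                "window": w.strftime("%Y-%m-%dT%H:%M"),
                "hosts": len(busy),
                "queries": sum(hosts[w].values()),
                "top_names": [n for n, _ in names[w].most_common(3)],
            })
    return findings


if __name__ == "__main__":
    for f in find_noisy_windows(SAMPLE_LOG):
        print(f"{f['window']}: {f['hosts']} hosts, {f['queries']} DNS queries, "
              f"top names {f['top_names']}")
```

Scoping by source subnet is what turns a noisy campus-wide DNS log into a useful signal: the same three hosts would vanish among thousands of legitimate clients if the IoT devices had been sharing the general network, which is the report’s segmentation point seen from the detection side.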

Jessica Twentyman, editor of Internet of Business, said:

What’s interesting to me about this story is that it once again begs the question: who’s responsible for IoT security? Is it the manufacturers of smart devices, who often seem to treat security as a secondary design consideration, if at all; or the individuals and organisations that deploy them? The answer, of course, must be both – but we continue to see complacency on both sides and a good deal of confusion and buck-passing when things go wrong. We badly need some consensus here, with smart device manufacturers doing more to secure the devices they sell and IoT administrators doing more to secure the environments that they run.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1OT6ZJ0-bFA/