STE WILLIAMS

News in brief: Pentagon risks cyberattacks; government rapped on security; Russia warned on meddling

Your daily round-up of some of the other stories in the news

Misconfigured Pentagon servers ‘easy to attack’

The US Department of Defense has “misconfigured” servers with flaws so easy to find that it is “very likely” they have already attracted the attention of cyberattackers, a security researcher has warned.

Dan Tentler of Phobos Group told ZDNet that the flaws could let hackers or “foreign actors” hit the systems and make the attacks look as though they come from US networks.

Tentler criticised President Trump’s draft executive order on cybersecurity, which was pulled at the last minute, saying its proposals are “just not feasible”. The draft order, said Tentler, “demonstrates a complete lack of understanding of what the existing problems are”.

Government’s ‘chaotic’ approach to cybersecurity rapped

A shortage of skills and mishandling of data breaches is undermining the ability of the government to protect the UK from cyberattacks, a group of MPs has warned.

The Commons Public Accounts Committee says in a report released on Friday that although cyberattack has been one of the top four risks to national security since 2010, it has taken the government “too long to consolidate and co-ordinate its ‘alphabet soup’ of agencies involved in protecting Britain in cyberspace”.

It’s a sharply critical assessment of the government’s approach to cybersecurity, with the committee chair, Meg Hillier MP, saying that it needs to “up its game” and that its approach to handling data breaches “has been chaotic and does not inspire confidence in its ability to take swift, co-ordinated and effective action in the face of higher-threat attacks”.

Russian cybermeddling ‘testing Nato and the west’

Russia “is clearly testing Nato and the west” and “weaponising misinformation”, according to Sir Michael Fallon, the UK defence secretary. In a speech at St Andrews University in Scotland, he pointed to “the use of cyber-weaponry to disrupt critical infrastructure and disable democratic machinery”, listing what he said was Russia’s involvement in French, German, Dutch, Bulgarian, Montenegrin and of course US affairs.

Fallon warned that Russia could be looking to influence the outcome of key European elections this year. He said: “The head of the German BfV agency warned the Kremlin is ‘seeking to influence public opinion and decision-making processes’ ahead of this year’s German elections”.

We reported yesterday that Dutch officials have decided to revert to counting votes by hand in the upcoming general election there because of fears that “state actors may try to benefit from influencing political decisions”.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6hm_rKvK38A/

Google will use Gmail to nudge you into updating your browser

Google is going to tweak the next version of Gmail so that it won’t quite work with older browsers by the end of the year. The idea seems to be to push people into using up-to-date versions of Chrome: Gmail will no longer support Chrome versions 53 and below.

The full technical detail is on the G Suite blog. Many corporate IT departments will be fine with upgrading to the latest version, and indeed it seems to be Windows Vista and Windows XP users who will be hardest hit.

Keeping to the current version is generally seen as more secure than lagging behind, but there is bound to be some pushback. A quick poll of our Facebook contacts found a number of people dismissing upgrades as problematic, often because they had difficulties when upgrading to Windows 10 (and every time you raise the issue there seems to be a backlash against Windows 10 from certain sections of the IT community).

It makes sense for Google to stop supporting these older versions of Windows, as Microsoft itself has ceased to put any resources into them.

However, upgrades are not without difficulties and nor is sticking resolutely with so-called legacy systems. IT support specialist Anthony Dowling of MyIdealPC had a customer who wanted a new PC but insisted it should have Windows XP on it. He says:

When I finally found a licence to buy and compatible hardware he had all sorts of trouble with out-of-date software such as Chrome and outdated hardware drivers for printers.

He had the reverse experience when a customer wanted a new graphics card:

He then realised his PSU was not powerful enough so decided to replace that too. As far as I am aware he did this while the system was on and blew the motherboard and CPU! He had to pay me for a complete rebuild.

Gmail itself won’t stop working completely, according to the blog, but Google warns that customers on older browsers will be increasingly exposed to security risks, and that Gmail on older systems could start defaulting to the basic HTML view by the end of this year.

Users of older systems and Gmail have until the end of the year to catch up.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HwwQsMvlNsY/

Critical WordPress update fixes zero-day flaw unnoticed

An apparently unremarkable “point” release of the world’s most popular website software, WordPress, rolled out across the web at the end of last week.

Unlike its closest competitors, Drupal and Joomla, WordPress knows how to apply security updates to itself automatically so version 4.7.2 made its way on to millions of websites with their owners none the wiser:

On Thursday, January 26, we released WordPress 4.7.2 to the world. The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.

Any website operators who looked up from their cornflakes to read the security release in more detail will have seen that 4.7.2 dealt with three important but far from hair-raising security vulnerabilities.

What they won’t have seen is that it also fixed a fourth vulnerability: an unauthenticated privilege escalation flaw serious enough to warrant deployment in total silence.

Vulnerability #4

The unmentioned vulnerability affects versions 4.7.0 and 4.7.1 of WordPress, so if for some reason you’re running a WordPress site that hasn’t self-updated, stop reading and get the update now yourself (it’s that serious).

The vulnerability, which affects the WordPress REST API added in the 4.7 release, allows attackers to modify the content on any affected website remotely.

A bug like this is a massive opportunity for criminals and when a serious vulnerability is found in a popular web Content Management System automated attacks can start within hours.

The problem was discovered by Marc-Alexandre Montpas from web security outfit Sucuri as part of a vulnerability research project.

He alerted the WordPress team on January 20 and they began work on the fix while monitoring for in-the-wild activity and alerting security vendors and web hosts about the problem.

When the update was ready the WordPress team took the decision to deploy the fix without disclosing details of it first, giving themselves an opportunity to stay ahead of the criminals who might exploit it:

By Wednesday afternoon, most of the hosts we worked with had protections in place. Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.

Once the automatic deployment process had run its course the silent fix was disclosed in an update to the security release.

How the attack works

An API (Application Programming Interface) is an interface to a computer program that’s meant to be used by other computer programs rather than people. They’re what allow apps on your phone to update your Twitter account, your fridge to talk to your supermarket or your time-tracking software to tell your accounts software what you’ve been up to.

Unlike the graphical interfaces used by people, APIs are sets of commands. The modern vogue for web-based systems is to implement APIs using the web’s simple and stateless HTTP protocol, an idea known as REST (Representational state transfer).

The WordPress REST API allows authorised computer programs access to your site’s data so that they can do things like creating, updating or deleting WordPress posts.

It works by looking out for specially crafted HTTP requests sent to specific URLs or “endpoints”. The endpoint for creating, updating or deleting WordPress posts is /wp/v2/posts/ (on a default install with pretty permalinks the REST API is served under /wp-json/, so the full path is /wp-json/wp/v2/posts/).

Anyone in the world can request any public URL from any website (that’s the whole point of the web, after all) so websites have to check that the people or programs sending requests to their APIs are authenticated and authorised to perform those commands.

What Montpas discovered was a subtle but potentially devastating way to bypass those checks.

To demonstrate it, let’s imagine that we have a WordPress blog with a few thousand posts and pages. All WordPress posts and pages have numeric IDs and we’re going to use 1337 in our example.

To tell WordPress which post we want to change we add its ID to the end of the REST API endpoint and send the data we want to change to the resulting URL.

The URL or endpoint for updating post 1337 is therefore /wp/v2/posts/1337.

You can also tell WordPress the ID of the post you want to change by adding an id parameter to the URL, and Montpas’s first important discovery was that if he used an id parameter he could get WordPress to accept a non-numeric post ID.

You’ll see why this ability to pass in non-numeric IDs was important in a minute, but for now know that if we send our update request to /wp/v2/posts/1337?id=1337ISMYREALTARGET WordPress 4.7.0 and 4.7.1 will accept 1337ISMYREALTARGET as the post ID.

Of course WordPress doesn’t allow just anyone to edit a post, so having accepted your fake ID it checks to see if we’re allowed to edit it. Unfortunately a subtle flaw in that check allows our attack to progress a little further.

It turns out that if the post 1337ISMYREALTARGET exists and you don’t have permission to edit it you’ll be stopped in your tracks, but if the post doesn’t exist (which it can’t, because all WordPress posts have numeric IDs) the check finds nothing to protect and lets you through.

Having fooled the gatekeeper your data progresses to the WordPress update_item method which, as you might expect from its name, is the code that actually updates the post. You might also expect that our attack will fail here because even though we’re allowed to update 1337ISMYREALTARGET we can’t change something that doesn’t exist.

It’s no accident that our fake ID starts with the ID of a post that does exist though: 1337.

Just before WordPress retrieves our fake post for editing it converts (or “casts”, in the vernacular) the ID it’s been handed into an integer.

WordPress is written in PHP, and PHP’s (int) cast turns the non-existent ID 1337ISMYREALTARGET into the very-much-in-existence 1337, so our updates are applied to that post.

Of course we needn’t limit our attack to a single post. We could easily write a program to cycle through all the numbers from 1 to 9999999 and update every post and page on a site so it includes the SEO spam, advertising or malware of our choice.

We can also use the attack as a foothold to exploit other vulnerabilities, as Montpas explains:

From there, they can add plugin-specific shortcodes to exploit vulnerabilities (that would otherwise be restricted to contributor roles) … Depending on the plugins enabled on the site, even PHP code could be executed very easily.
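If you want to know whether anyone tried this against your site before the silent update landed, the request pattern described above is the thing to look for. The script below is an added example written for this round-up, not code from Naked Security, Sucuri or the WordPress project. It assumes an Apache or nginx “combined” access log and the default /wp-json/ prefix, emulates PHP’s (int) cast and is_numeric() with regular expressions, and flags write requests to the posts route whose query-string id is non-numeric, reporting the post the cast would have resolved to so you know which content to inspect. The log lines are constructed for the example. An id smuggled in a JSON body rather than the query string won’t appear in the request line, so treat a clean result as necessary rather than sufficient.

```python
"""Scan access logs for the WordPress 4.7.0/4.7.1 REST API id-overriding pattern.

Added example: the log lines are constructed and the PHP semantics are emulated.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Route that update/delete requests hit; the REST API lives under /wp-json/ on a default install.
POSTS_ROUTE = re.compile(r"^/wp-json/wp/v2/posts/(?P<route_id>\d+)/?$")

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Methods that update or delete a post through the REST API.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def php_int_cast(value: str) -> int:
    """Emulate PHP's (int) cast on a string: leading digits count, the rest is ignored."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def php_is_numeric(value: str) -> bool:
    """Emulate PHP's is_numeric() for the forms a post ID could take."""
    return re.fullmatch(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?", value) is not None


def analyse_request(method: str, target: str):
    """Return a finding for a write request whose query-string id is non-numeric, else None.

    A numeric id resolves to a real post, so the permission check sees it and
    enforces capabilities; a non-numeric id is what slipped past the check in
    4.7.0/4.7.1 and was then cast to its leading integer before the update.
    """
    parts = urlsplit(target)
    route = POSTS_ROUTE.match(parts.path)
    if route is None or method not in WRITE_METHODS:
        return None
    query_ids = parse_qs(parts.query).get("id")
    if not query_ids or php_is_numeric(query_ids[0]):
        return None
    return {
        "route_id": int(route.group("route_id")),
        "query_id": query_ids[0],
        "resolved_post": php_int_cast(query_ids[0]),  # the post that was actually modified
    }


def scan_log(text: str) -> list:
    """Return a list of findings, one per matching line, with client, time and status."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue
        finding = analyse_request(m["method"], m["target"])
        if finding:
            finding.update(ip=m["ip"], when=m["ts"], status=int(m["status"]))
            findings.append(finding)
    return findings


# Constructed sample lines (not real traffic). 203.0.113.7 plays the attacker.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2017:10:12:01 +0000] "POST /wp-json/wp/v2/posts/1337?id=1337ISMYREALTARGET HTTP/1.1" 200 812 "-" "python-requests/2.12"
203.0.113.7 - - [01/Feb/2017:10:12:02 +0000] "POST /wp-json/wp/v2/posts/42?id=42abc HTTP/1.1" 200 790 "-" "python-requests/2.12"
198.51.100.3 - - [01/Feb/2017:10:13:44 +0000] "GET /wp-json/wp/v2/posts/1337 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.3 - - [01/Feb/2017:10:14:05 +0000] "POST /wp-json/wp/v2/posts/1337?id=1337 HTTP/1.1" 401 120 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Feb/2017:10:15:00 +0000] "POST /wp-json/wp/v2/posts/7?id=7x HTTP/1.1" 403 99 "-" "curl/7.47"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        verdict = "content likely modified" if f["status"] < 400 else "attempt blocked"
        print(f"{f['when']} {f['ip']} id={f['query_id']!r} -> post {f['resolved_post']}: {verdict}")
```

Run it as a script to see the findings on the sample, or pass the contents of a real log file to scan_log(). A finding with a 2xx status means the request reached WordPress and the post named by resolved_post should be checked for injected content; a 4xx means a WAF or the patched version stopped it, but the source address is still worth blocking.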

What next?

If you’re running a WordPress website, check that you’re running the latest version of WordPress by logging in and going to Dashboard > Updates.

If you want to see how WordPress actually fixed the problem and you aren’t shy of reading code you can bask in the glory of open-source software by viewing the changes on the WordPress Trac site.

If that’s a bit much for you then take a look at How to avoid being one of the “73%” of WordPress sites vulnerable to attack.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ozJAaOOoiDk/

Sophos update borks systems at London NHS trust

An anti-malware update from Sophos borked systems at University College London Hospitals (UCLH) on Thursday.

Sophos confirmed the problem in a brief statement, adding that it was working with the NHS Trust to get to the bottom of the issue.

Sophos can confirm that the Trust raised a support case yesterday regarding an issue they experienced. We worked quickly with them to resolve the issue and we continue to work with the customer on root cause analysis.

El Reg learnt of the incident from an anonymous tipster who got in touch late on Thursday to say: “UCLH NHS was wiped out by Sophos updates effectively bombarding every PC… it caused major havoc.”

False positives are a well-known pratfall of all anti-malware packages. Things get particularly messy when anti-virus packages wrongly identify core Windows system components as malign before shuttling them off to quarantine. This results in unstable or (not infrequently) unbootable systems.

The security of NHS systems is becoming a growing cause of concern because of their continuing reliance on obsolete Windows XP systems, the rise of ransomware attacks in hospitals worldwide and other factors.

Nearly half (45 per cent) of NHS trusts scan for application vulnerabilities just once a year, with only 8 per cent doing so daily. The figures come from a series of Freedom of Information (FoI) requests to 36 hospital trusts by application security firm Veracode. It warns that failure to check regularly for problems leaves patient data at risk of cyberattacks through legacy websites and third-party plugins.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/03/sophos_misfiring_update_london_nhs_trust/

How to Handle Threats When Short-Staffed

Skybox’s Michelle Cobb, VP of Worldwide Marketing, explains how automation and advanced analytics can give security teams the data they need when their teams are stretched.

Article source: http://www.darkreading.com/analytics/how-to-handle-threats-when-short-staffed-/v/d-id/1328045?_mc=RSS_DR_EDT

Talking Cybersecurity From A Risk Management Point of View

CenturyLink CSO David Mahon reflects on the evolution of the chief information security officer, and why today’s CISOs are increasingly adopting a risk-based approach to security.

Steven Grossman, Bay Dynamics’ vice president of strategy enablement, sat down recently with CenturyLink VP and Chief Security Officer David Mahon in a thoughtful discussion about why CISOs are moving from the IT corner into a more operational role, managing the risks that threaten to harm their company’s most valuable data.

This Q&A is part of a Dark Reading interview series with cybersecurity experts, by cybersecurity experts.

Decades ago, a new executive-level role emerged in the enterprise – the Chief Information Security Officer (CISO). The original CISO sat in the IT corner, mainly managing firewalls and other fundamental security technologies. Due to the person’s technical expertise, the CISO reported to the Chief Information Officer (CIO), the leading technical expert in the enterprise.

Fast forward twenty years and the CISO has become a more business-centric, go-to expert for board members, and no longer reports to the CIO. Today’s CISOs are increasingly reporting to the chief risk officer (CRO) as cybersecurity has transformed into a risk management issue, viewed alongside, if not above, other operational risks to the business.

To get an industry veteran’s point of view on this transformation, I spoke with David Mahon, vice president and chief security officer at CenturyLink. David is responsible for designing and implementing a global security program that includes cybersecurity, critical infrastructure protection, enterprise risk management, physical security, network fraud and abuse, industrial security, international travel security, global threat intelligence, work place violence prevention, executive protection and investigations. In many enterprises, such as CenturyLink, the CRO and CSO roles are interchangeable. Both involve centering their strategic objectives around risk, and both are seeing more CISOs move under their wing.

Steven Grossman: Thank you for taking the time to chat with me, David. Why do you think CISOs should be reporting to CSOs/CROs vs. CIOs?

David Mahon: The main reason is that the CISO profession and industry responsibilities have changed. The CISO profession started in the IT department when cybersecurity was emerging as a core competency. CISOs were mainly called IT security professionals. Over time, as more high profile data breaches came to surface, CISOs increasingly interacted with other C-level executives who were outside of technology such as chief privacy officers and chief legal officers. The cybersecurity ecosystem transformed, going from a primarily technical to a risk management discipline.

Because of that shift, the CIO isn’t the best executive to oversee cybersecurity. The CIO doesn’t have risk management functions, such as Governance, Risk Management and Compliance (GRC), which is a key component of an effective enterprise-wide risk management program.

Steven Grossman: So, in other words, CISOs shouldn’t be making absolute security their goal but instead, effective risk management.

David Mahon: Our role as CSOs, which essentially carries the same responsibilities as CROs, is to enable strategic objectives and risk posture as approved by the board of directors. When a CSO signs off on a project, it’s not about the technology; it’s about what the project will do for the business.  CSOs manage all security and risk functions for the company, which oftentimes blend together, to achieve the risk posture established by the board.

Steven Grossman: Based on what we have seen working with our clients, CISOs who report through the CIO to the board often present technical information from a messaging point of view while those reporting through the CSO/CRO present a more balanced, risk-orientated point of view. As CenturyLink’s CSO how do you work with your CISO, who is on your team, and how do you implement a risk-orientated approach to security?

David Mahon: First, you must understand the strategic plan approved by the board of directors. Visit with each business unit to understand how their tactical plans roll up into the larger strategic plan.  For example, the CTO may have a strategic roadmap that you know will need cybersecurity engineers on the front end. You can start deploying those resources to support the CTO rather than waiting until the CTO launches a project. You need visibility into what each business unit is doing so that you can enable them to also achieve the overall cyber risk mitigation objectives set by the board.

It’s critical to assess where your most valuable data is located and what is the value associated to the applications and systems that store that data. Identifying where your highly valuable assets live will enable you to risk-rank those assets. What is your most sensitive data down to data that is less sensitive? What are the security controls you have in place to protect your highly valuable data? Are they working properly? Where are the gaps? If business units are outsourcing work, who are they outsourcing it to, and how are those users interacting with your valuable data? Identify the top risks for the company and map those with each business unit’s objectives.

Since many information security programs are designed by technical solution-based thinkers, it’s also better to turn to regulatory standards and frameworks like NIST, ISO or HIPAA as a baseline for your risk management program.

These are just some of the steps; there are many others in-between. The key is to broadly look at the risk posture of the company, map those risks to your (and the board’s) objectives and define how to decrease risk incrementally.

Steven Grossman: It is unfortunate that so many enterprises do not know where their valuable information assets are located. In the physical world, that’s like an operations manager not knowing where his/her company’s critical buildings are located. Understanding where your valuable assets live is central to risk management.

David Mahon: When there are thousands of employees, vendors, contractors and assets, understanding your valuable assets – including where they exist and how people interact with them – and being able to measure your risk along with appropriate response and recovery plans for various potential incidents, is a sign of a mature risk management program.

Steven Grossman: What do you think are the biggest challenges CISOs face if they report to CSOs/CROs vs. CIOs?

David Mahon: One challenge is that CISOs are not adequately prepared to address the questions that a CSO/CRO will ask. CSOs/CROs tend to ask global questions to which CISOs respond with technical answers. CISOs lean on their technical acumen and therefore are challenged to look more broadly at such things as threat intelligence, adversaries, and business objectives.

In the end, CISOs who embrace a risk-based approach to security will have a broader view of their enterprise’s objectives and know how to strategically and tactically use their resources to achieve them. They will get a horizontal view of the enterprise, instead of a swim lane, which will enable them to deliver shareholder value and enhance customer experience.

R. David (Dave) Mahon was named chief security officer in April 2011 for CenturyLink, the third-largest communications provider in the U.S. In addition to his CSO role, Mahon is also the company’s liaison with the National Security Telecommunications Advisory Council (NSTAC), National Cybersecurity and Communications Integration Center (NCCIC), as well as federal and state law enforcement and homeland security agencies.

Prior to joining CenturyLink, Mahon was a supervisory special agent with the FBI responsible for investigating violations of federal statutes in which the Internet, computer systems, and networks were exploited as the targets of terrorist organizations, foreign government-sponsored intelligence operations or criminal activities.

Steven has over 20 years of management consulting and industry experience working with technology, security and business executives, driving solutions to their most critical and complex problems. At Bay Dynamics, Steven is responsible for ensuring that clients are successful …

Article source: http://www.darkreading.com/careers-and-people/talking-cybersecurity-from-a-risk-management-point-of-view/a/d-id/1328050?_mc=RSS_DR_EDT

IRS Warns Of New W-2 Phishing Attacks

The infamous Form W-2 email phishing scam plaguing the corporate sector now targeting school districts, tribal organizations, nonprofits, others.

The Internal Revenue Service (IRS) is warning that the infamous Form W-2 phishing scam that traditionally has targeted corporations now is being used to dupe school districts, tribal organizations, restaurant chains, temp agencies, healthcare, shipping and freight firms, and non-profits.

In addition, attackers are adding wire transfer schemes to the mix, according to the alert from the IRS.

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” said IRS Commissioner John Koskinen.

The phony emails come in the form of business email compromise (BEC) attacks, where the sender poses as an organization executive, sending phishing emails to payroll or human resource department employees asking for their employees’ Forms W-2.

“In the latest twist, the cybercriminal follows up with an ‘executive’ email to the payroll or comptroller and asks that a wire transfer also be made to a certain account. Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers,” the IRS alert explains.

The IRS alert and information on how to protect your employees from these attacks is here.

Article source: http://www.darkreading.com/attacks-breaches/irs-warns-of-new-w-2-phishing-attacks/d/d-id/1328055?_mc=RSS_DR_EDT

Windows SMB Zero-Day Exploit On The Loose

Vulnerability allows remote attackers to trigger denial-of-service conditions on several Windows client versions.

US-CERT and other organizations Friday warned of a zero-day memory corruption bug in several versions of Microsoft Windows that could allow a remote attacker to cause a vulnerable system to crash and reboot.

Proof of concept code for exploiting the vulnerability has already been released on GitHub and is now publicly available for anyone to use. As of mid-day Eastern Time on Friday, no patch was available for the vulnerability, which poses more of a threat for home and small businesses than enterprises.

The bug exists in the way certain Windows versions handle Server Message Block (SMB) traffic, Carnegie Mellon University’s CERT division said in an alert. By sending a specially crafted message from a malicious server, an attacker can trigger a buffer overflow condition in a vulnerable Windows system and cause it to crash, the alert noted. Several methods are available to attackers to get a Windows client system to connect to a malicious SMB server, sometimes with little to no user interaction, it added.

The Microsoft SMB file sharing protocol allows Windows clients to request services and to read and write files from Windows servers in a network. It has been the source of several security issues over the years.

A Microsoft spokesperson downplayed the severity of the issue. “Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” the spokesperson said in a statement. “Our standard policy is that on issues of low risk, we remediate that risk via our current Update Tuesday schedule.” 

Johannes Ullrich, head of the Internet Storm Center at the SANS Institute, said he tested the issue on a fully patched Windows 10 system using the proof of concept code and immediately got a blue screen of death. All Windows clients that support SMBv3, including Windows 2012 and 2016, appear vulnerable to the exploit, he said.

“The bug is a denial of service bug,” Ullrich told Dark Reading. “If a system is hit by the exploit, then it will reboot.” The bug does not appear to give attackers a way to execute code or do anything beyond triggering a denial of service condition.

Exploiting the vulnerability is easy, Ullrich says. The attacker uses the proof of concept code to run a malicious SMBv3 server and then tricks the victim into connecting to it. “The easiest way to accomplish this is by inserting a URL linking the server to a Web page,” he says.

The URL might look like \\192.0.2.1\ipc$, where 192.0.2.1 is the IP address of the server. “An image tag like <img src="[malicious url]"> will trigger the exploit.”

The vulnerability is another reminder why it is necessary to block outbound SMB connections by blocking ports 445, 135 and 139, Ullrich says. “Many networks do not close these ports outbound, which opens up a number of attack possibilities, not just this one.”

Home and small business users are more likely to be affected by the issue than enterprise users, as small business and home firewalls usually do not block these connections by default, he notes.

In its advisory, CERT said it was currently unaware of a “practical solution” to the problem and urged organizations to block outbound SMB connections from the local network to the WAN on TCP ports 139 and 445 along with UDP ports 137 and 138.
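Blocking the ports is only half of the job; the other half is checking, from the machines that matter, that the block is actually in force. The script below is an added example written for this round-up, not from CERT, SANS or Dark Reading. It probes the three TCP ports named above against a host you control outside your network (the 198.51.100.10 address in it is a documentation-range placeholder) and classifies each result. The useful distinction is that only a timeout or a rejected route means the packets never left your network: an “open” or “refused” result means the connection attempt reached the far side, which is exactly what the lure in this attack relies on. The NetBIOS UDP ports can’t be checked this way, because a UDP send gets no answer unless something is listening.

```python
"""Check whether outbound SMB/RPC really is blocked from this host.

Added example. Run it from inside the network against a host you control
on the Internet; the address in __main__ is a documentation-range
placeholder and must be replaced.
"""
import errno
import socket

# Ports from the CERT/SANS advice: RPC endpoint mapper, NetBIOS session, SMB.
SMB_TCP_PORTS = (135, 139, 445)
# NetBIOS name and datagram services are UDP; a connect() probe tells you nothing
# there without a responder on the far side, so they are listed but not probed.
SMB_UDP_PORTS = (137, 138)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one outbound TCP connect and classify what came back.

    open        - the remote host accepted: the SYN left your network and something answered
    refused     - the remote host sent RST: the SYN still left your network
    filtered    - nothing answered in time: the usual sign of a firewall dropping the packets
    unreachable - the local stack or a router rejected the route (ICMP unreachable / no route)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def egress_blocked(result: str) -> bool:
    """Only a silent drop or a rejected route means the packets never reached the Internet."""
    return result in ("filtered", "unreachable")


def audit_egress(host: str, ports=SMB_TCP_PORTS, timeout: float = 2.0) -> dict:
    """Probe each port against the given external host and report its classification."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def self_test() -> tuple:
    """Exercise the classifier against a loopback listener: this checks the code, not your firewall."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_listening = probe_tcp("127.0.0.1", port, 1.0)
    finally:
        listener.close()
    after_close = probe_tcp("127.0.0.1", port, 1.0)
    return while_listening, after_close


if __name__ == "__main__":
    assert self_test() == ("open", "refused")
    target = "198.51.100.10"  # placeholder: replace with a host you control outside your LAN
    for port, result in audit_egress(target).items():
        verdict = "blocked" if egress_blocked(result) else "NOT blocked"
        print(f"tcp/{port}: {result:<11} -> outbound SMB {verdict}")
```

Run it with no arguments and it first checks its own classifier against a loopback listener, then probes the placeholder target. One caveat: if your firewall is configured to reject rather than drop, it answers with a reset of its own and the probe will report “refused” even though nothing left the network; for this check a silent drop is the more informative configuration.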

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/windows-smb-zero-day-exploit-on-the-loose-/d/d-id/1328056?_mc=RSS_DR_EDT

Pacemaker data used to help indict alleged arsonist

In September, a home in Ohio caught fire, sending flames shooting into the sky, according to a neighbor.

Make sure the homeowner’s out of there, the emergency operator told the neighbor. But they didn’t need to worry: Ross Compton, the 59-year-old homeowner and now the alleged arsonist, had walked the driveway, safe and sound.

He told authorities that he’d packed a suitcase and some bags, broken a window with his cane and made his escape, climbing through the window and carrying the heavy bags to his car.

Quite a feat for a guy with extensive medical problems who’s got an artificial heart implant, investigators mused. Something about his story just didn’t add up. Actually, quite a few things didn’t: fire investigators said the fire was started in multiple places on the outside of the house, according to the search warrant.

Plus, in his call to emergency services, Compton said at one point that “everyone” was out of the house… and then, at the end of the call, told someone to “get out of here now”. Oh, and there was gasoline found on his clothing.

But about that pacemaker. According to court records seen by the local paper Journal News, police got a search warrant for all the data stored in the medical device.

The device yielded details of Compton’s heart rate, pacer demand and cardiac rhythms prior to, during and after the fire, and the story that data told was a very different one than Compton had come up with.

A month after the fire – estimated to have caused $400,000 in damage to the house and to have killed a pet cat – Compton was arrested and charged with felony aggravated arson and insurance fraud. He was indicted last week.

According to court documents, a cardiologist who reviewed the pacemaker’s data determined that it was…

…highly improbable Mr Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.

While this might be the first case of pacemaker data being used in a prosecution, it’s not the first use of Internet of Things (IoT) data being sought in a criminal investigation.

In December, Arkansas police were trying to get Amazon to help them get data from an Amazon Echo they found at a murder scene after a man was strangled in a hot tub.

Besides prosecutors and local police, the government is also quite interested in the information they can siphon from connected medical devices… and appliances… and toys… and, well, any and all data that can be monitored and collected courtesy of the IoT.

A year ago, the nation’s top spook – US director of national intelligence James Clapper – told the Senate that Big Brother might someday eyeball us through our world of connected gadgets, be they pacemakers, fridges, or toothbrushes.

In the future, intelligence services might use the [IoT] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.

If and when intelligence agencies get around to tapping into the IoT – Clapper didn’t specify which agencies were mulling the move – they’ll have quite a list of household objects to squeeze surveillance out of. It probably won’t be too challenging to do so, given the security holes they’re known for.

We’ve seen issues with connected pacemakers, kettles, TVs, lightbulbs, thermostats, refrigerators and baby monitors that have all been designed without adherence to the information security principle of least privilege.

Of course, one person’s security hole is another person’s opportunity to gather evidence. Today, that means Ohio police have sought, and a court has granted, a warrant for pacemaker data that played some part in indicting an alleged arsonist.

Tomorrow, who knows which intelligence or law agencies will be using that information, and to what end?

All the more reason to know the risks of Amazon Alexa, Google Home, babycams, pacemakers and the whole lot of connected gadgetry.

This stuff increasingly proliferates in our homes. In the case of cardiac wireless devices, they’re implanted into our very bodies. It behooves us all to bear in mind that connected things, which can be our near-constant companions, can also be used as constant spying devices by hackers or as constant court recorders in potential criminal cases.

Remember, you have the right to remain silent, whether you’re being arrested and questioned by police or you decide to turn off Alexa’s always-on listening function.

For better or worse, your pacemaker does not.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1SZqz6RWVOI/

UK.gov slammed by Parliamentary types for ‘dysfunctional’ infosec

A scathing parliamentary report into UK.gov’s infosec practices has called for the government to step up its efforts to protect Britain from cyber attacks in the face of today’s “chaotic” practices.

The criticism is published today in the Public Accounts Committee’s report on Protecting Information Across Government, which follows a similar report last year from the National Audit Office that slammed the Cabinet Office’s continuing failures to organise central government’s approach to infosec.

These two official reports have found that the Cabinet Office has failed in both its duty and ambition to coordinate and lead government departments’ efforts in protecting information. According to the PAC, there is “little oversight of the costs and performance of government information assurance projects, and processes for recording departmental personal data breaches are inconsistent and dysfunctional.”

Meg Hillier MP, chair of the PAC, said today: “Government has a vital role to play in cyber security across society, but it needs to raise its game. Its approach to handling personal data breaches has been chaotic and does not inspire confidence in its ability to take swift, coordinated and effective action in the face of higher-threat attacks. The threat of cyber crime is ever-growing, yet evidence shows Britain ranks below Brazil, South Africa and China in keeping phones and laptops secure,” Hillier continued.

In this context it should concern us all that the Government is struggling to ensure its security profession has the skills it needs. Leadership from the centre [of government] is inadequate and, while the National Cyber Security Centre has the potential to address this, practical aspects of its role must be clarified quickly.

“Government must communicate clearly to industry, institutions and the public what it is doing to maintain cyber security on their behalf and exactly how and where they can find support,” the committee chair concluded.

NCSC and data breaches

Where there were formerly “at least 12 separate teams or organisations” with infosec duties within the centre of government, many of these have now been amalgamated within the UK’s new National Cyber Security Centre. Launched in October 2016, NCSC will offer guidance to all, and has promised businesses that it would not inform the Information Commissioner’s Office of any data breaches they had suffered.

This is at odds with the PAC’s report, which complains: “Poor reporting of low-level breaches, such as letters containing personal details being addressed to the wrong person, reduces our confidence in the Cabinet Office’s ability to protect the nation from higher-threat cyber attacks.”

There are “major and unexplained variations in the extent to which individual departments report security breaches,” the report continued. “In 2014-15, the 17 largest departments recorded a total of 14 data incidents that they considered reportable to the Information Commissioner’s Office, and recorded 8,981 non-reportable incidents. Of the 8,981, Her Majesty’s Revenue and Customs (HMRC) recorded 6,038 (67 per cent) and the Ministry of Justice (MoJ) 2,798 (31 per cent).”

The remaining 15 departments recorded under two per cent of the total data breach incidents, with the Department for Work and Pensions (DWP) recording no non-reportable incidents at all, despite being “a large department with a comparable level of online activity to HMRC,” according to the PAC.

We are aware that numerous low-level breaches do occur, such as letters containing personal details being addressed to the wrong person; however these are not consistently recorded as data breaches.

The Cabinet Office does not collect or analyse departments’ performance in protecting information on a routine or timely basis and was not aware of the wide variability and inconsistency of departments’ self-reporting processes prior to the National Audit Office’s analysis.

Departments with a high reporting rate are likely to be better protected because they have developed a reporting culture to allow early identification of threats. Without a consistent approach across Whitehall to identifying, recording and reporting security incidents, the Cabinet Office is unable to make informed decisions about where to direct and prioritise its attention.

It recommended that the Cabinet Office “should consult with the Information Commissioner’s Office to establish best practice reporting guidelines, and issue these to departments to ensure consistent personal data breach reporting from the beginning of the 2017-18 financial year.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/03/pac_report_protecting_information_across_government/