STE WILLIAMS

Trump hits control-Z on cybersecurity order: No reason given for delay

US President Donald Trump unexpectedly cancelled the signing of a new executive order on cybersecurity Tuesday, following a day of briefings by the White House on its contents.

The order – a draft of which was leaked and we reviewed last week – was due to be signed at 3:15pm Eastern time, but was cancelled at the last minute with no explanation given.

While discussion and commentary in the capital has continued to revolve around the fallout from Trump’s ill-conceived executive order on immigration – not least his firing on Monday night of the assistant attorney general after she questioned its legality – the White House has spent much of the day talking about cybersecurity.

Officials briefed journalists in the morning on the order’s contents and told them that the goal behind the order was to “hold the heads of federal agencies accountable for managing their cyber risk.” A cybersecurity framework developed by NIST, the National Institute of Standards and Technology, was held up as the standard.

The order also asks the executive branch’s budget operation – the Office of Management and Budget – to assess the risks that the federal government faces when it comes to cybersecurity, with an eye to modernizing the system to be more secure.

In the afternoon, Trump held a meeting with a group on cybersecurity – including Rudy Giuliani, who he has chosen to head up cybersecurity efforts despite a lack of experience – in which he reiterated that he would “hold my cabinet secretaries and agency heads accountable, totally accountable, for the cyber security of their organizations.”

From Russia with love

Trump and Giuliani went heavy on the need to secure networks against attacks, and said that corporations – which own the majority of internet networks in the United States – would need to work with the government to that end. However, they stopped short of suggesting there would be an effort to impose some form of authority over them.

Trump talked about “working with” the private sector on cybersecurity and said that he would “make sure that owners and operators of critical infrastructure have the support they need from the federal government to defend against cyber threats.” Giuliani was more aggressive, arguing that “the private sector is wide open to hacking, and sometimes by hacking the private sector, you get into government. So we can’t do this separately.” He said part of the goal of the executive order was to “get the private sector to wake up.”

Trump said: “We must protect federal networks and data. We operate these networks on behalf of the American people and they are very important,” and he gave the electrical grid and power plants as key examples.

Trump was unable to stop himself from talking about the hack of the Democratic National Congress’ email servers, however – leaks from which embarrassed the political party and contributed to his victory.

“Despite how they spent hundreds and hundreds of millions of dollars more money than we did, the Democratic National Committee was hacked successfully, very successfully, and terribly successfully,” he noted.

He then repeated the questionable statement that the same hackers who infiltrated the DNC’s servers had tried unsuccessfully to do the same to the Republican party. “The Republican National Committee was not hacked. Meaning it was hacked, but they failed. It was reported, I believe, by Reince and other people that it was hacked, but we had a very strong defense system against hacking.”


Despite having raised the issue, Trump refused to mention or talk about the assessment of the US intelligence agencies that it was the Russian government that had instigated the hacking and had actively attempted to sway the election in his favor. Cybersecurity experts also believe that the RNC servers were in fact hacked by the Russian government – but their contents were not shared publicly for fear of damaging Trump’s chances.

After the briefing and meeting on cybersecurity, Trump was scheduled to sign the executive order in the Oval Office. That signing was abruptly cancelled however, with no explanation given. The final text of the order has yet to be confirmed, although a draft was leaked to The Washington Post. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/trump_delays_cybersecurity_signing/

Over 4.2 Billion Records Exposed In 4,149 Breaches In 2016

Survey says US and UK witnessed more than half of 2016 global breaches; 52% of attacks compromised Social Security Numbers.

A survey by Risk Based Security reveals that 2016 saw a significant rise in worldwide breaches and data theft, with incidents in the US (1,971) and the UK (204) accounting for more than half of them, NBC News reports. Most alarming, says another study, is the increase in theft of Social Security Numbers (SSNs): 52% of all 2016 breaches involved SSNs – up from 44% in 2015 – and were carried out through spear-phishing.

Last year, over 4.2 billion records were exposed in 4,149 cyber incidents, around 3.2 billion more records than the previous high, set in 2013, with the Yahoo breaches contributing heavily to the increase. While businesses were the prime targets, accounting for 55% of all attacks, breach severity increased too, with an average severity score of 9.96 out of 10 among the 10 biggest breaches of 2016.

Hackers appear to be attacking with more sophisticated methods and more precision, says an Online Trust Alliance report.

“They’re targeting specific companies and industry sectors and not just for consumer data, but for business data, data regarding acquisition and mergers, data that may also harm a company’s reputation,” it adds.

Read full report on NBC News.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/over-42-billion-records-exposed-in-4149-breaches-in-2016/d/d-id/1328015?_mc=RSS_DR_EDT

Google Paid $3 Million To Bug Hunters In 2016

Search engine giant an example of the growing number of organizations benefiting from bug bounty programs.

Despite warnings about relying too heavily on crowdsourced bug bounty programs, these vulnerability discovery initiatives are proving successful for some companies, judging from the payouts to security researchers in recent years.

One example is Google. New data from the company this week shows that in 2016, Google paid some $3 million in rewards to 350 bug hunters from 50 countries who discovered more than 1,000 security vulnerabilities in Android, Chrome, and other Google products.

The payout was about 50% higher than the $2 million that Google handed out in similar rewards in 2015, and double the $1.5 million it paid out in 2014. Counting last year’s awards, Google has so far awarded $9 million in bug bounties since it first introduced the Vulnerability Rewards Program (VRP) in 2010.

Google is not alone in making payouts to researchers who find vulns in their products. As of last October, Facebook had paid upwards of $5 million in rewards to bug hunters, with a majority of them in India, the US, and Mexico. In the first half of 2016 alone, Facebook received over 9,000 bug disclosure reports and paid more than $610,000 to 149 researchers.

Bugcrowd, which coordinates bug-hunting programs for enterprises, last year delivered over 9,000 validated vulnerabilities to its clients, who include the likes of Fiat Chrysler Automobiles, Western Union, and Fitbit. The actual number of bug submissions was much bigger: since January 2013, Bugcrowd has paid over $2.1 million in bounties for about 7,000 validated vulnerabilities on client networks and services.

Currently, more than 500 companies have managed bounty programs under which they offer rewards and recognition to security researchers who find security bugs in their websites and services. While some large companies like Google and Facebook manage the programs independently, many others have tapped the services of firms like Bugcrowd and HackerOne to do it for them.

A growing number of organizations have begun turning to crowd-sourced bug hunting because of its effectiveness, says John Pescatore, director of emerging security threats at the SANS Institute.

“One factor is that security consultancies had gotten lazy,” Pescatore says. Many of them conduct their app testing engagements using medium-skilled consultants who run off-the-shelf tools, add very little value and produce a cut-and-paste, largely boilerplate report.

“For the same dollars spent, [bug bounty] programs are getting much higher levels of satisfaction because they are showing more value,” Pescatore says.

The most successful bounty programs are the well-managed ones that use a vetting approach to create a pool of specially picked researchers. Such programs ensure that talent from the pool is assigned to go after vulnerabilities in applications and platforms that match their individual skillsets.

“Just saying ‘pound on my website, if you find something I’ll give you a prize’ leads to some vulnerabilities being found, but many false positives,” Pescatore notes.

With so-called hack-a-thons and ill-managed programs, there is little guarantee that discovered vulnerabilities will not also be sold to other bidders, including organized crime. “The well-managed ones have been very successful, from the point of view of both quantity of meaningful vulnerabilities found per dollar spent,” Pescatore says.

In a blog post this week, Eduardo Vela Nava, technical lead of Google’s vulnerability rewards programs, pointed to the company’s continuing success with the program as a reason for expanding it. Last year, for example, Google opened up its previously invitation-only Chrome Fuzzer Program to all security researchers. The program gives security researchers an opportunity to run specific fuzzers at massive scale across Google’s hardware platform and receive rewards starting at $500 for discovering bugs in them. Some of the rewards that Google has awarded under the Chrome Fuzzer Program have exceeded $30,000.

More Google products and services are now also eligible targets for bug hunting, including Nest and Google OnHub, Nava said.

“I think it is great that companies see this as essentially an extension of their security quality assurance programs,” says Pete Lindstrom, an analyst with UDC. “Any opportunity to manage and contain the disclosure process is more beneficial than ad-hoc public disclosure.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/vulnerabilities---threats/google-paid-$3-million-to-bug-hunters-in-2016/d/d-id/1328026?_mc=RSS_DR_EDT

News in brief: Witcher user details stolen; email chain generated 500m messages; Russians face treason charges

Your daily round-up of some of the other security stories in the news

Nearly 2m records stolen from The Witcher forum

Close to 2m user credentials have been stolen from the Witcher game developers’ forum, according to breach notification website Have I Been Pwned.

The leak of 1.8m records from the forum, run by the game’s developer CD Projekt RED, apparently happened in March last year, according to IT Pro, quoting emails sent to users via Have I Been Pwned, but, as HIBP owner Troy Hunt points out, “sometimes there can be a lengthy lead time of months or even years before the data is disclosed publicly”.

If you’re a member of that forum, our advice, as ever, is to change your password – and now would be a good time to review our advice on how to choose a good password.

Reply-all chain sent out 500m emails in 75 minutes

A wrongly configured distribution list was to blame for the reply-all email chain that saw half a billion emails being sent across the NHS’s network in just 75 minutes in November, almost bringing the network to its knees, according to a report into the incident seen by The Register.

The unwitting starter of the chain was a local admin who thought they were sending a test email to a restricted group they had just set up – but the misconfiguration meant that without their knowledge, emails sent to the group actually went to the NHS’s “AllEngland” group of more than 1m users.

The trouble started when irritated users hit “reply all” to ask to be taken off the distribution list, slowing the network to a crawl. The moral of the story? Don’t hit reply-all unless you’re absolutely sure your reply does actually need to go to everyone.

Russian cybersecurity officials face treason charges

Two of Russia’s top cybersecurity officials have been arrested in Moscow accused of co-operating with the CIA, according to a Russian news report. The two men, Sergei Mihailov, deputy head of the FSB’s Centre for Information Security, and his deputy, Dmitry Dokuchayev, both face charges of treason, said Interfax, the Russian news agency.

Their arrest follows that of Ruslan Stoyanov of Kaspersky’s computer incidents investigations unit in December, although his arrest is apparently not linked to his work with the company.

It’s unclear from the murk surrounding this ongoing scandal if the arrests are connected to the widespread belief that the US election was influenced by alleged Russian hacking, although Kremlin-watchers have suggested that the arrests could be part of a purge connected to the attacks on the US election.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UzU1gLTIVa8/

Facebook steps up security by allowing physical keys for log-in

Facebook has stepped up security for users with its announcement that in addition to its in-app support for two-factor authentication (2FA), it is now supporting 2FA with physical security keys.

This is great news for anyone who prefers not to use a smartphone app or rely on an SMS message for 2FA: all you need now is an internet connection and a compatible security token.

A quick refresher: you use 2FA to log in to a service, program, or website by authenticating you are who you say you are with two of the three factors below:

  • Something you know (eg a password)
  • Something you have (eg a key code)
  • Something you are (eg a fingerprint or iris scan)

We’ve covered why we think 2FA is a great idea and why you should enable it on services that offer it to you (and the list of services using 2FA grows by the day). If, upon logging in to a website or corporate computer, you’ve ever been asked to enter a numerical code sent to you by SMS or displayed on a key fob that you’ve been given, that’s 2FA at work.

The physical security keys that Facebook now supports for 2FA plug into a computer’s USB port – so, yes, you do at the very least need USB capabilities. There’s no specific brand or key that a Facebook user needs to buy: so long as it supports the Universal 2nd Factor (U2F) standard, the key should work with Facebook’s 2FA protocols.

A popular option for U2F is Yubico’s YubiKey, which also allows 2FA logons for other apps like Dropbox and LastPass, so if you’re considering purchasing a token for Facebook, it’s not singular-use. (This is a bonus that Facebook itself touts in its official blog post on this announcement.)

When you enable the physical security key on your Facebook account, you’ll be prompted to simply touch a button on the USB key to acknowledge that the key is in your possession and you’re authorizing the login.

The catch is that you must be logging on to Facebook using a browser, and at this time only Chrome and Opera are supported (Firefox and Safari fans take note). The key also doesn’t work with the Facebook mobile app just yet.

We always recommend that you use a unique password and enable 2FA to keep your Facebook account safe from anyone who might try to break into it, or ensnare you in a phishing attack.

You don’t need to be a high-profile user or celebrity to be wary of this happening to you: with so many services and apps using Facebook as their login protocol, you could in effect be handing over the keys to the kingdom to a lot of services you use (and have financial information tied to) if your Facebook account is not properly secured.

By enabling 2FA on your account, it’s an additional signal to you that the service you’re logging into is indeed the real deal – and if, by chance, someone tries to fool you into giving away your credentials with a convincing phishing attack, the lack of a 2FA prompt will immediately signal that something is amiss. And unless an attacker has access to your physical token (something you have), even if they know or figure out your password, they still can’t access your account.
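The two properties the paragraphs above rely on, that a U2F key only answers for the site it was registered with and that a captured response cannot be replayed, are easiest to see in code. The following is an added example written for this page, not Facebook's code or the U2F specification's reference implementation. It models a token, a relying party (the website) and the browser's role. Assumptions: the origin "https://www.facebook.example" and the look-alike "https://www.facebook.example.evil" are constructed; an HMAC keyed with a per-registration secret stands in for the ECDSA P-256 signature a real token produces (so the site holds that secret rather than a public key); and the browser uses the page origin as the AppID, which is U2F's default and stands in for the browser's AppID/facet check.

```python
import hashlib
import hmac
import json
import secrets
import struct


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Constructed stand-in for a U2F USB token.

    Each registration is bound to the SHA-256 of the site's AppID (U2F's
    'application parameter'). Assumption: HMAC with a per-registration
    secret replaces the real token's ECDSA signature.
    """

    def __init__(self):
        self._regs = {}    # key_handle -> (app_param, secret)
        self._counter = 0  # bumps on every assertion; lets the site spot replays

    def register(self, app_id: str):
        app_param = sha256(app_id.encode())
        secret = secrets.token_bytes(32)
        key_handle = secrets.token_bytes(16)
        self._regs[key_handle] = (app_param, secret)
        return key_handle, secret  # a real token would return a public key here

    def authenticate(self, app_id: str, key_handle: bytes, challenge_param: bytes,
                     touched: bool = True) -> dict:
        # Pressing the button on the key is the proof of user presence.
        if not touched:
            raise PermissionError("user presence required: touch the key")
        reg = self._regs.get(key_handle)
        if reg is None or reg[0] != sha256(app_id.encode()):
            # A key handle only works with the AppID it was registered for,
            # so a look-alike site cannot borrow the real site's registration.
            raise PermissionError("key handle is not registered for this AppID")
        app_param, secret = reg
        self._counter += 1
        # U2F signs: appParam || userPresence || counter || challengeParam
        signed = app_param + b"\x01" + struct.pack(">I", self._counter) + challenge_param
        sig = hmac.new(secret, signed, hashlib.sha256).digest()
        return {"user_presence": 1, "counter": self._counter, "signature": sig}


class RelyingParty:
    """The website's side: issues one-time challenges and verifies assertions."""

    def __init__(self, app_id: str, origin: str):
        self.app_id, self.origin = app_id, origin
        self._users = {}    # username -> {key_handle, verify_key, counter}
        self._pending = {}  # username -> outstanding challenge

    def enroll(self, username: str, key_handle: bytes, verify_key: bytes):
        self._users[username] = {"key_handle": key_handle, "verify_key": verify_key, "counter": 0}

    def start_login(self, username: str) -> str:
        self._pending[username] = secrets.token_urlsafe(32)
        return self._pending[username]

    def finish_login(self, username: str, client_data: bytes, assertion: dict) -> bool:
        user = self._users[username]
        challenge = self._pending.pop(username, None)  # single use
        parsed = json.loads(client_data)
        if challenge is None or parsed.get("challenge") != challenge:
            return False  # unknown or already-consumed challenge (replay)
        if parsed.get("origin") != self.origin:
            return False  # signed for a different site
        if assertion["counter"] <= user["counter"]:
            return False  # counter went backwards: replay or cloned key
        signed = (sha256(self.app_id.encode()) + bytes([assertion["user_presence"]])
                  + struct.pack(">I", assertion["counter"]) + sha256(client_data))
        expected = hmac.new(user["verify_key"], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        user["counter"] = assertion["counter"]
        return True


def browser_login(site: RelyingParty, key: SecurityKey, username: str,
                  page_origin: str, key_handle: bytes):
    """The browser's role. Assumption: AppID = page origin, U2F's default,
    which models the facet check: a page may only act for its own origin."""
    challenge = site.start_login(username)
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    assertion = key.authenticate(page_origin, key_handle, sha256(client_data))
    return client_data, assertion


def demo() -> dict:
    site = RelyingParty("https://www.facebook.example", "https://www.facebook.example")
    key = SecurityKey()
    key_handle, verify_key = key.register(site.app_id)
    site.enroll("alice", key_handle, verify_key)
    # 1. Genuine login from the real origin.
    client_data, assertion = browser_login(site, key, "alice", site.origin, key_handle)
    genuine = site.finish_login("alice", client_data, assertion)
    # 2. Replaying the captured response: the challenge was single use.
    replay = site.finish_login("alice", client_data, assertion)
    # 3. A look-alike page relays the real challenge and key handle, but the
    #    key refuses to sign for an AppID it was never registered with.
    try:
        browser_login(site, key, "alice", "https://www.facebook.example.evil", key_handle)
        phishing_refused = False
    except PermissionError:
        phishing_refused = True
    return {"genuine": genuine, "replay": replay, "phishing_refused": phishing_refused}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives a successful genuine login, a rejected replay and a refused phishing attempt. The point for a defender is that neither the user nor the site has to notice the fake domain: the origin is baked into what the key signs and into which key handles the key will accept, which is why the article can say that the absence of a 2FA prompt on a look-alike page is itself the warning sign.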


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NHWz8lWLB70/

Suffered a breach? Expect to lose cash, opportunities, and customers – report

More than a third of organisations that experienced a breach last year reported substantial customer, opportunity and revenue loss.

The finding is one of the key takeaways from the latest edition of Cisco’s annual cybersecurity report, which also suggests that defenders are struggling to improve defences against a growing range of threats.

The vast majority (90 per cent) of breached organisations are improving threat defence technologies and processes following attacks by separating IT and security functions (38 per cent), increasing security awareness training for employees (38 per cent), and implementing risk mitigation techniques (37 per cent). The report surveyed nearly 3,000 chief security officers (CSOs) and security operations leaders from 13 countries. CSOs cite budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security policies.

More than half of organisations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention. For organisations that experienced an attack, the effect can be substantial: 22 per cent of breached organisations lost customers and 29 per cent lost revenue, with 38 per cent of that group losing more than 20 per cent of revenue. A third (33 per cent) of breached organisations lost business opportunities.

Hackers are returning to classic attack vectors from 2010 and earlier, such as adware and email spam, to exploit access points.

Spam has reached levels not seen for seven years, according to Cisco, accounting for nearly two-thirds (65 per cent) of email with 8 to 10 per cent cited as malicious. Penis pill promos and more mendacious pitches are sent via botnets of compromised PCs and servers.

A bright spot emerged with a drop in the use of large exploit kits such as Angler, Nuclear and Neutrino, whose owners were brought down last year, but smaller players rushed in to fill the gap.

Cybersecurity has experienced a dramatic change since the first Cisco Annual Security Report in 2007. Back then, the ASR reported that web and business applications were targets, often via social engineering, or “user-introduced infractions”. In 2017, hackers attack cloud-based applications, and spam has escalated. The formation of well-structured and intelligent cybercrime networks has brought numerous new challenges for businesses.

The 2017 edition of Cisco’s study reports that just 56 per cent of security alerts are investigated and less than half of legitimate alerts remediated. Defenders, while confident in their tools, battle complexity and manpower challenges, leaving gaps that hackers may be able to exploit.

Cybercrime is becoming more “corporate”. “While attackers continue to leverage time-tested techniques,” Cisco reports, “they also employ new approaches that mirror the ‘middle management’ structure of their corporate targets.”

Ten years ago, malware attacks were on the rise, with organised crime profiting from them. In today’s shadow economy, thieves now run cybercrime as a business, offering low barrier-to-entry options to potential customers through easily purchased “off-the-shelf” exploit kits and other illicit wares.

Cisco’s 2017 report can be found here (registration required). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/cisco_cybersecurity_sitrep/

Human memory, or the lack of it, is the biggest security bug on the ‘net

Usenix Enigma 2017 The life of the security IT professional would be a lot easier if people were capable of remembering enough passwords so that they didn’t need to reuse them.

That was the considered opinion of Facebook’s head of security Alex Stamos and Google’s security princess (her actual Chocolate Factory job title) and Enigma 2017 conference co-chair Parisa Tabriz. The two held a fireside chat at the conference on Monday evening – complete with digital log fire – and chewed the fat over the woes of the industry with the aid of a very nice bottle of Ardbeg scotch.

“Password reuse, it’s the worst problem on the internet,” Stamos opined. “Once a website gets hacked the passwords end up in a database and criminals have gotten very adept at setting up software to try them out against other accounts.”

Tabriz agreed it was a massive problem, but suggested that the industry couldn’t blame users for what was ultimately a technical issue. While hardware access systems such as those implemented by Facebook last week were a step in the right direction, the industry still hasn’t found a one-size-fits-all strategy that works.

“We don’t have a really good, usable password solution for everyone,” she said. “We need more people working on these problems. It’s hard for not just technical reasons – people are a big part of that. It’s not that people are dumb – we don’t blame victims – but we should make web authentication easier.”

Stamos agreed, pointing out that if someone crashes an unsafe car into a wall at 50mph and dies, you don’t call them an idiot. But people need to be aware that trying to maintain a decent password regimen is essential.

Education plays a big role, she pointed out. When Google first introduced the Chrome padlock browser bar symbol to indicate a secure connection, testing with consumers showed that most thought it was a handbag.

While password management isn’t as sexy a topic as something like cryptography, in many ways it is more important, Stamos suggested. The industry was occasionally a little too focused on bigger issues like advanced cryptography, to the detriment of more mundane issues.

That said, Google has already begun testing its systems for a “post-quantum” world. The slow-but-steady progress toward quantum computing has cryptoboffins concerned, and Google has its own quantum system and is using it to try out new forms of encryption for the future.

Facebook hasn’t started quantum computing yet, Stamos said, but it was under consideration. The social network cooks its own crypto, as it doesn’t trust cryptography shipped by operating system makers and prefers to use its own.

One problem Facebook hadn’t been expecting, however, is that many people aren’t using it. He cited an unnamed developing country where Facebook found that half of the people were using a Facebook app that didn’t have Menlo Park’s encryption system employed.

“We found out that people go to the store for applications, hand over a buck or so and get apps copied to their phones by the storekeeper,” he recounted. “This allows them to upload in bulk because the amount people pay for mobile charges is so high, but they aren’t getting the legitimate app. We had to set up stands in the area to update folks’ phones.”

One possible solution to the human problem is to get a more diverse group of people working on security, Stamos stated. In the past, firms have been too willing to just find candidates that tick the usual engineering boxes. Getting more non-standard researchers has shown benefits. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/01/31/human_memory_biggest_security_issue/

How Cybercriminals Turn Employees Into Rogue Insiders

The Dark Web is a growing threat to organizations as hackers recruit insiders with access to corporate networks.

Cybercriminals are ramping up efforts to recruit employees with access to corporate networks. The Dark Web, which promises anonymity to rogue insiders, is driving that trend.

Researchers from IntSights and RedOwl spent two years studying Dark Web forums on recruiting, and working with, insiders. Today they released their findings, in a report entitled “Monetizing the Insider: The Growing Symbiosis of Insiders and the Dark Web.”

In those two years, they saw about 1,000 references to insiders in cybercrime forums, with a spike occurring towards the end of 2016. Forum discussions and insider outreach nearly doubled between 2015 and 2016.

“Recruitment of insiders is increasing, and the use of the dark web is the current methodology that malicious actors are using to find insiders,” explains researcher Tim Condello, technical account manager and security researcher at RedOwl.

Cybercriminals recruit with the goal of finding insiders to steal data, make illegal trades, or otherwise generate profit. Advanced threat actors look for insiders to place malware within a business’ perimeter security. However, sophistication isn’t a requirement for success.

“Successful hacking is a mix of tech savviness and domain knowledge,” says Condello. “Hackers previously had to have a hybrid of both, or fully understand the domain they were attacking. Now, they can leverage an insider to provide domain expertise to have a successful attack.”

Think your business is safe? Think again. All insiders pose a risk, regardless of their seniority or technical ability, experts say. As major data breaches continue to make headlines, people are recognizing the tremendous impact leaked data can have on a business — and how they can profit from it.

There are three types of people who fall into the “insider” category, says Condello: negligent employees who don’t practice good cyber hygiene, disgruntled employees with ill will, and malicious employees who join organizations with the intent to defraud them.

Those who are recruited on the Dark Web know they are protected, as most forums require a selection process. Insiders have to submit information to administrators, who review and verify the information.

“There is an elaborate vetting process before you can access the forum,” he explains. “They want to know where you are in the organization, how much access you have, and how timely you can release information.”

The growth of insider recruitment is a problem across industries, but it’s predominantly affecting financial institutions, notes Condello. Because that’s where the money is, cybercriminals know there’s a clear line to turning a profit.

This is a growing trend and will continue to threaten businesses. As bad actors learn about attacks that were successful due to domain expertise, and expertise gained by leveraging insider knowledge, they will be motivated to solicit insiders and plan new crimes. A powerful draw will be the quick and easy monetization provided by the Dark Web.

Businesses need to be aware of the types of information being accessed, monitored, and moved inside and outside the organization. The only way to detect, monitor, and manage this type of activity is to implement an insider threat program.

“The way organizations can protect themselves is by understanding the threat landscape,” Condello says. “Landscapes are not just external; they’re also internal. Make sure you’re building mitigation into external and internal threats.”

More businesses are developing insider threat programs, the report found, but there is room for improvement. Eighty percent of security efforts focus on perimeter defenses, and less than half of businesses have budgets for insider threat programs.


Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/vulnerabilities---threats/how-cybercriminals-turn-employees-into-rogue-insiders/d/d-id/1328018?_mc=RSS_DR_EDT

3 Things Companies Must Do Before A Data Breach

It’s important to plan ahead for when you’re attacked, and these tips will help you get ready.


As attacks become more complex, more damaging, and more frequent than ever, the quality of your response becomes critical to limiting the impact. In fact, a strong incident response (IR) function saves an average of $400,000 in damages per data breach, according to the Ponemon Institute, in research sponsored by IBM Resilient. 

The new Cyber Resilient Organization study by the Ponemon Institute showed security teams are striving to build stronger and more proactive IR programs — but clearly, they have some serious challenges. Two-thirds of IT and security professionals aren’t confident in their organization’s cyber resilience. And three-quarters of them don’t have a cybersecurity IR plan in place that’s applied consistently across their organization.

The study also suggested key guidance for increasing cyber resilience: improved planning and preparation. Successfully resolving and mitigating a cyberattack requires fast, intelligent, and decisive action. You need to have a plan in place to know what to do before an attack happens, and, as importantly, practice executing it.

When it comes to the plan, here are three things to include and tips on how to prepare before an attack occurs.

1. Identify and Involve Internal Collaborators
IR is an organization-wide priority, with many business units playing a critical role in successfully resolving an attack. Legal, HR, and finance teams must be involved to ensure compliance with regulations, and understand liabilities in case of a breach or when you’re facing an insider attack. In the worst cases, the marketing department and the organization’s executives may need to step in to address the media.

During an incident, security leaders should coordinate with these parties as needed, providing specific guidance on the nature of the incident, what’s being asked of them, and when they need to act. For example, in the case of a ransomware attack, who makes the decision whether to pay the ransom or determine the business value of the data being ransomed?

Before an incident occurs, involve these groups in the IR planning process. Get their input early — and let them know what will be expected of them. It’s also smart to include them in simulations and exercises, to ensure they’re primed to act when needed.

2. Enable Investigation into the Full Scope of the Attack
This might seem like an obvious step, but in today’s world of advanced persistent threats and targeted campaigns, truly understanding the extent of an attack can be difficult. 

The emergence of threat intelligence gives security teams a strong weapon in gaining context about incidents. By leveraging the indicators of compromise; tactics, techniques, and procedures; and other artifacts of an incident, analysts can discern if an attack is a singular incident or part of a larger campaign against you. Threat intelligence also helps you understand the identity of the adversary and their goal: Is the adversary a single attacker, part of an organized crime group, or a state actor? Is the target intellectual property, customer information, or employee information? By understanding these aspects of the attacks, you can more accurately determine the scope of your challenge and whom to involve.

3. Map Out the Regulatory Ramifications
The regulatory impact of a breach can be one of the costlier aspects of a successful attack. It’s no surprise, but the Ponemon Cost of a Data Breach study showed that more heavily regulated industries, including healthcare and finance, incurred higher data breach costs.

The challenge boils down to two factors: complex and inconsistent regulations, and tight deadlines. For any incident, it’s important to get your legal team involved early, and provide team members with the details they need to make fast and accurate decisions.

Being prepared for this is going to be even more critical in the future. The EU’s impending data breach law — the General Data Protection Regulation — is among the widest-sweeping global privacy regulations we’ve seen. It doesn’t come into effect until 2018, but smart organizations are preparing, planning, and assessing their ability to comply today.

Incident response is the most human-centric security function, more so than prevention and detection. Bringing people, process, and technology together as a cohesive whole when needed is critical.

By taking steps today to develop, practice, and refine IR processes, teams will be much better able to successfully manage and mitigate the damage when attacks inevitably occur.


John Bruce is a seasoned executive with a successful track record of building companies that deliver innovative customer solutions, particularly in security products and services. Previously Chairman and CEO of Quickcomm, an Inc. 500 international company headquartered in New …

Article source: http://www.darkreading.com/3-things-companies-must-do-before-a-data-breach/a/d-id/1327987?_mc=RSS_DR_EDT
