STE WILLIAMS

Does F-Secure’s antivirus turn a blind eye to spook spyware? CEO hits back


Antivirus maker F-Secure has responded to privacy campaigners’ concerns over the handling of spook-grade surveillance malware – by insisting its security software slays government spyware wherever it can.

In an open letter to the Bits of Freedom team, F-Secure president and chief exec Christian Fredrikson said his firm stands by its 2001 vow not to discriminate in favor of intelligence agencies when blocking potentially malicious code.


Earlier this month, the campaigners wrote [PDF] to F-Secure, which is headquartered in Helsinki, Finland, demanding to know whether the biz had “ever been approached … by a government requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software.”

Now Fredrikson has shot back: “If we would be approached by a government asking us not to detect a specific piece of malware, we would not comply with their request.

“To us, the source of the malware does not come into play when deciding whether to detect malware.”

The letter sent by the privacy warriors was part of an open call to antivirus vendors to disclose their policies.

The campaign, backed by top computer security expert Bruce Schneier, asked companies to come clean on whether they would turn a blind eye to a particular strain of spyware should a government ask.

According to Fredrikson, the company has in fact encountered government-sponsored malware samples. The firm cited the 2011 saga of R2D2, a secretive package that was allegedly deployed by German police to listen in on VoIP calls.

Once detected, however, the firm said that it grants no special favors to the g-men’s software. Fredrikson denied that F-Secure has ever been asked by government agencies to allow spyware through its security checks.

“If it’s malware, we will protect our customers from it. Our decision-making boils down to a simple question: would our customers run this program on their system or not,” the F-Secure boss continued.

“Obviously the answer for governmental trojans would be a ‘no’.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/07/fsecure_to_feds_malware_is_malware_and_youre_not_getting_any_favors/

WhatsApp Security To Be Spotlighted At Black Hat Regional Conference

Usually, the talks at Black Hat are more likely to revolve around compromising security and privacy. At the Black Hat Regional Summit in Brazil later this month, however, one researcher will take the opposite tack and look to add new layers of security to protect users of the WhatsApp messenger service.

WhatsApp is a cross-platform instant messaging service for Google Android, BlackBerry, Apple iOS, Nokia Series 40, Symbian S60, and Microsoft Windows Phone. Besides text messaging, users can send each other images, video, and audio messages. But the question that bugged security researcher Jamie Sanchez is just how safe messaging can be in an age of government monitoring.

WhatsApp has taken hits before over privacy and security. For example, the company was criticized by some for using International Mobile Equipment Identity (IMEI) numbers, a situation the company has reportedly fixed. Last month, a Dutch researcher reported that the company uses the same cipher stream for outgoing and incoming messages; reusing one keystream in both directions lets an eavesdropper XOR the two ciphertexts together, cancelling the keystream and exposing the XOR of the two plaintexts. At the time, the company criticized the report, calling an attack on the issue “theoretical.”

WhatsApp did not respond to a request for comment before publication. For Sanchez, the main objective of his research was to ensure the exchange of messages can happen in a way that could not be affected by an external hacker.

“The first layer of security involves adding secure encryption to the client,” says Sanchez. “If an attacker intercepts the messages, or any governments try to intercept our messages at WhatsApp’s server, they won’t find any legible information. Only recipients that know the password and algorithm chosen will be able to decrypt the original message.”

“In the second layer, we give a certain level of anonymity to the conversation by using fake/anonymous accounts and intermediate communication nodes,” he continues. “We ensure that there is no direct communication between the mobile phone and the server.”

The final piece of the puzzle involves modifying the inner workings of the application and routing all traffic and messages to Sanchez’s own XMPP server and only using the original WhatsApp servers to send fake data.

“We analyze every message we send and proceed to decipher the message using the custom encryption algorithm,” he says. “Then we extract the plaintext message to send it to the XMPP server with this data: ??. The program will replace every character in the original text with our wildcard character, so the original message will never pass through WhatsApp’s servers, (this step is necessary or destination will reject our messages).”

Finally, the recipient receives a message full of wildcard characters, queries the XMPP server and replaces it with the original text, he says.
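The relay scheme described above, as an added example that is not part of the original article or of Sanchez's own tooling: the sender encrypts the real text under a shared password, parks the ciphertext on a side channel under a random id, and hands the messaging provider only a string of wildcard characters; the recipient fetches and decrypts the side-channel copy and swaps it back in. The "custom encryption algorithm" is unspecified in the article, so this uses a stand-in encrypt-then-MAC construction built from the Python standard library (PBKDF2, a SHA-256 counter keystream and HMAC), and an in-memory dictionary stands in for the XMPP server. The wildcard character, the id format and the function names are all assumptions.

```python
import hashlib
import hmac
import secrets

# Placeholder character that travels through the messaging provider (assumed).
WILDCARD = "?"


def derive_keys(password, salt):
    """Derive separate encryption and MAC keys from the shared password."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000, dklen=32)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from SHA-256: a stand-in for a real cipher, not AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password, salt, plaintext):
    """Encrypt-then-MAC with a fresh nonce per message: nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(password, salt)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(password, salt, blob):
    """Verify the tag before touching the ciphertext; wrong password fails here too."""
    enc_key, mac_key = derive_keys(password, salt)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong password")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SideChannel:
    """In-memory stand-in for the out-of-band XMPP server (constructed for the example)."""

    def __init__(self):
        self._store = {}

    def put(self, msg_id, blob):
        self._store[msg_id] = blob

    def get(self, msg_id):
        return self._store[msg_id]


def send(channel, password, salt, text):
    """Return (placeholder seen by the provider, side-channel lookup id)."""
    msg_id = secrets.token_hex(8)
    channel.put(msg_id, encrypt(password, salt, text.encode("utf-8")))
    # The provider only ever sees this string, never the real text.
    placeholder = WILDCARD * len(text)
    return placeholder, msg_id


def receive(channel, password, salt, placeholder, msg_id):
    """Fetch the side-channel copy, decrypt it and substitute it for the wildcards."""
    text = decrypt(password, salt, channel.get(msg_id)).decode("utf-8")
    if len(text) != len(placeholder):
        raise ValueError("placeholder length does not match recovered text")
    return text
```

Two things the article's description leaves open are worth checking before relying on a scheme like this. The placeholder has exactly as many wildcards as the real message, so the provider still learns message lengths and timing; padding to fixed-size buckets would close that. And whoever runs the side-channel server sees every ciphertext, so the encryption must happen on the client, as the first layer in the talk describes, and not on that server.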

Though the research was started with a rooted Google Android device, it was discovered that the techniques could work for all platforms. The advantage of using a rooted Android is that software can be ported over to work natively inside the Android phone, while using other platforms requires an external device to make the real-time modifications, he explains.

“We wanted to protect all of our rights and liberties so we developed this technique to be used in a manner completely transparent for the users and completely customizable,” he adds. “The main impact on society is providing a way to prevent prying eyes of governments and private corporations from analyzing our data and exchange of information for their own benefit.”

“It can be adapted to add new layers of security/privacy to Instant Messaging systems widely used on mobile devices,” he continues. “The process will involve anonymizing and encrypting the data [text, pictures, videos, etc.] exchanged between users so that when they reach application’s servers they won’t be in ‘plain text’ and will only be legible for the people inside the conversation.”

Sanchez’s presentation is scheduled for Nov. 27.


Article source: http://www.darkreading.com/privacy/whatsapp-security-to-be-spotlighted-at-b/240163700

Lookout Now Installed On AT&T, Corners Mobile Security Market

San Francisco, CA – November 7, 2013 – Lookout Inc., the leader in mobile security, today announced AT&T is delivering the award-winning consumer application, Lookout Mobile Security, to Android customers. Lookout plays a key role in protecting AT&T customers from emerging mobile threats, keeping the important information stored on their mobile devices safe. Lookout Mobile Security will be installed on AT&T Android devices.

The surge in mobile device usage has made it more important than ever for customers to take the necessary steps to safeguard their smartphones, data and privacy. According to Gartner, 1.8 billion mobile phones are expected to ship by the end of 2013, a 4.5 percent increase from the previous year[1]. Lookout will offer comprehensive protection against malware and spyware, privacy violations, data loss and loss of the device itself to all AT&T customers who have a compatible Android device.

“Our goal is to ensure that we provide our customers with the most comprehensive security, and we are excited to team up with Lookout to help protect our customers,” said Judy Cavalieri, AT&T Mobility vice president of voice and prepaid products.

Lookout Mobile Security is available to AT&T customers with Android smartphones and tablets, including the new Samsung Note 3. Lookout Mobile Security enables users to find a missing or stolen device, manage phone security and easily back up precious data. From Lookout.com, people can manage multiple mobile devices and locate a phone or tablet on a Google map. Basic protection with Lookout is free; premium protection is $2.99 per month and is billed to the user’s AT&T account.

“As mobile devices become the dominant computing platform, we are thrilled to be working with AT&T to enhance the security of its devices. This announcement marks a significant milestone for Lookout,” said Tim Roper, vice president global business development, Lookout. “AT&T is a leader in the wireless industry and is passionate about providing customers with the best security and privacy available.”

About Lookout

Lookout builds security software that protects people, businesses and networks from mobile threats. With the world’s largest mobile threat dataset and the power of 45 million devices, Lookout proactively prevents fraud, protects data and defends privacy. Lookout secures the mobile experience for people everywhere through Lookout Mobile Security, a consumer app, and Lookout for Business, a cloud-based business offering for device security and management. Lookout was selected as a 2013 World Economic Forum Technology Pioneer company and received the 2013 Laptop Editor’s Choice Award. Lookout has offices in San Francisco and London. For more information, please visit Lookout.com.

Article source: http://www.darkreading.com/mobile/lookout-now-installed-on-att-corners-mob/240163712

Cloud Security Alliance Annual Congress To Serve As Launchpad for New Research, Guidance Reports And Working Groups

Orlando, FL – November 7, 2013 – The Cloud Security Alliance today released its planned research agenda and a preview of new working groups to be launched at the upcoming Cloud Security Alliance Congress 2013, taking place December 4-5 in Orlando. This year’s event will feature the release of research in the areas of Big Data, Mobile, CloudTrust Protocol and Cloud Assessment among others. Attendees of this year’s Congress will gain first-hand access to all reports, along with exclusive access to authors of each report through one-on-one discussions and featured interactive presentations.

Research, guidance reports and working groups scheduled for release include:

Big Data Security Taxonomy and Framework

The new report from the Big Data Working Group evolved from the idea of mapping different varieties of big data, such as graphs and streaming video, to ten facets of data derived from the group’s previously released top-ten list. The group’s motivation for the taxonomy is to help big data services determine what kind of big data infrastructure they need to deploy and which metrics to employ to get the best value out of the data.

Consensus Assessments Initiative Questionnaire (CAIQ) V.3 Open Review Period

In 2010, the CSA released a set of questions a cloud consumer or cloud auditor may wish to ask of a cloud provider, which can then be tailored to each cloud customer’s evidentiary requirements. Now in its third version, the questionnaire enters an open review period: the Consensus Assessments Initiative Working Group will begin review of a set of new questions intended to help organizations build the assessment processes needed to engage with cloud providers.

Mobile Authentication

The CSA Mobile Working Group will release a new report that outlines key factors in determining recommended authentication processes, trust boundary identification approaches, guidelines to improve usability of mobile authentication in enterprise / bring-your-own-device (BYOD) environments, and authentication threats and risks identification approaches to conduct an appropriate risk assessment.

Cloud Trust Protocol Technical Model and API

The Cloud Trust Protocol Working Group is releasing a new document that proposes a technical model and API for the CloudTrust Protocol. The CloudTrust Protocol (CTP) is designed to be a mechanism by which cloud service clients can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.

Secure Development of Cloud Applications

In conjunction with the Software Assurance Forum for Excellence in Code (SAFECode), the CSA will release a new set of guidelines on Practices for Secure Development of Cloud Applications. The report aims to address how the emergence and maturation of cloud computing has impacted the security development lifecycles of leading technology providers, and help readers better understand and implement best practices for secure cloud software development.

Virtualization Working Group Launch

The Cloud Security Alliance will be announcing the formation and associated details of a reconstituted version of the CSA Virtualization Working Group. Virtualization is a critical part of cloud computing as it provides an important layer of abstraction from physical hardware, enabling the elasticity and resource pooling commonly associated with cloud. Recent developments in software defined networking (SDN) show great potential to virtualize data networks in the same way that operating systems have been virtualized. The future integration and potential convergence of virtualization of operating systems and networks promise to greatly impact the next generation of cloud architectures. The security issues and recommended best practices of this broader view of virtualization merit additional focused research from this group.

Anti-Bot Working Group Launch

Botnets have long been a favored attack mechanism of malicious actors. As cloud computing rapidly becomes the primary option for server-based computing and hosted IT infrastructure, CSA as the industry leader has an obligation to articulate solutions to prevent, respond to and mitigate botnets operating on cloud infrastructure. The CSA Anti-Bot Working Group will be the primary stakeholder for coordinating these activities.

Cloud Security Alliance Congresses continue to be the industry’s premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security. In addition to offering best practices and practical solutions for remaining secure in the cloud, this year’s fourth annual U.S. CSA Congress will focus on emerging areas of growth and concern in cloud security. Attendees will gain exposure to industry-specific case studies that will help them learn and leverage best practices used by their peers in moving to a secure cloud.

Article source: http://www.darkreading.com/cloud-security-alliance-annual-congress/240163711

HyTrust Acquires HighCloud Security

MOUNTAIN VIEW, Calif. – November 7, 2013 – HyTrust Inc., the Cloud Security Automation Company, today announced that it has acquired HighCloud Security, a leader in cloud encryption and key management software. By combining HyTrust’s administrative visibility and control with HighCloud’s strengths in encryption and key management, the acquisition offers customers of both companies an unprecedented level of flexibility in addressing security, compliance and data privacy requirements in all cloud environments: private, public and hybrid.

“With the increasing prevalence of data breaches, leaks of classified information by insiders, and surveillance in the cloud, data security and privacy are more important than perhaps ever before,” said HyTrust CEO John De Santis. “Cloud computing in all its forms has become the top technology priority for every enterprise, and that’s why we’ve quadrupled our growth at HyTrust in just the past year. By bringing HighCloud Security’s market-leading technologies into the HyTrust family of solutions, we can take to market the strongest protection for virtualized cloud infrastructure available anywhere.”

The combined offering from HyTrust and HighCloud enables ‘cloaked’ private, hybrid and public clouds and helps address three of the primary security concerns in cloud environments. These are:

The broad level of access available to privileged users with malicious intent (or those who acquire their credentials)

Breaches and other data center disasters caused not by criminal intent but through human error or misconfiguration

Challenges involved in maintaining the security and privacy of the data itself

While these issues don’t always get the attention they deserve, security executives are certainly aware of the concerns that stem from in-house misuse. A recent report from Forrester Research notes that insiders rather than external criminals were the top source of breaches in the past 12 months, and that 36% of those breaches were caused not by malfeasance but by inadvertent misuse of data by employees.

In this environment, HyTrust and HighCloud Security offer unique and complementary strengths to the market.

Eric Chiu, president and founder of HyTrust, said: “HyTrust represents the control point for cloud management, providing automated policy-based security for private cloud environments that can enable both trusted hybrid clouds and ‘cloaked’ public clouds. HighCloud encryption, meanwhile, can be deployed in private, hybrid and public clouds, ensuring data security and privacy as organizations migrate between these environments.”

Cloud computing, and the security concerns that go with it, remain a top priority for most organizations. According to technology analyst firm Gartner Inc., nearly half of large enterprises have deployed a private cloud service and three-fourths expect to have hybrid cloud deployments by 2015. A full 80% of organizations intend to use cloud services in some form within the next year, while 60% plan to increase their investment in the next two to five years.

Chiu continued: “The service also enables a unique level of ‘walk-away’ freedom by making it possible to securely change cloud providers or decommission from the cloud without having to worry about data being left behind. This also makes it easier for corporations to achieve compliance with regulations such as HIPAA and PCI.”

While the technologies can already be used together, the HighCloud solution will in the future be integrated into HyTrust to more tightly bind administrative controls with data security in cloud environments, making encryption and key management invisible to the end user. HighCloud’s engineering team will join HyTrust, continuing to provide support and maintenance to existing customers, and moving forward with the development of HighCloud’s technology roadmap.

“HighCloud and HyTrust have had many ties over the years and solve complementary problems for customers,” said Bill Hackenberger, co-founder, president and CEO of HighCloud Security. “Together, HyTrust and HighCloud give enterprises unprecedented ability to address security, compliance and data privacy requirements for all cloud environments, private, hybrid and public.”

Industry Analysts, Customers and Partners Approve

Todd Pavone, executive vice president of Product Development and Strategy at VCE, the industry leader in Converged Infrastructure, explained, “Security is critical to the adoption of cloud computing. HyTrust’s acquisition of HighCloud Security is a home run– it greatly enhances the level of security in a range of evolving user environments while easing the implementation of new technologies.”

Wayne Pauley, senior analyst at Enterprise Strategy Group, said, “HyTrust sits at the center of an important IT ecosystem, providing the control, security configuration, compliance assurance and visibility needed to reap the benefits of the cloud. With HighCloud, HyTrust adds strong, cloud-optimized data security to its portfolio – a critical requirement for data protection and compliance. And customers gain improved security for data at rest – enabling the same level of visibility in the new virtual datacenter as its physical counterparts.”

Jeff Byrne, senior analyst consultant, Taneja Group, said, “In the move towards software-defined data centers, HyTrust is a key enabler for software-defined security with the ability to automate and orchestrate controls across the cloud. The HighCloud acquisition is a major step that supports HyTrust’s vision of enabling automated, policy-based security for the cloud to prevent breaches and data center disasters.”

Shannon Poulin, vice president of marketing for Intel’s Datacenter and Connected Systems Group, said, “HyTrust is a strategic collaborator in Intel’s software-defined infrastructure initiative, which allows security to be automated and provisioned on-demand across private, hybrid, and public clouds in order to safeguard data, maintain compliance, and increase SLAs. HyTrust’s addition of automated encryption and key management, combined with Intel AES-NI acceleration, gives organizations even greater confidence to run their most mission-critical workloads in the cloud while retaining the highest level of data security and privacy.”

Dave Shackleford, founder of Voodoo Security, said, “HyTrust has built a strong position for protecting against the insider threat in virtualized datacenters. HighCloud encryption and key management effectively secures the data in these environments, as well as in public clouds. This acquisition gives HyTrust an interesting opportunity to expand its market position, providing tighter controls over both people and data in the cloud.”

Eric Novikoff, COO of ENKI, a cloud service provider, said, “Security and data privacy are paramount for our customers, especially those with compliance requirements. The combined strengths of HyTrust and HighCloud technologies make this a truly compelling solution that helps us mitigate customer concerns and expand our offering to more security-sensitive customers.”

Derek Brink, vice president and research fellow for IT Security, Aberdeen Group, said, “Aberdeen’s research has consistently shown that security, compliance, and visibility are among the leading inhibitors to even faster adoption of virtualization and cloud. It has also shown that augmenting the security capabilities of cloud solution providers, while retaining enterprise visibility and control, corresponds with about one-third less cost per application per year, driven in part by better security and in part by more consistent and efficient operations. HyTrust’s acquisition of HighCloud Security is very much in line with these findings, and should be seen as a good move for both companies and their respective customers and business partners.”

Forrester analysts John Kindervag, Stephanie Balaouras, Rick Holland and Heidi Shey reported, “Increasingly, customers want vendors to embed more security functionality into a single service or product. Consolidated offerings give security and risk (S&R) professionals more visibility and control into their environment and they also reduce the operational complexity and cost of managing individual point products.” They continue, “Forrester’s Zero Trust model states that S&R pros must eliminate the idea of an internal trusted network and an untrusted external network. Three concepts underpin Zero Trust. S&R pros must: 1) verify and secure all resources regardless of location; 2) limit and strictly enforce access control across all user populations, devices, channels, and hosting models; and 3) log and inspect all traffic, both internal and external.” HyTrust is delivering the same levels of visibility and control for cloud environments as would be available for physical datacenters. And it has further consolidated the broadest range of capabilities under one umbrella so that organizations can ensure strong security and compliance.

Webinar

HyTrust will conduct a webinar on Wednesday, November 20, 2013 at 2:00 PM (EST) to communicate this news in greater detail and demonstrate how, with this move, the company is enabling end-to-end security for cloud environments. Please register here: www.hytrust.com/highcloud

About HighCloud Security

Founded by Silicon Valley veterans, Bill Hackenberger and Steve Pate, HighCloud Security offers encryption and key management software designed specifically to address the unique security challenges of virtualized server infrastructures. Virtual machines are mobile, dynamic and contain specific files that can contain sensitive data even when the VMs are dormant. HighCloud addresses these specific vulnerabilities with strong encryption that travels with each VM, encrypts even snapshot and suspended files, and allows organizations to secure data in private, public and hybrid clouds.

About HyTrust (www.hytrust.com)

Cloud Under Control™

Headquartered in Mountain View, CA, HyTrust is the Cloud Security Automation (CSA) company. HyTrust delivers the essential real-time control, security, administrative account monitoring, logging and compliance assurance necessary to enable the benefits of cloud adoption and virtualization of critical workloads. The Company is backed by top tier investors VMware, Cisco Systems, Intel Corporation, In-Q-Tel, Fortinet, Granite Ventures, Trident Capital, and Epic Ventures; its partners include VMware, VCE, Symantec, CA, McAfee, Splunk; HP Arcsight, Accuvant, RSA and Intel Corporation.

Article source: http://www.darkreading.com/authentication/hytrust-acquires-highcloud-security/240163713

New Bucks For Bugs Program Focuses On Open Source Software, Internet Infrastructure

Programs that pay security researchers for finding flaws in software have become all the rage, and a new bug bounty program launched this week rewards finding vulnerabilities in key open-source software platforms as well as the underlying Internet infrastructure.

Microsoft and Facebook — under the auspices of HackerOne — are co-sponsoring The Internet Bug Bounty, a program that pays anywhere from $300 to $2,500 for a new vulnerability found in key open-source platforms such as OpenSSL, Python, Ruby, PHP, Django, Rails, Perl, Phabricator, Nginx, and Apache httpd. The program also rewards a minimum of $5,000 to researchers who find working flaws in sandbox technologies, and a minimum of $5,000 for bugs found in the Internet’s underlying infrastructure, such as DNS, SSL, or PKI.

“I’m really happy about this program,” says renowned security researcher Dan Kaminsky, who discovered a key DNS bug in 2008 that affected a large portion of the Internet. “The black market has gotten so hot because there are so many players doing criminal activities … more accurately, they are out to compromise systems, and that takes a lot of work even to identify a flaw [to exploit].

“If nothing else, this program provides direct incentive for people to raise the quality of [software] flaw analysis,” he says, pointing to the program’s emphasis on quality vulnerability finds that pose real risks to the Internet community and its well-defined guidelines that promote responsible hacking.

Not every bug discovery will qualify for a bounty payment, according to the program’s disclaimer. For Internet infrastructure bugs, for example, a flaw qualifies only if it affects multiple products or a significant number of users, or is “severe” or “novel.”

Both Microsoft and Facebook, like many major vendors today, have established their own bug bounty programs that pay researchers who find flaws in their products.


A panel of volunteers from the security community is charged with managing The Internet Bug Bounty, including Microsoft’s Katie Moussouris, Matt Miller, Roman Porter, and Arthur Wongtschowski; Facebook’s Alex Rice, Neal Poole, and Colin Greene; Chrome’s Chris Evans; iSec Partners’ Jesse Burns; and Etsy’s Zane Lackey.

“The Internet Bug Bounty is accessible to a broad pool of security researchers and has the potential to improve security for a wide variety of technology users,” says Moussouris, senior security strategy lead for Microsoft Trustworthy Security. “This bounty is a great way to support coordinated disclosure of critical vulnerabilities in shared components of the Internet stack.”

Countering the black market for bugs indeed is the main incentive for heavy-hitters like Microsoft and Facebook to team up and sponsor a vulnerability reward program for open-source platforms, says Chris Wysopal, CTO at Veracode. “This is a reaction to that” black market for bugs, he says. “This is really trying to disrupt the offensive market. As the offensive side of vulnerability finding has grown, this is counter-balancing it.”

And more secure open software platforms also benefit those vendors, as well as the entire Internet community, security experts say. “This is definitely helping out those open source projects,” Veracode’s Wysopal says. “And [the vendors involved] are also helping themselves because they use these products. It’s a win for them and a win for the Internet in general.”

The closest thing to a bug bounty for finding flaws in open source software is Google’s new patch bounty, announced earlier this month. Google launched an experimental program that offers rewards for coming up with security improvements to key open-source projects such as OpenSSH, BIND, Chromium, and KVM.

Open source software is often considered the weak link in applications, as flaws in open source code have been targeted by attackers looking for the quickest and simplest way to break into systems. Community software projects typically lack sufficient resources to stay on top of bugs and patches, so the new HackerOne program should help.

Whether this newfound abundance of bug bounty programs will boost or dilute efforts to secure software remains to be seen. Kaminsky, chief scientist and co-founder of fraud prevention startup WhiteOps, says the bigger problem with many bug bounty programs has been lesser-quality bug finds, and this new program should raise the bar to avoid that. “What’s good about having this overarching program is that it very much puts a stake in the ground that this is what a program should look like, these are the types of good bugs to pay for,” he says.

The new program has inspired Wysopal to rethink Veracode’s informal bug bounty program for its own software. The secure code firm currently sends a “thank you package” to a researcher who finds any flaws in its code: it has no official funding for a bounty program at this time. Wysopal says he thinks The Internet Bug Bounty may pressure other vendors to pony up with monetary awards for bugs found in their software, even at Veracode: “Maybe I’ll see if I can get some” funding now, he says.


Article source: http://www.darkreading.com/vulnerability/new-bucks-for-bugs-program-focuses-on-op/240163714

Apple publishes new transparency report. Is there a ‘warrant canary’ nesting inside?

If Ars Technica’s reading of subtle legal language (or lack thereof) proves correct, Apple on Tuesday may well have slipped a ‘warrant canary’ into its latest transparency report.

From page 5:

Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.

With that simple statement, Ars Technica’s Cyrus Farivar explains, Apple has become one of the few big tech companies to use a warrant canary: a statement a company publishes while it has not been served with a secret government subpoena, whose later disappearance tells customers that one has arrived.

Such secret subpoenas, including those covered under the Patriot Act, come with gag orders that prevent companies from telling customers they’ve been served.

When a company publishes, report after report, that it has not received such a subpoena, customers can infer from the statement’s absence in a later report the period in which the company must have been served.

In the same vein, Apple may also have signalled that it has been served with a subpoena for customer data, gag order attached, under Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act, without breaking the law or saying a word about FISA: the report spells out which orders Apple hasn’t received, and the omission of FISA from that list could mean it has received one.

FISA is a US law that compels companies to share data on foreigners (or “foreign powers”, which may include US citizens and permanent residents suspected of espionage or terrorism) and provides the legal basis for the National Security Agency’s (NSA’s) surveillance program.

Passively informing customers this way is intended to stay within the law, but the technique hasn’t been tested in court.

Nate Cardozo, a staff attorney for the Electronic Frontier Foundation, said in his comments on the Ars Technica story that there are two nice things about Apple’s use of the warrant canary: the fact that Apple’s a big name, and the fact that Apple’s transparency report is only published once every six months:

I don’t mean to say that Apple is magic, but that Apple is a name every federal judge will know. This relates to my second point…

…This canary is designed to chirp only twice a year, and only after a several month delay (transparency report published every six months, with a several month lag between the last data and the report). Why is this a good thing? Federal judges are inherently risk averse. They don’t like to rule in a hurry, and when forced to rule in a hurry, they tend to err on the side of maintaining the status quo. In the warrant canary context, I fear that a judge forced to rule quickly would attempt to maintain the status quo by forcing the service provider to “feed the canary,” that is to lie.

Apple is fully aware of that risk, Cardozo said, and that’s why the company has opted for “an every-six-months-with-a-several-month-delay-canary.”

That way, if Apple is faced with a Patriot Act request, it will be able to litigate without being in a mad rush.

“Think Lavabit, but worse,” Cardozo said.

He continued:

…In the cool light of morning … they’ll be able to tee up the issue on full briefing to a federal judge who’s NOT feeling rushed and who knows that he or she is dealing, not with some fringe security freak of a company (again, think Lavabit), but with a titan of industry.

Cardozo said it all in his summation: “Should be interesting!”


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/WOsKJMUEB5M/

Berners-Lee: ‘Appalling and foolish’ NSA spying HELPS CRIMINALS


Sir Tim Berners-Lee, inventor of the World Wide Web, has attacked the NSA and GCHQ for their “appalling and foolish” cracking of online encryption.

He warned that spooks’ attempts to break encryption standards played into the hands of cyber-criminals and rival states, saying spies were “naive” to think their own techniques would not be used against them.


“It’s naïve to imagine that if you introduce a weakness into a system you will be the only one to use it,” said Berners-Lee, adding: “I’m very sympathetic to attempts to increase security against organised crime, but you have to distinguish yourself from the criminal.”

In an interview with the Guardian, the web’s inventor called for a “full and frank public debate” on digital surveillance.

His comments came ahead of an unprecedented inquiry into surveillance, which will see chief spooks grilled in full public view this afternoon.

“Whistleblowers, and responsible media outlets that work with them, play an important role in society,” Sir Tim said. “We need powerful agencies to combat criminal activity online – but any powerful agency needs checks and balances and, based on recent revelations, it seems the current system of checks and balances has failed.”

The coverage of the Edward Snowden leaks “has been in the public interest and has uncovered many important issues which now need a full and frank public debate”, he continued.

The heads of MI6, MI5 and GCHQ will be interviewed on live TV today for the first time. Starting at 2pm, Sir John Sawers, MI6 chief, Sir Iain Lobban, director of GCHQ, and Andrew Parker, director general of MI5, will appear in front of Parliament’s Intelligence and Security Committee (ISC).

According to a statement on the ISC website, a short delay (reportedly two minutes) is being applied to the video feed, in case the spooks let something controversial slip out.

“The session will give an insight into the world of intelligence and the work the agencies do on behalf of the UK,” the ISC said. “It represents a very significant step forward in terms of the openness and transparency of the agencies. The Committee will question the agency heads on the work of the agencies, their current priorities and the threats to the UK. Among other things it will cover the terrorist threat, regional instability and weapons proliferation, cyber security and espionage.”

“However,” continued the ISC, “since this is a public session, it will not cover details of intelligence capabilities or techniques, ongoing operations or sub judice matters.”

Edward Snowden sparked the surveillance scandal after revealing the existence of an NSA spying scheme called PRISM and a comparable British one called TEMPORA, operated by GCHQ.

A group of 28 Tory MPs have written to the Guardian to protest against its continued publication of Snowden’s revelations. The letter said publishing the secret material “runs the risk of compromising the vital work of the institutions, processes and people who protect the safety of this country”. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/07/berners_lee_criminal_nsa_gchq_prism_tempora_spying/

Protecting Your Enterprise From DNS Threats

[The following is excerpted from “Protecting Your Enterprise From DNS Threats,” a new report posted this week on Dark Reading’s Security Services Tech Center.]

The Internet’s Domain Name System (DNS) plays a critical role in Internet communications: It translates human-readable computer hostnames into destinations defined by IP addresses — darkreading.com to 192.155.48.108, for example — so that they can be used by networking equipment, computers and software programs.

DNS is the world’s largest distributed database, supported by millions of domain name servers and administrators, each providing information about a small segment of the domain name space.

There are two main categories of name server. The authoritative name server is responsible for providing answers in response to queries about domain names in a zone — a portion of the domain name space for which it is responsible. For example, the DNS servers that answer for darkreading.com and resolve www.darkreading.com to an IP address are authoritative DNS servers. Every domain name appears in a zone served by one or more authoritative name servers.

The second category of server is a recursive name server: When it receives a request to resolve a domain name it doesn’t have cached, this server type will recursively query the DNS architecture for the appropriate authoritative DNS server to get an answer that can be cached and returned to the client. A server typically caches previous answers to queries for a certain amount of time (TTL, or time to live) to improve performance should it receive the same request again.

Every Internet-connected device and application is a client of the Domain Name System; even DNS servers in the process of resolving a name function as DNS clients. DNS clients have to trust the information they receive, but when DNS was designed back in the ’80s, scalability and availability were the key goals. Little attention was given to security.
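To make the resolution and caching steps above concrete, here is an added example (not code from the Dark Reading report) that encodes a DNS query, builds and parses a wire-format answer for the article’s own darkreading.com to 192.155.48.108 mapping, and caches the result for its TTL. The response bytes are constructed rather than captured, and the transaction-ID and question checks in `accept_response` are the minimum a recursive resolver must perform before trusting an answer, since the article notes that clients have no choice but to trust what they receive.

```python
import struct
import time

# Added example, not from the report: minimal RFC 1035 wire-format helpers plus a
# TTL-aware cache. The 192.155.48.108 address is the one the article quotes; the
# response below is constructed in code, not captured from a real server.

A_RECORD = 1
CLASS_IN = 1


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=A_RECORD, txid=0x1234):
    """One question, RD (recursion desired) set, as a stub resolver would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg, offset):
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # pointer to an earlier occurrence
            jumps += 1
            if jumps > 16:                   # guard against pointer loops
                raise ValueError("too many compression pointers")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), end if end is not None else offset + 1
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_response(query, records):
    """Answer the query's question with (rtype, ttl, rdata) records; each answer
    name is a pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    answers = b""
    for rtype, ttl, rdata in records:
        answers += b"\xC0\x0C" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


def parse_response(msg):
    """Return (txid, question name, [(name, rtype, ttl, value), ...])."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        offset += 4                          # skip qtype/qclass
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == A_RECORD and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return txid, qname, answers


def accept_response(query, response):
    """Cache only an answer whose transaction ID and question match the query we
    sent; anything else is dropped as spoofed or stale. Returns answers or None."""
    txid, qname, answers = parse_response(response)
    if txid != struct.unpack("!H", query[:2])[0]:
        return None
    expected, _ = read_name(query, 12)
    if qname.lower() != expected.lower():
        return None
    return answers


class ResolverCache:
    """Cache keyed by (name, type); an entry is served only until its TTL runs out."""

    def __init__(self):
        self.entries = {}

    def store(self, answers, now=None):
        now = time.monotonic() if now is None else now
        for name, rtype, ttl, value in answers:
            self.entries.setdefault((name.lower(), rtype), []).append((value, now + ttl))

    def lookup(self, name, rtype, now=None):
        now = time.monotonic() if now is None else now
        live = [v for v, exp in self.entries.get((name.lower(), rtype), []) if exp > now]
        return live or None
```

The `now` parameter exists so the TTL expiry can be exercised deterministically; a real resolver would use the clock. Matching the transaction ID and question is necessary but not sufficient: a 16-bit ID is guessable, which is why production resolvers also randomise the source port and why the zone-level protections discussed later in the report matter.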

For example, the accuracy and integrity of DNS records are vital, but several parties can change them: the registrant who owns a domain name, the registrar that sold it and maintains its registration records, the registry that operates the top-level domain, and the administrators of the domain’s own name servers. Should attackers get to a point at which they could alter or corrupt a domain’s DNS zone data, they could redirect all incoming traffic for that domain to a server they control. This server could then host fake sites to make political statements, capture personal information or install malware.

The open, distributed nature of DNS means it’s not possible for one technology or solution to eradicate the limitations inherent in DNS, so attackers continue to use it as a means of disrupting or hijacking online services.

Recent attacks by the Syrian Electronic Army (SEA) have exploited DNS weaknesses to modify DNS entries and redirect users accessing The New York Times, Twitter and Marine Corps websites to propaganda pages supporting the Bashar Assad regime.

The lack of a valid Web server certificate could alert users that they have not reached the genuine site, but these attacks can also capture all inbound email and enable an attacker to send emails using the victim organization’s domain. With control of the domain’s mail, the attackers can pass the email-based domain validation that certificate authorities use and obtain a new, valid certificate. Control of an enterprise’s DNS and a valid Web certificate mean the attackers have effectively become the enterprise, often without having to hack into its network.
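The practical defence against the zone-data tampering just described is to record what the zone should look like and compare it against fresh answers on a schedule. The following added example (not from the report, and not any vendor’s product) does that comparison for the three record types a hijack of this kind typically changes: the NS delegation, the A records for the web host, and the MX records that would let the attacker capture mail. The domain, hosts and addresses are constructed for illustration, using the RFC 5737 documentation ranges.

```python
import ipaddress

# Added example, not from the report: a baseline check that flags the record
# changes a zone or registrar hijack produces. Every name and address here is
# constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

# What the zone should look like, recorded while the domain is known-good.
BASELINE = {
    ("example.com", "NS"): {"ns1.example-dns.net", "ns2.example-dns.net"},
    ("example.com", "A"): {"203.0.113.10"},
    ("example.com", "MX"): {"mail.example.com"},
    ("www.example.com", "A"): {"203.0.113.10", "203.0.113.11"},
}

# Address space the organisation actually operates. An A record outside it is
# suspect even if the baseline did not list that exact host.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def check_zone(observed, baseline=BASELINE, allowed=ALLOWED_NETS):
    """Compare freshly queried records against the baseline; return alert strings.
    `observed` maps (name, rtype) to the set of values a resolver returned."""
    alerts = []
    for (name, rtype), expected in baseline.items():
        seen = set(observed.get((name, rtype), ()))
        if not seen:
            alerts.append(f"{name} {rtype}: no records returned")
            continue
        if rtype == "NS" and seen != expected:
            # Delegation moved: the registrar account or parent zone was changed.
            alerts.append(f"{name} NS: delegation changed to {sorted(seen)} "
                          "(registrar or parent-zone hijack?)")
        elif rtype == "MX" and seen - expected:
            # New mail host: inbound mail, password resets and domain-validated
            # certificate issuance can all be captured through it.
            alerts.append(f"{name} MX: unexpected mail hosts {sorted(seen - expected)} "
                          "(inbound mail and domain-validated certificates at risk)")
        elif rtype == "A":
            for ip in seen - expected:
                if not any(ipaddress.ip_address(ip) in net for net in allowed):
                    alerts.append(f"{name} A: {ip} is outside the expected address space")
    return alerts


# Constructed "observed" answers showing the pattern the article describes:
# delegation, web host and mail host all moved to attacker-controlled systems.
HIJACKED = {
    ("example.com", "NS"): {"ns1.attacker.example", "ns2.attacker.example"},
    ("example.com", "A"): {"198.51.100.77"},
    ("example.com", "MX"): {"mail.attacker.example"},
    ("www.example.com", "A"): {"198.51.100.77"},
}

# Normal drift: a new web host inside the organisation's own range is not an alert.
HEALTHY = {
    ("example.com", "NS"): {"ns1.example-dns.net", "ns2.example-dns.net"},
    ("example.com", "A"): {"203.0.113.10"},
    ("example.com", "MX"): {"mail.example.com"},
    ("www.example.com", "A"): {"203.0.113.12"},
}
```

Run the check from two vantage points: directly against the domain’s authoritative servers and through an external recursive resolver. A discrepancy at the authoritative servers points to altered zone data or a changed delegation; a discrepancy seen only through the recursive resolver points to a poisoned cache. Neither view substitutes for a registrar lock on the domain itself.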

DNS attacks can either subvert the resolution of DNS queries, often by exploiting weaknesses in domain name administration practices, or use the DNS infrastructure as a means of launching distributed denial-of-service attacks (DDoS).

To learn more about the nature of DNS attacks — and what you can do to prevent them — download the free report.


Article source: http://www.darkreading.com/vulnerability/protecting-your-enterprise-from-dns-thre/240163673

SSCC 122 – Facebook hoax, Microsoft 0