STE WILLIAMS

Venafi Launches New Threat Center

SALT LAKE CITY, UT – October 9, 2013 – Venafi, the market-leading cybersecurity company in Next-Generation Trust Protection (NGTP), today announced the release of Venafi Threat Center™. Recognizing the sharp rise in cyber-criminals who exploit the trust established by cryptographic keys and digital certificates, Venafi created Threat Center to focus specifically on the increase in trust-based attacks and their impact on Global 2000 enterprises. Another industry first, Venafi Threat Center offers insight into and intelligence about this new threat vector and provides strategies to mitigate these attacks.

On a global basis, every organization and government entity is under attack. Cyber-criminals are using keys and certificates as an attack vector to compromise enterprises and to disguise their activities within organizations. Recent Ponemon Institute research validates that every organization has fallen prey to attacks on keys and certificates in the last two years. Due to the lack of insight into key and certificate inventories, more than 60% of organizations take at least 24 hours to one week to replace compromised keys and certificates. This delay results in an average $398 million exposure for every organization over two years.

Access Venafi Threat Center, including new research regarding attacks on keys and certificates, here.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) have fast become two of the most widely deployed and popular techniques that cyber-criminals use to mask their communications between remote access tools (RATs) and command and control (C2). Unfortunately, the millions of dollars organizations spend on perimeter-based security solutions are for naught; compromised keys and certificates provide cyber-criminals with unfettered trusted access and status. Forrester Research has recognized that “enterprise awareness of attacks on keys and certificates is in its infancy; most don’t understand how to detect or respond to an attack.” (July 2013 commissioned study entitled “Attacks on Trust: The Cybercriminal’s New Weapon,” conducted by Forrester Consulting on behalf of Venafi.)

“For too long organizations have blindly trusted keys and certificates that provide little visibility into their threat risk exposure,” said Jeff Hudson, Venafi CEO. “Malicious actors have taken note of this blind trust and use it nefariously against organizations and government entities. The results are clear: terabytes of valuable information and intellectual property are being pilfered from them for months before a compromise is even detected. Venafi Threat Center is at the forefront of Next-Generation Trust Protection (NGTP), helping organizations respond to and remediate trust-based attacks.”

Venafi Threat Center provides organizations with information about current threats related to compromised keys and certificates, an understanding of how encryption keys and certificates establish trust, and insight into recommended strategies to protect against attacks on trust. Venafi Threat Center also provides details about the Venafi Trust Protection Platform, which empowers organizations to detect trust-based attacks and rapidly respond to mitigate them.

Sample reports on the new Venafi Threat Center site include:

“Broken Trust: Exposing the Malicious Use of Digital Certificates and Cryptographic Keys” – iSIGHT Partners and Venafi

“Attacks On Trust: The Cybercriminal’s New Weapon” – Commissioned Forrester Consulting Study

“2013 Annual Cost of Failed Trust Report: Threats & Attacks” – Ponemon Institute

“Is Your APT Strategy Leaving the Door Open?” – Venafi

About Venafi

Venafi is the market-leading cybersecurity company in Next-Generation Trust Protection (NGTP). As a Gartner-recognized Cool Vendor, Venafi delivered the first trust protection platform to secure the cryptographic keys and digital certificates that every business and government depends on for secure communications, commerce, computing, and mobility. As part of an enterprise infrastructure protection strategy, Venafi Director prevents attacks on trust with automated discovery and intelligent policy enforcement, detects and reports on anomalous activity and increased threats, and remediates errors and attacks by automatically replacing keys and certificates. Venafi Threat Center provides research and threat intelligence regarding trust-based attacks. Venafi customers are among the world’s most demanding, security-conscious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.

Article source: http://www.darkreading.com/vulnerability/venafi-launches-new-threat-center/240162444

Free Cloud Identity Service Delivers Single Sign-On In Minutes

DENVER, Colo. – Oct. 9, 2013 — Ping Identity, The Identity Security Company™, today announced PingOne for Groups. Built on the PingOne cloud identity management service, PingOne for Groups is simple enough for small- and medium-sized organizations, and secure enough for enterprise departmental single sign-on (SSO) needs. PingOne for Groups is a free subscription for up to five applications and 50 users. It provides secure SSO in minutes, and offers a seamless upgrade path to PingOne for Business or PingOne for Enterprise.

PingOne for Groups is the only industry solution that helps organizations of all sizes do SSO right by delivering access to thousands of applications from any device using the right level of control and security at the right time.

According to Andras Cser, Forrester Research VP and principal analyst, “Many small and medium-size businesses (SMBs) know they can’t afford to spend hundreds of thousands of dollars to hire experienced IAM pros for the care and feeding of an on-premises IAM system. Even large enterprises are considering eliminating on-premises IAM systems because of large licensing and support costs and long implementation times.” *

PingOne for Groups manages employee, customer and partner identities. By making it simple, secure and free, Ping Identity is helping any size company realize the time and cost saving benefits of SSO. And, because Ping Identity is well known for delivering standards-based federation and access management to global enterprise organizations, customers can be confident PingOne will scale as their business grows.

“For too long identity management has been exclusively for large enterprises with the budget to manage complex and expensive infrastructure projects,” said Roger Oberg, VP of marketing and product management, Ping Identity. “Today, every business relies on cloud apps. PingOne for Groups brings enterprise-grade identity management to businesses of all sizes so anyone can have secure SSO to popular apps like Salesforce, Google, Dropbox, Office365 and WebEx.”

The PingOne cloud identity management service is available in three price plans:

PingOne for Groups

A cloud service that lets small businesses give up to fifty users one-click access to applications with the security and control needed. PingOne for Groups eliminates the headache of multiple usernames and passwords.

Free SSO for up to five applications and up to 50 users

Basic and federated single sign-on

Centralized user access management for IT

Basic user management

PingOne for Business

Offers SSO for unlimited applications and up to 1,000 users. It builds upon PingOne for Groups by integrating with an organization’s existing user directory to make identity management simple and secure.

Integration with Microsoft Active Directory

Integration with Google Apps for Business as an identity bridge via OpenID

Multi-factor authentication

PingOne for Enterprise

Offers SSO for unlimited applications and users for a complete, automated identity management system.

All features in PingOne for Business

On-premises identity store integration (AD/LDAP/DB/WAM)

User provisioning

All PingOne plans include CloudDesktop, a customizable portal that gives users one-click access to all their applications from any device and gives the administrator a dashboard to manage user access.

Get started with PingOne for Groups now at www.pingone.com.

About Ping Identity | The Identity Security Company

Ping Identity believes secure professional and personal identities underlie human progress in a connected world. Our identity and access management platform gives enterprise customers and employees one-click access to any application from any device. Over 1,000 companies, including half of the Fortune 100, rely on our award-winning products to make the digital world a better experience for hundreds of millions of people. Visit pingidentity.com for more information.

Article source: http://www.darkreading.com/end-user/free-cloud-identity-service-delivers-sin/240162445

ENISA White Paper: Can We Learn From Industrial Control Systems/SCADA Security Incidents?

The EU’s cyber security agency ENISA released a white paper today, giving recommendations regarding prevention and preparedness for an agile and integrated response to cyber security attacks and incidents against Industrial Control Systems (ICS)/SCADA. Increasing numbers of recent security incidents against industrial control systems/SCADA raise questions about the ability of many organisations to respond to critical incidents, as well as about their analytical capabilities. A proactive learning environment through ex-post analysis of incidents is therefore key, the Agency underlines.

ICS are widely used to control industrial processes for manufacturing, production and distribution of products. Often commercial, outdated off-the-shelf software is used. Well-known types of ICS include supervisory control and data acquisition (SCADA), where SCADA systems are the largest ICS subgroup. Recent ICS/SCADA incidents underline the importance of good governance and control of SCADA infrastructures. In particular, the ability to respond to critical incidents, as well as the capacity to analyse the results of an attack in order to learn from such incidents is crucial, the Agency underlines.

The goal of an ex-post incident analysis is to obtain in-depth-knowledge regarding the incident. This gives you the ability to:

rely on robust evidence in order to respond to the changing nature of domestic and alien threats;

ensure that enough learning takes place in order to deploy resilient systems.

We identified four key points for a proactive learning environment which will in turn ensure a fast response to cyber incidents and their ex-post analysis:

Complementing the existing skills base with ex-post analysis expertise and understanding overlaps between cyber and physical critical incident response teams;

Facilitating the integration of cyber and physical response processes with a greater understanding of where digital evidence may be found and what the appropriate actions to preserve it would be;

Designing and configuring systems in a way that enables digital evidence retention; and

Increasing inter-organisational and interstate collaboration efforts.

The Executive Director of ENISA Professor Udo Helmbrecht commented: “SCADA systems are often embedded in sectors that are part of a nation’s critical infrastructure, for example power distribution and transportation control, which makes them an increasingly attractive potential target for cyber attacks, ranging from disgruntled insiders and dissident groups, to foreign states. Such systems should be operated in a manner which allows for the collection and analysis of digital evidence to identify what happened during a security breach.”

For full report and recommendations; https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/can-we-learn-from-scada-security-incidents

Background: http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security

For interviews: Ulf Bergström, Spokesman, ulf.bergstrom[at]enisa.europa.eu, mobile: +30 6948 460 143, or Adrian Pauna, Expert, resilience[at]enisa.europa.eu

Article source: http://www.darkreading.com/management/enisa-white-paper-can-we-learn-from-indu/240162430

New Global Privacy Network Marks New Dawn For The Internet

DALLAS, Oct. 9, 2013 /PRNewswire/ — After four years’ development, idcloak Technologies launches its high-speed global privacy network which, if adopted widely, the firm claims will free the Internet of surveillance, censorship and georestrictions.

“The Internet is currently less private, less safe and less free than at any stage in its development as a medium,” says idcloak’s senior web researcher, Terence Shull. “Transiting data is routinely tapped or stolen, access is restricted, and whole nations are discriminated against. But, like tired parents, we accept what we’ve brought into the world rather than try to turn things around.”

The privacy network is built from VPN tunneling technology, essentially creating a virtual Internet over the top of the actual web. Users of the network interact with the Internet as usual but all their activity is encrypted, anonymous and unhitched from their actual location.

“If a large portion of the global online population accessed the web through our privacy network, the Internet could still be what we hoped it would be: less the domain of governments, corporations and criminals and more a safe, functional medium for the people,” says Shull. “For one, hackers would be denied a large portion of their toolkit – no WiFi sniffing, sidejacking, waterholing or other targeted attacks of individuals or companies. Government surveillance and censorship would also be sidelined by the ubiquitous encryption and anonymity, while corporations would be forced to offer the same prices and services to every customer wherever they were based.

“People seem to have forgotten this was how the world wide web was supposed to be.”

To preempt any comparison with the infamous TOR network, Shull was quick to underline the differences of the idcloak network: “For one, we are a good deal faster than TOR; we use the subscription fees to deliver speeds as close to ISP standard as possible. But also our network remains fully answerable to local laws, so we cannot be accused of providing a safe haven for criminal activity. We believe we can offer dependable privacy and anonymity without opening ourselves up to the blackguarding TOR has suffered over the years.”

Download and use the Windows 7 VPN client for as little as $6.25 a month.

Article source: http://www.darkreading.com/end-user/new-global-privacy-network-marks-new-daw/240162446

AVG And Yandex Deliver Mobile Security To Customers With Android Devices

AMSTERDAM and SAN FRANCISCO, Oct. 9, 2013 /PRNewswire/ — AVG Technologies N.V. (NYSE: AVG), the provider of Internet and mobile security, privacy and optimization to 155 million active users, today announced that it has extended its relationship with Yandex (NASDAQ: YNDX), Russia’s leading Internet search provider. Owners of Android devices who download AVG AntiVirus PRO v3.3 for Android(TM) before the end of 2013 from the Yandex.Store will receive a perpetual license for free to help keep their Android device protected and optimized.

AVG AntiVirus PRO v3.3 for Android(TM) is AVG’s premium security app that helps protect mobile devices from viruses, malware, spyware and online exploitation in real-time. Yandex.Store is one of the largest alternative applications stores for Android devices with more than 50,000 apps available to users worldwide.

“The rapid uptake of connected mobile devices has created a valuable channel for cybercriminals to reach unsuspecting consumers. We’re delighted to work with Yandex to bring mobile security to its customers, helping them to feel safe online, no matter what device they are using,” said Omri Sigelman, AVG Technologies. “The AVG AntiVirus PRO v3.3 for Android(TM) app delivers powerful tools, ranging from real-time app scanning to privacy controls and battery tune-ups, to help protect users while improving the performance of their Android device.”

This is the next step in the growing relationship between AVG and Yandex. Both companies already provide the AVG Safeguard(TM) Toolbar to Yandex’s search customers in Turkey.

About AVG AntiVirus PRO v3.3 for Android(TM)

Safe Web Surfing: helps protect your device when you are browsing the web from your smartphone

— Actively checks web addresses in real time with AVG LinkScanner, to help you make the right decisions online.

Safety: combats viruses and malware so you can download media and apps with confidence

— SIM Lock – SIM Lock, which is set up from the Anti-theft menu, locks your lost or stolen phone to prevent others from replacing your phone’s SIM card.

— Camera Trap – If the in-built Anti-Theft function records three failed attempts by an intruder to unlock your phone, it takes a photo of them with the phone’s front-facing camera. The photo is then emailed to you with an alert to the attempted break-in.

— App Scanner – scans apps to help ensure that malware will not infect your device. Scans run manually or you can easily set up automatic daily or weekly scans.

— File Scanner – scans for malware, spyware, viruses and lets you remove them with a simple click. Protects your phone while you’re using your favorite apps, keeping your contacts, bookmarks, text messages, music and videos safe. Choose between running manual scans or setting up automatic daily or weekly scans.

Privacy:

— Only available with AVG AntiVirus PRO, App Locker enables you to lock your apps individually and secure them from being accessed by others using your phone. You can also back them up on your SD (Secure Digital) card.

About AVG Technologies (NYSE: AVG)

AVG’s mission is to simplify, optimize and secure the Internet experience, providing peace of mind to a connected world. AVG’s powerful yet easy-to-use software and online services put users in control of their Internet experience.

By choosing AVG’s software and services, users become part of a trusted global community that benefits from inherent network effects, mutual protection and support. AVG has grown its user base to 155 million active users as of June 30, 2013 and offers a product portfolio that targets the consumer and small business markets and includes Internet security, PC performance optimization, online backup, mobile security, identity protection and family safety software.

www.avg.com

Article source: http://www.darkreading.com/endpoint/avg-and-yandex-deliver-mobile-security-t/240162432

Bitdefender Launches GravityZone-In-A-Box

BUCHAREST, Romania, Oct. 9, 2013 /PRNewswire/ — Bitdefender, the creator of leading antimalware solutions, today launched GravityZone-in-a-Box to protect and improve performance for small and medium-sized businesses that require security solutions for virtual, physical and mobile environments from a consolidated management platform.

Enterprise class security for SMBs

GravityZone-in-a-Box provides SMBs a new standard in managing, monitoring and reporting security activities across a broader threat environment. Businesses will better manage reporting for regulatory compliance and audits, following best practices. Like its big brother, GravityZone (launched earlier in 2013), the new solution delivers an enterprise class security management console to manage multiple endpoints, no matter the environment.

GravityZone-in-a-Box, a Citrix Ready security solution verified for VDI-in-a-Box, secures up to 250 endpoints, allows companies to easily manage security for virtual desktops and servers as well as physical and mobile endpoints. This streamlines management and resolves security headaches often suffered by SMBs adopting bring-your-own-device policies for mobile devices.

Amid the increasing complexity and diversity of today’s business environment, GravityZone-in-a-Box offers plug-and-play convenience to ease IT workloads. The solution, which comes as a single virtual appliance that can be imported in minutes, is integrated with VMware vCenter, Citrix XenServer and Microsoft Active Directory.

GravityZone-in-a-Box defeats the threats of data loss, theft and malware damage with the world’s top-rated anti-malware technology. This year alone, Bitdefender technology won three PCMag Editor’s Choice awards, the global #1 spot in rigorous testing by independent analysts from AV-TEST, Product of the Year by AV-Comparatives and more.

“GravityZone-in-a-Box is tailored from start to finish for SMBs,” said Bitdefender Chief Security Strategist, Catalin Cosoi. “We designed it to offer the world’s most effective protection, while ensuring that companies without large IT departments can deploy it easily and quickly to free up resources for SMBs’ core activities.”

For more information about Bitdefender GravityZone-in-a-Box, see www.bitdefender.com/business/#GravityZone-in-a-Box

About Bitdefender

Bitdefender is the creator of one of the world’s fastest and most effective lines of internationally certified internet security software. The company is an industry pioneer, introducing and developing award-winning protection since 2001. Today, Bitdefender technology secures the digital experience of around 400 million home and corporate users across the globe.

Recently, Bitdefender won a series of important awards and accolades in the global security industry, including “Product of the Year” by AV-Comparatives, “Best Repair 2012” by AV-Test, and “Editor’s Choice” by PC Mag, that confirmed the antivirus software’s leadership status among security products. More information about Bitdefender’s products is available from the company’s security press room. Additionally, Bitdefender publishes the HOTforSecurity blog, where readers can find stories from the underworld of internet fraud, scams, malicious software – and gossip.

Citrix is a trademark of Citrix Systems, Inc. in the United States and other countries. Windows is a registered trademark of Microsoft Corporation in the United States and other countries. VMware, VMware vShield and VMware vShield Endpoint are registered trademarks and/or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other trademarks and registered trademarks are property of their respective owners.

Article source: http://www.darkreading.com/end-user/bitdefender-launches-gravityzone-in-a-bo/240162448

Microsoft’s Patch Tuesday is out – and the answer is, “YES, they FIXED IT!”

Microsoft’s Tenth Anniversary Patch Tuesday is out, and, yes, Redmond’s security gurus did patch against the recent Internet Explorer zero-day that is being exploited in the wild.

More precisely, the vulnerability CVE-2013-3893 has been fixed, so even if you aren’t using (or couldn’t use) Microsoft’s temporary Fix it, you can now close off that avenue of attack altogether.

Notably, the Fix it was for 32-bit platforms only, so computers running 64-bit Windows versions, such as servers and almost any recent laptop, were out of luck.

That’s a creditably quick response from Microsoft, and a great Tenth Birthday result.

By the way, there’s a reliable and easy-to-modify proof of concept exploit floating around on the web, as well as an exploit module for the DIY break-and-enter toolkit Metasploit, so CVE-2013-3893 must be considered a clear and present danger.

The proof of concept I’ve seen is packaged as a single chunk of JavaScript inside a single HTML file, and targets IE 8 and IE 9 on Windows XP, Vista and Seven.

If you view a web page that contains the JavaScript from the proof of concept, then your browser will connect to an external site, download an executable file in the background, and run it.

If you don’t have a decent anti-virus installed (or you have one that hasn’t been updated since the free trial ran out a year ago) then you won’t see anything – not a warning, a dialog box, a progress bar or even a logfile entry – to tell you what happened.

Your browser will eventually crash, but after the download has finished and the secretly installed malware has launched.

→ A decent anti-virus is likely to control this exploit. Sophos Anti-Virus, for example, blocks booby-trapped web pages as Exp/20133892-B. But immunising your browser altogether, by neutralising the vulnerability that makes the exploits possible in the first place, is by far the best solution.

There are nine other remotely exploitable holes fixed in the Internet Explorer patch, and although Microsoft describes the others as “privately reported,” any one of them alone would be enough to make this patch a priority.

But don’t concentrate only on the big fix for Internet Explorer.

There are six other bulletins that deal with remote code execution this month, and even though four of them are rated only at Important by Microsoft, rather than Critical, I’d still treat “important” as meaning “important enough to patch right away.”

All the Important vulnerabilities are in various components of the Office suite, and can be triggered via shellcode – that’s executable code buried invisibly in amongst data – in files you are entitled to assume that Office should open without risk.

In theory, if you put executable code in a data file, it ought to be harmless: whether you give your name as text that spells out Paul Ducklin or machine code that corresponds to PUSH-PUSH-CALL-POP should make no difference.

The machine code version of your name should be treated as data, and never get a chance to run.

Programming mistakes do happen, however, sometimes allowing deliberately mangled files to confuse Word or Excel (or other software of that sort) into executing data as if it were code.

The eighth patch this month is for an information disclosure bug in Silverlight.

Microsoft isn’t saying what might be disclosed if this bug is triggered.

But since “information disclosure” is another way of saying “potential data breach,” you probably want to patch the eighth one, too.

For the opinion of SophosLabs on the likelihood of each of the eight vulnerabilities being exploited, and for advice on alternative mitigations (if you are unwilling to patch) or additional mitigations (if you are patching anyway), please visit our Vulnerabilities page.

Updates – how to check

Readers regularly ask us to remind them where to find the option to kick off a check for updates on Windows, so here’s how.

On Windows 7, ① go to Control Panel | System and Security and, in the Windows Update entry, ② choose Check for updates:

On Windows 8, ① do a search for the word updates, ② click into the Settings section, and ③ choose Check for updates:

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bDhjlOn3Ck0/

Adobe’s first update since the Big Breach – RoboHelp, Acrobat and Reader get patches

Adobe’s Patch Tuesday fixes are out.

This is business as usual, promised long in advance and expected today, so there isn’t anything in it related to the company’s recent network intrusion woes. (We hope!)

There’s a RoboHelp update, discussed in APSB13-24, and fixes for Version XI of Acrobat and Reader, discussed in APSB13-25.

The RoboHelp bug allows potential RCE, or Remote Code Execution, so you definitely want the APSB13-24 patch if you’re a RoboHelp user.

The Reader XI and Acrobat XI vulnerability is a little different, and it’s just the sort of bug that Adobe could have done without right now, because it’s what is known as a regression.

If you’re on Reader X or Acrobat X, you’re not affected and can stand down from high alert. For now, anyway.

In programming, a regression is when you make new changes that inadvertently counteract various previous changes and, hey presto, a bug that you thought you’d got rid of returns.

If you like, a regression is a sort of anti-patch, where you repeat a mistake you fixed already.

Adobe isn’t giving a lot of detail away, but does say:

This update resolves a regression that permitted the launch of javascript scheme URIs when viewing a PDF in a browser (CVE-2013-5325).

The scheme in a URI is the part at the beginning, like http://, or mailto:, that tells your browser how to get to the resource you’ve just specified.

Until fairly recently, most browsers allowed you to go to the address bar and run JavaScript directly, by prefixing it with the scheme identifier javascript:, for example like this:

The hazards quickly became obvious once scammers started luring you into “pasting the following web address into the address bar,” but including a JavaScript-based URL, not one that used HTTP.

→ There are hundreds of different legal URL schemes, from aaa: (a protocol to do with login, dealing with authentication, authorisation and accounting) to z39.50: (a search and indexing protocol that was made pointless by the web).

JavaScript-based URLs are now considered harmful in your browser’s address bar, and so browsers simply ignore them.

So will your Adobe PDF plugin, once you’ve updated.
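The “ignore javascript: URLs” behaviour described above comes down to a scheme allow-list applied before any navigation happens. As an added example (not from the article, and not Adobe’s or any browser’s code), here is what such a check looks like in JavaScript, including the obfuscations a naive string compare misses: mixed case, leading control characters, and tabs or newlines spliced into the scheme name. The allow-list and the helper names are this example’s own choices.

```javascript
// Added example: enforce a URL scheme allow-list the way a browser or PDF viewer
// does, so that javascript: URIs never reach a "navigate" or "open" call.
// The allow-list below is a choice for this example; adjust it to the context.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
const SCHEME_RE = /^([a-z][a-z0-9+.-]*):/i;

// Normalise the raw string the way the WHATWG URL parser does before looking
// for a scheme: strip leading/trailing C0 controls and spaces, then remove
// embedded tabs and newlines. Without this step, "java\tscript:" or
// "\u0001javascript:" would slip past a plain prefix comparison.
function normaliseUrl(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the lower-cased scheme, or null for a relative or scheme-relative URL.
function extractScheme(raw) {
  const m = SCHEME_RE.exec(normaliseUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a link target may be followed. Relative URLs are allowed
// because they inherit the scheme of the document that contains them.
// Only the scheme of the *first hop* is judged here; a query parameter such
// as ?next=javascript:... is the next hop's problem and gets the same check
// when it is about to be followed. The check must run on the decoded value
// (after HTML entity decoding), which is what the browser or viewer sees.
function checkLinkTarget(raw, allowed = ALLOWED_SCHEMES) {
  const scheme = extractScheme(raw);
  if (scheme === null) {
    return { allowed: true, scheme: null, reason: "relative URL, inherits document scheme" };
  }
  if (allowed.has(scheme)) {
    return { allowed: true, scheme, reason: "scheme on allow-list" };
  }
  return { allowed: false, scheme, reason: `scheme "${scheme}:" not on allow-list` };
}

// Constructed sample link targets (not taken from any real page or PDF).
const SAMPLES = [
  "https://example.com/report.pdf",
  "HTTPS://EXAMPLE.COM/upper-case-scheme",
  "/relative/path/to/doc",
  "mailto:security@example.com",
  "javascript:alert(1)",
  " JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "\u0001javascript:alert(1)",
  "data:text/html,<b>not a web page</b>",
  "vbscript:MsgBox(1)",
];

// Run every sample through the check; returns [target, allowed, reason] rows.
function runSamples() {
  return SAMPLES.map((s) => {
    const r = checkLinkTarget(s);
    return [JSON.stringify(s), r.allowed, r.reason];
  });
}

for (const [target, allowed, reason] of runSamples()) {
  console.log(`${allowed ? "ALLOW" : "BLOCK"}  ${target}  (${reason})`);
}
```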

Should you patch Reader and Acrobat?

And that raises an interesting question: should you apply this patch?

After all, some of you might be feeling a bit cagey about accepting Adobe’s patches right now.

The company just admitted that hackers were able to break in and exfiltrate 40GB of product source code from the corporate network, almost certainly including Acrobat.

What if the crooks were also able to make commits? (That’s where you save back changes so they can be compiled into the next build.)

If they did so, and their changes weren’t spotted, malicious modifications could now be part of an official release.

My own opinion is that this is highly unlikely, not least because modern software engineering tools make it comparatively easy to track the changes to the source code files in a product between builds.

Also, remember that this patch deals with fixing a regression – “repatching” a previous patch – rather than with a shepherding in a huge raft of changes throughout the product.

So it’s reasonable to assume that if Adobe’s recent unauthorised visitors really had made any malware-related modifications, they’d surely have been spotted before release.

In short, if I were an Acrobat or Reader user, I’d take the update.

Of course, as an OS X user my PDF needs are met without having Reader or Acrobat installed, so it’s easy for me to say that – a botched release wouldn’t affect me directly.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NwP-1aX9mcQ/

Russia revs up “PRISM on steroids” to monitor all Winter Olympics communications

All communications coming from visitors and athletes at the 2014 Winter Olympics in Russia will be monitored by newly strengthened telephone and internet spying technologies.

Investigative work to document Russia’s massive surveillance ramp-up was undertaken by a team of Russian journalists looking into preparations for the Games, The Guardian reports.

According to a dossier compiled by the journalists, their country’s powerful security service – the Federal Security Service of the Russian Federation (FSB) – has been taking the steps to install near-ubiquitous monitoring.

Documents compiled by the journalists – Russian security services experts Andrei Soldatov and Irina Borogan – track government procurement and tenders from Russian communication companies showing that newly installed telephone and internet spying capabilities will give the FSB “free rein to intercept any telephony or data traffic and even track the use of sensitive words or phrases mentioned in emails, webchats and on social media”, The Guardian’s Shaun Walker writes.

Walker reports that the Russian journalists have collated dozens of open source technical documents published on Zakupki, the Russian government’s procurement website, as well as public records of government oversight agencies.

The duo’s investigations show that while surveillance technology is being modernized throughout the country, particular attention has been paid to overhauling telephone and Wi-Fi networks in the Black Sea resort of Sochi, where the Games will be hosted.

Walker describes how “major amendments” to the infrastructure have focused on SORM – the nation’s interception system for phone and internet communications.

At this point, SORM is so tied into Russian communications architecture that, Edward Snowden revelations aside, it makes the US National Security Agency’s (NSA’s) level of surveillance seem almost like an afterthought.

The Guardian quoted Ron Deibert, a professor at the University of Toronto and director of Citizen Lab, which co-operated with the Sochi research, as calling the Winter Games SORM upgrades “PRISM on steroids”.

The difference in the two countries’ surveillance infrastructures can be found where the communications providers’ rights intersect with the government’s pre-emptive power to force its will upon them, he said:

The scope and scale of Russian surveillance are similar to the disclosures about the US programme but there are subtle differences to the regulations… We know from Snowden’s disclosures that many of the checks were weak or sidestepped in the US, but in the Russian system permanent access for SORM is a requirement of building the infrastructure.

In fact, Russia has been beefing up SORM for some time, as Soldatov and Borogan, writing for Wired in December 2012, described.

In the article, the journalists delve into the difference between where the US and Russian governments insert surveillance into their countries’ respective communications infrastructures:

In the U.S. and Western Europe, a law enforcement agency seeks a warrant from a court and then issues an order for LI [the Western term LI, short for lawful interception, as used in press releases from SORM equipment providers] to a network operator or internet service provider, which is obliged to intercept and then to deliver the requested information.

In Russia, an FSB operative is also required to get an eavesdropping warrant, but he is not obliged to show it to anyone. Telecom providers have no right to demand that the FSB show them the warrant. The providers are required to pay for the SORM equipment and its installation, but they are denied access to the surveillance boxes.

Thus, the FSB does not need to contact the ISP’s staff; instead the security service calls on the special controller at the FSB HQ that is connected by a protected cable directly to the SORM device installed on the ISP network. This system is copied all over the country: In every Russian town there are protected underground cables, which connect the HQ of the local FSB department with all ISPs and telecom providers in the region.

The FSB since 2010 has been upgrading SORM to ensure it can cope with extra traffic during the Games, the journalists have discovered.

The work has included laws that require all telephone and internet service providers to install SORM boxes on their networks.

Technically, the FSB requires a warrant to intercept a communication, but it’s not obliged to actually show it to anyone.

Once a SORM box is in place, the FSB can get at any and all phone calls or internet communications, without any of it being logged and without the provider ever knowing, Walker writes.

This will enable Russia to not only track suspected foreign spies, but also possibly to immediately break up any type of rally for gay rights amidst the controversy over Russia’s crackdown on such rights, Walker comments.

The US State Department’s Bureau of Diplomatic Security earlier this year warned those traveling to the Games to take precautions with communications and devices, The Guardian notes.

It sent out a brochure that read, in part:

“Business travellers should be particularly aware that trade secrets, negotiating positions, and other sensitive information may be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities.”

Or as Naked Security’s Mark Stockley puts it, “Sochi is a surveillance trap set by one of the globe’s experts in surveillance. So the only sensible advice is don’t do, say or bring anything you aren’t prepared to share with the Russian Federation.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/g88jiATnmvg/

Microsoft pays out its first $100,000 bug bounty

Microsoft marked yesterday’s tenth anniversary of Patch Tuesday by awarding a security bounty of $100,000 to a researcher at a UK company.

The award was made after James Forshaw, head of vulnerability research at Context Information Security, uncovered a new type of mitigation bypass technique that could be used against the latest version of the company’s Windows operating system.

The whopping payout from Microsoft takes its outlay on bug bounties to over $128,000, after the company paid out $28,000 just last week to a total of six security researchers who found vulnerabilities in the preview version of Internet Explorer 11.

One of those six researchers was Forshaw who received $9,400 for his efforts. The much more impressive bounty announced today almost didn’t come his way, though:

Coincidentally, one of our brilliant engineers at Microsoft, Thomas Garnier, had also found a variant of this class of attack technique.

Microsoft engineers like Thomas are constantly evaluating ways to improve security, but James’ submission was of such high quality and outlined some other variants such that we wanted to award him the full $100,000 bounty.

For obvious reasons Microsoft will not disclose any further details about Forshaw’s mitigation bypass technique until it has taken the necessary steps to address it. The company did, however, say that it is “excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants.”

Writing on the BlueHat blog, Katie Moussouris, senior security strategist for Microsoft Security Response Center, said that the reason for paying such a large bounty for a new attack technique was that it allowed the company to develop defences against it across its product range:

This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers.

When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.

Commenting on the award, Forshaw said:

Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence. It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count. Receiving the recognition for my entry is exciting to me and my employer Context; it also gives me the satisfaction that I am contributing to improving the security of both Microsoft’s and Context’s customers.

Whilst I suspect that James, who has a track record of claiming other bounties via HP and the PWN2OWN contests, will be required to hand his award over to his employer, I do hope his achievements are recognised in some way.

If his company are feeling particularly generous it could, perhaps, give him a percentage of the cash.

Otherwise, I guess it could always consider giving him some gift vouchers, though it may want to check how the security community reacted when Yahoo offered a paltry $12.50 to researchers who discovered vulnerabilities under its bug bounty program.

Yahoo has now responded by increasing its potential payouts to the $150 – $15,000 range but that still pales in comparison to this bounty paid out by Microsoft.

Whether that disparity affects the efforts of researchers to point out security vulnerabilities to Yahoo remains to be seen, though I personally would like to think some have motivations besides money.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/eWDr0t_Z-bI/