The long-awaited Parliamentary Intelligence and Security Committee (ISC) report into privacy and security, published this morning, has dismissed suggestions that GCHQ and other parts of the UK's intelligence services circumvent the law. The claims followed the leak of US National Security Agency (NSA) material by whistleblower Edward Snowden, which appeared to show that the UK's security services were engaged in mass data collection and surveillance.

"The [security] Agencies do not have the legal authority, the resources, the technical capability, or the desire to intercept every communication of British citizens, or of the internet as a whole: GCHQ are not reading the emails of everyone in the UK," says the report. It continues: "GCHQ's bulk interception systems operate on a very small percentage of the bearers that make up the internet. We are satisfied that they apply levels of filtering and selection such that only a certain amount of the material on those bearers is collected. Further targeted searches ensure that only those items believed to be of the highest intelligence value are ever presented for analysts to examine: therefore only a tiny fraction of those collected are ever seen by human eyes."

It added that the current legal framework has led to widespread confusion, yet also asserted "we have established that bulk interception cannot be used to target the communications of an individual in the UK without a specific authorisation naming that individual, signed by a Secretary of State".

The report has therefore called for the security services to be put under clearer legislation to overcome what it describes as an "unnecessarily complicated" legal framework. "Our key recommendation therefore is that the current legal framework be replaced by a new Act of Parliament governing the intelligence and security Agencies. This must clearly set out the intrusive powers available to the Agencies, the purposes for which they may use them, and the authorisation required before they may do so," the report says.

Campaign group Privacy International accused the committee of whitewashing the extent of GCHQ's mass surveillance and data gathering operations. In a statement it said: "Far from allaying the public's concerns, the Intelligence and Security Committee's report should trouble every single person who uses a computer or mobile phone: it describes in great detail how the security services are intercepting billions of communications each day and interrogating those communications against thousands of selection fields." It called for the new legal framework proposed by the Committee to provide genuine restraints on the power of GCHQ and the security services, and for greater judicial oversight of their surveillance and data-gathering activities.
Interviewed on the BBC Radio 4 Today programme this morning, ahead of an ISC announcement expected later today, Jimmy Wales of the Wikimedia Foundation, which yesterday launched legal action against the US National Security Agency, argued that mass surveillance of communications by the intelligence services has to stop. "For me one of the key elements is one of the oldest bits of jurisprudence in free societies, which is probable cause. Get a warrant, go to a judge. Don't surveil everyone," he said. "Bulk collection of data is incredibly dangerous," he said. "We've been very lucky that we live in a society where we don't have leaders who are using that kind of data for political assassinations and so forth, but that possibility exists so long as this data is being collected," Wales added.

Interviewed at the same time, Nigel Inkster of the International Institute for Strategic Studies and former deputy chief of the intelligence service MI6, sought to downplay the activities of the spy agencies. Asked whether mass surveillance should be troubling in a free society, Inkster said: "It would be troubling if it were mass surveillance but it's not what we're talking about here. It is a bulk collection of civilian telecommunications, something which has actually been going on for decades without obvious detriment to civil liberty human rights, in order for the intelligence agencies to identify very narrow and specific sets of information about threats." This is an interesting statement given that such activities may well have been against the law.

Inkster also sought to broaden the argument to cover the activities of commercial organisations such as Google, contrasting the legal framework under which the security agencies must operate with the free-for-all of the internet. "I think the biggest thing to come out of the Snowden revelations is the growing realisation by people around the world that the degree to which their personal data has been traded and commoditised without their active consent by [commercial organisations] who are operating with very few of the constraints under which intelligence services in democratic societies do operate," Inkster said.

Wales believes that the rise of end-to-end encryption will soon make life very difficult for the intelligence agencies. Citing the example of WhatsApp he said: "If you use the application everything you type is encrypted from your computer to your friend's computer. The service itself has no way to read it, GCHQ can't read it, NSA can't read it. That's what consumers are demanding today because of the overall intrusive nature of what's been going on." Wales went on: "People in China are using Tor to browse websites. The genie is out of the bottle and there's nothing to be done about it."

Inkster's response was that this would be a dangerous thing. Arguing that the rise of encryption is more to do with market share than concerns over personal privacy, he said: "The big question to be answered here is about whether we do actually want to live in a world where no communications can be controlled." He went on: "There is no doubt that the Snowden revelations have provided for many malevolent actors on the internet a roadmap that minimises the risk of them getting caught."
Birmingham, UK and Dublin, Ireland - 12 March, 2015 -- ENTERTECH SYSTEMS, the official operating partner for Suprema Inc. in Ireland, the United Kingdom, United States, Canada and Puerto Rico, has announced that Reliable Security Products Ltd., a leadi...
Though Hillary Clinton's server wasn't using the most advanced cryptographic protections for her email, there's no indication of certificate misuse, Venafi finds.

As the news surrounding former Secretary of State Hillary Clinton and her use of a private email server continues to swirl, security specialist Venafi offered its take on the situation. Venafi's analysis is being accompanied by the 2015 Cost of Failed Trust Report, which provides broader insight into the state of Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate use on the modern Internet. To secure data in transit on the Internet, cryptography is used, typically TLS, in which an SSL/TLS certificate authenticates the server to the client and the handshake establishes the keys that encrypt the session.

Venafi has a new service, called TrustNet, which was used to conduct the analysis on the "clintonemail.com" domain used by the former Secretary of State. TrustNet looks at how digital certificates are used in an effort to help track them and prevent potential misuse. Venafi TrustNet acquires certificates and metadata from Internet scanning as well as public domain historical archives, according to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

The Venafi scanning effort discovered that "clintonemail.com" did, in fact, have SSL/TLS certificates in place on the site. The analysis found three different certificates issued since 2009: one issued by Network Solutions for "mail.clintonemail.com" in March 2009 that expired in September 2013; another for "mail.clintonemail.com" issued by GoDaddy in September 2013 and valid until September 2018; and a certificate issued by Network Solutions in February 2012 for "sslvpn.clintonemail.com" that was valid until February 2013. "The 2009-issued 'mail.clintonemail.com' and 2012-issued 'sslvpn.clintonemail.com' certificates were found in the historical archives," Bocek told eWEEK. "The TrustNet scanning engine acquired the current 2013-issued 'mail.clintonemail.com' certificates."

Venafi's analysis shows the certificates to all be domain-validated (DV), meaning the issuing certificate authority checked only that the requester controlled the domain name, as opposed to the more rigorously audited Extended Validation (EV) certificates, which also require verification of the requesting organisation's legal identity and can likewise be used to secure servers. Looking at the underlying technology for the server, Bocek said that clintonemail.com is running Microsoft's Internet Information Services (IIS) 7 Web server for Web services. The server is not leveraging Perfect Forward Secrecy (PFS), an SSL/TLS server configuration in which an ephemeral Diffie-Hellman key exchange (DHE or ECDHE) produces fresh session keys for every connection. Without PFS, sessions negotiated with plain RSA key exchange can be decrypted after the fact by anyone who recorded the traffic and later obtains the server's private key; with PFS, compromise of that long-term key does not expose past sessions. After revelations of U.S. government snooping, multiple large Web properties, including Twitter, began to deploy Perfect Forward Secrecy in 2013 in an effort to harden security.

Though Clinton's server wasn't using the most advanced forms of cryptographic protections for her email, at this time there is no indication of current certificate misuse, Bocek said. "During the time Secretary Clinton was using 'clintonemail.com' with certificates and encryption, she traveled to China, Egypt, Israel and South Korea," Bocek said. "The risks of eavesdropping and/or credential theft were and are real for both businesses and government travelers."

2015 Cost of Failed Trust Report

The research for the 2015 Cost of Failed Trust Report, sponsored by Venafi and conducted by the Ponemon Institute, sheds some additional light on how organizations manage and use SSL/TLS certificates. The study surveyed 2,300 IT security professionals in the United States, the United Kingdom, Australia, France and Germany. The study found that 54 percent of organizations admitted that they did not know how all their digital certificates were being used or even where they were all located.

Looking at the types of attacks that occur against cryptographic security, respondents indicated that man-in-the-middle (MITM) attacks were the most common, followed by attacks against weak cryptography. The use of weak cryptography is at the heart of the FREAK SSL/TLS flaw disclosed on March 3, in which an attacker positioned between a client and a server that still accept 1990s-era "export-grade" RSA cipher suites forces the handshake down to a 512-bit RSA key that can be factored with modest computing resources; Apple and Microsoft have since patched the flaw.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
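The two server-side weaknesses raised above, a configuration without forward secrecy and continued support for the export-grade RSA suites that FREAK downgrades to, can both be read straight off a server's cipher-suite list. The following is an added example, not Venafi's TrustNet code and not an analysis of the actual clintonemail.com host: it classifies IANA-named TLS cipher suites by key exchange, flags export-grade suites, and builds a hardened Python SSLContext that only offers ephemeral (DHE/ECDHE) key exchange over TLS 1.2 or later. The sample suite list is constructed for illustration.

```python
"""Audit TLS cipher suites for forward secrecy and FREAK-style export suites.

Added example (not Venafi's or Microsoft's code). Suite names follow the
IANA registry form TLS_<kx>[_<auth>][_EXPORT]_WITH_<cipher>_<mac>; TLS 1.3
suites (e.g. TLS_AES_128_GCM_SHA256) omit the key-exchange field because
their handshake is always ephemeral.
"""
import ssl
from dataclasses import dataclass

# Constructed sample: what a legacy IIS 7-era server might offer. This is
# NOT the real clintonemail.com suite list, which the article does not give.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",           # static RSA kx: no forward secrecy
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",         # export-grade: FREAK downgrade target
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # ephemeral ECDH: forward secrecy
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_AES_128_GCM_SHA256",                 # TLS 1.3: always ephemeral
]


@dataclass(frozen=True)
class SuiteReport:
    name: str
    key_exchange: str
    forward_secrecy: bool
    export_grade: bool


def classify_suite(name: str) -> SuiteReport:
    """Derive key-exchange type, forward-secrecy and export status from the name."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    if "_WITH_" not in name:
        # TLS 1.3 naming: no key-exchange field, (EC)DHE is mandatory.
        return SuiteReport(name, "ephemeral (TLS 1.3)", True, False)
    kx_tokens = name[len("TLS_"):name.index("_WITH_")].split("_")
    key_exchange = kx_tokens[0]                      # RSA, DHE, ECDHE, ECDH, DH, ...
    export_grade = any(t.startswith("EXPORT") for t in kx_tokens)
    forward_secrecy = key_exchange in ("DHE", "ECDHE")  # ephemeral DH only
    return SuiteReport(name, key_exchange, forward_secrecy, export_grade)


def audit(suites):
    """Summarise a server's offered suites the way a scanner would report them."""
    reports = [classify_suite(s) for s in suites]
    return {
        "forward_secrecy_offered": any(r.forward_secrecy for r in reports),
        "non_fs_suites": [r.name for r in reports if not r.forward_secrecy],
        "export_grade_suites": [r.name for r in reports if r.export_grade],
        # FREAK specifically abuses RSA_EXPORT suites (512-bit RSA keys).
        "freak_exposed": any(r.export_grade and r.key_exchange == "RSA"
                             for r in reports),
    }


# Hardened configuration: TLS 1.2+ and ephemeral key exchange only.
HARDENED_CIPHERS = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
                    "!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5")


def hardened_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Report what the context will actually negotiate (OpenSSL names)."""
    tls12 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return {"minimum_version": ctx.minimum_version.name, "tls12_suites": tls12}


if __name__ == "__main__":
    for k, v in audit(SAMPLE_SUITES).items():
        print(f"{k}: {v}")
    print(context_summary(hardened_context()))
```

The name-based classifier is what you would run over scanner output; the SSLContext half shows the corrected setting for your own Python clients and servers. Note that the hardened cipher string only governs TLS 1.2 suites: TLS 1.3 suites are selected separately by OpenSSL and already provide forward secrecy.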
While companies are complying with more of the Payment Card Industry’s security standards, fewer than a third remain compliant after they complete an assessment.

Companies that handle credit- and debit-card data are complying with more of the requirements of the payment industry’s security standards, but are less likely to maintain their security posture over time, according to data published on March 11 by business-technology services firm Verizon Enterprise Solutions. In its 2015 PCI Compliance Report, Verizon found that companies typically met nearly 94 percent of the requirements of the Payment Card Industry’s Data Security Standard (PCI DSS) during an initial assessment conducted in 2014, up from 85 percent in 2013. Yet four out of five companies did not comply with all the necessary requirements to pass the initial PCI assessment. Moreover, after passing a previous assessment, more than 81 percent of companies failed their next compliance test.

“It is a mixed bag,” Franklin Tallah, an executive consultant at Verizon Enterprise Solutions, told eWEEK. “There are those companies that are ahead of the game, but for those in the lagging category, it should be a wake up call.”

While the PCI Data Security Standard has often been criticized for emphasizing check boxes over security, many security professionals have recommended the standard as a starting point for any company aiming to harden its network against cyber-attacks. Last year, driven by companies’ lack of security awareness, their slow detection of attacks and threats, and the lack of consistency in assessments, the PCI Security Standards Council rolled out version 3 of the standard. In its report, Verizon found that, in 2014, more companies had complied with almost all 12 main PCI requirements, with the exception of the requirement to regularly conduct security scans and mitigate security issues. Only 33 percent of companies complied with those requirements in their initial assessment, down from 40 percent in 2013.

Verizon, which performs both PCI assessments, as a Qualified Security Assessor (QSA), and post-breach investigations, has never encountered a compromised company that was compliant with PCI DSS at the time of the breach, the company stated in the report. “The companies that we visited post-breach as a [PCI Forensic Investigator] were significantly less … compliant than our control group of QSA customers,” Verizon stated. “Not only were breached companies less likely to be found compliant overall, they were also less likely to be compliant with 10 out of the 12 requirements individually.” In particular, companies suffering a compromise never met the requirements for maintaining secure development practices, identifying vulnerabilities, tracking access to networks and analyzing log files.

The benefits of the PCI standard depend on the approach that a company takes to implementing the requirements, Verizon’s Tallah said. Companies that put a great deal of emphasis on finding the systems and software that handle payment card data and securing those systems will be far more likely to remain compliant with the standards. However, it is not an easy task, he said. “We find that many organizations underappreciate the level of effort,” Tallah said. “We are recommending that people educate themselves and understand that it is a complex project.”