Wednesday, August 16, 2017

NSA Surveillance Reform Bill Passes House to Mixed Reaction

Civil libertarians hoped the legislation would prevent indiscriminate collection of volumes of private communications. But now they say it was amended with weaker language.

The U.S. House of Representatives passed long-sought-after communications surveillance reform legislation on May 22, but last-minute changes to the bill had one-time supporters criticizing it as weak.

The bill (H.R. 3361), also known as the USA Freedom Act, amends the Foreign Intelligence Surveillance Act (FISA) of 1978, adding restrictions on the use of FISA by the National Security Agency to prevent the indiscriminate collection of the phone records and other communications of U.S. citizens. Yet changes to the legislation earlier in the week caused many of the original supporters of the legislation to back away from supporting the bill. Critics fear that changes to the definitions of what types of records can be targeted continue to leave open the possibility of mass surveillance.

"I am troubled by the changes that were made to the bill behind closed doors that stripped key protections and open the door to bulk collection," U.S. Representative Bennie G. Thompson, D-Miss., a ranking member of the House Committee on Homeland Security, said in a statement. "The Privacy and Civil Liberties Oversight Board found that the NSA's bulk collection of metadata is illegal and called for it to be stopped."

Civil liberties groups, such as the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU), spoke out against the amendments to the bill. On May 20, the EFF released an analysis that took issue with the amended bill's modified definitions of what information could be targeted as well as the lack of reform to a second section of FISA, Section 702, which covers intelligence collection about foreign individuals outside the United States. Finally, the EFF and other groups had called for a special advocate to be present during FISA Court hearings who could represent the interests of the people of the United States.

The EFF's analysis took exception to the relaxing of the definition of the terms that limit the NSA's collection. "The new version not only adds the undefined words 'address' and 'device,' but makes the list of potential selection terms open-ended by using the term 'such as,'" the analysis stated. "Congress has been clear that it wishes to end bulk collection, but given the government's history of twisted legal interpretations, this language can't be relied on to protect our freedoms."

"Earlier today, House Leadership reached an agreement to amend the bipartisan USA FREEDOM Act in ways that severely weaken the bill, potentially allowing bulk surveillance of records to continue. The Electronic Frontier Foundation cannot support a bill that doesn't achieve the goal of ending mass spying."

The ACLU also criticized the changes, but welcomed legislation that moves the nation ahead with needed surveillance reforms. "While far from perfect, this bill is an unambiguous statement of congressional intent to rein in the out-of-control NSA," Laura W. Murphy, director of the ACLU's Washington Legislative Office, said. "While we share the concerns of many—including members of both parties who rightly believe the bill does not go far enough—without it we would be left with no reform at all, or worse, a House Intelligence Committee bill that would have cemented bulk collection of Americans' communications into law."

The critics of the legislation, such as the ACLU and EFF, pledged to work to modify the bill as it is considered in the Senate. "With the passage of this measure, I now call on the Senate to work expeditiously and approve legislation that leaves no room for bulk collection to continue," Representative Thompson said.

Twitter caves to Pakistani “blasphemy” censorship requests

It's the first time Twitter's censorship policy has been used in the country.

Blizzard sues unknown creators of StarCraft II’s “ValiantChaos MapHack”

"Blizzard seeks to protect the sanctity of the StarCraft II gaming experience."

Vote for Vader: Star Wars’ Sith Lord loses in Ukraine mayoral...

Gallery: Luke's dad handles reporters, kisses babies, and does more politicking.

US may block visas for Chinese hackers attending DefCon, Black Hat

Organizers of those conferences skeptical of the move to exclude Chinese nationals.

Why Vint Cerf Thinks Net Security Should Go Back to the...

EXCLUSIVE: Cerf on the IoT: "I am very worried about the [future] headline that says: 'One Hundred Million Refrigerators Attack Bank of America.'"

LAGUNA BEACH, Calif.—Not too many people would know or remember this, but Vint Cerf is one who does: May 2014 marks the 40th anniversary of the first publication of the description of what we know today as the Internet.

In September 1973, Cerf and a colleague, Robert Kahn, wrote a paper, "A Protocol for Packet Network Intercommunication," for the May 1974 edition of IEEE Transactions on Communications. The paper described how packets of digital data would be able to move from one computer node to another, then to another, then to many others, using new protocols and standard phone networks.

One of those protocols, designed and written that same year, was TCP/IP, short for Transmission Control Protocol/Internet Protocol. It remains the key data movement protocol of the Internet; in 1983, it became a standard. Another of those protocols, FTP, or File Transfer Protocol, enables users to log on to a remote computer, list the files on that computer and download files from that computer.

Vinton Gray Cerf, 70, now serves as vice president and chief Internet evangelist for Google. He was there when the Internet was turned on using TCP/IP and FTP in 1983, and is one of the fathers of the network because he helped code it and was influential in many of the biggest milestones in its history.

Security Was an Issue From the Very Beginning

"It started out as a bunch of geeks who basically thought it would be really cool if every network in the world, every computer in the world, would be interconnected in some very informed way, and wouldn't that be amazing if they could share information in a very fluid and flexible way?" Cerf said in an interview at the 12th annual FiRE 2014 conference here on May 21.

"For a very long time, it was the property of the scientific and military community, but in about 1989, the commercial services came along, and not very long after that, Tim Berners-Lee's invention [of the World Wide Web] becomes visible, then Marc Andreessen and Eric Bina with Mosaic [the first graphical browser in 1994], suddenly, the general public comes onto the net. At that point, we have a sea change."

Fake key e-mails, win a $25M court case

Works great until it's discovered.

Cisco Bolsters Security Portfolio

At Cisco Live, company executives unveil enhanced AMP offerings, new firewalls and the acquisition of ThreatGrid.

Amid Cisco Systems' talk about collaboration and cloud computing, security emerged as a key subject during the Cisco Live 2014 event this week. The networking company at the show unveiled a range of new and enhanced security offerings—including enhancements to its Advanced Malware Protection (AMP) products—and announced it is buying malware analysis vendor ThreatGrid, the third security acquisition Cisco has made this year.

As Cisco continues its efforts to become an enterprise IT solutions provider, security will play a key role, according to CEO John Chambers. In an interview with Bloomberg, Chambers said that the network can provide security that no other part of the IT infrastructure can. That will only help Cisco in its security ambitions.

"We are moving to become the number-one security company, because the only way you can defend [the enterprise IT environment] is from the cloud to the data center, the wide-area network to the edge to any device," the CEO said, noting the company's recent security acquisitions. "We are moving rapidly to all areas of security, not with individual pieces but an architecture that brings them together."

A cornerstone to Cisco's security efforts was the $2.7 billion acquisition last year of cyber-security vendor SourceFire. The upcoming purchase of ThreatGrid will bolster the AMP product portfolio, which Cisco inherited from SourceFire, and add to a security business that continues to grow. During a conference call with analysts and journalists May 14 to talk about quarterly financial numbers, Chambers said that in the first three months of 2013, security revenue for Cisco increased 10 percent from the same period last year, and orders jumped 20 percent.

The AMP technology is a key part of Cisco's security strategy, the foundation for what executives call the company's "AMP Everywhere" initiative.

"Given the dynamic threat landscape, we must be just as dynamic in evolving our advanced threat protection offering to enhance our already robust capabilities to aggregate and correlate data from across the extended network, to identify advanced and evasive cyber-threats, and provide intelligent cyber-security solutions for the real world," Martin Roesch, vice president and chief architect for Cisco's Security Business Group, wrote in a post on the company's blog, noting recent enhancements Cisco has made in its offerings. "All of this work has been based upon a clear understanding of what a complete solution looks like in today's threat landscape. We must offer solutions that bring together both point-in-time technologies possessing strong detection rates with continuous analysis and retrospective security to 'go back in time' to remediate files that may have initially evaded defenses," he wrote.

At Cisco Live, the vendor rolled out updates to AMP that enable improved sharing of data regarding compromise to networks and endpoints, and also provide support for Apple's Mac OS X operating system. AMP offers continuous detection and response capabilities throughout the network, including endpoints, mobile devices, virtual machines, and Web and email gateways, according to the company.

AMP for Endpoints includes a technology called Elastic Search, which enables users to quickly determine the scope of an attack, while Remote File Analysis can store and retrieve files that can be later scored and analyzed. AMP for Networks includes multiple source indicators of compromise that can be prioritized in one console across AMP for Networks and Endpoints and various security intelligence feeds. In addition, users can analyze potential threats in a cloud-based sandbox.

Cisco also is offering AMP appliances for private cloud environments, and two new AMP FirePower appliances dedicated to AMP for Networks—the FirePower AMP8150 with up to 2G-bps of performance and the FirePower AMP7150 with up to 500M-bps capabilities. Cisco also is adding new firewall capabilities through its updated ASA 5585-X and new ASAv. The firewalls bring greater security to software-defined network (SDN) environments and data centers running Cisco's Application Centric Infrastructure (ACI) platform.

How the patent trolls won in Congress

Trial lawyers and pharma companies teamed up to stop change to patent laws.

eBay Breach Isn’t Just About Passwords

NEWS ANALYSIS: Organizations must improve security to limit the risks of employee credentials being applied to exploit users. This can be done in several ways.

Online auction giant eBay this week revealed that one of its databases had been breached and advised its users to update passwords. However, passwords are not necessarily the weak link for eBay's security.

The eBay breach has generated a lot of interest and discussion about the modern state and usefulness of passwords. Some experts advocate the use of password management systems, and some wonder if passwords have outlived their usefulness. Although debate about the usefulness and security of passwords is important, it's crucial to realize that the eBay breach is not actually about end-user passwords.

Yes, it's true that eBay is recommending that users update passwords, but not necessarily because those passwords have been compromised. The database breach compromised encrypted password information, and there is no official confirmation at this point that those passwords have been decrypted. What's more, eBay has long been a supporter of two-factor authentication, which also likely serves to protect users. With two-factor authentication, a second password (or factor) is needed to log on to eBay or PayPal. Going a step further, to date, eBay has not said that it has any indication that any user account has actually been compromised by a fraudulent password.

What eBay has publicly stated, however, is that "employee log-in credentials were first detected about two weeks ago." That's right. This was a breach triggered by an insider compromise. That means that, somehow, an attacker tricked an eBay employee into doing something that led to the disclosure of the employee's credentials. That disclosure might have come from some form of phishing email, or perhaps it was something more dramatic like a breach of an employee's device. At this point, eBay has not publicly disclosed the specifics of how the employee compromise occurred.

Earlier this month, URL shortening service Bitly advised its users to reset accounts, also after an employee's credentials were somehow compromised. More often than not, employees are being exploited as the weak link for the security of millions of users.

It's great that eBay wants users to update their passwords, but if an insider compromise can exploit a hundred million user passwords from a database, users updating their passwords won't do much good. Organizations should improve security to limit the risks of employee credentials being applied to exploit users. This can be done in several ways—from improved endpoint security for phishing emails to having more aggressive monitoring of employee accounts.

Going a step further, having proper role-based access control (RBAC) on database technology is a critical security control for any organization. Why does one user need full access to an entire database of more than 100 million accounts? By having proper RBAC in place, with the right granular control and monitoring, even if one employee account is compromised, there is a degree of risk mitigation.

Passwords are a key part of the modern Internet and are not likely to go away any time soon. No one password for any one user or employee should ever be the single weak link that undermines overall security. Modern security is about layers at every step of the software and infrastructure stack.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Security Picture Shows Less Spam, Java as Top Exploit

One of the largest, most comprehensive annual security reports in any given year is the Trustwave Global Security report, and this year's edition is no exception. Released May 21, the 2014 Trustwave Global Security Report is a 123-page amalgam of infor...

Microsoft to fix critical IE bug that has gone unpatched for...

Remote code-execution vulnerability was brought to Redmond's door in October.