Sunday, November 19, 2017

NIST releases cyber security framework to help US firms reduce risks

The US Department of Commerce's National Institute of Standards and Technology (NIST) has released a draft form of a cyber security framework that is intended to help critical infrastructure owners and operators reduce cyber security risks. In Februar...

Hack turns Belkin baby monitor into iPhone-controlled bugging device

The "Internet of things" may make life richer, but it can also allow new attacks.    

Intelligence chief: Le Monde’s allegations against NSA ‘false’

Director of National Intelligence James Clapper calls the French newspaper's allegations "inaccurate and misleading." October 23, 2013 9:16 AM PDT (Credit: Declan McCullagh/CNET) The Director of National Intelligence has rebutted claims from a F...

Information sharing key to security, say European experts

Sharing information on threats faster is essential in the face of increasingly sophisticated attacks, says Freddy Dezeure, head of the European Union computer emergency response team (CERT-EU). However, this is typically hampered by a lack of adequate tools, concerns about brand damage, and a tendency to make too much information classified, he told the ISSE 2013 security conference in Brussels.

“Zero day threats are also bought [on the underground market] for greater sums than security suppliers are willing to pay,” he said, which means this information is rarely available to business. As a result, businesses are regularly targeted by cyber attacks that can take up to 48 hours to control and malware that can remain undiscovered on business networks for up to a year before it is found.

“It is hardly surprising that offensive rather than defensive responses are becoming more interesting to organisations faced with tactics such as malware infection through compromised websites,” he said. But Dezeure said this is worrying and organisations should instead be collaborating to create trusted communities for sharing information on attacks they are seeing to help improve defences. He also believes that the EU has a role to play in creating legislation that requires and supports greater sharing of threat information.

Guenther Welsch, head of governance at the German federal office for information security, also believes governments should take a stronger hand by setting minimum security standards. “But it must be done in a smart way. All sectors are slightly different so it must be sector specific. A one-size-fits-all approach is doomed,” he said.

Information security professionals will also have to improve and diversify their skills, said Franky Thrasher, information security manager, Electrabel, Belgium. He believes that security professionals need to match the rate at which attackers are increasing their skills, sharing information and exploiting new technologies.

Gerold Hübner, chief product security officer at SAP, Germany, said organisations should use threat intelligence to keep raising the bar to reduce the gap between required effort and potential gain. “Business just has to keep the bar high enough that the potential gain is not worth the time and effort that attackers need to put in to attain their goal,” he said.

Manel Medina, stakeholder relations advisor at EU cybersecurity agency Enisa, said the organisation is working on several initiatives to support cyber-threat-information sharing in the region. These include an incident reporting tool, programmes that promote collaboration between European Certs, and the development of strategies for early warning and response.

Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com

Time to review cyber trust, says ICSPA

The world needs to reset the clock on trust after whistleblower Edward Snowden revealed the US Prism internet surveillance programme, according to the International Cyber Security Protection Alliance (ICSPA).

“Governments need to do a better job to help citizens to understand the reasons for conducting internet surveillance,” John Lyons, ICSPA chief executive, told the ISSE 2013 security conference in Brussels. They also need to expedite efforts to resolve differences over how the internet is governed and set guidelines for norms of behaviour. However, Lyons said the argument between those who want an open internet and those who want to control it could “rumble on for decades”, particularly in the wake of Snowden’s revelations. “We need to reset the clock, and at least agree we will not spy on our friends in international organisations such as Nato,” he said.

The ICSPA also believes international organisations need to rally around cyber security-related projects to help rebuild trust and relationships. “Combining international efforts to clamp down on child abuse pornography could help to rebuild relationships and trust between business, law enforcement and governments,” said Lyons. He called for collaboration on efforts such as the ICSPA’s 2020 Project to help citizens understand cyber threats and take responsibility for their own cyber security.

Lyons also called for international collaboration in outlawing virtual currencies such as Bitcoin, which he said are enabling a large proportion of cyber crime. A recently published report by security firm McAfee, an ICSPA member, reported that virtual currencies are being used to enable an extremely wide range of crime, including contract killings. “The perceived anonymity of virtual currencies is helping drive crime at a scale not seen before,” said Raj Samani, chief technology officer of McAfee Europe and co-author of the report.

Lyons said if US and European financial institutions collaborated, they could shut down virtual currencies such as Bitcoin overnight by requiring all financial transactions to go through auditable channels only. “This is the safest and most secure way of shutting down funding to criminal groups,” he said.

A fourth way international trust could be restored, said Lyons, is if the US and Europe worked together to extend the principle of seizing the proceeds of crime to the cyber world. “Seized funds of cyber criminals' organisations could be used to pay compensation to victims, sponsor charities and improve cyber crime fighting capabilities,” he said.

US publishes draft cyber security framework

The US has published a draft framework of voluntary cyber security standards aimed at reducing risks to companies providing critical national infrastructure. The US National Institute of Standards and Technology (Nist) drew up the framework with input from 3,000 industry and academic experts in response to an executive order by President Barack Obama.

The executive order called for a framework that provides a “prioritised, flexible, repeatable, performance-based, and cost-effective approach” for assisting organisations responsible for critical infrastructure services to manage cyber security risk. “We want to turn today's best practices into common and expected practices," said Nist director Patrick Gallagher.

Protecting critical national infrastructure from cyber attacks

As in the UK, a large proportion of organisations responsible for critical national infrastructure, such as electrical power and water supplies, are private sector companies. The draft framework published by Nist outlines how private companies can identify and protect network assets and detect, respond to and recover from cyber attacks and data breaches. However, many in the private sector have expressed fears that the voluntary framework will inevitably turn into a set of requirements or create new liabilities, according to Reuters.

“The framework provides a common language for expressing, understanding and managing cyber security risk, both internally and externally," the document states. "The framework can be used to help identify and prioritise actions for reducing cyber security risk and is a tool for aligning policy, business, and technological approaches to managing that risk."

Obama's executive order was issued in February after months of debate in Congress had failed to get cyber security legislation in place.

Sharing information about cyber threats

In addition to setting basic cyber security standards for private sector organisations, the executive order was aimed at expediting information sharing about threats between government and private sector organisations that run parts of the critical national infrastructure, and expediting security clearances for private sector organisations, especially those involved with critical national infrastructure.

For 45 days after the publication of the draft framework, Nist will take public comments. It plans to issue the final cyber security framework in February 2014.

In the UK, a communications expert is calling for legislation to set rules for the cyber security of critical national infrastructure. Chris McIntosh, chief executive at communications firm ViaSat UK and a former lieutenant-colonel in the Royal Signals, believes the situation in the UK is very similar to that in the US. While UK military networks are held to strict standards, said McIntosh, the same standards are not being applied to providers of critical national infrastructure.

Google to release two-factor security token

Google is planning a two-factor authentication token, the firm’s principal engineer, Mayank Upadhyay, has confirmed. The security industry has long recognised that passwords are becoming increasingly insecure and difficult to use as they become more complex and harder to remember.

“Authentication is a key part of security, and with technology shifts we have an opportunity to redefine it so that it is easy to use and is more secure,” Upadhyay told the ISSE 2013 security conference in Brussels.

Google plans to introduce a single USB token that can be used to authenticate to multiple online services. Registering with each new service pairs the token with that service: the service stores the token’s public key for that pairing, while the matching private key never leaves the device. “This eliminates the need for one-time passcode (OTP) mechanisms, the need to store secrets in the datacentre, and the possibility of man-in-the-middle [MITM] attacks,” said Upadhyay.

Until now, second-factor authentication has typically relied on OTPs sent by text message, but this approach has several challenges, such as when users lose their mobile phone. “Hackers have also adapted to the use of OTPs by creating ways of stealing user credentials as well as OTPs,” said Upadhyay.

Giving users control of online accounts

Google is optimistic about user adoption of the proposed token because it will give users a sense of being in control over who has access to their online account, he said. The company also expects adoption to be supported by the fact that the token does not require any middleware, it can be used for multiple services, and website integration is simple and easy. For this purpose, Google plans to create two JavaScript application programming interfaces (APIs), one for registering and one for signing in to a service. “In this way, website users remain in complete control of the user interface,” said Upadhyay.

Google is testing the proposed token internally for allowing staff to access corporate data and is working with the FIDO Alliance on new industry standards on authentication. The token is also being tested with a small group of partners ahead of the public roll-out, which Upadhyay said was likely to be some time in 2014.

Secure password alternatives

Longer term, Google sees the token as the opportunity to reduce passwords to a single personal identification number that can be used with the token for multiple accounts. “A single PIN is typically used for multiple bank cards nowadays, which is a model that could be extended to online services using the proposed token,” said Upadhyay. As trusted platform modules (TPMs) with cryptoprocessors become available in all devices, tokens could be built into devices such as smartphones using the secure area of the built-in TPM.

Google decided not to use TPMs for the initial implementation of its universal authenticator because many legacy devices are not equipped with TPM chips. “We believe USB will provide the best connectivity across the types of devices in use around the world at the moment,” said Upadhyay. The first tokens will have near field communication (NFC) capability, which will enable them to be used with the new smartphones that are using this technology.

Strengthening cloud authentication

Through this project, Google hopes to introduce “non-stealable” credentials, which the firm considers a key component in making security easier for users. Other key components are malware-resistant platforms, secure communication channels, and out-of-band notifications relating to sensitive transactions.

“The whole IT industry needs to work together to establish standards for strong device to cloud authentication – we must seize the opportunity to make it happen,” said Upadhyay. Previous attempts at introducing password alternatives have failed because of the need for all web services to adopt the same standard, but pundits say Google may be big enough to make it happen.

The commercial reality of Huawei’s trust issues

This week, we have been visiting Huawei’s headquarters in Shenzhen.

The company has been on a mission in the past three years to open its doors to more journalists and try to change its reputation from a closed-off firm to one of openness and transparency. Yet it is still struggling to break into some of the world’s biggest and most lucrative markets. Amid rumours that the company has links with the Chinese state – Huawei's founder Ren Zhengfei is a former major in the People's Liberation Army of China – it has experienced continuing failure in the US. A US government committee even went as far as to say Huawei’s equipment posed a risk to national security and that businesses across the country should not use it, or any kit from fellow Chinese firm ZTE.

Discussing the difficulties Huawei had in the US – the firm holds less than one per cent market share in its biggest business area of supplying telecom networking equipment, for example – Scott Sykes, head of international media relations, was honest about the bleak outlook when it came to gaining the trust of big customers, both private and public. “We have had to accept it is a commercial reality,” he said. “It is nothing to do with our intent. We are ready, willing and available to serve telcos and consumers in the US. But the fact is we see no significant commercial opportunity for the foreseeable future.”

This hasn’t stopped Huawei trying though. It began operations in the US in 2001 and now has 13 offices across the country, employing 1,500 people – 70% of whom are American citizens. Yet, even with this presence and what Sykes sees as “doing its part to participate and bring jobs and stimulate the American economy,” its roots in China were stopping it from competing fairly for business. “If we are going to put it down to one reason it would be protectionism but it is more complicated than that,” he added.
“You could add politics and sinophobia perhaps, but the main problem is protectionism.” Some have suggested acquisition might be the answer for a strong entry into North America, gaining an existing customer base without having to build up its own brand. Huawei has been throwing a lot of investment into its devices division to take on the big guns such as Apple and Samsung.

As a result, industry analysts had touted the company as a suitor for struggling mobile manufacturer BlackBerry, buying its existing footprint across North America. However, speaking to Computer Weekly at a press conference in Hong Kong, Sykes claimed M&A had never been Huawei’s growth strategy and it could go as long as 10 years without buying another company, putting it out of the running for the struggling mobile manufacturer. “We think we have been very successful with the strategy we have taken,” he said. “We have [grown] organically. We started our company simply as a reseller in 1987. In 1990, we made a major transition to have our own products. In 1995, we got into mobile kit. In 1997, we started our international expansion. Those are all very significant hurdles and we have done all of those through organic growth and development.” Sykes also said the company would not go public in the next five to 10 years, exclaiming “no IPO for Huawei".

The executive admitted both going public and M&A activity were seen as avenues of growth for many firms and acknowledged others would judge these bold statements, but stuck to his guns. “People may say we are wrong, [but] that’s ok, we are fine with that,” said Sykes. “We understand that people are going to watch us and that people are going to have opinions. We accept that. [But] we think we have chosen the right strategy.”

He added: “Let’s say this about the US… nothing simple is going to solve that challenge. Acquisitions, going public, all other kind of simple approaches that you might think of won’t solve what is happening there.”

However, despite its shortcomings across the pond, Huawei’s business in the UK is booming. In October 2012, it confirmed it would be investing £1.3bn into its UK operations, including a new headquarters in Reading, and last week confirmed that £125m would go into a new UK R&D centre. While it has major contracts with big telecoms players such as BT and EE, it has also won the backing of the UK government, striking up a strong relationship with universities minister David Willetts and even receiving a visit from Chancellor of the Exchequer George Osborne when he was on his tour of China last week.

"One of the most exciting opportunities for collaboration between Britain and China in the next step of our relationship is between our cutting-edge, high-tech companies,” said Osborne when he went to Shenzhen. “I am delighted to be visiting Huawei's headquarters with leaders of some of Britain’s most entrepreneurial tech companies to welcome Huawei's investment into the UK."

With the “special relationship” that exists, for now, between the US and UK, Huawei could try to leverage the trust it is being shown on our shores to gain more trust on the other side of the Atlantic.
However, currently, Huawei’s two main focuses are R&D and trying to get a positive message out there to prospective customers in the telecoms sector, worldwide governments and consumers looking for their next smartphone.

The journey is sure to be a long one though and, even if Osborne is Ren’s new best friend, Obama will take a lot more convincing.

Aaron’s computer rental chain settles FTC spying charges

The rent-to-own computer company settles a complaint that accused it of secretly taking Webcam photos of users in their homes and recording keystrokes of Web site login credentials. October 22, 2013 9:54 PM PDT Imagine getting set up with a ren...

Code Signing Seen as Effective Way to Safeguard App Security

NEWS ANALYSIS: Certificate Authorities (CAs) are ramping up efforts to make code signing the norm for application security. There are a number of different ways to ensure application security in the modern IT en...

US government releases draft cybersecurity framework

NIST comes out with its proposed cybersecurity standards, which outlines how private companies can protect themselves against hacks, cyberattacks, and security breaches. October 22, 2013 8:09 PM PDT According to NIST, all levels of an organization should be involved in cybersecurity. (Credit: The National Institute of Standards and Technology) The National Institute of Standards and Technology released its draft cybersecurity framework for private companies and infrastructure networks on Tuesday.

These standards are part of an executive order that President Obama issued in February. The aim of NIST's framework is to create guidelines that companies can use to beef up their networks and guard against hackers and cybersecurity threats.

Adopting this framework would be voluntary for companies. NIST is a non-regulatory agency within the Department of Commerce. The framework was written with the involvement of roughly 3,000 industry and academic experts, according to Reuters. It outlines ways that companies could protect their networks and act fast if and when they experience security breaches. "The framework provides a common language for expressing, understanding, and managing cybersecurity risk, both internally and externally," reads the draft standards. "The framework can be used to help identify and prioritize actions for reducing cybersecurity risk and is a tool for aligning policy, business, and technological approaches to managing that risk." Obama's executive order in February was part of a government effort to get cybersecurity legislation in place, but the bill was put on hold after the National Security Agency's surveillance program was revealed. Some of the components in Obama's order included: expanding "real time sharing of cyber threat information" to companies that operate critical infrastructure, asking NIST to devise cybersecurity standards, and proposing a "review of existing cybersecurity regulation." Critical infrastructure networks, banks, and private companies have increasingly been hit by cyberattacks over the past couple of years.

For example, weeks after the former head of Homeland Security, Janet Napolitano, announced that she believed a -- crippling the country's power grid, water infrastructure, and transportation networks -- hackers hit the US Department of Energy.

While no data was compromised, it did show that hackers were able to breach the computer system.

In May, Congress released a survey that claimed power utilities in the U.S. are under "daily" cyberattacks. Of about 160 utilities interviewed for the survey, more than a dozen reported "daily," "constant," or "frequent" attempted cyberattacks on their computer systems.

While the data in the survey sounded alarming, none of the utilities reported any damage to their facilities or actual breaches of their systems -- but rather attempts to hack their networks. While companies are well aware that they need to secure their networks, many are wary of signing onto this voluntary framework.

According to Reuters, some companies are worried that the standards could turn into requirements. In an effort to get companies to adopt the framework, the government has been offering a slew of incentives, including cybersecurity insurance, priority consideration for grants, and streamlined regulations.

These proposed incentives are a preliminary step for the government's cybersecurity policy and have not yet been finalized. NIST will now take public comments for 45 days and plans to issue the final cybersecurity framework in February 2014.

Chrome’s parental controls step closer to adulthood

The previously-announced "Supervised Users" option moves into Google Chrome beta, and two Chrome security engineers begin work on a "paranoid mode." October 22, 2013 7:11 PM PDT Supervised Users gives Chrome OS a long-missing feature: parental controls. (Credit: Google) Google Chrome's rumored parental control feature moved into Chrome beta on Tuesday, and it stands to make Chrome and Chrome OS even more appealing to parents and teachers. Chromebooks have done well in the United States, capturing around a quarter of the sub-$300 PC market in the past year.

The low-price laptops also have gained attention from educators, in part because of their price, but also because they include keyboards, essential for teaching children typing skills. Supervised Users would give Chrome OS a long-missing feature: multiple accounts that can be differentiated by privilege status.

For now, a supervised account would allow the primary Chrome OS user to create a secondary account that could be monitored. Parents will be able to review browsing history, create whitelists and blacklists of Web sites, and manage permissions for blocked sites to which the Supervised User has requested access. The blog post by Chrome engineer Pam Greene said Google will be looking to expand the feature set beyond what ships in the current beta for Windows, Mac, Linux, and Chrome OS.

Two Chrome security engineers are also working on an extension that enables what they described on Twitter as "paranoid mode." Nasko Oskov and Chris Palmer tweeted on Tuesday afternoon that they had built an extension. "Paranoid mode" is a project, currently in rough stages, that could eventually give users more options to secure Web traffic in Chrome. (Credit: Chris Palmer/Google)

"It is currently implemented only as a personal experiment inside an extension," Oskov tweeted, but the implications could be big for Chrome users. Flake appears to let people set the flow of Web traffic to one of three settings: offline mode, allow only HTTPS traffic, and upgrade HTTP traffic to HTTPS. Although Oskov says that it's been in development for a year, it sounds like it hasn't been the focus of his coding efforts, hence the slow progress. HTTPS is not a foolproof security barrier, but it does protect the confidentiality and integrity of traffic in transit, and refusing or upgrading plain HTTP closes the window in which an on-path attacker could read or rewrite a page.

The extension could be a big boon to privacy-minded Chrome users.
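The three settings described above, as an added example of the per-request decision a filter in such an extension has to make. This is not the Oskov/Palmer extension's code; it is shaped like a Chrome webRequest blocking handler (return {cancel: true} to block, {redirectUrl} to rewrite, nothing to allow), and the mode names are hypothetical. It handles the cases a one-line description hides: non-network schemes such as chrome:// and data: that never touch the wire, WebSocket URLs, and an explicit port that cannot be assumed to speak TLS.

```javascript
// Added example (not the Oskov/Palmer extension's code): the per-request
// decision behind the three settings. Shaped like a Chrome webRequest blocking
// handler: return {cancel: true} to block, {redirectUrl} to rewrite, undefined
// to let the request through. Mode names are hypothetical.
const MODES = Object.freeze({
  OFFLINE: 'offline',        // nothing reaches the network
  HTTPS_ONLY: 'https-only',  // block anything that is not already TLS
  UPGRADE: 'upgrade',        // rewrite http:// and ws:// to their TLS forms
});

const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);
const TLS_SCHEMES = new Set(['https:', 'wss:']);

function decide(mode, requestUrl) {
  let url;
  try {
    url = new URL(requestUrl);
  } catch (e) {
    return { cancel: true }; // unparseable URL: fail closed
  }
  // chrome://, chrome-extension://, data:, blob: never touch the wire.
  if (!NETWORK_SCHEMES.has(url.protocol)) return undefined;

  switch (mode) {
    case MODES.OFFLINE:
      return { cancel: true };
    case MODES.HTTPS_ONLY:
      return TLS_SCHEMES.has(url.protocol) ? undefined : { cancel: true };
    case MODES.UPGRADE:
      if (TLS_SCHEMES.has(url.protocol)) return undefined;
      // An explicit port (http://host:8080/) gives no way to know which port
      // speaks TLS; in a paranoid mode the safe answer is to block, not guess.
      if (url.port !== '') return { cancel: true };
      url.protocol = url.protocol === 'ws:' ? 'wss:' : 'https:';
      return { redirectUrl: url.href };
    default:
      throw new Error('unknown mode: ' + mode);
  }
}
```

The upgrade branch only rewrites URLs on the default port; a URL such as http://example.com:8080/ is blocked rather than guessed at, because a blind rewrite to https on the same port either fails or, worse, tempts the user to fall back to plain HTTP by hand.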