Saturday, November 18, 2017

“Hockey stick graph” climate researcher’s defamation suit to go forward

Judge rules against attempts by conservative groups to have it thrown out.    

Black Hat: Don't Blindly Trust Vulnerability Data

Researchers at Black Hat plan to discuss some of the common ways data about vulnerabilities is used to draw false conclusions about security. Numbers never lie—except when they are used to draw false conclusions.

And if those false conclusions are part of an IT security strategy, then nothing good can happen. Just ask Brian Martin and Steve Christey, members of the CVE (Common Vulnerabilities and Exposures) Editorial Board, who at the upcoming Black Hat USA conference (July 27 – Aug. 1 in Las Vegas) will outline the ways they have seen vulnerability statistics misused over the years.

"Vulnerability stats are misused in many different ways," said Steve Christey, principal information security engineer in the security and information operations division at MITRE. "The most common error is to calculate and present the statistics without accounting for the different kinds of bias that exist in the original data. Many people who generate statistics are using somebody else's data, e.g., a vulnerability database that they do not operate themselves.

"There seems to be a common misconception that vulnerabilities are a naturally occurring phenomenon that can be easily and reliably monitored, like the weather or the study of disease within a population," he added. "Our industry is nowhere near that level of maturity."

In the 14 years of the CVE's history, Christey said he has been asked about five times how CVE collects and represents vulnerability data. Common assumptions include that a single CVE entry only covers one vulnerability, and that the CVE has knowledge of all published vulnerabilities.

The reality, however, is that a single CVE entry may cover multiple vulnerabilities. "Anybody who maintains a large vulnerability repository struggles constantly with maintaining consistency and quality, while simultaneously adjusting to the rapid change and growth in vulnerability research," he told eWEEK. "This can force some difficult or unexpected decisions that are not necessarily obvious to consumers, who may be using the data under faulty and dangerous assumptions."

Companies and individuals that analyze vulnerability databases tend to blindly accept the information inside as perfect and complete, added Martin, who is content manager of the Open Source Vulnerability Database. "If the data they are working against shows only three vulnerabilities in a given product, the company may mistakenly assume it is a relatively secure product," said Martin. "In reality, all of the large vulnerability databases may have missed published vulnerabilities in the product, typically because they use a single channel to do so (e.g., their Web site). We routinely see this while digging up more vulnerabilities to add to our databases."

Some of the most secure products actually have a large number of published vulnerabilities, Christey said, because they are popular and under investigation by expert researchers. Most products don't get that type of special attention. "The inherent insecurity of a product is better determined by the difficulty of finding a new vulnerability, combined with the number of skilled people who are looking at the product and the amount of human labor required to find the vulnerability in the first place," Christey said. "Too many products can be hacked with only 10 minutes' effort using simple techniques for the most obvious vulnerability types; that's the low-hanging fruit of vulnerability research, and we will show its impact on vulnerability statistics at Black Hat."

The message—treat vulnerability counts and claims that one Web browser or operating system is more secure than another with a healthy dose of skepticism, the researchers said. "At Black Hat, we will go into details about why vulnerability counts have major systematic problems and should not be relied on without digging more deeply into the context," Christey told eWEEK. "Vulnerability counts are some of the easiest and most obvious statistics to generate, but they are fraught with peril, especially when used to compare products or vendors. Any study that uses vulnerability counts without extensive disclaimers or context should be regarded with suspicion."

Crypto flaw makes millions of smartphones susceptible to hijacking

New attack targets weakness in at least 500 million smartphone SIM cards.    

Canary aims to make home security simple and smart

The startup is developing a $199 home security device with an HD camera and multiple sensors that is managed by an iOS or Android smartphone. July 22, 2013 8:54 AM PDT Canary includes an HD video camera and multiple sensors that track motion, vi...

Insider threat: Balancing security with privacy

Data loss prevention (DLP) systems, encryption, internet monitoring tools and other restrictive controls are failing to deliver total security, with a growing number of data breaches linked to insiders. But how can organisations increase security without affecting productivity or encroaching on employees’ right to privacy? The challenge is an important one to tackle, with insider-related fraud up 43% in 2012, according to the latest report from the UK’s fraud prevention service Cifas, and 14% of all data breaches linked to insiders, according to The Verizon 2013 Data Breach Investigations Report. A more recent study by storage and information management firm Iron Mountain revealed that 8% of UK employees said that if they were treated badly by an employer, they would take revenge by stealing confidential or sensitive information.

Why is the insider threat increasing?

In recent years, companies with highly sensitive data have done a fairly good job of securing the network perimeter with firewalls and intrusion prevention systems, which has pushed attackers into looking for insiders to help them bypass these controls. Accessing data within an organisation on a regular basis is much easier with the help of an insider, and security firms are reporting an increase in the number of data breach incidents that can be linked to an insider who has been coerced by the hackers into co-operating.

Why does this require a change in approach to security?

Banks have traditionally approached security by locking down systems and restricting access to the internet because data security is essential to their core business. They also commonly deploy data leakage prevention (DLP) tools to restrict what types of data can be accessed and sent out of the organisation, data encryption tools and other restrictive controls.

But banks are realising that data is still leaking, and at the same time that locking down systems and restricting access is stifling innovation that is vital to creating competitive advantage. Banks, as well as media companies and telcos, are leading the way in adopting a “trust, but verify” model of security to balance data protection with employee privacy, according to Mohan Koo, managing director of Dtex Systems. This approach means that employees can be given the access and flexibility they need to be innovative and creative, while protective monitoring systems are deployed to verify that they are not engaging in any risky or malicious behaviour. “This is enabling banking institutions in the UK to reverse out of their restrictive lockdown approach to security,” Koo told Computer Weekly.

Why are DLP tools and internet security tools failing?

The main reason for DLP tools failing to halt data loss is that they have not been configured properly for the specific requirements of the organisations that have deployed them, said Koo. Often, suppliers of DLP tools recommend the same configuration settings to all customers, he said, even though organisations do not have the same risks. “The only way to understand and to see where data loss is really taking place is to run an audit that looks at how users interact with all of the files across the network to identify where the DLP systems are working and where data is being transferred without DLP systems picking it up,” said Koo. Protective monitoring also reveals that in many data breach cases, employees are using internet searches to find ways of bypassing the most common internet security tools used by their employers, and then sharing those techniques with their peers. By identifying the gaps, organisations are able to reconfigure their DLP tools and internet security systems to make them more effective and keep up to date with new and emerging behaviour trends of their employees, he said.

What other sectors are changing their approach to security?

Telecommunication companies have been second only to financial institutions in their restrictive approach to security, but they too are looking for ways to improve data security while at the same time being less intrusive on employee access to internal systems and online resources. Protective monitoring provides a way for telcos to remain in control of key customer retention data, as required by the Data Protection Act, for example, without being too restrictive and without infringing employees’ privacy. Conversely, media organisations are turning to this approach to improve information security, while preserving the freedom they have traditionally allowed their employees because creativity and innovation are core to their business. “Media organisations, which generally have few to no security controls in place, are beginning to recognise the importance of information security, especially after the high-profile attacks in May on Western media organisations by the Syrian Electronic Army,” said Koo. Other sectors that are moving towards the “trust, but verify” approach to security using protective monitoring are energy and retail.

But how does protective monitoring avoid privacy concerns?

The key to approval of this approach by the Information Commissioner’s Office (ICO), the UK’s privacy watchdog, is that all data is anonymised. The systems create event logs based on three classes of general high-level activity, and not on content.

These classes of activity relate to internet browsing, applications and data handling. When a series of events come together to exceed a set severity level, an alert is raised and sent to the security incident management team or a particular individual, depending on the nature and severity of the alert. The systems can pick up risky behaviour in these areas, raising alerts for example when non-IT or security employees use hacking or vulnerability assessment tools or when IT or security employees are using such tools in suspicious ways. “It is surprising how often insiders responsible for malicious activity are members of the IT or security teams,” said Koo. Protective monitoring systems also typically look at the creation, storage, copying, printing, transferring and renaming of files to ensure there is a full audit trail of any file on a system. It is only when risky behaviour is identified and data security is at risk that authorised administrators of the protective monitoring systems are able to link that behaviour to an individual as part of a formal investigation.

Whenever alerts are raised, the protective monitoring systems will generate a report that details everything that happened in the run-up to that alert being sent and what happens subsequently. The ICO requires that there are very strong authentication controls around who is allowed to access the data which can identify which employees are involved in risky or suspicious behaviour. “But this is done only when a high-risk activity has been referred for a forensic investigation,” said Koo. Fraud and investigation teams then go to work under the supervision of a very senior representative of the organisation. But protective monitoring is not only about attributing blame; it can also be used as a training tool to raise user awareness and change behaviour by giving warnings of potentially risky behaviour.

According to Dtex Systems, only about 5% of risky behaviour by insiders is intentional, which means that most of it is without malicious intent and, theoretically, could be eliminated through user education.
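The monitoring flow the article describes (three activity classes, a severity threshold that raises an alert with its run-up, pseudonymised users that only an investigator can re-identify after referral) can be sketched in code. This is an added illustration, not Dtex Systems' product; the class names, severity scores, threshold, vault key and sample events are all constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# Three classes of general high-level activity, as in the article; no content is logged.
CLASSES = {"browsing", "applications", "data_handling"}
ALERT_THRESHOLD = 10  # constructed severity budget per pseudonym before an alert fires


class IdentityVault:
    """Holds the only mapping from pseudonym back to employee.

    Re-identification is allowed solely for the investigator role and only
    against a referral reference, mirroring the 'formal investigation' gate."""

    def __init__(self, key: bytes):
        self._key = key
        self._reverse = {}

    def pseudonym(self, username: str) -> str:
        # Keyed hash, so the token cannot be reversed without the vault key
        token = hmac.new(self._key, username.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[token] = username
        return token

    def reidentify(self, token: str, role: str, referral: str) -> str:
        if role != "investigator" or not referral:
            raise PermissionError("re-identification needs investigator role and a referral id")
        return self._reverse[token]


class ProtectiveMonitor:
    """Accumulates severity per pseudonym and raises an alert carrying the run-up."""

    def __init__(self):
        self.events = defaultdict(list)  # token -> [(class, description, severity)]
        self.score = defaultdict(int)
        self.alerts = []

    def log(self, token: str, cls: str, description: str, severity: int):
        if cls not in CLASSES:
            raise ValueError(f"unknown activity class {cls!r}")
        self.events[token].append((cls, description, severity))
        self.score[token] += severity
        if self.score[token] < ALERT_THRESHOLD:
            return None
        alert = {"token": token, "score": self.score[token],
                 "run_up": list(self.events[token])}  # everything leading up to the alert
        self.alerts.append(alert)
        self.score[token] = 0  # budget resets once the case has been referred
        return alert


def run_demo():
    """Constructed sample session; returns (vault, monitor, alerts)."""
    vault = IdentityVault(key=b"vault-key-constructed-for-demo")
    mon = ProtectiveMonitor()
    alice, bob = vault.pseudonym("alice"), vault.pseudonym("bob")
    mon.log(bob, "browsing", "visited personal webmail", 1)
    mon.log(alice, "applications", "non-IT user launched a port scanner", 6)
    mon.log(bob, "data_handling", "renamed a spreadsheet", 1)
    mon.log(alice, "data_handling", "copied customer export to removable media", 5)
    return vault, mon, mon.alerts


if __name__ == "__main__":
    vault, mon, alerts = run_demo()
    for a in alerts:
        who = vault.reidentify(a["token"], role="investigator", referral="INV-0001")
        print(f"alert for {who} (score {a['score']}): {a['run_up']}")
```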


Free Health Apps, Search Keywords Are a Threat to Privacy: Report

Free health and fitness applications were more of a threat to privacy than paid apps, according to a report from Privacy Rights Clearinghouse. Privacy Rights Clearinghouse (PRC), a nonprofit focused on consumer privacy, has released a study showing that mobile health and fitness apps threaten a user's privacy with search loopholes and a lack of encryption. Paid health apps had a lower risk than free apps of violating privacy, because free apps rely on advertising for revenue, according to the report, "Technical Analysis of the Data Practices and Privacy Risks of 43 Popular Mobile Health and Fitness Applications," unveiled on July 16. With less of a need for advertising, paid apps are less likely to share data with third parties, said Craig Michael Lie Njie, founder and CEO of Kismet World Wide Consulting, who carried out the study between March and June 2013.

The California Consumer Protection Foundation funded the project. "Paid apps do not have a lot of advertising embedded," Lie Njie said. "They were just providing the core functionality because the people paying for the app are the ones driving the revenue stream," Lie Njie told eWEEK. The free apps drive advertising with keywords that could draw on the user data, he suggested. Developers of free mobile software are "basically delivering the apps so they can provide advertising and analytics to a third party, and that's where the revenue stream comes from," Lie Njie said. "Those kinds of technologies are generally the more privacy invasive." In a paid app, advertising and revenue models are more closely aligned with consumers, he noted. Still, even though paid health apps tended to be more secure than free apps, paid apps also pose a danger to privacy, according to Lie Njie. Developers of paid apps sent data to their servers in the clear using HTTP, he noted. A privacy risk found among the apps was the tendency to use HTTP rather than HTTPS, according to Lie Njie. Many health apps transmit unencrypted data and connect to third-party sites without a patient's knowledge, PRC reported. For his technical evaluation, Lie Njie studied mobile apps that aid with diet and exercise, pregnancy, behavioral and mental health.

Apps included symptom checkers and relaxation aids as well as those that help people manage chronic conditions.

Researcher: Apple developer site hack? I meant no harm

A security researcher believes he's the reason Apple shut down its developer center but claims he was simply reporting a bunch of bugs. July 22, 2013 5:09 AM PDT Ibrahim Balic thinks he may be the intruder identified by Apple in a...

MaskMe guards your privacy like a vigilant angel

In a world that values data mining over privacy protections, the new MaskMe tool restores your ability to use the Internet without compromising your identity. MaskMe brings a clean look to complicated privacy (pictures)

Apple developer site laid low by intruder

It appears that the two angels with fiery swords which are supposed to protect Apple’s walled garden of delights were having a day off last week. Apple's site for developers was attacked by an intruder who tried to gain access to developer information. Apple decided it was best to take the service down even though the most sensitive information on that site was encrypted. The company said that it's keeping the site down while security is being hardened. It is not clear what hardening it is using and why such precautions were not taken earlier. Apparently Apple has had to completely overhaul its developer systems, update its server software, and rebuild the entire database. However, it appears that it is taking a jolly long time and there is no indication when the site will be back up. In a note to developers, Apple said it could not rule out the possibility some developers' names, mailing addresses, and/or email addresses may have been accessed. Apple's developer site is home to software downloads, documentation and forums for third-party software developers. CNET said that the outage sparked some concerns about there being a larger, behind-the-scenes security problem. Users had been saying they had received password reset e-mails, suggesting others were attempting to gain access to their Apple ID accounts.

UN group warns of mobile SIM cloning

A United Nations telecoms group has issued an international alert about a bug in mobile phone SIM technology that could enable hackers to remotely attack at least half a billion devices. Discovered by Berlin's Security Research Labs, the bug allows hackers to remotely gain control of and clone some mobile SIM cards. The hackers could use compromised SIMs to commit financial crimes or engage in electronic espionage. The UN's Geneva-based International Telecommunication Union, which has reviewed the research, said that it is "hugely significant". ITU Secretary General Hamadoun Touré told Reuters that the findings show where the world could be heading in terms of cybersecurity risks. Cracking SIM cards is a key target for hackers because they allow operators to identify and authenticate subscribers as they use networks. At the centre of the problem is an old encryption technology known as DES. Once a hacker copies a SIM, it can be used to make calls and send text messages impersonating the owner of the phone. The ITU estimates some 6 billion mobile phones are in use worldwide. It plans to work with the industry to identify how to protect vulnerable devices from attack, Touré said.

Apple overhauls developer systems after hack

Apple is overhauling its developer systems and its developer website is still down after hackers attempted to steal developer personal details last week. According to a holding notice on the website, sensitive personal information was encrypted and cannot be accessed. “However, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed,” the notice says. To prevent a security threat like this from happening again, the company says it is overhauling its developer systems, updating server software, and rebuilding its database. “We apologise for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon,” the notice says. Apple said the breach was not associated with any customer information and that attackers did not have access to app code, or the servers where app information is stored, according to MacWorld. In February, Apple was hit by malware spread through a website for software developers that exploited a zero-day vulnerability in Java. At the time, Apple said its computer systems had been breached by the same attackers that targeted Facebook. But the company said only a few computers were affected and there was no evidence of data theft.


Hack exposes details of nearly two million Ubuntu Forum users

The Ubuntu Forum website has been taken down after attackers defaced the homepage and accessed the database containing details of around 1,820,000 users. “Unfortunately, the attackers have gotten every user's local username, password and email address from the Ubuntu Forums database,” reads a holding message on the downed site. The passwords were not stored in plain text, but stored as salted hashes, which will afford an additional level of protection, although this form of protection is still vulnerable to cracking. There is also no sign that the compromised details have been published online. However, members have been advised to change their passwords as soon as possible, especially if they are using the same password for other sites or services. “We believe the issue is limited to the Ubuntu Forums and no other Ubuntu or Canonical site or service is affected,” read a blog post by Canonical, the company that markets Ubuntu, a computing platform based on the Linux operating system. The company said it is investigating how the attackers were able to gain access and is working with the software providers to address that issue. Canonical said it will provide as much detail as possible once the investigation has been concluded. The company said the Ubuntu Forum site will remain down until it is safe for it to be restored.

Inadequate password protection

The Ubuntu Forum passwords were cryptographically scrambled using the MD5 hashing algorithm, along with a per-user cryptographic salt, according to Ars Technica. Security experts consider MD5, with or without salt, to be an inadequate means of protecting stored passwords, the publication noted. While per-user salt slows down the time it takes to crack large numbers of passwords in unison, it does little to nothing to delay the cracking of small numbers of hashes.

That means the scheme used by Canonical does not prevent the cracking of individual hashes that may be targeted. Security expert Paul Ducklin of security firm Sophos recommended that any organisation storing passwords in a database should use a strong salt-and-hash system such as bcrypt, scrypt or PBKDF2. These systems make it much harder and slower for attackers to go through their password dictionary, he wrote in a blog post.
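The point about salt versus work factor can be shown directly: a per-user salt only stops guesses being shared across many hashes, while a slow function such as PBKDF2 makes every guess against a single hash expensive. The code below is an added example, not Canonical's or Sophos's; the iteration count, sample passwords and guess counts are constructed, and `compare()` measures a single Python process so the absolute rates are illustrative only.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # constructed work factor; tune to your own hardware


def salted_md5(password: str, salt: bytes) -> bytes:
    """The kind of scheme described above: one fast MD5 over salt and password."""
    return hashlib.md5(salt + password.encode()).digest()


def pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """One of the recommended replacements: PBKDF2-HMAC-SHA256 with a per-user salt
    and a tunable iteration count, so each guess costs the attacker the same work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> dict:
    """What a defender stores: random per-user salt, work factor and the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": pbkdf2(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    candidate = pbkdf2(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time comparison


def guesses_per_second(hash_fn, salt: bytes, n: int) -> float:
    """How many dictionary guesses this process can try against ONE stolen hash.
    The salt is known to whoever holds the table, so it adds no cost here; only
    the per-guess work of the hash function does."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn(f"password{i}", salt)  # constructed dictionary entries
    return n / (time.perf_counter() - start)


def compare(n_md5: int = 20_000, n_pbkdf2: int = 5) -> dict:
    """Returns guess rates for both schemes and how many times slower PBKDF2 is."""
    salt = os.urandom(16)
    md5_rate = guesses_per_second(salted_md5, salt, n_md5)
    pbkdf2_rate = guesses_per_second(pbkdf2, salt, n_pbkdf2)
    return {"salted_md5_per_s": md5_rate,
            "pbkdf2_per_s": pbkdf2_rate,
            "slowdown": md5_rate / pbkdf2_rate}


if __name__ == "__main__":
    rec = make_record("correct horse battery")
    print("verify ok:", verify(rec, "correct horse battery"))
    print("verify wrong:", verify(rec, "Correct horse battery"))
    for k, v in compare().items():
        print(f"{k}: {v:,.0f}")
```

Real crackers use GPUs rather than Python, which widens the gap for MD5 further; the ratio is what matters, and it is set by the iteration count (or bcrypt/scrypt cost) the defender chooses.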
