NEWS ANALYSIS: Full details emerge on the U.S. Postal Service breach, and some of the insights are surprising, including the fact that the USPS didn't immediately block compromised servers.

The United States Postal Service (USPS) publicly admitted that it was the victim of a cyber-intrusion on Nov. 10. As it turns out, the USPS had been aware of a potential intrusion since Sept. 11, and it took several months of planning and strategic actions until the public and USPS employees were informed.

Full details on the USPS breach were provided by Randy Miskanic, vice president of secure digital solutions at the USPS, in testimony before the Subcommittee on Federal Workforce, U.S. Postal Service & the Census at the U.S. House of Representatives. The testimony, which took place on Nov. 19, is posted online and provides 11 pages of details on the actions and timeline of the USPS breach incident. The testimony gives insight into how much time and process is involved in detecting and responding to a breach, which is far from a rapid process.

Miskanic testified that on Sept. 11, 2014, the U.S. Postal Service Office of Inspector General (USPS OIG) received information from the U.S. Computer Emergency Readiness Team (US-CERT) regarding four Postal Service servers that may have been compromised. Rather than immediately take action to shut down or otherwise block the compromised servers, the USPS was advised to take no action. "The USPS OIG provided the CISO [Chief Information Security Officer] with an operational security warning advising that actions taken without coordination are likely to adversely impact the Postal Service's overall security posture," Miskanic testified. "The guidance document instructed the CISO to take no action—including further investigative activity, scanning, re-imaging, resetting account passwords, taking systems offline or searching IP addresses."
Initially, the USPS suspected that only four servers were compromised, but through monitoring actions that occurred from Sept. 19 to Oct. 2, an additional 29 servers were identified as potentially being compromised. The USPS identified three Postal Service user accounts as potentially being compromised as well. On Oct. 20, USPS staff provided a classified briefing to the National Security Council staff and the White House cyber-security director about the incident.

It wasn't until Nov. 7, nearly two months after first being alerted to the breach in September, that the USPS activated a full remediation plan to remove the attacker risk from the network. "Implementing remediation plan elements required initiation of an information systems network brownout period, which limited communications between the Postal Service network and the Internet," Miskanic testified. "During the Nov. 8-Nov. 9 brownout period, virtual private network (VPN) connections were blocked and remote network access was denied."

The USPS also put in additional security controls during the two-day brownout, including two-factor authentication for administrative accounts. Going a step further, the USPS began to block access to personal online email services, including Gmail and Yahoo. "In addition, direct database access is now only enabled to technology support staff, and a number of business applications have been retired," Miskanic testified. "These safeguards will continue to be reviewed and enhanced over the coming months in order to increase our overall security posture."

What the Miskanic testimony clearly illustrates is that detecting or being alerted to a breach is only the first step in what can be a lengthy process to recovery. It's interesting to note that the USPS itself did not initially detect the breach, but rather was alerted to it by US-CERT. The fact that the initial course of action was to not immediately block the impacted servers is also very interesting.
The USPS and its security partners wanted to be thorough and make sure they fully understood the problem so it could be properly fixed in a coordinated manner. In many security incidents, there is often a rush to judgment, but that's not necessarily always the right course of action. The USPS attack and response provide organizations with a case study in how a thoughtful process can be implemented in the event of a cyber-security incident.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Google may be asked to apply the privacy obligation to its main Google.com site. European Union privacy regulators may ask Google to extend users' "right to be forgotten" to its Websites outside the EU as well. Regulators meeting in Brussels, Belgium, Nov. 26 have prepared a proposal that will require Google to apply the EU privacy obligation—which gives its citizens the right to ask Google to remove content—to its main Google.com site in the United States and to other sites viewable from the EU, Bloomberg Businessweek reported today. The decision apparently is rooted in concerns that information blocked by Google in the EU will still be accessible to Internet users there simply by visiting Google search sites in other countries, Bloomberg said, quoting unnamed sources. If the proposal is approved, all search engine companies, and not just Google, will be required to abide by it. Isabelle Falque-Pierrotin, the chairman of the EU data protection council, is expected to present the guidelines later today, possibly with some modifications, the Bloomberg report noted. A Google spokesman said the company hasn't seen the EU Article 29 Working Party's new guidelines yet. "But we will study them carefully when they're published," he said. Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), said the proposal that is reportedly being considered by the EU makes sense. "This is a logical and sensible request from the European Union since Google is the entity that gathers the personal data and chooses to make the subsequent disclosure," he said in emailed comments. "It would make little sense to allow Google to publish in domains outside of Europe private facts concerning EU citizens that should be removed from Google search results." The more interesting question now is how Google will respond to growing expectation that the company will recognize a similar legal right in the United States and other countries, he said. 
In May of this year, the Court of Justice for the European Union held that European privacy law gives citizens the right to ask Internet search engine companies like Google to remove search results pointing to inaccurate, outdated or incomplete data about them. The Right to Be Forgotten decision was related to a lawsuit filed by an individual in Spain who wanted Google to remove search results pointing to two articles in a Spanish-language newspaper from 1998 that mentioned his name in connection with the recovery of Social Security debts. Since the European court ruling this May, Google says it has received more than 174,000 right-to-be-forgotten requests from EU citizens and has evaluated some 602,000 URLs for removal. So far, the company has removed 42 percent of the URLs that people have asked it to remove and is in the process of working through the remaining requests. The removal requests have involved a wide range of content, including criminal records, embarrassing photos, slander, online bullying, negative press mentions and content pertaining to sexual crimes, Google has noted. Google has maintained that while it wants to be respectful of EU law, the right-to-be-forgotten obligation is a new and difficult challenge for the company. It requires Google "to weigh, on a case-by-case basis, an individual's right to be forgotten with the public's right to information," Google's Advisory Council on the Right to be Forgotten has noted. "We want to strike this balance right." This week's proposal, if adopted, would extend Google's obligation to remove content at the request of EU users to its main Website as well. It is unclear how the company will respond to the new development or even what its legal obligations will be under the new proposal. Either way, the company is likely going to have to find a way to respond to the issue quickly because there are signs of similar demands from countries outside the EU as well. 
In October, for instance, a court in Tokyo ordered Google to remove about 120 search engine results pointing to articles hinting about a certain individual's involvement in a crime from more than 10 years ago. Some privacy groups, such as the Electronic Frontier Foundation, have expressed alarm at the EU requirement and have likened it to censorship. "The court has created a vague and unappealable model, where Internet intermediaries must censor their own references to publicly available information in the name of privacy, with little guidance or obligation to balance the needs of free expression," the EFF noted in a blog in July. "That won't work in keeping that information private, and will make matters worse in the global battle against state censorship."
NEWS ANALYSIS: Although 2014 has been the year of the retail breach, consumers looking to do some holiday shopping have very little to worry about.

On Black Friday in 2013, millions of consumers shopped at retailers that had been breached by point-of-sale (POS) malware. A year later, has anything changed? Target admitted in December 2013 that it was breached between Nov. 27 and Dec. 15 of that year in an incident in which 70 million customers were impacted. The breach also cost Target $148 million in expenses and took the jobs of Target's CIO and CEO.

As it turns out, the Target breach was only the leading edge of an avalanche of retail breaches that were disclosed in 2014. Grocery chain SuperValu, UPS, Michaels, Dairy Queen, Goodwill, Staples and Home Depot are among the retailers that admitted being breached during the year. Surprisingly, while the Target breach was reported last December and was the subject of intense scrutiny and discussion in the first half of this year, lessons learned from that incident apparently were not enough to stem the tide. Home Depot, for example, reported its breach in September, with the actual attack lasting from April to September. That means that Home Depot's systems were breached long after Target's disclosure and long after the retailer should have been able to discern lessons and best practices from that incident.

With Home Depot, the retailer has admitted that a third-party vendor's username and password were compromised. That credential compromise was then leveraged by the attacker to gain access to the Home Depot network. Once inside, a privilege escalation flaw was exploited, giving the attacker broader access. With that access, some form of POS malware was deployed, which is how the customer information was stolen. The problem with the Home Depot breach scenario is that it is likely the same as what happened at Target.
It is also likely the same scenario that has played out at other retailers as well, including some that consumers will shop at on Black Friday. While this has been a year of disclosures and discussion about retail breaches, the simple truth is this: Little has changed. POS malware is still widely deployed, with the Backoff POS malware alone infecting a thousand retailers, according to the U.S. Secret Service.

Going a step further, privilege escalation vulnerabilities, which in my view are at the root of many retail breaches, remain difficult to deal with. Case in point, it was just last week that Microsoft issued an emergency out-of-band patch for a Kerberos authentication flaw identified as CVE-2014-6324. That vulnerability could potentially enable an attacker to elevate his or her privileges to control an entire system. While there is a patch available, Microsoft itself warned that a complete fix of a potentially compromised domain requires the organization to completely rebuild its domain. Given the proximity to Black Friday and the complexity of rebuilding domains, I suspect that not all retailers that run Windows have actually heeded Microsoft's advice. While there are likely still privilege escalation risks present in some retailer networks and there are also likely still many undetected POS infections, not all is lost.

Don't Panic

While the risk of retailer breaches on Black Friday is still present, there is much reason for optimism too. Thanks to the Target breach and those like it, there has been heightened awareness among law enforcement and credit card issuers. While as yet unknown breaches and POS malware might well be lurking on Black Friday retailer systems, the "good guys" are watching for bad things.
Adobe issued an out-of-band patch update on Nov. 25 for a vulnerability identified as CVE-2014-8439, which impacts the Adobe Flash Player. Typically, an out-of-band patch update is a rare event that is reserved for severe and risky zero-day flaws, but that's not quite what is going on with the new Adobe update.

The CVE-2014-8439 vulnerability was actually first mitigated during Adobe's regular Patch Tuesday update on Oct. 14. Adobe spokesperson Heather Edell told eWEEK that the October update included a proactive mitigation, which typically is not assigned a Common Vulnerabilities and Exposures (CVE) number. "We were later notified that there was an attack in the wild, and we identified that the proactive mitigation was blocking this attack," Edell said. "Since there was a specific attack in this area, we added further mitigations in today's release."

The actual CVE-2014-8439 vulnerability is what Adobe's advisory describes as a "de-referenced memory pointer that could lead to code execution." Though Adobe has now issued further mitigations for CVE-2014-8439, it's not because any attacks were actually able to bypass the protection that Adobe provided in the October update. "Out of an abundance of caution, we are releasing further changes that strengthen the mitigation against potential variants," Edell said. "That said, we are not aware of any attacks, in the wild or otherwise, that can bypass the October mitigation."

In my view, this is truly a dramatic turnaround for Adobe, in contrast to the way it used to deal with security. Back in 2009, Adobe was largely a reactive company when it came to security, dealing with what seemed like an endless stream of zero-day vulnerabilities with active exploits in the wild. The Nov. 25 out-of-band update, in contrast, is a remarkably proactive effort to protect users.
In a 2013 video interview I did with Adobe Chief Security Officer Brad Arkin, he explained to me how Adobe made security a core principle of the entire company's development efforts. It's an effort that is clearly working today.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Security professionals are reluctant to adopt a more comprehensive endpoint data security approach for fear the gains in security may be outweighed. Information security professionals overwhelmingly covet a single, comprehensive endpoint security solution; however, endpoint security deployment is tactical and driven more by firefighting than strategy, according to a report on endpoint security conducted by Enterprise Strategy Group (ESG) on behalf of Digital Guardian. Despite recognition of the problem—that endpoints are still at risk and data breaches are increasingly common—more than one-third of respondents to the survey aren't addressing the problem strategically because members of the security staff are spending too much time attending to high-priority issues. More than half of the survey respondents increased budgets for endpoint security, but much of the investment went to antivirus (AV) protections, and nearly one-third of respondents describe a complex enterprise landscape where they deploy three or more unique AV products. "To truly secure the data, you must be at the endpoint, you must see every data and process event, and you must have controls set up. This is hard, but it can be done," Ken Levine, CEO of Digital Guardian, told eWEEK. "Given that data is the target from threats originating both inside and outside the organization, companies must recognize this and make data protection a priority for 2015. The good news is that the winds are changing—we're hearing from more and more customers that are seeing the need as billions of dollars in perimeter defenses have not been able to stop data breaches." Compounding this complexity is the fact that more than half of those surveyed shift between AV vendors frequently, impacting end-user performance and draining IT resources. 
When asked what type of endpoint security technology approaches would be most attractive, more than half of the respondents said a comprehensive endpoint security solution from a single vendor. "We strongly believe that protecting data at the endpoint should top the security professionals' list of 2015 priorities. While traditional DLP [data loss prevention] solutions have not necessarily been implemented beyond compliance, a proper data protection strategy is still the single best way to go," Levine said. "Even the recent hacking incident at Sony Studios makes it clear—data is the target and adding protections at the data level is the only way to ensure protection." Yet the report indicated senior security professionals are reluctant to adopt a more comprehensive endpoint data security approach for fear the gains in security may be outweighed by an impact on end-user productivity, a significant and common enterprise concern. "The research shows that the biggest stumbling block is even getting up to the start line," Levine said. "Companies already have antivirus protections in place, so when faced with questions about endpoint security it is easier to shuffle around AV vendors to help address problems, rather than taking a step back and developing a strategy. IT professionals are also very sensitive to negatively impacting end-user productivity and disrupting the status quo."
The vulnerability management process is one of the most important, most difficult and most badly implemented security processes. This toxic combination produces a seemingly endless stream of news headlines about data breaches. Recently, quite a few high-profile vulnerabilities have been discovered that attracted the attention of mainstream media. The biggest one has been the Shellshock vulnerability. The Common Vulnerability Scoring System base score for Shellshock is the highest possible, 10, which indicates its criticality. That is because it is very easy to exploit and allows remote execution of arbitrary code.

For CIOs that want to know the extent of the problem, good documentation of the network and systems is key. A vulnerability scan of the systems is also very important, and it should highlight the Shellshock vulnerability. However, a vulnerability scan done without logging into the scanned systems can only reveal a partial picture. Hence, it is strongly suggested to use the full potential of the scanning tool and run an authenticated scan.

When it comes to fixing the Shellshock issue, the patch is very easy to apply and well documented. Yet, applying it across a large network can be a gigantic task. Big organisations should use a triage process in vulnerability management. Take vulnerability data, network topology, firewall rules and asset criticality, and place it in a model that will calculate where to prioritise efforts. For example, a server in a demilitarised zone which runs Apache but does not have CGI (Common Gateway Interface) in use can wait a bit longer for a patch, compared with a secure-shell server used as a management jump server for system admins and third parties. Moreover, an attempted Shellshock attack can be very easily detected by a host or network intrusion detection system. Set it up to look for an attack and act accordingly.
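The triage model described above, worked through as an added example that is not from the article or its author: a small Python scorer that combines scan results (including the "unknown" case left by an unauthenticated scan), firewall reachability, the services through which remote input can reach bash, and asset criticality, and ranks hosts for Shellshock patching. The host names, zones, weights and inventory entries are constructed assumptions.

```python
"""Shellshock triage model (added example, not from the article).
Inputs per host: scan result, exposed services, firewall reachability
and asset criticality; output: a ranked patch order. All weights and
inventory entries below are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SHELLSHOCK_CVSS = 10.0  # CVSS base score the article cites


@dataclass
class Host:
    name: str
    zone: str                        # "dmz" or "internal"
    criticality: int                 # 1 (low) .. 5 (crown jewel), from the asset register
    services: Set[str]               # e.g. {"apache", "cgi", "ssh"}
    internet_reachable: bool         # derived from firewall rules
    bash_vulnerable: Optional[bool]  # None: unauthenticated scan could not read the bash version


# Service combinations through which remote input reaches bash's environment,
# with an assumed weight for how directly an attacker controls that input.
REMOTE_BASH_VECTORS = {
    frozenset({"apache", "cgi"}): 1.0,  # CGI hands request headers to bash as env vars
    frozenset({"ssh"}): 0.8,            # ForceCommand/restricted shells still import env
    frozenset({"dhcp-client"}): 0.6,    # rogue DHCP options feed bash hook scripts
}


def remote_vector_weight(services: Set[str]) -> float:
    """Strongest remote path into bash the host exposes, 0.0 if none.
    An Apache host without CGI scores 0.0: bash is present but not reachable."""
    return max((w for vec, w in REMOTE_BASH_VECTORS.items() if vec <= services), default=0.0)


def priority(host: Host) -> float:
    """Patch priority 0..100; higher means patch first.
    An unknown bash version (None) is treated as vulnerable, because an
    unauthenticated scan only gives a partial picture."""
    if host.bash_vulnerable is False:
        return 0.0
    vector = remote_vector_weight(host.services) or 0.2  # local-only risk if no remote path
    reach = 1.0 if host.internet_reachable else (0.7 if host.zone == "dmz" else 0.5)
    return round(SHELLSHOCK_CVSS * 10 * vector * reach * host.criticality / 5, 1)


def triage(hosts: List[Host]) -> List[Tuple[str, float, bool]]:
    """Return (name, score, needs_authenticated_rescan), most urgent first."""
    ranked = [(h.name, priority(h), h.bash_vulnerable is None) for h in hosts]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed inventory reproducing the article's DMZ-Apache vs. jump-server comparison.
INVENTORY = [
    Host("dmz-web-01", "dmz", 3, {"apache"}, True, True),               # Apache, CGI disabled
    Host("mgmt-jump-01", "dmz", 5, {"ssh"}, True, True),                # admin/third-party jump host
    Host("dmz-web-02", "dmz", 3, {"apache", "cgi"}, True, None),        # only scanned unauthenticated
    Host("hr-app-01", "internal", 4, {"apache", "cgi"}, False, False),  # already patched
]

if __name__ == "__main__":
    for name, score, rescan in triage(INVENTORY):
        print(f"{name:14} {score:6.1f}  {'re-scan authenticated' if rescan else ''}")
```

The jump server ranks first even though the CGI-less Apache host is also Internet-facing, and the unauthenticated-only host is scored as vulnerable but flagged for an authenticated re-scan.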
Vladimir Jirasek is chief technology officer at Knightsbridge Contego.

This was first published in November 2014
CCT provides new benchmark for cyber security training programmes in the UK

Cyber security specialist Templar Executives has become one of the first organisations to gain accreditation under the newly-launched CESG Certified Training (CCT) scheme.

The scheme, officially launched last week by CESG, the Information Assurance arm of GCHQ, and managed by APM Group, has been designed to assure high quality cyber security training courses delivered by training providers. One of the key objectives of the programme is to enhance the professionalism of those working in the cyber security industry.

Templar Executives has been awarded accreditation for three of its unique Cyber Academy courses: Board-Level Cyber Security for Senior Information Risk Owners (SIROs), Cyber Security for Information Asset Owners (IAOs) and Cyber Security Awareness.

The courses aim to create a holistic understanding of cyber security encompassing people, processes, policy, culture and ICT. Templar Executives provides best practice in order to protect businesses and public organisations from internal and external cyber threats while mitigating risk to reputation, people and financial performance. Delegates will also develop capability in leadership and governance, information risk management as well as knowledge of relevant legislation and best practices in using social media.

Led by expert trainers, also accredited under the new CESG scheme, the courses offer a safe and stimulating forum using real life scenarios to underpin learning, and demonstrate how effective cyber security can also enable delivery of an organisation's business outcomes and competitive advantage.

Andrew Fitzmaurice, CEO of Templar Executives, said: "Now, more than ever, it is crucial to have defined confidence in the security of information as it's such a big part of our everyday lives.
A knowledge of cyber security is critical but hand in hand with its heightened importance in recent years has come a need to professionalise and create a system of checks and balances that ensures best practice in cyber security training. According to the Cabinet Office, the overall cost of cyber crime to UK Plc. is estimated to be £27 billion per year so it is a very real and present threat."

"Gaining CESG accreditation is a welcome achievement for us, as it confirms that the organisation has demonstrated its competence and ability to perform against a highly acknowledged industry standard," he added.

Templar Executives was established in 2007. The consultancy has a deep understanding that every organisation's information and, importantly, the human and technical systems that use it, are different. Templar works with a wide range of public and private sector organisations, including global FTSE 100 companies, SMEs, businesses operating in high security environments and those that are yet to fully explore their information risk profile.

Templar offers a range of discreet and professional advisory services, which will lead to the high performance of businesses through better information management and cyber security.

For more information, please refer to http://www.templarexecs.com/

-ENDS-

NOTES TO EDITORS

About Templar Executives

Templar Executives is a dynamic, highly skilled team of discreet Cyber Security and Information Assurance specialists. Templar executives have been integral in shaping the Government's Cyber Security and Information Assurance agenda and have a proven track record of successful delivery within Government and FTSE 100 clients.

About CCT

The CESG Certified Training (CCT) scheme is designed to assure high quality cyber security training courses delivered by training providers. The scheme is part of the National Cyber Security Programme to develop the UK's knowledge, skills and capability in all aspects of cyber security.
The CCT scheme will help individuals and businesses to identify the most relevant training for their current needs as a part of a comprehensive learning pathway for the cyber security profession as a whole and to have confidence that training certified under the scheme is of a very high calibre.

Source: RealWire