Security News

Raytheon, GrammaTech Partner on Federal IT Security

The companies intend to develop tools to help organizations inspect the software inside network-enabled devices and protect them from attack.

The BBN Technologies division of intelligence systems and security specialist Raytheon and software-assurance tools and cyber-security solutions specialist GrammaTech were awarded a $4.8 million contract under the Defense Advanced Research Projects Agency's Vetting Commodity IT Software and Firmware (VET) program. Under the program, the two companies said they intend to develop tools and techniques to enable organizations to inspect the software and firmware that exist inside network-enabled devices and protect them from attack. BBN Technologies said it plans to develop techniques that enable analysts to prioritize elements of software and firmware to examine for hidden malicious functionality.

"The U.S. Department of Defense relies on equipment with components manufactured all over the world," Jack Marin, vice president for cyber-security at BBN, said in a statement. "Any backdoors, malicious code or other vulnerabilities hidden in those components could enable an adversary to do serious damage, including the exfiltration of sensitive data and the sabotage of critical operations. The VET program seeks to enable DoD analysts to vigorously vet software and firmware devices before they are connected to our critical networks."

Mobile phones, network routers, computer workstations and other networked devices can be secretly modified to function in unintended ways or to spy on users, a concern that led to the VET program, which seeks to help U.S. government agencies address the threat of malicious code and hidden "backdoor" access in commodity IT devices.

GrammaTech, whose software tools span a myriad of industries including avionics, medical and industrial control, said it plans to develop tools that actually examine software and firmware for exploitable security vulnerabilities. "Our scientists are developing new technology that aims to advance the state-of-the-art for analyzing machine code," Tim Teitelbaum, GrammaTech's CEO, said in a statement. "We are leveraging these advances to create a tool that could confirm the absence of broad classes of vulnerabilities."

Federal agencies often fail to take the user experience into account when deploying cyber-security solutions, and as a result, users often circumvent security measures and open up their agencies to data theft, data loss and denial-of-service attacks, according to an October report from MeriTalk, a public-private partnership focused on IT. The study, underwritten by Akamai Technologies, found the most challenging user applications to secure are email, external Websites and the Internet from agency workstations. These are tools that more than 80 percent of users rely on daily.

New US spy satellite features world-devouring octopus

"Nothing is beyond our reach," new logo tells the world.    

French agency caught minting SSL certificates impersonating Google

Unauthorized credentials for Google sites were accepted by many browsers.

Tech Giants Say No More to Gov’t Snooping as New Allegations...

NEWS ANALYSIS: AOL, Facebook, Google, LinkedIn, Microsoft and Yahoo get together to demand government surveillance reform. Week after week for months on end in 2013, new allegations and reports have emerged about the online surveillance activities of the U.S. National Security Agency, and now a group of the largest tech vendors in the U.S. has said, enough is enough. In an open letter publicly posted on a new Web domain, titled "Reform Government Surveillance," AOL, Facebook, Google, LinkedIn, Microsoft and Yahoo have joined together to ask for changes to current laws and practices around surveillance. The tech vendors have outlined five key principles that they want to see reformed.

They include placing new limits on the government's authority to collect users' information, adding more oversight and accountability, and improving transparency over government data requests.

The final two principles are about respecting the free flow of information and avoiding conflicts across government jurisdictions. This new open letter follows a letter sent to the U.S. Congress Oct. 31 by AOL, Apple, Facebook, Google, Microsoft and Yahoo, asking for more transparency in U.S. government data requests in support of the USA Freedom Act. American tech vendors have much to worry about when it comes to government snooping, and the risks are not theoretical.

At the end of October, leaks published by NSA whistleblower Edward Snowden revealed how data center links from Google and Yahoo were being intercepted. Google has already taken steps to further improve its security, and just last week Microsoft made its stance known on how it would also defend against NSA incursions. The irony of the whole situation, of course, is the fact that the tech companies that have signed the Reform Government Surveillance letter all collect copious volumes of information from their own users.

For example, Microsoft has long been complaining about how Google collects information about users and has pushed that message in its Scroogled campaign. For at least the last three years, there has also been a "Do Not Track" effort aimed at limiting the ability of big Web vendors and advertisers to track users who don't want to be tracked.

The actual outcome of Do Not Track has been somewhat muted with varying degrees of privacy now available for Web browsers. So the reality is that multiple vendors are already tracking and collecting user data, but the big question here is about potential government misuse.

The NSA has long argued that its actions are all about protecting national security.

As the volume of Snowden's disclosures mounts, it has become increasingly apparent that the NSA's activities have been very broad. In fact, a report in The New York Times today claims that the NSA was even going after gamers in World of Warcraft and Second Life. It's important to understand that the tech vendors in the Reform Government Surveillance effort understand why the government should have some access, though they question the current activities. "While the undersigned companies understand that governments need to take action to protect their citizens' safety and security, we strongly believe that current laws and practices need to be reformed," today's Reform Government Surveillance letter states. Fundamentally, it's all about confidence and trust.

If there is no trust in systems and services, then users will avoid them and that's what the big tech vendors desperately want to avoid.

The increasing volume of the drumbeat for some type of reform of government surveillance is now hopefully too loud for anyone in the U.S. to ignore, but only time will tell what will actually change.

In the meantime, the fact that the big tech vendors continue to publicly push for change and reaffirm their own commitments to user privacy and trust will likely be enough to reassure users that the tech vendors are all trying to do the right thing.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Microsoft, Google, Apple call for end to NSA’s bulk data collection

Spying should be limited to specific targets and subject to independent review.    

Carriers got 1M gov’t, police requests for data in 2012

Requests for customer mobile phone data from federal, state, and local authorities topped 1 million, says a US senator. But no carrier said whether it had received requests under the Patriot Act. December 9, 2013 7:40 AM PST (Credit: Declan McCu...

Security Think Tank: ISF’s top security threats for 2014

The top security threats global businesses will face in 2014 include bring your own device (BYOD) trends in the workplace, data privacy in the cloud, brand reputational damage, privacy and regulation, cybercrime and the continued expansion of ever-present technology. As we move into 2014, attacks will continue to become more innovative and sophisticated.

Unfortunately, while organisations are developing new security mechanisms, cybercriminals are cultivating new techniques to circumvent them. Businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected, high-impact security events. The top six threats identified by the ISF are not the only threats that will emerge in 2014. Nor are they mutually exclusive; they can combine to create even greater threat profiles.

1 BYOD trends in the workplace

As the trend of employees bringing mobile devices into the workplace grows, businesses of all sizes continue to see information security risks being exploited.

These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications. If the Bring Your Own Device (BYOD) risks are too high for your organisation today, stay abreast of developments.

If the risks are acceptable, ensure your BYOD program is in place and well structured. Keep in mind that a poorly implemented personal device strategy in the workplace could lead to accidental disclosures, due to the loss of the boundary between work and personal data and to more business information being held in an unprotected manner on consumer devices.

2 Data privacy in the cloud

While the cost and efficiency benefits of cloud computing services are clear, organisations cannot afford to delay getting to grips with their information security implications. In moving their sensitive data to the cloud, all organisations must know whether the information they are holding about an individual is personally identifiable information (PII) and therefore needs adequate protection. Most governments have already created, or are in the process of developing, regulations that impose conditions on the protection and use of PII, with penalties for businesses that fail to adequately protect it.

As a result, organisations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and commercial impacts.

3 Reputational damage

Attackers have become more organised, attacks have become more sophisticated, and all threats are more dangerous and pose more risks to an organisation's reputation. With the speed and complexity of the threat landscape changing on a daily basis, all too often we're seeing businesses being left behind, sometimes in the wake of reputational and financial damage. Organisations need to ensure they are fully prepared and engaged to deal with these ever-emerging challenges.

4 Privacy and regulation

Most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguarding and use of Personally Identifiable Information (PII), with penalties for organisations that fail to sufficiently protect it.

As a result, organisations need to treat privacy as both a compliance and business risk issue to reduce regulatory sanctions and commercial impacts, such as reputational damage and loss of customers due to privacy breaches. Different countries' regulations impose different requirements on whether PII can be transferred across borders. Some have no additional requirements; others have detailed requirements. To determine which cross-border transfers will occur with a particular cloud-based system, an organisation needs to work with its cloud provider to determine where the information will be stored and processed.

5 Cybercrime

Cyberspace is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks. Organisations must be prepared for the unpredictable, so they have the resilience to withstand unforeseen, high-impact events. Cybercrime, along with the increase in online causes (hacktivism), the increase in the cost of compliance to deal with the uptick in regulatory requirements, coupled with the relentless advances in technology against a backdrop of under-investment in security departments, can all combine to form the perfect threat. Organisations that identify what the business relies on most will be well placed to quantify the business case to invest in resilience, therefore minimising the impact of the unforeseen.

6 The internet of things

Organisations' dependence on the internet and technology has continued to grow over the years.

The rise of objects that connect themselves to the internet is releasing a surge of new opportunities for data gathering, predictive analytics and IT automation. As interest in setting security standards for the internet of things (IoT) grows, it should be up to the companies themselves to continue to build security through communication and interoperability.

The security threats of the IoT are broad and potentially devastating and organisations must ensure that technology for both consumers and companies adheres to high standards of safety and security. You cannot avoid every serious incident, and while many businesses are good at incident management, few have a mature, structured approach for analysing what went wrong.

As a result, they are incurring unnecessary costs and accepting inappropriate risks. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond quickly and appropriately.

Steve Durbin is global vice president of the Information Security Forum (ISF).

This was first published in December 2013

Computer system failure delays hundreds of UK flights

Hundreds of flights at several UK airports were delayed or cancelled at the weekend because of a computer failure at National Air Traffic Services (NATS). The UK air traffic controller said the failure of the computer system enabling ground communications between air traffic controllers in the UK and Europe had been resolved by Saturday evening.

However, the knock-on effects of the failure resulted in the cancellation of 18 flights at London's Heathrow airport on Sunday after 228 flights were cancelled the day before, according to the Financial Times. Gatwick, the UK's second largest airport, said about 20% of its early morning flights had been delayed because of the air traffic control problem. On Saturday, the computer failure at NATS in Swanwick also affected flights at Stansted, Birmingham, Southampton, Cardiff and Glasgow.

NATS said the reduction in capacity has had a disproportionate effect on southern England because it is an "extremely complex and busy airspace". NATS apologised for the computer failure, but said that contingency measures implemented on Saturday had enabled it to support 90% of normal Saturday flights.

"This has been a major challenge for our engineering team and for the manufacturer, who has worked closely with us to ensure this complex problem was resolved as quickly as possible while maintaining a safe service," NATS said in a statement.

NATS has not released any more details, but a spokeswoman told Computer Weekly that more technical detail would be provided as and when it was available.

Internet of things: Low-cost trade-off

The office at DoES Liverpool has a DoorBot, which works as a kiosk device, showing webcam views of the office and a list of upcoming events. The DoorBot originally consisted of a networked PC with a flat-screen monitor facing out towards the corridor through a conveniently located window.

The DoorBot works as a kiosk device, showing webcam views of the office, a list of upcoming events (from Google Calendar), and a welcome message to any expected guests. Currently, its only input device is an RFID reader. Our members can register their RFID cards (Oyster, Walrus, DoES membership card, and so on). Finally, this device is also connected to speakers, so it can play a personalised tune or message when members check in or out. Developing this device was as simple as running software on a computer ever is: the trickiest cases are things such as turning the screen off and on after office hours and coping with losing or regaining power and network. Given how close the functionality is to that of a PC, it might seem crazy to think of any other solution. However, if we had to scale up – to cover more doors or to sell the idea to other companies – we suddenly have new trade-offs. Just sticking a tower PC somewhere near the door may not be ideal for every office.

A computer that fits neatly with an integrated screen might work, such as an iMac, a laptop, or a tablet. But these devices are much more expensive than the original commodity PC (effectively “free” when it was a one-off because it was lying around with nothing else to do).

A small embedded computer, such as a Raspberry Pi, might be ideal because it costs relatively little, runs Linux and has HDMI output.

This is an edited extract from Designing the Internet of Things by Adrian McEwen and Hakim Cassimally, published by Wiley, RRP £19.99.

This was first published in December 2013

Top tech firms call for worldwide surveillance reform

Top technology firms have joined forces to call for urgent reforms of all internet surveillance programmes such as Prism in the US, and Tempora in the UK. Google, Apple, Facebook, Twitter, AOL, Microsoft, LinkedIn and Yahoo have formed an alliance called the Reform Government Surveillance group.

The group has written a letter to the US President and Congress which contends that current internet surveillance "undermines" freedom. The letter says documents leaked by whistleblower Edward Snowden "highlighted the urgent need to reform government surveillance practices worldwide". "The balance in many countries has tipped too far in favour of the state and away from the rights of the individual," the letter says.

The firms are concerned that public loss of trust in technology will hurt their businesses, and are calling on governments to help restore that trust. In related efforts to distance themselves from US and UK internet surveillance programmes, Microsoft, Twitter and Yahoo have introduced advanced encryption methods to protect customer data. Microsoft, Yahoo and Google have also published transparency reports on the overall number of government requests for data, as well as pushing for the right to publish more details on such requests.

The new alliance has also drawn up a list of five reform principles, according to the Guardian, which call on governments to limit surveillance to specific, known users for lawful purposes. They say governments should not undertake bulk data collection of internet communications and that requests for companies to hand over individual data should be limited by new rules. These rules should balance the "need for the data in limited circumstances, users' reasonable privacy interests, and the impact on trust in the internet".

Reacting to news of the technology alliance, Malcolm Rifkind, the chair of the parliamentary intelligence and security committee, told the BBC Radio 4 Today programme that the onus is on governments to ensure surveillance laws are proportionate. "I think the issue we all want to address is of proportionality. The onus has to be on government to decide what the policy should be," he said.

Nick Pickles, director of civil liberties group Big Brother Watch, said: "There can be no doubt that the surveillance laws of Britain, the US or many other countries around the world are not fit for an internet age. Britain's own laws were written before many of these companies even existed.

"Governments should not need to be told by private businesses that it is wrong to collect data on every citizen, through secret processes subject to little or no oversight. Sadly that is the position we find ourselves in.

"This statement of principles, by some of the world's biggest companies, is a watershed moment and one that cannot go ignored in any country that regards itself as a democracy.

"These businesses represent billions of dollars of global revenue, highlighting the significant risk to the digital economy of those nations who do not take concerns about web surveillance seriously," said Pickles.

Anonymous hackers plead guilty to 2010 PayPal cyberattack

The hacktivist group claimed responsibility for the attack, which was in retaliation for PayPal's refusal to process payments for WikiLeaks. December 8, 2013 5:02 PM PST (Credit: CBS) Thirteen people have pleaded guilty to charges connected to a...

Security Researcher Demonstrates It’s Easy to Hijack Airborne Drones

NEWS ANALYSIS: A noted security researcher says it's easy to hijack a widely-used, but poorly-secured, airborne drone using an autonomous skyjacking drone of his own. Security and privacy researcher Samy Kamkar ...