Google challenges US surveillance court on 1st Amendment grounds

SEATTLE (Reuters) - Google Inc asked the U.S. Foreign Intelligence Surveillance Court on Tuesday to allow it to publish aggregate numbers of national security requests it receives separately from criminal requests, on First Amendment grounds.

In its filing, Google requested the court to allow it to publish the aggregate number of national security requests it receives, including disclosures under the Foreign Intelligence Surveillance Act (FISA), claiming it as part of its First Amendment right to free speech.

"In light of the intense public interest generated by the Guardian's and Post's erroneous articles, and others that have followed them, Google seeks to increase its transparency with users and the public regarding its receipt of national security requests, if any," the Google filing said.

Google's move comes after other tech companies, including Microsoft Corp, Facebook Inc and Apple Inc released limited information about the number of surveillance requests they receive under an agreement they struck with the U.S. government last week.

Under that agreement, the companies were only allowed to disclose aggregate requests for data made by government agencies without showing the split between surveillance and criminal requests, and only for a six-month period.
The companies are scrambling to assert their independence after documents leaked to the Washington Post and the Guardian newspapers suggested they had given the U.S. government "direct access" to their computers as part of a National Security Agency program called Prism.
The disclosures about Prism, and related revelations about broad-based collection of telephone records, have triggered widespread concern and congressional hearings about the scope and extent of the information-gathering.
Google said it asked the U.S. Department of Justice and Federal Bureau of Investigation on June 11 to publish the aggregate number of national security requests, but said it was told such an act would be unlawful.
(Reporting by Bill Rigby; Editing by Richard Chang and Leslie Gevirtz)

NSA director describes surveillance as 'limited, focused' in House hearing

Keith Alexander testifies to Congress that programs revealed by Edward Snowden have stopped 'more than 50' attacks

Some of the most senior intelligence and law enforcement officials in the United States strongly defended the National Security Agency's broad surveillance efforts on Tuesday, saying they had disrupted more than 50 terrorist plots around the world.
General Keith Alexander, the director of the NSA, told a rare public hearing of the House intelligence committee in Washington that the programs were "critical" to the ability of the intelligence community to protect the US.
Offering the most extensive defence yet on the efficacy of secret surveillance programs reported by the Guardian and the Washington Post, Alexander said they were "limited, focused and subject to rigorous oversight".
During the hearing, members of Congress criticised the source of the leaks, Edward Snowden, who remains free in Hong Kong. On Tuesday, Iceland said it had received an informal approach from an intermediary claiming that Snowden, a 29-year-old former NSA contractor, wanted to seek asylum there. Asked at the congressional hearing about what was next for Snowden, Alexander said: "justice".
Flanked by senior officials from the FBI, Justice Department and the Office of the Director of National Intelligence, Alexander said that two surveillance programs revealed by the Guardian and the Washington Post had "helped prevent more than 50" terrorist attacks in over 20 countries.
Most of those prevention efforts, Alexander said, came from the NSA's monitoring of foreigners' internet communications under a program known as Prism. He conceded that only 10 related to domestic terror plots.
The Obama administration officials gave more details about four cases in which information taken from the NSA's databases of foreign internet communications and millions of Americans' phone records had contributed to stopping attacks. Two of them have been previously disclosed, especially that of the 2009 arrest of would-be New York subway bomber Najibullah Zazi. That case has been sharply challenged thanks to court records as more attributable to traditional police surveillance.
Referring to the statutory authority for Prism, known as Section 702 of the 2008 Fisa Amendments Act, FBI deputy director Sean Joyce said: "Without the 702 tool, we would not have identified Najibullah Zazi."
Joyce identified two previously unknown cases that he said the surveillance efforts helped unravel. In one, a Kansas City, Missouri, man named Khalid Ouazzani was found communicating with a "known extremist" in Yemen, information that helped detect what Joyce called "nascent plotting" to bomb the New York Stock Exchange. The other, described more vaguely, allowed the US government, using the NSA's phone-records database of Americans, to revisit a case closed shortly after 9/11 for lack of evidence.
Ouazzani, however, was never convicted of plotting to bomb the stock exchange. Andrew Ames, a Justice Department spokesman, later clarified that he was convicted of "sending funds" to al-Qaida. The other case, Joyce said, involved an American who provided "financial support" to extremists in Somalia.
Two members of the Senate intelligence committee, Ron Wyden and Mark Udall, said last week that they had not seen any evidence to show that the "NSA's dragnet collection of Americans' phone records has produced any uniquely valuable intelligence".
The intelligence and law enforcement officials as subject to "checks and balances". But they clarified, in the most detail provided publicly thus far, that most of those checks are internal.
James Cole, the deputy attorney general, said that the NSA needs "reasonable, articulable suspicion" of involvement in terrorism before searching the millions of Americans' phone records that it collects. But, Cole said: "We do not have to get separate court approval for each query."
Instead, the NSA sends an "aggregate number" of times it has searched the database every 30 days to the secret Fisa court that oversees surveillance, while also sending a separate report each time NSA analysts inappropriately search the database. Alexander's deputy, Chris Ingliss, said NSA analysts searched the database 300 times in 2012 in total.
Representative Adam Schiff, Democrat of California, said that "it may be valuable to have court review prospectively".
Alexander pledged to send the House and Senate intelligence committees greater detail on the surveillance programmes' role in preventing the 50-plus plots in secret on Wednesday. But he insisted the NSA took great care internally to balance civil liberties and national security.
"I would much rather today be here to debate this point than try to explain why we failed to prevent another 9/11," he said.

 

WARNING: Malware Targets Facebook Users

Microsoft discovered malware aimed at obtaining Facebook users’ login information and taking over their accounts, and the new malware strain, Trojan:JS/Febipos.A, has been delivered in the form of extensions for Google Chrome and add-ons for Firefox. The only good news is that it appears to have been discovered only in Brazil thus far.
The Next Web reported that Internet Explorer and Safari appear to be immune from Trojan:JS/Febipos.A thus far.
According to The Next Web, the browser extensions or add-ons determine if users are logged in to Facebook and attempt to download configuration files that include lists of commands, enabling them to perform activities such as liking pages, sharing content, posting on other users’ Timelines, commenting on posts, joining groups and inviting friends to do so, and chatting with friends.
Microsoft concluded, as reported by The Next Web:

There may be more to this threat because it can change its messages, URLs, Facebook pages, and other activity at any time. In any case, we recommend you always keep your security products updated with the latest definitions to help avoid infection.

In other words, while the threat seems to be currently focused on targeting Facebook users in Brazil (its messages are all written in Brazilian Portuguese), it’s easy to see how the threat could be modified to target more users. The fact that it uses a configuration file shows that the criminals specifically designed it to be modular.

Readers: Have you ever fallen victim to malware on Facebook?

HP introduces HAVEn to combat $4 billion cyber-theft in Big Data space

HP announced at HP Discover 2013, the new big data solutions along with security portfolio to combat $4 billion cyber theft in big data space. The acronym HAVEn  is built with best of HP’s technology such as Hadoop, Autonomy, Vertica and Enterprise Security represented by Arcsight and "n" apps built on this platform, all representing various aspects of big data.

Big data is unmanageable and complex data comprised of machine and human generated data. This is a perfect platform to manage that big data from all perspective including analytics, reporting, and security. Autonomy is the best big data solutions for human generated data, ArcSight has been managing the machine generated big data since 2007 with introduction of CORRe, Hadoop is a great place to consolidate all of this data with which you can use any analytical tool such as Vertica to perform real-time, near-real-time, and historical analysis of all type of data.

Big data is caused by the volume, velocity, and variety of the data and HAVEn handles each of this along with managing the vulnerability of the big data. This combined solution has the capability of collecting data from 750+ built-in connectors at over 100,000 events per second, and pushing the data to both ArcSight for event correlation and Hadoop for further analysis and storage at the same 100,000 events per second. You will now be able to perform Google like search on any type of data with simple full-text searching at over 3,000,000 events per second, and coordinate the events in real-time across devices at over 5,000,000,000 events per day. This provides end-to-end and comprehensive big data solution from collections, analysis, storage, and searching.

WeChat Messenger App to Be Banned in India?

The Intelligence Bureau (IB) has proposed a ban on Chinese mobile messengers including We Chat following concerns that proliferation of such services can pose a threat to national security.

Blocking access to such websites in accordance with the licensing conditions governing Internet service providers is one way of checking them, the country's internal intelligence agency pointed out at the second meeting of the inter-agency operational working group on June 4.
According to an internal note reviewed by ET , deputy national security advisor Nehchal Sandhu asked IB to discuss the matter with the home ministry and the telecom department to devise a methodology to block access to such sites.

We Chat, an instant mobile messaging application, claims a worldwide subscriber base of 300 million and competes with popular mobile applications such as Whatsapp and BlackBerry messenger. With revenue from SMS on the decline, telecom operators have been exploring tie-ups with such messengers to shore up their data revenue.

Sandhu also proposed to limit the access of various ministries and departments to Internet so as to make government's communication more secure. "A limited number of interface points could be effectively protected. The DRDO has floated a paper on the subject," he said.

Zeus FaaS Comes to a Social Network Near You

FaaS: Never a Dull Moment
The cybercriminal practice of operating Trojans and botnets has a long history on the Internet, an especially thriving one since the release of the first commercial banking Trojan, Zeus, in 2007.
Since then, the ever-evolving world of financial malware has seen many turns of the tide with new banking Trojans released, then disappear in dramatic underground events.
Through it all, the one constant has been cybercrime’s Fraud-as-a-Service offerings market, enabling the sale of Trojan bits and bites, or entire package deals, to those who could not afford a complete kit, or had no idea where to begin.
Typical Trojan FaaS deals offer a Trojan like Zeus, SpyEye, Ice IX, or even Citadel for a few hundred dollars instead of the full kit price going for a few thousands rather. FaaS deals sweeten the pot with bulletproof hosting at a discount, free set-up services, hands-on tutoring and malware-campaign help wrapped into affordable combos.
While it is beyond doubt a thriving economy, Fraud-as-a-Service mostly remained hidden in the deep enclaves of dark online markets, only advertised to those who were in the know, sought in the right place, or knew the right people. But that’s all a thing of the past, it seems. Social networks are such a great place for malware infections and phishing, why not just market the botnet directly from there?
Zeus FaaS Comes to a Social Network Near You
A recent discovery by RSA researchers shows a new FaaS offering that is being marketed directly via a popular social network. The sale item: a customized botnet panel programmed to work with the Zeus Trojan – both reworked by what appears to be an Indonesian-speaking malware developer.
Beyond having compiled a working Zeus Trojan kit, the developer customized an attractive control panel for the admin (basic and familiar in functionality, and taken from previous Zeus versions), the developer and his team created a demo website for potential buyers – which they have no qualms about sharing publicly, and best of all—a Facebook page with frequent updates and information about botnets, exploits, cybercrime, and their own product (Zeus v 1.2.10.1).
Why is This New or Interesting?
New Crime Products
Since the Zeus code leak in mid-2011, the world of information security foretold the coming development of new breeds of the malware and the compilation of working variants from the source code in the hands of those versed in malware programming. Seeing new customized Zeus Trojans out in the wild is very common, but seeing someone marketing a Zeus v1 kit is not.
This case shows that the code leak, leading to the availability of the Trojan, makes for an even more diverse crimeware market, one that gives room to new offerings, especially at a time when all the major developers are staying away from the commercial arena.
No Fear
Marketing cybercrime in such an open and accessible manner is not something common. Cybercriminals usually fear for their freedom and will not expose their endeavors online to potential undercover cyber-police officers and security research. Those who would take such a chance, in favor of selling their wares to a larger audience, do so because they trust the anti-digital crime laws in their counties are more forgiving or downright absent.
What’s The Overall Effect?
The cybercrime underground may have lost most of the access it had to the major commercial Trojans after Zeus, SpyEye, Ice IX and Citadel’s developers all decided to quit vending their malware freely, but it seems that FaaS is definitely keeping things alive in the crime world.
With affordable kits and readily available developers selling it, even an old Trojan like Zeus v1 can do the job, enticing would-be criminals to try their hand at harvesting bank credentials and online financial fraud scenarios.
Laws and Punishment – Best Deterrents
Cybercrime is a rampant phenomenon, and while it is known that policing is not yet up to par in its ability to control crime on the Internet, the most evident deterrents to online crimes are the law’s long-reaching, heavy arms.
International investigation efforts and collaborations leading to the arrests of numerous cybercriminals, botnet operators, fraudsters and online gangs have been the driver for malware developers to minimize their publicly-available operations and find a hiding place to continue their illicit activities.
Laws and actual punishments are developing all over the world; the more people understand that digital crimes can be investigated, uncovered, proven and lead to jail time, the more they would hesitate before deciding to dabble in cybercrime.

A social networking page dedicated to potential buyers and those interested in botnets, exploits and cybercrime

Demo website allowing potential buyers to look at the botnet control panel and options they can use

Mobile Risks and the Enterprise

I have worked on mobile security strategy for RSA for the last two years now, and during that tenure the market continues to evolve and move at a rapid pace, which no doubt is putting more stress and uncertainty into the minds of security professionals. But, just the other day I saw a graphic in Computerworld that really summed up the entire mobility movement. Take a look:

For those interested in reading the entire article, here it is (but don’t dare click away until you have finished this compelling blog): Poor pre-launch showing plagues Windows 8
What we are seeing with the mobility movement is not just about the next shiny new device, and the worry of that device being left in a cab or a restaurant. We are really seeing a fundamental shift in the way IT is consumed, and subsequently secured, and it’s mostly driven by mobile. The graphic above shows the amount of Windows PCs that currently have Windows 8 installed on it compared to Windows 7 at the similar time in its life (Windows 8 ships October 26^th). Now, a difference between a 1.6% share and a 0.33% share may not seem like that much on the surface, but you need to think about the kinds of people that typically deploy early releases of these operating systems.
People upgrading early are not likely to be the consumers of IT services. More often than not, early upgrades are for the development community to build the applications that we all know and love on the next operating system (like how a number of apps were ready for the Retina display when I bought my MacBook pro this summer). Sure, some of this shift between Windows 7 and Windows 8 is due to Apple continuing its dominance in the laptop market and more applications moving to OSX. But a lot of this discrepancy is also due to the mobility movement and the shift of IT consumption to iOS and Android devices rather than traditional PCs.
The new SBIC report, “Realizing the Mobile Enterprise: Balancing the Risks and Rewards of Consumer Devices”, highlights these shifts. Consider these quotes:

Roland Cloutier (VP, CSO, ADP) – “Mobile apps have the power to increase organizational agility…No matter where someone is in the world, they can manage their workflow around anything…”
Dr. Martijn Dekker (SVP, CISO, ABN Amro) – “A huge benefit of mobile devices is the user interface…This is simply how people want to interact with IT systems nowadays…”

This shift in how IT is consumed can have a dramatic effect on the security world. It also pushes the importance of mobile beyond just protecting the endpoint from a lost/stolen scenario, and actually makes it an even bigger problem around how you authenticate users and federated identity in a non-Windows, web-based world.
Considering this, there are a number of trends we have come up with around mobility that make it a distinctly different and new security challenge to consider:
BYOD: This is a marketing term, but the fact that devices are either personally owned (or treated as personal devices) has serious implications. First and foremost, enterprises have lost control of the endpoint image, which creates an issue around enforcing agents or installing security patches. Many enterprises are struggling just to get users to install MDM on their devices, let alone deeper agents like anti-virus or malware forensics agents to protect against advanced threats. In addition to the lost endpoint control, BYOD also creates a problem about when and how enterprise policy is applied. Obviously when a device belongs to an individual there is an expectation that enterprise rules are only being applied when working, but this is starting to be the case even when enterprises provide devices for users, especially in phones. For example, EMC purchases our phones for us, but I still treat that device largely as a personal device. It’s my only cell phone (my only phone at all, in fact), and I have a number of personal apps loaded on it. The simple fact that I carry it all day everyday means that a large percentage of the time it will be in use for personal reasons. This forces enterprises to think about applying security policy in only enterprise scenarios, not on the entire device. This is one example where MDMs tend to come up short.
Off Network: Network visibility is a drug to security teams. Its needed more than anything else to understand what users are doing and when they are doing it. That is the reason why so many advanced threat tools today are network-based monitoring tools. Unfortunately, in the mobile world, enterprise networks don’t have to be touched all that often. For phones, just about all of the network connectivity goes across carrier networks, and its only when the phone asks the enterprise for some information that the enterprise can monitor it. As soon as the data gets to the device – you’ve lost visibility from a network perspective (picture a sensitive piece of content being uploaded to Dropbox from a mobile device). The use of cloud services only exacerbates this problem, because then you have disconnected endpoints (that enterprises don’t own) connecting to cloud services (that enterprises don’t own). Nowhere in that interaction does the enterprise network see the traffic.  That lack of visibility can be troublesome for security teams.
“Chatty” Interaction Model: This is always a tough trend to explain, and the term “chatty” has been the best way I have been able to describe it. Basically, what it boils down to is the fact that mobile users have very frequent context shifts between work and play. The best way to illustrate this is email and calendar. Just a few years back, if I wanted to check my email at night or see what time my morning meetings were, I needed to boot up my laptop (which likely was a 10 minute process), open my VPN client, usually respond to a two-factor authentication challenge, and then open Outlook. The Blackberry (remember that?)  changed all of that. It gave quick access to email and calendar without the need for VPN. That began the blurring of work/play. iPhone and Android brought in more play to these devices, and what we are left with is a consistent flip between work/play throughout the day. You might check email, make a quick response, and then hop onto your Facebook app right after that. That switching does not provide good areas for strong authentication, and blurs the line as to when enterprise security policy should be applied.
Web/Federated Access Model: This one is mostly driven from the “app” economy Apple created and the chipping away of Microsoft’s dominance in the enterprise. More and more cloud services are being used for enterprise purposes (Google Apps, Salesforce, Box, Office 365, etc), and each of them make use of web-based authentication standards. As enterprise app development evolves, more and more things will be developed in the mindset of  “mobile first” (see Microsoft graphic above). That will push more traditional enterprise authentication and identity management into a web standards world.
Fighting against these trends isn’t the wisest idea. Apple has shown that consumers have an awful lot of control around enterprise IT policy. But you still need effective ways of delivering security. Fundamentally, you still need to secure data, secure identities, and get threat visibility, but you need to do it while working within these trends and not trying to push the old model on the new.
The SBIC report on mobility that I mentioned earlier gives a great overview of the security options available to enterprises today, including MDM, application containerization, enterprise authentication, and application malware detection. Specifically, the report calls out the need for MDM, but cautions against the over reliance on MDM as a security solution. Consider the quote from Marene N. Allison (Worldwide VP of Information Security, Johnson & Johnson), “…If you talk to security professionals at this point we just settle on MDM. It’s not like we can get all of the features we want yet. MDMs are still too immature.”
The overall mobile management market is maturing beyond just device management into application and data management, which allows for granular policy enforcement and network connectivity into enterprise apps. These management products will ultimately encompass the next generation security infrastructure in mobile, similar to the way VPNs made up the traditional remote access infrastructure. Strong authentication methods, especially those that rely on risk-based methodology, as well as data security and threat forensics will be layered on top of these infrastructure components to create a true mobile security stack that can take much of the mystery out of BYOD.

The Password Reset Conundrum

By Kenneth Ray, Architect, Access and Data Protection & Sandra Carielli, Principal Product Manager, Access and Data Protection
Many of us have received an e-mail, either from a web portal we frequent, or from the IT department at our place of employment, telling us that we need to reset our password due to a security breach.   In the event of a smash and grab attack that compromises user passwords, having users reset their passwords is one of the first steps in remediation.  There’s no question that the old password is now gone, and should most definitely be changed.  The next question that comes to mind is how effective is that password change?  And how might that effectiveness change when that password change is required from a large number of users on a single system?

We all know that users have developed strategies for dealing with required password updates.  Some are more obvious than others.  The simplest example is with a simple increment / rotation of a given root: e.g.  P@ssw0rd1, P@ssw0rd2, P@ssw0rd3…  This works great, as it meets the complexity requirements at once, is easy to remember, and can be reset back to P@ssw0rd1 as soon as the history requirement is met, e.g. after P@ssw0rd9 for a history limit of 10.  Some users even use the same root for multiple websites as we’ve seen with the analysis of the Linked In published passwords. Such behaviors are clearly disadvantageous for the individual users, since knowledge of the cleartext password on one site is, unfortunately, likely to allow an attacker to predict that user’s password on another site, either because the password was reused in whole or the derived root was reused in whole. Interestingly enough it is _also_ disadvantageous for the website owner as well.  Here’s why.

Attackers steal more than the current passwords of the given users; they also lift the password histories, which in most systems are protected by hashing scheme no more advanced than the ones protecting the current passwords, and on some systems are kept in the clear.  In these last systems, the administrators believe that the tradeoff between potentially revealing the previous passwords to an attacker is worth the risk of being able to more effectively address users creating a rolling scheme as described above.  We should note that no matter how clever the algorithm for detecting a rolling scheme is, there will always be users who are more clever.  In most cases, a majority of users will be able to discover a way around the detection for the simple reason that it allows them to remember their passwords without the dreaded action of writing them down!

Once the attacker has this large store of current and historical password hashes, and after some quality time with hashcat (or the hash cracker of their choice), said hacker has little work before him before the pattern of a single user’s rotation can be discovered.  Given the example above, how long will it take the attacker to decide that the next guess of P@ssw0rd11 might be the next logical choice for a given user?  For any given user, there is clearly a non-zero likelihood that the search space can be reduced to find the user’s next password based on the history.  This doesn’t even account for other patterns that can be learned, such as how the user prefers to create passwords (e.g. simple words with character substitutions, pairs of words, the first letters of common sentences, favorite topics, etc.)  In other words, what does a password history say about how the given user chooses a password?  What does your password history say about how you will pick your next password?

Now assume you’re a great big newspaper with lots of editors and reporters – in the event of breach, what are the odds that all of your editors and all of your reporters will choose a new password that is significantly different from the old one?  Specifically one that is sufficiently different from the previous historical pattern so that none of those editors and none of those reporters are subject to vastly reduced search space attacks on their new password?  The same problem exists for corporate executives protecting an enterprise’s IP.  Is it reasonable to count on the new passwords being sufficiently secure?  For all users?  It is unlikely that sufficient number of them will choose a new password with no resemblance to the last one, such that the overall system can return to the same security protections that were in place before the breach.

Password resets are an important and required step after a password or any other significant breach of a system, and it is inarguable that changing all the passwords in a breached system provides a measurable and tangible improved security profile.  The unfortunate reality is that requiring a password change is not enough.  Clearly creating systems that provide protections in addition to, or instead of, passwords are a great way to mitigate this risk, especially if those systems can take only a minor or even negligible dependency on a password provided by the user.  And short of systems such as those, or even in addition to systems such as those, users must also be sufficiently educated on how their password histories enable attackers to predict their next passwords, so that they are aware of just what they lost when a password breach occurs and how they can protect themselves, their own personal accounts, and the corporate account to which they have been entrusted with privileged access.

Kenneth Ray is Director of Technology at RSA, focusing on Core Crypto Tools, SaaS Security Isolation and Compliance and Big Data Analytics based Identity and Access Management.  Before joining RSA, Kenneth spent 16 years developing and architecting Windows Kernel, core USB, Windows Security, BitLocker, Xbox and Xbox Live Security, Rights Management Services and the Anti-Piracy model for Windows Phone. 
 Sandy Carielli has ten years of experience in the security industry, as a product manager, consultant and engineer.  Currently, she leads product management for the Data Protection portfolio at RSA.