Wednesday 3 July 2013

PRISM: European Commission demands answers over 'disturbing' NSA surveillance



The European Commission (EC) has responded in no uncertain terms to the allegations of NSA surveillance taking place at its premises, demanding full clarification and transparency from the US government over its activities.
Documents seen by the German newspaper Spiegel suggest that not only were bugs installed by US surveillance in the EU's offices in Washington, but also that the building's computer network was infiltrated. Through this, surveillance teams had the capability to listen to discussions in several offices belonging to the EU, as well as being able to access emails and documents on computers.
The EC said it took immediate action to raise the matter with the European External Action Service, which will liaise with US authorities.
A statement from the EC said: "These are disturbing news [sic] if proven true. They demand full clarification."
The newspaper also alleges that offices in New York and Brussels came under the watch of US surveillance teams, with EU security officials apparently noticing suspicious telephone calls targeting a remote maintenance system of a building in Brussels, where the EU Council of Ministers and the European Council are based. The calls are said to have been traced back to a NATO headquarters in Brussels, from a building used by NSA employees.
The EC asked for openness over the allegations, putting the ball firmly in the US authorities' court. "The EU is now expecting to hear from the US authorities. Clarity and transparency is what we expect from partners and allies, and this is what we expect from the US," the EC noted.
On Sunday, Spiegel also revealed that the NSA typically taps half a billion phone calls, emails and text messages per year in Germany alone. The paper also indicated that surveillance in the country was stronger than in any other EU country.
Last week, shadow home secretary David Davis told the House of Commons that UK laws to protect citizens from surveillance were 'completely useless'. Founder of the web Tim Berners-Lee also weighed in last week, urging further advances in web freedom.
This follows allegations that security organisations such as the NSA and GCHQ were monitoring personal emails of people across the world, and accessing data from companies such as Facebook, Microsoft and Google.
The former NSA contractor Edward Snowden's location is still unknown after he failed to take a flight to Ecuador he had been booked onto last week, although it is believed he is in Russia and is seeking asylum there. The US government has issued a warrant for his arrest, with WikiLeaks founder Julian Assange expressing his allegiance to Snowden.

Cyber World War Z: Part 1

Well, there's the Brad Pitt World War Z, then there's the "Cyber World War Z" Ziften addresses.

While Mr. Pitt is battling the zombie apocalypse, Ziften is battling cyber-attacks at the enterprise client. The enterprise client has become the most porous, attack-ripe point of entry, so we are fighting our own version of the "shock, panic, disbelief and possible denial" that follows cyber-attacks in enterprises.

Enterprise Client Systems—The Preferred Point of Entry for Routine or Advanced Cyber Attacks

Both routine malware and sophisticated advanced attacks typically target client endpoints. They are far less well-protected than datacenter servers, run largely unobserved by IT staff, are inconsistently patched and loosely managed, and are operated by generally naïve users (or in the worst case, by insider attackers). The compromised client endpoint then serves as the pivot point for launching attacks from behind the corporate firewall, to discover and collect data assets and export them to external command and control servers. As we'll see below, this large enterprise population of thousands of such client systems is ripe for exploitation by all but the most inept, unorganized adversaries.
No enterprise will ever effectively secure its client population by treating it as a security problem – fundamentally it is a management challenge. Ziften has instrumented many thousands of enterprise client systems across dozens of Fortune 500 organizations from major vertical markets in defense, aerospace, energy, healthcare, industry, finance, and major media. Ziften client agents report on client system hardware configuration, on user activity, and on what software runs, when it runs, what resources it consumes, what its version metadata description is (including vendor, product and file versions, product name, copyright dates, etc.) along with a cryptographic hash (MD5) of the binary executable.
Agent reports are collected by an enterprise client management server that stores the findings in an internal database, aggregates and analyzes them for population statistics, references an extensive knowledge base on the application genre, enterprise value and known vulnerabilities of tens of thousands of enterprise software applications, and applies heuristic scoring techniques to rank the performance and security trust level of applications in the enterprise and clients in the population. After four years of collecting, reviewing, and reporting findings to its major enterprise customers, Ziften has an experience base in client population security management that informs the opinions expressed in this blog.
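The two paragraphs above describe the server side of the picture: per-client reports (executable hash, version metadata, path, host) are aggregated across the population and scored. The following is an added example, not Ziften's code, showing one way such population statistics can drive a trust ranking. The heuristics, weights, host names, hashes and the `KNOWN_GOOD` allow-list are all constructed for the illustration and are not the product's actual scoring method.

```python
"""Population-level trust scoring over endpoint agent reports.

Added example, not Ziften's code: it shows how per-client reports
(executable hash, version metadata, path, host) can be aggregated across
a client population and ranked with simple, assumed heuristics.
Every report below is constructed for this illustration.
"""
from collections import defaultdict

# Constructed population of five client hosts.
HOSTS = ["ws-001", "ws-002", "ws-003", "ws-004", "ws-005"]

# Constructed agent reports: one observation of an executable per host.
REPORTS = [
    *[{"host": h, "md5": "a" * 32, "vendor": "Acme Corp", "product": "Acme Suite",
       "file_version": "4.2.0", "path": r"C:\Program Files\Acme\acme.exe"} for h in HOSTS],
    *[{"host": h, "md5": "b" * 32, "vendor": "Microsoft Corporation", "product": "Windows",
       "file_version": "6.1.7600", "path": r"C:\Windows\System32\svchost.exe"} for h in HOSTS],
    {"host": "ws-003", "md5": "c" * 32, "vendor": "", "product": "",
     "file_version": "", "path": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"},
    *[{"host": h, "md5": "d" * 32, "vendor": "Acme Corp", "product": "Acme Legacy Tool",
       "file_version": "1.0", "path": r"C:\Program Files\Acme\oldtool.exe"} for h in HOSTS[:2]],
]

# Constructed allow-list standing in for a knowledge base of known-good hashes.
KNOWN_GOOD = {"b" * 32}


def aggregate(reports):
    """Group observations by MD5: hosts that ran the binary and the metadata it claimed."""
    by_hash = defaultdict(lambda: {"hosts": set(), "vendors": set(), "paths": set(), "versions": set()})
    for r in reports:
        entry = by_hash[r["md5"]]
        entry["hosts"].add(r["host"])
        entry["vendors"].add(r["vendor"])
        entry["paths"].add(r["path"])
        entry["versions"].add(r["file_version"])
    return by_hash


def trust_score(md5, entry, population_size, known_good):
    """Assumed heuristic: 0 (distrust) to 100 (trust). Weights are illustrative only."""
    prevalence = len(entry["hosts"]) / population_size
    score = 40 + 50 * prevalence            # widely deployed binaries earn trust
    if md5 in known_good:
        score = max(score, 95)              # hash vouched for by the knowledge base
    if not (entry["vendors"] - {""}):
        score -= 25                         # no vendor metadata at all
    if len(entry["vendors"] - {""}) > 1:
        score -= 20                         # one hash, conflicting vendor claims
    if any("\\temp\\" in p.lower() for p in entry["paths"]):
        score -= 15                         # executing out of a temp directory
    return int(round(max(0, min(100, score))))


def rank_binaries(reports, hosts, known_good):
    """Return [(md5, score, host_count)] sorted from most to least trusted."""
    by_hash = aggregate(reports)
    ranked = [(md5, trust_score(md5, e, len(hosts), known_good), len(e["hosts"]))
              for md5, e in by_hash.items()]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for md5, score, n in rank_binaries(REPORTS, HOSTS, KNOWN_GOOD):
        print(f"{md5[:8]}...  trust={score:3d}  seen on {n}/{len(HOSTS)} hosts")
```

The ranking puts the allow-listed system binary first, the widely deployed application next, the two-host legacy tool below that, and the unsigned single-host executable running from a temp directory at the bottom. The point is the shape of the analysis rather than the weights: prevalence across the population and consistency of the claimed metadata are signals an endpoint management server can compute only because every client reports the same fields.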

“Oh no, the suspect ran CCleaner to get rid of the evidence!”

I recently received a few questions about the effects of running Internet history sanitation tools such as CCleaner, when examining a computer looking for internet related artifacts. CCleaner is a product from a company identified as Piriform (www.piriform.com), and a version is freely available online and commonly used to ‘sanitize’ user activity. From the online documentation, CCleaner is said to protect privacy by cleaning out Internet browsing history and temporary internet files.
I have personally run into CCleaner on several cases when examining digital evidence and found it to have a varying degree of effectiveness, depending on exactly the types of artifacts you are trying to find/recover after its use. CCleaner has the ability to clean and remove information from several different locations, including the registry, the recycle bin and even wipe the disk. For this article, I am focusing on its effectiveness against the ability to recover Internet related history after CCleaner has been run.
Using a well-used test machine (Windows 7) with several different types of Internet-related artifacts, I ran Internet Evidence Finder (IEF) using the default options to get a baseline of the artifacts that existed before running CCleaner. The test machine had artifacts from Chrome, Firefox and Internet Explorer 10, as well as numerous other applications such as P2P, webmail, etc. Here is a snapshot of just the web-related artifacts found before running CCleaner.
Before CC Cleaner
I then installed CCleaner on the test machine, just as a suspect would, accepting the default installation options. From the CCleaner interface, the following options were enabled by default.
CC Cleaner with default options
I then ran CCleaner and received confirmation that it cleaned several locations related to Internet history.
CC Cleaner Results
After running CCleaner, I then rebooted the test machine and reran Internet Evidence Finder (IEF) using the same default options and was still able to find almost all the artifacts that had been identified before running CCleaner. In fact, some of the artifacts in some categories went up, likely caused by artifacts existing in memory before the reboot and then when the computer was shut down and rebooted, those artifacts were flushed to disk (pagefile).
Before and After
As many are aware, Internet artifacts are commonly found in memory (which I did not examine in this example), and ultimately end up on disk in the form of the pagefile or hibernation file. Many tools such as CCleaner have minimal effect on these files, and therefore many of the commonly sought-after artifacts can still be found.
This should be a clear illustration of how important the collection of RAM can be regardless of the type of investigation. It is also a good demonstration of the importance of searching for Internet-related artifacts even when you find evidence of 'sanitation' tools being used by the suspect. There are several other freely available 'sanitation' tools, each with varying results. The point of this post is to illustrate that the potential benefits of running a search for Internet-related artifacts are well worth the effort, even when you fear they may have been 'sanitized'.
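To make the mechanism concrete, here is an added example that is not part of the original post and not IEF's or CCleaner's code: a small carver that pulls URL strings out of a raw byte blob such as a pagefile or memory dump. Browser history databases are what a sanitizer deletes, but URL strings that were paged out of process memory remain in pagefile.sys or hiberfil.sys as plain ASCII or, very often on Windows, UTF-16LE. `PAGEFILE_SAMPLE` is a constructed stand-in for a slice of such a file; in practice the blob comes from an acquired pagefile or memory image.

```python
"""Carving Internet artifacts out of a raw memory/pagefile image.

Added example, not IEF's or CCleaner's code. PAGEFILE_SAMPLE is constructed
for the illustration; read a real blob from an acquired pagefile.sys,
hiberfil.sys or memory dump instead.
"""
import re
from urllib.parse import urlparse

# URL characters per RFC 3986, kept permissive because we are carving, not validating.
_URL_CHARS = rb"[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]"
ASCII_URL = re.compile(rb"https?://" + _URL_CHARS + rb"{4,}")
# Windows keeps many in-memory strings as UTF-16LE: each ASCII char is followed by a NUL.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _URL_CHARS + rb"\x00){4,}"
)

# Constructed stand-in for a pagefile slice left behind after a "sanitizer" ran.
PAGEFILE_SAMPLE = (
    b"\xde\xad\xbe\xef" * 4                                   # unrelated page data
    + b"https://intranet.example.com/reports/q2.xlsx"          # ASCII URL at offset 16
    + b"\x00" * 8
    + "http://webmail.example.net/inbox?id=42".encode("utf-16-le")  # UTF-16LE URL
    + b"\xff\xfe\x00\x00"
    + b"ftp://not.carved.example/ ignored here "               # not http(s): ignored
    + b"\x13\x37" * 6
    + "https://intranet.example.com/login".encode("utf-16-le")
    + b"\x00" * 4
)


def carve_urls(blob):
    """Return [{offset, encoding, url}] for every URL-looking string, in offset order."""
    hits = []
    for m in ASCII_URL.finditer(blob):
        hits.append({"offset": m.start(), "encoding": "ascii",
                     "url": m.group(0).decode("ascii")})
    for m in UTF16_URL.finditer(blob):
        hits.append({"offset": m.start(), "encoding": "utf-16le",
                     "url": m.group(0).decode("utf-16-le")})
    return sorted(hits, key=lambda h: h["offset"])


def hosts_seen(hits):
    """Summarize carved URLs per hostname: number of distinct URLs pointing at each host."""
    per_host = {}
    for h in hits:
        host = urlparse(h["url"]).hostname
        per_host.setdefault(host, set()).add(h["url"])
    return {host: len(urls) for host, urls in per_host.items()}


if __name__ == "__main__":
    found = carve_urls(PAGEFILE_SAMPLE)
    for h in found:
        print(f"0x{h['offset']:08x} {h['encoding']:8s} {h['url']}")
    print(hosts_seen(found))
```

Run against a real pagefile the hit list is noisy and needs triage (favicon and CDN URLs, update checks), which is exactly the kind of categorization IEF does for you; the example only shows why a wiped history database is not the end of the search.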

Is Anyone Really Responsible for Your Company's Data Security?

Protecting a company's critical information is a value proposition. Trade secrets, confidential business plans, and operational security depend on it. Losing that kind of information can mean a plunge in stock price and market share. So who's responsible for information security in your company?
To find out, I like to ask questions. But when I put the question to top management, well, they're busy — not their problem, that's for sure — and they refer me to the chief information officer or the chief technology officer. So I knock on their doors and put the same question to them. Our job, they say, is making stuff work. If the stuff doesn't work, that's our fault. But security? They refer me to the chief information security officer, but she works for the CIO, who doesn't much like to hear what's wrong with the system he built. Besides, she says, I have nothing to do with who gets access to the system. I don't write the rules. And (she looks around nervously: you won't quote me on this, will you?) my budget is a joke.
So I walk down the hall and knock on the general counsel's door. Cyber security my problem? he says. No, no, he laughs; I write the contracts that lay off the liability for cyber security on our contractors. And insofar as some of that liability stays here, it's a technical problem.
Who's left? I walk down the hall and visit the HR director, who is trying hard to conceal her opinion that, for asking her whether she has any responsibility for any kind of security, I must be the stupidest guy on Earth. Nevertheless I persist. You control the HR manual, don't you? She does. And the manual contains lots of access rules, doesn't it? She concedes the point. And weren't you the chief opponent of the CISO's plan to require a click-through log-on banner stating that information on the company's IT system belongs to the company and can be monitored? Suddenly she remembers her next appointment.
Try the experiment in your company. If you get answers like this, it means that nobody in your company is responsible for information security. The truth is, unless all these people understand they own a piece of the problem and can be brought to deal with it together, you cannot manage information security.
Verizon's newest data breach investigations report for 2013 tells us — yet again — that cyber security depends on people as much as technology. Breaches are nearly always caused by multiple factors, and people are nearly always one of them. In this latest report, based on a larger-than-ever sample, 29% of breaches involved social tactics like getting employees to click on fake emails (phishing). And gullible employees aren't the only problem. Year after year Verizon has been reporting that most intrusions — 78% this year — are "low difficulty" and could have been prevented by simple or mid-level security measures. Failure to implement patches for weeks and months on end is a common problem. This is a management failure, not a technological problem.
When intruders get into corporate systems, they tend to stay in. We still see smash-and-grab hacks, mostly after personal information, but they are becoming less common, especially when the goal is stealing corporate information. Most breaches take time to discover — usually months rather than weeks, and sometimes longer. In a major release early this year, the forensic firm Mandiant reported, with solid evidence, massive Chinese hacking of private sector clients — and showed that the median period of the intrusion was nearly a year. Often such breaches are discovered only by third parties — like the FBI or the media. Not a pleasant experience.
So why do so many companies treat cyber security as merely a technical problem that can be pushed down into the IT department?
Cyber security involves legal issues, human resources practices and policies, operational configurations, and technical expertise. But while each of these silo chieftains — the general counsel, the HR director, the chief operations officer, and the IT director — owns a piece of the problem, some of them don't know it, and none of them owns the whole thing. This makes information security a risk management and governance challenge, because unless these people attack the challenge together under a C-suite mandate, it can't be managed effectively. Unfortunately this rarely happens.
Information security does not mean locking down information that must move quickly. It does involve figuring out where information must move, and where it must not move. And above all, it means making rules that don't stifle creativity in the business. Protecting critical information protects corporate value and is a core responsibility of the board and executive management. Best-in-class companies view information security as a value proposition — not merely as a deduction from the bottom line.

Information Security - The Human Element!

Could you guess the weakest link in the Information Security chain? The HUMAN element!

It's something technology can't control. "The human being is the most precious asset a company has, and the most dangerous thing," says the founder of an international security company in the UK.

I remember a funny incident: an executive manager at one of the largest multinational financial companies, while walking the office floor, noticed a couple of unlocked user PCs. He sent a broadcast email from one PC saying, "Dear All, today's lunch is on me (by user X)!" It's a happy message, but here is the more panic-inducing one from another PC: "Dear All, I am resigning from my job with immediate effect! (by user Y)". The ethics behind such messages might be debated, but the moral of the incident is that employees should not leave their desks with unattended pieces of information, whether digital or in black and white.

Employee awareness of the "Importance of Information Security" needs to be addressed efficiently, which could be a team effort by the HR and Training, IT, Security and Marketing departments.

Information Security Awareness Training - Current Flaws 

The main problems with how information security awareness techniques are commonly implemented relate to "business culture" and "awareness approach". It's a common assumption that if someone were aware of the risk or threat, their behavior would change. If you are aware of the presence of attacking dogs, you would take care while walking along those countryside roads. The reality is that people may well be aware of the risk but feel constrained by other factors, such as established business culture.

Another problem is that information security professionals don't realize that information security awareness is all about marketing. Mouse mats, motivational posters and screen savers with messages copied from the organization's security policy are quite easy to do, but in reality a creative marketing approach should involve audience research, careful targeting of communications, and measuring the outcome. The people part of security implementation is always left unattended. The patient is dying of the common cold due to poor nursing, and yet the doctors are concentrating on the health of hearts and brains. Yes, the fundamental risks need to be prioritized.

The problem with managing employees is managing the motivation of the company itself. 

Information Security Awareness Training - A Balanced Approach 

No software, and nothing in black and white, can stop the spilling of company secrets through the mouths of employees. The only solution is to promote real behavioral change. It is like the carrot-and-stick model of reward and punishment for behavior. You might push for information security compliance by either punishing bad behavior or rewarding good. The carrot is a better option. The logic is that rewards always motivate! From my personal experience, I have two small kids, and if I buy some chocolates or toys rather than getting out a stick, the effect will be healthy and rewarding as well. The same applies in information security awareness training.

For example, if you are planning to apply complexity requirements for Windows passwords, you could either punish or issue warnings to those who use simple passwords like "name123". On the other hand, you could show an example of a strong password and give small rewards to the employees who then follow those examples. What would be your choice?

What Do Users Need to Know?

Users need to know about information security issues that affect their work, their home, themselves and their families. They need to understand the threats and risks as well as the methods they can personally use to defend against these threats. 

To illustrate the Human Element, let's consider an example. You might have noticed stickers in hospitals and other public places illustrating the ideal steps to wash your hands. Health authorities and other social services organizations took many years to develop the so-called cultural acceptance of the practice of washing one's hands to prevent infection, because there wasn't an instantaneous negative consequence to not washing them. It's the same with information security. When you click an anonymous email or a picture of a fair lady, your computer doesn't immediately blow up; maybe it gets a bit slow. Someone else's information gets stolen, and it never comes back to hurt the individual. Hope you got the logic!

Message to Information Security Professionals 

Many organizations are overlooking the security basics in favor of sexy new cyber-attacks most people don't know about. They worry about cyber attacks from China or Russia, but they haven't even fixed the basics that have been broken for years, since the conception of the business. Hackers understand very well "human nature" and its impact on "employee behavior"; that's why social engineering and phishing attempts flourish more than ever before.

Best Practices

(1) Communicate to users how important it is to them personally: People are more receptive to information that affects them personally. Training should be focused on safe usage not only at the workplace, but at home as well.

(2) Communicate with real world examples: Keep everyone's attention by citing examples the audience can identify with and whose impacts they can realize. Use any recent public information (internal or external) for which the consequences can be understood.

(3) Communicate the importance of End User Security Awareness Efforts: Vulnerabilities are not only exploited from the outside, but can be exploited from the inside as well. Approach security awareness with seriousness and give the users tools to help with security efforts.

"We're coming around to needing a balance between technological countermeasures and change-in-behavior countermeasures," says Williamson of (ISC)2, USA. Organizations must decide which user behavior they most care about and focus their efforts on controlling that risk.

Security professionals should also examine attitudes and beliefs in their organization, and take a positive approach with the right balance of technology and the human element in order to ensure a secure computing environment for the business.