Thursday, August 28, 2014

Former Cyber Security Chief in Charge of Obamacare Site Going to Jail for Heinous Online Activities

A former acting director of cyber security with top clearance at the Department of Health and Human Services has been convicted of several child pornography charges, after a yearlong investigation by the FBI.
As reported by the New York Daily News:


Timothy DeFoggi, 56, was found guilty of engaging in a child exploitation enterprise, conspiracy to advertise and distribute child pornography and accessing a computer with intent to view child pornography. He was listed as an employee with top clearance at the HHS up until January 2014, though he was charged and held without bail in May 2013.

But DeFoggi wasn’t only looking at pornographic pictures. It’s far worse than that.

“His activities on the site included accessing child pornography and expressing sexual fantasies — including raping and murdering children — in his communication with other site members. DeFoggi even suggested meeting one member in person to fulfill their mutual fantasies to violently rape and murder children,” the Department of Justice said of DeFoggi’s activities.
Read more here.

Tuesday, August 5, 2014

FinFisher spyware docs detail surveillance limitations

A parody Gamma International Twitter account is releasing secret documents that detail FinFisher spyware limitations, spying modules, mobile capabilities, price list and antivirus detection of the malware typically sold to governments.

“Phineas Fisher” aka @GammaGroupPR, a parody Twitter account of the Gamma Group that specializes in FinFisher spyware, certainly knows how to snag attention. Its very first tweet announced, “Here at Gamma International, we've run out of governments to sell to, so we're opening up sales to the general public!”

Then come the links to leaked FinFisher documents stored in Dropbox, including a product brochure featuring FinFisher’s selection of monitoring software and capabilities (pdf), user manual with troubleshooting tips for setting up a FinSpy server, price list, release notes for FinSpy Mobile 4.51, and another document that spells out how well the spyware does on Windows Mobile devices.
WikiLeaks Spy Files first released documents detailing FinFisher in 2011. Citizen Lab research from 2012 showed how the sneaky FinFisher surveillance had gone mobile. The leaked documents via @GammaGroupPR are the newest, with some dated April 2014.

Read more here.

Friday, August 1, 2014

Hackers Tap Into USB Devices, Evade All Known Security Protections

BOSTON (Reuters) - USB devices such as mice, keyboards and thumb-drives can be used to hack into personal computers in a potential new class of attacks that evade all known security protections, a top computer researcher revealed on Thursday.

Karsten Nohl, chief scientist with Berlin's SR Labs, noted that hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.

"You cannot tell where the virus came from. It is almost like a magic trick," said Nohl, whose research firm is known for uncovering major flaws in mobile phone technology.
The finding shows that bugs in software used to run tiny electronics components that are invisible to the average computer user can be extremely dangerous when hackers figure out how to exploit them. Security researchers have increasingly turned their attention to uncovering such flaws.

Thursday, July 31, 2014

5 Ways Boards Could Tackle Cybersecurity

A new handbook from the National Association of Corporate Directors, titled Cyber-Risk Oversight, offers five principles to guide boards of directors in helping their organizations address IT security threats.
The NACD announced on July 29 the availability of the handbook, which was developed in collaboration with the Internet Security Alliance, a trade group, and insurer American International Group.

"As the intricacy of attacks increases, so does the risk they pose to corporations," says Mark Camillo, AIG's head of cyber products for the Americas region. "Conscientious and comprehensive oversight of cyber-risk at the board level is essential."

The handbook focuses on board-level cybersecurity oversight and is organized around five key principles:
  1. Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber-risks as they relate to their company's specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprisewide, cyber-risk management framework with adequate staffing and budget.
  5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach. 
Read more here.

Wednesday, July 30, 2014

House Passes 3 Cybersecurity Bills

In what seemed to be a flashback to a more genial era in Congress, when compromise wasn't a dirty word, the House of Representatives passed a key cybersecurity bill, with its conservative Texas sponsor lauding the support for the measure from the liberal American Civil Liberties Union.

By voice votes on July 28, the House passed the National Cybersecurity and Critical Infrastructure Protection Act and two other cybersecurity measures. Next stop: the Senate.

On the floor, House Homeland Security Committee Chairman Mike McCaul, R-Texas, pointed out that business organizations and the ACLU, groups that often are at odds over legislation, supported the bill, with McCaul alluding to the ACLU's characterization of the bill as being pro security and pro privacy.

"Striking a balance between security and privacy, I believe, is one of the most difficult challenges in developing cybersecurity legislation, and I'm so very proud that this committee and this bill achieves that goal," McCaul said.

The bill, if enacted, would codify the National Cybersecurity and Communications Integration Center, an agency within the Department of Homeland Security that fosters real-time cyberthreat information sharing with critical infrastructure operators. It also would establish an equal partnership between industry and DHS, and ensure that DHS recognizes industry-led organizations to expedite critical infrastructure protection and incident response.

Friday, July 25, 2014

Listening devices found at Ford HQ

Detroit— The FBI searched Ford Motor Co.’s world headquarters while investigating one of the automaker’s engineers and seized listening devices, computers and financial records, according to search warrants obtained by The News on Thursday.

A lawyer for the mechanical engineer said Ford’s security team feared she was stealing trade secrets by hiding secret recording devices in conference rooms at the Dearborn automaker’s headquarters, nicknamed the Glass House.
Court records that would explain why the FBI had probable cause to search Ford and the engineer’s home are sealed in federal court. The government’s lawyer on the case, Assistant U.S. Attorney Jonathan Tukel, heads the National Security Unit in Detroit, successfully prosecuted underwear bomber Umar Farouk Abdulmutallab and specializes in cases involving espionage, counter-terrorism and terrorism financing, among others.

Searching a Fortune 500 company’s world headquarters instead of issuing a subpoena is a rare step and could indicate investigators were worried about someone destroying evidence, said Peter Henning, a law professor at Wayne State University and a former federal prosecutor.
“If it’s an economic espionage case or trade secrets case, that rarely involves one individual,” Henning said. “So the concern is if you send a subpoena and ask for recording devices, those things can be erased.”
The U.S. Attorney’s Office and FBI declined comment Thursday.

Monday, July 21, 2014

Hidden network packet sniffer found in millions of iPhones, iPads

An analysis of iOS by a security expert digging into claims of the NSA spying on Apple products has revealed some unexplained surveillance tools hidden in the operating system.
His study has also shown that a user's data may not be as safe as Cupertino is making out.

Data forensics expert and author Jonathan Zdziarski wrote an academic paper on the topic in March, and gave a talk [PDF] at the Hackers On Planet Earth (HOPE X) conference in New York on Friday showing his findings. The results of his research indicate a backdoor into iOS, although it's not as wide open as some reports have suggested.
"There are certain steps that have to be taken to get this data," Zdziarski told The Register. "Backdoors are guarded, there are things protecting it – you don’t just type 'Joshua' for full access."
Zdziarski's analysis shows that 600 million iOS devices, particularly those running the most recent version 7 builds, have data discovery tools that are separate from those used by Apple for standard backup and storage. These include a file-relay service that can snoop out data, bypassing the Backup Encryption service offered by Apple.

Read more here.