Friday, August 1, 2014

Hackers Tap Into USB Devices, Evade All Known Security Protections

BOSTON (Reuters) - USB devices such as mice, keyboards and thumb-drives can be used to hack into personal computers in a potential new class of attacks that evade all known security protections, a top computer researcher revealed on Thursday.

Karsten Nohl, chief scientist with Berlin's SR Labs, noted that hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.

"You cannot tell where the virus came from. It is almost like a magic trick," said Nohl, whose research firm is known for uncovering major flaws in mobile phone technology.
The finding shows that bugs in software used to run tiny electronics components that are invisible to the average computer user can be extremely dangerous when hackers figure out how to exploit them. Security researchers have increasingly turned their attention to uncovering such flaws.

Thursday, July 31, 2014

5 Ways Boards Could Tackle Cybersecurity

A new handbook from National Association of Corporate Directors, titled Cyber-Risk Oversight, offers five principles to guide boards of directors in helping their organizations address IT security threats.
The NACD announced on July 29 the availability of the handbook, which was developed in collaboration with the Internet Security Alliance, a trade group, and insurer American International Group.

"As the intricacy of attacks increases, so does the risk they pose to corporations," says Mark Camillo, AIG's head of cyber products for the Americas region. "Conscientious and comprehensive oversight of cyber-risk at the board level is essential."

The handbook focuses on board-level cybersecurity oversight and is organized around five key principles:
  1. Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber-risks as they relate to their company's specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprisewide, cyber-risk management framework with adequate staffing and budget.
  5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach.

Wednesday, July 30, 2014

House Passes 3 Cybersecurity Bills

In what seemed to be a flashback to a more genial era in Congress, when compromise wasn't a dirty word, the House of Representatives passed a key cybersecurity bill, with its conservative Texas sponsor lauding the support for the measure from the liberal American Civil Liberties Union.

By voice votes on July 28, the House passed the National Cybersecurity and Critical Infrastructure Protection Act and two other cybersecurity measures. Next stop: the Senate.

On the floor, House Homeland Security Committee Chairman Mike McCaul, R-Texas, pointed out that business organizations and the ACLU, groups that often are at odds over legislation, supported the bill, with McCaul alluding to the ACLU's characterization of the bill as being pro security and pro privacy.

"Striking a balance between security and privacy, I believe, is one of the most difficult challenges in developing cybersecurity legislation, and I'm so very proud that this committee and this bill achieves that goal," McCaul said.

The bill, if enacted, would codify the National Cybersecurity and Communications Integration Center, an agency within the Department of Homeland Security that fosters real-time cyberthreat information sharing with critical infrastructure operators. It also would establish an equal partnership between industry and DHS, and ensure that DHS recognizes industry-led organizations to expedite critical infrastructure protection and incident response.

Friday, July 25, 2014

Listening devices found at Ford HQ

Detroit— The FBI searched Ford Motor Co.’s world headquarters while investigating one of the automaker’s engineers and seized listening devices, computers and financial records, according to search warrants obtained by The News on Thursday.

A lawyer for the mechanical engineer said Ford’s security team feared she was stealing trade secrets by hiding secret recording devices in conference rooms at the Dearborn automaker’s headquarters, nicknamed the Glass House.
Court records that would explain why the FBI had probable cause to search Ford and the engineer’s home are sealed in federal court. The government’s lawyer on the case, Assistant U.S. Attorney Jonathan Tukel, heads the National Security Unit in Detroit, successfully prosecuted underwear bomber Umar Farouk Abdulmutallab, and specializes in cases involving espionage, counter-terrorism and terrorism financing, among others.

Searching a Fortune 500 company’s world headquarters instead of issuing a subpoena is a rare step and could indicate investigators were worried about someone destroying evidence, said Peter Henning, a law professor at Wayne State University and a former federal prosecutor.
“If it’s an economic espionage case or trade secrets case, that rarely involves one individual,” Henning said. “So the concern is if you send a subpoena and ask for recording devices, those things can be erased.”
The U.S. Attorney’s Office and FBI declined comment Thursday.

Monday, July 21, 2014

Hidden network packet sniffer found in millions of iPhones, iPads

An analysis of iOS by a security expert digging into claims of the NSA spying on Apple products has revealed some unexplained surveillance tools hidden in the operating system.
His study has also shown that a user's data may not be as safe as Cupertino is making out.

Data forensics expert and author Jonathan Zdziarski wrote an academic paper on the topic in March, and gave a talk [PDF] at the Hackers On Planet Earth (HOPE X) conference in New York on Friday showing his findings. The results of his research indicate a backdoor into iOS, although it's not as wide open as some reports have suggested.
"There are certain steps that have to be taken to get this data," Zdziarski told The Register. "Backdoors are guarded, there are things protecting it – you don’t just type 'Joshua' for full access."
Zdziarski's analysis shows that 600 million iOS devices, particularly those running the most recent version 7 builds, have data discovery tools that are separate from those used by Apple for standard backup and storage. These include a file-relay service that can snoop out data, bypassing the Backup Encryption service offered by Apple.


Kerry caught on hot mic disparaging Israel

Secretary of State John Kerry was caught on a hot mic on Fox News Sunday apparently disparaging Israel’s claim to be conducting a “pinpoint” operation in Gaza.

Host Chris Wallace explained that while Kerry spoke with an aide between his interviews with multiple Sunday shows, a microphone picked up his rather candid remarks in what Wallace called an “extraordinary moment of diplomacy” about the violence there.

“It’s a hell of a pinpoint operation,” Kerry said. “It’s a hell of a pinpoint operation … We’ve got to get over there. Thank you, John. I think, John, we ought to go tonight. I think it’s crazy to be sitting around.”
Wallace asked him after playing the recording whether he was upset that the Israelis were going too far, and Kerry appeared to go into damage control mode.


Thursday, July 17, 2014

Former Hospital Worker Faces HIPAA Charges

Federal prosecutors in Texas have taken the relatively uncommon move of pursuing criminal charges against an individual for alleged HIPAA violations. The case serves as a reminder that healthcare workers can potentially face prison time and hefty monetary fines for wrongful disclosures of patient data.

The U.S. Department of Justice earlier this month announced the criminal indictment of Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas.

The indictment, which was filed on March 26 in the U.S. district court in Tyler, Texas, but was sealed until July 3, charges Hippler with wrongful disclosure of individually identifiable health information, with the intent to sell, transfer and use it for personal gain. The alleged criminal HIPAA violations began about Dec. 1, 2012, and continued through about Jan. 14, 2013, court documents say.
