A study shows that if the U.S. mandates backdoors to decrypt secret messages in order to help law enforcement, there would still be hundreds of alternative encryption products made outside the reach of U.S. law that terrorists and criminals could get their hands on.
“Smart criminals and terrorists will easily be able to switch to more secure alternatives,” is the conclusion drawn by the study “A Worldwide Survey of Encryption Products”. The authors were Internet security authority Bruce Schneier of Harvard’s Berkman Center for Internet and Society, independent security researcher Kathleen Seidel, and Saranya Vijayakumar, a Harvard student.
Israeli startup Indegy monitors devices on industrial control networks to detect when their configurations have changed as a way to know when the machines are compromised, an attack vector exploited by the Stuxnet worm that took down Iranian nuclear centrifuges. The company makes an appliance that attaches to span ports on the switches that industrial control devices are connected to. It monitors the control layers of the devices and the traffic they send over the network in order to discover changes.
Four Congressmen are proposing that states be forbidden to ask manufacturers to install encryption backdoors on their products outfitted with the technology.
U.S. Rep. Ted Lieu
The four filed a short bill this week that would bar states, or parts of states, from seeking alterations to products for the purpose of enabling surveillance of the user. It would also block them from seeking the ability to decrypt information that is otherwise unintelligible. The representatives filing the bill are Rep. Ted Lieu (D-Calif.), Rep. Blake Farenthold (R-Texas), Suzan DelBene (D-Wash.) and Mike Bishop (R-Mich.).
In response to mounting cyber attacks on federal networks, President Barack Obama is seeking $19 billion for cybersecurity, more than a 35% increase over last year’s spending, and calling for a federal CISO to oversee the upgrade of outdated and insecure cyber infrastructure. The number of information security incidents grew more than 11-fold between 2006 and 2014 to 67,168, and attacks from other countries have been on the rise.
Lawyers are embracing technology that makes them more efficient and less trapped in 100-hour work weeks but that also reduces the need for them in certain types of cases or turns their counsel into a commodity. These technologies and services include a Web platform that searches patents more quickly than lawyers can, an app to find flaws in contracts, low-cost access to ask legal questions and an arbitration network to keep from having to hire legal representation to go to small-claims court. Attorneys from across the country heard about these at the recent LegalTech conference, where some of the attendees indicated that the innovations could save money for law firms and even change their hiring practices by cutting the need for full-timers. One attorney joked that the innovations are disrupting the profession so much that he’ll be retiring early.
A hacker posted the names, phone numbers and other details about 9,000 Department of Homeland Security employees and says he will post 20,000 similar records about FBI workers. He claims to have records that include military emails and credit card numbers, according to a published report. Today the hacker posted the details on Twitter along with a screenshot of a warning page allegedly from a Department of Justice computer (shown above). Motherboard writer Joseph Cox writes that on Sunday he received the stolen personal data, some of which came from a single Department of Justice computer hacked using a compromised email account and social engineering.
Startup PatternEx, with roots in MIT’s artificial intelligence lab, is launching a security platform it says employs artificial intelligence by learning from input it gets from human security analysts about the data exfiltration and bank fraud incidents that it flags. It monitors firewall logs and traffic in and out of the network and alerts customer analysts to suspicious traffic that might represent malware connecting to command and control servers or transferring data out of the network, says PatternEx CEO Uday Veeramachaneni, a co-founder of the company. The AI engine is fed information about how the analyst responds to each notification, and the algorithm running it incorporates that input into refining its predictive model of how the analyst will react. That way, over time, it sends fewer false positives, Veeramachaneni says.
Of interest to the CIA
The CIA has been investing in startups since 1999 through its not-for-profit arm called In-Q-Tel, hoping to accelerate development of technologies the agency might find useful. It currently lists about 100 firms in its portfolio. The agency doesn’t say why it might be interested in the technologies these companies represent, but with a little imagination it’s not that hard to figure out possibilities. Here is a sample of what they’ve been interested in lately.
Presidential candidate Gov. John Kasich thinks granting encryption backdoors is something that ought to be worked out in private by the president. During the Republican presidential debate last night the Ohio governor responded to a question about whether cryptographic experts were wrong when they say opening up secret messages to third-party decryption would cause more problems than it would solve.
“Well, look, the Joint Terrorism Task Force needs resources and tools,” he said, “and those are made up of the FBI, state and local law enforcement. And … it's best not to talk anymore about back doors and encryption, it will get solved, but it needs to be solved in the situation room of the White House with the technology folks.”
UpGuard analyzes data about the state of corporate networks to devise a single numerical score that gives a quick sense of security risk, a number that could be used by insurance companies to set premiums for cyber insurance. The UpGuard platform includes a scanner that evaluates the exposure of publicly facing Web interfaces and determines the risk of breaches. This is augmented by analysis of data about the internal network from sources including existing security platforms and software services, via APIs or from Windows Remote Management. That is rolled up into a number – the Cybersecurity Threat Assessment Report (CSTAR) – that capsulizes how vulnerable a network is to attacks, the company says. In addition to the number, the platform enables drilling down into the weaknesses it has found so customers can take remedial action.
Startup SafeBreach automatically assesses corporate networks to find out whether they offer up enough security loopholes for real-world attacks to succeed. Using software probes called simulators distributed throughout customers’ networks, SafeBreach attempts to establish connections among devices and network segments just as a hacker would do in trying to carry out malicious activity. These automated attempts are driven by the Hacker’s Playbook, a SafeBreach library of known attack methods that the simulators try in order to discover weaknesses and reveal how these vulnerabilities might be exploited to carry out successful breaches.
So simulators might find individual weaknesses in a desktop Internet connection, a credit card database and a management platform that could be strung together to nab customer credit card data. This would be reported on a single screen.
Startup Cybric is working on a cloud-based platform to help businesses find out about breaches quickly and clean them up as fast as possible. It will do that with its platform, Continuous Security Delivery Fabric, which creates a clone of network elements in its cloud and runs tests against them looking for vulnerabilities. Because the work is done in the cloud, it doesn’t slow down or interfere with the business’s production network, the company says. Because multiple tests can be run in parallel in the cloud, the time it takes to find vulnerabilities is reduced, the company says. Alternatively, customers can run the Continuous Security Delivery Fabric on premises.
The U.S. took its encryption argument international last week, with Attorney General Loretta Lynch telling the World Economic Forum that it doesn’t want to put security backdoors into encrypted communications, it just wants vendors and service providers to decrypt when ordered to by a court. That ignores the facts that vendors and providers can’t decrypt unless there is a backdoor of some sort, and that any backdoor undermines the security and therefore the value of encryption. It’s a case of the Department of Justice – via Lynch and FBI Director James Comey – trying to steer clear, at least technically, of demanding backdoors, but it’s all a semantic game. Earlier, Comey stopped using the term backdoor and asked for front-door access to decryption instead. Backdoor had become too much of a flashpoint, even though a front door is exactly the same as a backdoor from a technology standpoint.
Authentication/identity-protection startup Trusona has enlisted the help of former identity thief Frank Abagnale -- the subject of the movie “Catch Me if You Can” -- to advise as it prepares to market what it claims to be an unbreakable cloud platform to make sure imposters don’t log in.
Frank Abagnale
Abagnale, now a security consultant, has helped out Trusona’s founder and CEO Ori Eisen before with his previous venture, ad-tracking and fraud prevention firm 41st Parameter, which was bought by Experian in 2013.
Raytheon has given a name to the enterprise security business it has been piecing together for the past few years: Forcepoint. The new entity that it is spinning out rolls up Raytheon Cyber Products, Websense (which the company bought an 80% share in last year), and next generation firewall vendor Stonesoft, which Raytheon agreed to buy last fall and now owns. Forcepoint says its plan is to continue integrating products from the three entities so it can offer a range of protections including Web, email and endpoint security, data loss protection, firewalling and analytics, all under one cloud-based umbrella. Raytheon’s history supplying products to the Department of Defense demonstrates its broad expertise that could be transferred to mainstream enterprises, says Chris Christiansen, an analyst with IDC. “It remains to be seen what they do with integrating products, how they leverage their government experience, whether they can expand out,” to general enterprises, he says.
The Islamic State is deploying its own encrypted communications app for Android, an eventuality predicted by experts who oppose efforts of governments to require encryption backdoors so they can find out what criminals are saying to each other. The app, called lrawi.apk, employs what is described as rudimentary encryption and was available for download last month on a Web site where Islamic State supporters could download it and another app for distributing propaganda, according to a story posted by Defense One. The creation of such an encryption app has been considered a likely outcome of laws being proposed internationally requiring backdoors that would allow service providers to fulfill court orders to decrypt private communications of their customers.
After a stint focusing on the Netherlands, a group using the Rovnix Trojan has updated it and repackaged it to steal from the bank accounts of victims in Japan, according to IBM X-Force. The malware in this exploit, which has persisted in various forms for about five years, has been augmented to avoid being detected, dodge bank security and convincingly mimic bank websites, says Etay Maor, a senior cybersecurity strategist for IBM. It’s pretty clear from the malware samples IBM X-Force has examined that the Rovnix group in question studied Japanese banks closely and came up with a user interface that closely mimics those of specific banking sites. It’s not just a generic key-logger that steals information and hopes for the best, Maor says.
After scrutinizing the two operating systems that run its networking and security products, Juniper Networks gives them both a clean bill of health, but it plans to replace a part of one that was exploited by unknown parties to undermine its Netscreen security gear. Juniper revealed last month that it had found two flaws in its ScreenOS operating system and patched them, but now it plans to patch one of them again to make the security of the operating system stronger, according to a Juniper blog.
Microsoft, Google and Facebook are urging U.K. officials not to undermine encryption as they work on laws that would authorize forcing communications service providers to decrypt customer traffic. In a joint written submission to the U.K. Parliament, the three U.S.-based companies lay down several areas of concern which, if not addressed, they say could damage their businesses and leave them caught in legal crossfires among the many countries where they do business.