Federal Government Developing Incentives For Private Cybersecurity Investment.  The Administration’s cybersecurity coordinator, Michael Daniel, on Tuesday announced on a blogpost that the Federal government has been exploring various incentives to offer private companies in order to boost investment in cybersecurity. Spearheaded by the Department of Homeland Security, the effort is part of President Obama’s February cybersecurity executive order issued earlier this year. 

FBI’s Use Of Internet Surveillance Raises Privacy Concerns.  From NBC News Online (8/7):  The FBI’s use of malware and spyware to sabotage suspected terrorists and child pornographers, including programs operated by the Remote Operations Unit and Remote Assistance Team, is “drawing attention in the wake of disclosures about the domestic online surveillance of Americans.” The FBI did not respond to a request for comment on Monday. Mark Rasch, former head of the Justice Department’s Computer Crimes Unit, explained, though, that the FBI’s hackers “make ‘critters’ — malware, a bug, virus, a worm — that can infect the computer, the cellphone ... any kind of communication device.” Rasch noted that the FBI uses court-approved warrants or wiretap orders before conducting surveillance, however. 

Report: Federal Agencies Need Better Approach To Electronic Record Preservation.  From Federal Computer Week (8/6): “Federal agencies are taking an inconsistent approach to preserving official emails and other electronic records,” due, in part, to “a disconnect between the agency officers in charge of complying with NARA directives and the IT personnel who design agency information systems.” The report, which was based on the self-assessments of 241 government entities, found that “some of the highest risk respondents include the National Geospatial Intelligence Agency,” among others, while the US Secret Service and top-level operations at the State Department received perfect scores. FCW notes that the report “comes as agencies face deadlines for electronic records management under a 2012 directive from the Office of Management and Budget and NARA” that requires agencies “to develop plans to begin the transition to the electronic management of digital records.” 

Windows Phones Susceptible to Password Theft When Connecting to Rogue Wi-Fi. From Ars Technica (8/5):  Microsoft has warned users that smartphones running the Windows Phone operating system are vulnerable to a type of attack that allows attackers to recover a phone's encrypted domain credentials when it connects to a rogue Wi-Fi access point. The vulnerability is related to the Wi-Fi authentication scheme known as PEAP-MS-CHAPv2. According to Microsoft, attackers could exploit weaknesses in the MS-CHAPv2 cryptographic protocol and decrypt data. This attack appears to build on an attack devised by researchers against the MS-CHAPv2 cryptographic scheme around a year ago that showed how easy it was to break the encryption, which is used by hundreds of anonymity and security services. Microsoft has indicated that it does not plan to release an update that will patch this vulnerability, and has instead recommended that users require a certificate verifying a wireless access point before starting an authentication process from Windows Phone 8 devices. The advisory provides instructions on how to configure a Windows Phone to have this requirement, and also suggests the Wi-Fi connectivity should be turned off when not actively in use. 

Researchers Demo Exploits That Bypass Windows 8 Secure Boot. From IDG News Service (8/1): A team of researchers at the recent Black Hat USA security conference demonstrated two attacks that circumvented the Windows 8 Secure Boot mechanism in order to install a Unified Extensible Firmware Interface (UEFI) bootkit on compromised computers. Secure Boot is a feature of the UEFI specification that only lets software components with trusted digital signatures be loaded during the boot sequence. It was intended specifically to keep bootkits and other malware from compromising the boot process. The researchers say the exploits they presented at Black Hat are possible due to UEFI implementation errors made by platform vendors, and not because of flaws in Secure Boot itself. The first exploit works because certain vendors do not properly secure their firmware, giving an attacker the opportunity to modify the code responsible for enforcing Secure Boot. The second attack can run in user mode, which means an attacker would only need to acquire code execution rights on the system by exploiting a flaw in a regular application such as Java, Adobe Flash, Microsoft Office, or others. 

Internet Watch Foundation Says Hackers Hid Child Pornography on Legitimate Business Sites. From the Internet Watch Foundation (8/5): The Internet Watch Foundation (IWF) says that hackers have broken into legitimate business websites and used them to host images of child pornography. IWF has received more than 200 reports of such activity in the last six weeks. In at least one case, attackers created "orphan folders" on the targeted site, and then filled the folder with offensive, illegal images. Hackers have also allegedly rigged legitimate pornography sites to redirect users to the images they had hidden on other sites. 

Freedom Hosting Servers Disappeared From Internet Following Man's Arrest.  From the Internet Watch Foundation (8/4-5):    Following the arrest of an Irish man in connection with alleged distribution of child pornography, "a large number of hidden service addresses ... disappeared from the TOR Network." The man, Eric Eoin Marques, appeared in court in Ireland last week in connection with an extradition request from the US. The FBI alleges that Marques is "the largest facilitator of child porn on the planet." He is also believed to run Freedom Hosting, which, while it uses TOR technology, is not associated with the TOR Project. 

Freedom Hosting Servers Were Infected with Malware.  From the Internet Watch Foundation (8/5):  It appears that Freedom Hosting's servers were breached and infected with malware before they went offline. Those responsible for the malware may have used an unpatched hole in Firefox 17, on which the Tor browser is based. People trying to visit sites hosted by Freedom Hosting found "Down for Maintenance" notices. If those users had JavaScript enabled, their machines were infected with malware that looks up MAC addresses and Windows hostnames and sends that information to a server in Virginia. There has been speculation that the FBI is responsible. 

Another Malicious Android App Found.  From the Internet Watch Foundation (8/5):  Another malicious app for devices running Google's Android OS has been detected. This app disguises itself as an update for an online banking app for NH Nonghyup Bank, a major South Korean financial institution.

The app, like other malicious Android apps recently detected, exploits a master key vulnerability in the OS that allows malicious code to be injected into an app without invalidating the app's digital signature. Google's app verification tool for Android 4.2 flags apps that exploit this vulnerability. 
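The master key bug referred to above stems from an APK (a ZIP archive) carrying two entries with the same name: the signature verifier checked one copy while the installer loaded the other. The following check for that pattern is an added example, not code from the original digest or from Google's verification tool; the archive it inspects is constructed inline and is not a real app.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name listed more than once in the
    archive's central directory. A signed APK should never have duplicates:
    one copy is what the signature covers, the other is what gets loaded."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        # infolist() keeps every central-directory record, duplicates included;
        # namelist()/NameToInfo would silently collapse them to one entry.
        counts = Counter(info.filename for info in z.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def build_sample_apk(duplicate_dex: bool) -> bytes:
    """Constructed sample archive (not a real app). With duplicate_dex=True it
    carries a second 'classes.dex' entry, the shape the master key bug abuses."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names but writes them
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("AndroidManifest.xml", b"<manifest/>")
            z.writestr("classes.dex", b"dex\n035 original code")
            # Placeholder digest line: constructed, not a real signature file.
            z.writestr("META-INF/MANIFEST.MF", b"Name: classes.dex\nSHA1-Digest: PLACEHOLDER\n")
            if duplicate_dex:
                z.writestr("classes.dex", b"dex\n035 injected code")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("duplicate dex" if flag else "clean", "->", duplicate_entries(build_sample_apk(flag)))
```

Any non-empty result is grounds to reject the package before installation, regardless of whether the signature itself verifies.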

JavaScript Could be Used to Create Distributed File Storage System.   From the Internet Watch Foundation (8/5):  A demonstration at Defcon last weekend showed how hackers could place JavaScript into users' browsers without their knowledge to create a distributed file storage system. The system, dubbed HiveMind, uses technologies like HTML5 WebSockets and Web Storage that legitimate web apps use. Because HiveMind does not use malicious exploits, there is nothing to patch to prevent computers from becoming infected, although tricking people's browsers into loading JavaScript and storing data on people's computers is not exactly above-board. 

DHS Warns of BREACH Vulnerability in Compressed HTTPS.  From the Internet Watch Foundation (8/5):   The US Department of Homeland Security (DHS) has issued an advisory urging website operators to check if their HTTPS traffic is susceptible to a recently disclosed attack that could be used to steal sensitive information, such as login tokens and session ID numbers. The hack is being called BREACH, an acronym for browser reconnaissance and exfiltration via adaptive compression of hypertext. All versions of TLS and SSL are vulnerable to the attack. Hackers using the attack would need to have "access to passively monitor the target's Internet traffic."  
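The advisory's "check if your HTTPS traffic is susceptible" comes down to three conditions: the response is compressed, it contains a secret, and it reflects something the requester controls. The example below is added here and is not code from the advisory or the BREACH researchers; it builds a constructed page with a made-up token, shows with zlib why the compressed length of the page reveals which guess extends the secret, and then shows the per-response masking that removes the signal. The template text, token value and function names are all assumptions made for the demonstration.

```python
import os
import zlib

# Constructed sample page: a per-session token sits in a logout link and the
# user's search string is reflected further down in the same response body.
SECRET = "7f3a9c21d4"  # constructed value, not a real token

TEMPLATE = (
    '<html><body><ul><li><a href="/inbox">Inbox</a></li>'
    '<li><a href="/inbox/sent">Sent</a></li>'
    '<li><a href="/inbox/drafts">Drafts</a></li>'
    '<li><a href="/inbox/spam">Spam</a></li></ul>'
    '<a href="/logout?csrf={token}">Log out</a>'
    '<p>No results for: {query}</p></body></html>'
)

def render(query: str, token: str = SECRET) -> str:
    return TEMPLATE.format(token=token, query=query)

def compressed_len(body: str) -> int:
    """DEFLATE size of a response body. Fixed Huffman codes are forced so that
    one extra literal costs exactly one byte; real servers use dynamic codes,
    which add noise to the measurement but do not remove the signal."""
    comp = zlib.compressobj(6, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(comp.compress(body.encode()) + comp.flush())

def length_scores(known_prefix: str, alphabet: str = "0123456789abcdef") -> dict:
    """Compressed page length when the reflected input is 'csrf=' + known
    prefix + one candidate character. The candidate matching the real token
    extends the LZ77 back-reference by one byte, so it compresses smaller."""
    return {c: compressed_len(render("csrf=" + known_prefix + c)) for c in alphabet}

def best_guess(known_prefix: str = "") -> str:
    scores = length_scores(known_prefix)
    return min(scores, key=scores.get)

def mask_token(token: str) -> str:
    """Mitigation: XOR the token with a fresh random pad on every response and
    emit pad || masked. The literal token never appears in the body, so no
    reflected guess can share a back-reference with it."""
    raw = token.encode()
    pad = os.urandom(len(raw))
    masked = bytes(p ^ b for p, b in zip(pad, raw))
    return pad.hex() + masked.hex()

def unmask_token(value: str) -> str:
    """Server-side reverse of mask_token when the masked value is submitted."""
    blob = bytes.fromhex(value)
    half = len(blob) // 2
    return bytes(p ^ b for p, b in zip(blob[:half], blob[half:])).decode()
```

Disabling HTTP compression on responses that carry secrets, or refusing to reflect request data into them, removes the remaining two conditions.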

ChronoPay Owner Gets Prison Sentence for Hiring Botnet Attack on Rival Site. From the Internet Watch Foundation (8/2): ChronoPay owner Pavel Vrublevsky has been sentenced to 30 months in prison for hiring botnet operators to launch an attack on a rival payment processing company. Vrublevsky was found guilty of paying brothers Igor and Dmitri Artimovich US $20,000 to launch an attack on Assist, which, according to prosecutors, prevented Aeroflot from being able to sell tickets for several days. The Artimovich brothers have also received 30-month prison sentences.