Posts Tagged IT security info

Should CIOs Hire Cyber Pinkertons?

If a cyber war breaks out, what’s a CIO to do?

Prepare for cyber bombings? Get off the Internet and avoid the virtual front? Let the government step in and take over cyber defense for private networks? Hire Pinkerton-style paramilitaries to go out and crack cyber skulls?

These are some of the questions raised in a recent talk about cyber war and civil liberties given at Harvard’s Berkman Center for Internet Society by Timothy H. Edgar, the first White House director of privacy and civil liberties.


Edgar told a crowded room that we are not in a cyber war, at least not now. But some would consider Stuxnet an act of war — although the U.S. does not. And what company wouldn’t want a little help staving off Anonymous?


“In some ways … we are in a September 10th moment,” said Edgar. “The intelligence community is screaming that we have problems and we need to do something about it.”

Edgar argued that as attacks from all sorts of sources have increased, the U.S. government is increasingly concerned with protecting computer networks, particularly those at companies involved with critical infrastructure. But security concerns must be balanced with expectations of privacy that are a basis of our democracy, and also with the need to maintain a competitive economy.

“How are we going to maintain a free Internet with personal privacy?” Edgar asked. “Will we destroy the Internet to try to save it?”

Rearchitecting the Internet to make it more secure would likely disrupt some of the things that have made the Internet popular and commercially useful.

He pointed out that although President Obama has said the government won’t dictate security standards to private companies, and won’t monitor private sector networks and Internet traffic, it is already doing so. “What I take this promise to mean is we will not have a comprehensive Internet monitoring program to use cyber security to do programmatic monitoring of all kinds,” Edgar said.

CIOs can help themselves by adopting technologies such as private information retrieval, a cryptography technique that will let a company give limited access to records in its databases.

Edgar also says CIOs in firms considered part of the U.S.’s critical infrastructure need to expect that they will be asked, or possibly told, to adopt the Einstein intrusion detection system.


“The pros would be a central command and control structure, access to the latest technology (ideally), and it’s funded by the taxpayers rather than each company,” said a cyber security special agent at the Department of Defense, who asked that his name not be used. CIOs would likely gain access to classified intelligence on geopolitical threats that could enrich understanding about certain markets. They would be less likely to run into international incidents, and if they chose to respond to an attack, they would have federal blessing.

The drawbacks, he said, could include 24/7 government attention, limited threat data sharing — because the government doesn’t need to share if it’s doing the protecting — more intimate knowledge of your specific corporate network, and the potential that the government might make mistakes that damage corporate bottom lines.

CIOs also should be aware of the NIST Cybersecurity Framework (http://www.nist.gov/itl/cyberframework.cfm), and be prepared to adopt its best-practices recommendations, he said.

A CIO could argue that the government can’t protect itself, so how will it protect the rest of us?

But does that mean CIOs should prepare to go on the offensive? In the physical world, it would be unthinkable. But Edgar says cyber law is a greyer area. The U.S. itself has declined to sign treaties that ban cyber weapons. And what would they ban? Social networks are seen by some governments as destabilizing forces.

Edgar thinks some companies could decide to go on the offensive in their own right, particularly multinationals, whose personnel outside the U.S. might be exempt from U.S. anti-hacking laws.

“A lot of companies aren’t going to go there,” he said. But he told InformationWeek that companies could certainly hire their own cyber-Pinkertons, who could have the freedom to try to take down cyber attackers.

Of course, doing so could land CIOs in the middle of an international incident, if they go after a cyber attacker that turns out to be part of a foreign government. The same holds true for CIOs overseas, who could find themselves engaged with U.S. cyber forces.

It’s a complicated issue. CIOs need to know the terms of engagement.


Article source: http://feeds.informationweek.com/click.phdo?i=9f11e28ea9128b54df0fbb2b5ff9896a


APT Attacks Trace To India, Researcher Says


A multi-year advanced persistent threat (APT) campaign that targeted the government of Pakistan, as well as global businesses operating in mining, automotive, engineering, military and finance sectors, among others, appears to have been run from India. Organizations targeted for industrial espionage were located in numerous countries, including the United States, Iran, China and Germany.

Those findings come from “Unveiling an Indian Cyberattack Infrastructure,” a new report from Norwegian security software vendor Norman that documents an APT campaign that began in 2010, if not earlier. According to the report, the APT campaign and related, malicious infrastructure has served “primarily as a platform for surveillance against targets of national security interest that are mostly based in Pakistan and possibly in the United States.”

Report co-author Snorre Fagerland, a principal security researcher in the Malware Detection Team at Norman Shark in Norway, said in an interview: “What we found surprised us a little bit, because we started out anticipating the Chinese, but the indicators we found pointed toward India.”


Researchers also found multiple references to Appin, an Indian information security software vendor and “ethical hacking” training company. References included “appin” and “appinbot” in “cleartext project and debug path strings,” according to Norman’s report, and some domains used in the APT attacks appeared to have been registered with a corporate Appin email address before being hidden.

Norman’s report said the Appin name-dropping is no smoking gun. “Maybe someone has tried to hurt Appin by falsifying evidence to implicate them,” said the report. “Maybe some rogue agent within Appin Security Group is involved, or maybe there are other explanations.” But Adam Meyers, director of intelligence at CrowdStrike, told DarkReading: “I think it is highly unlikely Appin is not involved.”

Contacted for comment, a spokesman for Appin in New Delhi strongly dismissed any suggestion that his company was connected with the APT campaign. “The Appin Security Group is no manner connected or involved with the activities as sought to be implied in the alleged report,” he said in an emailed statement. “The reference to Appin Security Group in the report is malafide and made purely with an intention to slur the good name of Appin Security Group in the industry.”

This isn’t Norman’s first foray into malware research. In Nov. 2012, the company discovered an unrelated, botnet-driven malware espionage campaign focused on Middle Eastern targets in Israel and Palestine.

Norman undertook a similar investigation — on its own initiative — after Norwegian telecommunications company Telenor reported experiencing a network breach on March 17, 2013. “We arrived at the conclusion that Telenor was not an isolated case, but part of a much larger attack pattern emanating from India,” said Fagerland in a related blog post. “This conclusion is backed up by indicators found in malware, similar related cases, domain registrations, hosting details and other available data from our own extensive dataset as well as public data.”

The APT attackers chiefly employed spear-phishing emails to compromise targets. Some emails tried to trick recipients into opening attached, malicious documents that attempted to exploit known vulnerabilities. Other emails included a link to a website designed to launch a phishing attack. According to Norman, no watering hole attacks have been seen.

The APT campaign is sizeable: more than 600 domains have been spotted and over 800 samples of malware — some customized for specific targets — recovered. “As far as I know, this is one of the largest command and control infrastructures I’ve seen by any APT group, certainly outside of China,” said Fagerland. Norman’s report said all signs point to the campaign being “conducted by private threat actors with no evidence of state sponsorship.”

Malware developers used relatively simple development tools and techniques, and outsourced some work to freelancers, for example via the Elance virtual marketplace. “I like the use of Elance for tool development. Way to keep those costs down,” the Bangkok-based vulnerability buyer and seller known as “the Grugq” said via Twitter.

Furthermore, “the attackers were not very good at covering their tracks,” said Fagerland. “We found for example several open drop folders where they had uploaded stolen data.” Attackers often left their project management notes behind too. “Curiously, many of the executables we uncovered from related cases contained cleartext project and debug path strings,” according to the report. “It is not very common to find malware with debug paths, but these particular threat actors did not seem to mind leaving such telltale signs, or maybe they were unaware of their presence.” Language used in the project notes further suggests that at least some of the project team was Indian.
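The cleartext debug paths the report describes are CodeView records that the compiler leaves inside a PE file, and they are exactly the kind of indicator an analyst carves out of a sample set to pivot on. The following is an added example, not code from Norman’s report: it carves `RSDS` (PDB 7.0) and `NB10` (PDB 2.0) records from raw bytes, strips generic build-tree noise from the path, and groups samples by the user and project names that remain. The sample blobs, GUIDs and the `exampleproject` path are constructed for the demonstration.

```python
from __future__ import annotations

import re
import struct
import uuid
from dataclasses import dataclass

# CodeView records as they appear in a PE's debug data:
#   "RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path  (PDB 7.0)
#   "NB10" + 4-byte offset + 4-byte timestamp + 4-byte age + path (PDB 2.0)
_PATH_RE = re.compile(rb"[\x20-\x7e]{1,512}\x00")  # printable ASCII, NUL-terminated
_DRIVE_RE = re.compile(r"^[a-z]:$")
# Directory names that say nothing about who built the binary.
_PATH_NOISE = {
    "users", "documents", "my documents", "desktop", "projects", "source", "src",
    "release", "debug", "bin", "obj", "x86", "x64", "visual studio 2008",
    "visual studio 2010",
}


@dataclass
class DebugRecord:
    fmt: str            # "RSDS" or "NB10"
    guid: str | None    # only RSDS records carry a GUID
    age: int
    path: str


def carve_codeview_records(data: bytes) -> list[DebugRecord]:
    """Scan a raw binary for CodeView records and return those with a .pdb path."""
    found: list[DebugRecord] = []
    for m in re.finditer(rb"RSDS|NB10", data):
        off = m.start()
        if data[off:off + 4] == b"RSDS":
            if len(data) < off + 24:
                continue
            guid = str(uuid.UUID(bytes_le=data[off + 4:off + 20]))
            age = struct.unpack_from("<I", data, off + 20)[0]
            path_off = off + 24
        else:
            if len(data) < off + 16:
                continue
            guid = None
            age = struct.unpack_from("<I", data, off + 12)[0]
            path_off = off + 16
        pm = _PATH_RE.match(data, path_off)
        if not pm:
            continue
        path = pm.group()[:-1].decode("ascii")
        if not path.lower().endswith(".pdb"):
            continue  # a stray signature, not a debug record
        found.append(DebugRecord(data[off:off + 4].decode(), guid, age, path))
    return found


def path_tokens(path: str) -> list[str]:
    """Lowercase the path components and drop drive letters and build noise,
    leaving user names, project names and binary names to pivot on."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p]
    if parts and parts[-1].endswith(".pdb"):
        parts[-1] = parts[-1][:-4]
    return [p for p in parts if p not in _PATH_NOISE and not _DRIVE_RE.match(p)]


def cluster_by_tokens(samples: dict[str, bytes]) -> dict[str, set[str]]:
    """Map each pivot token to the set of sample names whose PDB path contains it."""
    index: dict[str, set[str]] = {}
    for name, blob in samples.items():
        for rec in carve_codeview_records(blob):
            for tok in path_tokens(rec.path):
                index.setdefault(tok, set()).add(name)
    return index


def _rsds_blob(path: bytes, guid: uuid.UUID, age: int) -> bytes:
    """Build a constructed stand-in for a PE fragment containing an RSDS record."""
    return (b"MZ" + b"\x90" * 40 + b"RSDS" + guid.bytes_le
            + struct.pack("<I", age) + path + b"\x00" + b"\x00" * 8)


# Constructed samples (hypothetical names and paths, not indicators from the report).
SAMPLES = {
    "sample_a.exe": _rsds_blob(
        rb"C:\Users\devbox\Documents\Visual Studio 2010\Projects\exampleproject\Release\dropper.pdb",
        uuid.UUID(int=1), 3),
    "sample_b.exe": _rsds_blob(
        rb"D:\work\exampleproject\updater\Release\upd.pdb", uuid.UUID(int=2), 1),
    "sample_c.exe": (b"MZ" + b"\x00" * 32 + b"NB10" + struct.pack("<III", 0, 0x4F000000, 1)
                     + rb"C:\unrelated\tool\Release\tool.pdb" + b"\x00"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        for rec in carve_codeview_records(blob):
            print(f"{name}: {rec.fmt} age={rec.age} guid={rec.guid} path={rec.path}")
    for tok, names in sorted(cluster_by_tokens(SAMPLES).items()):
        if len(names) > 1:
            print(f"shared token {tok!r}: {sorted(names)}")
```

Tokens shared by more than one sample (here `exampleproject`) are the ones worth pivoting on across a corpus; a token that appears in a single sample is just that sample’s build path.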

Fagerland said that a report published last week by ESET malware researcher Jean-Ian Boutin, describing an APT campaign that appeared to be targeting Pakistan, was part of the APT campaign analyzed in Norman’s report. ESET likewise ascribed the attack to India based on numerous fronts, including the hours worked by attackers and reference to “Ramu Kaka,” which “is a typical Bollywood-style servant in a house,” according to Boutin. “Considering that this variable is responsible for achieving persistence on the system, this definition is a good fit.”

Norman’s researchers found that the command-and-control infrastructure used by the APT attackers was used to target the Chicago Mercantile Exchange, which publicly reported that a failed phishing attempt had been launched against it. The malicious infrastructure was also used to infect an Angolan activist’s OS X systems with a Trojan backdoor, which wasn’t discovered until the activist attended last week’s Oslo Freedom Forum, according to a blog post from Sean Sullivan, security advisor at F-Secure Labs, which is analyzing the malware. Sullivan said the malware was signed with a legitimate Apple developer ID in the name of “Rajinder Kumar.”

What can be deduced from the finding that the same attack infrastructure used against Pakistan government targets was also used to infect an Angolan activist’s Mac with a backdoor Trojan? “That’s an interesting side branch of this operation,” said Fagerland. It suggests the botnet’s controllers “could be hiring out the infrastructure to other attackers,” or offering targeted attacks as a service.

Norman shared its findings with Norwegian law enforcement agencies in advance of releasing its report. Although the timing may be coincidental, attackers’ behavior has since changed. “We have reason to believe that at least some information from this report was known to some people in India some time ago, and since then, some things have changed,” said Fagerland. “Whole branches of this command and control infrastructure have gone silent.”

But he said that the timing could just be a coincidence.


Article source: http://feeds.informationweek.com/click.phdo?i=5380de15bcc7607acc99e41b6f56b110


Amazon Cloud Gets Federal Stamp Of Approval

Amazon Web Services has passed the federal government’s FedRAMP cloud security assessment, making it one of the first commercial cloud providers to be certified for no-fuss adoption across government.

Amazon announced Tuesday that it has received “authority to operate,” essentially a green light to offer its services, under the Federal Risk and Authorization Management Program, or FedRAMP. Uncle Sam launched FedRAMP in 2010 to streamline the process of determining whether cloud services meet federal security requirements. In December 2012, Autonomic Resources LLC became the first cloud vendor to be approved under the program.

FedRAMP was created through a joint effort by the General Services Administration, National Institute of Standards and Technology, Department of Homeland Security, Department of Defense, National Security Agency, Office of Management and Budget and the federal CIO Council. Cloud service providers must be sponsored by a federal agency to be considered for FedRAMP.

The U.S. Department of Health and Human Services served as the sponsoring agency for AWS. Kevin Charest, HHS’s chief information security officer, said in a statement that all HHS operating divisions can now use AWS with minimal duplication in vetting Amazon’s cloud security.


Amazon VP Teresa Carlson said in an interview that cloud security authorization for federal agencies, which had been a months-long process, is now a check-box exercise for them. “Now they don’t have to go through all of those evaluations on their own,” she said.

Amazon launched a version of its cloud services for government agencies, called GovCloud, in 2011. It’s one of nine AWS regions, or “availability zones.” GovCloud meets the requirements of the International Traffic in Arms Regulations (ITAR), which govern the export and import of defense-related information and services. In keeping with those rules, GovCloud servers are housed in the U.S. and can only be accessed by U.S. citizens or permanent residents.

Cloud service adoption is growing rapidly in government, fueled by a policy from the White House’s Office of Management and Budget that encourages agencies to steer toward IT services in lieu of on-premises hardware and software where possible. More than 500 government agencies around the world, including about 300 in the U.S., now use AWS. They include NASA’s Jet Propulsion Laboratory and the departments of Agriculture, State and Treasury.

Carlson said that U.S. intelligence agencies are among Amazon’s federal customers, but she declined to confirm reports earlier this year that Amazon had reached a deal to provide a private cloud to the CIA.

Amazon’s FedRAMP approval applies to “moderate impact” data, as defined by the Federal Information Security Management Act (FISMA). Carlson said about 80% of government workloads fall into the low or moderate FISMA categories.

Federal, state and local government agencies can access most of the same cloud services on GovCloud — Elastic Compute Cloud, Simple Storage Service, Virtual Private Cloud and others — as businesses do in Amazon’s other cloud zones. That includes using Amazon’s spot instances capability, which lets agencies bid on unused virtual resources that are put up for auction by other customers.

Mark Ryland, chief solutions architect for Amazon’s public sector team, said that agencies save, on average, 86% using spot instances, compared to Amazon’s standard pricing. A typical usage scenario for spot instances is large-scale parallel processing.


Article source: http://feeds.informationweek.com/click.phdo?i=7a3128954da41e39f3575ca7487de187


Anonymous Threatens Gitmo, U.S. Locks Down Wi-Fi



A threat by the Anonymous hacktivist collective has led to all Wi-Fi communications at the Guantanamo Bay Naval Base in Cuba being disabled.

Army Lt. Col. Samuel House told the Associated Press that disabling the Wi-Fi across the base was a preventive measure, designed to address a threatened disruption by Anonymous. Authorities at the base also blocked all access to Facebook, Twitter and other social media services.

“You shut the Wi-Fi down in GTMO, we will shutdown Guantanamo,” read a subsequent post to the Crypt0nymous News Network’s Facebook page.

The initial threat arrived earlier this month, with Anonymous announcing via Pastebin that “#OpGTMO” would run from May 17 to May 19. It also detailed a related “Twitter Storm package,” urging people to flood Twitter with related messages using preset hashtags, as well as “phonebomb” their senators and representatives.

“We, the people and Anonymous, will not allow the most expensive prison on earth to be run without any respect for international laws,” read an Anonymous press release, referring to the Guantanamo Bay detention camp. “We stand in solidarity with the Guantanamo hunger strikers. We will shut down Guantanamo.”


The Anonymous operation was meant to highlight the 100th day of a hunger strike being held at the base by prisoners protesting their length of incarceration, as well as conditions at the base. According to news reports, as of Monday, 103 of 166 prisoners at the base were continuing a hunger strike.

It’s not clear whether the Army’s disabling of all Wi-Fi on Guantanamo was itself the disruption that Anonymous intended.

The threats from Anonymous aren’t the first information security concerns to confront Guantanamo Bay Naval Base. Last month, a Guantanamo war court judge ordered pretrial hearings to be delayed after defense attorneys reported that since February, key documents had gone missing from their systems and prosecutors’ files — which they didn’t open — had suddenly appeared on their systems, Reuters reported. Defense attorneys also reported signs that their internal base emails and Internet searches were being monitored by a third party. In response, the chief defense counsel for the tribunals, Col. Karen Mayberry, ordered all defense attorneys — civil and military — to immediately stop using government-issued computers.

In other Anonymous news, the collective earlier this month announced Operation Petrol (#OpPetrol), in conjunction with SaudiAnonymous and a hacker known as AnonGhost, who was a key figure in this month’s #OpUSA attacks, which multiple critics derided as “FlopUSA” for being more bark than bite.

First announced on May 10 via Pastebin, #OpPetrol is designed to target oil-producing nations as well as petroleum companies, and scheduled for June 20.

The operation’s stated raison d’être is to avenge an alleged “petro-dollar” conspiracy involving Muslim countries selling oil in dollars, rather than local currency. “The new world order installed their own rules so that they can control us like robots,” according to the post.

Countries designated as targets for attack include the United States, Canada, England, Israel, China, Italy, France, Russia and Germany. The campaign’s organizers also designated as targets the governments of Saudi Arabia, Kuwait and Qatar.

Some related attacks have already been disclosed, including a purported leak of 16 Saudi government email access usernames and passwords in plaintext, which was uploaded on May 12 to Pastebin.

As that suggests, organizations that might be targeted by these attacks shouldn’t wait until June 20 to perform a threat assessment and lock down vulnerable systems. “As we know from past events, actors may be compromising sites now only to release the results as part of the operation,” according to a blog post from security researchers at HP. “Potential targets may have already seen activity that could later be associated with this announcement.”

That said, many security experts expect #OpPetrol to be a non-starter. “Given the trends so far, we anticipate that this operation will mirror #OpUSA,” said HP. “We do not anticipate #OpPetrol to be a large success.”


Article source: http://feeds.informationweek.com/click.phdo?i=0456e916d8b2b1e7a48150c00e21c62a


Google Aurora Hack Was Chinese Counterespionage Operation

A high-profile information security attack against Google in late 2009 — part of what was later dubbed Operation Aurora — was a counterespionage operation being run by the Chinese government.

Former government officials with knowledge of the breach said attackers successfully accessed a database that flagged Gmail accounts marked for court-ordered wiretaps. Such information would have given attackers insight into active investigations being conducted by the FBI and other law enforcement agencies that involved undercover Chinese operatives.

“Knowing that you were subjects of an investigation allows them to take steps to destroy information, get people out of the country,” a former U.S. government official with knowledge of the breach told the Washington Post, which first reported the news. But the official cautioned that the attack also could have been a subterfuge operation by Chinese intelligence agencies designed to trick U.S. intelligence agencies into believing false or misleading information.


The new Operation Aurora revelations came after a Microsoft official last month disclosed that his company had apparently been targeted by the same attackers — unsuccessfully, he said — at the same time as Google.

“What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,” David W. Aucsmith, senior director of Microsoft’s Institute for Advanced Technology, told a government IT conference hosted by Microsoft in Redmond, Wash., last month, CIO.com first reported.

“So if you think about this, this is brilliant counter-intelligence. You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way,” said Aucsmith. “Presumably that’s difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That’s essentially what we think they were trolling for, at least in our case.”

Microsoft’s recounting of the attacks stood in sharp contrast to Google’s disclosure, published in early January 2010. “In mid-December [2009], we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google,” said a blog post by Google’s chief legal officer, David Drummond.

At the time, having a major business publicly blame the Chinese government for having launched an information security attack against its systems was rare.

The successful attack against Google was dubbed Operation Aurora by security firm McAfee because attackers reportedly employed the Aurora (a.k.a. Hydraq) Trojan horse application. At the time, however, Google said its investigation into the attack found that “at least twenty other large companies from a wide range of businesses — including the Internet, finance, technology, media and chemical sectors — have been similarly targeted.” Google also disclosed that a second branch of the attack had compromised multiple Chinese and Vietnamese activists’ Gmail accounts.

All told, the Operation Aurora attacks reportedly targeted at least 34 companies, including Adobe, Juniper, Rackspace, Symantec, Northrop Grumman, Morgan Stanley and Yahoo.

At the time, Bruce Schneier, chief security technology officer of BT, said that the Google attackers exploited wiretap backdoors mandated by the U.S. government to access the activists’ accounts. “In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access,” according to Schneier. “Systems like these invite misuse: criminal appropriation, government abuse and stretching by everyone possible to apply to situations that are applicable only by the most tortuous logic.”

The Operation Aurora attacks became the basis for what’s now known as an advanced persistent threat (APT) attack.

Last year, Symantec reported that the Aurora gang was still at work, and operating with a large budget. “The group seemingly has an unlimited supply of zero-day vulnerabilities,” according to Symantec. “The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent.”


Article source: http://feeds.informationweek.com/click.phdo?i=71b092dea4f4f23aed58fd7875b4698b


British Cloud Firm Wins Background Check Security Contract

Skyscape Cloud Services, a British cloud SMB, has won a £1.5 million ($2.3 million) annual contract to provide security for the background check system British citizens use to reveal any criminal records to prospective employers.

Following a number of high-profile tragedies, applicants for posts, particularly those that involve working with young people, are now required to reveal any criminal histories. The Home Office (the U.K. equivalent to the Department of Justice) is phasing out older processes set up to do that in favor of a new online system called the Disclosure and Barring Service (DBS). The DBS runs on the new unified public sector URL, GOV.UK.

The DBS’s purpose is to disclose to prospective employers any run-ins or convictions that might bar applicants from certain positions. Records involving abuse of any kind, for example, might preclude an applicant from working with children.


Beginning in April 2014, the service will be run not by government, but by Indian outsourcer Tata Consulting Services. The partnership, announced last November, promises an estimated four million annual DBS applicants electronic applications and “improved online services to enhance [their] experience.”

Skyscape, which will back the Tata version of the DBS, markets itself as offering ‘assured’ (secure) cloud to the high IL3 (Impact Level 3) level to government and other public sector users. Monetary loss of data that is deemed to be at IL3 level protection is defined as equaling millions of pounds — or, by another metric, would “disadvantage a major U.K. company” in any international trade negotiations.

According to Skyscape, no user data ever leaves its U.K.-based data centers — an important flag to fly in a country where security fears, especially among public servants, have been hobbling adoption of the cloud. “This is a significant step forward for the use of cloud in Britain, as this is one of the first public-facing, front office apps on GOV.UK that will use cloud,” Skyscape CEO Phil Dawson told Information Week.

The contract with Skyscape was awarded via the G-Cloud Framework, the British government cloud. Dawson’s team said Skyscape was chosen over “a major service integrator” as well as other G-Cloud offerings.

Beyond today’s announcement, Skyscape claims HMRC (the British equivalent to the IRS) as a customer, along with Government Digital Services, the body that built and runs GOV.UK. The Hampshire-based firm says it is also working on “over 100 projects across central government, local authorities, police, healthcare and other publicly funded bodies.”

Skyscape partners with firms like VMware, Cisco and EMC, adding its assured cloud connectivity to their solutions. Describing the company as “one of our key partners in delivering cloud services to the U.K. public sector,” VMware’s head of public services Cliff Keast said, “This significant win further validates the adoption of cloud by government organizations as they strive to reduce costs and deliver better service to the public.”


Article source: http://feeds.informationweek.com/click.phdo?i=e05a73521bf2132827f827c2f43a878d


British Cloud Firm Wins Background Check Security Contract

Skyscape Cloud Services, a British cloud SMB, has won a £1.5 million ($2.3 million) annual contract to provide security for the background check system British citizens use to reveal any criminal records to prospective employers.

Following a number of high-profile tragedies, applicants for posts, particularly those that involve working with young people, are now required to reveal any criminal histories. The Home Office (the U.K. equivalent to the Department of Justice) is phasing out older processes set up to do that in favor of a new online system called the Disclosure and Barring Service (DBS). The DBS runs on the new unified public sector URL, GOV.UK.

The DBS’s purpose is to disclose to prospective employers any run-ins or convictions that might bar applicants from certain positions. Records involving abuse of any kind, for example, might preclude an applicant from working with children.

[ U.K. government needs to do a better job of using the data it collects to improve public services. Read U.K. Has $10 Billion Of Public Data, Study Concludes. ]

Beginning in April 2014, the service will be run not by government, but by Indian outsourcer Tata Consulting Services. The partnership, announced last November, promises an estimated four million annual DBS applicants electronic applications and “improved online services to enhance [their] experience.”

Skyscape, which will back the Tata version of the DBS, markets itself as offering ‘assured’ (secure) cloud at the IL3 (Impact Level 3) protection level to government and other public sector users. Under the IL3 definition, the loss of data at that level would cost millions of pounds or, by another metric, would “disadvantage a major U.K. company” in any international trade negotiations.

According to Skyscape, no user data ever leaves its U.K.-based data centers — an important flag to fly in a country where security fears, especially among public servants, have been hobbling adoption of the cloud. “This is a significant step forward for the use of cloud in Britain, as this is one of the first public-facing, front office apps on GOV.UK that will use cloud,” Skyscape CEO Phil Dawson told InformationWeek.

The contract with Skyscape was awarded via the G-Cloud Framework, the British government cloud. Dawson’s team said Skyscape was chosen over “a major service integrator” as well as other G-Cloud offerings.

Beyond today’s announcement, Skyscape claims HMRC (the British equivalent to the IRS) as a customer, along with Government Digital Services, the body that built and runs GOV.UK. The Hampshire-based firm says it is also working on “over 100 projects across central government, local authorities, police, healthcare and other publicly funded bodies.”

Skyscape partners with firms like VMware, Cisco and EMC, adding its assured cloud connectivity to their solutions. Describing the company as “one of our key partners in delivering cloud services to the U.K. public sector,” VMware’s head of public services Cliff Keast said, “This significant win further validates the adoption of cloud by government organizations as they strive to reduce costs and deliver better service to the public.”


Article source: http://feeds.informationweek.com/click.phdo?i=e05a73521bf2132827f827c2f43a878d


Google, DISA Launch User ID Pilot

The Department of Defense (DOD) is taking tentative steps with Google to tackle one of the primary obstacles to adopting commercial cloud computing: the need to reliably authenticate users.

The Defense Information Systems Agency (DISA) confirmed that it is developing a proof of concept Authentication Gateway Service (AGS) that would allow for secure translation between DOD public key infrastructure (PKI) common access card authentication and Google-provided cloud services.

“This is a pilot effort to validate the ability to use DISA’s Authentication Gateway with external cloud solutions using the standards-based Security Assertion Markup Language (SAML) protocol as well as explore interoperability and usability issues in commercial cloud-based email services,” said David M. Mihelcic, CTO for DISA.

The pilot program makes use of Google Apps for Government as a way to test the ability of users to utilize their common access cards for authentication. But Mihelcic cautioned against speculation about broader use of Google Apps beyond the pilot for now. “DISA is not adopting Google Apps for Government,” he said.

[ Want to know about another Google-government collaboration? See Google, NASA Team On Quantum Computing. ]

The purpose of the pilot is to find reliable alternatives for authenticating users and ultimately eliminate the less-secure password-based login.

During the first phase of the pilot, 50 DISA employees will use Google Apps for Government to process only non-sensitive unclassified data. At the same time, DISA’s field security office is conducting a security evaluation of Google Apps for Government to determine if the service can support additional pilot users as well as sensitive but unclassified data.

The program isn’t the first effort by DISA to develop authentication services for cloud-based email services.

“DISA previously developed enterprise directory services and identity synchronization services to allow for secure (non-password based) authentication to the Microsoft Exchange-based Defense Enterprise Email (DEE) service,” he said. “The authentication gateway extends these services using the Security Assertion Markup Language to allow for rapid integration with cloud-based services.”

The pilot program with Google began to take shape in February when DISA and Google signed a Cooperative Research and Development Agreement (CRADA) to explore innovative ways for DOD users to securely authenticate to commercial cloud service providers.

“The DISA-Google CRADA work is a necessary precursor activity that if successful would allow DISA to bring competitive commercial cloud-based email providers into the [DEE] service offering,” said Rear Admiral David Simpson, vice director of DISA, in a prepared release from DISA.

He added that the program’s goal would be to provide for a portion of DOD email user communities to work with lowest cost, technically acceptable service providers whose security is assured and commensurate with various missions. The initial implementation would focus on a single enterprise e-mail system that utilizes one directory service for the entire DOD and “seamless collaboration between commercial and DOD-hosted environments,” Simpson said.

“While the current Google pilot is scheduled to end on Sept. 30, this is laying the groundwork for many future cloud services,” said Jack Wilmer, DISA’s deputy CTO for enterprise services. “The results of the CRADA are going to play a major role in our cloud strategy going forward.”

DISA officials said, given the importance of enterprise email to DOD, the agency also is using the Google pilot to explore and validate next-generation approaches to cloud-based email that can augment DISA’s existing Defense Enterprise Computing Center, which hosts the DEE service.

DISA is looking to integrate its enterprise directory services with cloud-based email to allow a single global address list to support total email interoperability. To accomplish that, an agency spokesperson said DISA is using its identity synchronization service to automatically provision Google pilot users and synchronize the global address list between the DEE service and the pilot.

“If we can validate this approach,” said Wilmer, “in the future we will be able to competitively acquire cloud-based email services to provide browser-based email for users that don’t need all of DEE’s features.”


Article source: http://feeds.informationweek.com/click.phdo?i=193c581b82f079dab83b6c76c79cc5af


How Password Strength Meters Can Improve Security

Want your site’s users to build better passwords? Then provide “password strength” meters to show if a proposed password carries a low (red), medium (yellow) or high (green) level of security.

According to the first-ever study of password meters’ effectiveness — delivered this month at the CHI human-computer interaction conference in Paris — such meters aren’t just window dressing or empty security theater. Meters result in stronger passwords when users are forced to change existing passwords on ‘important’ accounts, according to the “Does My Password Go up to Eleven?” research study from researchers at the University of California at Berkeley, the University of British Columbia and Microsoft Research. In addition, they found that graphical design variations between different types of meters “likely have a marginal impact” on user adoption.

The usefulness of password meters wasn’t a given; no previous research had explored whether they led people to pick stronger passwords. “The original purpose of the experiment was to see whether meters based on social pressure would yield an improvement, since we didn’t expect existing meters to be effective,” said primary report author and University of California at Berkeley research scientist Serge Egelman via email. “We were surprised that one, meter design doesn’t appear to matter much, and two, meters do work under certain circumstances.”

[ Honeywords, or fake passwords, could help businesses better detect breach attempts. Read more at Sweet Password Security Strategy: Honeywords. ]

As emphasized by the report title’s “This Is Spinal Tap” film reference, when it comes to passwords, more (entropy) equals more (security). That’s why standard password security advice — at least currently — is to pick a password that has at least 12 characters, mixing letters, numbers and symbols. Whatever the rules, however, password meters provide simple and immediate visual feedback about what constitutes “strong enough.”

The researchers’ conclusions are based on comparing forced password resets in the presence of password meters to those without such meters. “We performed a laboratory experiment to examine whether these meters influenced users’ password selections when they were forced to change their real passwords,” the researchers explained. “We observed that the presence of meters yielded significantly stronger passwords.”

They also found that the meters didn’t seem to cause memorability problems for users, and suggested that people forgetting passwords was more related to forced expiration dates, which not all cryptography experts see as always necessary.

The researchers’ password-meter findings, however, come with a caveat. In a second study they conducted, users were asked to create a password for an unimportant account. “In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts,” they said.

Egelman said that while password meters are effective when used for important passwords, perhaps they shouldn’t be used at all for unimportant passwords. “People have a finite amount of memory, which shouldn’t be wasted protecting resources that are unimportant — e.g., low-value accounts. I think the bigger problem is that most passwords are highly susceptible to offline attacks,” he said. “Whereas when users do not select popular passwords — e.g., [in] the top 100/1,000/10,000 — online attacks are relatively unsuccessful. This suggests that a much more efficient solution is to prevent offline attacks from occurring.”

Using proper network security controls and strong cryptography to secure passwords so that they can’t be retrieved by hackers and decrypted offline, however, has nothing to do with password-strength meters. “This responsibility lies solely with the websites who store the passwords, not the users,” Egelman said.
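As an added illustration (not code from the study or from InformationWeek), here is a minimal meter of the kind the article describes: it estimates entropy from length and the character classes used, rejects the popular passwords Egelman mentions (a constructed sample list stands in for a real top-1,000 or top-10,000 list), and maps the score to the red, yellow and green levels a meter displays. The thresholds are assumptions chosen to match the “12 characters, mixed classes” advice quoted above.

```javascript
// Added example, not part of the original article or the CHI study.
// Constructed sample of "popular" passwords; a real deployment would load
// the top-N list the article refers to.
const POPULAR_PASSWORDS = new Set([
  "password", "123456", "12345678", "qwerty", "abc123", "letmein",
  "111111", "iloveyou", "admin", "welcome",
]);

// Character classes and the approximate alphabet size each contributes.
const CLASSES = [
  { name: "lower", re: /[a-z]/, size: 26 },
  { name: "upper", re: /[A-Z]/, size: 26 },
  { name: "digit", re: /[0-9]/, size: 10 },
  { name: "symbol", re: /[^A-Za-z0-9]/, size: 33 },
];

// Estimated entropy in bits: length * log2(alphabet size), the "more entropy
// equals more security" rule of thumb. This overestimates entropy for
// dictionary words, which is why the popularity check runs first.
function estimateEntropyBits(password) {
  const alphabet = CLASSES
    .filter((c) => c.re.test(password))
    .reduce((sum, c) => sum + c.size, 0);
  if (alphabet === 0) return 0;
  return password.length * Math.log2(alphabet);
}

// Returns the meter colour plus a reason, so the UI can explain the score.
// Assumed thresholds: popular or short / low-entropy passwords are red;
// 12+ characters mixing at least three classes (~60+ bits) are green;
// everything in between is yellow.
function rateStrength(password) {
  if (POPULAR_PASSWORDS.has(password.toLowerCase())) {
    return { level: "red", bits: 0, reason: "popular password" };
  }
  const bits = estimateEntropyBits(password);
  const classesUsed = CLASSES.filter((c) => c.re.test(password)).length;
  if (password.length < 8 || bits < 40) {
    return { level: "red", bits, reason: "too short or too little entropy" };
  }
  if (password.length >= 12 && classesUsed >= 3 && bits >= 60) {
    return { level: "green", bits, reason: "length and mixed classes" };
  }
  return { level: "yellow", bits, reason: "acceptable but could be stronger" };
}

// Constructed sample inputs.
for (const p of ["password", "abcdefgh", "Tr0ub4dor&3", "S3cure-Cloud-2013!"]) {
  const r = rateStrength(p);
  console.log(`${p}: ${r.level} (${r.bits.toFixed(1)} bits, ${r.reason})`);
}
```

Note that the meter says nothing about how the password is stored; as Egelman points out, resisting offline attacks is the site’s job, not the user’s.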


Article source: http://feeds.informationweek.com/click.phdo?i=abf81405b491f45aebb102e03833c3a1


Yahoo Japan Data Breach: 22M Accounts Exposed

Yahoo disclosed Friday that a breach at Yahoo Japan may have exposed 22 million login names to attackers.

“We don’t know if the file [containing 22 million user IDs] was leaked or not, but we can’t deny the possibility, given the volume of traffic between our server and external terminals,” read a statement issued Friday by Yahoo Japan. Yahoo Japan is the country’s most-visited website, and is jointly owned by Yahoo and Japanese network operator Softbank.

Yahoo Japan posted a link to a related breach notification on its homepage, and said it was contacting affected users and had strengthened network security in the wake of the attack. Yahoo Japan also recommended all users — as of last year, the company had about 24 million users — change their passwords, and added a tool on its homepage that allowed users to check if their ID was at risk from the suspected breach.

Yahoo Japan’s users, however, can’t change their login IDs — which sometimes appear publicly; for example, when users post comments on shopping sites — without losing access to their current account’s email and stored data, reported PC Advisor. But after Yahoo Japan discovered malware on its servers last month that had extracted — but not exfiltrated — information relating to 1.27 million of its users, the company added a “Secret ID” capability, which allows users to use a separate ID only for logging on.

[ Defense Department and Google are partnering to tighten cloud user authentication. Read more at Google, DISA Launch User ID Pilot. ]

Yahoo officials said they discovered the unauthorized access Thursday. The potential data breach affects 10% of Yahoo’s user base.

Yahoo was last in the data breach headlines in July 2012, when the company confirmed that an “older file” containing 450,000 usernames and passwords associated with its Yahoo Voices service had been leaked online. At the time, it said that only 5% of the leaked passwords were still valid. “D33Ds Company” took credit for the hack, saying it had been accomplished via SQL injection attack. The group said it had leaked the information “as a wake-up call, and not as a threat” to Yahoo to fix the vulnerability, the specifics of which the hackers didn’t publicly detail.

In other hacking news, the Financial Times (FT) Friday became the latest victim of Syrian hackers, after its website and multiple Twitter accounts were compromised via spear-phishing attacks. “Syrian Electronic Army Was Here,” read 12 posts to various FT Twitter feeds. Multiple fake messages were also posted to the newspaper’s Twitter account.

The Syrian Electronic Army claimed to have compromised 17 of the newspaper’s Twitter accounts as well as its website, and posted what it said was the username and password (“Gar1eth”) for a marketing executive at the paper.

“We have now locked those accounts and are grateful for Twitter’s help on this,” said Robert Shrimsley, the managing editor of FT.com, reported the FT.

The newspaper is the latest media organization to have seen its Twitter feeds hacked by the Syrian Electronic Army, which supports Syrian President Bashar al-Assad. The group has previously compromised an Associated Press feed, which it used to issue a fake alert that explosions had occurred in the White House. Other targets have included the BBC, the Guardian, National Public Radio and satire site The Onion.

Earlier this month, Twitter warned news and media outlets to expect further attacks.

To halt Twitter account takeovers, security experts have recommended using a dedicated PC for tweeting, or employing an intermediary social media management tool such as Hootsuite to block the spear-phishing attacks the group often uses to obtain credentials. They’ve also called on Twitter to implement two-factor authentication. But a “secret ID” service of the Yahoo Japan variety would also help Twitter users, since all Twitter usernames are already public, meaning would-be attackers only need to obtain a password to hack into an account.

As with previous Syrian Electronic Army takeovers, some of its FT tweets advanced the group’s stated aim of “[defending] the Syrian nation against the vicious lying media campaign,” referring to perceived inaccuracies in reporting on the Syrian civil war. One bogus FT tweet, for example, read: “Jabhet A-Nosra terrorists executed innocent citizens,” referring to the militant jihadist group that currently controls large parts of the rebel-held areas of northern Syria. Some leaders of that group recently pledged allegiance to al-Qaeda.

Interestingly, the FT last month interviewed a self-described member of the Syrian Electronic Army who calls himself “Th3Pr0.” “All the countries who support the terrorists groups in Syria are targets for us — their media/government website/social media accounts,” Th3Pr0 said. “Our demands [are] to stop suspending our accounts and domain names so we can enjoy the ‘Freedom speech of America.’”


Article source: http://feeds.informationweek.com/click.phdo?i=789a8184e8145a98a0f6b625b6dafcd0
