http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/
By Kim Zetter, Security, Wired.com, 10.01.15

Security researchers and vendors have long been locked in a debate over how to disclose security vulnerabilities, and there’s little on which the two sides agree. Apparently this extends even to the question of whether they should meet to hash out their disagreements.

That’s the conclusion after a coalition of security vendors, academics, lawyers, and researchers gathered at UC Berkeley on Tuesday to discuss how to improve the sometimes-hostile system for reporting software vulnerabilities. But the diverse group of participants had a hard time even agreeing on the purpose of the meeting: Was it to draft a charter for best practices in reporting software vulnerabilities? Was it to reform parts of the Digital Millennium Copyright Act and Computer Fraud and Abuse Act to make them less hostile to researchers? Or was it to develop guidelines for companies interested in launching bug bounty programs?

The participants hit another sticking point when they tried to determine if they should hold a second meeting. “I spent $2,000 [to come to this meeting],” Dave Aitel, CEO and founder of the Florida-based security firm Immunity, told attendees. Whether or not there’s a second meeting, “should at least be an option” for discussion. […]
http://freebeacon.com/national-security/intel-assessment-obama-admin-response-to-cyber-encourages-more-attacks/
By Bill Gertz, Washington Free Beacon, July 28, 2015

The United States will continue to suffer increasingly damaging cyber attacks against both government and private sector networks as long as there is no significant response, according to a recent U.S. intelligence community assessment.

Disclosure of the intelligence assessment, an analytical consensus of 16 U.S. spy agencies, comes as the Obama administration is debating how to respond to a major cyber attack against the Office of Personnel Management. Sensitive records on 22.1 million federal workers, including millions cleared for access to secrets, were stolen by hackers linked to China’s government.

U.S. officials familiar with the classified cyber assessment discussed its central conclusion but did not provide details. Spokesmen for the White House and office of the director of national intelligence declined to comment.

Recent comments by President Obama and senior military and security officials, however, reflect the intelligence assessment. […]
http://www.lawfareblog.com/2015/05/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process/
By Ashley Deeks, Lawfare, May 31, 2015

This past week, the NATO Cooperative Cyber Defense Center of Excellence put on its annual Cyber Conflict conference in Tallinn, Estonia. The conference boasted a number of experienced cyber-hands, including Adm. Mike Rogers, DefCon founder Jeff Moss, and law of armed conflict expert Mike Schmitt.

One of the most interesting sessions, which included a presentation by Mike, focused on aspects of the Tallinn Manual versions 1.0 and 2.0. Version 1.0, produced by an independent group of experts, came out in 2013. It proffered what the experts saw as current black letter law on jus ad bellum and jus in bello rules relevant to cyber operations. The Manual includes both crisp articulations of the rules and more extensive commentary setting out the legal basis for the rule and any differences that arose among the experts.

Version 2.0 picks up where Version 1.0 left off, and will set forth the experts’ views on what international law applies to cyber activity that falls below the level of armed conflict or the use of force. Mike previewed some of the topics that 2.0’s group of experts will discuss, including customary rules related to sovereignty. As Mike notes, sovereignty is not simply a factor restricting a state’s activities in other states’ territory. It also is the basis for states to regulate and exercise jurisdiction within their territory over people, hardware, and cyber operations. One challenge for the experts will be to achieve consensus on what types of activities by one state violate another state’s sovereignty: what level of damage, intrusion, or alteration of data suffices? Other norms up for discussion relate to due diligence obligations by states to stop actions that produce adverse consequences for other states, and the applicability of state responsibility (including counter-measures and the use of “necessity” arguments).

Tallinn 2.0 has the potential to be even more influential than Tallinn 1.0, because it systematically will address activities that are far more prevalent in the cyber realm than uses of force or armed attacks.

Bill Boothby, a former Deputy Director of Legal Services for the UK Royal Air Force, then provided a retrospective look at Tallinn 1.0. Mike Schmitt had asked Bill to review all of the literature that offered reviews or critiques of Tallinn 1.0, to assess whether to consider certain modest amendments to the Manual’s commentary (though not to its black letter rules) or to take up certain issues that Tallinn 1.0 did not cover.

Bill assessed that there has been huge interest in the Manual since it came out, but that the Manual reflected “all reasonable positions” on the issues it took up and that there were only a few amendments worth pondering. In particular, Bill wondered whether the definition of what constitutes a “cyber attack” might need to expand to include “major disruptions” that nevertheless do not produce physical harm to the affected state. He also asked whether the jus in bello rule on precautions was ill-suited to cyber, given that states utterly have failed to segregate their military cyber infrastructure from civilian cyber infrastructure. […]
http://www.wired.com/2015/03/clintons-email-server-vulnerable/
By Andy Greenberg, Security, Wired.com, 03.04.15

For a secretary of state, running your own email server might be a clever—if controversial—way to keep your conversations hidden from journalists and their pesky Freedom of Information Act requests. But ask a few security experts, and the consensus is that it’s not a very smart way to keep those conversations hidden from hackers.

On Monday, the New York Times revealed that former secretary of state and future presidential candidate Hillary Clinton used a private email account rather than her official State.gov email address while serving in the State Department. And this was no Gmail or Yahoo! Mail account: On Wednesday the AP reported that Clinton actually ran a private mail server in her home during her entire tenure leading the State Department, hosting her email at the domain Clintonemail.com.

Much of the criticism of that in-house email strategy has centered on its violation of the federal government’s record-keeping and transparency rules. But as the controversy continues to swirl, the security community is focused on a different issue: the possibility that an unofficial, unprotected server held the communications of America’s top foreign affairs official for four years, leaving all of it potentially vulnerable to state-sponsored hackers.

“Although the American people didn’t know about this, it’s almost certain that foreign intelligence agencies did, just as the NSA knows which Indian and Spanish officials use Gmail and Yahoo accounts,” says Chris Soghoian, the lead technologist for the American Civil Liberties Union. “She’s not the first official to use private email and not the last. But there are serious security issues associated with these kinds of services…When you build your house outside the security fence, you’re on your own, and that’s what seems to have happened here.” […]
http://www.eweek.com/security/data-theft-a-major-concern-for-organizations.html
By Nathan Eddy, eWEEK.com, 2014-05-01

This will not come as a surprise to most IT security people: Most enterprises lack the tools and business intelligence to protect their critical information in an optimal manner, according to new research conducted by the Ponemon Institute and sponsored by Websense.

The main problems are a critical deficit of security solution effectiveness, a disconnect in executives’ perceived value of data, and limited visibility into attack activity, according to the global cyber-security report. The findings, based on the responses of IT security practitioners with an average of 10 years’ experience in the field from 15 countries, including Brazil, China, Germany, India, the United Kingdom and the United States, revealed a global consensus that security professionals need access to heightened threat intelligence and defenses.

According to respondents, there is a gap between data breach perception and reality, specifically regarding the potential revenue loss to their business. Eighty percent of respondents say their company’s leaders do not equate losing confidential data with a potential loss of revenue. […]
http://www.computerworld.com/s/article/9246266/White_House_pushes_cybersecurity_framework_for_critical_infrastructure
By Grant Gross, IDG News Service, February 12, 2014

A new cybersecurity framework released Wednesday by the Obama administration aims to help operators of critical infrastructure develop comprehensive cybersecurity programs. The voluntary framework creates a consensus on what a good cybersecurity program looks like, senior administration officials said.

The 41-page framework takes a risk management approach that allows organizations to adapt to “a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner,” according to the document. Organizations can use the framework to create a “credible” cybersecurity program if they don’t already have one, said one senior Obama administration official.

“The key message is that cybersecurity is not something you just put in place and walk away,” the official said, in a background press briefing. “There’s no prescription or magic bullet for cybersecurity. There are only well-conceived, proven ways of continuously managing the risks.”

The framework, building on a presidential directive from a year ago, can help “companies prove to themselves and to their stakeholders that good cybersecurity can be the same thing as good business,” the official said. […]
http://www.govhealthit.com/news/years-end-policy-work-hipaa-disclosure-accounting
By Anthony Brino, Associate Editor, Government Health IT, November 25, 2013

As the seminal year of 2014 approaches for American healthcare, the Office of the National Coordinator (ONC) is getting an earful about implementing the HIPAA Accounting of Disclosures provision.

ONC’s Privacy and Security Tiger Team is slated to convene the Monday after Thanksgiving, December 2nd, two days before the team is giving the Health IT Policy Committee recommendations on moving forward with disclosure accounting. That comes as HHS prepares an interim or final version of rules that many in the industry deemed too hard to achieve — for instance, with mandated PHI access reports for patients.

The Tiger Team, which includes Epic CEO Judy Faulkner and Cerner informatics VP David McCallie, MD, is going into December with consensus on several topics, and with a philosophy of “less is more” for approaching the issue as a whole. The “scope of disclosures and related details to be reported to patients” should provide information that “is useful to patients, without overwhelming them” and that doesn’t place “undue burden on covered entities,” the Tiger Team said in an outline of recommendations presented during a November 18th meeting. […]
By Antone Gonsalves, CSO.com, December 06, 2012
Anonymous is planning to launch a cyberattack this weekend against the website of the International Telecommunications Union, a United Nations agency holding a meeting of 190 governments to discuss political and commercial control of the Internet, a security firm says.
The ITU-organized World Conference on International Telecommunications runs Dec. 3-14 in Dubai. The secretive meet has sparked rage within Anonymous and the blogosphere over a Russian proposal to hand control over the Internet to the ITU.
Such conspiracy theories are unlikely to become reality, experts say. That’s because such a move would require an international consensus, and many countries would oppose such a proposal, including the U.S.
Nevertheless, the hacktivist collective Anonymous posted a YouTube video last week denouncing the ITU meeting and warning of “grave consequences” to human rights.