[ISN] Firms take 10 hours to spot data breaches, McAfee finds

http://news.techworld.com/security/3453139/firms-take-10-hours-spot-data-breaches-mcafee-finds/
By John E Dunn
Techworld
17 June 2013

The average organisation believes it would spot a data breach in ten hours, a McAfee global survey of IT professionals has found. But is that result good, indifferent or an indication of the downright complacent?

The firm’s interrogation of 500 decision makers from the US, UK, Germany and Australia earlier this year found that 22 percent thought they’d need a day to recognise a breach, with one in twenty offering a week as a likely timescale. Just over a third said they would notice data breaches in a matter of minutes, which counts as real-time by today’s standards.

In terms of general security, three quarters confidently reckoned they could assess their security in real-time, with about the same number talking up their ability to spot insider threats, perimeter threats and even zero-day malware.

[…]

_______________________________________________
ISN mailing list
ISN@lists.infosecnews.org
http://lists.infosecnews.org/mailman/listinfo/isn_lists.infosecnews.org





[ISN] NSA leaker says audits on gov’t snooping don’t work

http://www.washingtontimes.com/news/2013/jun/17/nsa-leaker-says-audits-govt-snooping-dont-work/
By Shaun Waterman
The Washington Times
June 17, 2013

The former National Security Agency contractor who leaked classified information about its telecommunications surveillance program said Monday that there are few safeguards to prevent abuse of data-gathering projects and that large amounts of data about Americans routinely are collected in dragnet searches, despite officials’ denials.

“The reality is this, … [any U.S. intelligence agency] has access to query raw databases, they can enter and get results for anything they want. Phone number, email, user id, cell phone handset ID, and so on,” Edward Snowden told readers in a question-and-answer session on the British newspaper Guardian’s website.

“The restrictions against this are policy based, not technically based,” Mr. Snowden added.

He said that, even though U.S. intelligence officials note that the warrantless monitoring of U.S. citizens’ communications is illegal, “Americans’ communications are collected and viewed on a daily basis on the certification of an analyst rather than a warrant.”

[…]



[ISN] Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away?

http://arstechnica.com/security/2013/06/encrypted-e-mail-how-much-annoyance-will-you-tolerate-to-keep-the-nsa-away/
By Peter Bright and Dan Goodin
Ars Technica
June 14 2013

In an age of smartphones and social networking, e-mail may strike many as quaint. But it remains the vehicle that millions of people use every day to send racy love letters, confidential business plans, and other communications both sender and receiver want to keep private.

Following last week’s revelations of a secret program that gives the National Security Agency (NSA) access to some e-mails sent over Gmail, Hotmail, and other services—and years after it emerged that the NSA had gained access to full fiber-optic taps of raw Internet traffic—you may be wondering what you can do to keep your messages under wraps. The answer is public key encryption, and we’ll show you how to use it.

The uses of asymmetry

The full extent of the cooperation between the NSA and various technology companies is unclear. It will probably remain that way for the foreseeable future. For the time being, however, it seems likely that the standard cryptographic tools used to secure data “in flight”—that is to say, the SSL that protects data traveling between machines on the Internet—remain secure as long as certain best practices are used.

That protects against some threats, such as wholesale monitoring of Internet traffic of the kind the NSA is known to engage in, but it doesn’t do anything to protect data that’s “at rest.” That is to say, SSL doesn’t do anything to prevent a company like Google or Microsoft from handing over an archive of your e-mail in response to a court order. The e-mails are just lying around on some Google server somewhere. If you don’t want a government, service provider, employer, or unauthorized party to have access to your mail at rest, you need to encrypt the mail itself.

But most encryption algorithms are symmetric, meaning that the encryption key serves a dual purpose: it both encrypts and decrypts. As such, people encrypting mail with a symmetric key would be able to decrypt other mail that used the same symmetric key. While this would protect against anyone without the key, it wouldn’t be very useful as an encrypted e-mail system.

[…]



[ISN] Army major guilty in data leak gets 10-year sentence

http://www.stripes.com/news/army/army-major-guilty-in-data-leak-gets-10-year-sentence-1.226150
By Ken Kobayashi and William Cole
The Honolulu Star-Advertiser
June 15, 2013

An Army officer who worked for U.S. Pacific Command was found guilty Friday by a military jury of illegally possessing and passing classified national defense information, an Army official said.

The jury Friday night sentenced Maj. Seivirak Inson to 10 years in prison, forfeiture of pay and dismissal from the Army.

Inson passed classified intelligence assessments about Cambodia to an unidentified person not entitled to have them between 2009 and 2012, and had unauthorized possession of a U.S. Pacific Command maritime strategy document, which he “had reason to believe could be used to the injury of the United States,” the Army said.

Capt. Leslie Waddle, a spokeswoman for the Army’s 8th Theater Sustainment Command in Hawaii, said Inson was found guilty of those charges as well as a charge that he had unauthorized possession of a Defense Intelligence Agency intelligence report, and that he failed to report to his chain of command that he had contact with Cambodian military and government officials.

[…]



[ISN] Data breach costs decline, malicious attacks increase in US

http://healthitsecurity.com/2013/06/14/data-breach-costs-decline-malicious-attacks-increase-in-us/
By Kyle Murphy, PhD
Health IT Security
June 14, 2013

The cost of data breaches is on the decline, but a new source of breaches is on the rise, according to a recent survey by the Ponemon Institute. In the 2012 Cost of Data Breach Study, the organizational cost of dealing with data breaches has gone down from $5.5 to $5.4 million, with the cost per record dropping from $194 to $188.

In the United States, the healthcare industry only trails behind transportation in terms of per capita cost for data breaches. The cost per head is $305, which places it behind transportation ($316) but ahead of 11 other industries (e.g., communications, pharmaceutical, industrial). Considering how frequently subject matter experts compare the data security and privacy approaches of the healthcare and financial industries — often suggesting that the former take a cue from the latter — the fact that financial costs $50 less per capita ($254) than healthcare lends weight to that argument.

So why do certain industries tend to have higher-than-average costs? It has to do with oversight. “Specifically, heavily regulated industries such as healthcare, communications, pharmaceuticals and financial services tend to have a per capita data breach cost substantially above the overall mean of $188,” states the report.

What should prove unsettling is what has emerged as the leading cause of these data breaches: malicious or criminal attacks. This is the first study by the Ponemon Institute to indicate these types of attacks as the most frequently encountered by organizations. In terms of distribution, human error (33%) and system glitches (26%) trailed the leader, malicious or criminal attacks (41%).

[…]



[ISN] Start-ups ride a cybersecurity wave into Israel

http://www.timesofisrael.com/start-ups-ride-a-cybersecurity-wave-into-israel/
By David Shamah
The Times of Israel
June 17, 2013

There are two big “waves” set to hit Israeli hi-tech in the coming year, according to Gadi Tirosh, a general manager at venture capital fund Jerusalem Venture Partners. One wave will consist of new companies working in the cybersecurity space, as protecting government, enterprise, and consumers from hacking, online espionage, and cyber-terrorism becomes even more vital than in the past. The second wave concerns the place where many of these security-oriented companies will set up shop — Beersheba, a city which will soon host many of the IDF’s advanced technology facilities.

As the city grows, multinational giants, like Deutsche Telecom, Ness Technologies, EMC, and others are setting up R&D facilities in the city, drawing from the graduates of Ben Gurion University’s large body of engineering students. It’s the perfect place, said Tirosh, for JVP to set up its new cybersecurity incubator.

“As computer attacks get more sophisticated, they are more difficult to prevent,” Tirosh told the Times of Israel. “There is a big demand for advanced technology to keep cyberspace safe, and we are actively recruiting companies working in this space that have promising technologies. Beersheba, with its high-tech environment created by Ben Gurion University, the IDF’s large tech facilities, and international R&D facilities, will provide a very supportive environment for our startups. It’s a triangle that will benefit everyone involved,” Tirosh said.

Not long ago, Israel was faced with a major denial of service (DDOS) attack organized by hacker outfit Anonymous, in which hackers tried to overload Israeli computers and choke them with an excess of data. Attacks like those aren’t what Tirosh and many other cybersecurity experts are worried about these days; DDOS attacks are an annoyance, but there are strategies companies and countries can take to prevent them from causing damage. Israel itself utilized many of these techniques during the Anonymous-led #OpIsrael hack attack in April, and as a result, the attack, which was supposed to “destroy Israel’s presence on the Internet,” turned out to be a bust.

[…]



[ISN] Anon posts Filipino president’s phone numbers

http://www.theregister.co.uk/2013/06/17/philippine_anonymous_nabs_president_mobile/
By Phil Muncaster
The Register
17th June 2013

An Anonymous hacktivist has published what he claims to be three telephone numbers belonging to the Philippine president Benigno Simeon Cojuangco Aquino III, including his private mobile number, in a bid to urge voters to confront their leader directly.

Going by the pseudonym “#pR.is0n3r”, the hacker posted the numbers to his 10,000+ followers on Facebook on Friday night alongside the president’s home address and the address of Aquino’s office in the House of Representatives Batasan building.

Beneath the numbers is the message “This is now the chance for your voice to be heard”, alongside an Anonymous logo.

There was no confirmation as to the veracity of the phone numbers but an Aquino spokesman, Ricky Carandang, didn’t sound too happy.

[…]

