Category Archives: Network

If Amazon were in Apple’s position, would it unlock its cloud for the feds?

There’s an easy way to protect your data in the cloud.

As Apple continues to resist FBI demands to unlock a terrorist suspect’s phone, it raises a question: What if Amazon Web Services was ordered to provide access to a customer’s cloud? Would AWS hand the data over to the feds?


Amazon’s terms of service provide us a clue. AWS says it complies with legally binding orders when compelled to do so. Here’s a statement from Amazon’s FAQ on cloud data privacy (which is not written specifically about the Apple-FBI issue):

“We do not disclose customer content unless we’re required to do so to comply with the law or a valid and binding order of a governmental or regulatory body. Governmental and regulatory bodies need to follow the applicable legal process to obtain valid and binding orders, and we review all orders and object to overbroad or otherwise inappropriate ones.”

Most of the time, when ordered to hand over data, Amazon does so. In 2015 AWS received 1,538 subpoenas from law enforcement officials, according to information the company recently began making public. Just over half the time (in 832 cases, or 54% of the time) AWS complied fully with those orders. Another quarter of the time (in 399 cases) Amazon partially responded to the request for information, while in the remaining 20% of cases AWS did not respond to the subpoena.


For customers who are concerned about Amazon handing over their data to the government, there are protections that can be put in place. “There’s a huge market focused on encrypting data stored in the cloud, and giving the customers the keys,” explains 451 Research analyst Adrian Sanabria. If customers use a third-party encryption service to scramble their data and manage the keys themselves, then even if Amazon did hand over the data to the feds, it would be useless. “Yes, it does sometimes create some issues with flexibility and breaking functionality, but it is there as an option if you want it, and (if done properly) AWS (or the government) can’t decrypt the data,” Sanabria says.


AWS offers multiple encryption methods, including ones that are built into some services automatically, like S3 (the Simple Storage Service), and others that customers manage themselves, such as the Hardware Security Module (HSM). AWS’s marketplace offers a variety of additional encryption and security services from independent software vendors.

Amazon says that it notifies customers when there’s been a request for their data to be handed over, unless there’s a compelling reason not to do that; for example, if it’s clear the cloud service is being used for an illegal purpose.

AWS is more stringent about not providing other types of information to the government. In the second half of 2015 alone, AWS received 249 “National security requests” but did not comply with any of them. AWS also received 78 requests from non-U.S. entities, the vast majority of which (60) the company did not respond to.

AWS did not respond to a request to comment on this story.

Microsoft Azure basically has the same policy, according to the company’s website, saying “We do not provide any government with direct or unfettered access to your data except as you direct or where required by law.”

Even with all the concern over providers or the government being able to access data, Sanabria estimates that only a minority of cloud users encrypt data and manage their own keys.

DHS Establishes Information Sharing Capability and Process Required under CISA; Issues Multi-Agency Information Sharing Guidance

The Department of Homeland Security (“DHS”) has posted four documents on the US Computer Emergency Readiness Team (US-CERT) website to satisfy several requirements set forth in the Cybersecurity Information Sharing Act of 2015 (“CISA”). Details on the four documents are provided below.

By way of background, CISA was passed into law on December 18, 2015 and provides authorization for, among other things, the sharing of cyber threat indicators and defensive measures by and between the federal government, private entities, and state, local, and tribal governments.  The law also provides liability protections for non-Federal entities that share or receive cyber threat indicators or defensive measures, provided that these activities are conducted “in accordance with” the Act.  This requires, among other things, that (1) the information shared meets the definitions of cyber threat indicator or defensive measure, as applicable; (2) that the sharing be “for a cybersecurity purpose”; and (3) that the sharing entity comply with the requirement to screen information prior to sharing it for personal information that is not directly related to a cybersecurity threat and remove it.

In addition, when sharing with the federal government via electronic means, liability protections generally attach only if the information is submitted through the capability and process required to be established by DHS under the act.  CISA directs that this be “through electronic mail or media, an interactive form on an Internet website, or a real time, automated process between information systems.”



In keeping with these requirements, the three ways DHS has established for entities to electronically submit cyber threat indicators to the federal government are as follows:

  1. Via DHS’ Automated Indicator Sharing (“AIS”) program, which allows entities to share information with the federal government in real time by connecting through a specialized client to an AIS server operated by DHS’s National Cybersecurity and Communications Integration Center (NCCIC).  Information shared in this manner must conform to the Structured Threat Information eXchange (STIX) and be transmitted via the Trusted Automated eXchange of Indicator Information (TAXII), which are the format and exchange mechanisms, respectively, selected by DHS for real time threat sharing.  Among other features of AIS, DHS notes that it:
    • Performs a series of automated analyses and technical mitigations to ensure that personally identifiable information that is not directly related to a cybersecurity threat is removed before any information is shared (with human review where necessary); and
    • Anonymizes the identity of the submitter of the information, unless the submitter has consented to sharing its identity.
  2. Via email.  When using this method, entities must email “ncciccustomerservice@hq.dhs.gov” and ensure that the shared information conforms to specified formatting requirements.
  3. Via a webform established by DHS for this purpose.

DHS discusses these methods for sharing cyber threat indicators and defensive measures with the federal government in one of the four documents it posted: Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government.  This document, issued by the Secretary of Homeland Security and the Attorney General in consultation with the heads of appropriate federal agencies, “describes the processes for receiving, handling, and disseminating information that is shared pursuant to CISA,” as required under Section 105(a)(1) of CISA.

The other three documents that DHS posted to its website generally satisfy specific directives in CISA to provide additional detail around certain processes, as follows:

  1. Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015: This document responds to Congress’s directive in Section 105(a)(4) of CISA and provides guidance on (1) types of information that would qualify as a cyber threat indicator that would be unlikely to include information that is not directly connected to a cybersecurity threat that is also personal information or personally identifiable information, and (2) types of information protected by otherwise applicable privacy laws and that are unlikely to be directly related to a cybersecurity threat.
  2. Privacy and Civil Liberties Interim Guidelines: Cybersecurity Information Sharing Act of 2015:  Section 105(b)(1) of CISA directs the Attorney General and Secretary of Homeland Security to “jointly develop, submit to Congress, and make available to the public interim guidelines relating to privacy and civil liberties which shall govern the receipt, retention, use, and dissemination of cyber threat indicators by a Federal entity obtained in connection with activities authorized in this title.”  The interim guidelines created in response to this directive direct federal entities to “follow procedures designed to limit the effect on privacy and civil liberties of federal activities under CISA.”  Specifically, the interim guidelines define CISA-specific implementations of the Fair Information Practice Principles (FIPPs) set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace, namely: transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing.
  3. Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015: In response to a directive in Section 103 of CISA, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General, in consultation with the heads of appropriate federal entities, issued these procedures, which “facilitate and promote” the sharing of threat information by the federal government with non-federal entities, such as private entities and state and local governments.  Such sharing falls into the following categories:
    • Timely sharing of classified cyber threat indicators and defensive measures in the possession of the Federal Government with representatives of relevant federal entities and nonfederal entities that have appropriate security clearances;
    • Timely sharing with relevant federal entities and non-federal entities of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government that may be declassified and shared at an unclassified level;
    • Timely sharing with relevant federal entities and non-federal entities, or the public if appropriate, of unclassified, including controlled unclassified, cyber threat indicators and defensive measures in the possession of the Federal Government;
    • Timely sharing with federal entities and non-federal entities, if appropriate, of information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government about cybersecurity threats to such entities to prevent or mitigate adverse effects from such cybersecurity threats; and
    • Periodic sharing, through publication and targeted outreach, of cybersecurity best practices that are developed based on ongoing analyses of cyber threat indicators, defensive measures, and information relating to cybersecurity threats or authorized uses under this title, in the possession of the Federal Government, with attention to accessibility and implementation challenges faced by small business concerns (as defined in Section 3 of the Small Business Act (15 U.S.C. 632)).

The procedures note that the required information sharing is currently implemented through a series of existing programs, of which the procedures provide an overview.  The procedures also provide an overview of the roles and responsibilities of federal entities, non-federal entities, and Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) in the information sharing context.

JOHN MCAFEE: I’ll decrypt the San Bernardino phone free of charge so Apple doesn’t need to place a back door on its product

Cybersecurity expert John McAfee is running for president in the US as a member of the Libertarian Party. This is an op-ed article he wrote and gave us permission to run.

Using an obscure law, written in 1789 — the All Writs Act — the US government has ordered Apple to place a back door into its iOS software so the FBI can decrypt information on an iPhone used by one of the San Bernardino shooters.

It has finally come to this. After years of arguments by virtually every industry specialist that back doors will be a bigger boon to hackers and to our nation’s enemies than publishing our nuclear codes and giving the keys to all of our military weapons to the Russians and the Chinese, our government has chosen, once again, not to listen to the minds that have created the glue that holds this world together.

This is a black day and the beginning of the end of the US as a world power. The government has ordered a disarmament of our already ancient cybersecurity and cyberdefense systems, and it is asking us to take a walk into that near horizon where cyberwar is unquestionably waiting, with nothing more than harsh words as a weapon and the hope that our enemies will take pity at our unarmed condition and treat us fairly.

Any student of world history will tell you that this is a dream. Would Hitler have stopped invading Poland if the Polish people had sweetly asked him not to do so? Those who think yes should stand strongly by Hillary Clinton’s side, whose cybersecurity platform includes negotiating with the Chinese so they will no longer launch cyberattacks against us.

The FBI, in a laughable and bizarre twist of logic, said the back door would be used only once and only in the San Bernardino case.

Tim Cook, CEO of Apple, replied:

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.


No matter how you slice this pie, if the government succeeds in getting this back door, it will eventually get a back door into all encryption, and our world, as we know it, is over. In spite of the FBI’s claim that it would protect the back door, we all know that’s impossible. There are bad apples everywhere, and there only needs to be one in the US government. Then a few million dollars, some beautiful women (or men), and a yacht trip to the Caribbean might be all it takes for our enemies to have full access to our secrets.

Cook said:

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The fundamental question is this: Why can’t the FBI crack the encryption on its own? It has the full resources of the best the US government can provide.

With all due respect to Tim Cook and Apple, I work with a team of the best hackers on the planet. These hackers attend Defcon in Las Vegas, and they are legends in their local hacking groups, such as HackMiami. They are all prodigies, with talents that defy normal human comprehension. About 75% are social engineers. The remainder are hardcore coders. I would eat my shoe on the Neil Cavuto show if we could not break the encryption on the San Bernardino phone. This is a pure and simple fact.

And why do the best hackers on the planet not work for the FBI? Because the FBI will not hire anyone with a 24-inch purple mohawk, 10-gauge ear piercings, and a tattooed face who demands to smoke weed while working and won’t work for less than a half-million dollars a year. But you bet your ass that the Chinese and Russians are hiring similar people with similar demands and have been for many years. It’s why we are decades behind in the cyber race.


Cyberscience is not just something you can learn. It is an innate talent. The Juilliard School of Music cannot create a Mozart. A Mozart or a Bach, much like our modern hacking community, is genetically created. A room full of Stanford computer science graduates cannot compete with a true hacker without even a high-school education.

So here is my offer to the FBI. I will, free of charge, decrypt the information on the San Bernardino phone, with my team. We will primarily use social engineering, and it will take us three weeks. If you accept my offer, then you will not need to ask Apple to place a back door in its product, which will be the beginning of the end of America.

If you doubt my credentials, Google “cybersecurity legend” and see whose name is the only name that appears in the first 10 results out of more than a quarter of a million.

Hackers Are Holding an LA Hospital’s Computers Hostage


Ransomware attacks, in which hackers lock your computer or keyboard until you pay a ransom, are on the rise. The latest notable ransomware victim is Hollywood Presbyterian Medical Center in Los Angeles, whose computers have been offline for over a week. The computers will come back online, the hackers reportedly say, in exchange for $3.4 million, paid in bitcoin.

The Hack

The incident, first reported by a local NBC affiliate, affects the Los Angeles hospital’s computer systems, including those needed for lab work, pharmaceutical orders, and even the emergency room.

While the hospital’s spokesperson was unavailable to comment, HPMC president and CEO Allen Stefanek told KNBC that it was “clearly not a malicious attack; it was just a random attack.” It’s not clear what he means, though; a hospital in a wealthy neighborhood seems unlikely to be a random target, especially for such a large sum.

As WIRED explained last fall, while ransomware has been around for over a decade, hackers have been embracing increasingly sophisticated methods. In the past, ransomware could only lock down a target’s keyboard and computer; now, hackers can encrypt an infected system’s files with a private key known only to the attacker. That may be what has happened here, according to anonymous hospital sources who told NBC4 that the hackers offered a “key” in exchange for the ransom money. The hospital has yet to officially detail the attack.



Who’s Affected

Stefanek told NBC4 that patient care hasn’t suffered, although some 911 patients have been sent to other nearby hospitals. Meanwhile, it appears to mostly add up to a headache for those in the HPMC system because hospital staff have had to write all documentation out by hand for the last week. Some patients, meanwhile, need to drive to more remote hospitals for medical tests that HPMC cannot offer without a functioning network.

The fallout appears limited to this one hospital, though, and even within its walls the impact seems annoying, but not crippling. HPMC says it’s working with the FBI, LAPD, and computer forensics experts to recover its systems.

How Bad Is It?

Given the degree of things that could potentially go wrong at the intersection of hospitals and hackers, this isn’t so terrible. But in terms of the scale of the ransomware, it’s about as bad as it gets. Symantec recently pegged the total amount of ransomware paid out in any given year at $5 million. This single incident asks for well over half that amount.

The bigger impact may not be clear until after the incident is resolved. If the hospital ends up paying out, it could inspire copycat attacks. If not, and the hackers are identified, it could act as a deterrent. Either way, for now it shows that no target is off limits for ransomware, nor is any sum.

Verizon Shutting Down Public Cloud, Gives Users One Month to Move Data

Verizon Communications, which several years ago had huge public cloud ambitions, is shutting down its public cloud service, which competes head to head with giants like Amazon Web Services and Microsoft Azure.

The company notified its cloud customers of the coming change Thursday, giving them one month to move their data or lose it forever. It has already removed any mention of public cloud compute services from its website.

The move appears to be a confirmation of what many in the industry have been predicting, especially since news started coming out of big telcos looking to offload massive data center portfolios they had amassed in recent years to go after the cloud services market. It has become almost impossible to compete with AWS, Azure, and to a lesser extent with Google Cloud Platform in the market for renting virtual compute power over the internet and charging by the hour.

In competing with each other, these giants have made the cost of using cloud VMs so low and built out global infrastructure so big that no one can really manage to keep up. HP made several attempts to become a public cloud provider but failed, and so did Dell. Notably, IBM is still in the market, gradually expanding its cloud data center capacity around the world.


Publicly, Verizon has been quiet about its plan to discontinue public cloud services, one of its spokespeople telling Fortune the closure affected a “cloud service that accepts credit card payments…” The world learned about it from a tweet by one of its cloud customers, who posted the entire notice, giving customers the deadline of April 12 to move their data elsewhere:


A Verizon spokeswoman did not respond to a request for comment from Data Center Knowledge in time for publication.

The company is offering its Virtual Private Cloud services as an alternative. These are dedicated, physically isolated cloud environments. They are usually a lot more expensive than public cloud services, where many customer VMs run on shared physical servers.

“Please take steps now to plan for migration to VPC or another alternative before the discontinuation date,” the notice read. “Verizon will retain no content or data remaining on these Cloud Spaces after that date and any content or data that you do not transfer prior to discontinuation will be irrecoverably deleted.”

Services being shut down are Public Cloud and Reserved Performance Cloud Spaces. Public cloud storage services will remain intact.

Kenneth White, the user who posted Verizon’s notice on Twitter, is a security researcher and co-founder of the Open Crypto Audit Project. In another tweet, he referred to Verizon’s “credit card payment” response to Fortune as spin:

One of the people who commented under White’s original tweet was involved in one of HP’s failed early efforts to build a public cloud business, saying those efforts stood little chance against AWS:

The commenter, Tim Pletcher, was a senior engineering manager at HP between 2011 and 2014, according to his LinkedIn profile.

Gartner analyst Lydia Leong, one of the top industry analysts covering cloud services, wrote in a tweet that although the technology behind Verizon’s public cloud was impressive, going from vision to successful product is a difficult road:

Another one bites the dust !!!!!

FBI Still Can’t Access San Bernardino Shooter’s Encrypted Phone

Although the phone has been taken as evidence, there is still no way to find out what information it holds due to the encryption key that only the owner can unlock.


The FBI still cannot unlock the encrypted cellphone of one of the San Bernardino shooters more than two months after the California terrorist attack.

FBI Director James Comey told the Senate Intelligence Committee on Tuesday that his agency’s inability to access the information in the retrieved phone is an example of the effect on law enforcement of the growing use of encryption technology.

Comey said the problem of “going dark” is overwhelmingly affecting law enforcement at all levels.

“It affects cops and prosecutors and sheriffs and detectives trying to make murder cases, car accident cases, kidnapping cases, drug cases,” Comey said.

He said the biggest concern was phones that automatically locked and secured all information inside.

“It is a big problem for law enforcement armed with a search warrant, when you find a device that can’t be opened even when a judge said there’s probable cause to open it,” Comey said.

Sen. Dianne Feinstein of California, the ranking Democrat on the committee, and the committee’s chairman, Sen. Richard Burr, R-N.C., have said they are considering legislation that would compel manufacturers to provide law enforcement access to encrypted data when there’s a court order. Industry associations have opposed such proposals.

While encryption issues are more common in local criminal cases, counterterrorism investigations are also affected, Comey said. He cited the December attack in San Bernardino, in which Syed Rizwan Farook and Tashfeen Malik killed 14 people at a holiday party.

“In San Bernardino, a very important investigation to us, we still have one of those killers’ phones that we have not been able to open. It’s been over two months now; we’re still working on it,” Comey said.

Comey previously told Congress that investigators could not read more than 100 text messages that one of the shooters who attacked a cartoon contest in Garland, Texas, last year exchanged with an “overseas terrorist.” The contest was to draw caricatures of the Prophet Muhammad.

Privacy advocates who oppose limits on encryption argue that giving such backdoor access to data opens devices to thieves and hackers. A recent report from Harvard University’s Berkman Center for Internet and Society concluded that law enforcement fears of encryption are exaggerated, in part because increasingly sophisticated technology is opening up other ways for police to conduct surveillance.

National Intelligence Director James Clapper told the senators that he thinks the government and tech companies should be able to work out a solution without resorting to legislation.

“I’m not sure we’ve exhausted all the possibilities here technologically,” Clapper said.

Adm. Michael Rogers, director of the National Security Agency, said “encryption is foundational to the future.” The challenge, he said, is finding the balance between privacy and security.

Security for Wireless Devices

The subject of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts:

  • Even back in 2013, 98 percent of U.S. small businesses used wireless technologies in their operations according to an AT&T poll.
  • The Internet of Things (IoT) is rapidly expanding, and it is based firmly on wireless. For example, many home and office security systems are wireless.
  • Mobile phones are becoming the main avenue to the Internet for an increasing number of people all over the world.

So it makes sense that wireless security should be a big concern.

Wireless technologies are more vulnerable than wired technologies

Keep in mind that many businesses have wired and wireless networks. Wireless devices are vulnerable to any attacks that may be made on wired devices. But there are many more threats to wireless networks. This is because wireless transmits data over the air. The air cannot be secured. So wireless technologies must incorporate more safeguards against eavesdropping and man-in-the-middle attacks than wired technologies.

For example, man-in-the-middle attacks in a wireless environment are child’s play. An attacker connects to the Internet and configures a laptop to look like a legitimate wireless access point (AP). Victims wanting Internet access unwittingly connect through the bogus AP. Furthermore, the attacker can launch a de-authentication attack, causing devices already connected to a legitimate AP to drop their connection and to automatically reconnect to the attacker’s AP. The attacker now has unlimited access to data transmitted by any attached user since wireless operates at Layer 2. Layer 3 protections such as encryption, network authentication, and virtual private networks (VPNs) cannot protect against this scenario.

Two wireless devices can communicate without involving the access point. This is clearly not a possibility in the wired world. So not only must there be protection against external threats, but also against other devices attached to the AP.

Denial of Service attacks are a danger to any network, but especially with the restricted bandwidth of wireless networks.
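The bogus-AP and de-authentication scenario described above can be watched for from the defender's side. The following is an added example, not part of the original article: it compares constructed beacon observations against an assumed inventory of authorized access points and flags bursts of de-authentication frames. The SSID, BSSIDs, record layout and thresholds are assumptions chosen for illustration.

```python
"""Flag likely rogue access points and de-authentication bursts (added example)."""

# Assumed inventory of the organisation's own APs, keyed by BSSID (constructed values).
AUTHORIZED_APS = {
    "02:00:00:aa:00:01": {"ssid": "CorpWiFi", "security": "WPA2-Enterprise", "channel": 1},
    "02:00:00:aa:00:02": {"ssid": "CorpWiFi", "security": "WPA2-Enterprise", "channel": 6},
}

# Constructed beacon observations, shaped like the output of a wireless sensor.
SAMPLE_BEACONS = [
    {"bssid": "02:00:00:aa:00:01", "ssid": "CorpWiFi", "security": "WPA2-Enterprise", "channel": 1},
    {"bssid": "02:00:00:aa:00:02", "ssid": "CorpWiFi", "security": "WPA2-Enterprise", "channel": 6},
    # Unknown radio advertising the corporate SSID with no protection.
    {"bssid": "02:00:00:ee:00:99", "ssid": "CorpWiFi", "security": "Open", "channel": 6},
    # Known BSSID seen with settings that do not match the inventory.
    {"bssid": "02:00:00:aa:00:01", "ssid": "CorpWiFi", "security": "WPA2-PSK", "channel": 11},
    # Unrelated neighbouring network: not our SSID, so not our concern.
    {"bssid": "02:00:00:cc:00:05", "ssid": "CoffeeShop", "security": "Open", "channel": 3},
]

# Constructed de-authentication frame records: (timestamp in seconds, BSSID, client MAC).
SAMPLE_DEAUTHS = (
    [(100.0 + i * 0.8, "02:00:00:aa:00:02", "02:00:00:11:00:0%d" % (i % 3)) for i in range(6)]
    + [(50.0, "02:00:00:aa:00:01", "02:00:00:11:00:07"),
       (400.0, "02:00:00:aa:00:01", "02:00:00:11:00:07")]
)


def find_rogue_beacons(beacons, authorized=AUTHORIZED_APS):
    """Return (bssid, reason) pairs for beacons that contradict the AP inventory."""
    protected_ssids = {ap["ssid"] for ap in authorized.values()}
    findings = []
    for beacon in beacons:
        bssid = beacon["bssid"].lower()
        known = authorized.get(bssid)
        if known is None:
            # A radio we do not own is only interesting if it uses one of our SSIDs.
            if beacon["ssid"] in protected_ssids:
                findings.append((bssid, "unknown BSSID advertising protected SSID"))
            continue
        # A known BSSID with different settings suggests a spoofed BSSID or a
        # misconfigured AP. An exact clone passes this check, which is why the
        # de-authentication check below is a separate signal.
        for field in ("ssid", "security", "channel"):
            if beacon[field] != known[field]:
                findings.append((bssid, f"{field} differs from inventory"))
    return findings


def find_deauth_bursts(frames, window_s=10.0, threshold=5):
    """Return BSSIDs with at least `threshold` deauth frames inside any window."""
    times_by_bssid = {}
    for timestamp, bssid, _client in frames:
        times_by_bssid.setdefault(bssid.lower(), []).append(timestamp)

    flagged = []
    for bssid, times in sorted(times_by_bssid.items()):
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_s seconds.
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(bssid)
                break
    return flagged


if __name__ == "__main__":
    for bssid, reason in find_rogue_beacons(SAMPLE_BEACONS):
        print(f"ROGUE-AP  {bssid}  {reason}")
    for bssid in find_deauth_bursts(SAMPLE_DEAUTHS):
        print(f"DEAUTH    {bssid}  burst of de-authentication frames")
```
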

Wireless Security measures that don’t work

Some sources recommend wireless security measures that are not effective for business. Here are three examples:

  1. Most wireless configurations provide MAC filtering. Here, an administrator enters a list of the MAC addresses (Layer 2 addresses) of authorized devices. A device with a MAC address that is not on the list is blocked. But any attacker with sniffing software can easily find authorized MAC addresses since MAC addresses in Layer 2 headers are not encrypted. The attacker simply changes his own MAC address, via widely-available software, to an authorized address, and he’s “in”.
  2. In setting up a wireless network connection, there is normally an option to hide the SSID (Service Set Identifier). This keeps the connection from appearing on a list, but does not prevent anyone from using the connection.
  3. Static IP addressing stops attackers from being assigned DHCP addresses. It does not block a knowledgeable attacker.

Recommended strategies to implement a wireless network

There are different approaches depending on the size of the organization and the level of in-house IT expertise:

  1. Create a completely isolated wireless network: Users must authenticate and have acceptable security software before they can connect to the Internet or, for that matter, to any local network resources. This approach requires a Network Access Server.
  2. Forward all web traffic to a proxy server which provides authentication and authorization.
  3. Require users to access resources through a virtual private network (VPN). VPNs provide encryption from the user’s location to the destination router (remote-access VPNs) or from the user’s router to the destination router (site-to-site VPNs). There are numerous implementations of VPNs including PPTP, L2TP, IPsec, and SSH.

Using end-to-end encryption would be ideal. However, not all intervening software and hardware may support encryption. For example, not all web sites offer HTTPS, and even if they do, the browser sends out IP addresses in clear text. The next best alternative is to require users to connect to the company network through VPNs.

Of course, authentication is critical. IEEE 802.11i Wi-Fi Protected Access II (WPA2) should be used. For authentication, there are alternatives:

  • Pre-shared key (PSK) – This is normally used only in a home environment and provides Advanced Encryption Standard (AES) encryption.
  • EAPOL (Extensible Authentication Protocol over LANs) with 802.1X and an authentication server such as RADIUS or DIAMETER: There are open-source RADIUS servers that could easily accommodate the needs of most businesses.
  • EAPOL with EAP-TLS: The majority of implementations require client-side X.509 certificates.

A hardware or software card or token can be used in combination with the above authentication techniques, depending on the vendor.
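The checks below turn the advice above into a small configuration audit. It is an added example, not part of the original article, and it assumes the access point runs hostapd; both sample configurations and the RADIUS address are constructed.

```python
# Constructed sample: leans on MAC filtering and a hidden SSID, with WPA/TKIP and a PSK.
WEAK_CONF = """\
ssid=corp-wifi
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""

# Constructed sample: WPA2 (RSN), AES-CCMP, 802.1X against a RADIUS server.
HARDENED_CONF = """\
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=REPLACE_ME
"""

def parse(text):
    """Return the key=value pairs of a hostapd-style file, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return sorted 'SEVERITY:code' findings for one configuration."""
    c, out = parse(text), set()
    if c.get("macaddr_acl", "0") != "0":
        out.add("INFO:mac-filter-is-spoofable")      # not an access control
    if c.get("ignore_broadcast_ssid", "0") != "0":
        out.add("INFO:hidden-ssid-is-not-a-control")
    if c.get("wpa") != "2":
        out.add("FAIL:wpa2-not-enforced")            # wpa=1 or 3 still allows WPA
    ciphers = (c.get("rsn_pairwise") or c.get("wpa_pairwise") or "").split()
    if ciphers != ["CCMP"]:
        out.add("FAIL:cipher-not-aes-ccmp-only")
    mgmt = c.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in mgmt:
        out.add("WARN:pre-shared-key-in-use")        # home use only per the article
    if "WPA-EAP" in mgmt and (c.get("ieee8021x") != "1" or "auth_server_addr" not in c):
        out.add("FAIL:eap-without-8021x-or-radius")
    return sorted(out)
```

`audit(WEAK_CONF)` reports five findings, while `audit(HARDENED_CONF)` reports none.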

Finally…

Educate your users about the dangers of using public wireless. Be aware of “shoulder surfing” in public wireless areas. An attacker doesn’t necessarily have to be a computer genius.

DNI announces CTIIC leadership

Director of National Intelligence James Clapper has named a career FBI analyst and an Iraq War veteran to head up the cyber intelligence center that the White House ordered created after the massive hack of Sony Pictures Entertainment.

Tonya Ugoretz, the FBI’s former chief intelligence officer, will head the Cyber Threat Intelligence Integration Center. She has done stints at the CIA, Department of Homeland Security and National Intelligence Council, and is listed as an adjunct associate professor at Georgetown University.

Maurice Bland, who most recently was the National Security Agency’s associate deputy director for cyber, will serve as Ugoretz’s deputy. Bland has done two combat tours in Iraq and Afghanistan, according to his official biography.

Ugoretz and Bland could be talking face-to-face with President Obama following the next large-scale hack of U.S. assets.

Clapper also tapped Thomas Donahue, a nearly three-decade veteran of the CIA with a PhD in electrical engineering, as CTIIC’s research director. The center will “build understanding of cyber threats to inform government-wide decision-making,” Clapper said in a statement.

The White House announced the creation of CTIIC last February. It is based at the Office of the Director of National Intelligence, and is modeled after the National Counterterrorism Center in an effort to “connect the dots” on cyber threats. Michael Daniel and Lisa Monaco, respectively the top White House advisers on cybersecurity and counterterrorism, have been the driving forces behind CTIIC, according to an administration official involved in the agency’s standup.

CTIIC is meant to fill a void in the bureaucratic chain of command wherein Obama had no one entity to turn to for an all-source briefing on foreign cyber threats. That void became abundantly clear to White House officials after the digital destruction of Sony Pictures’ IT systems in November 2014.

The agency got off to a rocky start. House lawmakers were irked that they didn’t get a heads-up on its creation, and DHS officials were worried that the new agency might encroach on their own work.

But several months later, agency turf battles that appeared ready to unfold have been quieted, and there is agreement on Capitol Hill on the need for CTIIC, according to the administration official. The omnibus package funding the government this fiscal year includes money for CTIIC; the exact amount of funding is classified.

“CTIIC is vital because the foreign cyber threats we face as a nation are increasing in volume and sophistication,” DHS Deputy Secretary Alejandro Mayorkas said in a statement. “The CTIIC will help DHS better understand various cyber threats and provide targeted intelligence community support” to the department’s own cyber threat center.

Bland’s battlefield experience could come in handy, as there is increasingly a cyber dimension to kinetic war. A key to the “surge” of U.S. troops in Iraq in 2007 was an accompanying surge in cyber weapons that the NSA unleashed, as journalist Shane Harris reported in his book “@War.”

Bland’s LinkedIn profile touts his experience “leading numerous efforts regarding the organization of cyber units, policy, and authorities related to cyber operations.”

Drone Technology Will Revolutionize Security

 

According to John Minor, Campus Safety Magazine, advances in drone technology will revolutionize campus security.

And he is on target, so to speak. Drone technology will also revolutionize the tactics and techniques for the military and law enforcement in a world becoming increasingly violent and crime-prone. Gone are the days when commanders and cops sent out scouts to surveil and predict enemy or crooks' movement. Now, they can put up a drone eyeball and kill the enemy and effectively stop the crooks. Drone bomb drops are now feared by the Islamic Terrorists and likewise, legitimate law enforcement surveillance technology like wire taps and drones will also send shivers up the spines of drug cartels, mafia members, and street thugs. Information is power and drones will certainly send timely information/intelligence to those who keep us safe because.

Commercial drones can be expected to become a key part of future security and surveillance systems, and serve as an especially good fit for the security needs of universities and schools. Drones offer many benefits that stationary cameras cannot, and act as a fast-launching, easy-to-operate, portable and cheap replacement. Unlike fixed video surveillance systems, drones can be deployed at a moment’s notice, and monitor hard-to-reach and high-risk locations. The technology can also provide first responders with real-time situational awareness during campus emergencies. Drones offer a more comprehensive security surveillance system, and could likely be used for many security applications–potential areas including banks, transportation, construction sites, and more. Some of these applications are already underway, such as at BP, which uses drones to inspect the security of oil facilities in Alaska. The company employs 6-foot-long, fixed-wing Puma Aerovironment drones to conduct aerial surveys, and was the first company to obtain FAA approval to do so.

See additional information on drones: The Digital Age