The federal government and industry have been urged to work together to share information on cyber security threats and attacks to counter the increasing sophistication of cyber adversaries.
According to security vendor Palo Alto Networks’ APAC chief security officer, Sean Duca, the threat landscape in Australia, and around the world, is not abating and those looking to penetrate security are becoming more sophisticated, sharing tools, exploits and attack methods, and automating their processes. “In doing so, they have achieved a clear competitive advantage in cyberspace and are eroding trust in today’s digital age.”
Duca urged the federal government, with industry, to quickly put into action the recommendations for greater cyberthreat information sharing laid out in the government’s new Cyber Security Strategy announced in April.
“Cybersecurity threat information sharing within and across industries and with the public sector must be embraced by everyone. The faster organisations can share information, the better we can serve to protect each other and push the cost back to the adversary.
“Until the public and private sectors truly collaborate to build systemic information sharing partnerships, it’s like we’re combatting our adversaries with technological weapons that have no ammunition.”
According to Duca, cybersecurity provides longevity to a business and can help differentiate the business from its competitors – “for both good and not so good reasons”.
“Organisations, both in the public and private sector, need to have strong cybersecurity fundamentals to provide trust and confidence to citizens, businesses and customers alike.”
Duca says Australian industry can play a valuable role in combatting cybersecurity threats by participating in voluntary cyberthreat information sharing.
He says “operationalising” threat information sharing, both within and across industries, and between the private and public sectors, will dramatically shift the balance of power, close the competitive gap, “and realise exponential leverage against cyber adversaries by driving up the cost of successful attacks”.
Here’s what information Duca says should be shared between the private and public sectors:
• Threat Indicators: forensic artefacts that describe the attacker’s methodology;
• Adversary’s campaign plan: a collection of threat indicators for each link in the cyberattack lifecycle attributed to a specific adversary group;
• Context: additional non-campaign plan intelligence about an adversary group that is helpful for organisations to understand the adversary. This includes things like motivation, country of origin, and typical targets;
• Adversary dossier: campaign plans + context – a collection of threat indicators attributed to a specific adversary campaign or playbook (campaign plans), plus any additional context about the adversary group.
“Our mission should be to share all of the above but, most importantly, an adversary group dossier. Doing so will enhance the assessment of the adversary group’s potential, material impact to the targeted organisation, giving a better opportunity for that organisation to detect and prevent the attack, as well as deter an adversary,” Duca observes.
He cautions that while the information to be shared is itself important, it must be actionable and must arrive as close to real time as possible.
“As we have observed in some of the largest breaches, the best resourced security teams cannot scale manual responses to automated threats – only through automating prevention and detection can organisations be fast enough to adequately secure networks.”
According to Duca, government and industry must collaboratively build a “robust, automated information sharing architecture”, capable of turning threat indicators into widely distributed security protections in near-real time.
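As an added illustration (not code from the article or from Palo Alto Networks) of the four categories listed above and of the "indicator to protection" automation described here, the block below models a dossier, compiles only still-timely indicators into a lookup an enforcement point could load, and matches constructed events against it. Group names, indicators, timestamps and events are all made up, and the age threshold is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    """Threat indicator: a forensic artefact describing attacker methodology."""
    kind: str         # e.g. "email_sender", "domain", "file_sha256"
    value: str
    phase: str        # link in the attack lifecycle where it was observed
    shared_at: float  # epoch seconds when the producer shared it

@dataclass
class CampaignPlan:
    """Indicators for each lifecycle link, attributed to one adversary group."""
    group: str
    indicators: list

@dataclass
class Context:
    """Non-campaign intelligence: motivation, origin, typical targets."""
    motivation: str
    origin: str
    typical_targets: list

@dataclass
class Dossier:
    """Campaign plans plus context: the unit the article says is most worth sharing."""
    group: str
    plans: list
    context: Context

def compile_protections(dossier, now, max_age_s):
    """Turn a dossier into a lookup (kind, value) -> (group, phase).
    Indicators older than max_age_s are dropped so that only still-actionable
    ones are pushed to enforcement points (mail gateway, DNS filter, EDR)."""
    table = {}
    for plan in dossier.plans:
        for ind in plan.indicators:
            if now - ind.shared_at <= max_age_s:
                table[(ind.kind, ind.value)] = (plan.group, ind.phase)
    return table

def match_events(protections, events):
    """events: dicts with 'kind' and 'value'. Returns the hits and the sorted
    lifecycle phases they cover, so responders see how far a campaign has got."""
    hits = []
    for ev in events:
        found = protections.get((ev["kind"], ev["value"]))
        if found:
            hits.append({"event": ev, "group": found[0], "phase": found[1]})
    return hits, sorted({h["phase"] for h in hits})

NOW = 1_000_000.0  # constructed reference time (epoch seconds)

# Constructed dossier for a hypothetical group; the hash is a placeholder.
SAMPLE_DOSSIER = Dossier(
    group="Sample-Group-1",
    plans=[CampaignPlan("Sample-Group-1", [
        Indicator("email_sender", "invoice@example-lure.test", "delivery", NOW - 60),
        Indicator("domain", "update.example-c2.test", "command_and_control", NOW - 120),
        Indicator("file_sha256", "0" * 64, "installation", NOW - 10_000_000),  # stale
    ])],
    context=Context("financial", "unknown", ["healthcare", "finance"]),
)

# Constructed events as a receiving organisation might see them in its own logs.
SAMPLE_EVENTS = [
    {"kind": "email_sender", "value": "invoice@example-lure.test"},
    {"kind": "domain", "value": "update.example-c2.test"},
    {"kind": "domain", "value": "www.example.org"},  # benign
]

if __name__ == "__main__":
    hits, phases = match_events(compile_protections(SAMPLE_DOSSIER, NOW, 86_400), SAMPLE_EVENTS)
    print(len(hits), "hits; lifecycle phases seen:", phases)
```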
He acknowledges that there is apprehension amongst some Australian organisations that information sharing could negatively impact them, and that many feel that by sharing information that could be classified as sensitive and privileged, “they would be giving the upper hand to their competitors”.
“This sentiment from the business community is valid and should be acknowledged. But, as noted above, we should focus on sharing attack information – not information on who has been breached.”
Duca also lists other challenges and “perceived barriers” to greater cyberthreat information sharing that he maintains should be addressed:
• Privacy: Laws should not unduly prohibit the sharing of personal information that is necessary to identify and prevent attacks. At the same time, the Australian government should ensure that there are responsible privacy protections in place related to cyberthreat information sharing.
• Trust among private sector competitors: Some organisations consider cyberthreat information to be their own proprietary intellectual property (IP) and do not want to share it. We need to reverse this notion. The more one continues to treat this information as IP, and the more it is kept in silos within our own organisations, the greater opportunity the adversary has to strike again. Adversaries share tools, exploits and attack methods – so should we. Everyone should have access to the same body of threat information and collaborate to quickly translate it into security controls to use within their own organisations and their collective customer base.
• Antitrust concerns: There is a fear among some companies that sharing threat information between organisations makes them vulnerable to antitrust violations. The Australian government should clarify that cybersecurity threat information voluntarily shared, or received, by a private entity with another private entity is exempt from antitrust laws.
• Over-classification: The government, in some instances, may “over-classify” cyberthreat information it receives from both internal and external sources. It takes a significant effort — and valuable time — to declassify that same information to share with private companies and the public at large.
Secret FBI rules allow agents to obtain journalists’ phone records with approval from two internal officials — far less oversight than under normal judicial procedures.
The classified rules, obtained by The Intercept and dating from 2013, govern the FBI’s use of National Security Letters, which allow the bureau to obtain information about journalists’ calls without going to a judge or informing the news organization being targeted. They have previously been released only in heavily redacted form.
Media advocates said the documents show that the FBI imposes few constraints on itself when it bypasses the requirement to go to court and obtain subpoenas or search warrants before accessing journalists’ information.
The rules stipulate that obtaining a journalist’s records with a National Security Letter (or NSL) requires the sign-off of the FBI’s general counsel and the executive assistant director of the bureau’s National Security Branch, in addition to the regular chain of approval. Generally speaking, there are a variety of FBI officials, including the agents in charge of field offices, who can sign off that an NSL is “relevant” to a national security investigation.
There is an extra step under the rules if the NSL targets a journalist in order “to identify confidential news media sources.” In that case, the general counsel and the executive assistant director must first consult with the assistant attorney general for the Justice Department’s National Security Division.
But if the NSL is trying to identify a leaker by targeting the records of the potential source, and not the journalist, the Justice Department doesn’t need to be involved.
The guidelines also specify that the extra oversight layers do not apply if the journalist is believed to be a spy or is part of a news organization “associated with a foreign intelligence service” or “otherwise acting on behalf of a foreign power.” Unless, again, the purpose is to identify a leak, in which case, the general counsel and executive assistant director must approve the request.
“These supposed rules are incredibly weak and almost nonexistent — as long as they have that second sign-off they’re basically good to go,” said Trevor Timm, executive director of the Freedom of the Press Foundation, which has sued the Justice Department for the release of these rules. “The FBI is entirely able to go after journalists and with only one extra hoop they have to jump through.”
A spokesperson for the FBI, Christopher Allen, declined to comment on the rules or say if they had been changed since 2013, except to say that they are “very clear” that “the FBI cannot predicate investigative activity solely on the exercise of First Amendment rights.”
The Obama administration has come under criticism for bringing a record number of leak prosecutions, and aggressively targeting journalists in the process. In 2013, after it came out that the Justice Department had secretly seized records from phone lines at the Associated Press and surveilled Fox News reporter James Rosen, then-Attorney General Eric Holder tightened the rules for when prosecutors could go after journalists. The new policies emphasized that reporters would not be prosecuted for “newsgathering activities,” and that the government would “seek evidence from or involving the news media” as a “last resort” and an “extraordinary measure.” The FBI could not label reporters as co-conspirators in order to try to identify their sources — as had happened with Rosen — and it became more difficult to get journalists’ phone records without notifying the news organization first.
Yet these changes did not apply to NSLs. Those are governed by a separate set of rules, laid out in a classified annex to the FBI’s operating manual, known as the Domestic Investigations and Operations Guide, or DIOG. The full version of that guide, including the classified annex, was last made public in redacted form in 2011.
The section of the annex on NSLs obtained by The Intercept dates from October 2013 and is marked “last updated October 2011.” It is classified as secret with an additional restriction against distribution to any non-U.S. citizens.
Emails from FBI lawyers in 2015, which were released earlier this year to the Freedom of the Press Foundation, reference an update to this portion of the DIOG, but it is not clear from the heavily redacted emails what changes were actually made.
In a January 2015 email to a number of FBI employee lists, James Baker, the general counsel of the FBI, attached the new attorney general’s policy and wrote that “with the increased focus on media issues,” the FBI and Justice Department would “continue to review the DIOG and other internal policy guides to determine if additional changes or requirements are necessary.”
“Please be mindful of these media issues,” he continued, and advised consulting with the general counsel’s office “prior to implementing any techniques targeting the media.” But the email also explicitly notes that the new guidelines do not apply to “national security tools.”
Allen, the FBI spokesperson, told The Intercept in an emailed statement that “the FBI periodically reviews and updates the DIOG as needed” and that “certainly the FBI’s DIOG remains consistent with all [Attorney General] Guidelines.”
Bruce Brown, executive director of the Reporters Committee for Freedom of the Press, said that the “use of NSLs as a way around the protections in the guidelines is a serious concern for news organizations.”
Last week, the Reporters Committee filed a brief in support of the Freedom of the Press Foundation’s lawsuit for the FBI’s NSL rules and other documents on behalf of 37 news organizations including The Intercept’s publisher, First Look Media. (First Look also provides funding to both the Reporters Committee and the Freedom of the Press Foundation, and several Intercept staffers serve on the foundation’s board.)
Seeing the rules in their uncensored form, Timm, of the Freedom of the Press Foundation, said that the FBI should not have kept them classified.
“Redacting the fact that they need a little extra sign-off from supervisors doesn’t come close to protecting state secrets,” he said.
The FBI issues thousands of NSLs each year, including nearly 13,000 in 2015. Over the years, a series of Inspector General reports found significant problems with their use, yet the FBI is currently pushing to expand the types of information it can demand with an NSL. The scope of NSLs has long been limited to basic subscriber information and toll billing information — which number called which, when, and for how long — as well as some financial and banking records. But the FBI had made a habit of asking companies to hand over more revealing data on internet usage, which could include email header information (though not the subject lines or content of emails) and browsing history. The 2013 NSL rules for the media only mention telephone toll records.
Another controversial aspect of NSLs is that they come with a gag order preventing companies from disclosing even the fact that they’ve received one. Court challenges and legislative changes have loosened that restriction a bit, allowing companies to disclose how many NSLs they receive, in broad ranges, and in a few cases, to describe the materials the FBI had demanded of them in more detail. Earlier this month, Yahoo became the first company to release three NSLs it had received in recent years.
It’s unclear how often the FBI has used NSLs to get journalists’ records. Barton Gellman, of the Washington Post, has said that he was told his phone records had been obtained via an NSL.
The FBI could also potentially demand journalists’ information through an application to the Foreign Intelligence Surveillance Court (or FISA court), which, like NSLs, would also not be covered by the Justice Department policy. The rules for that process are still obscure. The emails about revisions to the FBI guidelines reference a “FISA portion,” but most of the discussion is redacted.
For Brown, of the Reporters Committee, the disclosure of the rules “only confirms that we need information about the actual frequency and context of NSL practice relating to newsgathering and journalists’ records to assess the effectiveness of the new guidelines.”
By Cora Currier
FBI’s Secret Surveillance Tech Budget Is ‘Hundreds of Millions’
The FBI has “hundreds of millions of dollars” to spend on developing technology for use in both national security and domestic law enforcement investigations — but it won’t reveal the exact amount.
Deputy Assistant Director of the FBI James Burrell spoke about the secretive budget of the Operational Technology Division, which covers all the bureau’s advanced investigative gizmos, from robots to surveillance tech to biometric scanners, during a roundtable discussion on encryption technology.
In December 2015, The Washington Post reported the budget of the FBI’s Operational Technology Division at between $600 million and $800 million, but officials refused to confirm the exact amount.
The FBI did not respond to a request for comment from The Intercept on the division’s budget.
The intelligence community sponsored the roundtable on Thursday and Friday to spark discussion among academics, scientists, developers, and tech officials on the finer points of encryption — and to try to answer whether it’s technically possible to give law enforcement access to secure devices without compromising digital security.
The National Academies of Science, Technology, and Medicine hosted the workshop, which included Chris Inglis, former deputy director of the NSA; James Baker, the top lawyer for the FBI; and tech officials from Apple, Microsoft, and other companies.
Burrell said the FBI divides its technical focuses into two areas: core IT capabilities, and the Operational Technology Division, which devotes resources to researching and developing technology “specifically for use in investigations.”
The division’s budget had to be put “into context,” Burrell stressed. Resources are split between tools developed for national security investigations versus domestic law enforcement. “Sometimes we’re not able to use the technology we develop for one side equally on the other,” because some technology is classified, he said.
The FBI has tried to keep evidence gleaned from its advanced, national security technology secret in court proceedings relating to domestic investigations — technology like Stingrays, which mimic cell phone towers to track location information of an entire geographical area. The FBI has even chosen to throw out legal prosecutions to hide its technical capabilities — a controversial decision that’s been criticized by advocates for transparency.
The bureau has also repeatedly stressed how challenging and expensive it is to develop capabilities to hack into devices rather than have a mandated access point in encryption. “Hacking devices, … of course we do it, but it is slow,” Baker said in his concluding remarks. “It’s expensive, it’s very fragile.”
The FBI has requested more than $100 million in additional funding for its operational technology division and cyber division for 2017, pushing the grand total closer to a billion, if the Washington Post’s figure is accurate. The FBI asked for over $85 million to bulk up its cyber offense and defense, and over $38 million to counter, through technological means, the problem that encryption and other anonymity software poses during investigations.
“Of all kinds of government secrecy, budget secrecy is the least defensible,” Steven Aftergood, director of the Project on Government Secrecy run by the Federation of American Scientists, wrote in an email to The Intercept. Publishing the budget is required by the Constitution, he pointed out.
Agencies often prefer not to divulge budgets in order to keep some programs below the radar, or because keeping the amounts secret “helps to obscure large increases or decreases in funding that could attract unwanted attention,” he said.
“But spending levels do not reveal operational information — about targets, or capabilities, or vulnerabilities — and therefore they should almost always be disclosed,” he concluded.
The work done by the Operational Technology Division has received more attention since the 2015 San Bernardino shootings. Access to encrypted communications has become a national issue following the FBI’s battle with Apple over obtaining access to the San Bernardino shooter’s phone, which was encrypted.
Technology officials largely agree that giving any sort of “exceptional access” to software would damage an already fragile digital security regime experts have spent decades trying to improve.
During the first panel session, the conversation turned to what the FBI might be able to do instead of supporting mandated “backdoors” or security holes in products in order to intercept communications of suspects.
Baker, the bureau’s top lawyer, said the FBI’s technical capabilities are “finite” but “in some ways” are “better and increasing every day.”
By Jenna McLaughlin
U.S. Senate Majority Leader Mitch McConnell set up a vote late on Monday to expand the Federal Bureau of Investigation’s authority to use a secretive surveillance order without a warrant to include email metadata and some browsing history information.
The move, made via an amendment to a criminal justice appropriations bill, is an effort by Senate Republicans to respond to last week’s mass shooting in an Orlando nightclub after a series of measures to restrict guns offered by both parties failed on Monday.
“In the wake of the tragic massacre in Orlando, it is important our law enforcement have the tools they need to conduct counterterrorism investigations,” Senator John McCain, an Arizona Republican and sponsor of the amendment, said in a statement.
The bill is also supported by Republican Senators John Cornyn, Jeff Sessions and Richard Burr, who chairs the Senate Intelligence Committee.
Privacy advocates denounced the effort, saying it seeks to exploit a mass shooting in order to expand the government’s digital spying powers.
Senator Ron Wyden, an Oregon Democrat, criticized a similar effort last month as one that “takes a hatchet to important protections for Americans’ liberty.”
The amendment would broaden the FBI’s authority to use so-called National Security Letters to include electronic communications transaction records such as time stamps of emails and the emails’ senders and recipients.
The Obama administration for years has lobbied for a change to how NSLs can be used, after a 2008 legal memo from the Justice Department said the law limits them largely to phone billing records. FBI Director James Comey has said the change essentially corrects a typo and is a top legislative priority for his agency.
NSLs do not require a warrant and are almost always accompanied by a gag order preventing the service provider from sharing the request with a targeted user.
The letters have existed since the 1970s, though the scope and frequency of their use expanded greatly after the Sept. 11, 2001, attacks on the United States.
The amendment filed Monday would also make permanent a provision of the USA Patriot Act that allows the intelligence community to conduct surveillance on “lone wolf” suspects who do not have confirmed ties to a foreign terrorist group. That provision, which the Justice Department said last year had never been used, is currently set to expire in December 2019.
A vote is expected no later than Wednesday, McConnell’s office said.
The recent attacks on hospitals across the world, in which hackers obtained the information of hundreds of thousands of patients, emphasize the scale of the issue. The rising trend of ransomware attacks on healthcare is driven mainly by phishing email, and the underlying reason is that the importance of cybersecurity measures in the healthcare industry is underestimated.
In the case of the Wyoming Medical Center cyber-attack through an email scam, the damage involved exposure of nearly 3,300 patients’ sensitive information. The attack was carried out through a legitimate-looking phishing email to which an employee responded, giving the attackers access to the hospital network and enabling them to obtain patients’ personal information such as names, contact details, health insurance details, social security numbers and other sensitive data that could cause harm if it landed in the wrong hands.
Based on the scenarios of recent attacks on healthcare establishments, the InfoSec industry suggests several crucial tips to follow to prevent a corporate email network from falling victim to a phishing scam:
1. If you receive Excel or other files instructing you to enable options such as macros in order to view the so-called “important information”, do not do it.
2. NEVER provide your password to anyone via email.
3. If you are a healthcare establishment, use only a HIPAA-compliant email service (ShazzleMD is one of them and provides an easy solution: no password is required and it works like any other email).
Be suspicious of any email that:
4. Requests personal information.
5. Contains spelling and grammatical errors.
6. Asks you to click on a link.
7. Is unexpected or from a company or organization with whom you do not have a relationship.
If you are suspicious of an email:
8. Do not click on the links provided in the email.
9. Do not open any attachments in the email.
10. Do not provide personal information or financial data.
11. Do forward the email to the HHS Computer Security Incident Response Center (CSIRC) at firstname.lastname@example.org and then delete it from your Inbox.
12. Although HHS’ CSIRC undoubtedly does not want a barrage of emails from non-government entity staff reporting potential phishing attacks, a covered entity or business associate should articulate a similar process for staff to follow when a suspicious email is identified.
Be suspicious of any email that:
13. Includes multiple other recipients in the “to” or “cc” fields.
14. Displays a suspicious “from” address, such as a foreign URL for a U.S. company or a Gmail or other “disposable” address for a business sender. However, even when the sender’s address looks legitimate, it can still be “spoofed” or falsified by a malicious sender.
Following the above tips will improve the security of a healthcare network, and of other networks too, against ransomware attacks delivered via phishing emails, which are increasing rapidly every month.
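As an added example (not code from the original post or from ShazzleMail), the script below applies the warning signs listed above to a raw email: multiple To/Cc recipients, a free-mail or mismatched sender domain, a request for a password or personal data, embedded links, and a macro lure or macro-enabled attachment. The message, addresses and domains are constructed; the free-mail provider list and the macro-capable extensions are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed lists: common "disposable" business-sender domains and macro-capable file types.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
MACRO_EXTENSIONS = (".xlsm", ".docm", ".pptm", ".xls", ".doc")
SENSITIVE_WORDS = ("password", "social security", "ssn", "account number", "verify your")

def _body_text(msg):
    """Collect the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw, expected_sender_domain=None):
    """Return (flag, detail) pairs for each warning sign found in the raw message.
    expected_sender_domain: the domain the sender claims to represent, if known."""
    msg = message_from_string(raw)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > 1:
        flags.append(("many_recipients", f"{len(recipients)} addresses in To/Cc"))
    if sender_domain in FREEMAIL_DOMAINS:
        flags.append(("freemail_sender", sender_domain))
    if expected_sender_domain and sender_domain != expected_sender_domain.lower():
        flags.append(("sender_domain_mismatch", f"{sender_domain} != {expected_sender_domain}"))
    text = _body_text(msg).lower()
    if any(w in text for w in SENSITIVE_WORDS):
        flags.append(("requests_credentials", "body asks for a password or personal data"))
    links = re.findall(r"https?://[^\s\"'<>]+", text)
    if links:
        flags.append(("contains_links", links[0]))
    if "enable macros" in text or "enable content" in text:
        flags.append(("macro_lure", "body instructs the reader to enable macros"))
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            flags.append(("macro_attachment", name))
    return flags

# Constructed sample message modelled on the lure described above; no real addresses.
SAMPLE_EMAIL = """\
From: "Billing Dept" <billing.dept@gmail.com>
To: nurse1@hospital.example, nurse2@hospital.example
Cc: admin@hospital.example
Subject: Important information
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="utf-8"

Please open the attached statement and enable macros to view the important information.
Reply with your password to confirm your account: http://hospital-billing.example/login
--XX
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="statement.xlsm"
Content-Disposition: attachment; filename="statement.xlsm"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

if __name__ == "__main__":
    for flag, detail in triage(SAMPLE_EMAIL, expected_sender_domain="hospital.example"):
        print(f"{flag:24s} {detail}")
```

A hit on any single flag is a reason to follow the steps above (do not click, do not open attachments, report it), not proof of phishing on its own.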