Category: News

James Clapper, the United States’ director of national intelligence, also reports in the “US Intelligence Community’s Worldwide Threat Assessment” of March that there has been a significant increase in state actors’ use of cyber capabilities, and this could possibly lead to an increase in the probabilities of miscalculations, misunderstandings and unintended escalation. The CSIS report suggests that malicious activity in cyberspace, which could inflame existing tensions or increase misperception and miscalculation among governments of the intent and risk of cyber actions, poses the greatest cyber risk to security in Asia. Furthermore, there is no international or regional agreement on clear and harmonised definitions for what constitutes “cyber security”, “cyber attack” or “cyber defence” – lines between cyber crime, cyber espionage and cyber attack are also ambiguous.

In light of these developments, and in addressing non-traditional security issues, the ASEAN Political-Security Community seeks to promote the renunciation of aggression and of the threat or use of force or other actions in any manner inconsistent with international law.

Confidence-building measures and preventative diplomacy, such as exchanges among defence and military officials, can also be enhanced to ensure escalation does not occur between ASEAN member states or between ASEAN member states and third countries.

A joint EU-US Working Group on Cyber Ssecurity and Cyber Crime was created in November 2010, and the European Parliament Committee on Foreign Affairs report of 2012 calls for accelerating cooperation and exchange of information on how to tackle cyber security issues with third countries, such as its proposals to engage the BRICS countries. The Asia-Europe Meeting (ASEM), whose partners include the ASEAN Plus Three, 27 EU members and the European Commission, can also be engaged to explore these issues of common concern in an open and informal fashion in order to complement bilateral and multilateral cooperation efforts.

Cooperation in tackling cross-border cyber threats should also be included within the ASEM 2012-2014 work programme and placed on the agenda of the 10th ASEM summit, which is due to be held in 2014.

In the future, ASEAN member states should agree a common position on shared norms for responsible state behaviour in cyberspace and the applicability of international law for the use of advanced cyber capabilities and techniques.

Link: http://www.nationmultimedia.com/opinion/Tackling-cyber-threats-will-require-regional-coope-30209055.html

The Obama administration has been focused on Iran because the attacks have given the Iranian government a way to retaliate for tightened economic sanctions against it, and for the American and Israeli program that aimed similar attacks, using a virus known as Stuxnet, on the Natanz nuclear enrichment plant.

In a letter to the editor of The Times, responding to a May 12 article that reported on the new attacks’ similarity to the Saudi Aramco episode, Alireza Miryousefi, the head of the press office of the Iranian mission to the United Nations, wrote that Iran “never engaged in such attacks against its Persian Gulf neighbors, with which Iran has maintained good neighborly relations.”

American officials have not offered any technical evidence to back up their assertions of Iranian authorship of the latest attacks, but they describe the recent campaign as different from most attacks against American companies — particularly those from China — which quietly siphon off intellectual property for competitive purposes.

The White House would not confirm that Iran was the source, but Laura Lucas, a spokeswoman for the National Security Council, said that “mitigating threats in cyberspace, whether theft of intellectual property or intrusions against our critical infrastructure” was a governmentwide initiative and that the United States would consider “all of the measures at its disposal — from diplomatic to law enforcement to economic — when determining how to protect our nation, allies, partners, and interests in cyberspace.” But Homeland Security was able to issue a broader warning because of an executive order, signed in February, promoting greater information sharing about such threats between the government and private companies that oversee the nation’s critical infrastructure. It said the government was “highly concerned about hostility against critical infrastructure organizations,” and included a link to a previous warning about Shamoon, the virus used in the Saudi Aramco attack last year.

Government officials also say Iran was the source of a separate continuing campaign of attacks on American financial institutions that began last September and has since taken dozens of American banks intermittently offline, costing millions of dollars.

Link: http://www.nytimes.com/2013/05/25/world/middleeast/new-computer-attacks-come-from-iran-officials-say.html

Jim O’Leary from Twitter’s product security team acknowledged in a blog post on Wednesday that “even with this new security option turned on, it’s still important for you to use a strong password and follow the rest of our advice for keeping your account secure.”

Some of the more recent and widely-reported attacks have hit targets ranging from The White House to the Associated Press to more than 250,000 users at large earlier this year.

At the end of April, the San Francisco-based private company penned a memo to news media outlets warning that such cyber attacks would continue.

In regards to the media, Twitter added at the time that most of the security breaches appeared to be “spear phishing attacks” targeting corporate email.

Link: http://www.zdnet.com/twitter-steps-up-security-with-two-factor-authentication-option-7000015762/?s_cid=e589&ttag=e589

The DHS pitch: We’ll share intelligence gleaned from the U.S. government’s vast stockpile of zero-day vulnerabilities — purchased from bug hunters and resellers — to help block zero-day threats. “It is a way to share information about known vulnerabilities that may not be commonly available,” Homeland Security secretary Janet Napolitano said Wednesday at the Reuters Cybersecurity Summit in Washington, D.C., reported Reuters. The DHS proposal is a continuation of the February 2013 executive order and related presidential policy directive issued by President Obama, which created a public-private cyber-threat information sharing regime, as well as voluntary private sector cybersecurity standards.

The executive order expanded the Enhanced Cybersecurity Services program — formerly known as the Defense Industrial Base pilot — to share threat information, including classified intelligence, with defense contractors, telecommunications and other critical-infrastructure firms that have appropriate security clearances.

But the suggestion has drawn the ire of privacy and civil rights groups, which object to giving blanket immunity to any business that shares customer and employee information — potentially including full texts of all emails sent and received via business networks — with intelligence agencies.

Outsourcing zero-day-vulnerability scanning to a private business, however, would seem to obviate related privacy concerns, since network providers already scan their customers’ network traffic for some signs of attack.

The offer of shared threat intelligence is a crucial incentive for getting private businesses to agree to participate in the government’s cybersecurity program, which is designed in large measure to better secure the critical infrastructure, which is largely owned by private businesses.

To date, the large sums of money on offer for buying zero-day vulnerabilities have seen the bug-buying restricted to organizations, criminal gangs or governments with deep enough pockets, and presumably a need to put the vulnerabilities to use.

Furthermore, some information security experts have warned that the move to share threat intelligence gathered by the NSA and other agencies could further bolster the bug vulnerability marketplace and potentially direct tax dollars to anti-U.S. hackers who are expert bug hunters, as opposed to spending that money on defense.

“If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users,” former White House cybersecurity advisor Richard Clarke told Reuters.

“NSA, CIA and military are now #1 buyers of exploits, while DHS, which is responsible for cyber defense, has lost most of its top officials,” said Christopher Soghoian, principal technologist and senior policy analyst for the ACLU’s Speech, Privacy and Technology Project, via Twitter.

Link: http://www.informationweek.com/security/vulnerabilities/dhs-eyes-sharing-zero-day-intelligence-w/240154972?queryText=ThreatGrid

Mo-Yuen Chow, co-author of the research and a professor of electrical and computer engineering, said the concept was like a “community watch,” where neighbors watch each other’s property for burglaries.

SCADA and PLC systems are used in industries comprising the nation’s critical infrastructure (CI), which includes power generation facilities, oil and gas pipelines, electric power transmitters and defense manufacturing.

Securing the nation’s critical infrastructure is difficult because most of the electronics and machinery was built before the Internet evolved as a networking protocol in controlling systems. In tackling the problem, NCSU researchers have developed an algorithm that can be deployed in any networked device, either in software or as firmware in a microcontroller.

The technology would augment traditional security systems used today, such as communication encryption and access controls, said Wente Zeng, a doctoral student and co-author of the research.

The researchers plan to present their paper (PDF), entitled “Convergence and Recovery Analysis of the Secure Distributed Control Methodology for D-NCS,” at the IEEE International Symposium on Industrial Electronics being held May 27-31 in Taipei, Taiwan.

Link: http://www.csoonline.com/article/733477/researchers-develop-industrial-systems-that-watch-for-breaches

NSS Labs released their latest report on browsers, it shows that though not perfect, Chrome and IE10 is the far ahead of the rest. But it can be subjective in post report review. See the full report at: https://www.nsslabs.com/reports/2013-browser-security-comparative-analysis-socially-engineered-malware