<?xml version="1.0" encoding="utf-8"?> 
<?xml-stylesheet type="text/css" href="http://www.enterprise-security-today.com/share/rssstyle.css"?>
<rss version="2.0">

  <channel>
    <title>Enterprise Security Today</title>
    <link>http://www.enterprise-security-today.com</link>
    <description>Tech News by Enterprise Security Today (http://www.enterprise-security-today.com).</description>
    <language>en-us</language>
    <copyright>Copyright &#169; 2013 Enterprise Security Today, Inc.</copyright>
    <managingEditor>editorial@enterprise-security-today.com</managingEditor>
    <webMaster>webmaster@enterprise-security-today.com</webMaster>
    <pubDate>Tue, 18 Jun 2013 18:39:52 -0500</pubDate>
    <lastBuildDate>Tue, 18 Jun 2013 18:39:52 -0500</lastBuildDate>
    <category>Enterprise Security Today News</category>
    <generator>Enterprise Security Today</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <ttl>5</ttl>
    <image>
      <url>http://images.enterprise-security-today.com/images/rss-logo-newsfactor-white.gif</url>
      <title>Enterprise Security Today</title>
      <link>http://www.enterprise-security-today.com</link>
    </image>
  <item>
    <title>Yahoo, Apple Disclose Government Data Requests</title>
    <description>Following disclosures from Microsoft and Facebook last Friday, Yahoo and Apple are releasing information on thousands of requests they have received for user data related to criminal and security investigations from law enforcement and the U.S. National Security Agency.
&lt;p&gt;
Requests for user data that investigative agencies in the U.S. made to Yahoo from Dec. 1, 2012, to May 31 numbered between 12,000 and 13,000, including both criminal requests and those under the Foreign Intelligence Surveillance Act (FISA), which is the authority the NSA uses to seek information. Yahoo said the most common requests for user data concerned fraud, homicides, kidnappings and other criminal investigations. Yahoo did not specify how many user accounts were involved in the requests.
&lt;p&gt;
&quot;Democracy demands accountability,&quot; Yahoo said in a statement authored by CEO Marissa Mayer and General Counsel Ron Bell. &quot;Recognizing the important role that Yahoo can play in ensuring accountability, we will issue later this summer our first global law enforcement transparency report, which will cover the first half of the year. We will refresh this report with current statistics twice a year.
&lt;p&gt;
&quot;As always, we will continually evaluate whether further actions can be taken to protect the privacy of our users and our ability to defend it.  We appreciate -- and do not take for granted -- the trust you place in us.&quot;
&lt;p&gt;
&lt;subhead&gt;
Apple Data Requests
&lt;/subhead&gt;
&lt;p&gt;
For Apple, from Dec. 1, 2012, to May 31 the company received between 4,000 and 5,000 requests from U.S. investigative agencies for customer data. Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters. Apple said the most common form of request came from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease,...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=88425</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=88425</guid>
    <pubDate>Tue, 18 Jun 2013 11:14:36 -0500</pubDate>
  </item>

  <item>
    <title>Secret to Prism Program: Even Bigger Data Seizure</title>
    <description>In the months and early years after the Sept. 11, 2001, terrorist attacks, FBI agents began showing up at Microsoft Corp. more frequently than before, armed with court orders demanding information on customers.
&lt;p&gt;
Around the world, government spies and eavesdroppers were tracking the email and Internet addresses used by suspected terrorists. Often, those trails led to the world's largest software company and, at the time, largest email provider. 
&lt;p&gt;
The agents wanted email archives, account information, practically everything, and quickly. Engineers compiled the data, sometimes by hand, and delivered it to the government.
&lt;p&gt;
Often there was no easy way to tell if the information belonged to foreigners or Americans. So much data was changing hands that one former Microsoft employee recalls that the engineers were anxious about whether the company should cooperate.
&lt;p&gt;
Inside Microsoft, some called it &quot;Hoovering&quot; -- not after the vacuum cleaner, but after J. Edgar Hoover, the first FBI director, who gathered dirt on countless Americans.
&lt;p&gt;
This frenetic, manual process was the forerunner to Prism, the recently revealed highly classified National Security Agency program that seizes records from Internet companies. As laws changed and technology improved, the government and industry moved toward a streamlined, electronic process, which required less time from the companies and provided the government data in a more standard format.
&lt;p&gt;
The revelation of Prism this month by the Washington Post and Guardian newspapers has touched off the latest round in a decade-long debate over what limits to impose on government eavesdropping, which the Obama administration says is essential to keep the U.S. safe.
&lt;p&gt;
But interviews with more than a dozen current and former government and technology officials and outside experts show that, while Prism has attracted the recent attention, the program actually is a relatively small part of a much more expansive and intrusive eavesdropping effort.
&lt;p&gt;
Americans who disapprove of the government...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=88408</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=88408</guid>
    <pubDate>Tue, 18 Jun 2013 09:23:45 -0500</pubDate>
  </item>

  <item>
    <title>Microsoft, Facebook Tell of Thousands of Security Requests</title>
    <description>Thousands of law enforcement and U.S. national security requests were received by Microsoft and Facebook in the second half of 2012, the two companies disclosed late Friday. The companies noted, however, that the requests represented a tiny fraction of their user bases.
&lt;p&gt;
John Frank, vice president and deputy general counsel at Microsoft, said his company was permitted, for the first time, to disclose the total volume of national security orders but was still not allowed to confirm whether it had received any Foreign Intelligence Surveillance Act (FISA) orders. Frank is still convinced, however, that what the company is permitted to publish falls short of what is needed to help the community understand and debate the issues.
&lt;p&gt;
&lt;subhead&gt;
Microsoft Escapes Verizon's Fate
&lt;/subhead&gt;
&lt;p&gt;
With that said, Microsoft revealed that for the six months ended Dec. 31, 2012, it received a total of 6,000 to 7,000 criminal and national security warrants, subpoenas and orders from local, state and federal U.S. governmental entities, affecting more than 31,000 consumer accounts. Frank said that amounted to only a tiny fraction of Microsoft's global customer base.
&lt;p&gt;
&quot;Microsoft has not received any national security orders of the type that Verizon was reported to have received that required the wireless carrier to provide business records about U.S. customers,&quot; Frank confirmed. That's good for Microsoft, since the debate over Verizon releasing customer information to the U.S. government and the National Security Agency is still raging.
&lt;p&gt;
&quot;Verizon and Verizon Wireless are in the center of the storm, but they are keeping quiet and the storm has not ravaged them yet. That's the good news,&quot; Jeff Kagan, a wireless industry analyst, told us. &quot;To date, they have not lost customers or investors. I hope they can continue to stay away from the chaos. However, things can change quickly.
&lt;p&gt;
&quot;So far I would give Verizon an 'A' in the way...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=88394</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=88394</guid>
    <pubDate>Mon, 17 Jun 2013 10:27:41 -0500</pubDate>
  </item>

  <item>
    <title>Microsoft Study Finds Gap in SMB Cloud Perception, Reality</title>
    <description>Small- and medium-size businesses have been wary of cloud services because of security, privacy and reliability issues. But a new Microsoft report, released this week, found that perceptions of clouds contrast with actual experiences.
&lt;p&gt;
Adrienne Hall, general manager of Trustworthy Computing at Microsoft, said in a statement that &quot;there's a big gap between perception and reality when it comes to the cloud.&quot; She said SMBs that have adopted cloud services have &quot;found security, privacy and reliability advantages&quot; that were unexpected.
&lt;p&gt;
The Microsoft study did not inquire about specific products, vendors or services, but asked non-cloud-using SMBs why they weren't leveraging cloud technology.
&lt;p&gt;
&lt;subhead&gt;
Data Security
&lt;/subhead&gt;
&lt;p&gt;
For 60 percent of respondents in the study, a key concern has been data security, and 45 percent were concerned that they could lose control of their data. Forty-two percent doubted the cloud's reliability. 
&lt;p&gt;
But, for SMBs that are actually using cloud services, the study found a different picture. Ninety-four percent reported they now have security benefits they didn't previously have with on-premises technology, including up-to-date systems, up-to-date antivirus and spam e-mail management. Sixty-two percent said they experienced increased levels of privacy protection, while 75 percent noted improved service availability.
&lt;p&gt;
The study also pointed to the cost savings from cloud services, with 70 percent of respondents saying the savings allowed them to invest money and time into other areas and half saying they were &quot;pursuing new opportunities&quot; because of the time saved through cloud-based security management.
&lt;p&gt;
For some SMBs, cloud services also could pose an issue for regulatory compliance. But in announcing the study, Microsoft pointed to the DHCU Community Credit Union, a nonprofit financial co-op based in Illinois. The Union utilizes cloud-based Microsoft Office 365, and President/COO Matt McCombs is quoted as saying that 365 &quot;gives us peace of mind that these things are being handled, and handled well.&quot;
&lt;p&gt;
&lt;subhead&gt;
Public, Private, Hybrid
&lt;/subhead&gt;
&lt;p&gt;
The credit...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=88384</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=88384</guid>
    <pubDate>Fri, 14 Jun 2013 10:29:34 -0500</pubDate>
  </item>

  <item>
    <title>Keeping Your Data Safe from Spying</title>
    <description>Phone call logs, credit card records, emails, Skype chats, Facebook messages, and more: The precise nature of the NSA's sweeping surveillance apparatus has yet to be confirmed.
&lt;p&gt;
But given the revelations spilling out into the media, there hardly seems a single aspect of daily life that isn't somehow subject to spying by the U.S. agency.
&lt;p&gt;
For some, it's a matter of indifference who or what is rifling through their electronic records. Others, mindful of spy agencies' history of abuse, are more concerned.
&lt;p&gt;
Here are some basic tips to avoid having your personal life turned into an intelligence report:
&lt;p&gt;
&lt;subhead&gt;
ENCRYPT YOUR EMAILS
&lt;/subhead&gt;
&lt;p&gt;
Emails sent across the Web are like postcards. In some cases, they're readable by anyone standing between you and the recipient. That can include your webmail company, your Internet service provider and whoever is tapped into the fiber optic cable passing your message around the globe -- not to mention a parallel set of observers on the recipient's side of the world.
&lt;p&gt;
To beat the snoops, experts recommend encryption, which scrambles messages in transit, so they're unreadable to anyone trying to intercept them. Techniques vary, but a popular one is called PGP, short for &quot;Pretty Good Privacy.&quot; PGP is effective enough that the U.S. government tried to block its export in the mid-1990s, arguing that it was so powerful it should be classed as a weapon.
&lt;p&gt;
Disadvantages: Encryption can be clunky. And to work, both parties have to be using it.
&lt;p&gt;
&lt;subhead&gt;
USE TOR
&lt;/subhead&gt;
&lt;p&gt;
Like emails, your travels around the Internet can easily be tracked by anyone standing between you and the site you're trying to reach. TOR, short for &quot;The Onion Router,&quot; helps make your traffic anonymous by bouncing it through a network of routers before spitting it back out on the other side. Each trip through a router provides another layer of protection, thus the onion reference.
&lt;p&gt;
Originally...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=88380</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=88380</guid>
    <pubDate>Mon, 17 Jun 2013 07:56:02 -0500</pubDate>
  </item>

  <item>
    <title>Google Reports Iranian Phishing on Eve of Elections</title>
    <description>Google is revealing a near three-week-long battle against phishers coming out of Iran. The technology giant reports it has detected and disrupted multiple e-mail phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users. 
&lt;p&gt;
&quot;These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region,&quot; said Eric Grosse, vice president of Google's Security Engineering, writing in a blog post. &quot;The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday.&quot;
&lt;p&gt;
&lt;subhead&gt;
Google Warns Phishers
&lt;/subhead&gt;
&lt;p&gt;
We caught up with Sean Bodmer, chief researcher at security firm CounterTack, to get his take on the phishing activity. He said it isn't new to Iran, and Google has been reporting on it since the third quarter of 2011. 
&lt;p&gt;
&quot;There are always observable traits and effects in every campaign, incident or attack that infer the possible aggressor, and it would appear that political implications and motives may indeed be one of them in this particular case,&quot; Bodmer said.
&lt;p&gt;
&quot;However, in all likelihood, Google is simply disclosing news of the campaign's existence as a warning to those behind it, while withholding specifics due to privacy concerns for those that are being targeted.&quot;
&lt;p&gt;
&lt;subhead&gt;
Tapping Current Events
&lt;/subhead&gt;
&lt;p&gt;
Ken Pickering, development manager for security intelligence at CORE Security, reminded us that phishing is usually only successful if the users actually click on a link.
&lt;p&gt;
&quot;Attackers often use current events to spread these links; in Iran -- and in virtually every other part of the world -- presidential elections are big news. Using this story as a pretense for sharing a malicious link improves the odds an attack will be successful,&quot; Pickering said. 
&lt;p&gt;
&quot;Many attackers also rely on hacked e-mails and Twitter accounts. If recipients think they're receiving a...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=88378</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=88378</guid>
    <pubDate>Thu, 13 Jun 2013 14:14:50 -0500</pubDate>
  </item>

  <item>
    <title>HP Offers OpenStack-Based Cloud OS, New Cloud Services</title>
    <description>It's getting cloudier over at Hewlett-Packard. On Wednesday, HP announced new additions to its Converged Cloud portfolio that deepen its position in the OpenStack camp and position the company as a facilitator for hybrid clouds in the enterprise.
&lt;p&gt;
HP's announcements focused on its next phase of OpenStack-based architecture for its private, managed and public cloud offerings, as well as new software and services for cloud implementations. In its announcements, HP noted research it had commissioned, which found that &quot;it is expected to be a hybrid world,&quot; with 75 percent of enterprise IT to be &quot;delivered across private, managed and public clouds&quot; within three years.
&lt;p&gt;
The HP Cloud OS is a platform that utilizes OpenStack and is designed for management across hybrid clouds. CloudSystem, its private cloud software, currently uses HP Cloud OS, and a new CloudSystem Enterprise Starter Suite is now being offered. The suite provides a bundled solution for rapidly providing cloud services, and the company said it reduces up-front costs by as much as 20 percent.
&lt;p&gt;
&lt;subhead&gt;
HP Cloud OS
&lt;/subhead&gt;
&lt;p&gt;
HP Cloud OS will also be offered on HP Moonshot servers and used in HP Cloud Services. While based on the open source OpenStack software, the HP Cloud OS offers such enhanced features as a streamlined installation process, automatic upgrading, and the ability to move workloads between an on-premises cloud and an HP cloud service. The company said the enhancements were being added through plug-ins, not through a modification of OpenStack. A Cloud OS Sandbox will be offered to customers for trying things out, at no cost.
&lt;p&gt;
The company is also now offering its Converged Cloud Professional Services Suite, which includes support, design and networking services, Proactive Care for CloudSystem, security risk consulting and an enhanced HP Applications Transformation to Cloud Services.
&lt;p&gt;
Meanwhile, HP Enterprise Services has upped its game for cloud services, especially...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=88376</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=88376</guid>
    <pubDate>Thu, 13 Jun 2013 10:25:50 -0500</pubDate>
  </item>

  <item>
    <title>Google Says Data Given to NSA Via Secure FTP and By Hand</title>
    <description>Google disclosed Wednesday that it uses secure FTP servers and occasional in-person delivery when it complies with National Security Agency requests for user information.
&lt;p&gt;
&quot;When required to comply with these requests, we deliver that information to the U.S. government -- generally through secure FTP transfers and in person,&quot; Google spokesman Chris Gaither said in an e-mail. &quot;The U.S. government does not have the ability to pull that data directly from our servers or network.&quot;
&lt;p&gt;
Secure FTP is used to send files through an encrypted digital channel from one computer to another. By technological standards, it's an old tool.
&lt;p&gt;
Google's revelation comes on the heels of requests made Tuesday by Google, Facebook and other tech firms to publish further details about requests for user information made by the U.S. government for national security purposes.
&lt;p&gt;
Federal law currently prohibits the disclosure of any information about requests made under the Foreign Intelligence Surveillance Act, and permission to report even aggregate statistics about such requests would require an unprecedented declassification of national security information, USA TODAY reported Tuesday.
&lt;p&gt;
Since details about the secret government program PRISM surfaced last week, Google has said publicly that it was not aware of the program's existence and has said it took no part in providing the government with direct access to user information.
&lt;p&gt;
&quot;We refuse to participate in any program -- for national security or other reasons -- that requires us to provide governments with access to our systems or to install their equipment on our networks,&quot; Gaither said.
&lt;p&gt;
The details released Wednesday go further to create separation between Google and PRISM, as FTP servers or in-person delivery of information would not give the government access to Google servers and would require the company's compliance with each request.
&lt;p&gt;
Meanwhile, other tech companies -- including Facebook, Apple and Twitter, which was not named in the leaks about...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=88374</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=88374</guid>
    <pubDate>Fri, 14 Jun 2013 09:46:25 -0500</pubDate>
  </item>

  <item>
    <title>Coalition Aims To Thwart Phone Thefts</title>
    <description>The top prosecutors in San Francisco and New York planned Thursday to announce the formation of a nationwide initiative and coalition of police, prosecutors and other officials in an attempt to thwart a surge in smartphone thefts. 
&lt;p&gt;
Officials said San Francisco District Attorney George Gascon and New York Attorney General Eric Schneiderman were set to launch what they call the Secure Our Smartphones Initiative at a New York news conference on Thursday. 
&lt;p&gt;
The coalition includes prosecutors, police and political officials and consumer advocates from more than a dozen states and intends to put pressure on smartphone companies and their shareholders to help dry up the secondary market in stolen phones. 
&lt;p&gt;
The announcement comes on the same day Gascon and Schneiderman are scheduled to co-host a &quot;Smartphone Summit&quot; with representatives from major smartphone makers Apple Inc., Samsung Electronics Co., Google Inc. and Microsoft Corp. 
&lt;p&gt;
Among the moves the prosecutors seek is the industry-wide introduction of a &quot;kill switch&quot; that would render stolen phones worthless. 
&lt;p&gt;
Apple said at a conference of web developers this week that such a feature would be part of its iOS7 smartphone software to be released in the fall. Gascon and Schneiderman said in a statement they were &quot;appreciative of the gesture&quot; but would reserve judgment until they could &quot;understand its actual functionality.&quot; 
&lt;p&gt;
Almost 1 in 3 robberies nationwide involves the theft of a mobile phone, according to the Federal Communications Commission. 
&lt;p&gt;
&quot;The epidemic of violent street crime involving the theft and resale of mobile devices is a very real and growing threat in communities all across America,&quot; Schneiderman said in a statement. &quot;According to reports, roughly 113 smartphones are stolen or lost each minute in the United States, with too many of those thefts turning violent.&quot;
&lt;p&gt;
In New York, police have coined the term &quot;Apple-picking&quot; to describe...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=88369</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=88369</guid>
    <pubDate>Fri, 14 Jun 2013 09:40:15 -0500</pubDate>
  </item>

  <item>
    <title>Promise of Mobile Payments Slow To Emerge</title>
    <description>Imagine: You've just finished pumping a tank of gas and it's time to pay up. Instead of having to swipe your card, enter your PIN, and wait for the system to approve the transaction, you simply wave your smartphone across a terminal and leave.
&lt;p&gt;
The technology to make these mobile payments has been available for years -- so why isn't everyone using it?
&lt;p&gt;
In short, it's because the market is young, highly competitive and not yet standardized. Fledgling start-ups and corporate behemoths alike are all vying for a piece of the pie.
&lt;p&gt;
The biggest issue is a lack of consensus over which specific technology should spearhead the market, sort of like the old VHS-Betamax war. However, mobile payment may involve even more service sectors -- from banks and payment processors, to network operators and third-party software developers -- making for a complex, highly competitive field.
&lt;p&gt;
Large companies are pushing for a set of mobile standards called near-field communications (NFC). This hardware-based technology can transmit small amounts of data over a short distance -- between a smartphone and a payment terminal, for instance -- making it perfect for what the industry calls &quot;contactless&quot; transactions.
&lt;p&gt;
Plenty of current smartphones come with built-in NFC chips, including the Samsung Galaxy Nexus and the HTC One. Apps such as Google Wallet allow users to make contactless payments at NFC-enabled terminals -- like any of the 300,000 MasterCard PayPass locations, including McDonald's, Rite Aid and Hess.
&lt;p&gt;
If that sounds like a hassle -- buying an NFC-capable phone, to use with a specific app, which only works with specific payment terminals -- it's because it is. There are simply too many variables.
&lt;p&gt;
This high barrier to entry has persuaded some major players, including Apple, to forgo NFC altogether. And when the maker of the world's best-selling smartphone isn't on board with something, consumers just...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=88348</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=88348</guid>
    <pubDate>Mon, 17 Jun 2013 07:57:11 -0500</pubDate>
  </item>
</channel></rss>