Saturday, December 6, 2014

Google Brings Open Source Security Gifts


Google isn't just about search anymore. In recent weeks it has announced multiple security projects, including Santa for Mac OS X.

It's the season for giving, and search giant Google wants to give security researchers and end users some new tools. Over the past few weeks Google has released multiple security tools and open source efforts to help end users and organizations defend themselves against modern threats.
One of the most recent tools released by Google is called Santa (yes, that Santa), a Mac OS X security tool.
"Santa is named because it keeps track of binaries that are naughty and nice," states Google's GitHub page on Santa.
The Santa project is still quite new and isn't yet a 1.0 release. In fact, it is not an official Google product. Rather, according to the GitHub page, "Santa is a project of Google's Macintosh Operations Team."
In any event, Santa tracks the binaries that execute on a machine and checks them against rules for known-good and known-bad binaries, so that it can log or prevent execution. From an operational perspective, Santa has two primary modes: monitor and lockdown.
"In MONITOR mode all binaries except those marked as blacklisted will be allowed to run, whilst being logged and recorded in the database," the Santa project page explains. "In LOCKDOWN mode, only whitelisted binaries are allowed to run."
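To make the two modes concrete, here is an added example in Python. It is not code from the Santa project (which is an OS X component), and the hash-based rule matching, the precedence of a blacklist entry over a whitelist entry, and the sample "binaries" are assumptions made for illustration. It also shows why a hash-keyed whitelist blocks a tampered copy of an approved binary in lockdown mode, and why monitor mode's log is what you mine to build that whitelist:

```python
import hashlib
from enum import Enum


class Mode(Enum):
    MONITOR = "MONITOR"    # log everything, block only blacklisted binaries
    LOCKDOWN = "LOCKDOWN"  # allow only whitelisted binaries


class Decision(Enum):
    ALLOW = "ALLOW"
    BLOCK = "BLOCK"


def sha256_hex(binary: bytes) -> str:
    """Identity of a binary for rule matching: the SHA-256 of its bytes."""
    return hashlib.sha256(binary).hexdigest()


class Policy:
    """Toy execution policy keyed on binary hashes (an illustration, not Santa's rule engine)."""

    def __init__(self, mode: Mode, whitelist=(), blacklist=()):
        self.mode = mode
        self.whitelist = set(whitelist)   # hashes explicitly marked "nice"
        self.blacklist = set(blacklist)   # hashes explicitly marked "naughty"
        self.events = []                  # stands in for the on-disk event database

    def decide(self, binary: bytes, path: str) -> Decision:
        digest = sha256_hex(binary)
        if digest in self.blacklist:
            # Assumption: an explicit deny wins over an explicit allow in either mode.
            decision, reason = Decision.BLOCK, "blacklisted"
        elif digest in self.whitelist:
            decision, reason = Decision.ALLOW, "whitelisted"
        elif self.mode is Mode.MONITOR:
            decision, reason = Decision.ALLOW, "unknown (monitor mode allows)"
        else:
            decision, reason = Decision.BLOCK, "unknown (lockdown mode denies)"
        # Every decision is recorded: monitor mode's log is the raw material for a whitelist.
        self.events.append({"path": path, "sha256": digest, "mode": self.mode.value,
                            "decision": decision.value, "reason": reason})
        return decision


# Constructed stand-ins for binaries (real use would hash the Mach-O file on disk).
GOOD_TOOL = b"\xcf\xfa\xed\xfe good-tool v1"       # approved build
MALWARE = b"\xcf\xfa\xed\xfe definitely-naughty"   # known-bad sample
NEW_TOOL = b"\xcf\xfa\xed\xfe unreviewed-tool"     # never seen before
TAMPERED_TOOL = GOOD_TOOL + b"\x00patched"         # approved tool with bytes appended

RULES = dict(whitelist={sha256_hex(GOOD_TOOL)}, blacklist={sha256_hex(MALWARE)})


def run_scenario(mode: Mode) -> dict:
    """Return {sample name: decision string} for each sample binary under the given mode."""
    policy = Policy(mode, **RULES)
    samples = {"good": GOOD_TOOL, "malware": MALWARE, "new": NEW_TOOL, "tampered": TAMPERED_TOOL}
    return {name: policy.decide(data, f"/usr/local/bin/{name}").value
            for name, data in samples.items()}


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, run_scenario(mode))
```

The tampered binary is the instructive case: a single appended byte changes the hash, so in lockdown mode it is treated as unknown and blocked, which is exactly the property you want from a whitelist and exactly why whitelists need a maintenance process for every legitimate update.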

Google's Firing Range

Also this month Google formally announced Firing Range, a tool for testing Web application vulnerability scanners.
"Firing Range is a Java application built on Google App Engine and contains a wide range of XSS and, to a lesser degree, other Web vulnerabilities," Claudio Criscione, security engineer at Google wrote in a blog post. "We have used Firing Range both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!)."
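The value of a test bed like Firing Range is that every bug in it is a known quantity, so a scanner's misses become measurable. The following added example is not Firing Range code (Firing Range is a Java application on App Engine); its endpoints, probes and scanner are constructed in Python for illustration. It pairs two vulnerable handlers with one safe one and runs a scanner whose probes are context-specific, so that a scanner that only knows the tag-injection probe demonstrably misses the attribute-context bug:

```python
import html


# ---- Test-bed endpoints: each takes an untrusted query value and returns HTML ----
def body_raw(q: str) -> str:
    """Vulnerable: the value is pasted into an HTML body unescaped."""
    return f"<p>Results for {q}</p>"


def body_escaped(q: str) -> str:
    """Safe for HTML body context: &, <, >, quotes are all encoded."""
    return f"<p>Results for {html.escape(q, quote=True)}</p>"


def attr_partial(q: str) -> str:
    """Vulnerable: only &, < and > are escaped, so a double quote closes the
    attribute and the rest of the payload becomes new attributes (e.g. onfocus=...)."""
    return f'<input name="q" value="{html.escape(q, quote=False)}">'


ENDPOINTS = {"body_raw": body_raw, "body_escaped": body_escaped, "attr_partial": attr_partial}

# ---- Scanner probes: (name, payload, marker that must come back verbatim) ----
PROBES = [
    ("tag", "<fr-canary>", "<fr-canary>"),            # tag injection (body context)
    ("attr_quote", '"fr-canary="', '"fr-canary="'),   # quote break-out (attribute context)
]


def scan(endpoint, probes=PROBES) -> list:
    """Names of probes whose marker survived unencoded. A hit means the input reached
    the page raw; whether that is exploitable depends on the surrounding HTML context."""
    hits = []
    for name, payload, marker in probes:
        if marker in endpoint(payload):
            hits.append(name)
    return hits


def scan_all(probes=PROBES) -> dict:
    """Run every probe against every endpoint: {endpoint name: [probe hits]}."""
    return {name: scan(fn, probes) for name, fn in ENDPOINTS.items()}


def naive_scan_all() -> dict:
    """A scanner that only knows the tag probe: it misses the attribute-context bug."""
    return scan_all(probes=PROBES[:1])


if __name__ == "__main__":
    print("context-aware scanner:", scan_all())
    print("tag-only scanner:     ", naive_scan_all())
```

Comparing the two result dictionaries is the whole point of a test bed: the tag-only scanner reports `attr_partial` as clean, and because the bug was planted deliberately, that false negative is visible rather than silent.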

Google's Nogotofail

Google started November by announcing its nogotofail network traffic security testing tool.
"Nogotofail is a network security testing tool designed to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way," Google's nogotofail GitHub page states. "It includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues and more."
SSL issues have been top of mind for many in 2014, given the Heartbleed flaw in OpenSSL disclosed in April. Google researchers also disclosed POODLE in October, a critical flaw in SSLv3 that lets an attacker who can downgrade a connection to SSLv3 recover plaintext.
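nogotofail operates as a network man-in-the-middle against real devices. The added Python example below is not nogotofail code and works offline instead: it audits a client's TLS configuration for the same classes of mistake nogotofail's MITM would exploit (certificate verification disabled, hostname checking disabled, a protocol floor below TLS 1.2 that keeps SSLv3/TLS 1.0 downgrades such as POODLE in play) and scans a constructed plain-HTTP request for secrets sent in cleartext. The finding names, the weak and hardened contexts and the sample request are assumptions made for illustration:

```python
import re
import ssl
import warnings


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return finding codes for client TLS settings a MITM test would exploit."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("CERT_NONE")          # any certificate accepted, including a MITM's
    if not ctx.check_hostname:
        findings.append("NO_HOSTNAME_CHECK")  # a valid cert for some other name is accepted
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("LEGACY_TLS")         # downgrade to TLS 1.0/1.1 (or SSLv3 where built) possible
    return findings


def make_weak_context() -> ssl.SSLContext:
    """The 'just make the certificate error go away' setup nogotofail is meant to catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():       # a pre-1.2 floor is deprecated; some builds refuse it
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except ValueError:
            pass                          # TLS 1.0 not available in this OpenSSL build
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    """Verification on, hostname check on, system trust store, TLS 1.2 or better."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Patterns for sensitive material travelling without TLS (constructed, deliberately small).
CLEARTEXT_PATTERNS = [
    ("HTTP_BASIC_AUTH", re.compile(rb"^Authorization:\s*Basic\s+\S+", re.I | re.M)),
    ("SESSION_COOKIE", re.compile(rb"^Cookie:\s*\S+", re.I | re.M)),
    ("FORM_PASSWORD", re.compile(rb"(?:^|[&?])(?:password|passwd|pwd)=", re.I)),
]


def find_cleartext_secrets(payload: bytes) -> list:
    """Flag secrets in a plain-TCP payload the way a passive cleartext check would."""
    return [name for name, pat in CLEARTEXT_PATTERNS if pat.search(payload)]


# Constructed request as it would appear on port 80 with no TLS at all.
SAMPLE_PLAINTEXT_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Cookie: session=abc123\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=alice&password=hunter2"
)


if __name__ == "__main__":
    print("weak context:    ", audit_client_context(make_weak_context()))
    print("hardened context:", audit_client_context(make_hardened_context()))
    print("cleartext request:", find_cleartext_secrets(SAMPLE_PLAINTEXT_REQUEST))
```

The static audit is the cheap first pass; nogotofail's contribution is catching the same mistakes dynamically, including in libraries whose settings you cannot inspect, by actually presenting a bad certificate or stripping STARTTLS and watching whether the client objects.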

Facebook integrates ESET Online Scanner to help find malware in problem PCs

     

Facebook has partnered with antivirus firm ESET to offer users the ability to scan their computers for malware directly from inside the social networking site.
Facebook has integrated ESET’s technology into its abuse detection and prevention system so that users will be prompted to run the ESET Online Scanner for free when Facebook flags suspicious activity on their accounts or computers, like the posting of malicious links via news feeds and messages.
“Here’s how it works: if the device you’re using to access our services is behaving suspiciously and shows signs of a possible malware infection, a message will appear offering you an anti-malware scan for your device,” said Chetan Gowda, a software engineer with Facebook’s Site Integrity Team, in a blog post. “You can run the scan, see the scan results, and disable the software all without logging out of Facebook—making it seamless and easy to clean up an infected device.”
ESET is the third antivirus vendor to integrate its technology directly into Facebook, the social networking site having signed similar partnerships with F-Secure and Trend Micro in May.
Users will likely be prompted to scan their computers with the technology of the vendor that detected the suspicious behavior. In its May announcement, Facebook said that “each product contains distinct malware signatures and is suited to different kinds of threats.”
ESET’s anti-malware service for Facebook is based on its existing online scanner that’s already available on the company’s own site. According to the antivirus vendor, 44 million scans have been performed with the product so far, and malware was detected in nearly half of those scans.
Online malware scanners, available through Facebook or otherwise, are good for one-time on-demand scans, but should not be viewed as replacements for locally installed antivirus programs that also include proactive layers of protection.

Data breach trends for 2015: Credit cards, healthcare records will be vulnerable

The data breaches of 2014 have yet to fade into memory, and we already have 2015 looming. Experian's 2015 Data Breach Industry Forecast gives us much to anticipate, and I've asked security experts to weigh in with their thoughts for the coming year as well.
Experian highlights a number of key factors that will drive or contribute to data breaches in 2015. A few of them aren't surprising: Organizations are focusing too much on external attacks when insiders are a significantly bigger threat, and attackers are likely to go after cloud-based services and data. A few new factors, however, merit your attention. 
First, there is a looming deadline of October 2015 for retailers to upgrade to point-of-sale systems capable of processing chip-and-PIN credit cards. As banks and credit card issuers adopt more secure chip-and-PIN cards, and more consumers have them in hand, it will be significantly more difficult to clone cards or perpetrate credit card fraud. That’s why Experian expects cybercriminals to increase the volume of attacks early in 2015, to compromise as much as possible while they still can.
Another factor that stands out in the Experian report is an increased focus on healthcare breaches. Electronic medical records, and the explosion of health or fitness-related wearable devices, make sensitive personal health information more vulnerable than ever to being compromised or exposed.
The risk of health related data being breached is also a concern voiced by Ken Westin, security analyst with Tripwire. He pointed out that part of the reason that retail breaches have escalated is because cybercriminals have developed the technologies and market for monetizing that data. “The bad news is that other industries can easily become targets once a market develops for the type of data they have. I am particularly concerned about health insurance fraud—it’s driving increasing demand for health care records and most healthcare organizations are not prepared for the level of sophistication and persistence we have seen from attackers in the retail segment.”
“There will absolutely be more breaches in 2015—possibly even more than we saw in 2014 due to the booming underground market for hackers and cybercriminals around both credit card data and identity theft,” warned Kevin Routhier, founder and CEO of Coretelligent. “This growing market, coupled with readily available and productized rootkits, malware and other tools will continue to drive more data breaches in the coming years as this is a lucrative practice for enterprising criminals.”
The rise in data breach headlines, however, may not necessarily suggest an increase in actual data breaches. It’s possible that organizations are just getting better at discovering that they’ve been breached, so it gets more attention than it would have in previous years.
Tim Erlin, director of IT risk and security strategy for Tripwire, echoed that sentiment. “The plethora of announced breaches in the news this year is, by definition, a trailing indicator of actual breach activity. You can only discover breaches that have happened, and there’s no indication that we’re at the end of the road with existing breach activity. Because we expect organizations to improve their ability to detect the breaches, we’ll see the pattern of announcements continue through 2015.”
The combination of a rise in actual data breach attacks, and an increase in the ability to discover them will make 2015 a busy year for data breaches. Whether we’re defending against new attacks, or just detecting existing breaches that have already compromised organizations, there will be no shortage of data breach headlines in 2015.

Judge: Give NSA unlimited access to digital data


The U.S. National Security Agency should have an unlimited ability to collect digital information in the name of protecting the country against terrorism and other threats, an influential federal judge said during a debate on privacy.
“I think privacy is actually overvalued,” Judge Richard Posner, of the U.S. Court of Appeals for the Seventh Circuit, said during a conference about privacy and cybercrime in Washington, D.C., Thursday.
“Much of what passes for the name of privacy is really just trying to conceal the disreputable parts of your conduct,” Posner added. “Privacy is mainly about trying to improve your social and business opportunities by concealing the sorts of bad activities that would cause other people not to want to deal with you.”
Congress should limit the NSA’s use of the data it collects—for example, not giving information about minor crimes to law enforcement agencies—but it shouldn’t limit what information the NSA sweeps up and searches, Posner said. “If the NSA wants to vacuum all the trillions of bits of information that are crawling through the electronic worldwide networks, I think that’s fine,” he said.
In the name of national security, U.S. lawmakers should give the NSA “carte blanche,” Posner added. “Privacy interests should really have very little weight when you’re talking about national security,” he said. “The world is in an extremely turbulent state—very dangerous.”
Posner criticized mobile OS companies for enabling end-to-end encryption in their newest software. “I’m shocked at the thought that a company would be permitted to manufacture an electronic product that the government would not be able to search,” he said.
Other speakers at Thursday’s event, including Judge Margaret McKeown of the U.S. Court of Appeals for the Ninth Circuit, disagreed with Posner, saying legal limits on government surveillance are necessary. With much of U.S. privacy law based on a reasonable expectation of privacy, it’s difficult, however, to define what that means when people are voluntarily sharing all kinds of personal information online, she said.
An expectation of privacy is a foundational part of democracies, said Michael Dreeben, deputy solicitor general in the U.S. Department of Justice. Although Dreeben has argued in favor of law enforcement surveillance techniques in a handful of cases before the U.S. Supreme Court, he argued courts should take an active role in protecting personal privacy.
“A certain degree of privacy is perhaps a precondition for freedom, political freedom, artistic freedom, personal autonomy,” he said. “It’s kind of baked into the nature of the democratic system.”
David Cole, a professor at the Georgetown University Law Center, called for a change in the U.S. law that gives email stored for six months less legal protection than newer messages. The ability of law enforcement agencies to gain access to stored email without a warrant makes no sense when many email users never delete messages.
U.S. courts or Congress also need to reexamine current law that allows law enforcement agencies to gain access, without a warrant, to digital information shared with a third party, given the amount of digital information people share with online services, he said.
Some recent court cases, including the Supreme Court’s 2014 Riley v. California ruling limiting law enforcement searches of mobile phones, have moved privacy law in the right direction, he said.
Posner questioned why smartphone users need legal protections, saying he doesn’t understand what information on smartphones should be shielded from government searches. “If someone drained my cell phone, they would find a picture of my cat, some phone numbers, some email addresses, some email text,” he said. “What’s the big deal?
“Other people must have really exciting stuff,” Posner added. “Do they narrate their adulteries, or something like that?”
Smartphones can contain all kinds of information that people don’t want to share, including medical information, visits to abortion doctors and schedules for Alcoholics Anonymous meetings, Cole said. “Your original question, ‘what’s the value of privacy unless you’ve got something to hide?’ that’s a very short-sighted way of thinking about the value of privacy,” he said.
In the 1960s and ‘70s, government agencies investigated political figures, in some cases, bugging hotel rooms in search of evidence of affairs, Cole noted. Government misuse of surveillance information is still a risk, he said, and smartphones could be a treasure trove of information.
The U.S. and other governments have a long history of targeting people “who they are concerned about because they have political views and political positions that the government doesn’t approve of,” Cole said.

New bill aims to block forced government backdoors in tech products


U.S. Senator Ron Wyden on Thursday introduced a bill that would prevent the government from forcing companies to design backdoors or security vulnerabilities into their products to aid surveillance.
The Secure Data Act aims to preempt moves by the government to better eavesdrop over newer communications technologies, and is part of an overall bid by some legislators to place curbs on extensive government surveillance.
A key piece of legislation that would curb the bulk collection of phone records by the U.S. National Security Agency, the USA Freedom Act, failed to advance to a final vote in the Senate last month, despite backing from the administration of U.S. President Barack Obama.
Wyden said his bill comes in the wake of proposals by U.S. government officials to compel companies to build backdoors in the security features of their products. “Strong encryption and sound computer security is the best way to keep Americans’ data safe from hackers and foreign threats,” Wyden said in a statement Thursday.
The U.S. Congress should pass a law requiring that all communication tools allow police access to user data, U.S. FBI Director James B. Comey said in October.
The Communications Assistance for Law Enforcement Act, or CALEA, which requires telecommunications carriers and broadband providers to build interception capabilities for court-ordered surveillance, was enacted 20 years ago, and does not cover newer communications technologies, Comey said in a speech to the Brookings Institution.
“The issue is whether companies not currently subject to the Communications Assistance for Law Enforcement Act should be required to build lawful intercept capabilities for law enforcement,” Comey said.
Apple and Google had recently announced that they would start encrypting iOS and Android user data by default, a plan that didn’t go down well with Comey.
Wyden, a Democrat from Oregon, counters that government-driven “technology mandates to weaken data security for the purpose of aiding government investigations would compromise national security, economic security and personal privacy.”
A backdoor built into a security system inherently compromises it, and companies will have less incentive to invest in new strong data security technologies, he said. Mandating backdoors would also further erode consumer trust in these products and services, which was already hit by revelations of government surveillance.
The Senate bill would bar any agency from requiring a manufacturer, developer or seller of computer hardware, software or electronic devices sold to the public to design or alter their security functions for the purpose of surveilling any user or physically searching a product, unless the product is already covered by CALEA.
Wyden said his legislation builds on a bipartisan effort in the U.S. House of Representatives, which approved an amendment by Representatives Thomas Massie and Zoe Lofgren to prohibit electronic vulnerability mandates in June.