Computer Fraud & Security, April 2013 (page 4)

NEWS: In brief

Microsoft reveals FBI snooping

Following Google’s lead, Microsoft has released information about the FBI’s use of National Security Letters (NSLs) to obtain information about the company’s customers without a warrant. The firm used its Corporate Citizenship website to post details of the law enforcement requests made to it in 2012. NSLs have been used hundreds of thousands of times to obtain information from organisations such as Internet service providers and telecoms firms. Not only can NSLs be used to obtain data without a judge’s approval, they also act as a gag, preventing the company that is forced to provide the information from telling the subject of the search that this has happened. Google and Microsoft have not been able to provide specific details of the NSLs and have only been granted permission to publish a broad range for the number received. This comes shortly after a federal judge, US District Judge Susan Illston, ruled NSLs to be “unconstitutional” in a case brought by the Electronic Frontier Foundation on behalf of an unnamed telecoms firm. The US Government has until June 2013 to appeal the ruling. Microsoft’s report is here: http://bit.ly/201304microsoft.

The dangers posed by spreadsheets

Research by ClusterSeven on C-level executives and senior managers working in financial services in the UK has, says the firm, revealed dangerously poor attitudes to business-critical data managed in spreadsheets and similar user-maintained databases. Half (51%) of C-level executives say there are either no usage controls at all, or only poorly applied manual processes, over the use of spreadsheets. Some 89% admit they rely on manual oversight to maintain data integrity, with only 11% saying there is an automated control policy that lets them fully understand the changes between different versions of a spreadsheet and see a clear audit trail for the data. Nevertheless, 55% of C-level executives rate spreadsheet risk – the risk of serious financial or reputational loss from poor management of corporate spreadsheets and databases – as either ‘very serious’ or ‘serious’, while around one in seven (15%) admit their firm has suffered a significant data breach. And 19% of C-level executives say that they use spreadsheets to manage values of over £1bn, the average across all respondents being £350m. The study comes shortly after the Basel Committee on Banking Supervision released the report ‘Principles for Effective Risk Data Aggregation and Risk Reporting’, which the firm says is the first time that spreadsheet management has been specifically addressed at such a high level. That report is available at: http://www.bis.org/publ/bcbs239.pdf.

Anti-virus is missing malware

Traditional approaches to fighting malware are failing, according to research by firewall vendor Palo Alto Networks. A large part of the problem is that a great deal of malware is delivered via channels such as web browsers, which corporate anti-virus defences struggle to monitor in real time. The ‘Modern Malware Review’ claims to be the first industry report to examine the behaviour of unknown malware throughout its entire lifecycle: when it enters the network, how it behaves once it is on the infected device and, finally, the outgoing traffic it generates. Among its key findings are that: 94% of the fully undetected malware found on networks was delivered via web browsing or web proxies; 70% of malware left identifiers in its traffic or payload that security teams can use for detection; 40% of seemingly unique malware actually consists of repackaged versions of the same code; FTP is a highly effective method for introducing malware to a network, with 95% of malware delivered via FTP going undetected by anti-virus solutions for more than 30 days; and modern malware is highly adept at remaining undetected on a host device. The review identified 30 different techniques for evading security, and more than half of all the malware behaviours observed were focused on remaining undetected. The report is available at: www.paloaltonetworks.com/mmr.

DEA defeated by iMessage

As US federal agencies push for greater communications interception powers, it has emerged that at least one of them has been having difficulties with Apple’s iMessage service. A leaked memo from the Drug Enforcement Administration (DEA) suggested that its attempts to monitor the communications between some unnamed suspects had been thwarted when the surveillance targets switched to iMessage. That is because iMessage encrypts messages end to end between the sender’s and recipient’s devices, so the DEA was unable to read them in transit. Whether all federal agencies – the National Security Agency (NSA), for instance – would have the same difficulty is open for debate. It is also possible that the DEA could have overcome the problem by applying to Apple for details of the communications, although that still wouldn’t allow for real-time interception. As an Internet messaging service rather than a carrier service, iMessage isn’t covered by the 1994 Communications Assistance for Law Enforcement Act (CALEA), which obliges telecoms firms to provide law enforcement agencies with interception capabilities. Although a 2006 amendment extended coverage to VoIP and broadband traffic, it still doesn’t touch services supplied by firms, such as Apple, that are not defined as carriers. There is a push from within the intelligence and law enforcement communities to extend CALEA to all forms of communication, even in-app chat capabilities, and this may explain why the DEA memo was leaked.

NATO issues cyberwar manual

Cyberwar is a legitimate activity for nation states, according to a new manual produced under NATO auspices that attempts to spell out the legal status of Internet-based warfare and its relation to the Geneva Conventions. However, countries might still fall foul of international law if they attack civilian targets such as hospitals or power stations. In fact, the book warns against all attacks on critical national infrastructure. The document is not official NATO doctrine, but rather a collection of legal opinions. It was compiled by legal experts working under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE), which is based in Tallinn, Estonia – hence the name, ‘Tallinn Manual on the International Law Applicable to Cyber Warfare’. More details are available at: http://www.ccdcoe.org/249.html.

NIST targeted by ironic malware

The US National Vulnerability Database (NVD), managed by the National Institute of Standards and Technology (NIST), was offline for several days recently because of a malware infection. A firewall detected unusual traffic coming from the NVD, and two servers were subsequently found to be infected. This resulted in a number of NIST-hosted websites being taken offline. The organisation said it believes that no public-facing pages were used to deliver malware to visitors. Some security pundits noted that, the day after the malware was discovered, NIST switched from Microsoft’s IIS 7 web server running on Windows Server 2008 to an Apache server running on Linux. It is believed that the servers were compromised by exploiting a flaw in Adobe ColdFusion, since patched, and that the infections went unnoticed for two months.

Supply chain security qualification

A new ‘domain’ has been added to the Certified Secure Software Lifecycle Professional (CSSLP) qualification offered by (ISC)². The Supply Chain and Software Acquisition component is, in part, a response to the growing frequency of software acquisition and outsourcing, and also to the fact that software vulnerabilities rate very highly on lists of organisations’ security worries. In the ‘2013 (ISC)² Global Information Security Workforce Study’, application vulnerabilities were the top concern for 69% of respondents and 72% of C-level executives. There is more information about the CSSLP credential here: https://www.isc2.org/csslp/.