January 23, 2025

OpenDNS Teams With FireEye to Boost Threat Protection

Posted on February 5, 2014 by in Security

OpenDNS, the company best known for its DNS service that adds a level of security by monitoring domain name requests, today announced that its Umbrella security service is now integrated with the FireEye Web Malware Protection System (MPS).

Launched by OpenDNS in November 2012, Umbrella is a DNS-based security solution delivered through the cloud that helps protect users from malware, botnet and phishing threats regardless of location or device. 

Adding FireEye’s behavioral analysis technology to Umbrella will provide OpenDNS customers with real-time protection against custom malware, zero-day exploits and advanced persistent threats (APTs), the company said.

Using predictive threat detection and enforcement, the combination of OpenDNS and FireEye will enable customers to extend security policies to the cloud and transparently protect any user and any device, both on and off the corporate network.

“Malicious activity detected by FireEye is automatically fed to the Umbrella service to enhance security policy enforcement, protecting customers from infection and preventing data leakage,” the company explained.

David Ulevitch, CEO of OpenDNS, called the partnership a “force-multiplier for Enterprise security.”

The announcement of the partnership was made at the FireEye 2014 Momentum Partner Conference, taking place in Las Vegas this week.

“Through this partnership, we are able to extend FireEye’s advanced threat protection to the cloud and provide centralized security policy enforcement to any device, on or off the network,” said Didi Dayton, vice president of worldwide strategic alliances at FireEye.

Because Umbrella resolves more than 50 billion DNS requests each day through its OpenDNS network, it is able to collect massive volumes of data and gain unique insight into emerging security threats and attacks. Using data collected from its DNS requests, OpenDNS leverages big data analytics to predict and block cyber threats without the need for manual intervention by security teams.

FireEye’s technology utilizes an isolated virtual environment (Virtual Execution Engine) to analyze file behavior and detect malicious code embedded in common file types. FireEye delivers alerts to OpenDNS when new threats are detected.

The OpenDNS-FireEye integration extends enforcement beyond the eroding network perimeter, Ulevitch said. “Together we can detect, alert and block advanced threats before damage can be done.”  

The Umbrella service with FireEye integration is available immediately.

Managing Editor, SecurityWeek.

SecurityWeek RSS Feed

Canada’s Eavesdropping Agency Blasts Tradecraft Leak

Posted on February 2, 2014 by in Security

OTTAWA – Canada’s ultra-secret eavesdropping agency on Friday blasted the disclosure of its tradecraft, after it was reported the agency had tracked airline passengers connected to Wi-Fi services at airports.

Communications Security Establishment Canada said: “The unauthorized disclosure of tradecraft puts our techniques at risk of being less effective when addressing threats to Canada and Canadians.”

On Thursday, the Canadian Broadcasting Corporation said documents leaked by fugitive NSA contractor Edward Snowden showed that the CSEC could follow the movements of people who passed through airports and connected to Wi-Fi systems with mobile phones, tablets and laptops.

The documents showed the agency could track the travellers for a week or more as they and their wireless devices showed up in other Wi-Fi “hot spots” in cities across Canada and beyond.

This included people visiting other airports, hotels, coffee shops and restaurants, libraries and ground transportation hubs and other places with public wireless Internet access.

Under Canadian law, the CSEC is prohibited from domestic spying.

But the agency said it is authorized to collect and analyze metadata — the identifying data generated by calls from wireless devices such as caller ID, telephone numbers and user location.

The leaked classified document was “a technical presentation between specialists exploring mathematical models built on everyday scenarios to identify and locate foreign terrorist threats.”

According to the documents, older software took too long to locate targets to be useful. The new software cut the time from more than two hours to several seconds, in tests.

“It is important to note that no Canadian or foreign travelers were tracked. No Canadian communications were, or are, targeted, collected or used,” the CSEC added.

Defense Minister Rob Nicholson meanwhile in Parliament said the CSEC is in “complete compliance with Canadian law.”

© AFP 2013


Use Microsoft Error Reporting to Improve Network Visibility: Websense

Posted on January 30, 2014 by in Security

Websense is providing free source code, queries and lookups designed to help organizations use Microsoft Error Reporting to identify USB devices connecting to their networks.

Also known as Dr. Watson reports, the Microsoft Error Reporting feature was indirectly the source of controversy a few weeks ago when it was made public that the NSA had intercepted these reports and used them to gather information about its targets. With this data in hand, the spy agency could get a better read on the hardware and software on a given network and use that information to tailor its cyber-operations.

According to Websense, enterprises can use Dr. Watson reports for their own use as well – in this case, to identify when a storage device such as a USB drive or mobile phone is plugged into their network.  

“We were surprised to learn that a USB drive insertion is considered a hardware change, and that detailed information about the USB device and the computer that it was plugged into is sent to Microsoft,” blogged Websense Director of Threat Research Alex Watson. “These logs are sent to Microsoft via HTTP URL-encoded messages. Organizations can use knowledge about their content and how to decode these messages to detect USB drives and devices that could be a risk to the organization. This knowledge can help organizations detect USB drives and devices such as those used in the KCB and [Edward] Snowden leaks, and automatically generate reports when they are plugged into a secure system.”

Dr. Watson Reports for Security

The error report is sent to Microsoft every time an application crashes, fails to update, or a hardware change happens to a PC running Windows. In Windows Vista and later, these reports are automated and part of an opt-out program Microsoft estimates nearly 80 percent of the PCs in the world participate in, Watson explained.

“These reports can be gathered in a variety of ways, either by examining outbound web proxy logs… creating an IPS rule in an open source intrusion prevention system such as Snort or Suricata, or by simply monitoring a SPAN port using a sniffer such as Wireshark,” Watson blogged. “In our last blog entry, we discussed an information leakage that can arise with these reports and suggested that organizations set up a group policy that sends reports to an on-premise server which then forces encryption before forwarding to Microsoft. In this case, the reports can be processed at the organization’s WER (Windows Error Reporting) collection server.”

The Dr. Watson reports have a specific report type for USB inserted devices. Organizations can start by filtering down to messages containing ‘PnPGenericDriverFound’. Using some lookup tables, the information that follows can be broken up into several fields, including date, USB device manufacturer and host computer BIOS version and UMI [unique machine identifier].

“It turns out the Vendor and Device ID lookups can be a little tricky – but map exactly to Windows and Linux driver databases,” Watson blogged. “To see an example for yourself, try typing “lsusb” from a Linux machine. After scraping some online driver databases, we put together a lookup script that you can use for vendors and device codes that you can download on GitHub. These will obviously need to be updated periodically to remain up to date. Feel free to add new device codes yourself, or check back to our site for updates.”

“Using Splunk or a similar SIEM tool, create lookups to map the vendor and product IDs that you see in the Watson logs above to the manuf_ids.csv and product_ids.csv files that have been attached,” he added. “Please note that our Product ID lookup contains the VID+PID (Vendor ID and Product ID) together – this is the one you’ll most likely want to use in your lookups.”

The next step is decoding the WER report structure. Websense has included some Splunk queries that can be used to detect USB device insertions and create reports. It is also possible to configure the SIEM tool to trigger a report every time a certain device is added to the network.
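The detection workflow described above, as an added example that is not Websense's GitHub code: it filters constructed proxy log lines for reports whose event type is PnPGenericDriverFound, decodes the URL-encoded parameters, pulls the USB vendor and product IDs out of the hardware-ID string, and maps them through small lookup tables modelled on the manuf_ids.csv and product_ids.csv layout. The log-line format, the `EventType`/`P1`/`P2` parameter names, the `watson.example` host and the table entries are all assumptions for illustration; a real WER report has its own parameter layout.

```python
"""Detect USB insertions from Windows Error Reporting traffic in proxy logs.

Added example, not Websense's tooling. The proxy log lines, the parameter
layout of the PnPGenericDriverFound report (EventType, P1, P2) and the host
name are CONSTRUCTED for illustration; the lookup tables are tiny stand-ins
for the manuf_ids.csv / product_ids.csv files the article refers to.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed excerpt of a vendor-ID lookup (4 hex digits, as shown by lsusb).
MANUF_IDS = {
    "0781": "SanDisk Corp.",
    "0951": "Kingston Technology",
}
# Constructed excerpt of the VID+PID lookup, keyed as the article notes:
# vendor ID and product ID concatenated.
PRODUCT_IDS = {
    "07815567": "Cruzer Blade",
    "09511666": "DataTraveler 100 G3",
}

# Windows hardware-ID form for a USB device, e.g. USB\VID_0781&PID_5567.
HWID_RE = re.compile(r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

# Constructed proxy log: "<timestamp> <client-ip> <url>" per line.
SAMPLE_PROXY_LOG = """\
2014-01-30T09:12:44Z 10.20.30.41 http://watson.example/report.aspx?EventType=PnPGenericDriverFound&P1=USB%5CVID_0781%26PID_5567&P2=BIOS-A07
2014-01-30T09:13:02Z 10.20.30.42 http://watson.example/report.aspx?EventType=AppCrash&P1=notepad.exe
2014-01-30T09:15:17Z 10.20.30.99 http://watson.example/report.aspx?EventType=PnPGenericDriverFound&P1=USB%5CVID_1234%26PID_ABCD&P2=BIOS-B12
"""


def parse_wer_report(log_line):
    """Return a dict for a USB-insertion report, or None for any other line."""
    parts = log_line.split(None, 2)
    if len(parts) != 3:
        return None
    timestamp, client_ip, url = parts
    # parse_qs splits on '&' first, then URL-decodes each value, so the
    # encoded '%26' inside the hardware ID survives as part of P1.
    query = parse_qs(urlparse(url).query)
    if query.get("EventType", [""])[0] != "PnPGenericDriverFound":
        return None
    # Look for the hardware ID in every parameter rather than trusting a
    # fixed position; the BIOS field position (P2) is an assumption here.
    match = None
    for values in query.values():
        for value in values:
            match = HWID_RE.search(value)
            if match:
                break
        if match:
            break
    if match is None:
        return None
    vid, pid = match.group(1).lower(), match.group(2).lower()
    return {
        "date": timestamp,
        "host": client_ip,
        "vid": vid,
        "pid": pid,
        "vendor": MANUF_IDS.get(vid, "unknown vendor"),
        "product": PRODUCT_IDS.get(vid + pid, "unknown product"),
        "bios": query.get("P2", ["?"])[0],
    }


def find_usb_insertions(log_lines, sensitive_hosts=frozenset()):
    """Collect USB-insertion reports and flag the ones worth an alert:
    a device absent from both lookups, or any device on a sensitive host."""
    reports = []
    for line in log_lines:
        report = parse_wer_report(line)
        if report is None:
            continue
        unknown = report["vid"] not in MANUF_IDS or \
            report["vid"] + report["pid"] not in PRODUCT_IDS
        report["alert"] = unknown or report["host"] in sensitive_hosts
        reports.append(report)
    return reports


if __name__ == "__main__":
    for r in find_usb_insertions(SAMPLE_PROXY_LOG.splitlines(), {"10.20.30.99"}):
        flag = "ALERT" if r["alert"] else "ok   "
        print(f'{flag} {r["date"]} {r["host"]} {r["vendor"]} {r["product"]} ({r["bios"]})')
```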

In an interview with SecurityWeek, Watson added that the crash reports can be fed into any SIEM tool or custom framework. Leveraging this information can allow businesses to better understand what devices, applications and application versions are deployed on their network without needing a dedicated endpoint agent.

Organizations can also use this to help prevent data leaks by filtering the reports based on computer names or IP addresses from computers with sensitive data. However, this is not meant to replace data loss prevention (DLP) products.

“DLP is an incredible technology that is really starting to gain traction in the security marketplace to enable businesses to protect their data,” Watson told SecurityWeek. “I view the example we provided as a way for businesses that have not deployed DLP to start to see the value that it can provide.”

Brian Prince is a Contributing Writer for SecurityWeek.


US Allows Tech Giants to Reveal Spy Agency Demands

Posted on January 28, 2014 by in Security

WASHINGTON – The United States agreed to give technology firms the ability to publish broad details of how their customer data has been targeted by US spy agencies, officials said Monday.

Facing a legal challenge and a furious public debate, Attorney General Eric Holder and Director of National Intelligence James Clapper said the companies would now be allowed to disclose figures on consumer accounts requested.

“The administration is acting to allow more detailed disclosures about the number of national security orders and requests issued to communications providers,” the officials said in a joint statement.

In a letter to tech giants Facebook, Google, LinkedIn, Microsoft and Yahoo, the Justice Department freed them to release the approximate number of customer accounts targeted.

President Barack Obama’s administration has faced pressure from the tech sector following leaked documents outlining vast surveillance of online and phone communications. The companies have said the reports have already begun to affect their business.

Facebook, Google, LinkedIn, Microsoft and Yahoo, which sued for the right to publish more data, said in a joint statement they were pleased with the settlement.

“We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive,” the companies said.

“We’re pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we’ll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”

Under the agreement filed with the secretive Foreign Intelligence Surveillance Court the companies will be able to disclose the numbers, within ranges.

They will have an option to reveal within bands of 1,000 the numbers of “national security letters” and specific court orders. Another option will be to disclose, in bands of 250, all the national security requests, lumped together.

The reports will have a six-month lag time, so data for the second half of 2014 may be published in mid-2015, according to the agreement.

Previously, the existence of orders made by the secret court for access to private online data was itself classified, to the outrage of the firms.

In addition to the bare numbers of targeted consumers, the companies will also be permitted to disclose the number but not the nature of selection criteria for broader Internet sweeps.

Civil liberties groups welcomed the deal, while arguing for even more transparency.

“This is a victory for transparency and a critical step toward reining in excessive government surveillance,” said Alex Abdo, an ACLU attorney.

But Abdo said more is needed: “Congress should require the government to publish basic information about the full extent of its surveillance, including the significant amount of spying that happens without the tech companies’ involvement.”

Kevin Bankston of the New America Foundation’s Open Technology Institute, called the news “an important victory in the fight for greater transparency around the NSA’s surveillance programs” but said the agreement “falls far short of the level of transparency that an unprecedented coalition of Internet companies, privacy advocates and civil liberties organizations called for this summer.”

“Meaningful transparency means giving companies the ability to publish the specific number of requests they receive for specific types of data under specific legal authorities,” Bankston said.

“Fuzzing the numbers into ranges of a thousand — and even worse, lumping all of the different types of surveillance orders into a single number — serves no national security purpose while making it impossible to effectively evaluate how those powers are being used.”

US tech firms have claimed that reports on the US government’s secretive data collection programs have distorted how they work with intelligence and law enforcement. The firms have been asking for permission to disclose more on the nature of the requests and what is handed over.

Google’s petition said that despite reports to the contrary, the US government “does not have direct access to its servers” and that it only complies with “lawful” requests.

The issue caught fire after Edward Snowden, a former IT contractor at the National Security Agency, revealed that US authorities were tapping into Internet user data.

[Updated]

© AFP 2013


Hackers Steal Law Enforcement Inquiry Documents from Microsoft

Posted on January 25, 2014 by in Security

Recent Phishing Attacks Compromised Employee Email, Social Media Accounts at Microsoft

Microsoft on Friday said that attackers breached the email accounts of a “select number” of employees, and obtained access to documents associated with law enforcement inquiries.

According to the company, a number of Microsoft employees were targeted with attacks aiming to compromise both email and social media accounts, and in some cases, the attacks were successful.

“While our investigation continues, we have learned that there was unauthorized access to certain employee email accounts, and information contained in those accounts could be disclosed,” Adrienne Hall, General Manager at Microsoft’s Trustworthy Computing Group, wrote in a blog post. 

“It appears that documents associated with law enforcement inquiries were stolen,” Hall said.

“If we find that customer information related to those requests has been compromised, we will take appropriate action,” Hall continued. “Out of regard for the privacy of our employees and customers – as well as the sensitivity of law enforcement inquiries – we will not comment on the validity of any stolen emails or documents.”

The software giant did not say how many documents might have been obtained or exposed as a result of the attacks, or who they believe may have been behind the attacks.

Targeted attacks like this are not uncommon, especially for an organization like Microsoft. What’s interesting about this is that the incident was significant enough to disclose, indicating that a fair number of documents could have been exposed, or that the company fears some documents will make their way to the public if released by the attackers—which may be the case if this was a “hacktivist” attack.

“In terms of the cyberattack, we continue to further strengthen our security,” Hall continued. “This includes ongoing employee education and guidance activities, additional reviews of technologies in place to manage social media properties, and process improvements based on the findings of our internal investigation.”

In a Microsoft Law Enforcement Requests Report that covered the first half of 2013, Microsoft (including Skype) said that it received 37,196 requests from law enforcement agencies potentially impacting 66,539 accounts.  

Microsoft has recently faced a barrage of attacks claimed by the Syrian Electronic Army (SEA), hackers who support President Bashar al-Assad’s regime. While no attacks have resulted in any significant data loss or company-wide impact, the company did have social media accounts and blogs compromised this month.

It is unclear if the attacks may be related to the Syrian Electronic Army.

SecurityWeek has reached out to Microsoft for additional details and this story will be updated when a response is received.

Related: Yes, Virginia, There Really is Social Engineering

Related: Social Engineering is Alive and Well. How Vulnerable is Your Organization?

Managing Editor, SecurityWeek.


Slovenia Frees Man Charged With Hacking Into NASA Despite US Extradition Order

Posted on January 22, 2014 by in Security

Slovenia Frees Hacker Despite US Extradition Order

LJUBLJANA – A Slovenian higher court on Wednesday rejected a United States extradition request and released a Romanian citizen charged with hacking into NASA computers in 2006.

Maribor’s higher court rejected the extradition request taking into account that Romanian citizen Victor Faur could not be tried again for the same charges for which he had already been sentenced in Romania in 2008 to 16 months of suspended prison time and a 238,000 dollar (EUR176,000) fine.

“I want to thank the Slovenian authorities for taking the right decision and not bowing to the American pressure,” Faur told Slovenian journalists after being released in the northeastern town of Murska Sobota.

He added “I’m sure they (the US government) knew they had no chance of extradition yet they wanted to keep me here as long as possible.”

Slovenian police detained 34-year-old Faur during a routine road check in October and held him until the local authorities ruled on the US international arrest warrant.

The US authorities charged Faur with hacking into NASA computers and causing more than 1.5 million dollars of damage to the US space agency and of breaking into the computers of the US Navy and Department of Energy between November 2005 and September 2006.

Faur has admitted the intrusions but said he wanted to prove that many computers are vulnerable to IT attacks and maintained he did not try to obtain material for personal gain.

Related: NASA Inspector General Said Hackers Had Full Functional Control Over NASA Networks

© AFP 2013


US Lawmakers Say Snowden Was ‘Helped’ by Foreign Power

Posted on January 20, 2014 by in Security

WASHINGTON – Edward Snowden may have acted in concert with a foreign power in exposing US surveillance programs, two Republican lawmakers suggested Sunday.

“I think there are some interesting questions we have to answer that certainly would lend one to believe that the Russians had at least in some part something to do” with the affair, House Intelligence Committee chairman Mike Rogers told CBS’s “Face the Nation.”

Rogers, a Republican, said “everything from how he prepared to leave, his route of departure and how he quickly ended up in Moscow” put Snowden’s ties at question.

[Image: Fugitive NSA Leaker Edward Snowden]

The “vast majority” of the information leaked by Snowden, Rogers said “had nothing to do with the NSA program and everything to do with our military capabilities, army, navy, air force, marines.”

Rogers, appearing in a second interview on NBC’s “Meet the Press,” said he didn’t think “it was a gee-whiz luck event that he ended up in Moscow under the handling of the FSB” state security agency in Russia.

Michael McCaul, chairman of the House Homeland Security Committee, told ABC’s “This Week” that he didn’t believe “Mr Snowden was capable of doing everything himself.

“I believe he was helped by others,” the congressman said in an interview from Moscow.

McCaul, a Republican, said he could not say “definitively” that Russia was involved, “but I believe he was cultivated.”

US President Barack Obama curtailed the reach of massive US National Security Agency phone surveillance sweeps Friday, in a long-awaited speech designed to quell a furor over the programs exposed by Snowden.

The president, however, also said bulk data collection must go on to protect America from terrorists.

© AFP 2013


Obama to Unveil NSA Reforms, Response to Snowden

Posted on January 17, 2014 by in Security

WASHINGTON – President Barack Obama will Friday announce plans to stop the National Security Agency hoarding hundreds of millions of telephone call records, among reforms to US surveillance programs exposed by Edward Snowden.

A senior US official, speaking ahead of Obama’s speech on NSA programs, said that Obama believed trawling for telephone “metadata” was vital to fighting terrorism, but needed to be reformed to preserve civil liberties.

“In his speech, the president will say that he is ordering a transition that will end the Section 215 telephone metadata program as it currently exists,” the senior official told AFP.

The president foresees a move to a program “that preserves the capabilities we need without the government holding this bulk metadata.”

“The president believes that the 215 program addresses important capabilities that allow us to counter terrorism, but that we can and should be able to preserve those capabilities while addressing the privacy and civil liberties concerns that are raised by the government holding this metadata.”

It was not immediately clear how Obama would accomplish the reform or whether he would leave it up to Congress to decide which entity should hold the call data.

Telecommunications companies have balked at suggestions that data on the destination and duration of calls should be held within their servers and be accessed by US spies armed with court permission.

Some activists have suggested a third party company could be charged with holding the data.

Obama will also order Friday another immediate change to the system of telephone data dragnets, requiring a judicial finding before the NSA can query the database, the official said.

Obama has also asked Attorney General Eric Holder and the intelligence community to report to him by March 28 on how the program can be preserved without the government holding the metadata.

Snowden, a fugitive US contractor now exiled in Russia, has fueled months of revelations by media organizations over data mining and spying on foreign leaders by the NSA in one of the biggest security breaches in US history.

The disclosures have infuriated US allies, embarrassed Obama administration diplomats and shocked privacy campaigners and lawmakers.

The White House has assured Americans that data on phone calls and Internet use is only collected to build patterns of contacts between terror suspects — and that US spies are not listening in.

But Obama has said that one of his goals in Friday’s speech at the US Justice Department is to restore public confidence in the clandestine community.

His appearance follows a prolonged period of soul-searching and policy reviews by the White House.

On the eve of the speech, Britain’s Guardian newspaper and Channel 4 News splashed the latest revelations from Snowden.

Their reports said the NSA had collected almost 200 million mobile phone text messages a day from around the world, and used them to extract data on the location, contact networks and credit card details of mobile users.

Civil liberties activists are bracing themselves for disappointment.

Michelle Richardson, legislative counsel for the American Civil Liberties Union, said Thursday that Obama would likely neither outlaw nor significantly reform bulk collection of telephone and Internet metadata.

“We are looking to the president tomorrow to make a very bold statement about reclaiming privacy. We are looking to him to take leadership about reining in these programs,” she said.

“Will our government continue to spy on everyday Americans?”

Kevin Bankston, policy director of the Open Technology Institute at the New America Foundation, warned that if Obama did not announce specific reforms, the battle would shift to Congress.

“President Obama’s trajectory on these issues from reformer to supporter of these programs has been very dispiriting,” Bankston said.

“If he does fail to take a stand and exercise the bold leadership that is necessary, it will become Congress’s responsibility to step into the breach and we look forward to working with them to do so.”

Intelligence chiefs say the programs are perfectly legal, but their opponents say they are unconstitutional.

Obama is also expected to back extra privacy protections for foreigners swept up by the programs and limits to spying on friendly world leaders.

His challenge will be to prove that data mining programs, made possible by swift advances in technology, can enhance national security while restoring public confidence that individual freedoms are safe.

During his deliberations, Obama has had to reconcile his duties as a commander-in-chief sworn to keep Americans safe and his oath to uphold the US Constitution.

Not to mention guard his political flank — Obama knows his Republican enemies would pounce if a future terror attack could be pinned on restrictions he placed on spy agency capabilities.

The president’s speech will also be closely watched for any changes to the PRISM program, which mainly sweeps up Internet data on foreigners, based on records acquired from Internet companies like Google, Yahoo and Apple.

© AFP 2013


BlackBerry 10 Haunted by Adobe Flash Vulnerabilities

Posted on January 14, 2014 by in Security

BlackBerry today warned that its newest smartphones and tablets are at risk of remote code execution attacks via vulnerabilities in Adobe Flash Player.

According to a BlackBerry advisory, a malicious hacker could booby-trap Adobe Flash content and lure users into visiting rigged Web pages or downloading Adobe Air applications.

“If the requirements are met for exploitation, an attacker could potentially execute code with the rights of the application that opens the specially crafted malicious Flash content,” BlackBerry warned.

From the BlackBerry advisory:

Vulnerabilities exist in the Flash Player version supplied with affected versions of the BlackBerry 10 OS and PlayBook OS. The Flash Player is a cross-platform, browser-based application runtime.

Successful exploitation of these vulnerabilities could potentially result in an attacker executing code in the context of the application that opens the specially crafted Flash content (typically the web browser). Failed exploitation of this issue might result in abnormal or unexpected termination of the application.

In order to exploit these vulnerabilities, an attacker must craft Flash content in a stand-alone Flash (.swf) application or embed Flash content in a website. The attacker must then persuade the user to access the Flash content by clicking a link to the content in an email message or on a webpage, or loading it as part of an AIR application. The email message could be received at a webmail account that the user accesses in a browser on BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry tablets.

Affected products include the BlackBerry Z10 and BlackBerry Q10 smartphones and the BlackBerry PlayBook tablet.

The company said it was not aware of any active exploitation of the Flash Player vulnerabilities.

Separately, Adobe shipped a cross-platform Flash Player update to fix at least four vulnerabilities that expose users to hacker attacks. Adobe said the vulnerabilities could be exploited to cause a crash and potentially allow an attacker to take control of the affected system.

Ryan is the host of the podcast series “Security Conversations – a podcast with Ryan Naraine”. He is the head of Kaspersky Lab’s Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.


Obama to Unveil Spying Reforms on January 17

Posted on January 11, 2014 by in Security

WASHINGTON – US President Barack Obama will unveil reforms to the country’s spying activities on January 17, his spokesman said Friday, following a review of the National Security Agency (NSA).

White House spokesman Jay Carney said that Obama’s remarks next Friday would show the “outcomes of the work that has been done on the review process.”

The White House said on Thursday that the president was nearing the end of his soul searching about US spying reforms as he met lawmakers who oversee the intelligence community.

Obama met the delegation in Washington as part of consultations with players on all sides of the debate on how best to balance US security and privacy rights, following revelations of massive spy agency snooping by fugitive contractor Edward Snowden.

The meeting included several prominent critics of NSA phone and data sweeps. Obama says revelations over the program by Snowden have undermined public confidence in the work of the US intelligence community and reforms are needed.

Republican House Judiciary Committee Chairman Bob Goodlatte, who was one of the lawmakers in the meeting, called on the president to explain why such vast data mining programs — which spy chiefs say help piece together links between terror suspects worldwide — were necessary.

Senior US officials have indicated Obama is considering whether to permit the programs to continue while requiring data to be held either by technology companies or a third party instead of the NSA. Intelligence officers would have to obtain court permission to access the phone records.

© AFP 2013
