Monthly Archives: September 2013

Security company scours ‘Dark Web’ for stolen data

Alex Holden, founder of security company Hold Security, is in the business of bringing companies bad news.

Holden often reaches out to organizations, alerting them that their valuable data is circulating on underground hacker forums. These days, that’s pretty frequent.

Holden’s company, which focuses on penetration testing and auditing, recently expanded into monitoring the so-called dark or deep web, which refers to password-protected forums where cybercriminals sell or trade the data they’ve stolen.

“We went from being reactive and working a breach and getting the information for the client to monitoring as much of the Internet as possible and bringing the data into our data centers and looking at it,” he said.

Data breaches are costly for organizations. A Symantec-sponsored survey released in May conducted by the Ponemon Institute found the average cost to recover from one was highest in the U.S. at $5.4 million, followed by $4.8 million in Germany and $4.1 million in Australia.

Holden’s research in part contributed to the revelation last month that three major data brokers — LexisNexis, Kroll Background America and Dun and Bradstreet — had been victims of persistent breaches, which leaked consumer and business data as reported by security analyst and journalist Brian Krebs.

Those public disclosures, however, are just the tip of the iceberg, as hackers dig deeper and deeper into company networks, Holden said in an interview Tuesday. His company has profiles on as many as 10,000 data thieves worldwide, a formidable, clever force that is causing security headaches everywhere.

Earlier this month, Hold Security launched a subscription service called “Deep Web Monitoring,” where the company’s analysts search secret forums and let companies know if their data has been compromised. If a company isn’t working with Hold Security, Holden said he will sometimes approach the organization’s legal team to let them know there’s a breach.

Holden, who also is chief information security officer for his company, has a small team of analysts, mostly based in the U.S. They look for email addresses, login credentials, employee and customer names as well as any other data circulating on forums and chat channels. Hold Security’s clients are predominantly in financial services, the medical industry and e-commerce businesses.

Just in the last month alone, the company’s analysts came across more than 100 million stolen user IDs and passwords, Holden said.

If the data appears to match that of one of its clients, a delicate negotiation may take place. Some companies will give the nod to Hold Security to negotiate to prevent the data from becoming public.

“We often try to communicate with the cybercriminals and say ‘Alright, I know you stole this data, but I want exclusive rights’,” Holden said. “In some cases, we were successful doing that.”

Other companies may opt for a more defensive strategy. If a company's network is compromised, some have chosen instead to seed fake data on their systems, so that malware that periodically collects database information sucks up the bogus records along with, or instead of, the real ones.

“The bad guys are not really good at keeping backups of the original data,” Holden said. In one case, Holden said “we were able to taint the data that was being stolen.”

Cybercriminals are also in competition with one another. There have been instances of one hacker ratting out another to Holden’s analysts in an attempt to shut down their competitor.

“There is no kinship between certain thieves,” he said.

Retrieved from Computer World

Tech firms push Congress for transparency on NSA surveillance

The U.S. Congress must act quickly on legislation that would make electronic data collection efforts by the U.S. National Security Agency more public, a group of tech firms, civil liberties groups and other organizations said Monday.

Internet and telecommunications companies that receive data collection and surveillance requests from the NSA should “have the right to publish basic statistics about the government demands for user data,” the coalition said in a letter to the judiciary committees in the U.S. Senate and House of Representatives.

The letter endorsed two pieces of legislation, the Surveillance Transparency Act in the Senate and the Surveillance Order Reporting Act in the House, both of which would allow companies to publish information about the number of surveillance requests they receive from U.S. agencies. The Senate bill is sponsored by Senator Al Franken, a Minnesota Democrat, with 11 co-sponsors, including Senate Judiciary Chairman Patrick Leahy, a Vermont Democrat. The House bill is sponsored by Representative Zoe Lofgren, a California Democrat, with nine co-sponsors.

The Senate bill would require the U.S. government to issue annual public reports on surveillance requests made through the U.S. Foreign Intelligence Surveillance Court. Companies receiving surveillance requests could publish numbers every six months.

The House bill would allow Internet firms and telecoms to report the number of surveillance requests they receive every three months.

Companies signing Monday’s letter included AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Reddit, Twitter and Yahoo. Other organizations signing on were the American Civil Liberties Union, BSA, Consumer Action, the Electronic Frontier Foundation, Mozilla, Public Knowledge and TechFreedom. Some of the tech companies signing on to the letter have previously asked the government to allow them to report surveillance request numbers.

Lawmakers have introduced more than 20 bills focused on reforming government surveillance efforts in recent months, after former NSA contractor Edward Snowden leaked details about massive data collection and surveillance programs at the NSA. The Center for Democracy and Technology detailed 20 bills in a list released Sept. 12, and since then, four senators introduced another bill, called the Intelligence Oversight and Surveillance Reform Act, which would outlaw the NSA’s bulk collection of U.S. telephone records.

In addition, Senator Dianne Feinstein, a California Democrat and chairwoman of the Senate Intelligence Committee, said last week she plans to introduce a bill that would largely allow current NSA data collection practices to continue. The bill would add transparency to the process, Feinstein said, but it would also allow the NSA to continue collecting the communications of terrorism suspects who enter the U.S. for seven days while authorities seek court-ordered warrants.

The Senate Intelligence Committee may debate the Feinstein proposal, and potentially other bills, in closed session later this week.

In addition, the Senate Judiciary Committee has scheduled a Wednesday hearing on oversight of the Foreign Intelligence Surveillance Act, one piece of legislation that allows NSA surveillance.

One of the bills most likely to pass, said Greg Nojeim, CDT’s senior counsel, is the FISA Accountability and Privacy Protection Act, sponsored by Leahy. As chairman of the Senate Judiciary Committee, Leahy has the power to push the bill through committee.

That bill would end the bulk collection of telephone metadata now happening at the NSA. It requires that telephone data collection orders pertain to an agent of a foreign power or be relevant to the activities of an agent of a foreign power. The bill also requires inspector general audits of past data collection of U.S. records at the NSA.

Retrieved from Computer World
US gov’t shutdown could take money from IT workers, contracts

A looming U.S. government shutdown could mean smaller paychecks for some government IT workers and contractors, as well as renegotiated contracts for some IT vendors.

The possible shutdown is scheduled to happen next Tuesday unless President Obama and congressional leaders can agree on a continuing budget resolution to keep agencies open. Many congressional Republicans want to cut funding for the huge health-care program known as Obamacare and approved in the 2010 Affordable Care Act, in exchange for passing a government funding bill, but Obama has refused to negotiate.

With little time for Congress to avoid a government shutdown, some IT workers should prepare to be furloughed, said Trey Hodgkins, senior vice president for global public sector government affairs at TechAmerica, a large tech trade group. Many government IT systems will continue to run during a shutdown, and systems administrators will likely need to continue to work, but some IT workers, such as desktop support staff, may have an unpaid vacation during a shutdown, he said.

IT workers who install new desktops won’t be needed if there aren’t many workers on the job, he said. “Those things can probably wait for a week” until the issues surrounding a shutdown are resolved, Hodgkins said.

At the same time, government IT hiring has been down since March, when new budget cuts went into effect, according to Computerworld.

Some government IT contracts may also take a hit, he added. Some agencies, including the U.S. Department of Homeland Security, have sent messages to IT contractors saying they will likely seek amendments to contracts during a shutdown because the contract work won’t be needed, Hodgkins said.

The shutdown should have little effect on new government contracts, but it’s likely that Congress will cap new contracts in any continuing budget resolution that’s passed, he said. Recent continuing resolutions have typically capped IT contracts at the previous year’s level, meaning funding for new contracts will be difficult to find, Hodgkins said.

IT contractors need to work hard to drum up business during this time of lean budgets, added Donna Council, vice president of government with SmartProcure, which operates a national database of government purchasing history.

“During a government shutdown, or even when there is simply a looming possibility, you can expect a great deal of soul-searching regarding all existing contracts, not just IT,” she said in an email. “This is a time for hungry IT contractors to contact new potential government clients, and it’s also a time for those with current contracts to make sure they are providing the best possible value.”

Retrieved from Computer World