2013/07/23

| 07.23.13 | Secret court renews NSA's snooping authority

Editor's Corner:
NSA snooping: Here we go again

What's New:
1. Secret court renews NSA's snooping authority
2. Cisco to pay $2.7 billion for network security firm Sourcefire
3. Apple admits to developers' website breach that caused outage
4. Attackers could steal payment credentials from mobile phones through SIM cards
5. U.K. government to probe Huawei security center in southern England

Spotlight:
ActiveX-based public key system opens Korean security 'black hole'


Also Noted:
Experts target iOS passcode bypass; The danger of open access to university IP; Much more...

News From The Fierce Network:
1. Cloud-based MDM market to reach $1.5 billion in 2018, says Analysys Mason
2. Q&A with John Marshall of AirWatch
3. China overtakes US as the largest cellular M2M market, says Informa

FierceITSecurity

July 23, 2013


Editor's Corner

NSA snooping: Here we go again

By Fred Donovan


Here we go again. The secret court that has been rubber stamping requests from the National Security Agency to throw massive dragnets over communications records of carriers and web firms has approved the extension of the U.S. government's surveillance authority past the July 19, 2013, expiration date (see related story).

No surprise there. The authority for the bulk collection of telephony metadata is granted by FISA's business records provision (Section 215), and Director of National Intelligence James Clapper argues that FISA surveillance is tightly limited.

"Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States," Clapper said in a statement last month responding to the public disclosure of collection under Section 702, a separate provision of FISA.

The problem is that the NSA surveillance is not confined to "non-U.S. persons located outside the United States," according to a secret order leaked by former intelligence contractor Edward Snowden. The order, the authenticity of which has not been disputed by the U.S. government, directs Verizon to hand over "all call detail records" on a daily basis for communications "wholly within the United States, including local calls." If that is not "intentionally" targeting U.S. citizens, then I don't know what surveillance would be.

Another argument put forward by the U.S. government is that the collection of this information has thwarted terrorist attacks. During the G-8 summit last month, President Obama said that "lives have been saved" by the "narrow" NSA surveillance program. He estimated that at least 50 threats had been thwarted by the program.

We will have to take the president's word for that, since the details are classified. Even if true, the U.S. Constitution does not allow the government to do whatever it deems necessary for national security. The Fourth Amendment was included in the Constitution because the British government decided that national security required the unannounced searches of homes, confiscation of guns and documents, and arrests of individuals suspected of engaging in rebellion.

To quote the Fourth Amendment in full: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

It would be hard to argue that the sweeping nature of the secret order targeting Verizon customers in the United States could pass muster under the Fourth Amendment. All of that information collection was done without the knowledge or consent of those customers and without having any particular individual or individuals in mind. And that is only one order out of hundreds, if not thousands, of similar orders approved by the secret court over the years.

National security has always been the "go to" excuse for governments riding roughshod over the rights of their citizens. This latest example by the U.S. government is no different. But like the Founding Fathers, sometimes people have to stand up and say, "No, we will not take this treatment any longer." - Fred


What's New

1. Secret court renews NSA's snooping authority

By Fred Donovan

The secret court set up to oversee the National Security Agency's snooping program has given the green light for the agency to continue its information dragnet.

The Office of the Director of National Intelligence confirmed on Friday that the Foreign Intelligence Surveillance Court had renewed the NSA's authority to collect "certain telephony metadata under the business records provision of the Foreign Intelligence Surveillance Act," an authority that had been due to expire on July 19, 2013.

"The DNI has decided to declassify and disclose publicly that the Government filed an application with the Foreign Intelligence Surveillance Court seeking renewal of the authority to collect telephony metadata in bulk, and that the Court renewed that authority," ODNI said in a release.

"The Administration is undertaking a careful and thorough review of whether and to what extent additional information or documents pertaining to this program may be declassified, consistent with the protection of national security," the release added.

The existence of the bulk telephony metadata program was first disclosed by former U.S. intelligence contractor Edward Snowden, who gave a copy of a FISC order to The Guardian newspaper in June. (PRISM, disclosed from the same leaks, is a separate collection program that operates under Section 702 of FISA rather than under the business records provision.) The secret order authorized the NSA to collect on a daily basis "all call detail records or 'telephony metadata' created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local calls." The order identified telephony metadata as "comprehensive communications routing information," such as session identifying information, trunk identifiers, telephone calling card numbers, and time and duration of calls.

In June, Director of National Intelligence James Clapper confirmed the existence of the collection programs. "Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States," he said in a statement on the Section 702 program.

Clapper also stressed that the "unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans," suggesting that the documents Snowden leaked were authentic.

The FISC order published by The Guardian shows how far the metadata program reaches inside the United States. It directs Verizon to supply telephony metadata for calls within the United States, including local calls, and it explicitly states that it "does not require Verizon to produce telephony metadata for communications wholly originating and terminating in foreign countries." Clapper's assurance about Section 702 targeting therefore does not describe this program, which runs under a different provision of FISA and, by the terms of the leaked order, collects records on purely domestic calls. The notion that the NSA surveillance "only involves foreigners located outside the United States" is contradicted by the order leaked by Snowden.

The renewal of NSA's authority under this program will no doubt fuel calls by civil liberties groups and others concerned about the privacy implications of the program to halt it or at least provide greater transparency about its operations.

For more:
- see the ODNI release
- read the leaked FISC order
- check out Clapper's statement

Related Articles:
US, China kick off cybersecurity talks amid more Snowden leaks
Spying could undermine European trust in U.S. cloud firms, warns EU official
Malware, and Breaches, and Snowden--Oh my!


2. Cisco to pay $2.7 billion for network security firm Sourcefire

By Fred Donovan

IT behemoth Cisco (NASDAQ: CSCO) announced Tuesday that it will pay $76 per share, for a total of $2.7 billion, to acquire network security firm Sourcefire.

The acquisition news fueled a 28 percent increase in Sourcefire's share price in morning trading on Tuesday, bringing the share price up close to the $76 per share Cisco agreed to pay.

The acquisition appears to fit in with Cisco's broader competitive philosophy: If you can't beat them, acquire them. Cisco has been losing market share in the network security market to the likes of Check Point Software Technologies, Fortinet, and Palo Alto Networks. 

According to figures from research firm IDC, Cisco saw its revenue in the security appliance market shrink by 5.9 percent year-over-year in the fourth quarter of 2012, while Check Point and Fortinet posted revenue increases that quarter. Other vendors that had strong quarters included Sourcefire, Blue Coat, Palo Alto Networks, Barracuda, and Dell SonicWall.

In the highly competitive and fluid security market, Intel's (NASDAQ: INTC) McAfee also recently made a major acquisition move, buying up Stonesoft, a Finnish next-generation firewall firm, for $389 million in cash.

Cisco has been on a buying spree this year. Recent Cisco acquisitions include data virtualization firm Composite Software; software firm JouleX; mobility firm Ubiquisys; cloud services firm SolveDirect; network security firm Cognitive Security; and networking firm Intucell.

For more:
- see Cisco's release 
- check out IDC's figures

Related Articles:
Intel's McAfee ponies up $389M in cash for next-generation firewall firm
Enterprises turn to DDoS prevention appliances to fend off increasing number of attacks
McAfee completes acquisition of Finnish firewall firm Stonesoft



3. Apple admits to developers' website breach that caused outage

By Fred Donovan

An "intruder" may have broken into Apple's developer website and stolen the names, business mailing addresses, and email addresses of registered developers, according to an email sent by the company to developers on Sunday, July 21.

The email, obtained by Macworld, said the incident prompted Apple to take the site down to investigate and to put additional security measures in place.

Apple stressed that personal information was encrypted and could not be accessed.

"In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database," an Apple spokesperson wrote.

No customer information was compromised, Apple told MacWorld.

Security researcher Ibrahim Balic said in a comment to a TechCrunch story about the breach that he was the one responsible for hacking into the developer site. He said he did not do it to cause "harm or damage," but "to report bugs" and collect data to demonstrate the security vulnerability to Apple. Balic said he was able to obtain details on more than 100,000 users of the developers' site by exploiting the security holes he discovered.

Lysa Myers of Mac Security Blog blamed Apple for taking too long to disclose the "breach," and then using inflammatory language in its email to developers, such as "intruder." At the same time, Balic disclosed information on some of the Apple developers in a video describing his security testing.

"This story is full of missteps on both sides: Apple did take their site down within a few hours of the report of the breach, but they waited several days to announce it to developers. Balic may have quietly, responsibly, disclosed the vulnerabilities to Apple, but then he effectively doxed the developers whose information he stumbled upon," Myers wrote.

This could end up being a tempest in a teapot. Perhaps if Apple had responded to Balic's bug reports more quickly and had disclosed the issue to developers when it happened, all of this could have been avoided.

For more:
- see Macworld story with Apple letter
- check out Balic's comment to the TechCrunch report
- read the Mac Security Blog story

Related Articles:
Spotlight: New Mac spyware uses old disguise
'Dramatic increase' in Apple phishing emails, warns Kaspersky Lab
Hackers could exploit security bugs in QuickTime, Apple warns



4. Attackers could steal payment credentials from mobile phones through SIM cards

By Fred Donovan

Attackers could gain access to millions of mobile phones through a security flaw in their SIM cards and steal payment credentials, warned Karsten Nohl, a security researcher at Security Research Labs.

If hackers could commandeer the SIM cards, they could impersonate the mobile phone users and use the payment credentials to make purchases, Nohl wrote.

He added that attackers could reach the SIM cards through over-the-air updates, which are delivered as binary SMS messages protected by cryptographic keys stored on the card. Many SIMs still rely on the 1970s-era DES cipher for that protection, and its 56-bit key is far too short to resist brute force on modern hardware.

"DES keys were shown to be crackable within days using FPGA clusters, but they can also be recovered much faster by leveraging rainbow tables similar to those that made GSM's A5/1 cipher breakable by anyone," Nohl related.

To get the DES key, an attacker sends a binary SMS to a target SIM card. In many cases the SIM responds to the unauthorized command with an error message that carries a cryptographic signature computed under the same DES key. Because the attacker knows the content that was signed, this is a known-plaintext pair, and a rainbow table (a precomputed lookup table that trades storage for cracking time) recovers the 56-bit key from the signature in about two minutes on a standard computer, Nohl explained.

Once the key is obtained, the hacker sends a properly signed binary SMS, which downloads Java applets onto the SIM card. "Applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse," he wrote.

Nohl told the New York Times that he tested around 1,000 SIM cards on mobile phones in Europe and North America over a two-year period. About one-quarter of those SIM cards with the older encryption were vulnerable. He estimated that around 750 million cell phones could be at risk to hacking through this method.

Before going public, Nohl provided his research to the GSMA mobile phone trade association. "We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted," Claire Cranton, a spokeswoman for the association, told the newspaper. She added that it was likely only a minority of phones using the older standard "could be vulnerable."
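The OTA command format that the attack above abuses, as an added example that is not part of the original article or of Security Research Labs' tooling: a Python decoder for the security header of a GSM 03.48 command packet that flags the combination the attack needs, a single-DES integrity key together with a proof of receipt (PoR) that the SIM signs under that key. The field layout is taken from ETSI TS 03.48 section 5.1 as I read it, the sample packets are constructed rather than captured, and the names `build_packet`, `parse_ota_header` and `weak_config_findings` are chosen here, not taken from any standard or tool.

```python
"""Decode the security header of a GSM 03.48 over-the-air (OTA) command
packet and flag the configuration Nohl's attack depends on: a cryptographic
checksum keyed with single DES, plus a proof of receipt (PoR) that the SIM
itself signs with that key.

Added example. The field layout follows ETSI TS 03.48 section 5.1 as read by
the author of this note; the packets built at the bottom are constructed
test input, not captures from a real network.
"""

from dataclasses import dataclass

# KIc/KID: b2b1 select the algorithm family; for DES, b4b3 select the mode;
# b8..b5 select the key set held on the card.
_ALG = {0b00: "implicit", 0b01: "DES", 0b10: "reserved", 0b11: "proprietary"}
_KIC_DES_MODE = {0b00: "DES-CBC", 0b01: "3DES-2key", 0b10: "3DES-3key", 0b11: "DES-ECB"}
_KID_DES_MODE = {0b00: "DES-CBC", 0b01: "3DES-2key", 0b10: "3DES-3key", 0b11: "reserved"}
_INTEGRITY = {0b00: "none", 0b01: "RC", 0b10: "CC", 0b11: "DS"}
_POR = {0b00: "never", 0b01: "always", 0b10: "on-error", 0b11: "reserved"}
SINGLE_DES = {"DES-CBC", "DES-ECB"}


def _alg_name(byte: int, des_modes: dict) -> str:
    family = _ALG[byte & 0b11]
    return des_modes[(byte >> 2) & 0b11] if family == "DES" else family


@dataclass
class OtaHeader:
    spi_integrity: str   # RC/CC/DS applied to the command packet
    spi_ciphered: bool
    counter_mode: int    # 0 none, 1 unchecked, 2 cntr > RE, 3 cntr == RE+1
    por: str             # when the SIM sends a proof of receipt
    por_integrity: str   # RC/CC/DS applied to the PoR
    por_ciphered: bool
    kic: str             # ciphering algorithm
    kid: str             # RC/CC/DS algorithm
    kid_keyset: int
    tar: bytes           # toolkit application reference
    counter: int
    cc_len: int          # length of the RC/CC/DS field


def parse_ota_header(pkt: bytes) -> OtaHeader:
    """Parse CPL(2) CHL(1) SPI(2) KIc KID TAR(3) CNTR(5) PCNTR RC/CC/DS(n)."""
    if len(pkt) < 16:
        raise ValueError("too short for a 03.48 command header")
    cpl = int.from_bytes(pkt[0:2], "big")
    chl = pkt[2]
    # CPL counts everything after itself; CHL counts SPI..RC/CC/DS (13 bytes minimum).
    if cpl != len(pkt) - 2 or chl < 13 or 3 + chl > len(pkt):
        raise ValueError("length fields inconsistent with packet size")
    spi1, spi2, kic, kid = pkt[3], pkt[4], pkt[5], pkt[6]
    return OtaHeader(
        spi_integrity=_INTEGRITY[spi1 & 0b11],
        spi_ciphered=bool(spi1 & 0b100),
        counter_mode=(spi1 >> 3) & 0b11,
        por=_POR[spi2 & 0b11],
        por_integrity=_INTEGRITY[(spi2 >> 2) & 0b11],
        por_ciphered=bool(spi2 & 0b10000),
        kic=_alg_name(kic, _KIC_DES_MODE),
        kid=_alg_name(kid, _KID_DES_MODE),
        kid_keyset=kid >> 4,
        tar=bytes(pkt[7:10]),
        counter=int.from_bytes(pkt[10:15], "big"),
        cc_len=chl - 13,
    )


def weak_config_findings(h: OtaHeader) -> list:
    """Reasons this header lets an unauthenticated sender harvest a DES-signed
    known plaintext, the precondition for the rainbow-table key recovery."""
    findings = []
    if h.kid in SINGLE_DES and h.spi_integrity in ("CC", "DS"):
        findings.append("command integrity keyed with single DES (56-bit key)")
    if h.por != "never" and h.por_integrity in ("CC", "DS") and h.kid in SINGLE_DES:
        findings.append("SIM signs its proof of receipt under the same single-DES key: "
                        "a wrong-key command yields a known-plaintext/MAC pair")
    if h.spi_integrity == "none":
        findings.append("no RC/CC/DS on command: unauthenticated OTA commands accepted")
    return findings


def build_packet(spi1, spi2, kic, kid, tar=b"\x00\x00\x00", counter=0,
                 cc=bytes(8), data=b"\x00\x00") -> bytes:
    """Assemble a command packet from its security bytes (constructed test input)."""
    body = bytes([spi1, spi2, kic, kid]) + tar + counter.to_bytes(5, "big") + b"\x00" + cc + data
    chl = 2 + 1 + 1 + 3 + 5 + 1 + len(cc)
    return (len(body) + 1).to_bytes(2, "big") + bytes([chl]) + body


if __name__ == "__main__":
    # SPI 0x02 0x0A: CC on command, PoR on error with CC; KID 0x11: key set 1, single DES CBC.
    weak = build_packet(0x02, 0x0A, 0x00, 0x11)
    # KID 0x15: key set 1, two-key 3DES for the checksum.
    hardened = build_packet(0x02, 0x0A, 0x00, 0x15)
    for name, pkt in (("weak", weak), ("hardened", hardened)):
        print(name, weak_config_findings(parse_ota_header(pkt)))
```

The decoder does not verify the checksum itself, since that requires the card's key; it only reports whether the header advertises a configuration in which an error reply would hand an attacker DES-signed material. Switching the KID byte from `0x11` to `0x15` (two-key 3DES) is enough for the hardened packet to pass clean.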

For more:
- see Nohl's blog
- read the New York Times article

Related Articles:
Cheaper prices, improved efficiency fueling enterprise M2M adoption
Spotlight: Embedded SIM technology to spur mobile vehicle connectivity
Current Analysis: M2M security worries mount as enterprise usage grows



5. U.K. government to probe Huawei security center in southern England

By Fred Donovan

Under pressure from Parliament, the U.K. government has launched a probe into a center set up by Chinese telecom gear maker Huawei in southern England to test the security of its telecom gear before it is deployed into the U.K. critical national infrastructure.

The parliamentary intelligence and security committee (ISC) raised a red flag in June about Huawei's relationship with the national carrier BT and the role Huawei plays in supplying equipment to key telecom infrastructure projects. Huawei's commercial relationship with BT dates back to 2003.

Concern has been expressed in the United States and Australia that Huawei, which was set up by a former People's Liberation Army officer, has retained its ties with the Chinese government and agreed to provide backdoors into its equipment to enable the government to conduct cyberespionage. The company and Chinese government have consistently denied these accusations.

The committee expressed concern that the center, which is intended to examine Huawei equipment to ensure it does not contain any security holes, was set up and is run by Huawei. In addition, use of the center by U.K. firms that purchase Huawei gear is voluntary.

In response, the U.K. government said the country's national security advisor would conduct a review of the center's operations and report to the prime minister later this year.

At the same time, the government defended the current process for reviewing Huawei's telecom equipment.

"Our work with Huawei and their UK customers gives us confidence that the networks in the UK that use Huawei equipment are operated to a high standard of security and integrity," the government's response stressed.

In a statement quoted by The Guardian newspaper, Huawei said that it "shares the same goal as the UK government and the ISC in raising the standards of cyber security in the UK and ensuring that network technology benefits UK consumers."

For more:
- see the parliamentary committee's report 
- check out the U.K. government's response 
- read The Guardian article

Related Articles: 
US, China kick off cybersecurity talks amid more Snowden leaks 
DoJ clears Softbank's acquisition of Sprint 
Senators ask US agencies to consider security risk of Softbank purchase of Sprint



Also Noted

TODAY'S SPOTLIGHT... ActiveX-based public key system opens Korean security 'black hole'

Microsoft's (NASDAQ: MSFT) ActiveX and Korea's public key system have combined to create a huge cybersecurity hole, resulting in massive personal data theft, according to the Korea Herald newspaper. "ActiveX is a program that momentarily disarms the computer to download codes from an outside source, which can be abused by hackers seeking to plant malicious codes," explained Lee Min-hwa, a professor at Korean public research university KAIST. ActiveX controls are native code that Internet Explorer runs with the full privileges of the logged-in user, so banking and e-government sites that require them train users to approve such installs and give a malicious control the same foothold. Lee warned that Korea's dependence on the ActiveX-based public key certificate system has created a security "black hole." Read more

> Security experts to help Apple eradicate iOS passcode bypass flaws. Blog (Mac Security Blog)
> Ubuntu Forums remain down after password breach. Blog (Threatpost)
> The danger of open access to university IP. Blog (Lumension)
> Fanbox spam turns into costly scam. Blog (All Spammed Up)
> ISO publishes security standards for energy utility industry. Blog (Digital Bond)

And Finally... Wait, don't tell me--It's 'Flipper', right? Article (Wired)



©2013 FierceMarkets, 1900 L Street NW, Suite 400, Washington, DC 20036, (202) 628-8778. Editor: Fred Donovan. Publisher: Ron Lichtinger.