Encryption , Privacy , Risk Management

Silicon Valley: Crypto Debate Continues Highlights from ISMG's San Francisco Fraud and Breach Prevention Summit Mathew J. Schwartz (euroinfosec) • March 25, 2016    

Despite the recent move to put the FBI-obtained court order against Apple on hold, the crypto debate is far from over. So said a panel of experts at Information Security Media Group's Fraud and Breach Prevention Summit, held March 22-23 in San Francisco (see Feds Obtain Delay in Apple Hearing).

See Also: Rethinking Endpoint Security

Sessions at the summit focused on a number of topics, ranging from the fight against malware and fraud to new trends in spotting and stopping network intrusions and data exfiltration.

But one of the hottest sessions was the closing panel on the Apple versus FBI debate, which I moderated. The discussion didn't seem blunted at all by Judge Shari Pym granting a Department of Justice request to delay - and potentially dismiss - her order for Apple to assist the FBI in unlocking an iPhone 5C issued to San Bernardino shooter Syed Rizwan Farook. Federal officials requested the delay because the FBI says it may have found a way to unlock the phone without Apple's assistance.

Supervisory Special Agent Elvis Chan, who's part of the FBI's San Francisco division, emphasized early in the panel how his bureau training began: by literally swearing to uphold the Constitution, including Fourth Amendment protections against "unreasonable searches and seizures." Speaking as a front-line investigator, he noted that complex, cybercrime-related search warrants may take months to complete. And he said it was in everyone's interest to know what type of information can - or cannot - be the subject of a search warrant or court order so that agents can follow the rules as well as focus their energy appropriately. "We're human beings, we're not Big Brother," he said.

Similarly, Scott Swantner, director for global security at Western Union Digital Ventures, urged greater cooperation between the private sector and law enforcement agencies, for example, via the FBI's InfraGard. Swantner, who until recently was a U.S. Secret Service agent, also spoke of investigators' frustration when faced with encrypted data during the course of an investigation and worried about the hit to productivity if more and more data was to become encrypted.

'Extraordinary Access' Problems

In contrast to the investigators' experience, attorney Mark Mao, a Troutman Sanders partner who co-chairs the firm's data privacy practice, said that related crime-fighting crypto proposals offered by FBI Director James Comey and some members of Congress involve seeking a backdoor - a.k.a. "extraordinary access" capability - or else keeping copies of cryptographic keys, via what's known as key escrow, which would be obtainable with a warrant.

But Mao said that so-called backdoors create vulnerabilities that anyone could - and likely would - target. In a nutshell, that's because cryptography works by multiplying together two incredibly large prime numbers, he said. Using less-long numbers to make a cryptographic key easier to crack for law enforcement agencies would mean it would be just as easy for cybercriminals to crack, thus imperiling communications, intellectual property, as well as e-commerce and banking transactions. Meanwhile, key escrow, many panelists agreed, would great a "single point of failure" that attackers would obviously target.

Backdoors could also be bad for the U.S. technology sector, panelists warned. Representing Silicon Valley, Jim Pflaging, the global lead for the technology sector and business strategy practice at the Chertoff Group, referenced an encryption white paper his firm released in time for this year's RSA Conference. The paper concludes "that an extraordinary access requirement is likely to have a negative impact on technological development, the United States' international standing, and the competitiveness of the U.S. economy and will have adverse long-term effects on the security, privacy and civil liberties of citizens" (see Crypto Review: Backdoors Won't Help).

Panel participants also discussed the question of whether a court could order Apple to create a special, backdoored version of iOS - dubbed FBiOS by some - that would allow it to get access to any device. But panelist Joseph Burton, a partner at the law firm Duane Morris who specializes in information security law, said there was no legal precedent for the U.S. government being able to force a technology company to write code of the government's choosing, whatever the time or cost involved. He added that attempting to do so would, in fact, seem to violate the 1994 Communications Assistance for Law Enforcement Act, known as CALEA (see Apple Accuses DOJ of Constitutional, Technical Ignorance).

'Going Dark' Alarmism

Everyone on the panel agreed that U.S. firms want to help U.S. law enforcement agencies stop bad guys. But Mao said that the debate needs to be framed in a different way. Indeed, many panelists noted that the "going dark" alarmism about terrorist risks advanced by some law enforcement agency chiefs isn't conducive to fostering a closer working relationship between private businesses and law enforcement agencies.

"There's been lots of focus on what Apple won't do, and what the technology community doesn't want to do," Chertoff Group's Pflaging told me following the panel. But the more constructive approach, he argued, would be to ask of industry: "What can they do?"

While the Justice Department may no longer attempt to force Apple to help it bypass security features built into one of its devices, the related questions still remain unanswered, the panelists agreed (see Legal Issues Persist as FBI Backs Off in iPhone Case).

"It's disappointing that the can has been kicked down the road," the FBI's Chan said.

Cybersecurity , Risk Management

GAO: Taxpayer Data 'Unnecessarily Vulnerable' to Inappropriate Use Eric Chabrow (GovInfoSecurity) • March 28, 2016     IRS Commissioner John Koskinen: Agency is vulnerable to cyberattacks.

The Internal Revenue Service continues to struggle to implement proper security controls to protect taxpayers' data, a new audit from the Government Accountability Office reveals.

See Also: Rethinking Endpoint Security

Until the IRS takes appropriate steps to resolve control deficiencies, taxpayer data will remain "unnecessarily vulnerable" to inappropriate use, says Gregory Wilshusen, GAO director of information security issues and co-author of the audit report, which was published March 28.

The audit uncovered IRS's failure to perform comprehensive tests and evaluations of its information security controls. "This is vitally important because this control helps IRS to identify vulnerabilities that they can take action on," Wilshusen says. "But in comparing our test and the result from our procedures, we found a number of vulnerabilities to IRS systems that IRS did not identify and was unaware of."

Some Signs of Progress

GAO acknowledges in the audit that the IRS has made progress in restricting access privileges for key financial applications and expanding multifactor authentication across the agency, a point IRS Commissioner John Koskinen accentuated in his written response to the report.

"The security and privacy of all taxpayer information is of the utmost importance to us, and the integrity of our financial systems continues to be sound," Koskinen says. The IRS chief says GAO recommendations in the latest audit "provided more specificity" than earlier reports; GAO sent 44 recommendations to the IRS in a private addendum to the audit. "While the increased level of detail has likely resulted in more recommendations, it will allow the IRS to better address cybersecurity risk," Koskinen says.

Auditors note, however, that the tax-collection agency has not fully implemented unique user identification and authentication that complies with a presidential directive.

The GAO report also notes that as the IRS expands the use of encryption, weak cryptography controls persist. GAO says it identified 11 systems that had not been configured to encrypt sensitive user authentication data. Such failures, the auditors say, increased the risk that unauthorized individuals could view and then use the data to gain unwarranted access to its system or sensitive information.

Koskinen concedes IRS information systems are vulnerable to attack. "We have to recognize that this is going to be an ongoing problem," Koskinen testified at a Feb. 10 Senate Financial Services Committee hearing, adding that IRS systems are attacked or pinged 1 million times a day (see Tax Commissioner Expects More IRS Cyberattacks). "The caliber of the enemy we are facing is increasingly more sophisticated and more global. We're dealing with organized crime syndicates all around the world."

Recent IRS Security Issues

Earlier this month, the IRS said it was temporarily deactivating an online security feature after it discovered that it was being abused by identity thieves attempting to profit from tax return fraud. The IRS said it had discovered and blocked at least 800 cases that appear to involve criminals who were able to obtain legitimate identity protection PINs tied to tax filers' accounts, and it warned that it's facing up to 130,000 fraudulent returns (see IRS Disables Hacked PIN Tool).

The IRS also recently revised upward the number of accounts victimized in its Get Transcript breach, originally discovered last May, with the tax agency saying the personal information from as many as 724,000 taxpayers' accounts may have been stolen (see IRS Doubles Number of Get Transcript Victims). At first, the IRS believed that 114,000 accounts had been breached (see IRS: 100,000 Taxpayer Accounts Breached). Then, last August, the IRS revised that tally to 334,000 accounts (see IRS: Hack Much Wider Than First Thought).

Past Weaknesses Not 'Effectively Corrected'

In its new audit, GAO says the IRS claimed it had corrected previously identified control weaknesses in 28 cases, but in nine of those instances, auditors determined they were not "effectively corrected."

GAO, in the audit, also points out weaknesses in IRS password controls. The auditors say the tax agency used passwords on a number of servers that could be easily guessed. On some servers, password expiration dates were not set. None of the 112 mainframe service accounts was configured to require a password change. As a result of these weaknesses, GAO says the IRS had reduced ability to control who was accessing its systems and data.

The audit also reveals that unpatched and outdated software exposed IRS to known vulnerabilities.

Wilshusen says some of the IRS's policies and procedures no longer reflected its current computing environment and systems security plans. "So, this increases the risk that the controls in place may not be appropriate, given the current environment."

Payments

Will the Fed Support a Cryptocurrency? Sizing Up the Role of Blockchain in Faster Payments Tracy Kitten (FraudBlogger) • March 28, 2016     Robert Schwentker, president, Blockchain University

Will the Federal Reserve support the use of cryptocurrency and related blockchain technology to push the movement to faster payments?

See Also: How to Measure & Communicate Return on Cybersecurity Investments

That was a hot topic at Information Security Media Group's Fraud and Data Breach Prevention Summit in San Francisco last week.

Summit speaker Robert Schwentker, co-founder and president of Blockchain University, raised eyebrows at the summit when he referred to a theoretical cryptocurrency called Fedcoin.

Proposed by David Andolfatto, vice president of the Federal Reserve Bank of St. Louis, Fedcoin would be a fixed-rate cryptocurrency issued by the Fed. Built on a bitcoin-like anonymous communal algorithm, Fedcoin could be used to facilitate faster payments in the U.S. via blockchain technology, the distributed database behind bitcoin and other cryptocurrencies.

"Fedcoin could offer a way for the Fed to move away from paper currency ... and there could be a real test of it in 2017," Schwenkter said.

Next month, the Fed will accept proposals for technologies that can help the U.S. market implement faster, near real-time payments. And some of those proposals likely will leverage blockchain technology.

But naysayers contend that blockchain could never support the volume of payments we have in the United States and that it's far from a cure-all for the many payments woes we face (Could Blockchain Play Broader Role in Payments?).

The Fed's View

Nevertheless, Jon Jeswald, vice president and payments strategy executive at the Federal Reserve Bank of San Francisco, noted during his summit presentation that the Fed is taking blockchain technology seriously. And he acknowledged that the Fed expects several proposals coming from the private sector for faster payments to be blockchain-based.

But he stopped short of saying the Fed supports the use of blockchain in the move to faster payments. "I won't say that we are leaning toward blockchain," Jeswald told me.

The Fed's Faster Payments Task Force is asking the private sector to submit technology proposals for review between April 1 and 15. The Fed will review these proposals to identify shortcomings and potential technology gaps that could prevent the U.S. from migrating to faster payments, Jeswald explains.

"The Fed is not going to promote one solution over another," he says "We just want to evaluate these solutions, so that we can identify gaps that we will publish in a report in March of next year."

I'll be covering all the latest developments in the move toward faster payments in the months to come.

EMV Shift and Chargebacks

EMV, not surprisingly, was another hot topic at our summit. The growth in chargebacks to merchants since the October 2015 EMV liability shift got quite a bit of attention.

David Matthews, general counsel of the National Restaurant Association, which represents more than 500,000 restaurants, grabbed attention when he contended that quick-serve restaurants have not yet been given realistic options for EMV deployment. That's because EMV chip transactions take too long and slow down the drive-thru line.

What's more, he said restaurants that don't yet accept EMV transactions have been getting hit with an exorbitant number of chargebacks for fraud since the October 2015 EMV liability shift date.

"Chargebacks started significantly increasing in October and November and they keep going up," Matthews said. "We don't feel like the banks are investigating these fraudulent charges [to determine if they are legitimately fraudulent or just consumers disputing charges] and instead are just putting everything back on the merchant."

Last year, Matthews said his association was not recommending that quick-serve restaurants and smaller restaurants and chains make the investment in EMV. That's because the association did not believe the expense associated with fraud would outweigh the expense of investing in EMV.

But given the number of chargebacks that are hitting the restaurant industry, Matthews said the NRA is second-guessing that recommendation. "These chargebacks were just much higher than what we ever expected."

I suspect the EMV transition will be an even hotter topic next month at our summit in Miami, where we are likely to learn more about how merchants plan to address the significant upticks in chargebacks they are seeing.

Litigation , Mobility , Privacy

Justice Department Won't Characterize Data Retrieved from Shooter's Smartphone Eric Chabrow (GovInfoSecurity) • March 28, 2016    

The FBI has successfully retrieved data off the iPhone used by one of the San Bernardino shooters and is withdrawing its motion to have a federal court order Apple to help the government unlock the phone, according to the Department of Justice (see: Feds Obtain Delay in Apple Hearing).

See Also: Secure, Agile Mobile Banking: Keeping Pace with Last Best User Experience

A federal law enforcement official, briefing reporters on March 28, said the FBI is reviewing the information on the phone, "consistent with standard investigatory procedures." He declined to characterize the information discovered on the iPhone.

But the law enforcement official, who requested anonymity, didn't rule out future court actions to compel technology companies to cooperate with law enforcement. "It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety, either with cooperation from relevant parties, or through the court system when cooperation fails," the law enforcement official said. "We will continue to pursue all available options for this mission, including seeking the cooperation of manufacturers and relying upon the creativity of both the public and private sectors."

The Apple-FBI dispute has resulted in a national debate that pitted the needs of law enforcement to gain access to data for a criminal investigation, voiced by FBI Director James Comey, against the security and privacy rights of users of technologies such as the iPhone, championed by Apple's CEO, Tim Cook, and many others in the IT sector (see FBI Versus Apple: A Lose-Lose Situation).

Retrieval Method Tailored for iPhone 5c

The law enforcement official would not describe how the iPhone was unlocked with the help of a third party, although he said the technique was designed specifically for an Apple iPhone 5c running iOS 9, the type of device used by Syed Rizwan Farook. In a Dec. 2 workplace rampage, Farook and his wife, Tashfeen Malik, shot and killed 14 of his coworkers at a San Bernardino County Department of Public Health event. Later that day, authorities recovered the iPhone after police killed Farook and Malik in a shootout. The official said it was premature to speculate whether the method used to unlock the iPhone in this case could be used on other smartphones.

The official said it's too early to decide whether the FBI would share the technique with Apple so it could patch the vulnerability in its iPhone 5c. "Right now, we're focused on the San Bernardino case," he said. "We can't comment on the possibility of future disclosures at this time."

Sharing Technique with Apple Urged

Andrew Crocker, a staff attorney for the advocacy group Electronic Frontier Foundation, says the FBI should disclose the technique with Apple, citing a recent revision in a government policy known as the Vulnerabilities Equities Process, or VEP. VEP establishes a process that allows the government to keep secret software vulnerabilities in national security matters, but encourages their dissemination in other instances. "If the FBI used a vulnerability to get into the iPhone in the San Bernardino case, the VEP must apply, meaning that there should be a very strong bias in favor of informing Apple of the vulnerability," Crocker writes in a blog. "That would allow Apple to fix the flaw and protect the security of all its users."

In a 2014 blog, following revelations that the National Security Agency had known about the Heartbleed vulnerability before it was made public, White House Cybersecurity Coordinator Michael Daniel unveiled an interagency process aimed to limit the government from keeping software bugs secret (see White House Policy on Disclosing Cyberflaws). The process, Daniel explained, "helps ensure that all of the pros and cons are properly considered and weighed. ... We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake."

Apple did not immediately reply to Information Security Media Group's request for comment.

The law enforcement official said he hopes this case doesn't preclude Apple and government authorities from cooperating in other cases.

Help Came from Outside Government

The law enforcement official said the FBI was aided in retrieving the data by a non-government organization but declined to say whether that organization was based in the United States. The Israeli newspaper Yedioth Ahronoth last week identified the Israeli mobile forensics software provider Cellebrite as the company coming to the bureau's rescue. Cellebrite declined to comment on the report.

On Feb. 16, a federal magistrate granted a motion by the Justice Department to compel Apple to help unlock Farook's iPhone, which was owned by the county government. A day later, Apple CEO Tim Cook blasted the order, saying the company would oppose it (see Apple Blasts Judge's iPhone Backdoor Order ).

Last week, the Justice Department filed a motion to delay ordering Apple to cooperate, revealing a third party had come forward to help it unlock the password-protected phone. The court delayed a hearing on the case to April 5. The government's March 28 filing seeks to end the case.

Watch for updates on this developing story

Cyber attackers are not just more sophisticated and more persistent than ever before. They also are greedier, says IBM Security's Limor Kessem, who shares insight on the latest fraud threats to UK banking institutions.

Kessem, a globally-respected cybersecurity evangelist for IBM Security, details how this greediness manifests in the latest attacks.

"There's an intense focus on the highest-value accounts at the banks [being targeted]," Kessem says. "Hefty bank accounts are so interesting now to cyber criminals that they monitor them in their botnet control panels. They literally can pull balances from the accounts directly to their dashboards, and then they filter out the top targets, and then apply a more advanced attack scenario against those accounts."

And it's not only high-value customers, but also high-profile bank executives who are being targeted, Kessem says.

Banking Trojans such as Dridex and web injections created by the Neverquest development team are predominant, and at their peak these exploits can attain up to 5,000 infections per day in the UK alone.

How are attackers reaching their victims? Through multiple vectors, which include website redirection attacks, ransomware and social engineering - the latter of which fuels many of the most successful fraud schemes.

"The human factor is becoming increasingly important everywhere," Kessem says, discussing how institutions can improve their defenses. "Educate your top customers; make sure that businesses are very well aware of the risks, and recommend new processes that will make it much harder for criminals to trick employees with something like business email compromise."

In an interview about top fraud threats to UK banking institutions, Kessem discusses:

The raw impact of malware-fueled fraud schemes; Specific observations of redirection attacks, ransomware and other schemes; What institutions can do to improve detection and response.

Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned speaker and a regular blogger on the cutting-edge IBM Security Intelligence blog. She comes to IBM from organizations such as RSA Security's research labs. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. She covers the full spectrum of digital crime trends affecting consumers, corporations and the financial industry as a whole.

Breach Response , Cybersecurity , Data Breach

Attorney Chris Pierson on How FTC Probes May Spur More Regulatory Oversight Tracy Kitten (FraudBlogger) • March 30, 2016    

Cybersecurity attorney Chris Pierson says recent Federal Trade Commission actions linked to data security and breach response could influence other governmental agencies.

See Also: CISO Discussion: Secure Code

The FTC has been imposing steeper penalties against companies that expose sensitive consumer information, such as payment card data. Plus, the commission recently requested that several qualified security assessors, or QSAs, provide details about the ways they assess compliance with the Payment Card Industry Data Security Standard (see Could FTC Play Bigger Role in Card Security?).

"What they're [the FTC] really trying to do is keep up with where things are heading," Pierson says during this video interview at Information Security Media Group's recent Fraud and Data Breach Summit in San Francisco.

In the interview, Pierson discusses:

How the FTC's actions could impact other government agencies, such as the FCC, which also has a keen interest in ensuring consumer privacy; Steps companies should take now to ensure they are prepared for FTC scrutiny.

Pierson is general counsel and CISO for invoicing and electronic payments provider Viewpost. He also serves on the Department of Homeland Security's Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee. Before joining Viewpost, Pierson served as the first chief privacy officer for the Royal Bank of Scotland's U.S. banking operations, where he oversaw RBS's privacy and data protection program. He also formerly served as a corporate attorney at the law firm Lewis and Roca, where he established the firm's cybersecurity practice.