U.S. Privacy Watchdog Says NSA Spying Is ‘Valuable and Effective’

The National Security Administration (NSA) headquarters campus in Fort Meade, Maryland.

Image: Patrick Semansky/Associated Press

By Lorenzo Franceschi-Bicchierai, 2014-07-02 17:00:30 UTC

The NSA Internet spying programs, including PRISM, have been "valuable and effective" in protecting the United States, according to a new report by a U.S. independent government privacy watchdog published on Wednesday.

The bipartisan Privacy and Civil Liberties Oversight Board (PCLOB) found that the NSA's collection of Internet data is in line with the Constitution and has been key to disrupting terrorist attacks in the U.S. and abroad. The 191-page report focused on Section 702 of the FISA Amendments Act of 2008, the legal basis for NSA's PRISM and other Internet surveillance programs designed to vacuum up large amounts of Internet-based communications.

The report, which focused on the programs' effectiveness and whether they strike a balance between protecting American national security and honoring citizens' civil liberties, can be considered a win for the NSA and the intelligence community. In January, another report by the PCLOB found that the NSA bulk phone metadata collection program, used to collect the phone records of virtually all Americans, was illegal and had a "minimal" impact on stopping terrorism.

PRISM and the other Internet surveillance programs, on the other hand, had some impact, according to the report. In 20 cases, Internet surveillance "was used in support of an already existing counterterrorism investigation," while in another 30 cases, the surveillance "was the initial catalyst that identified previously unknown terrorist operatives and/or plots."

In the past, the NSA claimed its Internet surveillance programs had helped foil more than 50 terrorist attacks. This claim was debunked in January by another independent study, this one by the New America Foundation.

The board, which comprises five members appointed by President Barack Obama, found that, in general, the programs have "reasonable" safeguards to protect Americans' privacy rights, but some elements push the surveillance "close to the line of constitutional reasonableness." In particular, the board was concerned about the amount of Americans' data these programs collect "incidentally" and about the rules that allow the NSA and the CIA to search through that data.

Privacy and civil liberties advocates criticized the report, saying it failed to address the NSA's warrantless wiretapping of Internet communications.


Microsoft Reveals Tougher Email Encryption After Google Remarks

July 1, 2014

Peter Suciu for redOrbit.com Your Universe Online

Last month Google Inc. called out rival email providers for not providing enough encryption for their respective users' email accounts. Some of those rivals apparently took notice and quickly addressed the issue. On Tuesday Cnet reported that Microsoft unveiled tougher encryption standards for its web-based email and some cloud services.

Google's latest transparency report suggested that less than 50 percent of emails received by Google users through its Gmail service from Microsoft's Hotmail, Live and MSN were in fact encrypted. Now Microsoft is implementing a series of changes that will provide better protection from potential prying eyes. Microsoft's email services Outlook.com, Hotmail.com, Live.com and MSN.com are now secured via Transport Layer Security (TLS) protections, which is meant to ensure that communications through these web-based services are safe and secure.

"We are in the midst of a comprehensive engineering effort to strengthen encryption across our networks and services," Matt Thomlinson, vice president for trustworthy computing security at Microsoft, wrote in a blog post on Tuesday. "Our goal is to provide even greater protection for data across all the great Microsoft services you use and depend on every day. This effort also helps us reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data."

Thomlinson noted that TLS encryption will be applied to both inbound and outbound email, so that a message is encrypted and better protected as it travels between Microsoft and other email providers.

There is a catch, however.

"Of course, this requires their email service provider to also have TLS support," Thomlinson added.

Cnet's Seth Rosenblatt reported that Comcast and Microsoft are already in the process of implementing TLS for their webmail services.

Outlook.com users will further get an extra level of security, as Microsoft announced that it has also enabled Perfect Forward Secrecy (PFS) encryption support for both sending and receiving of email between providers. This also utilizes a different encryption key for every connection, which the software giant claimed would make it more difficult for attackers to decrypt connections.


Microsoft Boosts Outlook.com, OneDrive Encryption

Microsoft has boosted encryption for Outlook.com and OneDrive.

Several months after pledging to beef up encryption across its services, Microsoft today announced some new security protections for Outlook.com and OneDrive.

Redmond has rolled out Transport Layer Security (TLS) on Outlook.com for inbound and outbound email. "This means that when you send an email to someone, your email is encrypted and thus better protected as it travels between Microsoft and other email providers," Microsoft said, provided the recipient's email service also has TLS support.

Microsoft said it coordinated with several international providers - like Deutsche Telekom, Yandex, and Mail.Ru - over the last six months to make sure its solution worked.

The company is also rolling out Perfect Forward Secrecy (PFS) for Outlook.com and OneDrive. "Forward secrecy uses a different encryption key for every connection, making it more difficult for attackers to decrypt connections," said Matt Thomlinson, vice president of Trustworthy Computing Security at Microsoft.
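Both Microsoft articles above hinge on two checkable properties: provider-to-provider TLS only happens if the receiving mail server advertises STARTTLS, and "a different key for every connection" means the negotiated suite uses an ephemeral (EC)DHE key exchange. The following is an added example (not code from the articles or from Microsoft) of how a mail administrator could verify both for a peer provider; the host name is a placeholder and the sample EHLO reply is constructed.

```python
import re
import smtplib
import ssl

# Added example, not from the article or Microsoft. Checks the two properties the
# article describes: STARTTLS offered by the receiving MX, and a forward-secret
# (ephemeral key exchange) cipher suite actually negotiated.

def parse_ehlo_extensions(ehlo_reply: bytes) -> set:
    """Return upper-cased extension keywords from a raw multi-line EHLO reply."""
    exts = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines()[1:]:
        # Continuation lines look like "250-STARTTLS" or "250 SIZE 35882577".
        m = re.match(r"250[ -](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts

def is_forward_secret(cipher_name: str) -> bool:
    """True if the suite name implies an ephemeral (EC)DHE key exchange."""
    name = cipher_name.upper()
    if name.startswith("TLS_"):            # TLS 1.3 suites are always ephemeral
        return True
    # OpenSSL-style TLS 1.2 names: ECDHE-... or DHE-... are ephemeral;
    # plain RSA key transport (e.g. AES256-SHA) and static (EC)DH are not.
    return "ECDHE" in name or "DHE-" in name

def assess(extensions: set, cipher_name) -> dict:
    """Summarise the posture: is TLS offered, and is the session forward secret?"""
    starttls = "STARTTLS" in extensions
    fs = bool(starttls and cipher_name and is_forward_secret(cipher_name))
    return {"starttls_offered": starttls, "forward_secret": fs}

def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check (needs network): EHLO, STARTTLS if offered, read the suite."""
    cipher = None
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        exts = {k.upper() for k in smtp.esmtp_features}   # smtplib parses EHLO
        if "STARTTLS" in exts:
            smtp.starttls(context=ssl.create_default_context())
            cipher = smtp.sock.cipher()[0]   # e.g. "TLS_AES_256_GCM_SHA384"
    return assess(exts, cipher)

if __name__ == "__main__":
    # Constructed sample reply, as captured from a manual SMTP session.
    sample = b"250-mx.example.test\r\n250-STARTTLS\r\n250 SIZE 35882577\r\n"
    print(assess(parse_ehlo_extensions(sample), "ECDHE-RSA-AES128-GCM-SHA256"))
    # probe_mx("mx.example.test")  # placeholder host; uncomment for a live probe
```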

PFS, which Twitter rolled out last year, will be on by default for those who access OneDrive via onedrive.live.com, the OneDrive app, and Microsoft's sync clients.

Other security upgrades made over the past few months, meanwhile, include enhanced message encryption in Office 365 and ExpressRoute for Azure, which enables businesses to create private connections between Azure data centers and infrastructure on their premises or in a co-location environment.

Microsoft's push for enhanced security came in the wake of the Edward Snowden leaks, and accusations that the National Security Agency (NSA) was spying on data traveling between the data centers of top companies like Google and Yahoo, which has also rolled out more robust encryption.


Open source in local government, and other unicorns

Oligopolies are unhealthy. When a small number of firms dominates a market, customers are left with a dearth of choice, and in the worst cases the dominant firms collude to raise prices.

And oligopoly describes fairly accurately the situation regarding software procurement within UK government. In fact, when it comes to office software, monopoly might be a more appropriate description: it's basically Microsoft or Microsoft. It's estimated that UK government departments have spent over 200m of public money on Microsoft Office applications since 2010.

Cabinet Office Minister Francis Maude admitted earlier this year: "The software we use in government is still supplied by just a few large companies. A tiny oligopoly dominates the marketplace."

And Microsoft's dominance of Whitehall appears at first glance to be reflected in local government too. When Computing spoke to Jos Creese, CIO of Hampshire County Council, and holder of one of the largest IT budgets in local government according to one inside source, he explained that Microsoft works out cheaper than open source alternatives.

"We use Microsoft [for our desktops]," said Creese. "Each time we've looked at open source for desktop and costed it out, Microsoft has proved cheaper."

He explained that this is because most staff are already familiar with Microsoft products, and that they work well with the thin client model employed at Hampshire council. But it's also partly down to Microsoft itself.

"Microsoft has been flexible and helpful in the way we apply their products to improve the operation of our frontline services, and this helps to de-risk ongoing cost. The point is that the true cost is in the total cost of ownership and exploitation, not just the licence cost."

And Creese isn't alone in his attachment to Microsoft. Alan Shields, architect team manager at Cambridgeshire County Council, says: "It is incredibly difficult to get away from the stranglehold of Microsoft products, and we are planning to reinforce this by entering into an Enterprise Agreement with Microsoft later this year."

Similarly, you won't find much open source running in the offices of the Royal Borough of Windsor & Maidenhead council. Rocco Labellarte, the organisation's CIO, explains that a trial of the productivity software suite Open Office was ultimately unsuccessful as it wasn't sufficiently compatible with other tools.

And other open source software was dismissed for different reasons.


Security of open source in a post-Heartbleed world

The open source horse has bolted and organisations must scrutinise their network security to ensure the use of such software doesn't put data at risk.

That was the consensus of IT leaders speaking at Computing's Enterprise Security and Risk Management Summit, which took place at the London Tower Bridge Hilton Hotel.

During a panel discussion on the subject of "Keeping up with the security threats of today: can you future-proof your business?", Computing editor Stuart Sumner asked whether the participants were more doubtful about the security of open source software in the post-Heartbleed world.

"I think it's horses for courses. Open source needs more scrutiny," said Barry Coatesworth, chief information security officer for New Look.

"There are pros and cons. But I think it boils down to what's the habitat, where's the business going, is it cost saving to use open source? So it's swings and roundabouts," he added.

Marc Lueck, director of global threat management at publishing company Pearson, continued with the horse theme, using it to suggest open source is already out there in the enterprise and that it's something that security personnel need to take into account when managing risks and networks.

"I'd add to that using a horse analogy; the stable door is open and the horse has bolted. We don't have the opportunity to change our minds now, we're using open source, that decision is made," he said. "We now need to figure out how to fix it, how to solve it, how to protect ourselves from decisions that have already been made."

However, Ashley Jelleyman, head of information assurance at BT, took the view that no matter what sort of software is being used, it still has to be properly evaluated for security.

"I think the real issue is not whether it's open source or closed source, it's actually about what you do with it and how you actually evaluate it to make sure it's fit for purpose. It's have we checked this through, are we watching what it's doing?" he said.

"One of the things we can look at - whether it's open source or closed source software - is whether it's doing things that are expected, it's about having an eye on not just the software but the whole network around it, its environment, to make sure you're not seeing shed loads of data disappearing out of your extranet for no good reason," Jelleyman added.


Tools catch security holes in open source code

Maria Korolov | July 2, 2014

Given its prevalence, open source code is virtually impossible to avoid, but the proper steps need to be taken to address its vulnerabilities.

This year has been the best of times and the worst of times for open source code and security.

On the one hand, the latest survey by Black Duck Software and North Bridge Venture Partners shows that 72 percent of industry professionals prefer open source software because it's more secure than proprietary solutions.

On the other hand, Heartbleed exposed a security flaw in the widely-used, open source OpenSSL encryption tool that affected more than half a million websites. Also this spring, TrueCrypt unexpectedly shut down, citing "unfixed security issues" on its SourceForge page, and a critical bug in Linux, GnuTLS, was finally exposed after having been undiscovered for more than 10 years.

Open source software is widely used in business in webservers running Linux and Apache, in databases, in the Android operating system, in code libraries used by enterprise developers, and embedded into commercial software packages.

Avoiding open source completely is not an option, but blindly trusting the open source community to fix all mistakes is also problematic.

One solution is to use automated code-scanning tools to scan code for known vulnerabilities and common programming errors. Fortunately, the automated tools are getting better every year.

Trust, but verify

Over the past few years, more than 5,000 security vulnerabilities have been found in open source code, according to the National Vulnerability Database.

Ideally, a company would check each of these vulnerabilities against the open source software packages it uses, plus against the open source software used inside commercial packages, and even against pieces of code that their own programmers copied off the Internet.
