10Fold – Security Never Sleeps – 91

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: DNI head James Clapper told a Washington audience Wednesday that the intelligence community is grappling with the “internet of things” — devices and appliances that can be wirelessly connected to the web and can provide access for hackers or foreign spies. Updates released by Cisco for the AsyncOS operating system powering the company’s Web Security Appliance (WSA) address several high severity denial-of-service (DoS) vulnerabilities. Researchers at MIT and Oxford University have shown that the location stamps on just a handful of Twitter posts can be enough to let even a low-tech snooper find out where you live and work. A senior lawmaker Wednesday hinted that nations not doing enough to stop ransomware groups from operating within their countries should be treated in the same way that the US treats countries that sponsor terror groups.

Clapper: My hearing aids needed security clearance – Publication: CNN – Reporter name: Nicole Gauette

The intelligence community is trying to figure out how it should operate on a wireless basis, Clapper said, in ways that are secure. It’s a particular challenge “in terms of dealing with millennials who are quite used to that,” he added. “We’re trying to come up with a policy on this, some governance that is consistent across the enterprise, that at the same time will allow for latitude for technology to change — because it will,” he said. The country’s top intelligence official said that as the internet of things grows more common, the 10.3 billion end points now in existence are expected to mushroom to 29.5 billion by 2020 in an industry that will be worth $1.7 trillion.


Cisco Patches Serious Flaws in Web Security Appliance – Publication: SecurityWeek – Reporter name: Eduard Kovacs

One of the vulnerabilities (CVE-2016-1380) is caused by the lack of proper input validation for packets in an HTTP POST request. A remote, unauthenticated attacker can cause the appliance to reload by sending it a specially crafted HTTP POST request. The second security hole (CVE-2016-1383) is related to how the operating system handles certain HTTP response code. An unauthenticated attacker can remotely cause a DoS condition by sending a specially crafted HTTP request to the targeted device, causing it to run out of memory.


Got privacy? If you use Twitter or a smartphone, maybe not so much – Publication: CIO – Reporter name: Katherine Noyes

The researchers set out to fill what they consider knowledge gaps within the National Security Agency’s current phone metadata program. Currently, U.S. law gives more privacy protections to call content and makes it easier for government agencies to obtain metadata, in part because policymakers assume that it shouldn’t be possible to infer specific sensitive details about people based on metadata alone. This study, reported in the Proceedings of the National Academy of Sciences, suggests otherwise. Preliminary versions of the work have already played a role in federal surveillance policy debates and have been cited in litigation filings and letters to legislators in both the U.S. and abroad.


Time To Treat Sponsors Of Ransomware Campaigns As Terrorists, Lawmaker Says – Publication: Dark Reading – Reporter name: Jai Vijayan

Richard Downing, deputy attorney general at the US Department of Justice and one of the witnesses at the hearing, characterized the scope of the ransomware problem as “staggering.” One of his recommendations is for Congress to enact legislation that will close loopholes in existing laws and make it easier for FBI and law enforcement in general to pursue and prosecute those involved in ransomware schemes. Current statutes such as the Computer Fraud and Abuse Act (CFAA) already make it a crime for people to create botnets by breaking into computers or using a botnet to carry out ransomware attacks. But the law is less clear on the implications for people who might be renting or selling a botnet but are not actually using it, he said.