Richard Clarke on gathering intel, WiFi malware, a peek at the 2014 DBIR, webcam image harvesting, and TrustyCon top this week's list of infosec-worthy reads.
Richard Clarke, chairman and CEO of Good Harbor and former US National Security Coordinator, gave his RSA keynote speech based on his time spent in the Review Group on Intelligence and Communications Technology last fall. Clarke claims that the NSA's ability to collect intelligence, "created the potential for a police surveillance state," making it vital to control the organization and prevent such an outcome. He added, however, that "the reason that other countries are secure is because of US intelligence and NSA".
Chameleon is a proof-of-concept malware, built by a Liverpool research team, that exploits structural weaknesses in wireless access points and the systems behind them while using a variety of tactics to avoid detection. The key point is where it propagates: the researchers report that "the code was able to successfully infect remote systems, since traditional security software looks for malware either on the host system or the Internet – not across a wireless link", which lets it reach other computers that are wirelessly linked to an infected router without host- or perimeter-based defences ever seeing the traffic. In the proof-of-concept run, Chameleon did not change how the AP worked, "but was able to collect and report the credentials of all other WiFi users who connected to it."
Verizon's soon-to-be-released 2014 Data Breach Investigations Report (DBIR) draws on breach data from a record 50 contributors, and very little of it is good news for businesses. The headline will surprise no one: in the contest between cybercrime and enterprise security, enterprises are on the losing side and continue to fall further behind against a relentless stream of attacks.
The UK's GCHQ has been accused by The Guardian of harvesting webcam images from Yahoo users through Operation Optic Nerve between 2008 and 2010. GCHQ's response was that its work was carried out within the confines of the law and was "authorized, necessary and proportionate." Sarb Sembhi, an analyst and director of consulting with Incoming Thought, believes the webcam program was "[blanket] harvesting without analysis" and that the operation's budget was most likely spent more on storing the data than on actually looking at it. Yahoo says it was not aware of the image harvesting and objects to the privacy violation.
A protest intended to raise awareness of the RSA-NSA controversy had little impact on attendance at the 2014 RSA Conference, but a "shadow conference" called TrustyCon ran next door and also sold out rapidly. RSA is still taking heavy criticism over the $10 million it was reported in 2013 to have received from the NSA, but most businesses and customers at the conference were chiefly concerned with improving their own security, and less so with the possibility that their vendors were undermining it. The protest did prompt senior executives from a number of security vendors to defend their companies against allegations of backdoors and of working with intelligence agencies.