
SPOTLIGHT ON SECURITY

No Wrongdoing at NCIS, Says Defense Watchdog

The U.S. Department of Defense’s Inspector General has rejected allegations that the Naval Criminal Investigative Service engaged in questionable domestic intelligence activity.

The finding concluded a DoD IG probe spurred by a March 2014 Washington Examiner report that alleged NCIS was facilitating information sharing among federal, state and local law enforcement agencies.

NCIS was making available to military intelligence agencies its Law Enforcement Information Exchange, a massive database of 506.3 million law enforcement records ranging from criminal histories and arrest reports to field information cards filled out by cops on the beat, even when no crime had occurred, the Examiner article alleged.

The data exchange raised concerns that military officials were crossing the line that generally separates their activities from civilian law enforcement, according to the paper.

However, the defense intelligence community and NCIS did not violate procedures governing the collection, retention and dissemination of information about U.S. citizens, wrote Anthony C. Thomas, deputy inspector general for intelligence and special program assessments, in a memorandum released earlier this month.

Unsubstantiated Allegations

Individuals using LInX or its companion database for defense department criminal records — the Law Enforcement Defense Data Exchange — do not have direct access to records in which they do not have record ownership, Thomas explained.

Access to complete records requires the record owner’s permission. “This is contrary to the initial reporting in the Washington Examiner,” he wrote.

Based on the DoD IG investigation, no intelligence components of the DoD intelligence agencies have direct access to LInX or LE D-DEx, or use these systems, Thomas said.

The Washington Examiner’s allegations that NCIS owns and maintains the databases, and that the databases contain many records of United States persons not affiliated with DoD, were correct, Thomas acknowledged.

However, “we have found that only Security/Law Enforcement entities of the DoD intelligence agencies are the users of LInX and LE D-DEx,” he said.

“As a result of our investigation and subsequent findings, allegations of a possible questionable intelligence activity are not substantiated,” Thomas wrote.

Although it was beyond the scope of the DoD IG probe, the question remains: why is all this information on U.S. civilians in the hands of a military entity in the first place?

“What we’ve learned about the intelligence agencies is [that] what the government represents to be the case has turned out not to be true,” observed Joel R. Reidenberg, founding academic director of the Center on Law and Information Policy at the Fordham University School of Law.

“The inspector general is determining as of now, the intelligence agencies aren’t accessing the database — but that tells us nothing about what will happen tomorrow,” he told TechNewsWorld.

“There’s no civilian oversight over the use of these databases,” Reidenberg continued. “If the Defense Department were to change its internal policies and start accessing this data two or three weeks from now, we wouldn’t know unless there’s another Snowden.”

Business of Cybercrime

Online criminals are using image downloads to create performance metrics for their malware, Proofpoint revealed last week, adding to mounting evidence that cybercrime has become more business-like in its operations.

The technique is ripped from the playbook of legitimate marketers.

“For many years, marketers have used either small images on Web pages or in emails — the classic 1-pixel image — to understand if someone viewed a Web page or opened an email,” said Kevin Epstein, vice president of advanced security and governance at Proofpoint.

“Image tracking is a well-understood and used phenomenon,” he told TechNewsWorld, “but I have to say this is the first time we’ve seen it used by malware.”

When a user is duped into downloading some malware programs, an image from a public image hosting service is downloaded as well. By keeping track of how many times an image is downloaded, bad actors can determine how many machines have downloaded their malware.

Trading Risk for Metrics

The black hats aren’t stopping there, though. Their malware downloads a second image when their malicious package is installed on a machine — a risky move, since it increases the bad app’s exposure.

“They’re trading stealth for tracking,” Epstein said.

“Their software is easier to detect because they’re making these additional calls and downloads, but it lets them track and see if people have activated the malware, and if the malware has successfully completed installation,” he explained.

“It’s a very new behavior, and it speaks to the motivation of attackers,” noted Epstein. “Cybercrime is a multitier business — and just like legitimate businesses, there’s competition. What you can charge for your product resides with how effective it is, so it helps if customers can be shown the efficacy of your malware compared to the next guy’s.”
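The two-stage beaconing Epstein describes (one image fetched at download time, a second at install time) is also the weakness he points to: the extra requests are visible on the wire. The script below is an added example of how a defender might hunt for it in proxy logs; it is not Proofpoint's detection logic. Its heuristic is an assumption: a browser rendering a page sends that page as the Referer when it loads an image, whereas a dropper pulling a tracking image straight after an executable download sends none. The log format, the client addresses, the image-hosting domain and the ten-minute window are all constructed for the example.

```python
"""Flag image fetches that look like malware install beacons.

Added example, not Proofpoint's detection logic. Heuristic (assumption):
a browser rendering a page sends that page as the Referer when it loads
an image, while a dropper that pulls a tracking image from a public
image host straight after an executable download sends none. We
therefore alert on a client that (1) downloads an executable and then
(2) fetches an image from a watched image-hosting domain with no Referer
within a short window.
"""
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log, one request per line:
# timestamp client method url status content-type referer ("-" = none)
SAMPLE_LOG = """\
2015-05-21T10:00:01 10.1.1.5 GET http://cdn.example.net/site/logo.png 200 image/png http://www.example.net/
2015-05-21T10:00:05 10.1.1.7 GET http://downloads.example.org/invoice_viewer.exe 200 application/x-msdownload -
2015-05-21T10:00:09 10.1.1.7 GET http://img.example-host.com/a1b2c3.gif 200 image/gif -
2015-05-21T10:02:30 10.1.1.7 GET http://img.example-host.com/d4e5f6.gif 200 image/gif -
2015-05-21T10:03:00 10.1.1.9 GET http://img.example-host.com/kitten.jpg 200 image/jpeg http://forum.example.com/thread/42
2015-05-21T10:05:00 10.1.1.5 GET http://downloads.example.org/setup.exe 200 application/x-msdownload -
2015-05-21T11:30:00 10.1.1.5 GET http://img.example-host.com/banner.png 200 image/png -
"""

# Assumed list of public image-hosting domains worth watching.
IMAGE_HOSTS = {"img.example-host.com"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
WINDOW = timedelta(minutes=10)  # how long after an .exe download a beacon still counts


def parse_line(line):
    ts, client, method, url, status, ctype, referer = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "url": url,
        "ctype": ctype,
        "referer": None if referer == "-" else referer,
    }


def is_executable(event):
    return (event["ctype"] in EXECUTABLE_TYPES
            or urlsplit(event["url"]).path.lower().endswith(".exe"))


def find_beacons(log_text, image_hosts=IMAGE_HOSTS, window=WINDOW):
    """Return (client, timestamp, url) for each suspected beacon fetch."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    last_exe = {}  # client -> time of its most recent executable download
    alerts = []
    for e in events:
        if is_executable(e):
            last_exe[e["client"]] = e["ts"]
            continue
        host = urlsplit(e["url"]).hostname
        if (host in image_hosts and e["ctype"].startswith("image/")
                and e["referer"] is None):
            exe_ts = last_exe.get(e["client"])
            if exe_ts is not None and e["ts"] - exe_ts <= window:
                alerts.append((e["client"], e["ts"].isoformat(), e["url"]))
    return alerts


def beacons_per_client(alerts):
    """Count suspected beacons per client; two distinct images from one
    client match the download-then-install pattern described above."""
    return dict(Counter(client for client, _, _ in alerts))


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for client, ts, url in hits:
        print(f"{ts} {client} fetched {url} with no Referer shortly after an executable download")
    print(beacons_per_client(hits))
```

In the constructed log only 10.1.1.7 trips the rule, twice, matching the two-image pattern; 10.1.1.9 fetches from the same image host but with a forum page as Referer, and 10.1.1.5's referer-less fetch comes 85 minutes after its download, outside the window. Tune the window and the host list to your environment; a page that hot-links images from a public host with a stripped Referer will look the same to this rule.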

Net of Bots

Machines are taking over the Net. Only about 41 percent of Internet traffic comes from humans, according to a report released by Distil Networks. The remaining 59 percent comes from bots: automated agents performing a variety of tasks, some good, some bad.

“Bot traffic has been growing year to year,” Distil CEO Rami Essaid told TechNewsWorld. “It has become the way people do just about anything on the Internet.”

Of all Web traffic, 36 percent came from “good” bots and 23 percent from “bad” bots, Distil found. A “good” bot is one that abides by a webmaster’s rules for how a robot should behave on a site (typically the site’s robots.txt file) and also brings value back to the website. “Bad” bots don’t return value to a site, or worse, act maliciously toward it.

There was an increase in good bot traffic this year compared to last — 36 percent from 21 percent — a finding that surprised Essaid.

“Good bots almost doubled in the past year,” he said. “What that means is that they’re becoming more of a strain on websites.”

Another surprise was how bad bots have shifted away from hosting providers toward residential networks.

“That means the bots are hiding on desktop computers behind cable companies,” Essaid explained. “That’s going to make them harder to spot.”
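The first half of Distil's good-bot definition, obeying the webmaster's rules, is something a site can check for itself against its own access log. The script below is an added example of that check and is not Distil's classifier; it uses the standard library's urllib.robotparser to test each self-declared crawler against the Disallow and Crawl-delay rules in robots.txt. The robots.txt, the access log lines and the bot names are constructed for the example. The second half of the definition, whether the bot brings value back to the site, cannot be read from a log and is left to the analyst.

```python
"""Check which crawlers obeyed robots.txt, the "abides by the webmaster's
rules" half of Distil's good-bot definition quoted above.

Added example, not Distil's classifier. The robots.txt, the access log
and the bot names are constructed. Two rule types are checked with the
standard library's urllib.robotparser: Disallow paths and Crawl-delay.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.robotparser import RobotFileParser

ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /api/
Crawl-delay: 5

User-agent: PriceScraper
Disallow: /
"""

# Constructed access log: Common Log Format plus quoted Referer and User-Agent.
ACCESS_LOG = """\
203.0.113.10 - - [21/May/2015:10:00:00 +0000] "GET /products/1 HTTP/1.1" 200 512 "-" "Searchbot/2.1 (+http://search.example/bot.html)"
203.0.113.10 - - [21/May/2015:10:00:06 +0000] "GET /products/2 HTTP/1.1" 200 498 "-" "Searchbot/2.1 (+http://search.example/bot.html)"
203.0.113.10 - - [21/May/2015:10:00:12 +0000] "GET /robots.txt HTTP/1.1" 200 90 "-" "Searchbot/2.1 (+http://search.example/bot.html)"
198.51.100.4 - - [21/May/2015:10:00:01 +0000] "GET /api/prices?sku=1 HTTP/1.1" 200 220 "-" "PriceScraper/0.9"
198.51.100.4 - - [21/May/2015:10:00:01 +0000] "GET /api/prices?sku=2 HTTP/1.1" 200 220 "-" "PriceScraper/0.9"
198.51.100.4 - - [21/May/2015:10:00:02 +0000] "GET /api/prices?sku=3 HTTP/1.1" 200 220 "-" "PriceScraper/0.9"
192.0.2.77 - - [21/May/2015:10:00:02 +0000] "GET /admin/login HTTP/1.1" 401 120 "-" "FormFinderBot/1.0"
192.0.2.77 - - [21/May/2015:10:00:03 +0000] "GET /admin/ HTTP/1.1" 401 120 "-" "FormFinderBot/1.0"
192.0.2.78 - - [21/May/2015:10:00:03 +0000] "GET /products/3 HTTP/1.1" 200 500 "http://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Self-declared crawlers; browser traffic is out of scope for this check.
BOT_UA_RE = re.compile(r"bot|crawler|spider|scraper", re.IGNORECASE)


def load_rules(robots_txt):
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    rp.modified()  # mark rules as loaded so can_fetch()/crawl_delay() evaluate them
    return rp


def classify_bots(robots_txt, access_log):
    """Return {bot name: verdict dict} for every self-declared bot in the log."""
    rules = load_rules(robots_txt)
    requests = defaultdict(list)  # (ip, user-agent) -> parsed requests
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m or not BOT_UA_RE.search(m["ua"]):
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        requests[(rec["ip"], rec["ua"])].append(rec)

    report = {}
    for (ip, ua), recs in requests.items():
        recs.sort(key=lambda r: r["ts"])
        # Disallow check: robotparser matches the UA's product token against
        # the User-agent groups and falls back to the "*" group.
        disallowed = sum(1 for r in recs if not rules.can_fetch(ua, r["path"]))
        # Crawl-delay check: consecutive requests closer than the declared delay.
        delay = rules.crawl_delay(ua)
        too_fast = 0
        if delay is not None:
            too_fast = sum(1 for a, b in zip(recs, recs[1:])
                           if (b["ts"] - a["ts"]).total_seconds() < delay)
        report[ua.split("/")[0]] = {
            "ip": ip,
            "requests": len(recs),
            "disallowed_hits": disallowed,
            "delay_violations": too_fast,
            "verdict": "bad" if disallowed or too_fast else "good",
        }
    return report


if __name__ == "__main__":
    for name, r in classify_bots(ROBOTS_TXT, ACCESS_LOG).items():
        print(f"{name:14} {r['ip']:14} {r['verdict']:4} requests={r['requests']} "
              f"disallowed={r['disallowed_hits']} too_fast={r['delay_violations']}")
```

On the constructed data Searchbot stays inside the allowed paths and respects the five-second crawl delay, PriceScraper ignores the group that bars it from the whole site, and FormFinderBot both probes the disallowed /admin/ tree and requests faster than the delay allows. Note that robotparser matches on the first product token of the User-Agent string, so a bot that spoofs a browser UA, or the residential-network bots Essaid mentions, will not be caught by a rules check alone.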

Breach Diary

  • May 18. Connecticut Supreme Court rules IBM losses resulting from data breach that occurred when tapes containing personal information on 500,000 past and present employees fell off a truck are not covered in the terms of the company’s general liability policy with its insurer.
  • May 19. Home Depot reports it paid US$7 million in the first quarter for expenses related to data breach in 2014 in which 56 million customers’ credit and debit card numbers and 53 million email addresses were exposed. It’s estimated that the cost of the breach to the company so far exceeds $50 million.
  • May 19. Letter signed by coalition of nearly 150 civil liberties organizations, digital rights advocates, tech industry trade groups, security researchers and major Silicon Valley firms sent to President Obama asking he reject any proposal that U.S. companies deliberately weaken the security of their products.
  • May 19. International team of researchers announces “Logjam,” a weakness in the Diffie-Hellman key exchange used by TLS: a man-in-the-middle can downgrade a connection to export-grade 512-bit DH and then read or modify the traffic. The flaw affects numerous websites, mail servers and other services, including VPNs, and the browsers that connect to them.
  • May 19. Researchers at SEC Consult report vulnerability in the NetUSB kernel service found in millions of routers and other embedded devices; if exploited, it lets an attacker execute code on the device remotely.
  • May 20. CareFirst Blue Cross Blue Shield, which covers Maryland, Washington, D.C., and Virginia, announces personal information of 1.1 million former and current customers was compromised in data breach dating back to June 2014.
  • May 21. Target’s proposed $19 million settlement of lawsuit stemming from data breach in 2013 in which payment card and personal information of 103 million customers was stolen is voided because it could not get sufficient approval from banks involved in the case.
  • May 21. Cambridge University researchers release study revealing an estimated 500 million Android phones do not completely purge data on them when they are reset to their factory settings. In addition, 630 million phones do not completely wipe internal SD cards.
  • May 21. Google releases study on effectiveness of security questions posed when logging into online accounts, which finds 40 percent of users can’t remember the answers to the questions.
  • May 22. AdultFriendFinder confirms data breach has compromised personal information of its subscribers. Site did not disclose the scope of the breach, but Channel 4 reports that information on 4 million users was exposed.
  • May 22. New York City Health and Hospitals Corporation notifies some 90,000 patients their personal health information may have been compromised when a former Jacobi Medical Center employee emailed the data to her new employer.

Upcoming Security Events

  • May 30. B-Sides New Orleans. Hilton Garden Inn, New Orleans Convention Center, 1001 South Peters Street, New Orleans. Cost: $10.
  • June 3. B-Sides London. ILEC Conference Centre, 47 Lillie Road, London, SW6 1UD, UK. Free.
  • June 3. Using Your Network and Cisco ASR 9000 for Comprehensive DDoS Protection. 10 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • June 8-10. SIA Government Summit 2015. W Hotel, Washington, D.C. Meeting Fees: members, $595; nonmember, $795.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.
  • June 13. B-Sides Charlotte. Sheraton Charlotte Airport, 3315 Scott Futrell Dr. Charlotte, North Carolina. Free.
  • June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, £400; before June 16, £500; after June 15, £600.
  • June 16-18. AFCEA Defensive Cyber Operations Symposium. Baltimore Convention Center, Baltimore, Maryland. Registration: government-military, free; member, $575; nonmember, $695; small business, $445; other, $695.
  • June 17. SecureWorld Portland. DoubleTree by Hilton. 1000 NE Multnomah, Portland, Oregon. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • June 19-20. Suits and Spooks NYC. Soho House, New York City. Registration: $595.
  • June 20. B-Sides Cleveland. B Side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd, Cleveland Heights, Ohio.
  • July 3. B-Sides Lisbon. Forum Picoas, 40 Avenida Fontes Pereira De Melo, Lisbon, Portugal. Free.
  • July 18. B-Sides Detroit. McGregor Memorial Conference Center, Wayne State University, Detroit. Free.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1,795; before July 25, $2,195; after July 24, $2,595.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
