The Defense Department and broader US government intelligence community have urged President Barack Obama to fire National Security Agency chief Admiral Michael Rogers, US media reported Saturday.

The reports came even as President-elect Donald Trump, currently in New York, was himself said to be considering Rogers for the post of director of national intelligence.

"The recommendation, delivered to the White House last month, was made by Defense Secretary Ashton B. Carter and Director of National Intelligence James R. Clapper Jr.," The Washington Post reported, citing multiple US officials familiar with the case.

Action has been delayed, the paper said, since removing Rogers is linked to the pending creation of "separate chains of command at the NSA and the military's cyberwarfare unit, a recommendation by Clapper and Carter that has been stalled because of other issues."

If selected by Trump, Rogers would succeed Clapper as the official who oversees all 17 US intelligence services.

"In a move apparently unprecedented for a military officer, Rogers, without notifying superiors, traveled to New York to meet with Trump on Thursday at Trump Tower," the Post said. "That caused consternation at senior levels of the administration."

The New York Times on Saturday confirmed that Rogers' position in the Obama administration was in potential jeopardy.

"Obama is considering removing Admiral Michael S. Rogers from his posts as leader of the National Security Agency and United States Cyber Command after top officials expressed frustration over the speed at which Admiral Rogers had moved to combat the Islamic State and over the agency's repeated loss of closely guarded secrets," the Times said, citing unnamed administration and intelligence officials.

Earlier, Trump, who spent his first weekend outside Manhattan since his election, met for about 90 minutes with moderate US Republican Mitt Romney, known for his harsh criticism of the president-elect during the campaign.

Romney is believed to be interested in the US secretary of state position. There was no official word on whether he was offered the job.

Romney would bring a more orthodox Republican worldview to foreign policy. He described Russia in 2012 as the main American geopolitical threat -- a sharp contrast to Trump, who has exchanged compliments with Russian President Vladimir Putin.

© AFP 2016


SecurityWeek RSS Feed

FBI reports more attempts to hack voter registration system

James Comey, director of the FBI, speaks at a House Judiciary Committee hearing in Washington on March 1, 2016.


The U.S. Federal Bureau of Investigation has found more attempts to hack the voter registration systems of states, ahead of national elections.

The agency had reportedly found evidence in August that foreign hackers had breached state election databases in Illinois and Arizona, but it appears that there have been other attempts as well, besides frequent scanning activity, which the FBI describes as a prelude to possible hacking attempts.

"There have been a variety of scanning activities, which is a preamble for potential intrusion activities, as well as some attempted intrusions at voter registration databases beyond those we knew about in July and August," FBI Director James Comey told the House Judiciary Committee on Wednesday.

Comey said that the systems that could be at risk were the voter registration systems that are connected to the Internet. The vote system in the U.S., in contrast, is hard to hack into "because it's so clunky and dispersed," he added. He advised states to get the best information they can from the Department of Homeland Security and to ensure their systems are tight, as there is "no doubt that some bad actors have been poking around."

"We are doing an awful lot of work through our counter-intelligence investigators to understand just what mischief is Russia up to in connection with our elections," Comey said. U.S. officials have hinted that they believe Russia is behind recent attacks on servers of the Democratic National Committee, which led to the leak of embarrassing emails through the whistleblowing website WikiLeaks. But the U.S. government has not directly attributed the attacks to Russia.

Security experts and Democratic party presidential candidate Hillary Clinton have blamed Russia for the attack, but Republican party candidate Donald Trump said nobody knows it was the Russians, adding that the hack could have come from Russia, China, or a 400-pound hacker working from his bed.

The U.S. government is not sure whether Russia, which is said to have interfered in U.S. elections since the 1960s, aims to influence the outcome of the election or try to
InfoWorld Security

The SWIFT messaging system for banks has been working on improving security after some high-profile thefts, with the newest attempt in the form of antifraud reports to be offered to supported banks. However, experts said this move could be more about shifting responsibility for fraud back to the banks.

SWIFT said the Daily Validation Reports should "supplement customers' existing fraud controls," and provide a summary of transactions to better allow banks to verify activity and identify potential fraud. The Daily Validation Reports will include Activity Reports, which will show aggregate daily activity on the SWIFT messaging system, and Risk Reports, which will show a "review of large or unusual payment flows and new combinations of payment parties."

Stephen Gilderdale, head of SWIFT's Customer Security Programme, said this should disrupt attackers from "concealing their fraudulent messaging activity on customers' local systems."

"Smaller institutions, in particular, are currently dependent on the accuracy of the data on their own systems, but in the event of a security breach, their locally stored payment and reconciliation data may be altered or unavailable," Gilderdale wrote in a statement. "Daily Validation Reports will provide a reliable and independent source of information, providing such institutions with an activity lens to help them quickly detect fraud -- whether perpetrated by external attackers or by malicious insiders."

Eldon Sprickerhoff, founder and chief security strategist for eSentire Inc., based in Cambridge, Ont., said this may only create more work for the SWIFT member banks that choose to use the service.

"It's difficult to determine how effective the tool will be for daily transactions that usually number in the hundreds or more," Sprickerhoff said. "Unfortunately, this tool will make more work for banks [that] use it because of the sheer time and resources required to manage, monitor and action the reports, which may lack automated alerting capabilities."

Rajiv Dholakia, vice president of products at Nok Nok Labs Inc., based in Palo Alto, Calif., said the reports aim to fix the wrong problem: "The assumption that local banks are able to maintain secure networks that can prevent intrusions is a fallacy."

"The root of the SWIFT problems points to lost, stolen or hijacked credentials that are being used to authorize transactions," Dholakia told SearchSecurity. "Until SWIFT is able to implement stronger authentication measures to authorize and monitor transactions, measures like reporting or monitoring and slowing transactions simply put the burden back on the banks."

SWIFT said the new antifraud reports will be introduced in December 2016. The reports will be voluntary, and they will come with a service charge, but details of the fees involved have not been decided.

Avivah Litan, vice president and distinguished analyst at Gartner, said it makes sense to create a voluntary system if there is a cost to participate, but questioned the cost to SWIFT and the value of the service.

"SWIFT should provide these simple validation reports for free, or for a small fee. They are likely very easy to produce, and once automated and set up for distribution, the cost to SWIFT should be nominal," Litan told SearchSecurity. "A more intelligent service -- for example, one that did anomaly detection -- would be more effective, as it would highlight the exceptions that needed to be investigated instead of simply reporting on all transactions. That type of report would command and deserve a higher subscription fee."

Litan said simply notifying SWIFT messaging member banks of large transfers won't be much help because "crooks know how to stay under the radar of these types of rule-based flags. They would find out what the threshold is for such a flag in no time."

The SWIFT announcement stated the notifications could assist banks in detecting "unusual payment flows," but it is unclear how advanced this type of anomaly detection will be.
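As an added illustration (not SWIFT's code or the reports' actual logic) of the difference Litan draws between a fixed large-payment flag and the "unusual payment flows" and "new combinations of payment parties" a Risk Report is meant to surface, the Python below runs both checks over constructed payment records. The record layout, the 100,000 threshold and the 50% baseline tolerance are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data, not real SWIFT traffic: (day, debtor, creditor_bic, amount_usd)
HISTORY = [  # baseline days: routine supplier and payroll flows
    (1, "ACCT-1", "SUPPLXX", 120_000), (1, "ACCT-1", "PAYRLXX", 45_000),
    (2, "ACCT-1", "SUPPLXX", 118_000), (2, "ACCT-1", "PAYRLXX", 45_000),
    (3, "ACCT-1", "SUPPLXX", 125_000), (3, "ACCT-1", "PAYRLXX", 46_000),
]
TODAY = [  # day 4: routine flows plus several transfers to a never-seen creditor, each under the flag
    (4, "ACCT-1", "SUPPLXX", 121_000), (4, "ACCT-1", "PAYRLXX", 45_000),
    (4, "ACCT-1", "NEWBNXX", 95_000), (4, "ACCT-1", "NEWBNXX", 97_000),
    (4, "ACCT-1", "NEWBNXX", 98_000), (4, "ACCT-1", "NEWBNXX", 96_000),
]
LARGE_PAYMENT = 100_000  # assumed fixed threshold: the rule-based flag Litan expects to be learned and avoided


def large_payment_flags(txns, threshold=LARGE_PAYMENT):
    """Rule-based check: flag each single message at or above the threshold."""
    return [t for t in txns if t[3] >= threshold]


def group_by_day(txns):
    days = defaultdict(list)
    for t in txns:
        days[t[0]].append(t)
    return days


def activity_report(txns):
    """Activity Report analogue: [count, total value] per debtor/creditor pair for one day."""
    agg = defaultdict(lambda: [0, 0])
    for _, debtor, creditor, amount in txns:
        agg[(debtor, creditor)][0] += 1
        agg[(debtor, creditor)][1] += amount
    return dict(agg)


def risk_report(history, today, tolerance=0.5):
    """Risk Report analogue: new payment-party combinations, plus pairs whose daily total
    exceeds their own historical daily mean by more than `tolerance` (assumed 50%)."""
    baseline = defaultdict(list)
    for day_txns in group_by_day(history).values():
        for pair, (_, value) in activity_report(day_txns).items():
            baseline[pair].append(value)
    findings = {}
    for pair, (_, value) in activity_report(today).items():
        if pair not in baseline:
            findings[pair] = "new payment-party combination"
        else:
            mean = sum(baseline[pair]) / len(baseline[pair])
            if value > mean * (1 + tolerance):
                findings[pair] = f"unusual flow: {value} vs baseline mean {mean:.0f}"
    return findings
```

On the constructed day 4, the threshold rule flags only the routine 121,000 supplier payment, while the baseline comparison reports the four sub-threshold transfers as a new payment-party combination.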

Sprickerhoff noted some other details missing from the announcement.

"There are some details that could be better defined for clients, such as how out-of-band access will be effected and whether the tool will be provided as part of SWIFT's core service offering," Sprickerhoff said. "It also doesn't clearly resolve any of the nonrepudiation problems raised through the breach cases that prompted the development of this tool in the first place."

The Daily Validation Reports follow other recent efforts to shore up the security of the SWIFT messaging system. Last month, SWIFT launched a campaign to raise awareness of its relationship management application and how the RMA can be used as the "first line of defense" against unwanted and potentially fraudulent message flows. The campaign also promoted the use of two-factor authentication in SWIFT products.

SearchSecurity: Security Wire Daily News

In its latest quarterly report on the cloud, Netskope reported that 43.7% of malware found in the cloud is carrying ransomware and one in 10 of the enterprises monitored by Netskope yielded ransomware-infected files in sanctioned cloud apps.

Although the Netskope Threat Research Labs report covered only cloud apps that were officially approved by the enterprises using them, it discovered an average of 26 pieces of malware in cloud apps across organizations where cloud ransomware was present -- and over half of all infected files were shared publicly.

Sanjay Beri, founder and CEO at Netskope, said in a statement: "With the rise of ransomware, the cloud threat landscape is now increasingly complicated; IT teams need deeper intelligence, protection, and remediation that can help them stop malware and ransomware in their tracks and prevent them from spreading."

Netskope reported cloud ransomware being delivered through JavaScript exploits and droppers, Microsoft Office macros, PDF exploits and Linux malware. "Ranging from one to hundreds of pieces of cloud malware at each organization, for enterprises infected with malware, the average amount found in cloud apps was 26 pieces of malware." Netskope also reported that 55.9% of the cloud malware "was shared with others, including internal or external users, or publicly, a significant increase from last quarter's 26.2%."

Solutions to the cloud ransomware threat have yet to catch up. Netskope's recommendation was to have security teams focus on the cloud malware threats. "With these threats often delivered through phishing and email attacks, security teams should consider training sessions for employees on spotting suspicious emails and not opening attachments from unknown sources or suspicious email addresses. Within a cloud context, files that have been encrypted can easily affect other users when they are in sync folders."

Other suggestions from Netskope included "using a cloud access security broker (CASB) to detect and remediate ransomware that affects files in cloud applications, as well as enabling the versioning function in Box, Dropbox, Microsoft OneDrive, Google Drive, and other file-sharing applications in order to roll encrypted files back to their last known good version and fully recover from ransomware attacks."

Experts agreed that as cloud ransomware becomes more common the risks will continue to grow -- and finding solutions will be challenging.

"Now more than ever, companies need to prepare for a ransomware attack by implementing fully-baked business continuity plans," said Richard Walters, senior vice president of security products at Intermedia, the Mountain View, Calif., business cloud app firm. "These should incorporate off-site, real-time cloud backups to ensure file archives can't be deleted and employees can access clean versions of the files on another device."

"The number of options for enterprises to reduce risk is decreasing," said Vishal Gupta, CEO at Seclore, the Sunnyvale, Calif., enterprise digital rights management firm. "Infrastructure protection strategies focused on protecting the device, the application or the network are moving to the necessary but not sufficient category. The amount of malware infiltrating even 'secure' cloud applications and data being delivered via containers like office files and PDFs is already at 43.7%, and increasing every day. Focusing on securing the information itself as it moves in and out of cloud apps, which is part of a data-centric security model, is the future of security."

"The fact that ransomware attacks are now so pervasive in the cloud only reinforces the need for a multi-dimensional defense strategy, including the use of machine learning and artificial intelligence techniques to pinpoint small changes in behavior that identify malicious carriers such as email, while flagging telltale signs that a user has been infected," said Larry Lunetta, vice president of strategy at Niara, the Sunnyvale, Calif., security analytics firm.

"One of the biggest risks ransomware poses on enterprises isn't the ransom that the executives might have to pay, it's employee downtime," Walters said. "The major damages occur when employee productivity is abruptly halted by ransomware attacks, jeopardizing business operations and sales. Companies can't afford the crippling effects of downtime, as that tends to be pricier than the ransom itself."

Gupta said the risks for enterprises vary. "At the least, a breach is an embarrassment -- at the worst, it means lost intellectual property, compliance violations, lawsuits and loss of reputation. Risk assessment can also be a very subjective exercise since the true risks of information breaches are almost never obvious."
