Cyber News of the Week
Israeli Credit Card Hack
A group of Saudi hackers exposed the credit card information of 150,000 Israelis. According to Amichai Shulman, chief technology officer of security firm Imperva, the breach itself also created opportunities for further attacks.
“One of the immediate effects of the breach is that people in Israel rushed over to the web to check whether they are in the list. This created a wonderful opportunity for attackers of all kinds to promote their business by posting fake links to the list. These links, promoted through black hat search optimisation, are part of either click-fraud campaigns or malware infection schemes,” he said to ComputerWeekly.com.
Other quick entrepreneurs posted web applications that let people check whether their name is in the file by supplying either their e-mail address (some of these are legitimate applications posted by security researchers) or their Israeli ID number; the latter are clearly not legitimate, said Shulman.
Stratfor Hack
On December 24th, hackers operating under the Anonymous handle released the email addresses, credit card information, and personal information of over 800,000 users of the security website Stratfor. Several affected bank accounts were later found to be used to donate money to charitable organizations. The hackers involved have threatened to publish company emails at an unannounced date that will reveal "Stratfor is not the 'harmless company' it tries to paint itself as."
Top Cyber Threats of the Year
McAfee released predictions for the top cyber threats of 2012. My favorite:
Embedded hardware: Embedded systems, which are designed for a specific control function within a larger system, are commonly used in vehicles, GPS systems, medical devices, routers, digital cameras and printers. Hackers with access to malware that attacks the hardware layer of such systems will gain control and long-term access to the system and its data.
"Legalized" spam: While global spam volumes have dropped in recent years, legitimate advertisers are now using the same techniques, such as purchasing email lists of users who have consented to receive advertising, or purchasing consumer databases from companies going out of business. "Legal" spam is expected to grow at a faster rate than illegal phishing and confidence scams on the internet.
Threats to virtual currency: Hackers will increasingly target the growing use of cyber currency, which is often not encrypted, as a means to steal money and spread malware.
Mobile threats bypassing PCs: Attackers will improve their craft with an eye toward launching mobile banking attacks. For example, consumers may eventually see SpyEye and Zeus, two Trojan banking attacks, migrate from the computer to the smartphone.
Blinking online traffic lights: Legislative issues are expected to stall efforts to develop Internet traffic "rules of the road," which could aid in reducing instances in which hackers steer users to an unintended server.
Congress Continues to Debate SOPA; Major Sites Consider "Blackout"
In case you've been living under a rock, the cause célèbre of the month is the "Stop Online Piracy Act" introduced by Representative Lamar Smith (R-TX). This piece of legislation, which was drafted in order to target intellectual property illegally hosted offshore, has come under heavy opposition from Google, Facebook, Twitter, Zynga, eBay, Mozilla, Yahoo, AOL, and LinkedIn, as well as the European Parliament, Nancy Pelosi, and Ron Paul.
According to CNET, it would allow "the U.S. attorney general to seek a court order against the targeted offshore Web site that would, in turn, be served on Internet providers in an effort to make the target virtually disappear." Laurence Tribe, a high-profile Harvard law professor, argues that SOPA is unconstitutional because, if enacted, "an entire Web site containing tens of thousands of pages could be targeted if only a single page were accused of infringement." This would be disastrous for user-generated content sites such as YouTube and Wikipedia.
Another major controversy is that the Act could severely impact DNS Security (known as DNSSEC). The most recent development has been the announcement by Google, Twitter, Facebook, and Amazon that they were considering a so-called "nuclear option" (coordinated blackout of services) to demonstrate their opposition to the bill.
Well hello there! My name is Aviva, and I am very excited to be your new cyber blogger. I'm currently finishing my last year of undergrad at American University and I hope to begin a long, storied career in government around this time next year. The most important thing to know about me (and something that will become very apparent) is that I absolutely love cyber: cyber intelligence, cyber security, cyber law, cyber crime.... you name it. I hope to blog about recent news, major publications, and cyber events in and around DC! One more thing: I work at the Intelligence and National Security Alliance, a professional organization for the public and private Intelligence Community as well as the inspiration for my inaugural blog.
On September 13, 2011, INSA was hacked. The guilty party is unconfirmed, but a leaked document containing an old member list was received and posted by Cryptome.org, a website that hosts
"documents for publication that are prohibited by governments worldwide, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance—open, secret and classified documents—but not limited to those."
The list's description states that it "includes ex-directors of spy agencies and current spies, ex-White House national security staff, members and ex-members of Congress and their staff, senior military officers, senior corporate personnel and other notables." The list included member names, unclassified emails, a few phone numbers, and office addresses, but I think the point was to 'expose' the members of a clearly shadowy organization. (I'm new to this blogging thing: is my sarcasm clear enough?) Maybe the site's editors last read this article about INSA in 2007; my favorite quote (about INSA's Executive Vice President) is, "Even Frank F. Blanco's age is on a need-to-know basis, and he needs it not to be known." All joking aside, the breach came on the heels of INSA releasing its most recent white paper, "Cyber Intelligence: Setting the Landscape for an Emerging Discipline," and many believe that the views expressed therein may have precipitated the attack.
Ok, now to be serious. This breach was a very significant incident. INSA was fortunate that no sensitive information (if there is any stored on the servers) was leaked; our member list is merely proprietary information. Many members were (rightfully) upset that the information they had entrusted to us was released. Still, the consequence of what was exposed pales in comparison to Wikileaks or your average bank breach. So why do I bring it up?
As a staff member, I had a unique view of INSA's actions in the days following the breach. Senior leadership became aware of the posting late on Wednesday, September 13th. An email went out informing members of the incident on the 14th. A press statement was released on the 16th. The entire staff was given a rundown on the situation and the information necessary to communicate with members who called the office. In short, INSA demonstrated a very high level of due diligence, with forensic teams being called in less than a day later. As Ellen McCarthy, President, stated in the press release, "We are working with INSA member companies, who represent the best in the field on security, to ensure that we are protected going forward and that this never happens again."
As someone who has watched the saga of corporate breaches unfold over the last year, I was highly impressed by INSA's response. In a situation where a company may be both legally liable and at risk of reputational loss, it is difficult to confront members, clients, or shareholders with notice of a breach. Remember the Sony PlayStation incident? A class action suit was brought against them within a week of having failed to notify customers of the hack. According to the plaintiff, the delay prevented the affected parties from making "an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions." Recently, a breach compromising 360,000 Citigroup accounts was exposed by the Financial Times nearly a month after the fact. The company claims the stolen information contained credit card numbers and contact information, but not customers' credit card expiration dates, social security numbers, birth dates, or card verification numbers. A class action suit was brought against Citigroup in mid-October, citing the company's refusal to protect victims in the wake of the breach.
This isn't a black and white issue though. The Ponemon Institute's Data Breach Cost Report found that the cost of each incident reached $214 per compromised record and averaged $7.2 million per data breach event. They also found that companies that responded quickly to events had a tendency to 'over-notify' customers that may not have been affected, and on average paid 54% more than other companies. There are legitimate business interests at stake. However, if both early and late notification will result in financial penalties for the company (either in terms of reputational loss or class action lawsuit) I think the future will see that companies who are perceived as 'doing the right thing' by their customers will thrive.
When I began drafting this post, I had intended to rail against the all-too-familiar pattern of corporate silence and call for more federal guidance on data breach reporting. But someone beat me to it! Last week, the Securities and Exchange Commission (SEC) released a document on "Disclosure by Public Companies Regarding Cybersecurity Risks and Cyber Incidents." Now, don't get too excited. According to the website, the document is merely a formal recommendation, neither approved nor disapproved by the SEC. Still, this represents a very important step in the right direction. The SEC seems to be leading by example, as they were also hacked this month.
I believe we have seen that data breaches are no longer an anomaly, but a way of life. Corporate executives need to build cybersecurity into their business model, and stop thinking of it as a reactionary, post-hack measure. That said, regardless of how secure your organization may be (and I believe the recent string of lawsuits demonstrates how important this is), you will be hacked. This is a new, inevitable fact of life. After that, how your company decides to react will say a lot about how much you respect and value your clients.
So, good for the countless plaintiffs setting the precedent for companies to be answerable to their customers. I believe their actions may have more of an immediate impact on corporate behavior than what's being handed down by the government, but this is only the first step in what promises to be a long struggle to have federally mandated incident reporting.
UPDATE: An interesting debate between two CEOs on this issue.
Tags: INSA, Intelligence and National Security Alliance, SEC, Securities and Exchange Commission, data, breach, reporting, hackers
What to Follow September 7, 2011
Certificate Authority GlobalSign has been hacked by the same person who hacked Comodo last year. The targets are believed to be Iranians connecting to their email accounts.
The Department of Homeland Security is warning that Anonymous is preparing to strike again with DDoS and real life protests. DHS warns that new tools will facilitate Anonymous' capabilities to target other organizations and groups.
Foreign Policy has released a good summary of cyber-conflict with a scary-sounding headline.
For those having trouble keeping track of all the hacking that occurred this summer, CNet has created an informative chart consisting of published attacks.
-J.M.
Who's Who in Cyberspace (US Edition)
FBI's Cyber Division, NCSD, NCSC? What does that mean, and who are these people? Welcome to the alphabet soup of acronyms known as the US government. Don't worry, I'm here to help. The culture of cybersecurity has a history of secrecy that rivals any spy agency, and to make matters worse, there is no one agency that handles the US's cybersecurity responsibilities. The government's growth in cyberspace is more ad hoc and decentralized than many would believe. So let's begin!
The National Security Agency (NSA): These guys are the granddaddy of the US cyber agencies. The NSA began as a Signals Intelligence (SIGINT) collection and cryptology analysis branch of the Department of Defense. This basically means they would record and analyze the telephone, satellite, and radio messages of foreign governments. Because most governments expect their messages will be read, they encrypt them to make them unreadable to third parties. This required the NSA to become experts at creating and breaking ciphers.
So how does this apply to cyber? Well, all this technology requires computers to function. Sometimes, rather than waiting for messages to be sent, you just want to get the information while it sits in a database. And that is called hacking. Not that they've ever done it.
So ever since the creation of the Internet, the NSA has been the go-to agency for anything cyber related. But this created some legal problems. The NSA is a spy agency, and spy agencies are not legally allowed to conduct operations in the US, nor do they have the authority to arrest criminals. Thus another agency would have to pick up the slack.
The Federal Bureau of Investigation's Cyber Division (FBI CD): In a delightful bit of irony, the FBI's Cyber Division doesn't have its own webpage. Its budget, like the NSA's, is also hidden from public view. The FBI is supposed to investigate intrusions into federal government and private sector systems. To do this you need good computer security experts; unfortunately, many tend to get recruited into the NSA or the private sector. The FBI has the legal authority to investigate any cyber-crime, cyber-terrorism, or cyber-espionage that occurred on US territory and to make arrests if possible.
The Department of Homeland Security (DHS):
The Secret Service: The original role of the SS was to catch counterfeiters and people who commit financial fraud. Since money has gone digital, so has the SS. They generally go after bank, credit card, and identity theft. But doesn't this partly overlap with the FBI's efforts? Yes, but the two agencies have different investigative philosophies, which means they don't necessarily have redundant investigations. The FBI goes after big fish (i.e., crime bosses or botnet leaders); the SS goes after whoever crosses their radar (if someone is making threats against the president or pumping fake money into the economy, you generally don't care about the other crimes they committed).
The National Cyber Security Center (NCSC): The NCSC does...um...I'm actually not sure what they do. Seeing as they don't publish their mission, I think they want to keep it that way. Their Wikipedia page says they collect and share information between DoD, FBI, DHS, and the NSA.
The National Cyber Security Division (NCSD): They are essentially the face of DHS in cyberspace. The NCSD runs several programs that are meant to coordinate with local law enforcement, report vulnerabilities, coordinate with federal agencies, and analyze threats. They also run the Federal Network Security (FNS) program, which is tasked with improving the US Government's cyber-security.
United States Computer Emergency Response Team (US-CERT): US-CERT is organized under NCSD and is essentially the face and operational wing of DHS's cyber team. They report and track security vulnerabilities. Essentially, this is where DHS puts their nerds to work. When something goes wrong, these are the guys who are supposed to be the technical experts.
Immigration and Customs Enforcement (ICE): Remember how 80,000 websites were shut down by the US government? That was ICE. The seizures wouldn't have been so many if ICE hadn't accidentally taken down a DNS host. But I digress; ICE handles copyright enforcement for the US government.
This list is by no means exhaustive (NIST, CIA, DOC, and the EOP's Cyber-Czar were all left out), but it is meant to cover the major players and organizations that have tangible power to affect the US's cyber policy.
-J.M.
China: Hackers or Victims?
Both Xinhua and China Daily have reported that the country was attacked 493,000 times last year by hackers. These reports come several weeks after McAfee claimed China was behind Operation Shady RAT (a claim it later retracted). This raises the question: are the Chinese major victims of attacks, or is this just another PR campaign?
The answer is both. Chinese businesses and governments are major victims of attacks because of several fundamental dynamics. The first is the sheer size of the Chinese Internet economy. With 485 million Internet users and a booming economy, hackers have begun attacking the Chinese Internet population with gusto. This is made worse by the large-scale use of 网吧 (Internet cafes). By taking over a public computer, hackers can use faster Internet connections (compared to the average home DSL connection in China) to conduct APTs or DDoS attacks, or just use the machine as a basic proxy to obfuscate other attacks. It also means that instead of gaining access to one or two people's accounts, they have access to an effectively unlimited number of people's sensitive information (economies of scale work for criminals too). Given that most people reuse the same password, once someone logs into one site such as QQ, a hacker could get into your bank as well.
The growth of standard smartphone operating systems (namely Android) is also driving an increase in hacking victims. For many Internet users in developing nations, their phone is their computer. Cell phone banking and finance have shown promise for rural development, but where there is money there are criminals. Geinimi is just the tip of the iceberg when it comes to Android viruses. As the smartphone platform grows, so will the number of attacks. The iPhone is no safer per se, but given that Android lets you install software from outside the official market, and given Android's higher usage in China, Android is seen as a better platform for hackers.
Worst of all, the amount of pirated software in use in China severely hinders any chance of securing its IT infrastructure. Running pirated software prevents you from installing new security patches. Many times a trojan is bundled with the software, and simply installing it gets your machine infected. Given that 90% of the software in use by the Chinese government is pirated, China is a victim of hacking.
Despite this, the Chinese are not purely innocent victims. The Internet ecosystem set up by the government, the number of already compromised machines used to launch other attacks, and the lack of serious anti-hacking measures do nothing to deter hackers from operating inside China. This has helped create the perception that China is a major exporter of cyber-attacks. It also does not help their case that the PLA has an entire wing dedicated to hacking...
-J.M.
Largest Cyber Intrusion Discovered
MSNBC has reported that the largest cyber intrusion yet was discovered by security researchers. Dubbed "Operation Shady RAT" because of the type of malware used on infected machines, the attack hit 72 organizations over at least five years. Security experts believe that the attacks were conducted by a state actor very famous for hacking.
As the image above shows, the targets tended to be quite diverse but shared a commonality: interconnected IT systems. This attack was a classic APT that used a Kill Chain to gain access to the intended targets, creating a lot of infected systems in the process. What is a Kill Chain? It's basically a tactic of going after weakly defended systems to gain access to better defended ones.
Think of it like this: there is a feudal kingdom of many different castles, where each castle is connected to the others through an underground dungeon. You need to get into a heavily fortified castle with a lot of guards looking out at the countryside. It would take an enormous amount of resources and time to get into this castle. An easier way in is to find the castle with the worst guards and defenses, then use the connected tunnels to go wherever you want.
So how do you stop this? There is no easy or short answer. The main takeaway is to take a Trust No-One approach to security. Regardless of where the traffic comes from, you can never be 100% sure that it is safe.
-J.M.
Think Before You Click: How to Avoid Malware on Facebook
Ok, I know we've all seen those Facebook malware scams that show up on our newsfeed because one of our stupid less savvy "friends" clicked on a bad link or tried to watch a video that said something like "Casey Anthony Confession" or "This is the funniest baby I've ever seen bahahaha".
We've all seen them. Cyber criminals seem to be stepping up their game when it comes to using social engineering techniques to get people to click on their bad links and inadvertently download malware (viruses, trojans, overall bad stuff) to their computers.
I'm not completely sure how these things work (I don't pretend to be technically savvy enough to reverse engineer malware), but it seems that as soon as someone clicks on one of those links, opens the webpage, or downloads the "video," the malicious post is automatically reposted to that victim's newsfeed and/or sent to all of that person's friends' walls or personal message inboxes. Sometimes the malware will also start conversations with the victim's friends (aka you) via the Facebook chat feature and try to get you to click on the link that way too.
Like I said, I'm not completely sure what these things really do once you click on them (I can only describe what I've observed from my own friends who clicked), and I'm sure they are all at least slightly different, but they do provide an initial infection vector for a cyber criminal to not only gain access to your Facebook account but also potentially control your computer remotely and/or install malware on your machine that would let the bad guy see your login information for other accounts, like your online banking, Amazon, and/or PayPal accounts (things you would probably prefer to keep private, at least if you like keeping your hard-earned money).
Ok so now you know these things are bad. You click on them they send themselves to all of your friends and can infect your computer with badness. So how can you keep from falling victim?
In my mind, the easiest way to protect yourself is to just not click on any videos or links that you see on Facebook, but I know that's not practical. Sometimes there are real, harmless, funny videos and links posted on Facebook, and we all need a little humor in our lives, so avoiding all Facebook posts isn't necessarily the best option. Another option is to google the title you see and check whether it has been reported as a title used by Facebook malware. Finally, perhaps my favorite option: look at the actual link address that has been posted. Typically this is listed under the title of whatever the post is linking to, be it a video or newspaper article or whatever. While this could be faked too, an easy way to know whether you should be uber suspicious is whether the link looks like it goes to a legitimate website. For example, a post that links to www.cnn.com is more likely to be a legitimate, benign, safe link, whereas a post that links to sheidlcyse.jr looks a bit more suspicious.
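As an added example (not code from the original post), here is a small JavaScript helper that applies the link check above mechanically: it parses the link's real address, compares it with any domain named in the visible text, and flags hosts that are not on a short trusted list. The trusted list, the sample links, and the `assessLink` and `registrableDomain` function names are assumptions made for this example.

```javascript
// Added example, not from the original post. Inspect a social-media link
// before clicking: where does the href really go, does the visible text
// claim a different site, and is the real host one we already trust?

// Assumed, constructed trusted list. A reader would fill in their own.
const TRUSTED_HOSTS = ["cnn.com", "youtube.com", "nytimes.com"];

// Reduce a hostname to its last two labels ("www.cnn.com" -> "cnn.com").
// Good enough for the .com/.org style names in the post; country-code
// second-level domains such as example.co.uk are not handled here.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Returns { verdict, reason } where verdict is one of
// "suspicious", "unknown", or "likely safe".
function assessLink(displayText, href) {
  let url;
  try {
    url = new URL(href); // throws TypeError on anything that is not a URL
  } catch (e) {
    return { verdict: "suspicious", reason: "link address is not a valid URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { verdict: "suspicious", reason: `unexpected scheme ${url.protocol}` };
  }
  const target = registrableDomain(url.hostname);

  // If the text shown to the user names a domain (e.g. "www.cnn.com") but
  // the href points somewhere else, that mismatch is the clearest red flag.
  const shown = displayText.match(/([a-z0-9-]+\.)+[a-z]{2,}/i);
  if (shown && registrableDomain(shown[0]) !== target) {
    return {
      verdict: "suspicious",
      reason: `text says ${registrableDomain(shown[0])} but link goes to ${target}`,
    };
  }
  if (TRUSTED_HOSTS.includes(target)) {
    return { verdict: "likely safe", reason: `${target} is on the trusted list` };
  }
  return { verdict: "unknown", reason: `${target} is not on the trusted list; check before clicking` };
}

// Constructed sample posts, modelled on the ones described above.
const samples = [
  ["Casey Anthony Confession", "http://www.cnn.com/2011/some-article"],
  ["This is the funniest baby I've ever seen bahahaha", "http://sheidlcyse.jr/video"],
  ["www.cnn.com", "http://sheidlcyse.jr/cnn"],
];
for (const [text, href] of samples) {
  const r = assessLink(text, href);
  console.log(`${r.verdict.padEnd(12)} ${href}  (${r.reason})`);
}
```

The mismatch check is the part the post only hints at: a link whose visible text reads "www.cnn.com" but whose address goes elsewhere is flagged even when you have never heard of the destination.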
Now, if you have become a victim of one of these posts, there are a few things you should do to a) protect your Facebook friends, who think you just sent them the link to a great video, article, or shoe seller, and b) secure your Facebook account and at least try to make sure you don't have an infected, compromised computer. Delete whatever posts the malicious link made to your newsfeed and/or your friends' walls. Send out a Facebook status telling your friends that your account was compromised and that the link to *insert title here* wasn't sent by you. Next, close your browser, update your security software, and run an antivirus scan and a Spybot Search & Destroy scan to see if any known malware has been downloaded to your computer. If anything is found, click remove or fix (it varies depending on your security software vendor) and restart your computer. Finally, change your passwords. A way to make sure no one else can access your Facebook account is to enable two-factor authentication. Once enabled, every time you sign into your account, Facebook will automatically generate a confirmation code and send it to your cell phone. Using two-factor authentication makes it less likely that someone who isn't you will successfully gain access to your Facebook account, because to sign in they would have to know your username and password and have your cell phone.
When in doubt, don't click! Just don't be stupid use logic when deciding whether to click. For example, with the Casey Anthony video above, the news reported that she never confessed, so an online video claiming to be a confession cannot be real. Cyber criminals are interested in people who do not use secure internet browsing practices and click without thinking. They don't really care who you are; if they can gain access to your account, they can use that access to compromise other accounts. Don't be stupid. Think before you click!
A Month in Review
Wow, what a month for cyber. Between LulzSec pwning hacking into everyone, the discovery of an "indestructible" botnet, and the FBI's successful takedown of a different botnet, this month has been very busy for hackers and governments. Here's a rundown of June's biggest cyber stories.
LulzSec targets everyone. Sony, the Arizona DPS, and the CIA were among the many organizations targeted by the hacktivist group. Luckily for organizations, LulzSec has claimed to have disbanded, but other groups have promised to pick up the cause. Between this and the wildfires, it's never been worse to be an Arizona public worker.
Researchers have found an indestructible botnet. TDSS, the botnet's name, contains a cocktail of various hacker software that allows it to quickly take over a user's machine. What makes this one so special is that it contains anti-virus software that prevents other malware from taking over the machine. This prevents other hackers or the FBI from taking control away from TDSS. Speaking of the FBI and botnets...
FBI takes down a botnet from the inside. The FBI was able to destroy the Coreflood botnet, not by arresting the hackers but by hacking the botnet. This once-illegal practice was allowed by a DOJ order to stop Coreflood from operating. This order has set a legal precedent that will allow the FBI to begin hacking infected computers and scrubbing them clean.
Happy 4th everybody
-JM
Consumer Passwords At Risk
Hacktivists have been out in force the last few weeks, as you've probably noticed. Groups across the globe have taken to the internet in a crusade to "inform" the world's population that their internet security isn't actually secure. This may not seem like something you really need to worry about. I mean come on, I'm not a major corporation and I definitely don't have much money, so why would the actions these groups take affect me? See, the issue isn't whether they would attack you personally; the issue is that they are supposedly attacking and getting personal information, YOUR personal information, from sites that you use. One hacktivist group in particular has been wreaking havoc on websites the past few weeks and has released scores of login information, including email addresses, usernames, and passwords. While the information a user cares about may not be housed on the site they got the data from, the publishing of this data and the subsequent "ravaging" by the group's followers revealed that many individuals are using the same username-password combinations for multiple websites. Using the information obtained in a hack of, say, Sony, people gained access to consumers' bank, social networking, PayPal, eBay, Amazon and email accounts. Lives in a stranger's hands, all because someone used the same password for every online account they created.
I say all of that to say: change your passwords. At the end of this post is a link where you can check whether any of your information was compromised, but regardless of whether you were compromised or not, change your passwords. Odds are you haven't changed them in a while, so trust me, it's time. These hackers published the information they obtained, but you can bet there are still people out there who have personal information that they haven't published. Strong passwords use a combination of uppercase and lowercase letters, numbers and special symbols.
Also, if nothing else, these recent escapades have shown us that using the same login information everywhere is dangerous. In these cases, if hackers get one set of information then they suddenly have access to everything. So, while it is less convenient to use different passwords for each account you have, it's worth it to avoid having random people order $700 iPhones in your name from your Amazon account or transfer the money from your bank account to their own. Link: http://gizmodo.com/5815551/find-out-if-your-personal-data-is-part-of-lulzsecs-grand-finale
US Cyber Power in Context
I recommend that anyone interested in cyber read this. The Center for a New American Security released one of the most well written and comprehensive reports on cyber issues that I have ever read. The report contains articles from the top thinkers in the field of cyber-conflict and covers cyberwarfare, governance, international norms, and cybercrime, just to name a few. Rather than try to summarize this 200+ page report, I'll just blog about a few interesting tidbits. Today: US Cyber Power in Context.
An American official once asked a Chinese military leader why his country launched so many cyber attacks and intrusions against U.S. networks. He replied: “Do you know how much we are attacked in cyberspace by the United States every day?”
The top players in cyberspace are Russia, China, the US, Israel, the UK and France (essentially the UN Security Council plus Israel). Unlike kinetic militaries, the playing field in cyber is not so unipolar. Not only is the playing field more level, but each country has different methods for operations in cyberspace. For example, Russian strategy calls for cyber attacks before a kinetic conflict occurs. Prior to a confrontation, Russia will launch a series of attacks to disable communications and critical infrastructure. The purpose is to cut off the other country from the external world. This strategy played out with Georgia in 2008.
China's strategy is similar to Russia's but is more likely to be directed at a major power and also involves a higher level of espionage. Aside from targeting communications and critical infrastructure, it is believed that the Chinese would also target economic targets to further destabilize this major power. In the past, Russian cyberwarfare seems to have come from hacktivists (patriotic hackers not affiliated with the government), while China's hacking tends to originate from the PLA or military universities.
So what does this all mean? Well, although the US invests billions in cybersecurity and ensures that the military is prepared to wage an offensive war, the US is just as vulnerable as, or more so than, any other country. This is because the US is heavily dependent on Information Technology to function as a country. But this is where a strong military comes into play. While the US might be vulnerable in cyberspace, it can always compensate with physical reprisal.
-J.M.
#China#Center for a New American Security#AMERICA’S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE#US cyber power in context#Russia
Is nothing private anymore? From Facebook's facial recognition to Spyware that take pictures of you
From Facebook's facial recognition to a school in Pennsylvania remotely controlling the webcams on school-issued MacBooks, the internet is bordering on some serious privacy issues. If you haven't heard, all Facebook users are automatically "opted in" to the new program that essentially scans all of the pictures you and your friends post and suggests tags for them. Basically, it recognizes your face and says "hey, that's Sam!" This may seem innocuous, but I don't know about you; there are some pictures of me that have been posted on Facebook that are, let's just say, less than flattering. I don't want those tagged and associated with my account. The fact that some "friend" even posted them for all the world to see is mortifying, but at this point it is out of my control. (Here's an article about the Facebook feature if you want to read more. Remember to copy and paste into your browser, don't click! http://www.computerworld.com/s/article/9217447/Facebook_stirs_privacy_ire_with_facial_recognition)
Another interesting development in privacy (or lack thereof) online comes to us from Pennsylvania, where a student has filed a lawsuit against his school for literally using his school-issued MacBook to spy on him. (Article here: http://www.computerworld.com/s/article/9217439/Penn._school_district_hit_with_new_Mac_spying_lawsuit) According to the lawsuit cited by the article, the school took over 8,000 screenshots (pictures of what is on the screen at a given moment) and pictures of the kid and his family without their consent or knowledge. Apparently the kid's younger brother noticed the webcam light go on and off at odd times and told his mom, but they didn't think anything of it, because why would the school do something like that?
Finally, according to reports, a Mac technician installed spyware on computers he was hired to fix and proceeded to use that malware to take pictures of women in "various states of undress". (Article here: http://www.computerworld.com/s/article/9217461/Police_Mac_technician_installed_spyware_to_photograph_women)
Sidenote: I know a lot of you are Apple fan-girls and boys, so please make sure you check your machine for the spyware using the location listed at the end of the article. While these stories focus on spyware on Macs, I'm sure there are plenty of programs that do the same thing on PCs. The key is to be careful. Pay attention to your webcams. Keep them covered or turned off when you aren't using them, and if you notice them turning on and off at odd times (i.e. when you aren't using them), get that computer to a professional (preferably a non-creepy one). People don't really think about their computers literally spying on them through their webcams, but obviously this is happening. Be informed and stay safe!
Know This, Not That 6/6
LulzSec pwns InfraGard: The hacker group that recently attacked Sony Pictures, defaced PBS's website, and has targeted Nintendo now claims to have stolen around 200 usernames and passwords from InfraGard. Not a big deal, unless you consider that all of those usernames and passwords belong to people affiliated with the FBI. The hackers were able to get further into InfraGard's systems because the security experts reused the same passwords across accounts.
Massive Gmail Attack: Google has claimed that attackers in China are once again targeting its Gmail users, which should surprise no one. The attackers spear-phished DOD, State, and DIA employees and sent them to a fake Gmail login page to harvest their credentials.
Read This Now: It's not news, but it's a very good article about attribution, the yet-to-be-released Pentagon cyber strategy paper, and international cyber law.
-J.M.
Cruise Missiles and Hacking
The WSJ reports that the US Department of Defense (DOD) will soon release a formal cyber strategy. The big news is that the DOD will consider major cyber attacks to be acts of war. This major strategy shift is designed to do several things:
Create a legal authority for the US military in cyberspace
Build a realist style alliance against attacks
Create a cyber deterrence capability
The Bush Administration tended to view government involvement in cyberspace conflict as the realm of the DOD, but any semblance of strategy, capability, or involvement was considered secret and not for the public. The idea was that the US government would not talk about cyberwarfare in order to prevent any type of cyber arms race. The problem is that this strategy ultimately failed and consequently left the US government in a weaker position. It failed because most US assets in cyberspace are in fact privately held, US IT infrastructure is more decentralized than other countries' (**cough cough** China), and the economics of cyber attacks favor attackers. This also means that it is technically and legally impossible for the US to flick an Internet Kill Switch, no matter how much some politicians would like one. There is also the major problem of accountability for attacks (attribution), but more on that later.
What's important is that the military will have authority to act against cyber attacks, meaning that if necessary and possible the US will conduct strikes against attacking nodes (or the power supplying them, if they are clustered in one geographic location). The idea behind this is that hackers cannot operate if they have no infrastructure to do so. The major hurdle to this escalation into kinetic force is accountability.
Just because an attack comes from a location, country, or machine doesn't mean the owner is responsible for, or even aware of, an attack coming from his or her systems. I believe that this strategy will reflect something of a last-resort option. If a major attack occurs and the US cannot contain it, the US will request that the attacking systems in foreign countries be turned off. If those countries are unresponsive, the military will have the authority to conduct a limited strike on those systems. There is of course a huge list of legal questions in this strategy (attacking neutral countries or allies, killing civilians, etc.).
While trying to build some semblance of a legal authority, the main purpose of this strategy is to create a stronger deterrent. It is basically to make other nations think twice before conducting or allowing any type of major attack, by threat of physical force. The question then is, will it work? Probably not, but it never hurts to have options.
-J.M.
Don't be Stupid: Mac Malware in the Wild
Throughout the past few weeks a number of things have come to light regarding malware created to exploit Apple products like MacBooks, iPods, iPads, etc. A piece of malware called Mac Defender has been found "in the wild". Essentially, this malicious software masquerades as antivirus software. Here is the link to an article from Computerworld that explains the "scareware" further (copy and paste into your browser): Everything You Need To Know About Mac Scareware. As the article says, these attacks have been prevalent on PCs for years, and the majority of attacks are still against Windows machines, but that doesn't mean Macs are completely safe. Just don't be stupid. If something doesn't look right... it's probably not right.
Malware Explosion? How to Protect Yourself
Over the coming weeks, I will be focusing my blog posts on malware: explaining what it is, why we care, and how you can protect yourself from falling victim to this malicious software. This first post is designed to introduce those of you who aren't familiar with malware to what it is and what it is capable of, and to offer a few suggestions on how you can protect yourself.
As you may have deduced, malware is shorthand for malicious software and includes everything from worms and Trojan horses to keyloggers. It is software that users usually inadvertently install on their machines by clicking on a link that redirects to a malicious site, opening an infected email attachment, or downloading a program that claims to be something else (like fake antivirus software).
As I will discuss in subsequent posts, malware has evolved from just disrupting and altering digital data to causing physical damage, as we saw with Stuxnet. This is not just about your computer anymore. It is so, so, so much more than that.
DDoS (Distributed Denial of Service) attacks can and have brought down major websites, disrupting e-commerce (this is what the group Anonymous used against Amazon and PayPal after the companies cut off WikiLeaks).
A DDoS attack is when a group of "zombie computers", also called a botnet, is used to inundate a website with requests, with the typical intention of knocking the site offline completely for a period. The owners of those zombie computers are usually unaware that their machines are taking part; that is where malware comes in.
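To make the difference between one abusive client and a botnet concrete, here is an added example (not code from this post) that buckets web server access log lines by second and by source IP. The log lines are constructed inside the script using documentation IP ranges and fake timestamps, and the two thresholds are illustrative assumptions, not tuned values. The point it shows: a per-IP limit catches the single noisy client but is blind to sixty zombies each sending two requests, so you also need an aggregate count.

```python
"""Per-second request counting over web server access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: "<ip> - - [<day>/<Mon>/<year>:<hh>:<mm>:<ss> <tz>] ..."
LOG_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]\s]+)")


def build_sample_log():
    """Construct three seconds of traffic: normal, one abusive client, a botnet."""
    lines = []

    def add(ip, second, count):
        for _ in range(count):
            lines.append(
                f'{ip} - - [06/Jun/2011:12:00:{second:02d} +0000] "GET / HTTP/1.1" 200 512'
            )

    add("192.0.2.10", 0, 3)          # second 0: ordinary browsing
    add("192.0.2.11", 0, 2)
    add("203.0.113.9", 1, 20)        # second 1: one client hammering the site
    for i in range(1, 61):           # second 2: 60 "zombies", 2 requests each
        add(f"198.51.100.{i}", 2, 2)
    return lines


def parse_line(line):
    """Return (source_ip, timestamp) from a CLF line; the tz offset is ignored."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")


def detect_floods(lines, per_ip_limit=10, total_limit=50):
    """Flag seconds where one IP, or the aggregate, exceeds a request limit.

    Returns (kind, second, detail) tuples in time order:
      ("single-source", second, ip)       one client over per_ip_limit
      ("distributed", second, n_sources)  aggregate over total_limit with no
                                          single client over per_ip_limit
      ("flood", second, n_sources)        aggregate over the limit and at
                                          least one noisy client as well
    Thresholds are assumptions for the example, not recommended values.
    """
    total = Counter()
    per_ip = defaultdict(Counter)
    for line in lines:
        ip, ts = parse_line(line)
        total[ts] += 1          # timestamps already have one-second granularity
        per_ip[ts][ip] += 1

    alerts = []
    for second in sorted(total):
        noisy = [ip for ip, n in per_ip[second].items() if n > per_ip_limit]
        for ip in noisy:
            alerts.append(("single-source", second, ip))
        if total[second] > total_limit:
            kind = "flood" if noisy else "distributed"
            alerts.append((kind, second, len(per_ip[second])))
    return alerts


if __name__ == "__main__":
    for kind, second, detail in detect_floods(build_sample_log()):
        print(f"{second:%H:%M:%S} {kind}: {detail}")
```

Run stand-alone it prints one single-source alert for second 1 and one distributed alert (60 sources) for second 2. Blocking the noisy IP in the first case is easy; in the second case no single address is worth blocking, which is exactly why a site under DDoS needs help upstream rather than a longer block list.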
The scary thing is that computers can be infected without you knowing, and antivirus software doesn't identify every type of malware. This is not to say that you're just as vulnerable with antivirus software as you are without it.
There is no way to be 100% secure. Personally, as my friends can attest I just assume I have something on my computer and then operate accordingly.
If I haven't scared you enough go watch the video J.M. posted earlier this week where Tom Kellermann discussed the cloud.
Here are a few ways that you can protect yourself:
1. Be aware - Just know that there are people in cyberspace who want to steal your information. I talk to people all the time who ask me, "why would they want to attack me?" The answer is: because they can. If they can steal just 25 cents from your bank account every day, week, or month and add that to the 25 cents they're stealing from the hundreds of other accounts they can access, they can make a lot of money. Operate cautiously in cyberspace.
2. Update your computer software - Most people have their computers (both Apple and Windows machines) set to update automatically as soon as updates become available. On the second Tuesday of each month (Patch Tuesday) Microsoft, and usually Adobe, release patches for vulnerabilities they've found. The majority of computers are infected with malware that exploits a known vulnerability that has already been patched, so just by installing the updates as they come out you are instantly more protected. Patches are released by Adobe, Microsoft, Apple, Google (Chrome), Mozilla (Firefox), etc., so it's important to update all of the software you run.
3. Download, update and run antivirus, anti-malware and anti-spyware software - Avast and Comodo both have good antivirus and anti-malware software, and Spybot Search & Destroy is the best anti-spyware software I've found. Just because it won't protect you 100% doesn't mean you shouldn't have it.
4. Use robust passwords - Two of the most common passwords are "password" and "1234". My younger brother discovered how to hack into the neighbor's internet at age 10 just because the password was abcde12345. A good, strong, secure password is long and uses both capital and lowercase letters, numbers, and special symbols like @ or #. Impersonation on the internet is easy; all someone needs is your login information. Don't make it easy for them.
5. Use different passwords for different accounts - If you use the same password for Facebook as you do for your online banking, once a malicious actor discovers your Facebook password they can access your bank account too.
6. Turn on your firewall - Many of us turn off our firewalls so we can watch videos on YouTube or play FarmVille, but without that firewall you are even more vulnerable to attack. The firewall acts as a barrier between your machine and the chaos of the world wide web.
7. Be careful what you click on - Google searches are quick and easy and typically bring up a ton of results. My mom's Dell was hacked through clicking on links that came up in Google searches. Copy and paste links into your browser, and if you can, make sure the sites you go to have the https prefix. Which brings me to my next one...
8. Make sure the site is https before you give it your personal information - This one should go without saying, but just because a site has the "VeriSign" symbol at the bottom of the screen doesn't mean it's a secure page; it's easy to copy and paste a picture. Make sure the address starts with https:// before you put in your credit card information or tell them your name and address. Sites have been known to imitate known, trusted sites (kind of like those fish that look like rocks until the tinier fish gets close enough to be eaten). Also check that the domain in the address bar is really the one you expect; https only proves the connection is encrypted, not that the site is who you think it is. Just be smart. Not everyone on the internet is nice.
9. Be careful about which email attachments you open - Trojans, among other malware types, have been known to hide in .doc and .pdf email attachments. If you get an email from someone you don't know, don't open any attachments or click on any links in the email. If you get an email from a friend that looks suspicious, contact the friend to see if he/she sent you something and/or do a Google search to see if anyone has reported that type of email as a hoax, spam or con.
10. Just be smart - Being as safe as possible in cyberspace is all about using your common sense. If something looks shady, it probably is. If you get an email that says it's from the government but the reply address is not .gov, it's not real. If you get an email that says it's from your bank but there are numerous spelling errors and it asks you for your personal information, it's not real. Banks especially will never ask you to give them your personal information via email, and if you're unsure you can always go down to your local branch and check.
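Tips 7, 8 and 10 above are exactly the checks a mail filter can make mechanically, so here is an added example (not code from this post) that runs them over a raw email: is the link https, does the link's domain actually belong to the claimed sender, is the real domain merely embedded inside a lookalike host, and does a ".gov" sender route replies somewhere that is not .gov. The sample message is constructed for the example, and the "registrable domain" helper is a deliberate simplification (last two DNS labels) that is fine for .com and .gov but wrong for suffixes like .co.uk; a real filter would use the public suffix list.

```python
"""Heuristic phishing checks on an email's headers and links (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a fake "IRS" refund notice with one phishing link and
# one legitimate-looking link.  Not a real message.
SAMPLE_EMAIL = """From: "IRS Refund Desk" <refunds@irs.gov>
Reply-To: irs.refunds@mail-example.net
Subject: Your tax refund is waiting
Content-Type: text/plain

Dear customer, confirm your details here:
http://irs.gov.secure-login.example.com/refund
Official site: https://www.irs.gov/
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(header_value):
    """Lowercase domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def registrable(host):
    """Crude eTLD+1: the last two labels of a hostname (simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url, sender_domain):
    """Return a list of red flags for one link relative to the sender's domain."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append(f"not https: {url}")
    if sender_domain and registrable(host) != registrable(sender_domain):
        findings.append(f"link host {host} is not under sender domain {sender_domain}")
        # Lookalike: the genuine domain appears as a subdomain of something
        # else, e.g. irs.gov.secure-login.example.com
        if sender_domain in host:
            findings.append(f"lookalike host: {host} embeds {sender_domain}")
    return findings


def check_email(raw_message):
    """Run the header and link checks over a raw RFC 822 message string.

    Only a single-part text body is handled here; a multipart message would
    need msg.walk() over its text parts.
    """
    msg = message_from_string(raw_message)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    findings = []
    if reply_to and registrable(reply_to) != registrable(sender):
        findings.append(f"replies go to {reply_to}, not the sender's domain {sender}")
    if sender.endswith(".gov") and reply_to and not reply_to.endswith(".gov"):
        findings.append("claims to be government but the reply address is not .gov")
    body = msg.get_payload()
    for url in URL_RE.findall(body):
        findings.extend(check_url(url, sender))
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run stand-alone it prints five warnings for the sample: the reply-to mismatch, the non-.gov reply address, the http link, that link's foreign domain, and the lookalike host. The legitimate https://www.irs.gov/ link produces nothing, which is the point of comparing registrable domains rather than just looking for "irs.gov" somewhere in the URL. Note that the From header itself is trivially forged; the checks only compare what the sender claims against where the mail actually leads.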
Please look out for more on malware in the next few weeks.
-Marika
#malware#cyberspace#cyber#DDoS#Tom Kellermann#malicious software#zombie computers#botnet#Patch Tuesday
Follow This Not That 5/17/11
The White House Releases its Cybersecurity Strategy: Only took me two cups of coffee to get through.
India Sets up its Own CYBERCOM: Not too much in the article about India's CYBERCOM, but very good general information on cyber-crime.
Tom Kellermann on cloud computing: He will scare the pants off you.
Sorry for the skimpy post. Very busy trying to remember my Chinese for the HSK.
-J.M.
F***ing Cyberwar, How Do They Work?
In my nerdy excitement to talk about cyber-issues, I completely forgot to actually explain what exactly cyber-warfare Cyber Warfare cyberwarfare is. For that I apologize, but it's really not my fault... honest. The big problem in this field is that there really is no one discrete and simple definition of cyberwar (or even consensus on how to spell it). This problem exists just because the field is so unfounded new and geeky esoteric. So I'll try to define some terms and explain what I'm talking about.
Let’s start with the easy definitions.
Cyberspace: the electronic medium of computer networks, in which online communication takes place.
Cyber-conflict: a fight or struggle that takes place in the medium of cyberspace.
Cyber-espionage: The act of using computer networks to covertly obtain secret information from a country’s computer systems.
Still with me?
The actual definition of cyberwarfare is a bit trickier. Let's start with the granddaddy of America's cyberwar policy, Richard A. Clarke:
“Actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption.”
It's a good explanation, it has the basics, but it lacks clarity between Title 10 and Title 50 (the parts of the U.S. Code governing military operations and intelligence activities, respectively). Essentially, his definition of cyberwarfare makes no distinction between acts during peacetime and acts during wartime. It seems minute, but it is important if you care about international law (i.e. the difference between Article 2(4), Article 39 and Article 51 of the UN Charter) or the power of the Executive Office of the President to use military force without the consent of Congress.
Let’s look at an academic’s definition. Martin Libicki defines cyberwarfare as,
“One state using information to attack another state's information by attacking the other's information system."
Very... uh... academic, but not useful for this forum and the general public. The definition lacks any mention of war actions (kind of important given the name cyberWARfare), and Libicki's definition tends to fold information warfare into cyberwarfare. Personally, I think information warfare can be very similar to but discrete from cyberwarfare.
Jason Healey, can you clarify?
“Cyberwarfare is the extension of warfare in cyberspace.”
I like it! Simple, clear, and easy to understand. War is well established in law. It's not as specific as the previous definitions, but it covers both Clarke's and Libicki's inclusion of nation-states and computer networks, and it specifies war, not just attacks. It treats cyberwarfare as a domain for actions rather than an action in and of itself (like the difference between aerial warfare and dogfighting). Is it a perfect definition? No. But for the average layman it is useful and, for me, it contains the spirit of what cyberwarfare actually is.
To help grasp these definitions, the table below shows how four cyber events (Stuxnet, the Estonian cyberattacks, the Georgian cyberwar, and Operation Buckshot Yankee) would be classified as cyberwarfare by the various definitions.

The South Ossetia War was definitely a cyberwar; the others... it depends on your definition of cyberwarfare. The way I like to look at it is that cyber is another medium for warfare, like aerial, land, or naval warfare. Cyber is a battlespace. Because it is a virtual and man-made construction, it has different rules, limitations, tactics, and strategies.
So why is this important? Because how you define cyberwarfare dictates what laws apply to states; how attacks are conducted; who the targets are; the tactics and strategies; the government's responsibilities; and which agency is responsible for defense, offense, and espionage.
Who are the players? What are the strategies? Stay tuned, there’s more to come.
-J.M.
#Magnets How do they work?#definitions#UN charter#cyberspace#cyberwarfare#cyberconflict#Richard Clarke#Martin Libicki#Jason Healey#Stuxnet#Operation Buckshot Yankee#war#law#information warfare