The cyber arena is filled with the effluvia of vendor-driven agendas and political wrangling for budgetary dollars. As a topic, cyber security is especially vulnerable because its waning leadership and expertise are concentrated in so few individuals that consensus can literally be driven by people sitting in one room. Consider the recent testimony by Dr. Eugene Spafford to the Senate Commerce Committee on how few doctoral students graduate from the academic setting. The cyber security arena may be the one last place where a person with relatively little academic training can be a substantive contributor. That model, though, has not served us well: after more than 40 years of computing, little has moved us forward toward a secure environment.
I am here before the subcommittee today to provide testimony on 21st Century security threats. I hope this testimony is of value despite its brevity. My analytical method is to provide frameworks for decision makers to help them make sense of rapidly changing environments. These frameworks are intended to provoke high quality thinking — agreement or disagreement with their specifics works equally well to achieve this.
Researchers in Toronto have released a document that describes what may be the first real evidence of a government-operated cyber-espionage network in action. In a ten-month investigation, the team documented the operation of what they dubbed GhostNet, and its various worldwide infections.
Canadian researchers have uncovered a vast electronic spying operation that infiltrated computers and stole documents from government and private offices around the world, including those of the Dalai Lama, The New York Times reported on Saturday.
For the security-conscious, the idea that malware, viruses, and Trojans could be lurking around every digital corner is frightening enough. Now, a duo of Argentinian researchers has demonstrated how code can be embedded and flashed into a system’s BIOS. We’ve been down this road before, but it’s definitely much harder to detect and root out such attacks.
DroneBL, a distributed DNS blacklist service, says in a recent blog post that a botnet named Psybot gained control of approximately one hundred thousand routers, and that DroneBL itself became the victim of a distributed denial-of-service (DDoS) attack carried out by this botnet.
A botnet consisting primarily of routers is actually rather unusual. Usually Windows PCs are enslaved to act like zombies in a botnet. Psybot seems to have specialised in attacking small home network routers that run an embedded Linux for MIPS CPUs.
There’s lots of innovation going on in security - we’re inundated with a steady stream of new stuff and it all sounds like it works just great. Every couple of months I’m invited to a new computer security conference, or I’m asked to write a foreword for a new computer security book. And, thanks to the fact that it’s a topic of public concern and a “safe issue” for politicians, we can expect a flood of computer security-related legislation from lawmakers. So: computer security is definitely still a “hot topic.” But why are we spending all this time and money and still having problems? Let me introduce you to the six dumbest ideas in computer security. What are they? They’re the anti-good ideas. They’re the brain damage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible - which is another way of saying “trying to ignore reality.” Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don’t fully understand the situation, but other times it’s just a bunch of savvy entrepreneurs with a well-marketed piece of junk they’re selling to make a fast buck. In either case, these dumb ideas are the fundamental reason(s) why all that money you spend on information security is going to be wasted, unless you somehow manage to avoid them. For your convenience, I’ve listed the dumb ideas in descending order from the most-frequently-seen. If you can avoid falling into the trap of the first three, you’re among the few true computer security elite.
Potential cyber attacks against federal and private-sector networks loom larger every day and while the Department of Homeland Security (DHS) has made some important efforts, it has yet to fulfill many of the myriad responsibilities placed on it by the national cybersecurity plan. Those were the main conclusions of a Government Accountability Office report out today on the status of US national cybersecurity efforts. The GAO report included input from a panel of cybersecurity experts including representatives from the Internet Corporation for Assigned Names and Numbers, Juniper, Verizon, the US Department of Justice and the Electronic Frontier Foundation.
Less than a year after leaving Silicon Valley for the Beltway, tech entrepreneur Rod Beckstrom has resigned his post as the head of the National Cyber Security Center at the Department of Homeland Security. In a sharply worded letter to DHS Secretary Janet Napolitano, Beckstrom complains of inadequate funding and cites efforts by the National Security Agency to “subjugate” the NCSC to its control.
I have been reading extensively about whether cyber warfare exists, whether it is a defensive-only engagement, and if it does exist, whether it actually involves combat. These questions are born upon the back of a military establishment well entrenched in the ideas of high intensity conflict. I, on the other hand, see much of cyber warfare not through the goggles of an army armor officer, but the mud-spattered boots of counter insurgency. What has happened is that the discussion is based on various military documents, created in an echo chamber and supported by the choir, leading to the question of whether cyber is simply a defensive stance that all militaries should take.
The changes Microsoft has made to Windows 7’s UAC render it little more than a pesky annoyance. If this is the path the company wishes to go down, it should stop doing things by halves and kill it off altogether.
As his administration continues to work on a stimulus plan that can save America’s economy, Obama’s latest course of action will see millions of dollars allocated to heighten cyber security. The move will assist government officials in preventing future attacks on the United States.
First, let me explain what I mean by “tiered password scheme”. Many perfectly smart people I know have one strong password they use for one or two online banking type sites. They’ll then have a “medium security” password they use on sites that are kind of important to them (maybe those sites have their credit card info stored), but not critical to day to day stuff. Then they’ll have one or two passwords they use on all the other sites like Twitter, Yahoo!, Facebook, GMail, etc. Obviously they’re being relatively careful about the important stuff and that’s good, but the flaw in this system is in the perception of pain. People think “wow, it would massively suck if my bank account password got out, but it’s not such a big deal if my Twitter password gets compromised. I can always make another Twitter account.” Or, they’ll say “Why would anyone care about hacking my account? There’s nothing special about it.” And while there’s nothing inaccurate about those thoughts, they’re also totally missing the point.
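The flaw in the tiered scheme is easier to see when the reuse is made explicit. The following is an added illustration, not code from the original post: it takes a constructed set of accounts laid out exactly as the post describes (one strong banking password, one “medium” password, one low-tier password shared across everything else; all site names and passwords are made-up sample data) and computes how many other accounts fall when a single site’s password database leaks.

```python
"""Blast radius of password reuse under a tiered password scheme.

Added illustration (not the original post's code). ACCOUNTS is constructed
sample data with fictional site names and fictional passwords.
"""
from collections import defaultdict

# Constructed example of the tiered scheme: strong tier, medium tier, low tier.
ACCOUNTS = {
    "bank.example":     "S7rong!Bank#Pass",   # strong tier
    "broker.example":   "S7rong!Bank#Pass",
    "shop.example":     "medium-pass-2009",   # medium tier (card on file)
    "airline.example":  "medium-pass-2009",
    "twitter.example":  "lowtier1",           # low tier: "not a big deal"
    "facebook.example": "lowtier1",
    "mail.example":     "lowtier1",
    "forum.example":    "lowtier1",
}


def group_by_password(accounts):
    """Map each distinct password to the set of sites that share it (one tier)."""
    tiers = defaultdict(set)
    for site, password in accounts.items():
        tiers[password].add(site)
    return dict(tiers)


def blast_radius(accounts, breached_site):
    """Return the other sites exposed if `breached_site` leaks its password.

    The attacker learns the password used at the breached site; every other
    site that reuses it is opened with no further work.
    """
    password = accounts[breached_site]
    shared = group_by_password(accounts)[password]
    return sorted(shared - {breached_site})


def widest_tier(accounts):
    """Return (size, sites) for the most widely reused password.

    Under the tiered scheme this is always the low tier, so the cheapest
    breach to suffer is also the one with the widest reach.
    """
    tiers = group_by_password(accounts)
    sites = max(tiers.values(), key=len)
    return len(sites), sorted(sites)


if __name__ == "__main__":
    for site in ACCOUNTS:
        print(f"{site:18} leaks -> also exposes {blast_radius(ACCOUNTS, site)}")
    print("widest tier:", widest_tier(ACCOUNTS))
```

Running it shows the asymmetry the post is pointing at: a breach of the bank exposes one other account, while a breach of the “throwaway” Twitter account exposes three, including the mail account, because the low-tier password is the one spread across the most sites.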
It’s not always about money; sometimes hackers just hate you. Malware authors and hackers have to eat like the rest of us, but security data from 2008 suggests many engage in their illegal activities for other reasons besides a desire to get money. Twenty-four percent of all the attacks the Web Hacking Incidents Database logged for 2008 were related to website defacement.
Federal agencies, including the U.S. Federal Trade Commission and the U.S. Securities and Exchange Commission, have begun investigating Heartland Payment Systems following a massive data breach at the payment processing company.