Sunday, May 31, 2009
The speech highlighted a 60-day study conducted at his direction, designed to take a look at how vulnerable we are to cyber attacks that could drastically change the whole way we exist.
Is this a far cry from reality? Perhaps not; if you can take command and control of the computer that controls something we use, you can do pretty much anything you want with it. This might be anything from a banking system to the system that controls an electrical grid or a sophisticated weapon. If you really think about, computers control just about everything nowadays.
As I was considering this, it reminded me that there are already millions of computers where some hacker has gained command and control of and formed into a botnet (essentially a supercomputer). All it took to do this was a little social engineering to trick someone into downloading some malicious code on a machine. While some of us might write this off as stupid people doing stupid things, people have even been tricked into doing this at government agencies and Fortune 500 companies. Trust me, not all the people who fall for some of this stuff are stupid. Social engineering is known to cause people to do things they normally would not!
While it takes a little technical sophistication to write malicious code, a person doesn't necessarily have to be a technical whiz to get their hands on it. They can buy it right on the Internet, complete with a do-it-yourself (DIY) kit to execute their intended misdeed. While most of the "misdeeds" seen in the wild have a financial intent, the intent is dictated by the person committing the act. In other words, the intent might be different depending on the person who is executing the deed.
Also mentioned, both in the report and in the speech, was cyber-warfare. For years now, the Chinese have been accused of hacking into government systems, although they always deny it. Also mentioned was an actual use of cyber warfare, or the Russian attack on Georgia that happened in the not very distant past.
Please note that botnets, which I mentioned above, were used to cripple the Georgian infrastructure. The zombie computers used in these botnets didn't come out of Russia, either. Some of them were traced right back to this country. In the current environment, you don't need to be in a physical location to take command and control; it might happen from anywhere.
The report also mentions attacking electrical grids and that the CIA has intelligence that this has already occurred in other countries. Just last month, the Wall Street Journal issued an article stating that Russian and Chinese hackers had mapped the U.S. power grid and left behind software that in theory could be used to attack our electrical grid. The article quoted unnamed officials from within the government. This set off a flurry of articles and in the end, most of the experts concluded that the threat, although real, wasn’t as bad as it was hyped up to be. Nonetheless, hacking certain utilities, such as electricity, water, and sewage could cause a lot of serious problems and there is evidence it has been accomplished in other countries.
While cyber warfare is an ominous subject, the report points out that we have already seen some pretty major events when financial systems were successfully attacked. Examples given were the TJX data breach (45 million payment cards compromised) and the more recent WorldPay payment card breach where a 30 minute exploit netted nine million dollars. This highly coordinated scheme took place all over the United States, Montreal, Moscow, and Hong Kong in a very short time-frame.
There is tangible evidence that so much personal and financial information has been stolen that the laws of supply and demand are driving prices down. Interestingly enough, a lot of this information is traded right over the Internet in anonymous forums using hard to trace forms of payment.
Two recent reports point to this. Symantec released a pretty interesting report on the underground economy and shortly afterwards, Verizon issued another report on the state of personal and financial information being stolen. The Verizon report, pointed out that the 285 million "known" records stolen in 2008 amounted to more than what was recorded in the previous three years. The Symantec report, which breaks down the going prices for information noted that the practice of spoofing (impersonating) financial institutions to steal information grew from 10 percent in 2007 to 29 percent in 2008. The Symantec report stated that 90 percent of the attacks being launched via botnets were designed to steal information and that the number of infected computers had grown 31 percent in 2008 over 2007, also.
Also cited in the report and in the speech was an estimated $1 trillion dollar loss per year in intellectual property. In recent years, the FBI has been busy catching numerous people stealing technology secrets and exporting them out of the country. This brings up another variable in the problem or if a person is given access to a system it is relatively easy to compromise it.
Recently, it was even disclosed that computers in Congress were hacked. It appears that even government intellectual property is being targeted.
When it comes to intellectual property theft, often we do not know what the motive is. Again, the intent is largely dictated by the end user. If you wanted to see a real world example, you might take a look at software piracy. The Business Software Alliance puts worldwide losses at over $50 billion, yearly. If you were to look at counterfeiting in general – which can involve the theft of intellectual property – the International Anticounterfeiting Coalition estimates the losses at $200 to $250 billion just in the U.S., every year.
The report, which is posted on WhiteHouse.gov, also addresses the growing problem of privacy in the digital world. Personal and financial information is worth a lot of money to businesses and criminals alike. Unfortunately, because of this, a lot of people are leery of putting in controls that might make it harder to profit from information. Because of this, a lot of people’s personal and financial information has gone missing.
The American Library Association, the Cato Institute, the Center for Democracy and Technology, Carnegie Mellon University, Consumer Action, the Center on National Security Studies, Cornell University, the Electronic Frontier Foundation, the Electronic Privacy Information Center, George Washington University, Harvard University, Indiana University, Johns Hopkins University, OMB Watch, Ohio State University, the National Security Archive, the University of California-San Diego and the American Civil Liberties Union were all consulted in the initial 60-day report.
While the report isn't clear on how privacy will be dealt with, it nonetheless is calling out that a problem exists. The problem is too much information being stored in too many not very well secured places.
For a real example here, one could refer to the DATALOSSdb Open Security Foundation, which tries to document all the known data breaches. The problem is getting worse all the time, and although some might argue that greater transparency is the reason for this, there are probably many more unknown data breaches that occur out there. After all, it’s unlikely that the hackers or other criminals stealing the information are going to come right out and tell us where they are getting it from. From a business perspective, it isn’t in their best interests.
The real casualties in this part of it are the individual victims, who suffer a lot when their information is used after it stolen. With the sheer amount of victims out there, some could argue we are facing an identity crisis.
To add to the problem, technology is now also being used to produce high-quality counterfeit documents and financial instruments in places, such as garages. This makes the information being stolen all the more dangerous, or easy to abuse.
Another thing the report addresses is the need for education and that laws need to catch up to the technology we are using. An interesting section at the end of the report highlights the history of modern communication technology. There is little doubt that as technology grows at a rapid pace; it is hard for the legal community to keep up with it.
In the end, in my humble opinion, the study is the first step in a positive direction. We have already seen too many examples of the abuse of technology, which has a lot of potential for good, too! The problem is how to deal with those who abuse it. The good news is that a large part of solution can be achieved by using a little more common sense and the clean slate approach (mentioned in the report) will go a long way towards making this a viable effort. In the end, a responsible balance is the key, and this is what it seems the report seems to be calling for.
Saturday, May 30, 2009
Most Americans embrace the philosophy of helping others in their time of need. In every disaster -- whether it is in this country or anywhere in the world -- Americans are there to help those who need a helping hand. Unfortunately, there are those who take advantage of this, which has led to an ever-growing problem with charity fraud.
One of the more popular charity causes is to support the public service organizations, which are on the front lines of protecting the rest of us. Sadly enough, charity fraudsters are impersonating organizations that raise money to support fire fighters, policemen, and members of the armed forces.
Often, the line between an outright scam and the deceptive marketing of charitable causes is a little blurry. There are a lot of services-for-profit that market charitable causes for a cut of the proceeds. Unfortunately, some of them get too greedy when taking their cut.
To combat this growing problem, the Federal Trade Commission, along with dozens of state law enforcement officials, announced Operation False Charity on May 20th. Operation False Charity is a crackdown on fraudulent telemarketers, who claim to be gathering money on behalf of police, firefighters and veteran’s charities.
In keeping with the FTC tradition of educating the public, they are also releasing a lot of educational materials about charity fraud. They even provide a lot of these materials in Spanish.
Warning signs of scams, and what you should do about them:
• High pressure pitches. Reject them: It’s okay to hang up.
• A “thank you” for a pledge you don't remember making. Be skeptical. Scam artists will lie to get your money.
• Requests for cash. Avoid giving cash donations.
• Charities that offer to send a courier or overnight delivery service to collect your money.
• Charities that guarantee sweepstakes winnings in exchange for a contribution.
• Charities that spring up overnight, especially those that involve current events like natural disasters, or those that claim to be for police officers, veterans, or firefighters. They probably don't have the infrastructure to get your donations to the affected area or people.
To assist the public in learning how to avoid being taken when giving money to a charitable cause, the FTC has a lot of tips to identify a potential scam. Here again, these tips are provided in Spanish, too.
Individuals are not the only ones targeted by charity fraudsters. Frequently businesses are targeted, also. One way businesses are targeted is by being solicited to buy advertising in publications that look like they're sponsored by nonprofit groups. Just because the publication may use words like "firefighter," "police," or "veteran" doesn't necessarily mean they are affiliated with these groups. The prudent thing is to check out any unknown charity with a site like NASCO (National Association of State Charity Officials), which provides resources to identify legitimate charities throughout the country.
The results are starting to come in from the efforts put forth in Operation False Charity. On Friday, Jerry Brown, the California AG, announced they have filed eight law suits on 53 people, 17 telemarketers, and 12 charities accused of squandering millions of dollars of charity money intended to support policemen, fire fighters, and veterans. According to the announcement, the so-called agencies involved had bloated overheads and even purchased a 30-foot sail boat with the money they collected.
Thus far, 76 law enforcement actions against 32 fundraising companies, 22 non-profits or purported non-profits on whose behalf funds were solicited, and 31 individuals throughout the United States have been initiated as a result of Operation False Charity. Also included in this total are two FTC actions against alleged fake non-profits and the telemarketers making the calls.
If you want to learn more about how to make your donations count, you can visit the special site the FTC has put up on this subject. Furthermore if you spot what you suspect is charity fraud, contact your State Attorney General or local consumer protection agency.
You also may file a complaint with the Federal Trade Commission by visiting the page on their site, or calling toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261.
Wednesday, May 20, 2009
Yesterday, government officials were briefed about the compromise, which was originally discovered in April. The hard drive held a terabyte of computer data that could contain millions of individual records. A terabyte of data would be enough to fill millions of books, according to this article published by the AP.
The media is reporting that the personal information of one of Al Gore's three daughters was one of the millions of records gone missing – although it is not clear which daughter's information was compromised. Given the amount of information stolen, it's likely a lot of other notable as well as ordinary people have been compromised, too. According to articles I read, authorities are still trying to figure out exactly what was on the hard drive.
The drive was lost sometime between March 2008 and April 2009 from the National Archives and Administrations in College Park, MD, which is a Washington suburb near the University of Maryland.
The drive was left out, unsecured, in a room that is frequently left unlocked for ventilation. According to an unidentified source, a researcher who was converting the information to a digital records system left the hard drive on a shelf for an unknown period of time. When the researcher tried to resume work on the project, it was discovered to be missing.
According to Rep. Edolphus Towns, Democrat-N.Y., chairman of the House Oversight and Government Reform Committee, they are seeking more information on the breach, and the FBI is investigating.
The FBI will have a lot of suspects in this case. One hundred badge holders had access to the area. Additionally,the point of compromise is an area where workers, interns and even visitors pass on their way to the restroom.
This information would normally be stored in a secure area. Thus far, officials are quick to point out that it is unknown whether the hard drive was stolen or accidentally lost, and if any sensitive security information was lost.
At this time, either it isn't clear, or no one is saying, whether or not the data was encrypted. Encrypting data is considered a "safe and sane" security practice when dealing with data in transit and has become a legal requirement in many situations.
The House Oversight and Government Reform Committee have pointed to a problem with government agencies being compromised in the past. In a report released in 2006, the Committee came to the conclusion that the problem with agencies being compromised was government-wide. Other findings in the report include: agencies do not always know what was lost, physical security of data is essential and contractors are responsible for many of the breaches.
The report covers from 2003 to 2006 and, in light of this latest occurrence, it appears the problem still exists.
More recently, President Obama has pointed to another problem which does have national security implications and which involves protecting cyberspace from the threats that exist today. Thus far, a study has been conducted, and is being reviewed. Stories in the media have pointed to a concern with cyber warfare and with hackers from foreign countries (notably China and Russia), who have been suspected of targeting government systems.
If you are interested in learning more about Chinese hackers, there is a well written blog on the subject titled "The Dark Visitor (Information on Chinese Hacking". Another non-government source which covers data breaches in general is the Open Security Foundation.
While the implications of this latest issue have yet to be determined, it is not good news from the standpoint of how easily the information was compromised. Of course, this is merely one incident, and if you follow the news, we get bad news about data compromises all the time.
Update 5/20/09: It has now been confirmed that the missing hard drive had no encryption and a $50,000 reward is being offered for information leading to it's recovery. Source: CNet.
Sunday, May 17, 2009
For the past couple of weeks, the ongoing attack on FaceBook has figured prominently in the media. The attack isn't much different than some of the other ones we've seen in recent years – which are to take over a user account – and then use it to trick people into falling for a scam. In this instance, a phishy link is being used to direct the effort.
The intended victim receives a communication from someone they know (who has already been compromised), which directs them to a page that appears to be a FaceBook login. They are then prompted to put in their user name and password. If they do, their information is stolen and will be used to trick even more people into doing the same thing.
Stealing stolen user accounts on eBay has been a problem for years. On eBay, it is a means of using an established seller's credentials to trick people into thinking they are dealing with a "trusted seller." The only difference here is that instead of selling bogus or non-existent merchandise, the intent on FaceBook is probably to trick people into giving up personal or financial information.
This information can then be used to commit financial crimes, using the victim’s identity.
I found some information about the FaceBook attack on Symantec's Security Response blog. Thus far, according to the research conducted on this at their lab, no computers have been infected.
According to Marian Meritt at Symantec, the danger of giving up your FaceBook credentials might go beyond having your account compromised. She believes the hackers behind this are looking to compromise other accounts, where you might use the same credentials. I read some other articles on this and thus far this seems to be the consensus of why the attack is occurring, but no one seems to know for sure.
Whether this is the intent, or not – the advice given in the post is something that should be considered when dealing with the multiple accounts a lot of us have.
First and foremost, you should pay attention to the address in the bar at the top of your page. If it is not exactly the address of the legitimate site, you are probably being tricked into thinking that it is. For instance, www.faceboot.com is not www.facebook.com. Even better, if you spot a suspicious link, hover your mouse on it (without clicking on it) and the actual address will appear at the bottom left-hand of the page. Entering the legitimate address in your address bar is always smarter than clicking on a link, too.
Of course, it's also wise to check out the address at the top of the page after arriving at your destination, also. You should also stop and think when something pops up instructing you to enter your user and password information.
Also recommended is to use complex and unique passwords for each of your accounts, maintain an up-to-date browser and operating system and use updated security software from a reliable vendor.
When purchasing security software, ensure you are not buying counterfeit software or being tricked into purchasing scareware. Scareware is bogus security software that normally prompts a user to run a scan of their system, which reflects all kinds of bad things going on. The problem is that the problems normally do not really exist and the protection they are selling doesn't really protect you, either.
So far as buying counterfeit software, it normally doesn't protect you very well and it might even have some malicious code built right into the program.
While the FaceBook attack is the flavor of the week, it’s not the only social networking site that has been targeted in the recent past. Twitter and MySpace have been the targets of recent attacks, too. SC Magazine did a recent article where a security researcher from Websense was quoted as saying they have detected more than 200,000 sites impersonating the above mentioned social networking sites.
Going beyond social networking sites, financial, auction, e-commerce are frequently attacked, too. The common denominator is sites where criminals can harvest information and turn it into money. Please note that people interested in doing a little bit of due diligence on you personally might see what you are putting up on these sites. I’ve recently seen this presented as a “best practice” when doing background checks on people.
The key is to adopt the known best practices if you enjoy using these sites. Another wise thing to do is to be extremely thoughtful about what information you post on them and how it might be used against you.
Anything you post on these sites can and will be used against you if the wrong person gets their hands on it. In the end, being mindful of the information you are posting on a social networking site is probably the best defense you have. After all, you never know who is looking at it!
Friday, May 15, 2009
Craigslist has given in to the immense media attention regarding its "erotic services" ads and announced they are shutting the section down. In its place they are now adding an "adult" section, which appears to hawk the same type of personal adult services.
A lot of this occurred after it was discovered that a killer used Craigslist to stalk his victims, who were offering adult services. Since then the nasty subject of teenage prostitution on Craigslist has been covered in the mainstream press and the site has been referred to as an "online bordello."
Craigslist announced the change on their blog and made some points in their defense. At the same time, they announced they will be charging for the ads in the new section and the proceeds will go to charity. All of the new ads will be reviewed by Craigslist employees before they are posted.
The post refers to statistics that the chances of a predator abusing their forum are less likely than a predator using print ads to commit a foul deed. Also pointed out was that Craigslist has safety features built into the site that most "classified advertising" venues don't have. These include blocking, screening, telephone verification, and a community flagging system. The company also claims they cooperate (at a high level) with law enforcement and that predators can be tracked electronically back to the computer they are using. Last but not least, they point to safety tips prominently posted on all forums. These safety tips run the gamut of illegal schemes commonly found on the Internet.
Investigations are normally confidential matters, but if someone was tracking a sexual predator some of these forums could provide real-time investigative capabilities to resolve the case. They could literally track everything to a particular location given the right circumstances and cooperation by the forum and the ISP. Quite often, the frustrations voiced by those tasked with investigating internet crime are that the site and or the ISP do not cooperate as much as they should. If these sites aren't going away, then maybe the solution is to make is easier to tag the offenders?
Craigslist claims they do cooperate with investigative inquiries, but thus far no one is publishing any of these stories. It does state that law enforcement personnel provided feedback on how to design their new "adult section." Again, I'm not sure, but I imagine they couldn't claim this unless there was some truth to it; there is probably an army of lawyers monitoring this situation.
I doubt a flurry of media attention directed at Craiglist is going to solve the "people abuse" problem caused by anonymous venues. The problem will merely move from one anonymous venue to another one. The key will be the ability of the people doing the abuse to remain anonymous, or at least think they are. When sites and ISPs cooperate, it really isn't hard to track a lot of these individuals.
Since none of these sites are going away anytime soon, perhaps the best solution is to make it easier for the authorities to obtain cooperation from them when abuse is suspected or occurred, which is exactly what Craigslist is claiming to do. But Craigslist is hardly the only place where people are victimized by those with sinister intent on the Internet or via advertising in the print media. We need to begin to take a realistic look at the entire issue.