Friday, November 16, 2012

Blog Entry #20: 2013 Predictions




            The last article for this blog project is a fitting one, as it takes a look at the cyber threat predictions made by Georgia Tech for the coming year.  Topping the Georgia Tech Information Security Center's and the Georgia Tech Research Institute's Georgia Tech Emerging Cyber Threats Report for 2013 is cloud computing.  The panel that compiled the list of predictions feels cloud computing will be abused for malicious purposes, namely creating networks of "zombie machines" to do their bidding.  The panel also voiced concern that cyber criminals might "[use] cloud computing resources to create clusters of temporary virtual attack systems."  2013 might also see problems with globalized supply chains.  Here is a list of some of the other issues deemed serious by the panel:


Globalized Supply Chains - There is a very real risk that products manufactured in other countries could have security flaws that allow for cyber espionage and even cyber attack.


Search History Poisoning - Manipulating search engine algorithms and controlling what information is seen by an internet user can be a powerful tool for someone who wants control over what people see.


Mobile Threats including Browser and Wallet Vulnerabilities - This threat is not as severe as previously thought thanks to the app store model.  However, the growth in popularity of mobile devices, combined with the high use of the mobile web and mobile wallet, makes mobile devices a tempting target for cyber criminals.


Malware Counteroffensive - Malware authors will make every effort to make their malicious code more robust.  They might incorporate techniques similar to DRM and find new ways to make their malware less detectable.

Clearly education is the key to protecting the public.  With the push toward cloud computing and mobile devices, businesses and consumers will need to be more vigilant in the protection of their data.

Blog Entry #19: Congress Inaction

 
            The Senate again held a vote on, and failed to approve, legislation which would provide comprehensive cyber security regulatory reform.  The bill in question is the Cyber Security Act of 2012.  In recent months, security professionals and national security officials have urged Congress to act, but Republicans and the U.S. Chamber of Commerce seem to feel the bill is inadequate and will cost too much to implement.  In light of the lack of action by Congress over the past few months, President Obama has "signed the classified Presidential Policy Directive 20, which sets new cyber defense standards for government agencies, including standards for defensive measures that might require agencies to reach outside their own networks."  The official White House stance is that if Congress is not willing to act, they will.  It is unclear how much of this is political posturing, even after the election, but what is clear is the need for cyber security improvements for the government and private sector.  The White House has also prepared a draft executive order concerning cyber security.  This order would "direct the NIST to set cyber security standards for eighteen critical infrastructure industries. The Department of Homeland Security would encourage adoption of these standards, and agencies responsible for regulating critical infrastructure industries would be responsible for proposing potentially mandatory cyber security regulations for those industries."
            This executive order might be a bandage for the time being, but it is not comprehensive and will not offer good long term protection where it is needed most.  As Harry Reid points out, there is no liability protection for companies should they be hit by a cyber attack.  After reading about the U.S.-China Economic and Security Review Commission report, it is clear now more than ever that this country is at risk of being hurt by a cyber attack.  The report called China "the most threatening actor in cyberspace."  Hopefully, this will not be another case of reactive government.  They need to take a proactive approach in order to prevent what some would call a cyber Pearl Harbor.

Thursday, November 8, 2012

Blog Entry #18: Homeland Security




            More and more articles have been showing up lately concerning the cyber threat facing the United States.  Several key government officials have given talks concerning the topic, including Leon Panetta and most recently Janet Napolitano.  Her concern as Homeland Security Secretary is well warranted.  According to Tony Romm, Napolitano's talk was one of many lately to stress the importance of shoring up the nation's cyber defenses and infrastructure.  She referenced the damage done by Hurricane Sandy and compared it to an attack that could just as easily wreak havoc on our utilities.  As of today, there are still people without power, and there are still fuel shortages.  A group that had even moderate resources might be able to inflict far worse damage in the US.

            Romm notes that legislation is on tap to make cyber security reforms, but he also says "stakeholders are less than optimistic the chamber will pass a bill."  Hopefully now that Obama has been elected he will be more likely to enact an executive order that will provide better security for our major infrastructure.  Even if some in the government are not happy with Obama's progress, Napolitano feels the Obama administration is committed to creating a more secure environment and is even "putting money into cybersecurity."  Let's hope this is true.  After all, we are completely dependent on electricity and gasoline.  If a larger area were without power and fuel for weeks, it could be a horrible situation.

Tuesday, November 6, 2012

Blog Entry #17: ANONYMOUS

Link: http://www.theregister.co.uk/2012/11/05/anon_nov5_protests/

            Anonymous was back in the news on the 5th. They have reportedly attacked PayPal, ImageShack, and Symantec. The attack was part of a global day of protest, paying tribute to Guy Fawkes Night. John Leyden reveals that Anonymous has boasted it leaked 28,000 passwords, emails, and names of customers from PayPal. The operation was named #OpNov5 on their Twitter feed, and the AnonymousPress Twitter feed tweeted out the details of various attacks that took place and some that were allegedly planned by various factions of the hacktivist group. Symantec may have had "email addresses and other personal data from hundreds of security researchers" leaked. A couple of the big attacks today were carried out by exploiting zero-day bugs.
            In addition to the data theft attacks, "several NBC websites were defaced with the message 'Remember, remember the fifth of November' (extracts from a nursery rhyme about Guy Fawkes and the Gunpowder plot to blow up the UK Parliament in 1605)." These less political attacks seem to be deepening the rift between various groups within Anonymous. Personally, they don't seem to serve any purpose outside of showing that the sites can be hacked.

Monday, October 29, 2012

Blog Entry #16: The Payback


            The article, “Data breach victims could get damages from careless firms,” relates strongly to my previous post about what is going on in South Carolina.  Until recently, victims who had their private information stolen from a company or government agency had limited options with the legal system and often saw small restitution amounts.  With the changing digital landscape though, judges have begun to realize that there is real immediate, and future, harm when one's personal information gets into the wrong hands.  Data theft victims now have the ability to file class action lawsuits, “[making] companies liable for steps taken to prevent financial harm, such as insurance to cover the costs associated with identity theft.”  According to article author Antone Gonsalves, the average settlement per plaintiff in a data breach class action suit is $2500.  Add to that an average of $1.2 million in lawyers' fees and these lawsuits can get expensive for companies.
            This can mean only good things for consumers.  The high cost of lawsuits might act as a catalyst, getting IT departments to beef up security and implement more than adequate best practices.  Companies will realize that if they do all they can to secure sensitive information, the amount of liability they are responsible for might be far less.  A bill pending in Congress might also help along the process of securing private information.  The bill would “set a national standard for data breach notification, replacing the variety of state laws that exist today. Introduced in June, the Data Security and Breach Notification Act would also set maximum damages and define what is considered a breach.”  The most important thing for all companies and agencies to realize is the fact that it is only a matter of 'when' an attack will occur.  As long as a company hosts sensitive data, there will be someone who wants access to it.

Blog Entry #15: South Carolina's Unsecured Systems


            South Carolina was the latest victim of data theft by a hacker. According to a report released by Reuters, “As many as 3.6 million Social Security numbers and 387,000 credit and debit card numbers used by state taxpayers” could have been stolen.  This theft has put the residents of South Carolina at risk of being victims of identity theft.  The investigation into the cause of the breach is in its early stages and so far investigators know that the hacker operated from a foreign IP address.  Understandably Governor Nikki Haley is quite upset about the breach, and for good reason. 
            According to the article, not all of the data kept by the state’s Department of Revenue was encrypted.  None of the Social Security numbers kept by the government agency were encrypted, and about 16,000 of the credit card numbers were also unencrypted. This fact points to a lapse in maintaining best practices for securing sensitive information.  On the plus side, no public funds were stolen by the hacker, and the vulnerability that led to the breach was found and closed up.  There is no telling what the stolen data may be worth, but if even a small amount of personal data is used for fraud, the cost to the citizens of the state will be huge.
            It seems that there were multiple warning signs that South Carolina had security issues with their systems.  According to a state official, two attempts were made to “probe” the South Carolina Department of Revenue’s network in September and one attempt was made in August.  Also in September, two intrusions occurred in which the hacker was able to steal data for the first time.  What’s more troubling is the fact that attacks against South Carolina’s government systems are not isolated to these instances at the Department of Revenue.  Early in 2012 police arrested a South Carolina state health agency employee who stole the information of 230,000 Medicaid recipients.  Additionally, a hacker was able to access the personal information of 34,000 students and faculty from the University of South Carolina.  It would seem that whoever is in charge of maintaining the systems used by the government in South Carolina should assess and restructure the security practices of the state.

Blog Entry #14: Attacks on the Banks



            Again the focus of international cyber criminals has turned to Western banking institutions.  Over the last few weeks numerous banks have been hit by the Izz ad-Din al-Qassam Cyber Fighters.  A story was reported in the news back in September that this attack would occur.  HSBC was the latest bank to experience an attack.  As in the attacks on other banks, HSBC servers were attacked, causing websites to be inaccessible to customers for a short time.  The attack occurred on Thursday the 18th and was under control by early Friday London time.  The group has vowed that the attacks will continue "until the anti-Islamic ‘Innocence of Muslims’ film trailer is removed from the Internet."
            What makes this attack unique is that a group claiming to have ties to Anonymous has also claimed they had a hand in the attack.  According to a source in the article though, “the technique and systems used against HSBC were the same as the other banks.”  Of course this does not mean that some other group did not help out the Islamic Cyber terrorists.  Some in the US government believe that Iran is behind the attacks but researchers think otherwise.  What is agreed upon is the fact that this attack is fairly sophisticated.

During the last two weeks, the following banks have been attacked:
Bank of America
Capital One
SunTrust
Regions Financial
BB&T
HSBC
Wells Fargo