Wednesday, August 24, 2011

What's newsworthy?

There hasn't been much infosec-related news recently. I don't know if it's been overlooked because of the earthquake and Libya, or whether nothing newsworthy has happened. Although given how low the standard of newsworthiness is set, I'm surprised nothing's been reported. Maybe it's just the calm before another storm, or another tempest in a teapot.

Monday, August 22, 2011

Kevin Mitnick on Anonymous and LulzSec, and how he thinks the government overreacted to his exploits

I can't believe it's been seven years since Mitnick took the stage at InfoSec World 2004. Nor can I believe that some certification organization boycotted the conference because of it. I recall, probably incorrectly, that he was interviewed by the guy who prosecuted him. Both the interview and Mitnick's stage presence and "tricks" were great. It might have been around the time his book on social engineering was published. Now he's published his memoirs, although considering how thoroughly his life and exploits have been documented so far, one wonders if there's anything new to recount. In this interview on Salon, he talks about Anonymous, LulzSec, and other contemporary hacks, and touts his book.

Friday, August 19, 2011

New edition of The Security Risk Assessment Handbook

Doug Landoll just updated The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition. It gives you detailed instruction on how to conduct a risk assessment effectively and efficiently. Supplying wide-ranging coverage that includes security risk analysis, mitigation, and risk assessment reporting, this updated edition provides the tools you need to solicit and review the scope and rigor of risk assessment proposals with competence and confidence.

Thursday, August 18, 2011

... the More Things Stay the Same

Earlier this year I surveyed some authors about what they considered their top 5 information security issues. While there were some surprises, such as supply chains, there was mostly consensus. Among the top issues are cloud security, malware and advanced persistent threats, smart phones and other mobile devices, social media in the workplace, data loss, and critical infrastructure protection and cyberwarfare. As I said, no surprises.

Lately, though, we’ve been reading and hearing in the consumer press about malware, cyberwarfare, tons of data loss, and security and privacy problems with social media as well as more invasive and insidious tracking. So, there’s increasing awareness of these threats by the general population, or should be, and convergence between what they and people working in information security consider risky. Maybe.

There’s a lot of distance between being aware of something and doing something about it. People are still flocking to smart phones and social networking, sharing far too much data and information, and leaving themselves at risk from threats they really don’t appreciate. Ignorance is bliss until calamity strikes, and it will.

Wednesday, August 17, 2011

Congressional approval rating ties all-time low; Blame for critical infrastructure weaknesses starts with Congress

I'd guess there's no direct link between Congress' record-setting approval rating and its failure to act to protect the nation's critical infrastructure. Threats to the nation's critical infrastructure probably don't rank high on many people's list of what's wrong with Congress, if they're even aware of them. I wonder when we'll be hit with a Stuxnet-like attack. You know it's being reverse-engineered now. Should we be worried?

Tuesday, August 16, 2011

Cyberwar? What cyberwar?

The White House recently released its International Strategy for Cyberspace, which addresses actions the US can take in response to cyber threats. The Department of Defense then released a cyber strategy that the Joint Chiefs say doesn't go far enough in outlining an offensive response. Meanwhile, the U.S. Cyber-Security Coordinator, Howard Schmidt, said there is no cyberwar. Jim Tiller has some interesting things to say about this. There seems to be plenty of evidence for cyberwar--Georgia, Stuxnet, reputed Chinese attacks on 72 organizations--if it exists.

Monday, August 15, 2011

China: Agency Reports 500,000 Cyberattacks in 2010

Is this a tit-for-tat? Is China making a clumsy effort to distract from its own actions? Over the past years, I've heard some scary-smart guys talk about which security threats worry them most, and it's always China. Whether it's cyber espionage and warfare or malware burned into firmware, China is always at the top of the list. As long as China remains the low-cost provider, the firmware threat will increase. But it is worrisome to think about all the computers, including those in sensitive areas, that have Chinese components always calling home. At least the US government is preventing Chinese companies from buying US high-tech manufacturers and service providers. Eventually, though, the Chinese will spread enough money around Congress to make this happen, too. This makes Russian cybercrime look pretty tame.

Anonymous denies it's behind the 'kill Facebook' campaign, but retaliates against BART

Does it matter that Anonymous didn't hit Facebook? When Bay Area Rapid Transit shut off cell phone service to prevent a protest, which Anonymous didn't like, it hacked BART systems and released customer data, more than likely data of some of its own supporters. Sounds like asymmetric warfare to me. What does Anonymous care about a little collateral damage? As a commuter rail rider, though, I would not complain if all public transportation systems blocked all cell phone traffic.

Friday, August 12, 2011

South Korean government pushes to phase out online real-name policy

Goodbye, Big Brother!? Amazing, isn't it, that a government is backing off on something like this. True, like gun control laws that ensure only criminals have guns, such a policy doesn't prevent any online action that someone really wants to take. And the information does exist online in other places. Still, just as there's no reason to use SSNs, there's no reason for South Korea to require resident registration codes as part of an online verification process.

Thursday, August 11, 2011

Cyber attacks drive demand for network security staff

Is this just another knee-jerk reaction? It didn't take long for the online schools to jump on it, though. I saw an ad on CNN this morning citing 60,000 new security jobs and urging people to enroll today to qualify for one of them. This seems like a lot of jobs. If true, the hacker community is doing more to generate new jobs than Congress or US business. It may not make systems any safer, but more people at work is a good thing.

Wednesday, August 10, 2011

When does hacktivism become a criminal activity?

RIM is threatened with being hacked if it helps UK cops stop riots. Credit card companies were hacked for cutting off WikiLeaks. When does hacktivism become a criminal activity? It's an interesting situation. Many would argue that WikiLeaks engaged in criminal activity by releasing the State Dept documents, and that cyberthugs got payback. It's really not a big step from using social media to organize demonstrations to using it to organize flash mobs for rioting and looting. The role of social media in the Middle East uprisings notwithstanding, does its use to foment crime warrant cooperation between service providers and government? Civil disobedience frequently leads to demonstrations, and demonstrations to riots, as the original intent is corrupted by those who see an opportunity for criminal profit.

What does this say about the security of service providers? I don't know why I was surprised that WikiLeaks supporters were able to hit MasterCard and Visa. You'd assume their security was good, and obviously the assumption was wrong. Is RIM as vulnerable? It'll be interesting to see if it's hacked regardless of whether or not it cooperates with UK cops. Is there anything it can do to prevent it now that it's been warned?

Jim Tiller suggested that enterprises really can't "protect and detect," but can only "respond." If true, then perhaps hackers don't need to penetrate systems, but just threaten. This opens a new area of threat.

Tuesday, August 9, 2011

North Korean programmers hired in South Korea to write security software

Now this has all the elements of spy fiction, or an urban myth. The article cites lower labor costs for the North Koreans, who, according to the report, travel to South Korea on fake Chinese passports. Of course, the South Koreans know who they're hiring. I couldn't find anything to corroborate this.

Monday, August 8, 2011

TIME Covers the Black Hat Conference

Another sign that security is going mainstream: TIME magazine covered Black Hat. True, Black Hat has much more entertainment value than most infosec conferences, but the fact that it was covered is, I think, significant.

Friday, August 5, 2011

Headline: Dog Bites Man

Are you getting tired of all the reports about threats and intrusions?

InformationWeek – “Banks face ongoing cyber threats”

NetworkWorld – “Advanced persistent threats force IT to rethink security priorities”

This isn’t really news to us. It’s more of the same, and it hasn’t changed much, if at all.

The “Man bites dog” headlines directed at the general public are different.

Calgary Herald –“Oil industry prime target for hackers …”

ABC News – “Nation’s infrastructure still vulnerable to cyber attacks”

When these types of reports make the news, whether it’s names stolen from Sony or an intrusion at RSA, someone with the ability to act may take notice. Still, I suspect that most enterprises still consider information security as insurance: a cost to be minimized. Security training likely isn’t offered through HR along with classes on how to manage conflict or drive safely while on company business.

It’s likely, too, that despite the increased noise directed at non-techies about security-related issues, whether it’s fraud, theft, espionage, terrorism, or warfare, the threats, the risks, and the attacks will continue to increase, and security will remain an afterthought.

Thursday, August 4, 2011

Help Wanted: Hackers in India

The Times of India reported that India is looking to hire ethical hackers in both the public and the private sectors to help protect Websites and data from attack. I wonder what took them so long, or whether this is a concerted push to beef up its defenses? Can an offensive capability be far behind?

Zero Day: A Novel

Just finished “Zero Day: A Novel,” a tale of a Cyber 9/11 managed by a wealthy Saudi jihadist who’s intent on bringing down the West. Of course, he’s fully Westernized once he leaves the Kingdom.

As in Stephen Coonts’s “Hong Kong” and Winn Schwartau’s “Pearl Harbor Dot Com,” a guy with too much money and too much hate tries to take down the critical infrastructure and bring the world to its knees. This time the bad guy uses the Internet. He recruits an international team of hackers to create rootkits and other components of the payload and to launch its variations from around the world.

Written by Mark Russinovich, with a foreword by Howard Schmidt and a blurb from Bill Gates, it’s a pretty good yarn of how such an attack could be successful. Basically, anyone with enough money and determination can make this happen. It doesn’t require a state actor. (If anyone needs a good reason why the Bush tax cuts should expire, it’s this: it’ll keep disgruntled or fanatical rich guys from wreaking havoc on the rest of us by reducing their discretionary income.)

The technical aspects of the plot are intriguing and well done; the rest not so much. It continually amazes me that innocents in books like this are drawn into physical violence and win. Here, the heroes move from the cyber to the physical world. After escaping an assassination attempt in New York, sanctioned by the Saudi jihadist, they fly to Moscow, where they attempt to track down the Russian author of the rootkit. He’s killed by the same Chechen killer who tried to nail them in NY, who kills the hacker just as they arrive and tries to get them again. They leave him dead outside the hacker’s apartment, along with the latter’s father-in-law, for reasons you’ll have to read the book to discover.

After patching a bullet wound, they chase the hacker’s wife to Italy. When she fled, with a bullet wound to her head from the Chechen, she took her husband’s hard drive with the source code for the rootkits. The heroes, of course, need the code to stop the planned zero day.

The wife discovers that the Saudi had her husband killed, so she borrows a gun and hops a train for Paris looking for serious payback. Hot on her trail, the heroes take a plane. They all meet, good guys and bad guys, at the Saudi’s Paris office, where the inevitable showdown takes place; not, alas, at high noon.

“Zero Day: A Novel” is very enjoyable and scarily plausible. I suspect that’s the point: to increase awareness of the threats and maybe goad people to action. I suspect, too, that it’s preaching to the choir.

Wednesday, August 3, 2011

Advanced Persistent Threats: Made in China

RSA released a report on advanced persistent threats. Basically, we're all screwed. This coincides with a story today about Operation Shady RAT, the infiltration of the networks of 72 organizations going back several years. The attacks are attributed to a state actor, China. China seems to be behind all espionage and cyberwarfare attacks, not to mention threats hidden in firmware and other components. I wonder why they're not blamed for financial hacks, too, but those seem to be the work of Russians and Eastern Europeans.