Thursday, December 22, 2011

China Hackers Hit U.S. Chamber of Commerce

According to this WSJ report, the attacks breached computer systems and stole email. And the story gets better.

"The Chamber continues to see suspicious activity, they say. A thermostat at a town house the Chamber owns on Capitol Hill at one point was communicating with an Internet address in China, they say, and, in March, a printer used by Chamber executives spontaneously started printing pages with Chinese characters."

A thermostat communicating with an IP address in China?! The interconnected, M2M, IoT world--what's not to love?

Thursday, December 15, 2011

Feds Investigate Carrier IQ Phone Tracking

Too little, too late; too reactive. Carrier IQ's problem is likely that they didn't contribute enough to Congress, or spread enough simoleons around K Street.

In the latest CRYPTO-GRAM, Bruce Schneier wonders if Apple's dropping Carrier IQ has more to do with Apple now doing the tracking itself than with Apple trying to do the right thing. We all know they would never do that.

Tuesday, December 13, 2011

IT Governance Discussion Group

Dan Swanson has organized an IT Governance discussion group with numerous senior people on it. It has been operational since November 2006. He's learned a lot and highly recommends it as truly a great learning vehicle. On average, the group has between two and five emails per day, and sometimes more for particularly important issues, but it's always great content. Traffic does vary widely. Participation is always on a best efforts basis, and many people go silent around their quarter ends and year ends, and then pipe back up when an issue is of interest. Email Dan at if you'd like to join.

Monday, December 12, 2011

Dallas convicts no longer shred confidential data

This is a really great one, especially in light of the prevalence of cell phones in prisons, which enables inmates to continue to conduct business while in the hoosegow. What's next? Having them process visa applications?

Wednesday, December 7, 2011

Jim Tiller's latest book, "CISO's Guide to Penetration Testing: A Framework to Plan, Manage, and Maximize Benefits," publishes

Presenting the underlying methodologies and concepts required for successful penetration testing, CISO's Guide to Penetration Testing discusses the process of penetration testing from both consultative and technical perspectives. Jim provides an overview of the common tools and exploits used by attackers along with the rationale for why they are used. He depicts attack scenarios to show the complete cycle of attack from the hacker’s perspective. His methodology provides a comprehensive solution to meeting the objectives of penetration testing. Jim covers the deliverables, including the final report, explaining how to use the information from the text. The book includes a six-panel fold out process map.

Tuesday, December 6, 2011

Symantec November 2011 Intelligence Report

Symantec released another of its threat reports. I have to admit, I really enjoy reading these. They're concise and informative, even if they do occasionally scare the stuffing out of me. Among the findings are the number of daily targeted attacks has increased four-fold compared to January this year; the public sector has been identified as the most frequently targeted industry during 2011, with approximately 20.5 targeted attacks blocked each day; and large enterprises consisting of more than 2,500 employees received the greatest number of attacks.

Friday, December 2, 2011

Symantec's Top Trends in IT Security from 2011 and for 2012

With the end of the year close at hand, Symantec has taken a look back at the top trends in IT security from 2011 that we think will continue throughout 2012. No surprises here. Advanced persistent threats and smart mobile devices top the list.

Shameless plea: I'm still looking for someone to write a book about APTs.

Tuesday, November 29, 2011

Just because you’re paranoid …

Yesterday afternoon I received the strangest call on my cellphone. Aside from the fact that almost no one calls me on the cell, the caller claimed to have found on the campus of a local community college a notebook for a history course. My name and phone number were written inside the notebook, which the caller wanted to return.

Keep in mind that the last history course I took was probably as a college freshman many, many moons ago, and that I’ve never been on that campus much less taken a course there.

So, mindful of scams, social engineering, and other things of that ilk, I was suspicious. How did that person get my name and number? Was the call a probe? When I answered the call, the caller’s number appeared, but not his name. That seemed suspicious, too, although if neither the number nor the name appeared I wouldn’t have answered the call.

Yes, I should probably call back and determine if the call was legitimate or not. Maybe someone wrote my name and number in his notebook, and then lost it, although I can’t imagine who would do that. Am I worrying too much about this?

Monday, November 28, 2011

Ease of theft of IRS refunds has everyone doing it

This is a scary story from the Miami Herald about street criminals joining scammers to steal IRS refunds, as well as identities, with ease. Imagine killing a postman on his rounds to get the master key to condo mailboxes. The arrest and conviction rate is certainly higher for street crimes than for cybercrimes. Evidently the ease of the former makes it attractive nevertheless.

Wednesday, November 23, 2011

From The Moscow Times, Recent trends in legal regulation of information security

The article claims Russia has strict regulations on privacy and security, but acknowledges problems. The problem with news from Russian media is that it's rank with propaganda, most of it not too subtle. The Cold War lives on. Is it heating up?

Wednesday, November 9, 2011

Yawn. European Information Security Agency warns about data-profiling risks to minors

Sure there are risks, and risks can be mitigated. So, why is this news? Where are parents in this? Pull the plug, or accept and attempt to mitigate the risk.

This isn't so different from the rants that surrounded BoA's announcement of monthly fees for debit card use. If someone doesn't want to pay the fee, don't use the card. Use cash, or charge it, or don't buy.

BoA isn't forcing anyone to use the card, and no one is forcing kids to use the Internet, although, unfortunately, many are pushing pretty hard.

Friday, October 28, 2011

The "Be evil" company says U.S. government requests for data rising

I wonder if Google, the "Be evil" company, sees itself as the defender of our privacy? It's okay if they use the data for any nefarious purpose they want, but no way will they let the government. The irony is killing me.

Monday, October 24, 2011

Google Bashing

LA councilman claims Google 'unable to meet' security needs of city email.

So Google--the Teflon-coated company--takes it on the chin again, not that it really matters. Remember the good old days when Microsoft was public enemy #1? Microsoft now seems absolutely altruistic when compared to Google, the "do everything evil we can get away with, then apologize, dissemble, or blame someone else" company.

Wednesday, October 19, 2011

Can Anonymous cripple critical U.S. infrastructure?

A few weeks ago, Anonymous threatened to take Wall St. offline. Supposedly they, or someone, succeeded for a short time. Now, an article in Informationweek raises the question whether the group can take down critical infrastructure. Whether or not they can create a Stuxnet-like attack, most agree, I think, that critical infrastructure is a relatively easy target for a cyber attack. But I recall a conversation several years ago with a notable hacker who, while acknowledging the possibility of a cyber attack, asked, "Why not just plant a bomb?" Good point, especially for a domestic attacker on a domestic target. As we saw from the Stuxnet attack on Iran, they were able to recover from the system attack. I wonder, though, if recovery would have been so quick from a physical attack.

We just happen to have several books dealing with issues of critical infrastructure protection. They are:

Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS

Critical Infrastructure: Understanding Its Component Parts, Vulnerabilities, Operating Risks, and Interdependencies

Risk Assessment for Water Infrastructure Safety and Security

Critical Infrastructure: Homeland Security and Emergency Preparedness, Second Edition

Friday, October 14, 2011

Microsoft says computer viruses are our fault

As reported by CNN, Microsoft’s Security Intelligence Report found that 45% of computer viruses are caused because of a user’s actions, with phishing being the most common attack.

I can't find fault with this assessment. The question is how to increase user awareness to the point that they don't click on suspicious email, no matter how well disguised. We know a lot of these schemes are very cleverly done. Is it even possible to get most of the people to be aware most of the time?

Thursday, October 13, 2011

GAO: Progress Made and Challenges Remaining in Interagency Sharing of Terrorism-Related Information

The GAO may claim it, but I'm still incredulous. To think that the various DHS agencies willingly share everything is a stretch, but that DHS and DOJ share anything defies belief.

Wednesday, October 12, 2011
B.Y.O.T. No, it's not a typo. It's a trend. It stands for Bring Your Own Technology, or we're going to use what we want, and IT needs to support it.

I wish I was as clever as the headline writers for the NY tabloids. They, like great caricaturists, routinely do a great job of finding the subjects' weak points.

Why do I bring this up? I thought the "B.Y.O.T." headline in a recent CIO magazine article was pretty funny, too. This seems to be getting hotter every day, reminiscent of the early days of PCs and departmental computing. I expect that here, too, the voice of the people will be heard.

Tuesday, October 11, 2011

White House “WikiLeaks Order”

As reported by "Wired," the White House has issued an executive order to improve the security of classified networks to prevent further leaks by insiders. Unfortunately, it also establishes committees to study how.

Monday, October 10, 2011

Computer Virus Hits U.S. Drone Fleet

Here's a good one. It seems these systems at one air base are not connected to the Internet. The suspect virus, which is proving hard to eradicate, was introduced by USB drive or something similar. Accident? Sloppiness? Cyberwar?

Friday, October 7, 2011

Cloud Security: Closing the Barn Door after the Horses Have Fled

The GAO says that the Feds haven’t done enough about a cloud strategy, including security. Isn’t it too late to worry about that? Enterprises, government, and even individuals, driven by cost considerations and dubious cost/benefit analyses, continue to flock to the cloud regardless of security concerns.

After all, if it’s an Internet-facing application, does it really matter whose application it is or where the data resides? Enterprises haven’t done a great job of protecting data when it’s stored in-house. How can the cloud be any worse?

As Jim Tiller pointed out, there’s a change coming in information security, from protect and detect to respond. Protect isn’t working too well, and detect is too slow, especially in the face of APTs. Attacks are increasingly more sophisticated, whether from governments or organized crime, and data increasingly less secure, regardless of where it resides. The days of reactive security are nigh.

Monday, October 3, 2011

Sad Day

Gene Schultz has passed away. It seems he died Sunday of a head injury he suffered in a fall at the Minneapolis airport last week.

Monday, September 26, 2011

Informal survey

Which of the following represents a greater threat to your organization?
a. Rootkits
b. Insiders
c. Mobile devices

Friday, September 23, 2011

Dog bites man

Another new survey, another yawn. The latest poll reveals that email is the main source of data leaks in organizations. This is largely due to policy violations. Policies are good, but they don't trump human nature. I suspect even the best awareness training isn't sufficient to slay this beast. One benefit of these surveys is that they get companies in the news.

Wednesday, September 21, 2011

Security Takes a Vacation

Well, I just returned from vacation at a fairly remote part of Cape Cod. So remote, in fact, that Internet access, and frequently cell access, was a faint dream. Still, because I had a compelling urge to check email, especially work-related, I’d head out to one of the distant coffee shops that offered FREE WIFI. I figured it was worth the price of an over-priced, acidic cup of joe to find out what was happening at work, put out any fires that ignited while I was gone, and practice a little CYA, too.

As luck would have it, I couldn’t connect to any of the hotspots; or to be more precise, I connected, but couldn’t get Internet access. Fortunately, or not, there were several unprotected wireless nets around. Because this is a vacation area I made a knowingly false assumption that the local town or Chamber of Commerce provided the access. Thus deluded, I blithely accessed all my email accounts over the Web.

So, what was the risk? Was someone really going to hijack my sessions? Probably low, and probably not. But still, the thought lingered as I guiltily checked mail and did a little surfing. And will I do it again? Probably yes. I’m not sure that the advertised hotspots are any more secure than the unprotected ones the PC discovers; just as I’m not sure that labeling a wireless net as “public” means much. Nothing like living fast and loose, huh?

Monday, September 19, 2011

Another day, another hack

So, another big name site's been hacked, and names and PII allegedly taken. This time it's the Intelligence and National Security Alliance (INSA). This is news, but it's becoming old news.

Wednesday, September 14, 2011

SIEM Is Dead

So, a new survey reveals that 65% of security professionals say SIEM is dead. Evidently, relying on log file analysis isn't sufficient to keep on top of who's doing what. I'm sure it has nothing to do with the time, effort, and cost of setup and management. Still, if anyone's interested in writing a book on SIEM, let me know.

Thursday, September 1, 2011

So, how insightful is this?

CSO magazine has a little piece on a minor hacker who opines that "good liars undermine information security." Okay, so don't liars undermine just about everything?

Wednesday, August 24, 2011

What's newsworthy?

There hasn't been much infosec-related news recently. I don't know if it's been overlooked because of the earthquake and Libya, or that nothing newsworthy has happened. Although given how low the standard of newsworthiness is set, I'm surprised nothing's been reported. Maybe it's just a calm before another storm, or another tempest in a teapot.

Monday, August 22, 2011

Kevin Mitnick on Anonymous and LulzSec, and how he thinks the government overreacted to his exploits

I can't believe it's been seven years since Mitnick took that stage at the 2004 InfoSec World. Nor can I believe that some certification organization boycotted the conference because of it. I recall, probably incorrectly, that he was interviewed by the guy who prosecuted him. Both the interview and Mitnick's stage presence and "tricks" were great. It might have been around the time his book on social engineering was published. Now, he's published his memoirs, although considering how his life and exploits have been documented so far, one wonders if there's anything new to recount. In this interview on Salon, he talks about Anonymous, LulzSec, and other contemporary hacks, and touts his book.

Friday, August 19, 2011

New edition of The Security Risk Assessment Handbook

Doug Landoll just updated The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition. It gives you detailed instruction on how to conduct a risk assessment effectively and efficiently. Supplying wide-ranging coverage that includes security risk analysis, mitigation, and risk assessment reporting, this updated edition provides the tools you need to solicit and review the scope and rigor of risk assessment proposals with competence and confidence.

Thursday, August 18, 2011

... the More Things Stay the Same

Earlier this year I surveyed some authors about what they considered their top 5 information security issues. While there were some surprises, such as supply chains, there was more consensus. Among the top issues are cloud security, malware and advanced persistent threats, smart phones and other mobile devices, social media in the workplace, data loss, and critical infrastructure protection and cyberwarfare. As I said, no surprises.

Lately, though, we’ve been reading and hearing in the consumer press about malware, cyberwarfare, tons of data loss, and security and privacy problems with social media as well as more invasive and insidious tracking. So, there’s increasing awareness of these threats by the general population, or should be, and convergence between what they and people working in information security consider risky. Maybe.

There’s a lot of distance between being aware of something and doing something about it. People are still flocking to smart phones and social networking, sharing far too much data and information, and leaving themselves at risk to threats they really don’t appreciate. Ignorance is bliss until calamity strikes, and it will.

Wednesday, August 17, 2011

Congressional approval rating ties all-time low; Blame for critical infrastructure weaknesses starts with Congress

I'd guess there's no direct link between Congress' record setting approval rating and its failure to act to protect the nation's critical infrastructure. Threats to the nation's critical infrastructure probably don't rank high on many people's list of what's wrong with Congress, if they're even aware of it. I wonder when we'll be hit with a Stuxnet-like attack. You know it's being reverse-engineered now. Should we be worried?

Tuesday, August 16, 2011

Cyberwar? What cyberwar?

The White House recently released its International Strategy for Cyberspace, which addresses actions the US can take in response to cyber threats. The Department of Defense then released a cyber strategy that the Joint Chiefs say doesn't go far enough in outlining an offensive response. Meanwhile, the U.S. Cyber-Security Coordinator, Howard Schmidt, said there is no cyberwar. Jim Tiller has some interesting things to say about this. There seems to be plenty of evidence for cyberwar--Georgia, Stuxnet, reputed Chinese attacks on 72 organizations--if it exists.

Monday, August 15, 2011

China: Agency Reports 500,000 Cyberattacks in 2010

Is this a tit-for-tat? Is China making a clumsy effort to detract from its own actions? Over the past years, I've heard some scary-smart guys talk about which security threats worry them most, and it's always China. Whether it's cyber espionage and warfare or malware burned into firmware, China is always at the top of the list. As long as China remains the low cost provider, the firmware threat will increase. But it is worrisome to think about all the computers, including those in sensitive areas, that have Chinese components always calling home. At least the US government is preventing Chinese companies from buying US high-tech manufacturers and service providers. Eventually, though, the Chinese will spread enough money around Congress to make this happen, too. This makes Russian cybercrime look pretty tame.

Anonymous denies it's behind the 'kill Facebook' campaign, but retaliates against BART

Does it matter that Anonymous didn't hit Facebook? When Bay Area Transit shut off cell phone service to prevent a protest, which Anonymous didn't like, it hacked BART systems and released customer data, more than likely data of some of its supporters. Sounds like asymmetric warfare to me. What does Anonymous care about a little collateral damage? As a commuter rail rider, though, I would not complain if all public transportation systems blocked all cell phone traffic.

Friday, August 12, 2011

South Korean government pushes to phase out online real-name policy

Goodbye Big Brother!? Amazing, isn't it, that a government is backing off on something like this. True, like gun control laws that ensure only criminals have guns, such a policy doesn't prevent any online action that someone really wants to do. And, the information does exist online in other places. Still, just as there's no reason to use SSNs, there's no reason for South Korea to require resident registration codes as part of an online verification process.

Thursday, August 11, 2011

Cyber attacks drive demand for network security staff

Is this just another knee-jerk reaction? It didn't take long for the online schools to jump on it, though. I saw an ad on CNN this morning stating 60,000 new security jobs, and urging people to enroll today to qualify for one of them. This seems like a lot of jobs. If true, the hacker community is doing more to generate new jobs than Congress or US business. It may not make systems any safer, but more people at work is a good thing.

Wednesday, August 10, 2011

When does hacktivism become a criminal activity?

RIM is threatened with being hacked if it helps UK cops stop riots. Credit card companies were hacked for cutting off Wikileaks. When does hacktivism become a criminal activity? It's an interesting situation. Many would argue that Wikileaks engaged in criminal activity by releasing the State Dept documents, and that cyberthugs got payback. It's really not a big step from using social media to organize demonstrations to using it to organize flashmobs for rioting and looting. The role of social media in the Middle East uprisings notwithstanding, does its use to foment crime warrant cooperation between service providers and government? Civil disobedience frequently leads to demonstrations, and demonstrations to riots as the original intent is corrupted by those who see an opportunity for criminal profit.

What's this say about the security of service providers? I don't know why I was surprised that Wikileaks supporters were able to hit MasterCard and Visa. You'd assume their security was good, and obviously the assumption was wrong. Is RIM as vulnerable? It'll be interesting to see if it's hacked regardless of whether or not it cooperates with UK cops. Is there anything it can do to prevent it now that it's been warned?

Jim Tiller suggested that enterprises really can't "protect and detect," but can only "respond." If true, then perhaps hackers don't need to penetrate systems, but just threaten. This opens a new area of threat.

Tuesday, August 9, 2011

North Korean programmers hired in South Korea to write security software

Now this has all the elements of spy fiction, or an urban myth. The article cites lower labor costs for the North Koreans, who, according to the report, travel to South Korea on fake Chinese passports. Of course, the South Koreans know who they're hiring. I couldn't find anything to corroborate this.

Monday, August 8, 2011

TIME Covers the Black Hat Conference

Another sign that security is going mainstream. TIME magazine covered Black Hat. True, Black Hat has much more entertainment value than most infosec conferences, but the fact that it was covered is, I think, significant.

Friday, August 5, 2011

Headline: Dog Bites Man

Are you getting tired of all the reports about threats and intrusions?

InformationWeek – “Banks face ongoing cyber threats”

NetworkWorld – “Advanced persistent threats force IT to rethink security priorities”

This isn’t really news to us. It’s more of the same, and it hasn’t changed much, if anything.

The “Man bites dog” headlines directed at the general public are different.

Calgary Herald –“Oil industry prime target for hackers …”

ABC News – “Nation’s infrastructure still vulnerable to cyber attacks”

When these types of reports make the news, whether it’s names stolen from Sony or an intrusion at RSA, someone with the ability to act may take notice. Still, I suspect that most enterprises still consider information security as insurance; a cost to be minimized. Security training likely isn’t offered through HR along with classes on how to manage conflict or drive safely while on company business.

It’s likely, too, that despite the increased noise directed at non-techies about security-related issues, whether it’s fraud, theft, espionage, terrorism, or warfare, the threats, the risks, and the attacks will continue to increase, and security will remain an afterthought.

Thursday, August 4, 2011

Help Wanted: Hackers in India

The Times of India reported that India is looking to hire ethical hackers in both the public and the private sectors to help protect Websites and data from attack. I wonder what took them so long, or is this a concerted push to beef up its defenses? Can an offensive capability be far behind?

Zero Day: A Novel

Just finished “Zero Day: A Novel,” a tale of a Cyber 9/11 managed by a wealthy Saudi jihadist who’s intent on bringing down the West. Of course, he’s fully Westernized once he leaves the Kingdom.

As in Stephen Coonts’ “Hong Kong” and Winn Schwartau’s “Pearl Harbor Dot Com,” a guy with too much money and too much hate tries to take down the critical infrastructure and bring the world to its knees. This time the bad guy uses the Internet. He recruits an international team of hackers to create rootkits and other components of the payload and to launch its variations from around the world.

Written by Mark Russinovich, with a foreword by Howard Schmidt and blurb from Bill Gates, it’s a pretty good yarn of how such an attack could be successful. Basically, anyone with enough money and determination can make this happen. It doesn’t require a state actor. (If anyone needs a good reason why the Bush tax cuts should expire, it’s this: it’ll keep disgruntled or fanatical rich guys from wreaking havoc on the rest of us by reducing their discretionary income.)

The technical aspects of the plot are intriguing and well done; the rest not so much. It continually amazes me that innocents in books like this are drawn into physical violence and win. Here, the heroes move from the cyber to the physical world. After escaping an assassination attempt in New York, sanctioned by the Saudi jihadist, they fly to Moscow, where they attempt to track down the Russian author of the rootkit. He’s killed by the same Chechnyan killer who tried to nail them in NY, and who kills the hacker just as they arrive, and tries to get them again. They leave him dead outside the hacker’s apartment, along with the latter’s father-in-law for reasons you’ll have to read the book to discover.

After patching a bullet wound, they chase the hacker’s wife to Italy. When she fled, with a bullet wound to her head from the Chechnyan, she took her husband’s hard drive with the source code for the rootkits. The heroes, of course, need the code to stop the planned zero day.

The wife discovers that the Saudi had her husband killed, so borrows a gun and hops a train for Paris looking for serious payback. Hot on her trail, the heroes take a plane. They all meet—good guys and bad guys—at the Saudi’s Paris office where the inevitable draw-down takes place; not, alas, at high noon.

“Zero Day: A Novel” is very enjoyable and scarily plausible. I suspect that’s the point: to increase awareness of the threats and maybe goad people to action. I suspect, too, that it’s preaching to the choir.

Wednesday, August 3, 2011

Advanced Persistent Threats: Made in China

RSA released a report on advanced persistent threats. Basically, we're all screwed. This coincides with a story today about Operation Shady RAT, the infiltration of the networks of 72 organizations going back several years. The attacks are attributed to a state actor, China. China seems to be behind all espionage and cyberwarfare attacks, not to mention threats hidden in firmware and other components. I wonder why they're not blamed for financial hacks, too, but that seems to be Russians and Eastern Europeans.