BCA

Business Counsel Associates

Cyber Espionage: Prevention Takes Many Forms

April 07, 2010 By: azjogger Category: Operations, Technology

By John Riley

Access to the Internet is easier than ever. It provides an unending fountain of information on entertainment, credit and financial services, sports, politics, and countless other subjects. However, there is a downside: many Internet users are careless about protecting their assets and identities, both in operating their websites/blogs and in surfing the net. As a result, hackers find a fertile landscape where they can ply their trade, often with stunning success. Neither businesses, governments nor individuals are immune. While many businesses and the government have sophisticated layers of security in place to protect their systems, individuals must rely on commercial services. Here is what some of those experts suggest for individuals and families to better secure their systems:

Password security (Information Technology Consultants Update, Oct 9, 2009)

If there is any indication, whether on your website/blog or while surfing the Internet, that your password has been compromised, change that password immediately and investigate all your other passwords. Too often, a person will wait a day or two before taking action, and by then it may be too late to prevent an economic loss.

Stop re-using your password for multiple websites. If a hacker figures out your password, he will be able to access your bank information, private e-mail or other accounts.

Vary your mix of letters, numbers and symbols and use at least 8 characters for your password. You can also mix capital letters with lower-case letters.

Avoid using passwords that are personal, such as birthdays, wedding dates, addresses or children’s names. If you write down your passwords, keep the papers in a secure location.

Computer security (OnGuardOnline.gov, 2010)

Hackers will try to find home computers that are not well protected by security software and install ‘malware’. Or they might send you an e-mail with attachments that will install malware when you open them. Once the bad software is installed, the affected computer becomes part of a botnet and anonymously sends out thousands of spam e-mails. Millions of homes are part of botnets and most families are unaware of it. That is why it is important to keep operating systems and Web browsers up to date at all times.

Phishing is the biggest source of personal information loss. Never reply to a phone call or e-mail requesting personal or financial information; most reputable organizations do not use those means to obtain such information. Know who you are dealing with. Check out unknown callers by using Google Search, especially if they represent a ‘company’. If they claim to represent a company, call the company and check. If you cannot verify them, be very cautious.

Use security software that updates automatically. Be sure you have anti-virus, anti-spyware and a firewall at a minimum. And back up your important files regularly, e.g. daily or weekly.

Wireless security (OnGuardOnline.gov, 2010)

Convenience and mobility are driving more computer users to utilize wireless connections to the Internet without realizing the risk. A hacker with a wireless-ready computer can take over a user’s network, and if the hacker commits a crime or sends spam, the incident can be traced back to the user’s account, creating problems for the user. OnGuard Online suggests the following steps to protect yourself:

1) Encrypt or scramble communications over the network. Buy a wireless router that has encryption features.

2) Use anti-virus and anti-spyware software with a firewall.

3) Turn off wireless router identifier broadcasting, which sends out signals to any device in the area announcing the router’s presence.

4) Routers usually have an identifier and a pre-set password for administration. Turn off the identifier and change the default password.

5) Turn off your wireless network when you aren’t using it.

6) Don’t assume public ‘hot spots’ are secure.

When you have been attacked, report it immediately

Hacking or Computer Virus: Send a report to the FBI at www.ic3.gov. Be sure to include the information in the header of the hacker’s e-mail (the sender’s Internet Service Provider) and the routing information, along with any other information you have. Without that information, the FBI has nothing to work with.

Internet Fraud: Any fraud attempt involving shopping online or an Internet auction should be reported to the Federal Trade Commission at ftc.gov.

Deceptive Spam: Send the e-mail header and routing information to spam@uce.gov.

Phishing e-mail: The Anti-Phishing Working Group is a consortium of Internet Service Providers (ISPs), security vendors, financial institutions and law enforcement agencies that relies on user reports to fight phishing. Send your report to reportphishing@antiphishing.org.

Identity Theft: Send your report to the Federal Trade Commission at ftc.gov. Go to ftc.gov/idtheft for information on how to minimize the risk of identity theft.
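Both the hacking and the deceptive-spam reports above ask for the e-mail header and routing information. The following is an added example (not from the original article) that pulls the routing chain out of a raw message so it can be attached to such a report; the message itself is constructed for illustration and uses documentation-only addresses.

```python
import email
from email import policy
import re

# Constructed sample message (not a real e-mail). Mail servers prepend a
# Received: line at every hop, so the top line is the newest hop and the
# bottom line is the one closest to the sender.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
    by inbox.example.com with ESMTP id ABC123
    for <victim@example.com>; Mon, 05 Apr 2010 09:15:02 -0700
Received: from relay.example.org (relay.example.org [198.51.100.5])
    by mx.example.net with ESMTP id DEF456;
    Mon, 05 Apr 2010 09:14:55 -0700
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.example.org with SMTP id GHI789;
    Mon, 05 Apr 2010 09:14:40 -0700
From: "Account Services" <alerts@bank.example>
To: victim@example.com
Subject: Verify your account
Message-ID: <constructed-id@example>

Please confirm your password at the link below.
"""

# "from <host> (<helo/reverse-dns [ip]>) by <host>" is the common shape.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def routing_chain(raw):
    """Return the Received hops oldest-first as dicts with from/by/ip."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())  # collapse header folding
        m = RECEIVED_RE.search(text)
        if not m:
            continue  # keep going; unparseable hops are skipped, not fatal
        ip_m = IP_RE.search(m.group("helo") or "") or IP_RE.search(m.group("from"))
        hops.append({"from": m.group("from"), "by": m.group("by"),
                     "ip": ip_m.group(1) if ip_m else None})
    hops.reverse()  # oldest hop first, i.e. the sender's side
    return hops


def originating_ip(raw):
    """IP of the first hop: the detail an ISP or the FBI can act on."""
    chain = routing_chain(raw)
    return chain[0]["ip"] if chain else None
```

Received lines added before the message reached your own provider can be forged by the sender, so the hop recorded by your provider's server is the one to trust most; include the whole chain in the report and let the recipient judge.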

Most hackers succeed not so much because of their prowess and analytical skills, but because so many people fail to realize or accept the threat to their security. It can be a costly mistake.

The final article, Cyber Espionage (5 of 5): Preparing for the Future, will appear April 11.


Cyber Espionage: The Threats are Many and Varied

April 03, 2010 By: azjogger Category: Management, Operations, Technology

By John Riley

“People should be aware that an extraordinary treasure chest of information has been stolen. And the same people doing the military espionage are engaged in economic espionage using the same or very similar techniques to steal information from organizations that are working on business ventures in the attackers’ country,” says Alan Paller, director of research for the SANS Institute, a computer security company, in a PC World article, March 8.

In a Wired Magazine article, February 3, Kevin Mandia, CEO of Mandiant, a computer forensic security firm, revealed: “The attack that hit Google is identical to publicly undisclosed attacks that have quietly plagued thousands of other U.S. companies and government agencies since 2002 and are rapidly growing. The scope of this is much larger than anybody has conveyed. There are thousands of companies compromised. Actively, right now. And they represent a sea of change from the attacks that have commonly hit networks.”

Mandia points to an incident last year: “a spear-phishing campaign (waves of targeted e-mail attacks) that targeted an unnamed, high ranking counterterrorism official, and two coordinators of local, state and federal intelligence. The report doesn’t indicate how successful the attacks were other than to say the intruders stole e-mail and information that helped them map networks and locate valuable data.”

Attacks are rarely detected by antivirus or intrusion programs

“Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. The non-APT hackers target only financial data or sensitive customer data for identity theft, while the APT attackers never target such data. Instead, their focus is espionage. They attempt to take every Microsoft Word, PowerPoint, and Adobe PDF document from every machine they compromise, as well as all e-mail,” says Mandia.

A SANS Institute study, September 2009, shows 60% of total attack attempts are against web applications. Unrelenting e-mail attacks have penetrated Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office and have been the major source of infection of client-side computers. Users are fooled by expecting trusted sites to be safe when, in fact, downloaded documents or music may carry malware. In some cases, there is no need to open a document to become infected; visiting the infected site is all that is necessary. What few people realize is that these user applications can also be attacked remotely.

Hackers are making an enormous effort to infect trusted web sites so they become malicious websites distributing infected content. Confronted with unending and escalating attacks, organizations have difficulty knowing which threats pose the greatest risk and what resources should be allocated.

Mobile devices are the new target

Now, mobile devices are emerging as the new frontier of cyber espionage as they come under attack from malware, reports BitDefender, a software security firm. According to Bogdan Dumitru, Chief Technology Officer, “there are numerous, documented cases recently of targeted malware attacks against business, usually employing infected MSOffice files.” Thus far, infection has not spread beyond the targeted accounts, suggesting the malware used was written for specific companies. However, all of the security concerns of the Internet are now present in the mobile world, where the integration of mobile devices with web browsers enables access to the always-on Internet.

Hackers have a variety of reasons for doing what they do, but none are more important than stealing data or installing a back door through which they can return later. For that reason, major organizations will patch their operating system weaknesses first and then patch client-side application problems, which usually take twice as long.

Over the years, defenders who have learned attacker techniques have become the people most effective in combating them. As a White House spokesperson recently commented, “offense must inform defense”; in other words, those with experience countering attackers need to help train those who have spent all their time defending against them.

U.S. is the primary cyber espionage target

The SANS Institute concludes the United States has presented a greater value proposition for attackers than other countries, reaching nearly 35 million server-side HTTP attacks by destination over a recent six-month period. All other countries, including China and the Russian Federation, have received less than 5 million attacks. There is little doubt the U.S. has become the world’s cyber battleground.

Cyber Espionage (4 of 5): Prevention Takes Many Forms will appear April 7.

Cyber Espionage: The Vulnerabilities are Many

March 30, 2010 By: azjogger Category: Management, Operations, Technology

By John Riley

When President Obama appointed the Commission on Cyber Security to advise him on the subject, its report contained an ominous challenge: America’s failure to protect cyberspace is one of the most urgent security problems facing the administration. This was no doubt influenced by the testimony of Dennis Blair, Director of National Intelligence, on March 10, 2010, who said the intelligence community’s assessment is that a number of nations already have the capability to conduct crippling attacks against the United States.

In a recent Harvard Law School paper, “Cyberlaw: Difficult Issues, Winter 2010”, the scope of the problem was discussed. Its conclusion was that cyber security is perceived as an almost insurmountable problem. The group’s approach was to look at the vulnerable points in cyberspace by focusing on the most likely points of attack. They concluded the Internet is vulnerable to attack at several different key points, each with a different result and security concern:

Assessing the Internet’s vulnerability

The Internet is a large decentralized network, which complicates its defense. “A clever hacker could shut down the Internet itself in an extreme case, or more conservatively can re-route the Internet to prevent users from getting where they need to go,” concluded the paper.

When a message is sent through the Internet, there are many different paths it can take. The path it takes is not necessarily the shortest path to its destination; usually the path is determined by which avenue has the least traffic (resistance). To disconnect or disrupt traffic, hackers can reconfigure the message address.

Remedies are being explored. If network providers can be notified automatically when the virtual location of an Internet address changes, action can be taken to control the situation. A second approach is to treat broadcast address changes as potential threats until they can be evaluated, which usually takes 24 hours; after that they can be accepted as legitimate.

Assessing network endpoint vulnerability

SCADA Systems

Every computer connected to the Internet is an endpoint, which makes it vulnerable to attack. Computer systems that oversee industrial computer systems are known as supervisory control and data acquisition (SCADA) systems. These are the computer systems that control the power grids and traffic lights, regulate dams, and run other components of civilian infrastructure. According to John Avlon, Right Side News, November 13, 2009, several al-Qaida computers seized in Pakistan show details of the SCADA systems in America. Authorities also found one al-Qaida safe house that was devoted to the operational study of Internet attacks.

Servers

It is not necessary for an attacker to target individual computers. By singling out servers and providers, a terrorist can infect and compromise all computers connected to those servers. That includes internal computers and sensitive servers usually assumed to be shielded from unauthorized penetration by hackers. However, when infection occurs, regulators can step in and shut down the systems to prevent further distribution.

The most common approaches used by hackers are brute-force password guessing attacks and web application attacks. If a valid username/password pair can be identified, it enables the attacker to penetrate Microsoft SQL, FTP, and SSH servers. Microsoft applications have been a major hacker target in recent years.

Computers

One of the most attractive qualities of a computer is its ability to create things. However, it is also the computer’s greatest vulnerability. As the paper frames it, the issue becomes, “how do you preserve the generativity, while addressing the growing vulnerabilities that are innate to it?” It is not clear if there is an answer to the question.

Government Computers

In 2009, three incidents occurred that were quietly investigated: data about the Presidential helicopter appeared on Iranian laptops, the federal government’s job listing was taken, and a 19-year-old hacker breached Air Force, Navy, Department of Defense, NASA and MIT systems. This came after the Pentagon had spent $100 million to protect its systems. As mentioned in the previous article, the problem was highlighted again earlier this year when it was revealed hackers broke into the Pentagon’s $300 million state-of-the-art Joint Strike Fighter program, which raised significant military concerns.

The policy vulnerability

The National Security Cyberspace Institute reported on March 5, 2010, that a study by the National Research Council, “Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities”, revealed the U.S. has no formal policy for dealing with foreign government-led threats against U.S. interests in cyberspace. It cites three key points:

1) The U.S. policy and legal framework for the United States’ use of cyber attacks is “ill-formed, undeveloped, and highly uncertain”.

2) “the decision-making apparatus for cyber attack and the oversight mechanisms for that apparatus are inadequate”, and

3) “secrecy has prevented us from being able to effectively share information and debate about the nature and implications of cyber attacks.”

Cyber Espionage (3 of 5): The Threats are Many and Varied will appear April 3.