No National ‘Stand Your Cyberground’ Law Please

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Attacks,News,Thoughts | Thursday 10 May 2012 11:06 am

Patrick Lin, who is Assistant Professor and Director of the Ethics and Emerging Sciences Group at California Polytechnic State University, penned a thought-provoking piece titled ‘Stand Your Cyberground’ Law: A Novel Proposal for Digital Security in The Atlantic magazine, in which he offers up a proposal allowing private industry to conduct cyber retaliation against foreign attackers. He rightly points out that a majority of cyber attacks against the United States or its interests are against private companies. It was reported just this week that the Department of Homeland Security has sent out several alerts warning of a “gas pipeline sector cyber intrusion campaign” against multiple companies, which began earlier this year and is still under way. The fact that companies are expected to fend for themselves is a huge vulnerability in our national cyber defense. The Department of Defense protects military networks. The Department of Homeland Security defends other federal government networks. And everyone else is basically left to stand or fall on its own. It is the case that there has been increased collaboration between the public and private sectors in recent years, and policy makers are looking at additional means for increased information sharing and collaboration. The proposed Cyber Intelligence Sharing and Protection Act (CISPA) is one such effort. But if a private company is under attack, there is no cavalry coming. Couple this with the fact that approximately 85% of the US critical infrastructure is owned and operated by private industry. It would take more than information sharing to adequately implement an effective national cyber defense. Our current cyber defense is mostly dependent on private for-profit companies making business decisions about how much to spend on their overhead. That is certainly a recipe for disaster. It is imperative that government, business and academia join forces and develop better options for addressing this issue.

In the article, Lin writes, “we may not be ready yet for the government to lead cyberdefense against foreign adversaries. To do so would trigger serious and unresolved [International humanitarian law] issues, including Geneva and Hague Conventions [which] requires that we take care in distinguishing combatants from noncombatants.”

I would first draw a distinction between passive defense (i.e. blocking attacker access, removing a vulnerability being exploited, etc.) and active defense (i.e. launching a counter attack to disable the attacker’s capabilities).

All entities, government and private sector, are engaged in the former. Some more successfully than others. Some with greater effort than others. There are no legal or ethical questions there, except in a much broader sense: if gas pipelines are considered critical national infrastructure and these pipelines are owned and operated by private companies, should/can the government do more to defend them from attack? More than information sharing and increased collaboration, that is.

As to active defense, I have heard of and seen proposals or discussions in security circles of the government launching counter cyber attacks against foreign adversaries on behalf of private companies. Lin’s proposal would create a legal framework that would allow the companies themselves to retaliate. He seems to find inspiration in the much talked about “stand your ground” laws, such as the one in Florida that came to national attention as it is reportedly being invoked in the defense of the fatal shooting of an unarmed teenager by an armed neighborhood watch volunteer.

Notwithstanding his references to armed citizens taming the wild, wild west, I find this proposal problematic on three fronts: from a purely cyber security perspective, from a business perspective, and as a matter of national security policy. I’ll reiterate, in fairness, that Lin is not necessarily endorsing this as a solution, but contributing to a much needed discussion on national cyber defense policy.

  • Security: In most cases, it is difficult to nearly impossible to ascertain the real identity of the attacker. Attackers use other compromised systems (victims) to launch attacks. Lin makes the point that “There is a reasonable argument in claiming that a is not fully innocent and therefore not immune to harm. Most, if not all, botnets are made possible by negligence in applying security patches to software, installing anti-malware, and using legally purchased and not pirated, vulnerable copies of software”. In other words, you allowed your systems to be hacked, so you deserve it if caught in a counter attack. I certainly agree that most reported successful attacks or breaches are a result of some degree of negligence. Most security professionals would agree that no system is immune to attack. We are trained to practice due diligence in making reasonable attempts to identify vulnerabilities and mitigate them. You can never eliminate all risks all the time, nor can you afford to mitigate all identified ones.
  • Business: Typical business security incident response practice includes: detecting the attack, containing the damage, remediating the effects of the attack and gathering evidence, returning systems to normal, and some follow-up. Lin’s proposal would require additional steps to gather sufficient forensic evidence to identify an actual perpetrator. He proposes allowing companies to present this evidence to some governmental body to review and sanction retaliation. Companies will then have to plan and execute the counter attack. Few companies have the in-house expertise to do this. Few business managers will be willing to fund such activities. What’s the return? You get hacked from a $500 laptop and you spend $50,000 to do what exactly?
  • National Security: We know for a fact that some of the attacks on our privately owned critical infrastructure have been attributed to foreign government affiliated networks. Would it really be wise to license private companies to attack these networks? I would think not. Most of these folks can’t even patch their servers or encrypt their sensitive data. The last thing we need is an international incident started by some system administrator at some SMB. I mean, a government allowing private entities to conduct cyber attacks against a foreign nation with a wink and a nod is not exactly a novel concept. See “Russia Georgia Cyberwar”.

I commend Dr. Lin for his contribution to this very important discussion. I don’t necessarily agree with the proposed approach, but as a nation we really need to come to terms with how best to improve our national cyber defense, as we are in dire straits.

SMB Cyber Security Alliance helps Small Businesses address Cyber Security Risks

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Compliance,News,Tools,Users | Sunday 23 January 2011 1:33 pm

Across all industries, small businesses are increasingly facing new threats related to cyber security. Some have taken minimal steps to address these threats, but most have not. New security threats and incidents are reported every day in the news, and many more remain unreported. This underscores the need for cyber security education of small business owners and managers. These threats have potentially serious consequences and could lead to unrecoverable damage to small businesses.

What are some consequences of the lack of basic cyber security controls?

  • Lost or stolen customer data
  • Loss of intellectual property
  • Decreased productivity
  • Legal liability
  • Regulatory sanctions and fines
  • Computer systems downtime
  • Loss of reputation and customer confidence
  • Loss of revenue
  • Banking

Could this happen to you?

It is very important to understand that neither size nor industry guarantees protection from an attack. The use of computer systems and the Internet makes you vulnerable to attacks and other threats.

A 2010 survey conducted by the Ponemon Institute and Guardian Analytics of over 500 SMBs surfaced these alarming statistics:

  • 55% experienced a fraud attack in the last year
  • 58% of the incidents involved online banking
  • Over 50% experienced multiple incidents
  • 87% failed to fully recover lost funds

You are not a big, well known business. Why would anyone attack you?

While it might be the case that well trained hackers are not very interested in your small company, most online attacks aren’t carried out by expert hackers. Attacks are perpetrated by low-skilled, common criminals with access to pre-packaged hacking tools, casting a wide net in hopes of finding an unprotected computer system or network. These tools are easy to use and readily available on the Internet, often free of charge. The anonymity of a cyber attack makes it even more attractive to criminals. Many attackers use safe havens in foreign countries which do not have strong cyber crime laws.

Malicious software like viruses, worms, trojan horses, spam and bots are all vectors of cyber attacks that are indiscriminately spreading across the Internet. These attacks don’t only target your small business computer systems but also seek to use your unprotected systems to launch attacks on others.

Hasn’t your IT guy (or guys) already dealt with this issue?

Although cyber security includes traditional “IT”-related issues, it primarily focuses on protecting your valuable information from all threats, including physical attacks, data corruption, equipment failure, social engineering, and bad security choices due to insufficient security awareness education. Effective cyber security management requires specific training related to threats, vulnerabilities, and risks affecting computer systems, business operational processes, and most importantly you and your employees. Your security problems cannot be addressed solely by off-the-shelf products. Security must be addressed in the boardroom before it is addressed in the computer room.

What are the benefits and cost of cyber security?

Besides avoiding some of the devastating consequences mentioned earlier, good security is simply good business. It does far more than increase customer confidence and protect the integrity of your business’s brand. A secure business increases customer confidence and loyalty, and adds to the business’s bottom line.

Responsible businesses understand that management mandates that all threats, including cyber threats, be assessed and managed to protect the business, employees and customers.

The potential cost of inaction far outweighs the cost of action. Analyzing your business’s risks allows you to weigh the costs and benefits and make informed decisions.

Where do you start? Where can you get help?

Although improving your security may seem a daunting task, it doesn’t have to be. Increasing cyber security awareness helps small and medium sized businesses proactively implement simple best practices to protect their businesses. Security should be built into your business processes, information technology (IT), and most importantly your employees and contractors. Each business is unique and faces challenges particular to its operations. There is no magic pill that guarantees 100% security. The SMB Cyber Security Alliance has security experts available to help you understand your unique risks and implement solutions that work for your particular business environment.

Visit us today and sign up for your free membership at http://www.smbcybersecurity.org

The SMB Cyber Security Alliance is a volunteer-run organization seeking to increase cyber security awareness in small business communities through education, awareness training, free resources and consultations, and active engagement between small business owners and local security professionals.

Google to Microsoft: “Don’t let the door hit ya…!”

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Browsers,Systems | Tuesday 1 June 2010 1:13 pm

Talk about throwing out the baby with the bath water. The Financial Times reported on Monday that Google has begun telling new employees that they are no longer able to request Windows PCs, giving them the choice of Mac or Linux systems. Google has long offered its employees their choice of work operating system but will no longer do so. According to a Google employee, any exceptions will require CIO approval. [I find that assertion questionable though.]

Google is apparently making this decision in response to the attacks on Google late last year in China. The attackers used vulnerabilities in Microsoft’s Internet Explorer 6 to go after Google’s intellectual property, believed to be source code. One could argue that if they had updated their browsers, the attackers would have had to find other vectors for attack.

Could this be a strategic move by Google to prove that an Enterprise can survive WITHOUT Microsoft? With Google’s Chrome OS on the horizon, this may just be the warm-up act.

Source: http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html

Metasploit 3.4.0 Hacking Framework Released – Over 100 New Exploits Added

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | PenTest,Tools | Thursday 20 May 2010 1:24 pm

Metasploit provides useful information and tools for penetration testers, researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals.

Update Summary

  • Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
  • Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
  • Over 100 tickets were closed since the last point release and over 200 since v3.3

The full release notes can be found here.

Blippy to hire a CSO after exposing credit card data

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking | Tuesday 27 April 2010 3:11 pm

So… I made this post about the Social Media fallacy that is Blippy. Well, true to form, here we are less than two months later finding out…

“Blippy, a social networking site that allows users to share their purchases and discuss shopping with others, will revamp its plans and hire a Chief Security Officer after an embarrassing incident in which the site accidentally published a few of its members’ credit card numbers on Google.

Blippy Co-founder and CEO Ashvin Kumar said in a blog post this week that the slip-up occurred as a result of a technical oversight back in February that caused raw transaction data to appear within the HTML code on some Blippy pages for about half a day.”

Who didn’t see this coming a mile away? Presenters this year noted that penetration testers [and hackers] absolutely love the Blippy platform because of the naked insight it offers into the spending habits of specific individuals. They also shared a favorite quote making its way around the infosec community: “I joined Blippy and all I got was jacked at the ATM.”

Sigh

If Microsoft can do it, why not McAfee?

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Systems | Thursday 22 April 2010 2:54 pm

Yesterday, a faulty McAfee anti-virus update labeled a critical system file as a “virus”, causing hundreds of thousands of computers around the world running XP Service Pack 3 to go into a continuous reboot cycle [duh!].

Today, however, Sophos is reporting that hackers are compounding the problem by using blackhat SEO (search engine optimisation) techniques to create webpages stuffed with content which appears to be related to McAfee’s false alarm problem, but which are really designed to infect visiting computers.

Sophos has identified malicious webpages which appear on the first page of results if users search for phrases associated with McAfee’s false positive.

“It’s bad enough if many of the computers in your company are out of action because of a faulty update, but it’s even worse if you infect your network by Googling for a fix,” explained Graham Cluley, senior technology consultant for Sophos. “These poisoned pages are appearing on the very first page of search engine results, making it likely that many will click on them. If you visit the links you may see pop-up warnings telling you about security issues with your computer. The warnings are fake and designed to trick you into downloading dangerous software, which could result in hackers gaining control of your corporate computers or the theft of your credit card details.”

Changing Internet passwords a waste of time??

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Users | Thursday 15 April 2010 5:40 pm

From the following article: http://wcbstv.com/seenat11/.passwords..2.1633927.html

The study concluded that someone hacking into your computer and stealing your password is similar to a crook getting your house key.

The crook will likely use it right away and not wait until after you’ve changed the locks.

“As soon as they’ve got it, they’re using it and then they’re gone,” said Lance Ulanoff, editor of PC Magazine.

Ulanoff advises people to get stronger passwords in the first place.

The so-called “expert” advice: use stronger, more complex passwords.

I guess he is not familiar with the fact that stolen account credentials are bartered and traded like goods in the hacker underground. Of course you should use complex passwords. But it’s still a good practice to change them occasionally.

Staying safe on public Wi-Fi

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Uncategorized | Wednesday 14 April 2010 1:04 pm

Picture this: You’re at a café with your laptop and latte in hand, getting ready to review new sales leads and the quarterly financial projections. First you hop on the free Wi-Fi that the shop’s management provides. Then you connect your laptop to a projector so that the entire café can take a look, and finally you hand out some printed copies of your confidential product specifications to the other patrons so that they can follow along. That may sound ridiculous, but if you’re using public-access Wi-Fi without taking the proper precautions, you might as well be asking your coffee compatriots to partake in confidential company information.

That’s an excerpt from a pretty good article in NetworkWorld. I previously also posted about the dangers of public wireless networks.

Consider, however, how probable is it that a competitor, or anyone else for that matter, is lurking to steal your data? You don’t know and neither do I. Just remember that it’s very easy to do, so protect yourself.

Read full article: http://www.networkworld.com/news/2010/041310-how-to-stay-safe-on.html

Hacker Updates Woman’s Facebook Status

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | Social Networking,Users | Wednesday 24 March 2010 12:42 pm

Here’s an interesting story. Who didn’t see this coming?

“Police say an investigation in Fairfax County, Virginia started with a pregnancy announcement. But, it turns out the woman is not expecting a baby.

According to police, someone hacked into her Facebook account and posted the fake status update. The victim, who is from Springfield, also claims someone accessed her Hotmail account and sent out nasty emails.

All of the victim’s classes at Northern Virginia Community College were canceled by the hacker.

Police are investigating the Facebook and Hotmail hacking claims, but so far no charges have been filed.”

Source: http://www.myfoxdc.com/dpp//local/woman-says-facebook-account-was-hacked

Google pulls out of China

Posted by William McBorrough, MSIA, CISSP, CISA, CRISC, CEH | News | Tuesday 23 March 2010 12:18 pm

Is this a divorce or a separation? I chronicled Google’s dysfunctional marriage to China last month. Google shut down its search service on the Chinese mainland last night after a two-month standoff with Beijing over censorship and the much talked about incident.

Google.cn now redirects visitors to google.com.hk – where they are greeted by a message reading: “Welcome to Google search in China’s new home.”

The move allowed Google to stop self-censoring the service, although the government’s filtering system would still prevent mainland users from seeing the results of many “politically sensitive” searches.
