Archive for March 2012

Top FBI cyber-cop: U.S. is losing the war against hackers

The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: “We’re not winning,” he said.

Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is “unsustainable.” Computer criminals are simply too talented and defensive measures too weak to stop them, he said.

His comments weren’t directed at specific legislation but came as Congress considers two competing measures designed to buttress the networks for critical U.S. infrastructure, such as electrical-power plants and nuclear reactors. Though few cybersecurity experts disagree on the need for security improvements, business advocates have argued that the new regulations called for in one of the bills aren’t likely to better protect computer networks.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said.

“I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,” Mr. Henry said.

James A. Lewis, a senior fellow on cybersecurity at the Center for Strategic and International Studies, said that as gloomy as Mr. Henry’s assessment may sound, “I am actually a little bit gloomier.”

More from WSJ.com @ http://online.wsj.com/article/SB10001424052702304177104577307773326180032.html

‘Total Information Awareness’ surveillance program is back

A new feature story in this month’s Wired blows the lid off plans for a massive new National Security Agency data center in Utah that represents the resurrection of a program that Congress killed in 2003, known as “Total Information Awareness,” targeting literally all electronic communications all over the world — including those made by American citizens.

The proposal was to build computing systems that could suck up every electronic communication on the planet and filter them through a smart super-computer that would flag certain conversations, emails, transactions and other items of interest for further review. It was a program so monstrous in scope that after a brief legislative battle, Congress imposed strict regulations on the type of technology that could accomplish those ends, prohibiting it from ever being used against Americans.

But if well sourced intelligence reporter James Bamford is to be believed, as of this year, their efforts to stop it are moot.

According to Bamford, the NSA’s new data center in Utah will be the most all-encompassing spy machine ever conceived, capable of breaking almost any encryption, reading any email and recording any phone call anywhere in the world, even if it’s not made over the Internet. A network of ultra-sensitive satellites enhance the center’s intelligence-finding capabilities with the unique ability to sniff electronic communications from a massive distance.

More troubling still, Bamford’s three covert sources who worked for the NSA reportedly claim that the agency is dumping Americans’ communications into the mix, knowingly violating the U.S. Constitution in pursuit of a modern-day Manhattan Project.

When Congress struck down the Pentagon’s “Total Information Awareness” program, they did, however, authorize funding for ”processing, analysis, and collaboration tools for counter terrorism foreign intelligence,” which is precisely how the NSA describes this data center. Just a year after that authorization, Bamford notes that the Department of Energy founded a computing facility where scientists developed technology that was secretly being funneled to the NSA for the data center currently under construction.

More at Wired Magazine at http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1

Text from RawStory.com: http://www.rawstory.com/rs/2012/03/16/total-information-awareness-surveillance-program-returns-bigger-than-ever/

FBI warns of new banking (phishing) scam

In a new warning, the Federal Bureau of Investigation warns account holders of a new spam email scheme that involves a type of malware called “Gameover.” The scheme involves fake emails from the National Automated Clearing House Association, the Federal Reserve or the FDIC. These messages attempt to trick recipients into clicking on a link to resolve some type of issue with their accounts or a recent ACH transaction. Once you click on the link, Gameover takes over your computer, and thieves can steal usernames, passwords and your money.

The FBI also warns the thieves’ hacking capabilities can navigate around common user authentication methods banks use to verify your identity, which is certainly a cause for concern. Those additional authentication steps — often personal questions, birth dates or other pieces of private information — are meant to provide some extra security padding.

While phishing scams are nothing new to the world of online banking, this type of warning serves as a reminder of just how susceptible account holders can be to malicious attacks. As more account holders begin to jump on the mobile banking bandwagon, it’s important to remember that a smartphone essentially acts as another computer. While this additional connection to the Internet is convenient, it also serves as another outlet where your information can be compromised.

Here are a few crucial steps to take to avoid falling victim to this type of Internet crime.

1) Keep your computer and mobile device updated with the newest versions of anti-virus software.
2) If you have any doubts about an email sender’s authenticity, do not click on any embedded links.
3) Remember, banks never request any personal information via email.
4) Be vigilant about checking your account balances. The sooner you notice and report any type of fraudulent activity, the more likely you’ll be able to be reimbursed for any missing funds.

Read more at Bankrate.com: http://www.bankrate.com/financing/banking/fbi-warns-of-new-banking-scam/#ixzz1p6DoAXmd

Whitehouse Cybersecurity Research Agenda

This very important strategic plan establishes four cybersecurity R&D themes to unify and focus the cybersecurity research community on a common set of problems. The intent of each theme is to delineate the scope of a compelling hard problem in cybersecurity against which there can be a focused Federal investment to inspire and foster new ideas, and to engender innovative, game-changing solutions.

These themes are fundamentally interdisciplinary, draw upon a number of sciences and technologies, and foster synergy among researchers:

1. Designed-In Security – Builds the capability to design, develop, and evolve high-assurance, software-intensive systems predictably and reliably while effectively managing risk, cost, schedule, quality, and complexity. Promotes tools and environments that enable the simultaneous development of cyber-secure systems and the associated assurance evidence necessary to prove the system’s resistance to vulnerabilities, flaws, and attacks. Secure, best practices are built inside the system. Consequently, it becomes possible to evolve software-intensive systems more rapidly in response to changing requirements and environments.

2. Tailored Trustworthy Spaces – Provides flexible, adaptive, distributed trust environments that can support functional and policy requirements arising from a wide spectrum of activities in the face of an evolving range of threats. Recognizes the user’s context and evolves as the context evolves.

3. Moving Target – Enables us to create, analyze, evaluate, and deploy mechanisms and strategies that are diverse and that continually shift and change over time to increase complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency.

4. Cyber Economic Incentives – Develops effective incentives to make cybersecurity ubiquitous, including incentives affecting individuals and organizations. Incentives may involve market-based, legal, regulatory, or institutional interventions. Sound economic incentives need to be based on sound metrics, including scientifically valid cost risk analysis methods, and to be associated with sensible and enforceable notions of liability and care.

Trustworthiness of cyberspace is not a fixed end-state, but a dynamic state, in which there is a continuous process of defensive adjustments and anticipatory adaptations. Moreover, in cyberspace environments related to national security and military activities, there must be a fundamental assumption that the environment is suspect and that its trustworthiness must be continuously monitored and analyzed. Requires advances in understanding the motivations and vulnerabilities of both markets and humans, and how these factors affect and interact with technical systems.

For more information, see http://cybersecurity.nitrd.gov.

Legislation will create partnership between the NSA and U.S. corporations

A bill currently being considered by the House Select Committee on Intelligence would intertwine the National Security Agency (NSA) with corporate America, exposing vast amounts of private civilian data to unprecedented levels of monitoring, all in the name of “cybersecurity.”

H.R. 3523, introduced last year by Rep. Mike Rogers (R-MI), purports to help safeguard American corporations from espionage and cyber crime by allowing the NSA and other federal spy agencies to work directly with large corporate players, funneling them classified information on threat assessments to enable companies to defend themselves.

The bill is openly supported by companies like AT&T, Lockheed Martin, Microsoft, Facebook, Boeing and Intel.

ACLU legislative counsel Michelle Richardson cautioned Wednesday that it is not something to be taken up lightly.

“[The Rogers bill] will encourage companies to share personal and private data with the government,” she said. “And then with very little oversight, allow the information to be used in a number of different ways.”

“If you put the government int he middle of an information sharing scheme, it is absolutely critical that you clarify that it must be run by a civilian agency,” Richardson added. “One of our biggest criticisms of the Rogers bill is that they either explicitly say information should go to the National Security Agency and Cyber Command, or they’re otherwise silent and allow companies to choose where they want to send information, including to these different military facilities.”

Rogers contended that the NSA is full of “brilliant” people who “spend their day trying to figure out what the bad guys are doing to people, and what potential bad things are out there that we ought to be looking for.”

From RawStory.com at: http://www.rawstory.com/rs/2012/03/07/bill-would-create-partnership-between-nsa-and-u-s-corporations/

New Secure Remote Desktop Tech Via USB

IBM’s research team in Zurich, Switzerland have been working on solving a huge security issue: Secure, remote, corporate desktop PC environments, delivered within seconds by simply plugging in a USB stick into your existing personal PC.

The new technology, called the Secure Enterprise Desktop, is a modified version of an earlier device called the Zone Trusted Information Channel, or eZTIC, which was first developed by IBM almost three years ago specifically to help Swiss banks — famously among the most secure, private and well-regarded in the world — to protect users against the increasing threat of “man in the middle” attacks. These type of attacks take advantage of even supposedly secure Web banking software to intercept user information.

“The main issue for the banks was that no matter how secure their servers are, end-users possibly still have malware on their PCs,” said Dr. Michael Baentsch, the IBM researcher who developed the technology, in a telephone interview with TPM.

“What this meant is that we needed to create an additional level of protection outside the level of the PC itself, a piece of hardware combined with security software running outside the PC,” Baentsch elaborated. “What we came with was a USB device with its own crypto-engine.”

Once plugged into a user’s Windows or Linux computer, the encrypted USB sidesteps the actual PC itself and establishes a direct connection with the corporate servers, serving up a fully-loaded corporate desktop environment entirely remotely within just 2 minutes, including software the user doesn’t even have on his or her PC, such as Microsoft Office products.

“Whatever software you want will work,” said Baentsch.

The result, as an IBM informational release explains, is that “malicious software (either in the network or on the user’s PC) cannot interfere with the data transmitted between eZTIC and backend server.”

The encrypted USB device itself appears on a user’s PC as a storage drive, and presents a message if the computer failed to boot the remote desktop environment correctly, indicating a possible security breach. Even if a worker manages to lose the encrypted USB device or someone steals it, the network and the device itself are protected, as the device itself doesn’t contain application data, just instructions for communicating with the cloud. The USB also has additional layers of protection, such as requiring password entry or even a physical badge to be scanned.

Moreover, one the initial desktop has been loaded from the cloud, the user can access it any time thereafter even offline, using the USB. That’s because the USB contains disk images for loading the entire desktop environment as it was last accessed and store changes made offline. Once reconnected to the cloud, the USB will save any changes that the user made on his or her desktop environment back again to the cloud.

From TPM IdeaLab at: http://idealab.talkingpointsmemo.com/2012/03/ibm-debuts-swiss-bank-tested-secure-mobile-desktop-via-usb.php?ref=fpnewsfeed

FBI chief warns that cyber crime is on par with terrorism

FBI director Robert Mueller warned a gathering of Internet security specialists that the threat of cyber attacks rivals terrorism as a national security concern.

The only way to combat cyber assaults is for police, intelligence agencies and private companies to join forces, Mueller said during a presentation at an annual RSA Conference in San Francisco on Thursday.

“Technology is moving so rapidly that, from a security perspective, it is difficult to keep up,” Mueller said. “In the future, we anticipate that the cyber threat will pose the number one threat to our country.”

It’s essential that private corporations and government agencies across the globe coordinate on cyber crime, Mueller said, in part because nefarious hackers are already forming alliances.

“We must work together to safeguard our property, to safeguard our ideas and safeguard our innovation,” Mueller said. “We must use our connectivity to stop those who seek to do us harm.”

Gone are the “good old days” of teenage boys hacking into websites for fun, Muller said. Today’s hackers are savvy and often work in groups, like traditional crime families.

Private sector computer security researchers have attributed waves of cyber assaults to nations out to steal government or business secrets.

“Once isolated hackers have joined forces to form criminal syndicates,” Mueller said.

More from RawStory.com: http://www.rawstory.com/rs/2012/03/02/fbi-chief-warns-cyber-crime-on-par-with-terrorism/

NASA Inspector Gen. Says Stolen Laptop Contained Space Station Control Codes

NASA “reported a loss or theft” of 48 computers between April 2009 and April 2011 including a laptop that was stolen in March 2011 containing “algorithms used to command and control the International Space Station.”

That laptop, like 99 percent of NASA’s portable computing devices, wasn’t encrypted.

But the case of the stolen laptop containing Space Station control codes is hardly the only cyber security issue plaguing NASA. In fact, the agency appears to be rife with security flaws.

“Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA’s Constellation and Orion programs. Moreover, NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the Agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files.”

More from TalkingPointsMemo.com @ http://idealab.talkingpointsmemo.com/2012/03/nasa-inspector-gen-says-stolen-laptop-contained-space-station-control-codes.php?ref=fpnewsfeed