Online scams cost $485 million in U.S. in 2011

WASHINGTON — Online scams including identity theft schemes, “advance fee” and “romance fraud” cost Americans some $485 million in 2011, a report prepared for the FBI said Thursday.

The Internet Crime Complaint Center annual report said the number of complaints about online fraud rose 3.4 percent to 314,246.

The most common complaints included FBI-related scams, in which criminals impersonate the FBI to gain sensitive data, identity theft and advance fee fraud — schemes in which emails pledge to release funds for a transaction fee.

One of the newer schemes involves fraudulent auto sales — in which a criminal posts a car for sale at an attractive price, pretending to be desperate to sell before moving or deploying overseas, and then seeking a deposit to hold the vehicle.

Other fraud schemes include the “non-delivery” of merchandise bought online or through an auction, and “overpayment fraud,” in which someone receives a check with instructions to deposit it in a bank account and send the excess funds, or a percentage of the deposited money, back to the sender.

More available at TPM: http://www.rawstory.com/rs/2012/05/10/online-scams-cost-485-million-in-u-s-in-2011-survey/

Posted in Cybersecurity Memo - Insiders Edition

Battle Over New Cybersecurity Bill Breaks Out

The adage “never discuss politics” has never applied much to the Web.

But on Friday, political discussion surrounding a new cybersecurity bill turned into an all out messaging war between the bill’s critics and its backers.

The bill, the Cyber Intelligence Sharing and Protection Act or CISPA, for short, seeks to allow the government and private companies to share more information, including customer information, about perceived national cybersecurity threats.

Introduced on November 30, 2011 by co-sponsors Rep. Mike Rogers (R-MI) and Rep. Dutch Ruppersberger (D-MD), CISPA has since received the backing of a total 111 lawmakers among both parties and upwards of 800 companies in the private sector, including Web heavyweights Google and Facebook.

And yet, with the bill scheduled to be voted upon by the House the week of April 23, fierce opposition has mounted.

Web freedom and consumer advocacy groups, writers and other media outlets have drawn parallels between CISPA and another, older lightning-rod of a bill, the Stop Online Piracy Act (SOPA), which sought to fight online piracy by forcing U.S. websites to break internet links and financial ties to foreign websites accused of copyright infringement.

From TPM IdeaLab at http://idealab.talkingpointsmemo.com/2012/04/in-battle-over-cybersecurity-bill-cispa-backers-turn-to-twitter.php?ref=fpb

Posted in Cybersecurity Memo - Insiders Edition

Just to be clear: CISPA is not SOPA

SOPA did not generate much support amongst the masses. CISPA is different. Facebook, Microsoft, Oracle, IBM, Intel, AT&T and Verizon have already sent letters to Congress voicing support for CISPA. And that should come as no surprise. Whereas SOPA and PIPA were bad for many companies that do business on the Internet, and burdened them with the unholy task of policing the Web (or facing repercussions if they didn’t), this bill makes life easier for them; it removes regulations and the risk of getting sued for handing over our information to The Law.

From DigitalTrends.com: http://www.digitaltrends.com/opinion/cispa-is-not-the-new-sopa-heres-why/

Posted in Cybersecurity Memo - Insiders Edition

The Cyber Intelligence Sharing and Protection Act (CISPA) is starting through Congress

CISPA is about companies and the government sharing information. CISPA places no explicit limits on the type of information that may be shared with the government, or between private companies, as long as it is somehow related to cyber threats. This could result in the government blocking access to websites on the basis of copyright infringement, or sites like Wikileaks under the guise of national security.

Text of the bill at govtrack.us: http://www.govtrack.us/congress/bills/112/hr3523/text

Posted in Cybersecurity Memo - Insiders Edition

Top FBI cyber-cop: U.S. is losing the war against hackers

The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: “We’re not winning,” he said.

Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is “unsustainable.” Computer criminals are simply too talented and defensive measures too weak to stop them, he said.

His comments weren’t directed at specific legislation but came as Congress considers two competing measures designed to buttress the networks for critical U.S. infrastructure, such as electrical-power plants and nuclear reactors. Though few cybersecurity experts disagree on the need for security improvements, business advocates have argued that the new regulations called for in one of the bills aren’t likely to better protect computer networks.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said.

“I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security,” Mr. Henry said.

James A. Lewis, a senior fellow on cybersecurity at the Center for Strategic and International Studies, said that as gloomy as Mr. Henry’s assessment may sound, “I am actually a little bit gloomier.”

More from WSJ.com @ http://online.wsj.com/article/SB10001424052702304177104577307773326180032.html

Posted in Cybersecurity Memo - Insiders Edition

‘Total Information Awareness’ surveillance program is back

A new feature story in this month’s Wired blows the lid off plans for a massive new National Security Agency data center in Utah that represents the resurrection of a program that Congress killed in 2003, known as “Total Information Awareness,” targeting literally all electronic communications all over the world — including those made by American citizens.

The proposal was to build computing systems that could suck up every electronic communication on the planet and filter them through a smart super-computer that would flag certain conversations, emails, transactions and other items of interest for further review. It was a program so monstrous in scope that after a brief legislative battle, Congress imposed strict regulations on the type of technology that could accomplish those ends, prohibiting it from ever being used against Americans.

But if well-sourced intelligence reporter James Bamford is to be believed, as of this year, their efforts to stop it are moot.

According to Bamford, the NSA’s new data center in Utah will be the most all-encompassing spy machine ever conceived, capable of breaking almost any encryption, reading any email and recording any phone call anywhere in the world, even if it’s not made over the Internet. A network of ultra-sensitive satellites enhances the center’s intelligence-finding capabilities with the unique ability to sniff electronic communications from a massive distance.

More troubling still, Bamford’s three covert sources who worked for the NSA reportedly claim that the agency is dumping Americans’ communications into the mix, knowingly violating the U.S. Constitution in pursuit of a modern-day Manhattan Project.

When Congress struck down the Pentagon’s “Total Information Awareness” program, they did, however, authorize funding for “processing, analysis, and collaboration tools for counter terrorism foreign intelligence,” which is precisely how the NSA describes this data center. Just a year after that authorization, Bamford notes, the Department of Energy founded a computing facility where scientists developed technology that was secretly being funneled to the NSA for the data center currently under construction.

More at Wired Magazine at http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1

Text from RawStory.com: http://www.rawstory.com/rs/2012/03/16/total-information-awareness-surveillance-program-returns-bigger-than-ever/

Posted in Cybersecurity Memo - Insiders Edition

FBI warns of new banking (phishing) scam

In a new warning, the Federal Bureau of Investigation alerts account holders to a spam email scheme that involves a type of malware called “Gameover.” The scheme involves fake emails from the National Automated Clearing House Association, the Federal Reserve or the FDIC. These messages attempt to trick recipients into clicking on a link to resolve some type of issue with their accounts or a recent ACH transaction. Once you click on the link, Gameover takes over your computer, and thieves can steal usernames, passwords and your money.

The FBI also warns the thieves’ hacking capabilities can navigate around common user authentication methods banks use to verify your identity, which is certainly a cause for concern. Those additional authentication steps — often personal questions, birth dates or other pieces of private information — are meant to provide some extra security padding.

While phishing scams are nothing new to the world of online banking, this type of warning serves as a reminder of just how susceptible account holders can be to malicious attacks. As more account holders begin to jump on the mobile banking bandwagon, it’s important to remember that a smartphone essentially acts as another computer. While this additional connection to the Internet is convenient, it also serves as another outlet where your information can be compromised.

Here are a few crucial steps to take to avoid falling victim to this type of Internet crime.

1) Keep your computer and mobile device updated with the newest versions of anti-virus software.
2) If you have any doubts about an email sender’s authenticity, do not click on any embedded links.
3) Remember, banks never request any personal information via email.
4) Be vigilant about checking your account balances. The sooner you notice and report any type of fraudulent activity, the more likely you’ll be able to be reimbursed for any missing funds.
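Step 2 above turns on a question the recipient can actually check: does the link in the message lead where the claimed sender lives? The script below is an added illustration written for this page, not code from the FBI warning or the Bankrate article. It parses an email, pulls every link out of the HTML body, and flags links whose domain does not belong to the sender's domain, or whose visible URL text differs from the real `href`. Both sample messages are constructed; the lure's link host (`nacha-org.example.net`) is a placeholder, and the two-label "registrable domain" helper is a deliberate simplification.

```python
"""Flag ACH/bank-themed lure emails whose links lead away from the claimed sender.

Added example for this page; not the FBI's or Bankrate's code. Sample messages
below are constructed, and all link hosts are placeholders.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure, styled like the warning describes: spoofed NACHA sender,
# visible text that looks official, href that goes somewhere else entirely.
SAMPLE_EMAIL = """\
From: NACHA Support <ach-notice@nacha.org>
To: victim@example.com
Subject: ACH transaction 7781 rejected
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your ACH transfer could not be processed. Review the report:</p>
<a href="http://nacha-org.example.net/report.php?id=7781">https://www.nacha.org/ach-report</a>
<p>Or contact us at <a href="mailto:support@nacha.org">support</a>.</p>
</body></html>
"""

# Constructed legitimate message: sender domain and link domain agree.
CLEAN_EMAIL = """\
From: Example Bank <alerts@example.com>
To: customer@example.com
Subject: Statement available
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.example.com/statements">https://www.example.com/statements</a></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels. Enough for this check."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_lure_indicators(raw):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = registrable(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto: and similar carry no landing page to click through to
        link_domain = registrable(url.hostname or "")
        if link_domain != sender_domain:
            findings.append(
                f"link host {url.hostname} does not belong to sender domain {sender_domain}")
        # Visible text that is itself a URL should point at the same place as the href.
        if text.startswith(("http://", "https://")):
            shown = registrable(urlparse(text).hostname or "")
            if shown != link_domain:
                findings.append(f"visible URL shows {shown} but href goes to {link_domain}")
    return findings


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, find_lure_indicators(sample) or "no indicators")
```

The check is deliberately simple: it does not resolve hosts or fetch anything, so it is safe to run on a quarantined message, and a match on the sender's own domain is not proof of legitimacy, since the From header itself is spoofable. It is the first filter a mail gateway or a cautious user applies before anything is clicked.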

Read more at Bankrate.com: http://www.bankrate.com/financing/banking/fbi-warns-of-new-banking-scam/#ixzz1p6DoAXmd

Posted in Cybersecurity Memo - Insiders Edition

Whitehouse Cybersecurity Research Agenda

This very important strategic plan establishes four cybersecurity R&D themes to unify and focus the cybersecurity research community on a common set of problems. The intent of each theme is to delineate the scope of a compelling hard problem in cybersecurity against which there can be a focused Federal investment to inspire and foster new ideas, and to engender innovative, game-changing solutions.

These themes are fundamentally interdisciplinary, draw upon a number of sciences and technologies, and foster synergy among researchers:

1. Designed-In Security – Builds the capability to design, develop, and evolve high-assurance, software-intensive systems predictably and reliably while effectively managing risk, cost, schedule, quality, and complexity. Promotes tools and environments that enable the simultaneous development of cyber-secure systems and the associated assurance evidence necessary to prove the system’s resistance to vulnerabilities, flaws, and attacks. Secure, best practices are built inside the system. Consequently, it becomes possible to evolve software-intensive systems more rapidly in response to changing requirements and environments.

2. Tailored Trustworthy Spaces – Provides flexible, adaptive, distributed trust environments that can support functional and policy requirements arising from a wide spectrum of activities in the face of an evolving range of threats. Recognizes the user’s context and evolves as the context evolves.

3. Moving Target – Enables us to create, analyze, evaluate, and deploy mechanisms and strategies that are diverse and that continually shift and change over time to increase complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency.

4. Cyber Economic Incentives – Develops effective incentives to make cybersecurity ubiquitous, including incentives affecting individuals and organizations. Incentives may involve market-based, legal, regulatory, or institutional interventions. Sound economic incentives need to be based on sound metrics, including scientifically valid cost risk analysis methods, and to be associated with sensible and enforceable notions of liability and care.

Trustworthiness of cyberspace is not a fixed end-state, but a dynamic state, in which there is a continuous process of defensive adjustments and anticipatory adaptations. Moreover, in cyberspace environments related to national security and military activities, there must be a fundamental assumption that the environment is suspect and that its trustworthiness must be continuously monitored and analyzed. This requires advances in understanding the motivations and vulnerabilities of both markets and humans, and how these factors affect and interact with technical systems.

For more information, see http://cybersecurity.nitrd.gov.

Posted in Cybersecurity Memo - Insiders Edition

Legislation will create partnership between the NSA and U.S. corporations

A bill currently being considered by the House Select Committee on Intelligence would intertwine the National Security Agency (NSA) with corporate America, exposing vast amounts of private civilian data to unprecedented levels of monitoring, all in the name of “cybersecurity.”

H.R. 3523, introduced last year by Rep. Mike Rogers (R-MI), purports to help safeguard American corporations from espionage and cyber crime by allowing the NSA and other federal spy agencies to work directly with large corporate players, funneling them classified information on threat assessments to enable companies to defend themselves.

The bill is openly supported by companies like AT&T, Lockheed Martin, Microsoft, Facebook, Boeing and Intel.

ACLU legislative counsel Michelle Richardson cautioned Wednesday that it is not something to be taken up lightly.

“[The Rogers bill] will encourage companies to share personal and private data with the government,” she said. “And then with very little oversight, allow the information to be used in a number of different ways.”

“If you put the government in the middle of an information sharing scheme, it is absolutely critical that you clarify that it must be run by a civilian agency,” Richardson added. “One of our biggest criticisms of the Rogers bill is that they either explicitly say information should go to the National Security Agency and Cyber Command, or they’re otherwise silent and allow companies to choose where they want to send information, including to these different military facilities.”

Rogers contended that the NSA is full of “brilliant” people who “spend their day trying to figure out what the bad guys are doing to people, and what potential bad things are out there that we ought to be looking for.”

From RawStory.com at: http://www.rawstory.com/rs/2012/03/07/bill-would-create-partnership-between-nsa-and-u-s-corporations/

Posted in Cybersecurity Memo - Insiders Edition

New Secure Remote Desktop Tech Via USB

IBM’s research team in Zurich, Switzerland has been working on solving a huge security issue: secure, remote, corporate desktop PC environments, delivered within seconds by simply plugging a USB stick into your existing personal PC.

The new technology, called the Secure Enterprise Desktop, is a modified version of an earlier device called the Zone Trusted Information Channel, or eZTIC, which was first developed by IBM almost three years ago specifically to help Swiss banks — famously among the most secure, private and well-regarded in the world — to protect users against the increasing threat of “man in the middle” attacks. These types of attacks take advantage of even supposedly secure Web banking software to intercept user information.

“The main issue for the banks was that no matter how secure their servers are, end-users possibly still have malware on their PCs,” said Dr. Michael Baentsch, the IBM researcher who developed the technology, in a telephone interview with TPM.

“What this meant is that we needed to create an additional level of protection outside the level of the PC itself, a piece of hardware combined with security software running outside the PC,” Baentsch elaborated. “What we came with was a USB device with its own crypto-engine.”

Once plugged into a user’s Windows or Linux computer, the encrypted USB sidesteps the actual PC itself and establishes a direct connection with the corporate servers, serving up a fully-loaded corporate desktop environment entirely remotely within just 2 minutes, including software the user doesn’t even have on his or her PC, such as Microsoft Office products.

“Whatever software you want will work,” said Baentsch.

The result, as an IBM informational release explains, is that “malicious software (either in the network or on the user’s PC) cannot interfere with the data transmitted between eZTIC and backend server.”

The encrypted USB device itself appears on a user’s PC as a storage drive, and presents a message if the computer fails to boot the remote desktop environment correctly, indicating a possible security breach. Even if a worker manages to lose the encrypted USB device or someone steals it, the network and the device itself are protected, as the device itself doesn’t contain application data, just instructions for communicating with the cloud. The USB also has additional layers of protection, such as requiring password entry or even a physical badge to be scanned.

Moreover, once the initial desktop has been loaded from the cloud, the user can access it any time thereafter, even offline, using the USB. That’s because the USB contains disk images for loading the entire desktop environment as it was last accessed and stores changes made offline. Once reconnected to the cloud, the USB will save any changes that the user made on his or her desktop environment back again to the cloud.
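The property the IBM release states, that malware on the PC or in the network “cannot interfere with the data transmitted between eZTIC and backend server,” follows from the PC being nothing more than a relay for frames it cannot forge: the keys live in the device's own crypto-engine, never on the host. The model below is an added example written for this page; it is not IBM's code and not a description of the eZTIC protocol, which the article does not detail. It assumes a secret key shared between device and backend (provisioned at enrollment, here a constructed constant) and uses an HMAC plus a sequence number to show integrity and replay protection; a real device would also encrypt the payload, which is left out to keep the example to the standard library.

```python
"""Model of a host-relayed, device-authenticated channel.

Added example for this page, not IBM's code or the eZTIC protocol itself.
Frames are  seq(8 bytes, big-endian) || payload || HMAC-SHA256(key, seq||payload).
The PC between device and backend only forwards bytes; it holds no key.
"""
import hashlib
import hmac
import struct

SEQ_LEN = 8
TAG_LEN = 32


def seal(key, seq, payload):
    """Device side: authenticate (seq, payload) with the shared key."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Backend:
    """Server side: verify the tag, then enforce strictly increasing sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.accepted = []

    def receive(self, frame):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "rejected: malformed"
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"          # anything the host changed lands here
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return "rejected: replay"           # an old but valid frame resent by the host
        self.last_seq = seq
        self.accepted.append(payload)
        return "accepted"


def honest_relay(frame):
    """A clean PC: forwards the frame untouched."""
    return frame


def tampering_relay(frame):
    """A PC with man-in-the-middle malware: rewrites the payee inside the payload."""
    header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
    return header + payload.replace(b"ACCT-1001", b"ACCT-6666") + tag


def run_scenarios():
    """Drive the three cases the article's claim rests on and return the backend's verdicts."""
    key = bytes(range(32))  # constructed shared secret for the demo only
    backend = Backend(key)
    results = {}

    first = seal(key, 1, b"PAY 100.00 TO ACCT-1001")
    results["honest"] = backend.receive(honest_relay(first))

    second = seal(key, 2, b"PAY 250.00 TO ACCT-1001")
    results["tampered"] = backend.receive(tampering_relay(second))

    # The host resends the first, genuinely authenticated frame a second time.
    results["replayed"] = backend.receive(honest_relay(first))
    return results


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:9s} -> {verdict}")
```

The point of the split is where the key sits: because the host never holds it, a compromised PC can drop or delay frames (a denial of service the backend notices as a failed session, which is the “possible security breach” message the device shows) but cannot produce a frame the backend will accept. Keeping the sequence counter on the device rather than the host is what keeps replays, as opposed to modifications, from slipping through.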

From TPM IdeaLab at: http://idealab.talkingpointsmemo.com/2012/03/ibm-debuts-swiss-bank-tested-secure-mobile-desktop-via-usb.php?ref=fpnewsfeed

Posted in Cybersecurity Memo - Insiders Edition