
“SpyGames” – Global Cyber Espionage Ring Discovered January 15, 2013

Posted by Chris Mark in Uncategorized.

In an article published today in RT, it was disclosed that Russia's Kaspersky Lab recently uncovered "a sophisticated cyber-espionage network targeting the world's diplomatic, government and research agencies, as well as gas and oil industries…" "The majority of infections are actually from the embassies of ex-USSR country members located in various regions such as Western Europe and even in North America – in the US we have few infections as well. But most infections are concentrated around Russia," Vitaly Kamluk, chief malware expert at Kaspersky Lab, told RT, adding that in Europe the hardest-hit countries are apparently Belgium and Switzerland. Kaspersky is also the company behind much of the public analysis of the Stuxnet, Flame, and Duqu malware.

According to the article: “The hackers’ primary objective is to gather information and documents that could compromise the security of governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups, and trade and aerospace targets.”

In August 2012, I published an article in The Counter Terrorist Magazine titled "The Rise of CyberEspionage," which outlines the international efforts to steal data from Western nations. Unfortunately, while many companies are busy trying to protect NPI, PII, etc., advanced efforts are being undertaken to steal their intellectual property. Stay tuned for a February 2013 article in The Counter Terrorist, as well!

Offensive Cyber Attacks – A Dangerous Proposition December 8, 2012

Posted by Chris Mark in Uncategorized.

Let me preface this by saying I have been outspoken about passive cyber defensive strategies and their failure. You can read my paper, "Failed State of Security," to learn more. On that note, Fox News had a story today that had me scratching my head. The recommendations were pedestrian at best, and dangerous in the most severe cases. In short, the article suggests that companies should take a more "offensive approach" to preventing cyber attacks. Some of the recommendations include:

"Misinformation campaigns," such as planting fake documents and data for criminals to steal. As stated in the article: "One such strategy involves creating a disinformation campaign by distributing fake documents throughout a company's own network to confuse and potentially misguide potential adversaries." Companies today have a difficult time managing their own "real" documents. This approach is inefficient and bound to cause confusion among employees. How do you differentiate between the "real" and the "fake" internally?

Frank Cilluffo, Director of George Washington University's Homeland Security Policy Institute, stated in front of Congress: "We should provide opportunities and responsibilities to the private sector to hack back." REALLY? Vigilante justice is being proposed by the director of a major university's homeland security institute? We are going to trust commercial entities to use the authority to "hack back" judiciously? What about when they hack into a competitor and claim they were being hacked? What if a company hacks into a personal computer and the person decides to exact revenge on its employees for the act by escalating the issue to violence? Many of these "cyber criminals" are associated with organized crime. These are not the types of groups you generally want to attack. This "mall cop" mentality has no place in corporate America.

More disturbing is the analogy drawn between vigilante justice and bank robberies. "If someone were to rob a bank today, doesn't the bank have a responsibility to protect its customers and employees from someone armed? They don't simply wait until someone shoots innocent victims," said Frank Cilluffo, director of George Washington University's Homeland Security Policy Institute. The difference is stark. A person walking into a bank with a weapon is a "clear and present danger" to people's safety. A company being hacked may be angry, offended, insulted, etc., but the hacker is not endangering anyone's physical safety the way a person with a gun is.

While an executive order from the White House could be forthcoming, Cilluffo said legislation from Congress would be far more helpful and could even indemnify companies from lawsuits.

"We need to have these conversations because the current approach is doomed for failure. We're losing too much," said Cilluffo.

Autocracy, Anocracy, & Democracy – “Verbal Masterba(bleep!)…” November 15, 2012

Posted by Chris Mark in Laws and Legislation, Politics.

Election season in the US is always interesting.  Passions run high and people are quick to proclaim their positions on government and politics.  Unfortunately, as many will likely agree, election season also gives voice to many who should probably remain silent.

Recently I was taken to task on Facebook and lectured on the concept of governance and democracy by a particularly obtuse and offensive individual. When I attempted to explain that democracy should NOT be considered a strictly binary proposition and that the US was indeed a democracy, his attacks became personal and I was accused of (among other things) "verbal masturbation." According to this master of the English language: "Most folks like me would call your ideas verbal masturbation. They sound good from the outside but are really kinda stupid"…he actually wrote "kinda"…Somehow this person drew a line between my comments on democracy and his belief that the federal government would force parents to stand by while their 12-year-old daughters got abortions without consent. I am at a loss as to the logic…But I digress. Back to democracy!

To understand governance and democracy it is important to understand the concepts. One great resource is the Polity IV project. Democracy, while seemingly simple, can be a quite difficult concept to explain, especially when considering the many different governments in the world. The Polity project attempts to quantify and qualify governance and codes each government on a scale from autocracy to democracy.

First…let’s understand democracy.  Wikipedia states that Democracy:

“… is a form of government in which all eligible citizens have an equal say in the decisions that affect their lives. Democracy allows eligible citizens to participate equally—either directly or through elected representatives—in the proposal, development, and creation of laws. It encompasses social, economic and cultural conditions that enable the free and equal practice of political self-determination.” 

At its core, democracy is the principle of government by the people. So why the confusion, and what is the relevance of the Polity IV study? Good questions!

Democracy, as described by the Polity study, is defined by three factors. Each democratic government may implement these in different ways. Democracy requires the "…existence of Processes and Institutions through which citizens can 1) affect their government 2) constrain the power exercised by the executive and 3) guarantee civil liberties." (BTW: You can read this in Dr. Heather Mark's dissertation.)

There are numerous forms and styles of democratic government. There are direct democracies, in which citizens take part in the process directly. There are representative democracies (like the US), where citizens vote for representatives who then represent the interests of their constituents. Each of these general types of government then has sub-types. The US is a presidential republic, the UK is a parliamentary monarchy, and so on. It is much like dogs. All Rottweilers are dogs, but not all dogs are Rottweilers. So is a Poodle more of a dog than a German Shepherd? It is this type of question that the Polity study addresses. The Polity study scores each government based upon its degree of "democratization." Countries can be more autocratic or more democratic, and every government falls somewhere on the spectrum. Governments with a score of +6 to +10 are counted as democracies, with the higher scores representing more democratic governments; a perfect +10 is reserved for fully consolidated democracies. Those that range from -5 to +5 are considered anocracies. As Polity states: "Anocracies are a middling category rather than a distinct form of governance. They are countries whose governments are neither fully democratic nor fully autocratic but, rather, combine an, often, incoherent mix of democratic and autocratic traits and practices." Those with a score of -6 to -10 are autocracies, with -10 representing complete autocracy.

All governments fall somewhere on the spectrum. Simply because the United States is a presidential republic does NOT mean we are NOT a democracy, any more than the ugly dog down the street is NOT a dog because it does not look like my rugged, handsome, purebred Rottweiler (he is good looking but not very smart, sad to say…and still pees in the house!). While the US system of democracy is implemented one way, the UK system is implemented another way. There are benefits and drawbacks to each, but each IS a democratic system of government.

Chris in October 2012 Issue of PenTest Magazine October 30, 2012

Posted by Chris Mark in Uncategorized.

Check out the October 2012 issue of PenTest Magazine for tons of valuable information on the PCI DSS and how pen testing can be used to support compliance and validation. I have an article in the magazine titled "Introduction to PCI DSS for the PenTester." You need to register as a user or subscribe to access the articles.

Beating an Old Drum October 27, 2012

Posted by Heather Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.

It's the end of what has already been a tough year for data security, and the news just got worse. South Carolina has announced that its Department of Revenue suffered a major breach. The breach is so massive, in fact, that more than 75% of the state's residents have been affected. The compromised data consisted of the (unencrypted) Social Security numbers of more than 3.6 million residents. Also included in the breach were about 390,000 payment card numbers, most of which were encrypted.

This is disturbing on a number of levels. I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those). Consumers have built-in protections on payment cards: as long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions. The far more sensitive data, the Social Security numbers, was not encrypted. This defies logic. Consumers have little to no protection against misuse of SSNs. Not only can very real financial damage be done, consumers also have to spend enormous resources (time, money, emotions) untangling the identity theft knot that comes with stolen SSNs.

Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: "I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies." WHAT? If I'm inferring correctly, it seems that these agencies didn't have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold. After 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become a priority.

Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data. It's long past time states put forth the same level of protection. On the plus side, the state did comply nicely with its own data breach notification law.
