
“RSA Doesn’t Dine Alone” – China Suspected In Pipeline Attack May 13, 2012

Posted by Chris Mark in cybersecurity, InfoSec & Privacy, terrorism.

For background on this story, please read the previous post, as well as an earlier post titled: “Cyberattack underway against US Pipelines”. While the timing of this story is fortuitous for this author, the event is frightening.  According to the Christian Science Monitor “Those analyzing the cyberspies who are trying to infiltrate natural-gas pipeline companies have found similarities with an attack on a cybersecurity firm a year ago. At least one US government official has blamed China for that earlier attack.”  The referenced security firm is RSA.   Again quoting CSM: “Investigators hot on the trail of cyberspies trying to infiltrate the computer networks of US natural-gas pipeline companies say that the same spies were very likely involved in a major cyberespionage attack a year ago on RSA Inc., a cybersecurity company. And the RSA attack, testified the chief of the National Security Agency (NSA) before Congress recently, is tied to one nation: China.”

Anyone who doubts that the US is under attack by China should read about the attacks against DuPont, RSA, Lockheed Martin, and more.

“Communist Chinese Cyber-Attacks, CyberEspionage and Theft of American Technology” May 13, 2012

Posted by Chris Mark in cybersecurity, Data Breach.

Since it is Mother’s Day, I will not ramble on with inane commentary 😉 Instead, here is a link to the report of the same name as the blog title (too lazy to retype)…from the 112th Congress’ Congressional Hearing before the Subcommittee on Oversight and Investigations of the Committee of Foreign Affairs; House of Representatives. It is very interesting and provides some valuable insight into IP theft. Don’t forget to thank Mom today!

“Doing Time Before Being Convicted?” – Analyst Accuses Merchant of PCI Non-Compliance May 11, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.

I wrote this in May 2012. Given the current position in the industry of proclaiming victims of cybercrime to be wholly responsible, I thought it appropriate to publish again.

I was reading an article on BankInfoSecurity.com titled: “Online Retailer Breached”. I am taken aback at the attitude of the quoted analyst. A Gartner analyst took a very bold step of accusing the merchant of “non compliance” then seemingly qualifying his statement by adding: “The attacker was probably able to attack unencrypted card numbers,” he says. “But given the lack of details, it’s hard to say for certain.” (more…)

“CyberSecurity Cold War” – Spending ourselves into Oblivion May 8, 2012

Posted by Chris Mark in competitive intelligence, cybersecurity, Industry News.

A recent report published by Bloomberg outlines the challenges of securing critical infrastructure against cyber attacks in the 21st century. According to a survey of 172 companies in six industries, current security measures are only stopping 69% of cyber attacks against banks, utility companies and other ‘critical assets’. To stop 95% of attacks, companies would need to spend 7 times more than they are today. This would increase spending from $5.3 billion ($30.8 million average) to $46.6 billion ($270.9 million average). This, it is estimated, would still only prevent 95% of attacks. While not a consistent increase, it could be calculated that for every 1% increase in protection, another $1.588 billion would need to be spent by the group. This amounts to roughly $9.23 million per company…for each 1% increase in protection. If this is indeed accurate, it is clear that the current perspectives and strategy of cybersecurity are fatally flawed.

During the 1980s the US and Soviet Union were fully engaged in a Cold War. With the election of President Ronald Reagan, the US’s strategy changed. A major component of Reagan’s strategy was to exploit the inherent inefficiencies in the Soviet Union’s command economy. By increasing spending, and forcing the Soviets to match spending on an arms race, the theory held that the SU could be bankrupted. This has become known as the “Reagan Victory School” and, while not completely responsible for the collapse of the Soviet Union, it can be credited with hastening its demise. As outlined in a Stanford piece: “A central instrument for putting pressure on the Soviet Union was Reagan’s massive defense build-up, which raised defense spending from $134 billion in 1980 to $253 billion in 1989. This raised American defense spending to 7 percent of GDP, dramatically increasing the federal deficit. Yet in its efforts to keep up with the American defense build-up, the Soviet Union was compelled in the first half of the 1980s to raise the share of its defense spending from 22 percent to 27 percent of GDP, while it froze the production of civilian goods at 1980 levels.” (more…)

“Poisoned Apple?” – OSX Lion Encryption Passwords Insecure May 7, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy, PCI DSS.

For years many Apple purists (I used to be one) have been touting the inherent security of the Apple operating system. According to TechCrunch, it was discovered in February 2012 that OSX Lion (the newest OS from Apple) had a major security weakness, and the discovery was released widely within the last few days. It was disclosed that the FileVault encryption passwords are now visible in plain text outside of a computer’s encrypted area. This effectively renders the encryption useless, as the keys (the passwords) are not secure. While it was originally believed that the vulnerability was specific to the encrypted FileVault solution, it appears now that the vulnerability is larger…potentially much larger. Sophos Naked Security blog states: “Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.” Key management and password security continue to be the weakest link in most encryption implementations.