
(URGENT) NASA’s JPL “pwnd” (owned) by Chinese Hackers March 1, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy.

According to a report on Fox News, Chinese hackers took control of NASA’s Jet Propulsion Laboratory in November 2011. According to a report issued by the Inspector General, the hackers had sufficient control that it “…could have allowed them delete sensitive files, add user accounts to mission-critical systems, upload hacking tools, and more.” He further stated: “The attackers had full functional control over these networks.” The information was released in the report published on February 26th, 2012, titled (download here): “NASA Cybersecurity; An Examination of The Agency’s Information Security.”

The report further stated: “In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems,” … “These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit.”

This is yet another example of the sophistication of hackers. It is no longer feasible to rely upon network or even application layer controls. It is imperative that companies protect the proverbial crown jewels by encryption. On that note (I have no relation to the company at all), one of my favorite encryption vendors is a company called Vormetric. Check out their website here or visit their blog here.

“Goodnight Sweetheart, Its Time To Go…” Away from Gmail…over Privacy March 1, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation.

Starting today, Google will consolidate over 60 (that’s right…60) privacy policies into one, big, fluffy, wonderful new privacy policy. Unfortunately, some of the changes are less than appealing and are simply too much for me to live with. You can read more about the changes on CNN.com. According to Google: “We just want to use the information you already trust us with to make your experience better. If you don’t think information sharing will improve your experience, you don’t need to sign in to use services like Search, Maps and YouTube. If you are signed in, you can use our many privacy tools to do things like edit or turn off your search history, control the way Google tailors ads to your interests and browse the Web ‘incognito’ using Chrome.” My beef comes from the fact that they will be compiling a personal ‘dossier’ on every user. They crawl through Gmail to look for advertising opportunities, etc. After watching J. Edgar on Vudu a few days ago, I don’t want to end up with a personal file. (That was a joke, by the way.) In the event you decide to stay with Google, here is a guide published by the Electronic Frontier Foundation (EFF) that explains how to use the services while protecting your privacy to some degree. For more privacy-related information, please visit: www.DrHeatherMark.com.

“Don’t Eat Your Hash without Salt”- Zappos Data Theft February 29, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

On January 12, 2017 it was announced on MSNBC.com that Zappos, an Amazon-owned shoe company, experienced a data breach of more than 24 million accounts. According to the report, the breach captured the names, email addresses, telephone numbers, last four digits of the credit card, and the “cryptographically scrambled passwords”. The report on MSNBC then states: “Using the clues gleaned from Zappos accounts, the hackers may now have enough clues to gain access to a user’s e-mail or other important accounts. So while Zappos passwords may still be relatively secure, all those other pieces of information can offer clues to a user’s password. That information can also be used to answer a weak set of security questions correctly.” Unfortunately, this article is somewhat misleading.

The description of ‘cryptographically scrambled’ passwords refers to passwords that have been stored using one-way cryptographic functions known as ‘hashing algorithms’. A hashing algorithm like MD5, SHA1, or SHA256 is deterministic, meaning the same input will always result in the same output, and it is called ‘one way’ because, given the output, it approaches mathematical impossibility (nothing is truly impossible) to derive the input. Why would you want a ‘one way hash’ to secure passwords? (more…)
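As an added illustration of the point this post is making (not code from the original post), the following example contrasts a bare one-way hash with a salted, iterated one. It shows that a deterministic unsalted hash lets anyone holding the table see which users share a password, while a per-user random salt removes that leak; the iteration count, salt length and sample accounts are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters chosen for this example (assumptions, not values from the post).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """Plain one-way hash. Deterministic: identical passwords give identical
    digests, so a leaked table reveals every account sharing a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) stored as 'iterations$salt$digest'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_digest_groups(table: Dict[str, str]) -> int:
    """Count digests that more than one user shares in a stored password table."""
    counts: Dict[str, int] = {}
    for digest in table.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


# Constructed sample accounts; alice and bob reuse the same password.
SAMPLE_USERS = {"alice": "Sh0es4Life!", "bob": "Sh0es4Life!", "carol": "correct horse battery"}
UNSALTED_TABLE = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
SALTED_TABLE = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}

if __name__ == "__main__":
    print("shared digests, unsalted:", shared_digest_groups(UNSALTED_TABLE))  # 1
    print("shared digests, salted:  ", shared_digest_groups(SALTED_TABLE))    # 0
    print("alice login ok:", verify_password("Sh0es4Life!", SALTED_TABLE["alice"]))  # True
```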

“New cybersecurity reality: Attackers are winning” – You don’t say? February 29, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

The title of this blog post was taken from a CNN article published today which quotes RSA chief executive Arthur Coviello. The article, and Mr. Coviello, finally concede that the bad guys (cyberthieves, hackers, hacktivists) are “winning”. Forgive my cynicism, but this has been well known for some time and loudly proclaimed by numerous people. “In the area of cybercrime, it’s the criminals who are winning.” “The criminals are absolutely ripping us to shreds. We’re not even slowing them down.” “We’re losing the battle. That’s the reality of it.” These were not comments by RSA from 2012, but rather comments by me (Chris Mark) in October 2010 at an InfraGard meeting at which I was speaking. You can read the Salt Lake Tribune article here.

The point is not for me to attempt to say “I told you so”, but rather to point out that what RSA is, in 2012, finally conceding has been well known and acknowledged for some time by numerous others within the area of cybersecurity. It was not until RSA experienced their own breach of their vaunted SecurID system that they recognized they are as fallible as the rest. As stated by Mr. Coviello: “Our networks will be penetrated. We should no longer be surprised by this.” RSA further states: “The reality today is that we are in a race with our adversaries, and right now, more often than not, they are winning.”

The issue at hand is one that is familiar to those who have worked in the payment card or other industries for any amount of time. It is a sense of arrogance and infallibility until it is your own network that is penetrated. At that point we often see companies conceding what it appears RSA is conceding here (not their quote): “If we can be breached then there is no hope for anyone.” The point is that security should not be reactive. Companies need to recognize the threat before it hits their own networks and should take steps to address the vulnerabilities and mitigate the risk. I am personally a fan of SecurID and two-factor authentication and have recommended RSA more times than I can count. That being said, there appears to have been a degree of complacency on their part, and now their mea culpa is to concede that “we are losing the battle”.

“Another BRIC in the Wall”; 2012- The Year of Internet Regulation? February 27, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation.

The Internet started life in the 1960s as a project funded by DARPA known as ARPANET. ARPANET was decommissioned in 1990, and in 1995 NSFNET was decommissioned, opening the network for commercial use. The Internet was officially born. The impact of the Internet on science, culture, and politics cannot be overstated. The Internet is a worldwide network of interconnected computers. It operates without a centralized governing body, although ICANN and the DNS root changes are primarily governed by the US. The fact that the Internet allows for the free flow of information and that it is not ‘regulated’ in a conventional sense is what makes the Internet such a powerful tool for science, revolution, politics, medicine, education and about every other aspect you can imagine, as well as such a threat to some.

On December 8th, 2011, FCC Commissioner Robert McDowell stated: “The communications public policy effort that may affect all of us the most in 2012, however, will take place far from our shores. As we sit here today, scores of countries, including China, Russia and India [the RIC in BRIC], are pushing hard for international regulation of Internet governance. While we have been focused on other important matters here in the U.S., the effort to radically reverse the long-standing international consensus to keep governments from regulating core functions of the Internet’s ecosystem has been gaining momentum. The reach, scope and seriousness of this effort are nothing short of massive. But don’t take my word for it. As Russian Prime Minister Vladimir Putin said last June, the goal of this effort is to establish ‘international control over the Internet using the monitoring and supervisory capabilities of the International Telecommunications Union.’” (more…)