jump to navigation

Because I Said So September 23, 2012

Posted by Heather Mark in cybersecurity, Industry News, InfoSec & Privacy, Laws and Leglslation, Politics.
Tags: , , , , ,
add a comment

Last week, Democratic leaders made some minor news when they sent a letter to President Obama suggesting that he issue an executive order on Cybersecurity.  Their position is that, since Congress seems to be at loggerheads over the issue, the president should take the opportunity to force action by issuing an Executive Order.  In fact, Secretary of Homeland Security Janet Napolitano told a congressional committee that just such an order was in its final stages.  So what might we see in this forthcoming order?

According to reports, the order will attempt to regulate sixteen “critical” industries.  The guidelines will be voluntary, after a fashion.  Compliance with the standards may determine eligibility for federal contracts.  The White House has not made any secret about its intentions on Cybersecurity.  In fact, the White House website lists  “Ten Near Term Actions to Support Our Cybersecurity Strategy.”  Brevity prevents me from getting into a deep discussion about those actions here, but you can read them and draw your own conclusions.

The questions remain, however – 1) how stringent (read intrusive) will the requirements be?; 2) Will they be relevant to the threats in the landscape?; 3) How will compliance be policed? and 4) How much additional cost are we potentially adding our already stretched budgets?

Another question that merits examination is whether or not the standards will be redundant.  Many industries are already straining under the weight of a variety of infosec requirements – whether industry-regulated or government mandated?  Will another layer of regulation mean increased efficacy of data protection strategies and mandates or will it be just another layer of red tape?

 

 

 

All’s Fair in Love & (Cyber) War September 17, 2012

Posted by Heather Mark in cyberespionage.
Tags: , , , , , , ,
add a comment

A report released today suggests that the United States government is far more involved in the use of trojans and mal-ware than previously thought.  The US had previously been linked to the Stuxnetvirus that wreaked havoc on the Iranian nuclear program. Speculation at that point was that the US and Israel had collaborated on the program in an effort to derail Iranian nuclear ambitions.  I don’t think many were surprised to hear that supposition.  Today, though, Kapersky Lab and Symantec announced that they have found evidence linking the US to three other, previously unknown viruses.

The use of covert operations on “enemy” governments dates back to the beginning of the civilization, really.  Sun Tzu writes extensively about the subject and the use of “covert operatives” peppers Greek and Roman history, as well.  These historical endeavors share a common purpose with the cyber-espionage that we see today – to gather data, or to provide data, that can be used to bring about the downfall of one’s enemy, or at least provide a significant advantage to the other side. It shouldn’t come as any surprise, then, that any country would make use of the available technology to conduct remote espionage operations.

We know that other countries, China in particular, has a specific focus on launching attacks on Intellectual Property of Western companies.  A recent report in the Baltimore Sun highlights the countries singular focus on hiring cyber-soldiers (for lack of a better word): “Experts estimate that North Korea has as many as 1,000 cyber warfare agents working out of China and is recruiting more every day.”  When we know that our enemies are fully engaged in cyber-warfare tactics, it would be short-sighted and naive to believe that our government is not fighting back.

“The Rise of Cyber Espionage” – The Counter Terrorist Magazine August 5, 2012

Posted by Chris Mark in cyberespionage, cybersecurity, terrorism.
Tags: , , , , , , , , , , , ,
2 comments

UPDATE:  I want to thank The Counter Terrorist magazine staff for including attribution to the article.  They quickly corrected a mistake and the inaccuracy.  Kudos!

Chris Mark (that is me;) has an article in the June/July 2012 issue of The Counter Terrorist Magazine.  The article is titled: “The Rise of Cyber Espionage” and provides an overview of the current cyber espionage issues being faced by US businesses today.  The article covers the breach at RSA to the subsequent attacks at Lockheed Martin, General Dynamics and others as examples of the types of attacks being faced by state sponsored cyber espionage groups. While this magazine may be new for some readers of this particular blog, it in its 4th year and is filled with great information for military, law enforcement, first responders, and even businesses.  This particular issue is 76 pages of information covering Iran’s Nuclear Objectives, Cyber Espionage, First Responder Intelligence, Intelligence for Terror, and a number of great product reviews and other information.  The magazine is subscription based but if you are interested in a copy of this particular issue, leave a comment with your email and other contact information and I can forward a free ezine.

“123456, password, welcome” – Yahoo Password Posted Online July 12, 2012

Posted by Chris Mark in News, PCI DSS, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

A story today on MSNBC says that Yahoo Voices was compromised and 450,000 usernames/password posted online.  Not surprisingly, the passwords were not hashed or otherwise protected using encryption.  While the posting of passwords is nothing new what is interesting is what the researchers found when looking at user generated passwords.  The most common passwords were ‘123456’ followed by ‘password’ and ‘welcome’.  Fully 1/3 of the passwords used lower case letters only.  Here is where I get on my soapbox.  According to the story:

“Yahoo! Voices’ administrators made a big mistake storing the passwords in plaintext, but all users need to bolster their own security as well. Make passwords harder to guess by making them more than eight characters long, and pepper them with upper-case letters, numbers and punctuation marks.”

First, strong passwords would not have helped because YAHOO WAS STORING THEM IN CLEARTEXT!..and they were stolen! Second, the company should enforce strong passwords.  While all users should use strong passwords, when dealing with 450K users it is prudent to understand that either some users aht a will not understand what a strong password is or will simply ignore the directions.  Yahoo should have forced strong passwords…

“See, Hear & Speak no Evil”- Google Censorship Requests June 18, 2012

Posted by Chris Mark in Industry News, privacy.
Tags: , , , , , , , ,
1 comment so far

Google today released information related to the censorship requests by Governments around the Globe.  While many are familiar with China and other nations restricting access, it is interesting to see so many “Western” countries requesting censorship.  An interesting example is the Canadian Government requesting the removal of “…YouTube video of a Canadian citizen urinating on his passport and flushing it down the toilet. “  To their credit, Google did NOT comply with this request.  In another request, Google “…received a request from the Central Police in Italy to remove a YouTube video that satirized Prime Minister Silvio Berlusconi’s lifestyle.”  Again, Google did not comply.  The interesting part of these requests is that they request removal of material that is typically considered a right of free speech and protest.  Satire has been used as a form of protest in West for centuries (look at Voltare, Oscar Wilde…etc.etc.) and civil disobedience (urinating on a passport, is a good example) has certainly been used as form of protest.  One has to wonder whether how much more information ‘free’ governments have kept from the public.  You can see the Google removal requests here.