Pentagon and Congress want control of your network during cyberattack

Posted by William McBorrough | Network, Thoughts | Sunday 6 June 2010 12:25 pm

There has been a lot of chatter in the news lately about the possibility of a “widespread coordinated” cyber attack against our critical infrastructure and our ability to successfully defend against it. Most of this infrastructure (e.g., utilities, finance, transportation, etc.) is owned by private companies. Those currently responsible for protecting these networks will tell you that we are already under attack. Is there a cyberwar going on? Howard Schmidt, the White House’s Cyber Czar, says “No”. But let’s not argue semantics. War, skirmish, tomfoolery…call it what you may. Many experts will confess the US is unprepared for a major cyberattack.

What is the government’s role in protecting these private networks? Should it have a role at all? Although some in the private sector are still debating these questions, the government has already moved into action. Last month, the DoD launched its new Cyber Command, headquartered at Ft. Meade, Maryland. Military observers still aren’t quite sure what this is supposed to do. The Pentagon’s number two, Deputy Secretary William Lynn, in a gathering of cybersecurity officials and defense contractors, floated the idea that the “Defense Department might start a protective program for civilian networks”.

According to Lynn, companies may “opt out” of the program but by doing so would place us all at risk. Does that mean, by default, all companies are considered in the program?

Congress is also taking action. A draft bill, co-sponsored by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), gives the Department of Homeland Security authority to keep “critical infrastructure” up and running during a “cybersecurity emergency”.

It would be interesting to see the bill’s definition of cybersecurity emergency. All would agree that coordinated defense is essential. The federal government is probably the only entity able to provide that coordination on a national scale. Coordination is one thing. Control, however, well, that’s another animal.

Are targeted botnets the next wave?

Posted by William McBorrough | Thoughts | Monday 15 March 2010 1:03 pm

Great blog post by RSnake: http://ha.ckers.org/blog/20100314/conversations-with-a-blackhat/

He references his conversation with an actual blackhat. No, not the script-kiddie kind that frequents the hacking forums. I’m referring to the guys who seek no publicity and hire their services out for hefty sums. The blackhat laments the fact that the security practices being put into place at target companies may actually be working. RSnake talks of the potential payday of hackers collaborating with botnet herders for more targeted botnet attacks. My comment on that post is below:

“Interesting post; however, I don’t see this idea as particularly novel. This is just the natural evolution of the concept of ‘botnets for rent’. I think the key here is being able to provide the bot herder a list of potential high value targets to go after. This would seem a rather risky proposition for the herder, however, as he would be putting his botnet at greater risk. The secret sauce in a successful botnet is to have it under the radar as long as possible. Bigger risks = bigger rewards, I guess.” -me.

Why DRM doesn't work – Funny

Posted by Guest Blogger | Thoughts | Friday 12 March 2010 1:47 pm

DRM only prevents/annoys the honest.

Check out this great post: http://www.bradcolbow.com/archive.php/?p=205

Cloud Computing = Loss of Confidentiality?

Posted by William McBorrough | Thoughts | Thursday 4 March 2010 5:42 pm

Interesting excerpt from article in ITWorldCanada:

“Adi Shamir, a computer science professor at Israel’s Weizmann Institute of Science and also the “S” in the RSA encryption algorithm, warned against trusting cloud computing services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet. He says the phone systems are secure, but that major crossroads in their networks are tapped by the NSA. “There’s a pipe out of the back of an office at AT&T in San Francisco to NSA,” he said.

Government access to assets entrusted to public cloud providers will be similar, he says. He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG security gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. “Please don’t use Cloud AG,” he said.”

So not only do you have to worry about who else is in the cloud with your data and what controls the service provider has in place to secure your data, but also whether or not the government will have unfettered access to all your organization’s data without your knowledge. They did it with phone records, so…

Microsoft says Do Not Call for Help!

Posted by William McBorrough | News, Thoughts | Tuesday 2 March 2010 2:22 pm

If it sounds like a horror movie…well, that’s because it really is. Microsoft is reporting yet another Internet Explorer bug.

In the latest episode of this never-ending saga, there is an unpatched bug in VBScript that hackers can use to drop malware on 32-bit XP machines running IE 7 and 8. I know what you are saying: “But we told them to upgrade from the nine-year-old IE6!”

According to Microsoft’s Senior Security Communications Manager Lead Jerry Bryant, an exploit “was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 [or help] key in response to a pop up dialog box.”

Is it time to change your browser? Maybe the EU has it right.

Microsoft offering choice of browser to users in Europe

Posted by William McBorrough | News, Thoughts | Monday 1 March 2010 11:44 am

Microsoft has been ordered to introduce the browser “ballot box” following a ruling by the European Commission that Microsoft’s practice of pre-installing Internet Explorer on every new computer was anti-competitive. The Commission accepted Microsoft’s offer of rolling out the ballot box across its range of Windows machines, which it believes will make it easier for computer users to choose an alternative browser to Internet Explorer. See ballot below:

The ballot box will be pushed to Windows users running XP, Vista and Windows 7, via an automatic software update, and will only be shown to computer users who are not already running a different default browser. The browsers offered are:

* Avant
* Google Chrome
* Mozilla Firefox
* Flock
* GreenBrowser
* Internet Explorer
* K-meleon
* Maxthon
* Opera
* Apple Safari
* Sleipnir
* SlimBrowser

I’m not sure how I feel about this. Competition is always good; however, users savvy enough to care already know they can download and run any of these browsers. I agree with Microsoft on the point that this will just add to the confusion of many users.

From the CIO: Why You Didn't Get the CISO Job

Posted by William McBorrough | Thoughts | Thursday 25 February 2010 10:29 pm

Below are my comments to an article posted in CIO Online magazine. Interesting read, especially for security folks:

Actually, I enjoyed the article. I found it very informative. Security in business is a means to an end, NOT the end itself. As a security professional, I can totally appreciate most of the responses here but that’s not the view from the board room. To be effective at the executive level, we have to be able to speak their language and do our best to make clear the value of security to the business bottom line. In some cases, that’s fairly easy to do (as it was when I worked in the financial world); other times it’s more challenging. Ranting and raving is not the solution; we have to adapt to the business needs as best we can.

Article: http://www.csoonline.com/article/550413/From_the_CIO_Why_You_Didn_t_Get_the_CISO_Job

How Steganography Can Be Used to Steal Your Financial Data

Posted by William McBorrough | Thoughts | Monday 22 February 2010 9:38 pm

Steganography is the means of “hiding” information within a larger file of data. It poses a risk to security because it allows data or malicious programming instructions to be hidden in other media. In the case of the former, malicious insiders (i.e., employees, contractors, etc.) with access to customers’ financial data may improperly access that data and use steganography to forward it to their accomplices without being detected. In the case of the latter, hackers can embed malicious code in other files, such as images, audio and video files. These files can be forwarded to users as spam or made available via web sites and peer-to-peer networks in the guise of items that would attract the interest of web surfers.

Digital steganography requires special software, and organizations involved in can mitigate the risk of insiders using steganography to steal customer data by controlling the applications that can be installed on employee workstations. Network and host-based intrusion detection systems can also be used to detect unusual behavior. User education and awareness training can help make users more aware of the risk posed by downloading files from the Internet. Users can also be trained to verify the origin and authenticity of files using the hash files before downloading them.
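The hash check mentioned above, as an added example that is not part of the original post: it parses a sha256sum-style checksum list and compares a file's SHA-256 against the published value, showing that even a one-bit change to the file is caught. The file names, sample bytes and manifest are constructed for illustration.

```python
import hashlib
import hmac
import string

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex chars>  <filename>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # '*' marks binary mode in sha256sum output
        is_hex = all(c in string.hexdigits for c in digest)
        if len(digest) != 64 or not is_hex or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def verify(name, data, manifest):
    """Return 'ok', 'mismatch', or 'unlisted' for one file's bytes."""
    expected = manifest.get(name)
    if expected is None:
        return "unlisted"  # no published hash: unverified, not safe
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

# Constructed sample: bytes standing in for a published image file.
ORIGINAL = bytes(range(256)) * 4
# Same bytes with a single low-order bit changed in one position, the
# kind of small alteration that hidden data introduces.
_altered = bytearray(ORIGINAL)
_altered[100] ^= 0x01
ALTERED = bytes(_altered)

# Constructed manifest, standing in for the publisher's checksum file.
MANIFEST = parse_manifest(
    "# published checksums (constructed)\n"
    f"{hashlib.sha256(ORIGINAL).hexdigest()}  holiday.jpg\n"
)

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("altered", ALTERED)):
        print(label, verify("holiday.jpg", blob, MANIFEST))
    print("other file", verify("unknown.mp3", ORIGINAL, MANIFEST))
```

The check only proves a file matches what the publisher listed, so the checksum list has to come from a source you trust independently of the download itself. A file that was published with hidden content already in it will still verify as `ok`.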

If one suspects his/her financial information has been compromised by any means, including steganography, one should immediately communicate the fact to all affected financial institutions and close the affected accounts. Keeping an updated antivirus provides some level of protection; however, antivirus is ineffective against malware whose signature hasn’t been provided by the vendor. Oftentimes, it is nearly impossible to detect steganography-based attacks until after the fact. It is important to closely monitor your accounts for unusual activities to be able to respond as quickly as possible.

When it comes to cyber security, trust no one

Posted by William McBorrough | News, Thoughts | Sunday 7 February 2010 6:32 pm

I came across this little tidbit today. Pretty funny but so true.

How well do you know your 500 best friends on Facebook? How much do you trust the 1000 pals you follow on Twitter? Never mind the fact that if any of those accounts are compromised, you’re toast.

Robert Rivard over at MySANews writes:

Effective immediately, I’ve got cyber security religion. It’s scary out there, and I’m going on the defensive. You should, too.

Everybody else is kicking back on a Friday night, sipping a margarita, hanging with friends, planning Super Bowl Sunday. Me?

I’m changing passwords, downloading patches for outdated programs, running redundant anti-virus programs, sniffing for malware.

Read the rest of the great piece at http://www.mysanantonio.com/news/local_news/When_it_comes_to_cyber_security_trust_no_one.html

Thoughts on Skype security

Posted by William McBorrough | Thoughts | Saturday 6 February 2010 9:39 pm

Michael Gough, an information security specialist, president of the Austin, Texas, chapter of ISSA, and owner of the web site skypetips.com, gave CSO his thoughts on Skype’s benefits and security challenges in the business environment. Read the full article
