Posted on Mon, Nov 23, 2009 @ 08:54 AM
Huh? That was probably your reaction when you read the title. What do the H1N1 virus, better known as swine flu, and Michael Jackson have to do with network security? I'm glad you asked. One of the methods increasingly used by cyber criminals to infect, hijack and ransom users' data is malicious websites that are pushed up the search rankings by piggybacking on popular news items.
Here's how it works. You want to know more about swine flu, so you type the term into Google and various websites appear in the search results. You click on one, but it doesn't have anything to do with swine flu, so you leave. Bam! You've already been infected by a "drive-by download."
"Drive-by download" describes the installation of spyware, a computer virus or any other kind of malware without the user's knowledge. Drive-by downloads happen when you visit a website, view an e-mail message or click on a deceptive popup window.
In 2008 Symantec reported that there were 18 million drive-by download attempts. In the first half of 2009 alone there were already 17.5 million attempts, so this threat appears to be increasing. In one of the more nefarious schemes, the malware delivered by the drive-by encrypts the user's data on their computer. The criminal then sends a ransom notice stating that the key to unlock the data will be released only if the victim makes a payment.
What can you do to protect yourself? Maintain and keep up-to-date all facets of your security and risk prevention systems. As cyber criminals become craftier in their methods, our security needs to be one step ahead.
Posted on Thu, Nov 19, 2009 @ 02:58 PM
Effective December 1, 2009, the FTC ruling "Guides Concerning the Use of Endorsements and Testimonials in Advertising" takes effect. Essentially this ruling is directed at online media, and blogging in particular, and aims to provide the same type of consumer protection found in traditional advertising media.
If a company or its advertising agency provides a blogger or other online commenter with incentives in the hopes of getting a favorable review or positive buzz for its products, the online comments will be treated legally as endorsements.
The ruling requires full disclosure by bloggers, in the blog post itself, when they receive either compensation or free product from organizations whose products or services are discussed in that post. With full disclosure, readers can decide for themselves whether a blogger discussing a particular product, service or company may have been incentivized, and thus influenced, by that company.
The potential impact on corporations and their legal departments is this. For vendors or suppliers, if you provide incentives (freebies) to a community of "preferred users" who blog about your product, you may be liable for any misleading statements (exaggerations, unsubstantiated claims) made by that blogger.
For customer organizations: suppose an employee receives an evaluation sample and perhaps free tickets to a vendor event, the vendor asks that employee to evaluate the sample product and post a blog about his findings, and the employee is positioned as a representative of your organization. In that case you may be liable for any statements (positive or negative) made by that employee.
Blogging therefore now falls under the content filtering and compliance monitoring activity required of corporate legal departments. The FTC states: "...the extent that consumers' willingness to trust social media depends on the ability of those media to retain their credibility as reliable sources of information..." and continues: "Nonetheless, if the advertiser initiated the process that led to these endorsements being made - e.g., by providing products to well-known bloggers or to endorsers enrolled in word of mouth marketing programs - it potentially is liable for misleading statements made by those consumers."
Andrew Baer, a lawyer handling technology issues, gives this recommendation:
"It's now a best practice to treat company-initiated social media and blog posts as official corporate communications that require consideration of regulatory, securities, litigation and reputational risk issues, and possibly prior legal or regulatory review. The possibility that third-party posts may now be deemed company-initiated endorsements makes it vital to bring all social media marketing activities under one comprehensive policy."
The FTC rules impose compliance regulations on what was previously considered an unregulated area of communications on the web. Thus we increasingly see that life on the information highway means you can't travel safely without considering the costs of security, risk management, compliance monitoring, and content and communications filtering. Collectively we can call all of these things a security and risk policy. And as one famous commercial used to say: "don't leave home without it."
Posted on Wed, Nov 11, 2009 @ 12:45 PM
The Internet Corporation for Assigned Names and Numbers (ICANN), the governing body that acts as steward for the Internet's domain naming conventions, announced in October that it will expand the domain name system (DNS) to include non-Latin (non-English) characters for the first time. So in addition to English domain names, starting in 2010 there will be domain names in Chinese, Arabic, Russian and, over time, other languages.
Domain names, the Internet addresses that end in ".com" and other suffixes, are the key addresses behind every Web site and e-mail address. Since their creation in the 1980s, domain names have been limited to the 26 letters of the Latin alphabet used in English (A-Z), the 10 numerals and the hyphen. Technical tricks have been used to allow portions of an Internet address to use other scripts, but until now the suffix had to use those 37 characters.
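As an added illustration that is not part of the original post, the following Python code applies the 37-character rule described above to each label of a hostname and shows the "technical trick" in action: Python's built-in idna codec turns a non-Latin label into an "xn--" Punycode label that fits within those 37 characters, and decodes it back. The sample domain names other than zonealarm.com are constructed for the example.

```python
import re
from typing import List

# The traditional repertoire the post describes: letters A-Z (either case),
# digits 0-9 and the hyphen. A label may not begin or end with a hyphen and
# is at most 63 characters long.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ldh_label(label: str) -> bool:
    """True if one dot-separated label stays within the letter-digit-hyphen rule."""
    return bool(LDH_LABEL.match(label))


def is_ldh_hostname(name: str) -> bool:
    """True if every label of the hostname stays within the LDH rule."""
    labels = name.rstrip(".").split(".")
    return all(is_ldh_label(lab) for lab in labels)


def to_wire_form(name: str) -> str:
    """Encode a possibly internationalized name into the ASCII form carried in
    DNS messages. Labels outside the LDH repertoire are normalized (nameprep)
    and encoded as 'xn--' Punycode labels; plain LDH labels pass through."""
    return name.encode("idna").decode("ascii")


def to_display_form(wire_name: str) -> str:
    """Reverse of to_wire_form: decode 'xn--' labels back to their Unicode text,
    which is what a browser would show the user."""
    return wire_name.encode("ascii").decode("idna")


def punycode_labels(name: str) -> List[str]:
    """Labels (in wire form) that needed Punycode, i.e. the ones a pre-IDN
    resolver would have rejected and a log reviewer now sees as 'xn--' strings.
    With the ICANN change, the last label (the suffix) can appear here too."""
    return [lab for lab in to_wire_form(name).split(".") if lab.startswith("xn--")]


if __name__ == "__main__":
    # Constructed sample names: one plain, one with a non-Latin second-level
    # label, and one where both the label and the suffix are non-Latin.
    for sample in ["zonealarm.com", "bücher.example", "пример.испытание"]:
        wire = to_wire_form(sample)
        print(f"{sample!r:28} LDH-only={is_ldh_hostname(sample)!s:5} wire={wire}")
```

Reviewing DNS or proxy logs in wire form is useful because the "xn--" prefix makes every internationalized label stand out, whereas the display form hides which script a label was written in.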
This is an exciting event for the hundreds of millions of online users whose native language is not English. However, how will this impact network security going forward?
The well-known security researcher Dan Kaminsky is famous for a critical flaw he found in the Domain Name System protocol last summer. DNS is the protocol that translates domain names (such as zonealarm.com) into numeric Internet Protocol addresses (such as 209.87.209.206). Kaminsky showed that, by exploiting the flaw, a DNS server can be tricked into resolving a domain name to a different IP address.
This would allow an attacker to redirect someone visiting CityOnlineBank.com to a fake replica of the website under the attacker's control. The user would unwittingly give their online banking password to the attacker's fake website. This is called DNS hijacking.
That vulnerability has since been patched, but the DNS protocol itself in many ways remains fundamentally insecure. With the advent of non-Latin domain names, could we be heading into a nightmarish scenario with rogue cyber terrorists?
DNSSEC is a proposed protocol that would secure DNS using public key cryptography, but its adoption has been slow for many reasons. It is notoriously complicated to implement and maintain.
With the domain name system vulnerable, a website's "forgotten password" feature also becomes an easy target for hackers. By hijacking the CityOnlineBank email.com domain, an attacker could then go to Facebook, eBay or any number of online web services and request that a new password be sent to a user's e-mail address. That password would be intercepted by the attacker, because it is sent not to the real CityOnlineBank email.com but to the fake one under the attacker's control. The real user is never involved in, or aware of, the attack at any point.
So the broadening of the Internet to include non-Latin characters is a great thing for the world, but could usher in a new round of security troubles.
Posted on Mon, Nov 09, 2009 @ 09:03 AM
This blog is one in a series of postings reviewing legislation currently before the US Congress. It should be noted that there is a re-write of the bill; however, as of this writing, that version is not posted on either the Library of Congress or the Government Printing Office website.
Mention George Orwell and/or the book "1984" and immediately terms like "Big Brother", "invasive surveillance", "totalitarianism" and others come to mind. It would seem that parts of the Cybersecurity Act of 2009 would inch us closer to this becoming a reality.
Section 5 of this Act states that "the Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards." These Centers will be comprised of non-profit institutions/organizations or a consortium of such entities. The purpose of these centers will be to enhance the cybersecurity of small- and medium-sized businesses in the United States through (as outlined in (b)(2) of this section) the participation of individuals from industry, universities, state government, other Federal agencies, and, when appropriate, the Institute in cooperative technology transfer activities. As encompassing as that sounds, with the Government providing much of the funding, the implied power rests with the Department of Commerce.
Section 5, Part (c) ("Activities") states that these centers will disseminate and transfer cybersecurity technologies, standards and best practices based on NIST research to small- and medium-sized companies. Paragraph 3 of this section calls for the government to "make loans, on a selective, short-term basis, of items of advanced cybersecurity countermeasures to small businesses with less than 100 employees."
Without more details, this raises several questions for me:
(1) Is the Government going to determine which is the best technology and/or device in the marketplace and force these on small/medium organizations? Even if the government maintains a list of technologies/devices it could be a disaster for security vendors not "approved" by the government.
(2) Loaning out cybersecurity countermeasures is one thing but what about the expertise to install and/or implement them into the client network? Generally speaking most organizations of under 100 employees do not have security experts on staff (as a primary function) and thus they will need help putting the countermeasures in place. Along with the countermeasure (which may have already been purchased by the Department of Commerce or the Regional Center) installation/implementation costs money. Is the government going to "loan" out the security expertise as well as the countermeasures and if so will these experts be from the public or private communities?
(3) If I were a small/medium business with fewer than 100 employees, I would be tempted to ask why I should ever buy such countermeasures. If we can get one for free, then why purchase? Without more details on the limits of the loan period, if any, this seems a reasonable discussion to have.
(4) What if the small/medium business does not want to subscribe to the NIST standards? Will they then be excluded from obtaining these advanced countermeasures?
Although I could be wrong, this sounds like a Big Brother approach to cybersecurity. The Government (Department of Commerce) is going to establish Regional Centers to disseminate (require?) standards developed by NIST down to small/medium businesses.
Now, all notions of "1984" aside, I do think that small/medium businesses need some sort of help with security. Many studies and articles have shown that they are as much of a target as larger organizations, if not more so. And let's be honest: cybersecurity is not cheap; whether done in-house or outsourced, it still costs money. And I can imagine that the "advanced cybersecurity countermeasures" mentioned in the Act are probably outside the budgets of small/medium businesses.
I also admire, and praise, the hard work that the fine folks at NIST have done (and continue to do). I have used many of their security publications in the course of my work. The same admiration goes out to the list of entities that will make up these consortiums. Basically, a lot of people from many industries, including government, are working hard to make our assets more secure.
However, certain regulated industries aside, I don't know that the government should be forcing small/medium businesses to adopt its security standards or else. Given the Act's broad powers to monitor data traffic (albeit under certain supposed circumstances), there is also the question of whether users of these centers will be opening up their networks to more monitoring, but that will be another blog entry.
Posted on Mon, Nov 09, 2009 @ 08:49 AM
This was the headline after the Secretary of the Department of Homeland Security (DHS), Janet Napolitano, said the concept of a cabinet-level IT position for cyber security was overkill. Secretary Napolitano noted that IT networks and services underlie most operations today, and that therefore all we need is for citizens to be more careful when they are online. Really? Is it just me, or does this sound like the campaign telling teens to "just say no"?
We can't escape the fact that our society has evolved to the point where public trust is the foundation of our technology-based culture. And if that trust fades for lack of accountability in cyber security, we'll take a step back into the stone ages (pen-and-paper letters, standing in teller lines, ordering through catalogs; remember those days?).
Seriously, in private industry and in the largest, most complex organizations there is someone accountable for the network security function. I ask you why the government should be any different.
If nothing else, with the Katrina disaster of several years ago, we learned that when no one is accountable for critical functions, or assumes the "other guy" is handling it, things fall through the cracks. I agree with Secretary Napolitano that "It's really hard to segregate [IT] out." In her speech she states, "I'm not sure that I think that a cabinet-level position is necessary. And the reason is that cyber runs through everything that we do as a government."
This is all the more reason to have that cyber security czar at the helm. The threat to America is no longer limited to long-range missiles; it now includes closely targeted network attacks that could disable everything from traffic lights to electric grids, nuclear plants, financial systems, even our phone systems. To date these scenarios have been the stuff of movies. But I can guarantee you there is some terrorist thinking about the possibilities.
As a country we've witnessed the shift of our culture from agrarian to manufacturing and now to services. And this services-based economy is built on the embedding of technology in almost every aspect of American society. Literally all our personal, community, industrial and governmental processes, from ATMs to booking a flight, interface with technology in some form or fashion. If you want to picture a step backwards as a society, imagine losing trust in the very networks that support our way of life.
Accountability and vigilance in security have to be a high priority if we are to enjoy the standards and reap the benefits of the technology age we live in.
A security czar coordinating among the various departments and championing the standards that impact government, jobs, global trade, social services and industry seems like a no-brainer.