People Are Our Greatest Asset, Goodbye!

The Chinese are smart and talented, and there is a cyberwar going on. 

They are suspected are having just stolen the personnel information of 4 million federal government workers.

And there are 4.2 million active, including 1.5 million military personnel. 

So if as they are apt to say, “people are our greatest asset”…

…then we just sort of lost the CROWN JEWELS in terms of highly personal, sensitive, and critical information on the people that handle everything from defense and diplomacy to the economy, energy, the environment, justice, and health and wellbeing. 

Oops!

This is getting scary folks. 

When the adversary through cyber (and other) espionage can know our people, our technology, our communications, virtually everything…then we got some big vulnerabilities!

If we can’t defend ourselves adequately (at least for now), I hope at least we are doing okay on the offense! 😉

(Source Photo: Andy Blumenthal)

Shining A Light On Your Privacy

Check out this special report…

~Half a billion~ downloads of the top 10 Flashlights Apps–the ones we all have on our smartphones–and guess what?

All/most are malware/spyware from China, India, and Russia that are spying on you!

Your contacts, banking information, even your location, is being intercepted by hackers abroad,

The cybersecurity experts Snoopwall (that conducted this study and are offering a free opensource “privacy flashlight”) are recommending that you don’t just uninstall these flashlight apps, because they leave behind trojans that still are functioning behind the scene and capturing your information.

So instead doing a backup of key information and then a factory reset of the smartphone is advised.

Pain in the you know what, but these flashlight apps are shining a light and compromising your personal information.

Snopes points out that the flashlight apps may be no more vulnerable to spyware than other apps you download and that perhaps the screening process from the app stores help to protect us somewhat.

When the cyber hackers decide to exploit those apps that are vulnerable, whether for political, military, or financial gain, it will likely be ugly and that flashlight or other app you use may prove much more costly than the download to get them. 😉

(Thank you Betty Monoker for sharing this.)

The *S*p*y* Named Snowden

So was Edward Snowden a whistleblower (some even call him a patriot) or one of the most ruthless spies this country has ever known?

An editorial in the Wall Street Journal by Edward Jay Epstein makes a strong case that Snowden was a spy galore, and the whistleblowing was his cover.
What he stole? – 1.7 million documents from the NSA with “only a minute fraction of them have anything to do with civil liberties or whistleblowing.” Instead, the vast majority “were related to our military capabilities, operations, tactics, techniques, and procedures”–otherwise known as the “keys to the kingdom.” Moreover, it seems clear that a “top priority was lists of the computers of U.S. adversaries abroad that the NSA has succeeded in penetrating.”
When he stole them? – Snowden took the Booz Allen Hamilton job as a contractor for NSA in March 2013–this was at the “tail end of his operation.” Moreover, the Foreign Surveillance Intelligence Act (FISA) court order for Verizon to provide metadata on U.S. phone calls for 90 days had only been issued in April 2013. And Snowden told reporter James Rosen in October 2013, that his last job at NSA gave him access to every active operation against the Chinese and “that is why I accepted the position.”
Where did Snowden end up? – First in Hong Kong and then under the protection of the FSB (aka the old KGB) in Russia, which “effectively compromises all the sources and methods” and ties all too nicely with what he stole. A former cabinet official has indicated that the Snowden heist was either Russian espionage, Chinese espionage, or a joint operation.
If Snowden really was a spy as indicated, then the Whistleblowing of domestic surveillance in the U.S. was a most brilliant ploy by his operators to distract our nation from the true nature of the exfiltration and the harm done to our national security. In a way, it falls right in line with Russia’s creative storyline/coverup in taking Crimea in saying that they were only protecting ethnic Russians. Score 2 for Russia!

Are we so easily lied to and manipulated…is public opinion really just jello in the hands of the global spymasters.

We’ve got to be smart enough (i.e. critical thinkers) to interpret the noise in the intelligence signals, political speeches, and news stories to unveil the truth of what is really going on. In advertising, when exposing the truth of products and companies, this is sometimes referred to as culture jamming. Can we apply this to the complicated intrigue of global politics and get past the storyline that is fed to us to expose truth?

It’s high time to outmaneuver those that may seek to manipulate the public (whether from outside or even sometimes from within) with some brilliance of our own–in not believing every snippet that is fed to us and instead looking at the bigger picture of political theater, special interests, and national security to see who is now zinging whom and why. 😉

(Source Photo: Andy Blumenthal)

Security Is A Joke!

Fascinating video with Dan Tentler on the Shodan Search Engine…which CNN calls the “scariest search engine on the Internet.”

The search engine crawls the Internet for servers, webcams, printers, routers, and every type of vulnerable device you can imagine.

It collects information on more than 500 million devices per month and that was as of last year, so it’s already probably a lot more.

Tentler shows the unbelievable amounts and type of things you can access with this, including our critical infrastructure for the country –from utilities to traffic lights, and power plants:

– Private webcams
– Bridges
– Freeways
– Data Centers
– Polycoms
– Fuel cells
– Wind farms
– Building controls for lighting, HVAC, door locks, and alarms
– Floor plans
– Power meters
– Heat pump controllers
– Garage doors
– Traffic control systems
– Hydroelectric plants
– Nuclear power plant controls
– Particle accelerators
– MORE!!!!

Aside from getting information on the IP address, description of the devices, locations (just plug the longitude and latitude into Google for a street location), you can often actually control these devices right from YOUR computer!

The information is online, open to the public, and requires no credentials.

– “It’s a massive security failure!”

– “Why is this stuff even online?”

Where is our cyber leadership????

>>>Where is the regulation over critical infrastructure?

If there is a heaven for hackers, this is it–shame on us. 😦

We’re Giving It All Away

Nice little video from Mandiant on “The anatomy of a cyber attack.”

Despite the typical firewalls, antivirus, and intrusion detection system, cyber attacks can and do penetrate your systems.

This happens through social engineering (including phishing attempts), automated spam, and zero-day exploits.

Once inside your network, the cyber attacker takes command and control of your computers, surveys your assets, steals user names and passwords, hijacks programs, and accesses valuable intellectual property.

Mandiant performs security incident response management (detecting breaches, containing it, and helping recovery efforts), and they are known for their report “APT1” (2013) exposing an alleged significant government-sponsored cyber espionage group that they state “has systematically stolen hundreds of terabytes of data from at least 141 organizations.”

Another fascinating report on a similar topic of advanced persistent threats was done by McAfee on Operation Shady Rat (2011) that reveals over 70 organizations (governments, commercial entities, and more) that were targeted over 5 years and had terabytes of information siphoned off.

The overall risk from cyber espionage is high and the McAfee report states:

– “Every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.”

– “What we have witnessed…has been nothing short of a historically unprecedented transfer of [intellectual] wealth – closely guarded national secrets…disappeared in the ever-growing electronic archived of dogged adversaries.”

In short we can’t keep a secret–we’re putting endless gobs and gobs of our information online and are not adequately protecting it in cyberspace, with the result that our adversaries are able to access, exfiltrate, disclose, modify, or destroy it.

In short, we’re giving it all away – why?

National State Of Cyber Insecurity

This video is a wake up call on the state of our national cyber insecurity.

It is the opening statement (about 6 minutes) of Chairman Michael McCaul (R-TX) of the Homeland Security Subcommittee of Oversight, Investigations, and Management.

What he describes is quite grave and every American should listen carefully about the state of our cyber insecurity that poses a real and significant threat to our economy and national security.

We are under attack by cyber criminals, terrorists, and hostile nation states.

Our adversaries seek to and can paralyze our critical infrastructure, steal our intellectual property, conduct espionage, and access our personal and financial information.

The collapse of our military networks, financial system, energy, transportation, and electricity “is not science fiction.”

The cyber attacks are “real, stealth, and persistent, and can devastate our nation.”

It is “not a matter of if, but when a Cyber Pearl Harbor will occur.”

And “we have been fortunate that up until this point that cyber attacks on our country have not caused a cataclysmic event.”

I read from the Center for Strategic and International Studies (2011) that cybersecurity has taken a back seat after 9/11 to the War on Terror as well as the economic fight after the recession of 2008, with the result that “the United States is unprepared to defend itself.”

Chairman McCaul critically states at the end of his opening statement, “Let’s do something meaningful [now] because it is not a tolerable situation!”

Insuring Against Cyber Attacks

More and more, our technology is at risk of a cyber attack.

In fact, just today the Wall Street Journal reported that Iran has hacked into the Navy’s unclassified network.

While we can fix the computers that were attacked, the damage done in terms of data exfiltration and malware infiltration is another matter.

To fix the computers, we can wipe them, swap out the drives, or actually replace the whole system.

But the security breaches still often impose lasting damage, since you can’t get the lost data or privacy information back or as they say “put the genie back in the bottle.”

Also, you aren’t always aware of hidden malware that can lie dormant, like a trojan horse, nor can you immediately contain the damage of a spreading computer virus, such as a zero-day attack.

According to Federal Times, on top of more traditional IT security precautions (firewalls, antivirus, network scanning tools, security settings, etc.), many organizations are taking out cybersecurity insurance policies.

With insurance coverage, you transfer the risk of cybersecurity penetrations to cover the costs of compromised data and provide for things like “breach notification to victims, legal costs and forensics, and investigative costs to remedy the breach.”

Unfortunately, because there is little actuarial data for calculating risks, catastrophic events such as “cyber espionage and attacks against SCADA industrial controls systems are usually not covered.

DHS has a section on their website that promotes cybersecurity insurance where they state that the Department of Commerce views cybersecurity insurance as an “effective, market-driven way of increasing cybersecurity,” because it promotes preventive measures and best practices in order to lower insurance premiums and limits company losses from an attack.

Moreover, according to the DHS Cybersecurity Insurance Workshop Readout Report (November 2012) cybersecurity insurance or risk transfer is the fourth leg of a comprehensive risk management framework that starts with risk acceptance, risk mitigation, and risk avoidance.

I really like the idea of cybersecurity insurance to help protect organizations from the impact of cybersecurity attacks and for promoting sound cybersecurity practices to begin with.

With cyber attacks, like with other catastrophes (fire, flood, accident, illness, and so on), we will never be able to fully eliminate the risks, but we can prepare ourselves by taking out insurance to help cover the costs of reconstituting and recovery.

Buying insurance for cybersecurity is not capitulating our security, but rather adding one more layer of constructive defense. 😉

(Source Photo: Andy Blumenthal)

iRobot For Your Windows

A Chinese company, Ecovacs, has developed a robot that cleans your windows–and it looks quite like an iRobot that cleans your floors.

You spray the cleaning pad, attach it to your window, and it senses that boundaries of the window and calculates a path to clean them.

The spray pad wipes them, the squeegee collects dampness, and another wipes it dry.

There are multiple safety features including dual suction rings, a safety pod with a tether, and an alarm if Winbot runs into problems.

The spray pads once used can be removed, washed, and dried for another cleaning run.

I like Winbot as long as it is just cleaning windows and not also looking in the window and listening to what you are doing to gain competitive advantages in a cyberspace that these days, knows few, if any, security bounds. 😉

Security Advisory For Architecture Drawings

Dark Reading (21 June 2012) came out with security news of a AutoCAD Worm called ACAD/Medre.A that targets design documents.

I also found warnings about this vulnerability at PC magazine (24 June 2012).

This malware was discovered by computer security firm ESET.

This is a serious exploitation in the industry leader for computer-aided design and drafting that is used to create most of our architectural blueprints.

Approximately 10,000 machines are said to have been affected in Peru and vicinity, with documents being siphoned off to email accounts in China.

With information on our architectural structure and designs for skyscrapers, government building, military installations, bridges, power plants, dams, communication hubs, transportation facilities, and more, our critical infrastructure would be seriously jeopardized.

This can even be used to steal intellectual property such as designs for innovations or even products pending patents.

This new malware is another example of how cyber espionage is a scary new reality that can leave us completely exposed from the inside out.

Need any more reason to “air gap” sensitive information and systems?

(Source Photo: here with attribution to Wade Rockett)

Cyberwar, You’re On

There was significant news this week about the U.S. and Israel making major inroads with cyberwar capabilities.

First, the New York Times today (1 June 2011) writes about alleged Bush and Obama administrations’ “increasingly sophisticated [cyber] attacks on the computer systems that run Iran’s main nuclear enrichment facilities”–sabotaging as many as a 1000 centrifuges, delaying their deadly program by as much as 2 years, as well as conducting cyber espionage to strengthen our negotiating hand.

The cyber offensive program code-named Olympic Games allegedly involved cyber weapons codeveloped by the United States’ National Security Agency and Israel’s advanced cyber corps, Unit 8200.

The malware included such programs such as Stuxnet, Duqu, and The Flame and according to Bloomberg BusinessWeek (30 May 2012) may date as far back to 2007.

These cyber attacks have been viewed as the best hope of slowing the Iranian’s sinister nuclear program while economic sanctions have a chance to bite.

Additionally cyber attacks were viewed preferentially over using traditional kinetic military options and potentially causing a regional war in the Middle-east.

At the same time, the use of cyber weapons is a double-edged sword–if we use it on others, this may encourage cyber proliferation and it’s eventual use on us–and as the NYT writes, “no country’s infrastructure is more dependent on computer systems and thus, more vulnerable to attack than the United States.”

Therefore, it was good to see in The Washington Post yesterday (30 May 2012) that the Pentagon’s Defense Advanced Research Projects Agency (DARPA) is pursuing Plan X–“ambitious efforts to develop technologies to improve its cyberwarfare capabilities, launch effective attacks, and withstand likely retaliation.”

“If they achieve it, they’re talking about being able to dominate the digital battlefield just like they do the traditional battlefield.”
The “five-year $110 million research program” is seeking to accomplish three major goals in arming U.S. Cyber Command at Fort Meade for cyber war:

1) Mapping Cyberspace–create realtime mapping of the entire cyberspace and all its devices for commanders to use in identifying targets and disabling them and seeing enemy attacks.

2) Building A Survivable O/S–Just like DARPA invented the Internet as a survivable messaging and communication system, so too, they want to develop a battle-ready operating system for our computers (like a tank) “capable of launching attacks and surviving counterattacks.”

3) Develop (Semi-)Autonomous Cyber Weapons–so cyber commanders can engage in “speed-of-light attacks and counterattacks using preplanned scenarios that do not involve human operators manually typing in code.”

Just to be clear, with cyber warfare, we are not just talking about computers taking out other computers–and end there, but rather this is where computers take out computers that are controlling critical infrastructure such as the power grid, transportation systems, financial systems, supply chain, command, control, and communications, weapons systems, and more.

“Cyberwar could be more humane than pulverizing [targets]…with bombs,” but I doubt it will be.

Imagine, virtually everything you know coming to a complete halt–utter disruption and pandemonium–as well as the physical effects of that which would ensue–that’s what cyber war is all about–and it is already on the way.

So as, Richard M. George, a former NSA cyberdefense official stated: “Other countries are preparing for a cyberwar. If we’re not pushing the envelope in cyber, somebody else will.”

It is good to see us getting out in front of this cyber security monster–let’s hope, pray, and do everything we can to stay on top as the cyberspace superpower.

(Source Photo: Andy Blumenthal taken of mural at National Defense University, Washington D.C.)