People Are Our Greatest Asset, Goodbye!


The Chinese are smart and talented, and there is a cyberwar going on. 


They are suspected of having just stolen the personnel information of 4 million federal government workers.


And there are 4.2 million active, including 1.5 million military personnel. 


So if, as they are apt to say, “people are our greatest asset”…


…then we just sort of lost the CROWN JEWELS in terms of highly personal, sensitive, and critical information on the people that handle everything from defense and diplomacy to the economy, energy, the environment, justice, and health and wellbeing. 


Oops!


This is getting scary folks. 


When the adversary through cyber (and other) espionage can know our people, our technology, our communications, virtually everything…then we got some big vulnerabilities!


If we can’t defend ourselves adequately (at least for now), I hope at least we are doing okay on the offense! 😉


(Source Photo: Andy Blumenthal)

Shining A Light On Your Privacy


Check out this special report…



~Half a billion~ downloads of the top 10 Flashlight Apps–the ones we all have on our smartphones–and guess what?



All/most are malware/spyware from China, India, and Russia that are spying on you!



Your contacts, banking information, even your location, are being intercepted by hackers abroad.



The cybersecurity experts at SnoopWall (who conducted this study and are offering a free open-source “privacy flashlight”) recommend that you don’t just uninstall these flashlight apps, because they leave behind trojans that still function behind the scenes and capture your information.



So instead, doing a backup of key information and then a factory reset of the smartphone is advised.



Pain in the you know what, but these flashlight apps are shining a light and compromising your personal information.



Snopes points out that the flashlight apps may be no more vulnerable to spyware than other apps you download and that perhaps the screening process from the app stores helps to protect us somewhat.



When the cyber hackers decide to exploit those apps that are vulnerable, whether for political, military, or financial gain, it will likely be ugly and that flashlight or other app you use may prove much more costly than the download to get them. 😉



(Thank you Betty Monoker for sharing this.)

The *S*p*y* Named Snowden


So was Edward Snowden a whistleblower (some even call him a patriot) or one of the most ruthless spies this country has ever known?

An editorial in the Wall Street Journal by Edward Jay Epstein makes a strong case that Snowden was a spy galore, and the whistleblowing was his cover.
What he stole? – 1.7 million documents from the NSA with “only a minute fraction of them have anything to do with civil liberties or whistleblowing.” Instead, the vast majority “were related to our military capabilities, operations, tactics, techniques, and procedures”–otherwise known as the “keys to the kingdom.” Moreover, it seems clear that a “top priority was lists of the computers of U.S. adversaries abroad that the NSA has succeeded in penetrating.”
When he stole them? – Snowden took the Booz Allen Hamilton job as a contractor for NSA in March 2013–this was at the “tail end of his operation.” Moreover, the Foreign Intelligence Surveillance Act (FISA) court order for Verizon to provide metadata on U.S. phone calls for 90 days had only been issued in April 2013. And Snowden told reporter James Rosen in October 2013 that his last job at NSA gave him access to every active operation against the Chinese and “that is why I accepted the position.”
Where did Snowden end up? – First in Hong Kong and then under the protection of the FSB (aka the old KGB) in Russia, which “effectively compromises all the sources and methods” and ties all too nicely with what he stole. A former cabinet official has indicated that the Snowden heist was either Russian espionage, Chinese espionage, or a joint operation.
If Snowden really was a spy as indicated, then the whistleblowing of domestic surveillance in the U.S. was a most brilliant ploy by his operators to distract our nation from the true nature of the exfiltration and the harm done to our national security. In a way, it falls right in line with Russia’s creative storyline/coverup in taking Crimea in saying that they were only protecting ethnic Russians. Score 2 for Russia!

Are we so easily lied to and manipulated…is public opinion really just jello in the hands of the global spymasters?

We’ve got to be smart enough (i.e. critical thinkers) to interpret the noise in the intelligence signals, political speeches, and news stories to unveil the truth of what is really going on. In advertising, when exposing the truth of products and companies, this is sometimes referred to as culture jamming. Can we apply this to the complicated intrigue of global politics and get past the storyline that is fed to us to expose truth?

It’s high time to outmaneuver those that may seek to manipulate the public (whether from outside or even sometimes from within) with some brilliance of our own–in not believing every snippet that is fed to us and instead looking at the bigger picture of political theater, special interests, and national security to see who is now zinging whom and why. 😉

(Source Photo: Andy Blumenthal)

Security Is A Joke!

Fascinating video with Dan Tentler on the Shodan Search Engine…which CNN calls the “scariest search engine on the Internet.”

The search engine crawls the Internet for servers, webcams, printers, routers, and every type of vulnerable device you can imagine.

It collects information on more than 500 million devices per month and that was as of last year, so it’s already probably a lot more.

Tentler shows the unbelievable amount and types of things you can access with this, including our critical infrastructure for the country–from utilities to traffic lights, and power plants:

– Private webcams
– Bridges
– Freeways
– Data Centers
– Polycoms
– Fuel cells
– Wind farms
– Building controls for lighting, HVAC, door locks, and alarms
– Floor plans
– Power meters
– Heat pump controllers
– Garage doors
– Traffic control systems
– Hydroelectric plants
– Nuclear power plant controls
– Particle accelerators
– MORE!!!!

Aside from getting information on the IP address, description of the devices, locations (just plug the longitude and latitude into Google for a street location), you can often actually control these devices right from YOUR computer!

The information is online, open to the public, and requires no credentials.

– “It’s a massive security failure!”

– “Why is this stuff even online?”

Where is our cyber leadership????

>>>Where is the regulation over critical infrastructure?

If there is a heaven for hackers, this is it–shame on us. 😦

We’re Giving It All Away

Nice little video from Mandiant on “The anatomy of a cyber attack.”

Despite the typical firewalls, antivirus, and intrusion detection system, cyber attacks can and do penetrate your systems.

This happens through social engineering (including phishing attempts), automated spam, and zero-day exploits.

Once inside your network, the cyber attacker takes command and control of your computers, surveys your assets, steals user names and passwords, hijacks programs, and accesses valuable intellectual property.

Mandiant performs security incident response management (detecting breaches, containing them, and helping recovery efforts), and they are known for their report “APT1” (2013) exposing an alleged significant government-sponsored cyber espionage group that they state “has systematically stolen hundreds of terabytes of data from at least 141 organizations.”

Another fascinating report on a similar topic of advanced persistent threats was done by McAfee on Operation Shady Rat (2011) that reveals over 70 organizations (governments, commercial entities, and more) that were targeted over 5 years and had terabytes of information siphoned off.

The overall risk from cyber espionage is high and the McAfee report states:

– “Every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.”

– “What we have witnessed…has been nothing short of a historically unprecedented transfer of [intellectual] wealth – closely guarded national secrets…disappeared in the ever-growing electronic archives of dogged adversaries.”

In short we can’t keep a secret–we’re putting endless gobs and gobs of our information online and are not adequately protecting it in cyberspace, with the result that our adversaries are able to access, exfiltrate, disclose, modify, or destroy it.

In short, we’re giving it all away – why?

National State Of Cyber Insecurity

This video is a wake up call on the state of our national cyber insecurity.

It is the opening statement (about 6 minutes) of Chairman Michael McCaul (R-TX) of the Homeland Security Subcommittee of Oversight, Investigations, and Management.

What he describes is quite grave and every American should listen carefully about the state of our cyber insecurity that poses a real and significant threat to our economy and national security.

We are under attack by cyber criminals, terrorists, and hostile nation states.

Our adversaries seek to and can paralyze our critical infrastructure, steal our intellectual property, conduct espionage, and access our personal and financial information.

The collapse of our military networks, financial system, energy, transportation, and electricity “is not science fiction.”

The cyber attacks are “real, stealth, and persistent, and can devastate our nation.”

It is “not a matter of if, but when a Cyber Pearl Harbor will occur.”

And “we have been fortunate that up until this point that cyber attacks on our country have not caused a cataclysmic event.”

I read from the Center for Strategic and International Studies (2011) that cybersecurity has taken a back seat after 9/11 to the War on Terror as well as the economic fight after the recession of 2008, with the result that “the United States is unprepared to defend itself.”

Chairman McCaul critically states at the end of his opening statement, “Let’s do something meaningful [now] because it is not a tolerable situation!”

Insuring Against Cyber Attacks


More and more, our technology is at risk of a cyber attack.

In fact, just today the Wall Street Journal reported that Iran has hacked into the Navy’s unclassified network.

While we can fix the computers that were attacked, the damage done in terms of data exfiltration and malware infiltration is another matter.

To fix the computers, we can wipe them, swap out the drives, or actually replace the whole system.

But the security breaches still often impose lasting damage, since you can’t get the lost data or privacy information back or as they say “put the genie back in the bottle.”

Also, you aren’t always aware of hidden malware that can lie dormant, like a trojan horse, nor can you immediately contain the damage of a spreading computer virus, such as a zero-day attack.

According to Federal Times, on top of more traditional IT security precautions (firewalls, antivirus, network scanning tools, security settings, etc.), many organizations are taking out cybersecurity insurance policies.

With insurance coverage, you transfer the risk of cybersecurity penetrations to cover the costs of compromised data and provide for things like “breach notification to victims, legal costs and forensics, and investigative costs to remedy the breach.”

Unfortunately, because there is little actuarial data for calculating risks, catastrophic events such as “cyber espionage and attacks against SCADA industrial controls systems” are usually not covered.

DHS has a section on their website that promotes cybersecurity insurance where they state that the Department of Commerce views cybersecurity insurance as an “effective, market-driven way of increasing cybersecurity,” because it promotes preventive measures and best practices in order to lower insurance premiums and limits company losses from an attack.

Moreover, according to the DHS Cybersecurity Insurance Workshop Readout Report (November 2012) cybersecurity insurance or risk transfer is the fourth leg of a comprehensive risk management framework that starts with risk acceptance, risk mitigation, and risk avoidance.

I really like the idea of cybersecurity insurance to help protect organizations from the impact of cybersecurity attacks and for promoting sound cybersecurity practices to begin with.

With cyber attacks, like with other catastrophes (fire, flood, accident, illness, and so on), we will never be able to fully eliminate the risks, but we can prepare ourselves by taking out insurance to help cover the costs of reconstituting and recovery.

Buying insurance for cybersecurity is not capitulating our security, but rather adding one more layer of constructive defense. 😉

(Source Photo: Andy Blumenthal)