Data 4 Ransom

The future of cybercrime will soon be the almost routine taking of your personal and corporate data hostage.


Once the hacker has control of it, with or without exfiltration, they will attach malware to it–like a ticking time bomb.


A simple threat will follow:


“I have your data. Either you pay for your data back unharmed OR your data will become vaporware! You have one hour to decide. If you call the authorities, your data is history.”


So how valuable is your data to you?  


– Your personal information–financial, medical, legal, sentimental things, etc.


– Your corporate information–proprietary trade secrets, customer lists, employee data, more.


How long would it take you to reconstitute if it’s destroyed?  How about if instead it’s sold and used for identity theft or to copy your “secret sauce” (i.e. competitive advantage) or maybe even to surpass you in the marketplace? 


Data is not just inert…it is alive!


Data is not just valuable…often it’s invaluable!


Exposed in our networks or the cloud, data is at risk of theft, distortion, or even ultimate destruction. 


When the time comes, how much will you pay to save your data?


(Source Comic: Andy Blumenthal)

Six Internet Creepoids To Beware Of

There are a lot of basket cases out there–both in the physical world and in the virtual one.

The New York Times today has an article by Henry Alford about people who act or are mainly just perceived as creepy online.

He gives examples of people who take out their smartphones (with cameras) in the locker room, who show their online photos and whoops there’s an indecent doozie, who mistakenly send a critical email to the wrong person or distribution list, who say the wrong thing online because of autocorrect or autofill, and who act the detective looking up too much information about others.

At the end, Alford calls for “more tolerance toward the gaffe-makers.”

And while we should be good people and forgive genuine mistakes, some things are not accidents and deserve the seal of “ick!”

Here’s the list of 6 Internet Creepoids to seriously beware of:

1) Overly Cyber Friendly or Familiar: People who chat, text, email, or comment in a way that portrays an inappropriate knowing or intimacy with others.

2) Cyber Stalkers: Those who follow, friend, monitor, or harass others on the Internet in an unsolicited, unwanted, or obsessive way.

3) Internet Trolls: Individuals who giddily sow discord with argumentative, inflammatory or extraneous messages online narcissistically or just to be jerks.

4) Cyber Exhibitionists or Voyeurs: People who inappropriately or compulsively expose themselves or watch others naked or engaged in sexual activity online.

5) Cyber Impersonators or Identity Thieves: Those who falsify their identities by exaggerating or masking their true selves, pretend to be someone else, or otherwise steal someone’s online identity.

6) Cyber Freaks: Individuals who behave online in extremely unusual, unexpected, and frightening ways.

So while some things are innocent or accidentally creepy and come from otherwise nice and decent people, other actions are genuinely creepy and come from the real online creepoids. 😉

(Source Photo: Andy Blumenthal)

Balancing Cybersecurity And Citizen Freedom

There is a very interesting discussion of the protection of Federal Networks and the Fourth Amendment in “Cybersecurity, Selected Legal Issues,” Congressional Research Service (CRS) Report for Congress (3 May 2012).

The Department of Homeland Security (DHS) in conjunction with the National Security Agency (NSA) rolled out EINSTEIN, an intrusion detection system (IDS) in early iterations, and later an intrusion prevention system (IPS) at all Internet points of presence (POPs) for the government.

The system works through copying, storage, and deep packet inspection of not only the metadata for addressing information, but also the actual contents of the flow. This handling is necessary in order to identify suspicious malware signatures and behavior and alert the United States Computer Emergency Response Team (US-CERT) in order to block, quarantine, clean, and respond to the attacks and share information about these.

However, the civil liberties and privacy issue with EINSTEIN is that according to the Fourth Amendment, we are protected from unreasonable searches and seizures. Thus, there are concerns about the violation of the Fourth Amendment, when DHS monitors and inspects addressing and content of all email and Internet communications to and from federal agency employees and the public–including not only from government email accounts and systems, but also from private email accounts such as Yahoo and Gmail and social media sites like Facebook and Twitter.

The justification for the use of EINSTEIN includes:

1. The government cannot reasonably get warrants in real time in order to safeguard the federal network and systems at the speed that the attacks are occurring.

2. The government places banners and user agreements on all Federal networks notifying users of monitoring, so there is no expectation of privacy in the communications.

3. The monitoring is conducted only for malicious computer activity and not for other unlawful activities—so “clean” traffic is promptly removed from the system.

4. Privacy protections are ensured through review mechanisms, including Attorney General and Director of National Intelligence (DNI) reporting to Congress every six months and a sunset provision requiring monitoring reauthorization every four years.

This tension between monitoring of Federal networks and traffic and civil liberties and privacy is a recurring issue when it comes to cybersecurity. On one hand, we want cybersecurity, but on the other hand, we are anxious about this security infringing on our freedoms—whether freedom of expression, from search and seizure, from surveillance, or from potentially costly regulation, stifling innovation, and so forth. It is this tension that has stalled many cybersecurity bills such as the Stop Online Piracy Act (SOPA), Cyber Intelligence Sharing and Protection Act (CISPA), The Computer Security Act of 2012 and more.

In the absence of a clear way forward with legislation to regulate and enforce, or incentivize, standards and best practices for cybersecurity, particularly for critical infrastructure protection, as well as information sharing, the White House released Presidential Policy Directive/PPD-21 on Critical Infrastructure Security and Resilience to establish DHS and other federal agency roles in cybersecurity and to manage these on a risk-based model, so that critical infrastructure is identified, prioritized, assessed, and secured accordingly.

While PPD-21 is a step in the right direction, it is an ongoing challenge to mediate a balance between maintaining our values and constitutional freedoms, while at the same time securing cyberspace.

One thought is that perhaps we can model cybersecurity after the Posse Comitatus Act of 1878 that separated federal military from domestic national guard and law enforcement powers. Using this model, we can create in cyberspace a separation of cybersecurity from our borders outward by the federal government, and within the domestic private networks by our national guard and law enforcement.

Thus, we can create stronger security radiating out at the national periphery, while maintaining our important freedoms within, but always working together to identify and neutralize any and all threats to cyberspace. 😉

(Source Photo: Andy Blumenthal)