Cybersecurity Vulnerabilities Database


There is a very useful article in Bloomberg about how the U.S. is taking too long to publish cybersecurity vulnerabilities. 


And the longer we take to publish the vulnerabilities with the patch/fix, the more time the hackers have to exploit it!


Generally, the U.S. is lagging China in publishing the vulnerabilities by a whopping 20 days!


Additionally, China’s database has thousands of vulnerabilities identified that don’t appear in the U.S. version. 


Hence, hackers can find the vulnerabilities on the Chinese database and then have almost three weeks or more to target our unpatched systems before we can potentially catch up in not only publishing but also remediating them. 


Why the lag and disparity in reporting between their systems and ours?


China uses a “wider variety of sources and methods” for reporting, while the U.S. process focuses more on ensuring the reliability of reporting sources–hence, it’s a “trade-off between speed and accuracy.”


For reference: 


The Department of Commerce’s National Institute of Standards and Technology publishes the vulnerabilities in the National Vulnerability Database (NVD).


And the NVD is built off of a “catalog of Common Vulnerabilities and Exposures (CVEs) maintained by the nonprofit Mitre Corp.”


Unfortunately, when it comes to cybersecurity, speed is critical.


If we don’t do vastly better, we can be cyber “dead right” before we even get the information that we were vulnerable and wrong in our cyber posture to begin with.  😉


(Source Photo: Andy Blumenthal)

Your Score Is Your Life


Absolutely fascinating article in the Washington Post

China is working on a plan to use big data to score people on their social behavior. 

Every interaction you make in life either increments or decrements your social score. 

Your social score determines how trustworthy you are. 

The social score would vacuum up data from the “courts, police, banking, tax, and employment records.”

People in service professions like teachers, doctors, and businesspeople could be scored for their professionalism. 

Doing positive social actions like caring for the elderly earns you added points, and doing negative social actions like DUI or running a red light subtracts points from your score. 

As the score includes more and more data feeds over time, you could eventually be scored for doing your homework, chores in the home, how you treat your wife and children, the community service you do, how hard you perform at work, how you treat people socially and on dates, whether you are fair in your business dealings and treat others well, whether you do your religious duties, and so on. 

People can get rated for just about everything they do.

And these ratings get aggregated into your social score. 

The score is immediately available to everyone, so they know how good or bad you are on a scale of 1 to 1,000.

If you think people are stressed out now, can you imagine having to worry about everything you do, how you will be rated for it, and how it can affect your score and your future? 

If you have a bad score, say goodbye to opportunities for education, employment, loans, friends, and marriage prospects. 

Imagine people held hostage by others threatening to give you a bad score because they don’t like you, are racist, or for blackmail. 

What about society abusing this power to get you not only to follow positive social norms, but to enforce on you certain political leanings, religious followings, or policy endorsements? 

Social scores could end up meaning the ultimate in social control. 

Personal scores can manipulate your behavior by being rewarding or punitive and rehabilitative to whatever end the scoring authorities dictate. 

Moreover, hackers or the people who control the big data machinery could destroy your life in a matter of milliseconds. 

So this is what it comes down to: You are your score!

Play along and do what you are told to do…you are the Borg and you will follow. 

Conform or you are dead by number!

Transparency is everywhere. 

Pluses and minuses every day. 

What is my score today? 

Today, I am desirable and successful, and tomorrow, I am disregarded and a loser. 

Please don’t kill my score.

Please don’t destroy me. 

Please, I will be socially good. 

Please, I will not resist. 😉

(Source Graphic: Andy Blumenthal)

Preventing Cyber Disaster


So I liked this ad from Palo Alto Networks on the side of the bus, over the windows:

“Dinosaurs react.
Professionals prevent.”

That’s some very good marketing for a cyber security company.


It’s almost a daily occurrence now to hear about the infiltrations into our networks and the exfiltrations or manipulations of data that are taking place across government and industry.


Just today, another NSA contractor was accused of stealing highly classified computer code.


The day before, Guccifer 2.0 and WikiLeaks released a trove of stolen documents from the Clinton Foundation.


And again, J&J reveals that its insulin pump is vulnerable to hacking, following allegations in August that St. Jude heart devices were subject to life-threatening hacking. 


Certainly, we can’t afford to sit back and wait to react to the next attack…damage control and remediation is much harder than getting out in front of the problem in the first place. 


Prevention and deterrence are really the only solution…keep the hackers out and make sure they know that if they mess with us and our systems, we can identify who they are, find them, and take them out. 


These are the capabilities we need and must employ to dominate the cyber realm. 


In the presidential debates, candidates struggled to articulate how to deal with cybersecurity.


But this is not a game of cyberopoly; rather, national security, critical infrastructure, vital intellectual property, and our economy are at risk. 


Giving away Internet control and trying to plug leaks after the fact on a sinking cyber ship is no way to manage our vital technology resources.


It’s high time for the equivalent Cold War determination and investment that ensures we win a free and safe cyberspace with all our networks and data intact. 


This is the only way that we don’t go the way of the dinosaurs. 😉


(Source Photo: Andy Blumenthal)

My Ashley Madison

So Ashley Madison is now a well-known adulterous website, particularly after hackers stole 37 million records on the site’s participants and released that information to the public.


These tens of millions of users seek companionship for loveless or sexless marriages or perhaps are just plain liars and cheaters–who knows? 


But yikes, now everyone knows!


Huffington reports that divorce lawyers are anticipating a deluge of new clients seeking divorces.


And BBC reports that two people have already taken their lives in Canada as a result of the release. 


What is incredible as well are the 15,000 people who used their .gov or .mil accounts presumably to hide their infidelity from their spouses, but now are in potentially huge trouble with their government agencies.


I assume that Ashley Madison prided themselves on their discretion in handling their clients’ accounts, but lo and behold, the discretion is for naught, compliments of some very naughty hackers. 


Privacy is becoming a very lonely and meaningless word whether you are faithful or a cheater–it’s all open fodder on the net. 😉


(Source Photo: Andy Blumenthal)

tURNING yOUR dEVICE aGAINST yOU!

So, interesting article in the BBC about Samsung’s “Listening TV.”



This TV has voice-activated controls, and they don’t just take commands, but…



“If your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”



So aside from hackers (and spies) being able to turn your phone and computer mics, cameras, and GPS location data on and off to surveil and eavesdrop on you, now the dumb television set can listen in as well. 



You can be heard, seen, and found…whether you know it or not. 😉



(Source Photo: Andy Blumenthal with eyes and ears from here and here with attribution to Firas and Simon James)

Data 4 Ransom


The future of cybercrime will soon become the almost routine taking of your personal and corporate data as hostage. 


Once the hacker has control of it, with or without exfiltration, they will attach malware to it–like a ticking time bomb.


A simple threat will follow:


“I have your data. Either you pay for your data back unharmed OR your data will become vaporware! You have one hour to decide. If you call the authorities, your data is history.”


So how valuable is your data to you?  


– Your personal information–financial, medical, legal, sentimental things, etc.


– Your corporate information–proprietary trade secrets, customer lists, employee data, more.


How long would it take you to reconstitute if it’s destroyed?  How about if instead it’s sold and used for identity theft or to copy your “secret sauce” (i.e. competitive advantage) or maybe even to surpass you in the marketplace? 


Data is not just inert…it is alive!


Data is not just valuable…often it’s invaluable!


Exposed in our networks or the cloud, data is at risk of theft, distortion, or even ultimate destruction. 


When the time comes, how much will you pay to save your data?


(Source Comic: Andy Blumenthal)

Shining A Light On Your Privacy


Check out this special report…



~Half a billion~ downloads of the top 10 Flashlights Apps–the ones we all have on our smartphones–and guess what?



All/most are malware/spyware from China, India, and Russia that are spying on you!



Your contacts, banking information, even your location, are being intercepted by hackers abroad.



The cybersecurity experts Snoopwall (who conducted this study and are offering a free open-source “privacy flashlight”) are recommending that you don’t just uninstall these flashlight apps, because they leave behind trojans that are still functioning behind the scenes and capturing your information.



So instead, doing a backup of key information and then a factory reset of the smartphone is advised.



Pain in the you know what, but these flashlight apps are shining a light and compromising your personal information.



Snopes points out that the flashlight apps may be no more vulnerable to spyware than other apps you download, and that perhaps the screening process from the app stores helps to protect us somewhat.



When the cyber hackers decide to exploit those apps that are vulnerable, whether for political, military, or financial gain, it will likely be ugly and that flashlight or other app you use may prove much more costly than the download to get them. 😉



(Thank you Betty Monoker for sharing this.)

Data Like Clouds

So data is like clouds…



Clouds want to be free roaming the wild blue skies similar to how data wants to be searchable, accessible, useful, and so on. 



But with data, like clouds, when it rains it pours–and when data blows about with the windstorm and is compromised in terms of security or privacy, then we not only come away wet but very uncomfortable and unhappy. 



Then, as we actually end up putting our data in the great computing clouds of the likes of Amazon, iCloud, HP, and more, the data is just within arm’s reach of the nearest smartphone, tablet, or desktop computer. 



But just as we aspire to reach to the clouds–and get to our data–others less scrupulous (cyber criminals, terrorists, and nation states) seek to grab some of that oh so soft, white cloud data too.



While you may want to lock your data cloud in a highly secure double vault, unfortunately, you then won’t be able to get to it quickly and easily…it’s a trade-off between security and accessibility. 



And leaving the doors wide open doesn’t work either, because then no one even needs an (encryption) key to get in. 



So that’s our dilemma–open data, but secured storage–white, soft, beautiful clouds wisping overhead, but not raining data on our organizational and personal parades. 😉



(Source Photo: Andy Blumenthal)

Safely Detonate That Malware

I like the potential of the FireEye Malware Protection System (MPS).

Unlike traditional signature-based malware protections like antivirus, firewalls, and intrusion prevention systems (IPS), FireEye is an additional security layer that uses a dynamic Multi-Vector Virtual Execution (MVX) engine to detonate even zero-day attacks from suspicious files, web pages, and email attachments.

According to Bloomberg Businessweek, Target’s implementation of FireEye detected the malware attack on Nov 30, 2013 and alerted security officials, but allegedly “Target stood by as 40 million credit card numbers–and 70 million addresses, phone numbers, and other pieces of personal information–gushed out of its mainframes” over two weeks!

In fact, FireEye could’ve been set to “automatically delete [the] malware as it’s detected” without human intervention, but Target’s team apparently “turned that function off.”

FireEye works by “creating a parallel computer network on virtual machines,” and before files reach their endpoint, they pass through FireEye’s technology. Here they are “fooled into thinking they’re in real computers,” so the files can be scanned and attacks spotted in safe “detonation chambers.”

Target may have been way off target in the way they bungled their security breach, but using FireEye properly, it is good to know that attacks like this potentially can be thwarted in the future. 😉

[Note: this is not an endorsement of any product or vendor]

Security Is A Joke!

Fascinating video with Dan Tentler on the Shodan Search Engine…which CNN calls the “scariest search engine on the Internet.”

The search engine crawls the Internet for servers, webcams, printers, routers, and every type of vulnerable device you can imagine.

It collects information on more than 500 million devices per month and that was as of last year, so it’s already probably a lot more.

Tentler shows the unbelievable amount and types of things you can access with this, including our country’s critical infrastructure–from utilities to traffic lights and power plants:

– Private webcams
– Bridges
– Freeways
– Data Centers
– Polycoms
– Fuel cells
– Wind farms
– Building controls for lighting, HVAC, door locks, and alarms
– Floor plans
– Power meters
– Heat pump controllers
– Garage doors
– Traffic control systems
– Hydroelectric plants
– Nuclear power plant controls
– Particle accelerators
– MORE!!!!

Aside from getting information on the IP address, a description of the device, and its location (just plug the longitude and latitude into Google for a street location), you can often actually control these devices right from YOUR computer!

The information is online, open to the public, and requires no credentials.

– “It’s a massive security failure!”

– “Why is this stuff even online?”

Where is our cyber leadership????

>>>Where is the regulation over critical infrastructure?

If there is a heaven for hackers, this is it–shame on us. 😦