Can You Trust Social Media?


An interesting article in the BBC describes a project underway to develop a system that will rate information on the Internet as trustworthy or not.

Considering how quickly we get information from the Net and how easy it is to start crazy rumors, manipulate financial investors, or even cause a near panic, it would be good to know whether the source is legitimate and the information has been validated.

Are we simply getting someone mouthing off on their opinions or what they think may happen or perhaps they are unknowingly spreading false information (misinformation) or even purposely doing it (disinformation)?

Depending on how the Internet is being used–someone may be trying to get the real word out to you (e.g. from dissidents in repressive regimes) or they may be manipulating you (e.g. hackers, criminals, or even terrorists).

To have a reliable system that tells us if information being promulgated is good or not could add some credibility and security online.

What if, though, that system itself is hacked? Then lies can perhaps be “verified” as truth and truth can be discredited as falsehood.

The Internet is dangerous terrain, and as in life in general, it is best to take a cautious approach and verify both source and message.

The next cyber or kinetic attack may start not with someone bringing down the Internet, but rather with using it to sow confusion and disarm the masses with chaos. 😉

(Source Photo: Andy Blumenthal)

Remodulate The Shields For Cyber Security

I really like the concept for Cyber Security by Shape Security.

They have an appliance called a ShapeShifter that uses polymorphism to constantly change a website’s code in order to prevent scripted botnet attacks–even as the web pages themselves maintain their look and feel.

In essence they make the site a moving target, rather than a sitting duck.
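Here is an added example, written for this post and not Shape Security's product code, of the moving-target idea in miniature: the server derives a fresh set of form field names for every page render from a secret key and a random nonce, and translates them back when the form is submitted. The application, the field names, the nonce scheme and the replay guard are all assumptions made for the illustration.

```python
import hmac
import hashlib
import secrets
from html import escape
from typing import Dict, Optional, Set, Tuple

# Logical fields the application understands. These names never appear in the
# rendered HTML; only per-render aliases do. (Constructed for this example.)
LOGICAL_FIELDS = ("username", "password", "otp")

# Constructed for this example: in a deployment this is a per-site secret.
SERVER_KEY = secrets.token_bytes(32)


def alias(field: str, nonce: str, key: bytes = SERVER_KEY) -> str:
    """Derive the field name to use for one render.

    Keyed with the server secret so a client cannot compute aliases for a nonce
    of its own choosing; the nonce changes every render, so the names change too.
    """
    mac = hmac.new(key, f"{nonce}:{field}".encode(), hashlib.sha256).digest()
    return "f_" + mac[:8].hex()  # leading letter keeps it a valid HTML name


def render_form(nonce: Optional[str] = None, key: bytes = SERVER_KEY) -> Tuple[str, str]:
    """Return (nonce, html). The nonce rides along in a hidden field so the
    server can recompute the same aliases when the form comes back."""
    nonce = nonce or secrets.token_hex(16)
    rows = [f'<input type="hidden" name="n" value="{escape(nonce)}">']
    for field in LOGICAL_FIELDS:
        # The human-visible label stays stable (look and feel unchanged);
        # only the name the browser submits changes per render.
        rows.append(f'<label>{escape(field.title())} '
                    f'<input name="{alias(field, nonce, key)}"></label>')
    return nonce, "\n".join(rows)


def decode_submission(form: Dict[str, str], key: bytes = SERVER_KEY,
                      seen_nonces: Optional[Set[str]] = None) -> Dict[str, str]:
    """Translate submitted aliases back to logical names.

    A submission whose field names were not derived from its own nonce (a script
    replaying names it scraped from an earlier render, or guessing 'username')
    is rejected. If a seen_nonces set is supplied, each nonce is accepted once,
    so a captured form cannot be replayed wholesale either.
    """
    nonce = form.get("n", "")
    if seen_nonces is not None:
        if nonce in seen_nonces:
            raise ValueError("replayed nonce")
        seen_nonces.add(nonce)
    mapping = {alias(field, nonce, key): field for field in LOGICAL_FIELDS}
    decoded: Dict[str, str] = {}
    for name, value in form.items():
        if name == "n":
            continue
        logical = mapping.get(name)
        if logical is None:
            raise ValueError(f"unexpected field {name!r}: stale or scripted submission")
        decoded[logical] = value
    return decoded


if __name__ == "__main__":
    nonce, html = render_form()
    print(html)  # field names differ on every run
    form = {"n": nonce, alias("username", nonce): "alice", alias("password", nonce): "hunter2"}
    print(decode_submission(form))
```

A script written against `name="username"` fails on its first request; one that scrapes the names from a fresh render on every attempt must fetch the page each time, which is slower and far easier to rate-limit and detect. Renaming fields is only one layer: a bot can still anchor on the visible label text or DOM position, and a human attacker with a browser is unaffected, which is exactly the point of the approach: it raises the cost of automation, not of a single manual attempt.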

This is like Star Trek’s modulating shield frequencies that would prevent enemies from obtaining the frequency of the shield emitters so they could then modify their weapons to bypass the shield and get in a deadly attack.

In real life, as hackers readily change their malware, attack vectors, and social engineering tactics, we need to be agile and adapt faster than the enemy to thwart them.

Changing defense tactics has also been used by agencies like Homeland Security to alter screening methods and throw potential terrorists off from a routine that could be more easily overcome.

I think the future of IT Security really lies in the shapeshifter strategy, where the enemy can’t easily penetrate our defenses, because we’re moving so fast that they can’t even find our vulnerabilities and design an effective attack before we change it and up our game again.

And hence, the evil Borg will be vanquished… 😉

Catching More Flies With Honey


There’s an old saying that you can catch more flies with honey than with vinegar.

And this is true in cyberspace as well…

Like a honey pot that attracts cyber criminals, organizations are now hiring “ethical hackers” to teach employees a lesson, before the bad guys teach them the hard way.

The Wall Street Journal (27 March 2013) reports that ethical hackers lure employees to click on potentially dangerous email links and websites, get them to provide physical access to data centers and work site computers, or give up passwords or other compromising information through social engineering.

The point of this is not to make people feel stupid when they fall for the hack–although they probably do–but rather to show the dangers out there in cyberspace and to impress on them to be more careful in the future.

One ethical hacker company sends an email with a Turkish Angora cat (code-named Dr. Zaius) promising more feline photos if people just click on the link. After sending this to 2 million unsuspecting recipients, 48% actually fell for the trick and ended up with a stern warning coming up on their screen from the cyber security folks.

Another dupe is to send a faux email seemingly from the CEO or another colleague, so that recipients feel safe, but with an unsafe web link, and see how many fall for it.

While I think it is good to play devil’s advocate and teach employees by letting them make mistakes in a safe way, I do not think that the people who fell for it should be named or reported; it should be a private learning experience, not a shameful one!

The best part of the article was the ending from a cyber security expert at BT Group, who said that rather than “waste” money on awareness training, we should be building systems that don’t let users choose weak passwords and don’t care what links they click; the users are protected regardless!

I think this is a really interesting notion–not that we can ever assume that any system is ever 100% secure or that situational awareness and being careful should ever be taken for granted, but rather that we need to build a safer cyberspace–where every misstep or mistake doesn’t cost you dearly in terms of compromised systems and privacy. 😉

(Source Photo: Dannielle Blumenthal)

One-Two-Three Punch For Cyber Security


Here are three crafty ideas for improving our cyber security that can be used to protect, prevent, and recover from attacks:

1) Intrusion Deception (not detection)–Mykonos Software aims to protect websites by putting up a virtual minefield, “setting traps to confound hackers.” When the software detects hackers trying to infiltrate, it can flood them with false information on vulnerabilities that goes nowhere, mess with the hackers’ computers, such as by popping up flashing maps of their locations and local defense attorneys, and disrupt their connections to slow down their hacking attempts (Bloomberg BusinessWeek).

2) Scamming The Scammers–Notorious email spams, such as those from Nigeria that look to ensnare victims into wiring money overseas in order to secure some lost fortune, cost $9.3 billion in losses in 2009. Psychology professors Chris Chabris and Daniel Simons suggest that we can prevent many scammers from succeeding by raising the cost of their doing business: “scam baiters” send responses to scammers that occupy them but never actually send any money. They suggest that artificial intelligence could be used to create “automated scam-baiter bots” simulating potentially gullible victims. These bots could even be programmed to provide phony account numbers and data to scammers to really get them spun up. (Wall Street Journal)

3) Insuring Against Losses–Insurance is a common way to manage risk by purchasing coverage for potential liabilities; it is used to indemnify against losses for everything from auto accidents to home fires, personal theft, and business interruptions. However, according to Bernard Horovitz, CEO of XL Insurance’s Global Professional Operations, businesses (and of course individuals) are rarely covered by insurance for hacker attacks. Insurance companies are now offering specialty products to cover these liabilities. Additionally, the insurers will “help with preventing and mitigating cyber crime” through security audits. (Wall Street Journal)
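As an added illustration of item 1 (written for this post, not Mykonos Software’s product, whose internals the article does not describe), here is the smallest useful form of a deception layer: decoy URLs that no human user or browser ever requests are advertised only where scanners look (a robots.txt Disallow line and an HTML comment), a client that requests one is tagged, every later answer to that client is delayed with exponential backoff, and each decoy page links only to further decoys. The site contents, decoy paths, and the use of the source address as client identity are assumptions for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Decoy resources (constructed). Nothing links to them visibly; each one points
# at more decoys so an automated crawl keeps chasing nothing.
DECOYS: Dict[str, str] = {
    "/admin_backup/": '<a href="/admin_backup/db.sql">db.sql</a> <a href="/admin_backup/.env">.env</a>',
    "/admin_backup/db.sql": "-- decoy dump: no real data\nCREATE TABLE users (id INT);\n",
    "/admin_backup/.env": "DB_PASSWORD=not-a-real-secret\n",
}

# The real site (constructed). The HTML comment is invisible to a browser user
# but is exactly what a link-harvesting scanner picks up and follows.
REAL_PAGES: Dict[str, str] = {
    "/": "<html><body>Welcome<!-- <a href='/admin_backup/'>old</a> --></body></html>",
    "/login": "<html><body><form>...</form></body></html>",
}


@dataclass
class Offender:
    hits: int = 0          # decoy requests seen from this client
    first_seen: float = 0.0


class DeceptionLayer:
    """Front-end filter: flags clients that touch a decoy and tarpits them.

    Client identity is the source address here (an assumption; a real deployment
    would also key on session cookie or TLS fingerprint). handle() returns the
    delay the caller should sleep before answering instead of sleeping itself,
    so the logic is testable without waiting.
    """

    def __init__(self, base_delay: float = 0.5, max_delay: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self.offenders: Dict[str, Offender] = {}

    def robots_txt(self) -> str:
        # Disallow lines are bait: a polite crawler skips them, a scanner visits them.
        lines = ["User-agent: *"] + [f"Disallow: {p}" for p in sorted(DECOYS)]
        return "\n".join(lines) + "\n"

    def delay_for(self, client: str) -> float:
        """Exponential backoff per decoy hit, capped; zero for unflagged clients."""
        offender = self.offenders.get(client)
        if offender is None:
            return 0.0
        return min(self.base_delay * 2 ** (offender.hits - 1), self.max_delay)

    def handle(self, client: str, path: str) -> Tuple[int, str, float, bool]:
        """Return (status, body, delay_seconds, flagged_by_this_request)."""
        if path == "/robots.txt":
            return 200, self.robots_txt(), self.delay_for(client), False
        if path in DECOYS:
            offender = self.offenders.setdefault(client, Offender(first_seen=self.clock()))
            offender.hits += 1
            # Always 200: never tell the scanner that its probe missed.
            return 200, DECOYS[path], self.delay_for(client), True
        body = REAL_PAGES.get(path)
        status = 200 if body is not None else 404
        return status, body if body is not None else "not found", self.delay_for(client), False


if __name__ == "__main__":
    layer = DeceptionLayer()
    for path in ["/", "/robots.txt", "/admin_backup/", "/admin_backup/db.sql", "/login"]:
        status, body, delay, flagged = layer.handle("198.51.100.7", path)
        print(f"{path:24s} {status} delay={delay:>5.2f}s flagged={flagged}")
```

The delay persists for real pages too, so once a client has tripped a decoy its whole session crawls, while an ordinary visitor who never requests the bait sees no change. Keying on source address alone will also punish everyone behind a shared proxy, which is why the tarpit is bounded by `max_delay` rather than a block.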

These three cyber security strategies are great examples of how we can make it technically and financially more difficult for cyber attackers to succeed in getting in a knockout punch on their victims. 😉

(Source Photo: Minna Blumenthal)

The Information High


A new article by Andy Blumenthal called “The Information High” at Public CIO Magazine (29 November 2012).

“In addition to being slaves to our things–including technology gadgets–we are also addicted to the data and information they serve up.”

Hope you enjoy! 😉

Andy

(Source Photo: Andy Blumenthal)

Taking Down The Internet–Not A Pipe Dream Anymore


We have been taught that the Internet, developed by the Department of Defense Advanced Research Projects Agency (DARPA), was designed to survive as a communications mechanism even in nuclear war–that was its purpose.


Last year, I learned about studies at the University of Minnesota that showed how an attack with a botnet of just 250,000 machines could shut down the Internet in only 20 minutes.


Again last month, New Scientist (11 February 2012) reported: “a new cyberweapon could take down the entire Internet–and there is not much that current defences can do to stop it.”


Imagine what your life would be like without Internet connectivity for a day, a week, or how about months to reconstitute!


This attack is called ZMW (after its three creators Zhang, Mao, and Wang) and works by disrupting the links between routers: the links are repeatedly broken and re-formed, and each change causes the affected routers to send out Border Gateway Protocol (BGP) updates to reroute Internet traffic. After 20 minutes, the extreme load of processing those updates brings the routing capabilities of the Internet down: “the Internet would be so full of holes that communication would become impossible.”


Moreover, an attacking nation could preserve their internal network, by proverbially pulling up their “digital drawbridge” and disconnecting from the Internet, so while everyone else is taken down, they as a nation continue unharmed.


The Cybersecurity Act of 2012, which encourages companies and government to share information (i.e. cybersecurity exchanges) and requires that critical infrastructure meet standards set by the Department of Homeland Security and industry, is a step in the right direction, but I would like to see the new bills go even further with a significant infusion of new resources for securing the Internet.


An article in Bloomberg Businessweek (12-18 March 2012) states that organizations “would need to increase their cybersecurity almost nine times over…to achieve security that could repel [even] 95% of attacks.”


Aside from pure money to invest in new cybersecurity tools and infrastructure, we need to invest in a new cyberwarrior with competitions, scholarships, and schools dedicated to advancing our people capabilities to be the best in the world to fight the cyber fight. We have special schools with highly selective and competitive requirements to become special forces like the Navy SEALS or to work on Wall Street trading securities and doing IPOs–we need the equivalent or better–for the cyberwarrior.


Time is of the essence to get these cyber capabilities to where they should be, must be–and we need to act now.


(Source Photo of partial Internet in 2005: here, with attribution to Dodek)


Big Phish, Small Phish

Phishing is an attack in which someone pretends to be a trustworthy entity but is really trying to get your personal information in order to steal from you or an organization.

Phishing is a type of social engineering where fraudsters deceive and spoof their victims by sending email or instant messages (or even by calling) and pretending to be a legitimate private or public sector organization. They then either request personal information, provide links to fake websites, or even create unauthorized pop-ups from legitimate websites to get you to give them your personal data. Additionally, phishing emails can contain attachments that infect the recipient’s computer with malware, creating a backdoor to control or compromise a system and its information.

In all of these cases, the intent of phishing is to impersonate others and lure consumers into providing information that can be used to steal identities, money, or information.

The word phishing alludes to the technique of baiting people and, like in real fishing, fooling at least some into biting and getting caught in the trap.

In this type of fraud, perpetrators pretend to be legitimate financial institutions, retailers, social media companies, and government agencies in an attempt to get you to divulge private information like date of birth, social security number, mother’s maiden name, account numbers, passwords, and more.

Once criminals have this valuable information, they can commit identity theft, break into your accounts, and steal money or information.

Spear-phishing is a derivative of this scam that is targeted at specific people, and whaling is when the scam is perpetrated on organization executives or other high-profile targets, which can be especially compromising and harmful to them or the organizations they represent.

The first recorded phishing attack was in 1987. Over the years, the prevalence of these attacks has steadily increased. According to the Anti-Phishing Working Group (APWG), there were some 20,000-25,000 unique phishing campaigns every month through the first half of 2011, each potentially targeting millions of users. Additionally, as of March 2011, there were as many as 38,000 phishing sites. The most targeted industry continues to be financial services, with 47% of the attacks.
There are a number of ways to protect yourself against phishing attacks.

  1. Delete email and messages that are unwarranted and ask for personal information
  2. Do not click on links in the message; instead go directly to the website by typing the address you already know (or by using a search engine to locate it). Copying the link out of the message and pasting it into the browser still takes you to the same place, so it is no safer than clicking
  3. Configure your browser to block pop-ups
  4. Use anti-virus, firewalls, and anti-spam software
  5. Set up automatic security updates
  6. Input personal information only into secure sites, such as those that begin with “https”; bear in mind that “https” only means the connection is encrypted, not that the site is legitimate, and criminals put phishing sites behind “https” too
  7. Only open attachments when you are expecting them and recognize where they are coming from
  8. Check financial statements upon receipt for any fraudulent activity
  9. If you are caught in a phishing scheme, notify law enforcement and credit reporting authorities immediately
  10. Always be cautious in giving out personal information
Whether you consider yourself a big fish or a small fish, beware of those trying to catch you up on the Internet–hook, line, and sinker.
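The checks behind items 2 and 6 can be made mechanical. The following is an added example, not from the post or from APWG, of the link heuristics a mail gateway (or a careful reader) can apply to a message: display text that names one domain while the href goes to another, a raw IP address as host, a trusted brand name used as a subdomain of some other domain, credentials before an “@” that make the visible part of the URL meaningless, and internationalized hostnames that can hide lookalike characters. Deliberately, “https” on its own earns no finding. The sample message, the allow-list of known-good domains and the crude two-label notion of a registrable domain are all constructed for the illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list: the domains the organization actually uses.
KNOWN_GOOD = {"bank.example", "www.bank.example"}

# Constructed phishing message: three hostile links and one legitimate one.
SAMPLE_HTML = """
<p>Dear customer, your account will be suspended.</p>
<p>Verify now: <a href="http://192.0.2.10/verify">https://www.bank.example/verify</a></p>
<p>Or sign in at <a href="https://www.bank.example.security-check.example/login">www.bank.example</a></p>
<p>Your statement: <a href="https://www.bank.example/statements">statements</a></p>
<p>Help desk: <a href="https://www.bank.example@198.51.100.7/">secure login</a></p>
"""

# Link text that looks like a URL or bare hostname (needs at least one dot).
HOST_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host: str) -> str:
    """Last two labels; crude, a real gateway would consult the public suffix list."""
    if is_ip(host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(href: str, text: str) -> List[str]:
    findings: List[str] = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {url.scheme!r}")
    if url.username is not None:
        # Everything before '@' is userinfo; the browser connects to `host`.
        findings.append(f"userinfo before '@': browser goes to {host}, not {url.username}")
    if is_ip(host):
        findings.append("raw IP host")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("internationalized host (check for lookalike characters)")
    for good in KNOWN_GOOD:
        if host.startswith(good + ".") and registrable(host) not in KNOWN_GOOD:
            findings.append(f"{good} used as a subdomain of {registrable(host)}")
    if HOST_LIKE.fullmatch(text):
        shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        if shown and registrable(shown) != registrable(host):
            findings.append(f"link text shows {shown} but href goes to {host}")
    # No finding for scheme == "https": encryption says nothing about who is
    # on the other end (item 6 above).
    return findings


def analyze(html: str) -> Dict[str, List[str]]:
    """Return {href: findings} for every link that tripped at least one check."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged: Dict[str, List[str]] = {}
    for href, text in parser.links:
        findings = check_link(href, text)
        if findings:
            flagged[href] = findings
    return flagged


if __name__ == "__main__":
    for href, findings in analyze(SAMPLE_HTML).items():
        print(href)
        for finding in findings:
            print("   -", finding)
```

On the constructed message, the three hostile links are flagged and the genuine `https://www.bank.example/statements` passes clean. These are heuristics, not proof: a phishing site on a freshly registered, plain-ASCII domain with matching link text trips none of them, which is why item 2 (navigate to the site yourself) still stands.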

Online Presence, Your Calling Card

In the age when Facebook has surpassed 800 million users, I still often hear people say that they don’t like to join social networks or put any information about themselves on the Internet.

Whether or not their apprehensions about their privacy being compromised are justified, or whether they feel that “it’s simply a waste of time” or that they “just don’t get it,” the impetus for all of us to establish and nurture our online presence is getting more important than ever.

In the competition for the best jobs, schools, even mates, and other opportunities, our online credentials are becoming key.

We’ve heard previously about employers checking candidates’ backgrounds on the Internet and even bypassing candidates or firing employees for their activities online.

Numerous examples of people badmouthing their companies or bosses have been profiled in the media and even some politicians have been forced out of office–remember “Weinergate” not too long ago?

Now, not only can negative activities online get you in trouble, but positive presence and contributions can get you ahead.

The Wall Street Journal (24 January 2012) reports in an article titled No More Resumes, Say Some Firms that companies are not only checking up on people online, but are actually asking “applicants to send links representing their web presence” in lieu of resumes altogether.

What are they looking for:

– Twitter Accounts
– Blogs
– Short Videos
– Online Surveys/Challenges

The idea is that you can learn a lot more about someone–how they think and what they are like–from their history online than from a resume snapshot.

Of course, many companies still rely on the resume to screen applicants, but even then LinkedIn with over 135 million members is sometimes the first stop for recruiters looking for applicants.

Is everything you do and say online appropriate or “fair game” for people screening, or is this going over some sacred line that says that we all have professional lives and personal lives, and what we do “when we’re off the clock” (as long as you’re not breaking any laws or doing something unethical) is no one’s darn business?

The problem is that when you post something online–publicly–for the world to see, can you really blame someone for looking?

In the end, we have to be responsible for what we disclose about ourselves and demonstrate prudence, maturity, respect, and diplomacy, perhaps that itself is a valid area for others to take into account when they are making judgments about us.

When it comes to children–parents-beware; the Internet has a long memory and Facebook now has a “timeline”, so don’t assume everyone will be as understanding or forgiving for “letting kids be kids.”

One last thought, even if we are responsible online, what happens when others such as hackers, identity thieves, slanderers, those with grudges, and others–mess with your online identity–can you ever really be secure?

Being online is no longer an option, but it is certainly a double-edged sword.

(Source Photo: here; Image credit to L Hollis Photography)

SCADA Beware!

In case you thought hacking of our critical infrastructure and SCADA systems only happens in the movies, like with Bruce Willis in Live Free or Die Hard, watch these unbelievable videos of what Max Corne seemingly does to the energy, maritime infrastructure, and highway transportation systems. Max apparently is able to turn off (and on) the lights in entire office towers, one and then another, control a drawbridge (up and down) while people and cars wait backed up, and even change traffic signals (from speeds of 50 to 5) as well as the message boards to motorists.

While I understand some have questioned the validity of these videos and have called them hoaxes, the point that I come away with is not so much whether this guy is or is not actually hacking into these computer and control systems as much as that people and organizations with the right skills could do these things.

And rest assured that there are those out there who can perform these hack attacks; reference the Stuxnet worm that attacks Siemens industrial control systems such as those used in the nuclear industry (June 2010).

I also heard a story that I don’t know whether it is true or not, about how a cyber expert personally dealt with a very loud and unruly neighbor who was playing Xbox 360 at 3 AM and keeping him awake. So the cyber expert simply hacked into his neighbor’s Xbox game over the Internet and set off a program that whenever his neighbor tried to play it, a timer would automatically turn the Xbox back off again (neighbor turns it on again, hack turns it off again….), until at one point, the cyber expert heard the neighbor pick something up (presumably the Xbox) and throw it against the wall.

In this story, the damage was limited, in other cases as the Max Corne videos demonstrate (in terms of the realm of the possible), when hackers attack our critical infrastructure and control systems, the results can truly be life threatening, majorly disruptive, and can cause widespread chaos.

Every day, there are digital natives (in terms of their advanced computer skills) that are proving what they can do to bypass our firewalls, antivirus protection, intrusion detection systems, and more.

While in the case of the hack attack on the Xbox, that was the end of the problem for the guy being kept up at night by his loud-playing neighbor, in general the unbelievable ability of some hackers to break into major systems, manipulate control systems, and disrupt critical infrastructure is certainly no game, no laughing matter, and something that should keep us up at night (Xbox playing or not).

The takeaway is that rather than demonize and discourage those who have the skills to figure this “stuff” out, we should actually encourage them to become the best white hat hackers they can be with it, and then recruit them into “ethical hacking” positions, so that they work for the good guys to defeat those who would do us all harm.

Cyber War – The Art of The Doable

CBS 60 Minutes had a great episode this past June called Cyber War: Sabotaging The System.

The host Steve Kroft lays the groundwork when he describes information or cyber warfare as computers and the Internet being used as weapons, and says that “the next big war is less likely to begin with a bang than with a blackout.”

This news segment was hosted with amazing folks like Retired Admiral Mike McConnell (former Director of National Intelligence), Special Agent Sean Henry (Assistant Director of the FBI’s Cyber Division), Jim Gosler (Founding Director of CIA’s Clandestine Information Technology Office), and Jim Lewis (Director, Center for Strategic and International Studies).

For those who think that cyber war is a virtual fantasy and that we are safe in cyberspace, it’s high time that we think again.

Here are some highlights:

– When Retired Admiral McConnell is asked “Do you believe our adversaries have the capability of bringing down a power grid?”  McConnell responds “I do.” And when asked if the U.S. is prepared for such an attack, McConnell responds, “No.”

– Jim Gosler describes how microchips made abroad are susceptible to tampering and could “alter the functionality” of let’s say a nuclear weapon that needed to go operational, as well as how they “found microelectronics and electronics embedded in applications that shouldn’t be there.”

– Special Agent Henry talks about how thieves were able to steal more than $100 million from banks in less than half a year, not by holdups but through hacking.

– Jim Lewis tells of the “electronic Pearl Harbor” that happened to us back in 2007, when terabytes of information were downloaded/stolen from our major government agencies–“so we probably lost the equivalent of a Library of Congress worth of government information” that year and “we don’t know who it is” who broke in.

The point is that our computers and communications and all the critical infrastructure that they support–including our defense, energy, water, transportation, banking, and more are all vulnerable to potentially lengthy disruption.

What seems most difficult for people to grasp is that the bits and bytes of cyberspace are not just ephemeral things, but that they have real impact on our physical universe.

Jim Lewis says that “it doesn’t seem to be sinking in. And some of us call it ‘the death of a thousand cuts.’ Every day a little bit more of our intellectual property, our innovative skills, our military technology is stolen by somebody. And it’s like little drops.  Eventually we’ll drown. But every day we don’t notice.”

Our computer systems are vulnerable and they control virtually all facets of our lives, and if the enemy strikes at our cyber heart, it is going to hurt more than most of us realize.

We are taking steps with cyber security, but we need to quickly shift from a reactive stance (watching and warning) to a proactive posture (of prevention and protection) and make cyber warfare a true national priority.