Security Blog

Your source for information security news and views.


What's the worst that could happen?

Posted by Patrick Snyder
on Thursday, 29 March 2012
in Uncategorized

By now most of the security industry has heard the rumors and threats that Anonymous intends to flood the 13 root DNS server addresses in an attempt to black out the internet for an unknown period of time. The threat is the product of the politically charged views of some of today's most prominent hacktivists. According to a post on pastebin.com, the attack would use a Reflective Amplification ('ramp') toolkit: small DNS queries are sent to open resolvers with the target's address forged as the source, so that each query is reflected back at the target as a much larger response. The aim is to overwhelm the root servers until they stop answering resolution requests, which in turn would stop users reaching sites by name, i.e. 'www.google.com', 'www.facebook.com', etc.
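The post above describes the attack from the attacker's side. As an added example (not part of the original post), here is the kind of check an operator could run on flow records from the target's side: the victim of a reflection attack receives a flood of DNS responses (UDP source port 53) far out of proportion to the queries it sent, because the queries were sent by the attacker with the victim's address forged. The flow records, addresses and thresholds below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Flags hosts that receive far more
# DNS response traffic (from UDP port 53) than they send in queries (to port 53):
# the signature of a reflective amplification attack, where the queries are
# sent by the attacker with the victim's address forged as the source.
set -eu

# Constructed flow records (hypothetical addresses): src sport dst dport bytes
FLOWS='
198.51.100.5 41000 192.0.2.53 53 64
192.0.2.53 53 198.51.100.5 41000 180
203.0.113.10 33000 192.0.2.53 53 60
192.0.2.53 53 203.0.113.10 33000 3100
192.0.2.54 53 203.0.113.10 33000 3050
192.0.2.55 53 203.0.113.10 33000 3200
192.0.2.56 53 203.0.113.10 33000 2990
198.51.100.7 52000 192.0.2.54 53 70
192.0.2.54 53 198.51.100.7 52000 210
'

# flag_reflection RATIO MINBYTES
# Prints one line per host whose received DNS response bytes exceed both
# MINBYTES and RATIO times the DNS query bytes the host itself sent.
flag_reflection() {
  printf '%s\n' "$FLOWS" | awk -v ratio="$1" -v minbytes="$2" '
    NF == 5 && $4 == 53 { q[$1] += $5 }            # queries the host sent
    NF == 5 && $2 == 53 { r[$3] += $5; n[$3]++ }   # responses the host received
    END {
      for (h in r) {
        sent = (h in q) ? q[h] : 0
        if (r[h] >= minbytes && r[h] > ratio * sent)
          printf "%s responses=%d bytes=%d query_bytes=%d\n", h, n[h], r[h], sent
      }
    }' | sort
}

# Flag a host once it has received at least 1000 bytes of DNS responses and
# more than ten times the query bytes it sent. 198.51.100.5 and 198.51.100.7
# are normal clients; 203.0.113.10 sent one 60-byte query and got 12340 bytes back.
flag_reflection 10 1000
```

The same ratio logic, run per reflector instead of per victim, identifies which open resolvers are being abused, which is the list the operator would send to the resolvers' owners.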

This attack is under great scrutiny by professionals and hackers across the web. Some say it may be possible, others say that at best it will be very limited and do minimal damage, while the rest say Anonymous has its information all wrong. Does this threat have any substance, or is it only another empty threat? Only time will tell as the attack date of March 31, 2012 draws nearer.

Years before this threat, and before the group even rose to prominence, Kim Davies wrote a post on the ICANN blog dispelling the notion that there are just 13 lone DNS servers in the world: the 13 root server addresses are anycast, each answered by many physical servers spread across the globe. In a more recent post at Errata Security, Robert Graham gives further reasons the attack is not feasible. Two facts underlie the scepticism: flooding 13 addresses means flooding hundreds of instances at once, and recursive resolvers cache the root's delegation records for days, so most name lookups would keep working even if the root servers went quiet for a while. One blogger goes so far as to call Anonymous' announcement an April Fools' joke.

Alongside the sceptics is a handful of worried observers who see this brazen threat as an indicator of worse things to come. Boy Genius Report recently published a story outlining U.S. officials' fears in light of Anonymous' growth and its increasing threat to U.S. national security. It is no secret that the U.S.'s cyber infrastructure is much weaker than most people think. We lack a structured cyber force and choose to hinder those with the potential to protect us in the event of a cyber war. I agree with Misha Glenny's ideas in his TED talk last year, where he discussed an alternative to punishing hackers: setting up reform programs to bring these individuals back from the criminal world and onto the good guys' team.

The bottom line is that progress against cyber attacks remains slow. The government's approach of granting these cyber miscreants less and less freedom only seems to frustrate them further. Top agents in charge of cyber security are being worn down by the constant threats and attacks, on top of repeated failures by higher-ups in government to consider better funding. The only hope in the fight against cyber crime and an impending cyber war is not only an increase in IT security budgets but also a change in the mindset that all hackers are our enemies. These rogue hackers possess skills and knowledge that the government cannot afford to lose to the dark side.

Those interested in a first-hand look at the health of the DNS root servers during this weekend's 'attack' can check Team Cymru's website dedicated to tracking the health of DNS servers around the world.


We Will Get Fooled Yet Again

Posted by Patrick Snyder
on Friday, 17 February 2012
in Uncategorized

As if Android's security controls weren't weak enough, still more malicious applications have made their way onto users' devices. This breed of malware is unlike what came before. With the increasing power of smartphones, soon to include quad-core processors, attackers who once focused on exploiting desktops and laptops are now targeting mobile devices for their botnets.

Smartphones are the perfect target: small, powerful, mobile and, best of all, always connected. Their size and mobility make them ideal carriers for spreading malware across corporate and public networks, anywhere their owner travels and joins an open, unencrypted Wi-Fi network. Their processing power now makes them as suitable as larger machines for running attacks and malicious campaigns. And the connectivity and the personal information that flow through them give attackers a field day with our contacts and data.

Unlike full desktop operating systems, mobile operating systems are much more lightweight and are designed very differently. We still run applications, but many more exist on mobile devices for single, specific purposes. On a PC, when you want to check your bank balance or a social network, you generally log in through a browser. Smartphone application developers have simplified this with dedicated apps that retain your login credentials for easy, instant access to those accounts.

What's worse than writing down your passwords? I say it's saving them for automatic login in our applications, especially if those applications are infected with malware.

Picture this: you download an innocent-looking banking or social networking application, one recommended by friends or one you have seen advertised on the web, in email, etc. You install it and log in with your banking and/or social networking credentials. Expecting to see your account balance or messages from friends, you are surprised to find yourself bombarded with spam advertisements, false banking information, and not a friend in sight. To make matters worse, your credit card has run up a few hundred dollars' worth of charges within minutes. Welcome to the new world of mobile malware.

The applications infected by the Trojan in these two news stories, from Computerworld and ZDNet, may not be banking or social networking apps, but in an application-rich environment we must always consider the impact of fraudulent applications making their way into our most trusted environments. If attackers can trick us with fraudulent websites, there is no doubt they can trick us with fraudulent applications.


Fool me once shame on you, fool me twice shame on you

Posted by Ken Kousky
on Wednesday, 25 January 2012
in MyBlog

It looks as though 2012 is gearing up to be not only the year of cloud computing and healthcare information security concerns but also the year of continued phishing attacks and scams. Here is my most recently received scam (among the many banking phishing attacks that roll in daily). It seems I have won the Texas Lottery, again!

These scams are much simpler to spot than some of the more sophisticated phishing scams I have seen. Take a look at a few of the key indicators:

1.       In this cyber world I guess it only makes sense that they begin running a lottery based on email addresses, right?

2.       I am addressed as "Stake Winner". You would think that my winning $800,000.00 would at least warrant a name lookup by the Texas Lottery Commission.

3.       Google Translate is getting pretty good, but not good enough to correct the grammar in this awkward message.

4.       Wait a minute, this isn't Texas. I'm not even a resident of Texas, nor have I entered the Texas lottery lately.

5.       Oh, of course, that makes perfect sense: a Texas lotto claims agent located in the United Kingdom, with only a Gmail account.

6.       Dr. Roseline Morgan, Director of the Texas Lottery Commission? Yes, absolutely, I sure wouldn't trust my lotto commissioners to hold anything less than a doctorate (hmm, odd: she seems to enjoy signing her name "Morgan Lewis").

Although this is a weak example of an online scam, the excitement of a lotto win can cause all logic to go out the window. Check back, as I'll be updating you periodically on this year's newest phishing attacks and how to avoid being duped.

Tags: attack, phishing

Trouble keeping up with the industry? IP3 Inc.’s CPE ToGo Program is here to help

Posted by Ken Kousky
on Friday, 09 September 2011
in MyBlog

The past year has been plagued with a variety of new attacks, the most influential being Operation Shady RAT and its intrusions into more than 70 organizations, the theft of RSA's SecurID token data, and the DigiNotar breach that resulted in the issuance of numerous fraudulent SSL certificates. All of these attacks have one thing in common: they are Advanced Persistent Threats (APTs). APTs are a new breed of attack taking the IT industry by storm. They are closely operated by their controllers, resilient to defenses, change their tooling to evade detection, and are incredibly successful. But these attacks are after much more than a few SecurID seeds or SSL certificates; the true target is the information those assets let the attackers reach. With one fraudulently issued certificate for a popular domain, attackers can stand up any number of fake sites impersonating it and lure in unsuspecting victims who submit personal and banking data to the false pages, without warning and without suspicion. That information is then used for political and financial gain, fuelling the machine and enabling further attacks on the fragile system we all hold dear.

APTs are one of many emerging threats on the front lines of IT security. Other hot topics in the industry include cloud computing security, new challenges in cryptography, and emerging exploits. Even the business-related aspects of IT are changing rapidly, such as the many improvements to be made to risk management procedures, all influenced by the recent natural disasters on the East Coast along with the 10-year anniversary of 9/11.

So many emerging topics, so little time.

But there is hope for security professionals. IP3 now offers an all-new way for security professionals to learn about these emerging threats and technologies while keeping up their certifications by earning valuable CPEs, all at an incredible price, wrapped in a package that fits the lifestyle of even the busiest IT security professional.

Click here for more information on IP3 Inc.’s industry first CPE ToGo program.


So much for the chain of trust

Posted by Patrick Snyder
on Tuesday, 30 August 2011
in MyBlog

We all know digital certificates are meant to keep us safe while browsing the web. The root certificates of the certificate authorities come preinstalled in our operating systems and browsers, every certificate beneath them carries a digital signature that breaks if the certificate is altered, and together they establish a supposedly unbreakable chain of trust. But what happens when that chain of trust is compromised? What happens when a certificate for someone else's domain falls into the wrong hands?

Hackers recently obtained a valid SSL certificate for Google's domains from DigiNotar, a Dutch certificate authority. Note that it was not Google's own certificate that was stolen: a wildcard certificate for *.google.com was issued under DigiNotar's trusted root, and proof of this valuable prize has already been flaunted on pastebin.com. It is still unclear how the certificate was obtained. There may have been a breach of DigiNotar's issuing systems, or there may have been a lack of oversight at DigiNotar. Either way, the event presents a significant security risk to users.

This certificate gives the hackers the trusted identity of each of Google's many services, including Gmail, Google search, and Google Apps. The certificate alone does not let them redirect anyone, but combined with control over a victim's DNS or network path (poisoned DNS, a hostile network operator, or a spam campaign linking to look-alike sites) it lets them stand in the middle of the connection, serve pages that browsers accept as Google's, and harvest users' credentials in a man-in-the-middle attack.

According to security professionals who examined the certificate posted on Pastebin, it is in fact valid: it chains to a root that browsers trust. This leaves the hackers endless possibilities to exploit it. And because the certificate validates, users see no warning, even on a malicious site posing as Google.

Google is expected to quickly blacklist the certificate in Google Chrome, and will most likely urge Microsoft, Mozilla, Apple, and others to follow suit and stop trusting it, for the safety of the internet.


Earthquakes, Hurricanes, and a Crumbling Infrastructure

Posted by Patrick Snyder
on Wednesday, 24 August 2011
in MyBlog

The recent magnitude 5.9 earthquake near Mineral, VA came as a complete surprise to those within its reach. Although damage was minimal, it is a reminder of the importance of disaster recovery and business continuity planning. So far reports show only minor injuries, a precautionary shutdown of the nearby nuclear plant, and some cell network disruption. These effects are minor compared to other major disasters. The most important lesson is that these things can happen anywhere, and everyone must be prepared.

Your office may not be near a fault line, in Tornado Alley, or along a hurricane path, but these natural events deviate from their norms from time to time. In a way there is no 100% safe place to be. It is good practice to plan for every plausible disaster, not just those that are common in your area.

This also raises questions about the placement of our disaster recovery providers. Chances are your disaster recovery provider has chosen a backup location that on a normal day is exposed to minimal risk of disaster. They probably claim the location was chosen for its low risk and generally safe environment. But as just stated, there is no end-all-be-all safe haven for data and IT centers. So what happens if your disaster recovery provider is knocked out by a natural disaster? Do you have a backup for your backup?

On another side of the story, Tuesday's quake may not have thrown any industries into disaster recovery mode, but it did shed light on the aging infrastructure of cities along the East Coast. Disaster recovery plans help rebuild and restore operations after a damaging event; they do not generally account for the fragility of the infrastructure already in place. Many disaster recovery plans would be far less likely to be activated if the infrastructure they cover were solid and secure from the start.

With Hurricane Irene bearing down on the East Coast within the week, we can only hope the minor damage already done by the quake is not magnified by the hurricane. Be prepared, batten down the hatches, and have your disaster recovery and business continuity plans ready.


Amazon takes aim at cloud compliance issues with GovCloud

Posted by Patrick Snyder
on Thursday, 18 August 2011
in MyBlog

Compliance is never easy, and cloud computing only adds to the challenge of keeping up with standards and regulations. Until now, U.S. government agencies have found it difficult, if not impossible, to move sensitive information to the cloud despite federal programs aimed at doing just that. The issue has always been compliance and security: the handling of sensitive data carries strict regulatory requirements that must be followed to protect the information.

Two of those requirements are data location and access control. Sensitive data from U.S. agencies must be stored within U.S. boundaries and be accessible only to U.S. persons. With most cloud services spanning several continents, keeping that data contained is nearly impossible.

Amazon Web Services hopes to defeat this challenge with their newly announced GovCloud offering.

A description from Amazon Web Services about GovCloud:

AWS GovCloud is an AWS Region designed to allow US government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. Previously, government agencies with data subject to compliance regulations such as the International Traffic in Arms Regulations (ITAR), which governs how organizations manage and store defense-related data, were unable to process and store data in the cloud that the federal government mandated be accessible only by U.S. persons. Because AWS GovCloud is physically and logically accessible by U.S. persons only, government agencies can now manage more heavily regulated data in AWS while remaining compliant with strict federal requirements.

The new region is also covered by FISMA, SAS 70, ISO 27001, FIPS 140-2 validated endpoints, PCI DSS Level 1, and HIPAA. This will make compliance auditing far less daunting and increase the security of data in the cloud. Hopefully this new service will lead more federal agencies to join the cloud movement and begin to fulfill the goals outlined in Vivek Kundra's Federal Cloud Computing Strategy.


Cloud Risk: Placing all of your eggs in one basket

Posted by Patrick Snyder
on Monday, 08 August 2011
in MyBlog

It's 2 a.m. on a Monday, the workweek starts in six hours, and your cloud service provider has just notified you that their services are down. What do you do?

This is the question European customers were asking themselves when Amazon's EC2 and Microsoft's BPOS cloud services were taken out by a lightning strike in Dublin earlier this week.

Despite the disaster recovery and business continuity plans these cloud providers had developed, things do not always go as smoothly as they look on paper. Amazon's backup generators should have powered up in synchronization to cover the power loss; however, the lightning strike was so substantial that it knocked out the phase control system that synchronizes the generators' output. The generators had to be started and load-managed manually, resulting in a noticeable outage for customers.

This is something for cloud services customers to keep in mind. You have been reminded time and again during security training that proper cloud integration requires strict audits of your cloud service provider, audits that are sure to include disaster recovery and business continuity procedures. Having all this on paper is only half of the equation for system resilience and reliability; the execution of those procedures under pressure is the true test of recovery performance.

This brings us to what many IT security professionals see as the most important aspect of disaster planning: having a backup. That can include file backups, virtual machine image backups, and even fully operational standby systems (what many of us know as "hot sites"). Most cloud service providers offer extensive features covering many of these. Although bundling them all with the same provider may be more convenient, it can also compound the disaster in times of peril.

As the string of cloud outages so far this year has shown, bad things happen to cloud services. The cloud will go down. That makes third-party services that keep you running while your main provider recovers all the more important. Just as it isn't smart to "put all of your eggs in one basket," it probably isn't a good idea to place all of your computing power and resources in the hands of one provider.


Break out the RAT traps, there is shady business afoot

Posted by Patrick Snyder
on Thursday, 04 August 2011
in MyBlog

Forget about LulzSec and Anonymous. Those political hacktivist groups are amateur script kiddies compared to the attackers recently revealed by McAfee. The newly disclosed group's five-year campaign, which struck at least 72 identified organizations, appears to have originated in China, although no official attribution has been made.

Dubbed Operation Shady RAT (RAT standing for remote administration tool), the campaign uses spear phishing emails that mimic legitimate messages (as many other phishing attacks do); once a user opens the attachment, the system is infected with malware that takes orders from a command-and-control server run by the attackers. Unlike other attacks we have seen, this group doesn't seem to be out for laughs or a quick payout. It's data they are after, and lots of it.

The longevity of the campaign has led to the compromise of petabytes of data so far. The damage and the loss of proprietary information are far greater than anyone would have predicted, and until the attackers are shut down it is only expected to get worse.

This attack brings to light a concept we have been pressing on IT security professionals for some time now. Anyone who has attended Ken Kousky's Strategy to Reality seminars has most definitely heard about Advanced Persistent Threats (APTs). The same approach was used in the Stuxnet attack on the SCADA systems of Iran's nuclear facilities and in Operation Aurora against Google and a dozen or more other organizations. For those who need a refresher, think of APTs as interactive, evolving attacks whose operators adapt to whatever defenses they meet. You build a wall, they knock it down; you dig a moat, they swim across it. APT attacks represent a new generation of attacks that conventional defenses alone cannot stop.

The most effective way to stop an APT is to cut it off from its driving source, the C&C server. McAfee is working with a variety of US government agencies to shut down the C&C server; however, the attackers' five-year head start along with jurisdictional issues is sure to make that quite a challenge.

Another issue is many organizations' failure to report or admit a compromise, which makes these attacks even more difficult to track. Security professionals must keep in mind that, regardless of your organization's reputation or pride, you have a duty to disclose attacks to the proper authorities. These attacks cannot be ignored and cannot be fought alone.

Microsoft has even started a program offering $250,000 in prizes to anyone who contributes outstanding solutions to these attacks, in defense of the future of computing.

If you're wondering whether your organization could be a target, just ask yourself one question: does my information hold any value whatsoever? I'm guessing that for 95% of organizations the answer is yes.


Those who fail to plan for Cloud should plan to fail

Posted by Patrick Snyder
on Friday, 15 July 2011
in MyBlog

Although early cloud computing adopters boast of its cost savings, there is a catch many organizations are not prepared for. The IT savings are no myth; your organization will save on its IT budget. But that money may not go straight into your pocket from the start. It must be reinvested in the other resources needed for a safe transition to the cloud, namely security and auditing. Without corporate approval to increase those budgets and adopt a new approach to measuring cloud security, the transition can fail, and the result will be reports showing a lack of funding and a lack of security.

This unexpected "reinvestment clause" of a cloud transition has taken many federal organizations by surprise. Since the recent cloud-first mandate from United States Chief Information Officer Vivek Kundra, federal organizations have been directed to move three services to the cloud within the next year. Many have moved their low-hanging fruit, resources of minimal importance, which has taken some weight off but still does not deliver the benefits the mandate aims for. Others that went for broke have done exactly that: gone broke. Data shows that 79% of federal organizations complain of a lack of funds. Had these organizations planned to reinvest in auditing and risk management, they would be reporting financial gains instead of money woes.

"The policy and risk assessment work just hasn't been done," said Paul Sand, Vice President of IP3 Inc. A transition to the cloud takes planning, auditing, research, and careful budgeting. If you are smart about it and take note of the hidden factors, your organization has the potential to gain great success by joining the cloud movement. This reminds me of an old proverb: "Those who fail to plan should plan to fail."

While we are on the topic of cloud transition, it is also important to note the consequences of failing to budget properly. On top of those with funding concerns, 71% of organizations reported fears about cloud security. The mindset that the cloud should just be secure is a fallacy. A secure cloud takes initiative and constant monitoring and measurement by all responsible parties. That includes doing your homework on proper security controls, writing SLAs that oblige the cloud service provider to implement them, and auditing those controls. But without a budget, these tasks may go unchecked on the security checklist.

The lack of funds has also led some organizations to sacrifice privacy and security by opting for multi-tenant, shared private cloud implementations. This leaves them at risk of spillover and cross-contamination with neighbouring tenants' information. Granted, multi-tenancy saves money, but that does not change the fact that it sacrifices isolation. Since the information being stored and used is often highly sensitive federal data, the last thing we want is a choice, driven by an inadequate budget, that sacrifices security.

A transition to the cloud is not something that will happen overnight. It will take planning, budgeting, risk assessment, and plenty of audits along the way. Be sure you know what your organization is getting into before you decide to take off into the clouds.

How to ruin VoIP security

Posted by Patrick Snyder
on Wednesday, 29 June 2011
in MyBlog

Recently, with advances in mobile technology and IP networks, we have expanded our communication channels to include many new technologies. Mobile email, mobile instant messaging, texting, and VoIP are rapidly replacing older networks such as postal services and Plain Old Telephone Service (POTS). These new technologies brought security advances over the previous media, including encrypted transport and encrypted voice data. But one thing was forgotten when they were introduced: they fall under the same communications laws and privacy acts as the older media. Complying with those laws may well unravel the security structure we have put in place.

I'll give you an example, Skype. Following its $8.5 billion acquisition of Skype, Microsoft holds a published patent application for a technology that would help VoIP and video chat applications comply with government-mandated wiretapping and surveillance requirements. The technology, dubbed "Legal Intercept", acts as a middleman that allows conversations to be recorded silently.

The described system works by intercepting a connection request and rerouting the call through a recording agent before routing it on to the requested endpoint.

This type of monitoring is nothing new in communications technology; however, it has yet to reach our newest IP technologies. An addition like this is likely to undo much of the security progress made in the VoIP world. The trusted connections, encrypted tunnels, and protected data we establish during a VoIP call would be built to be altered so that they can be monitored, and a channel built for lawful interception is a channel available to malicious interception as well. We are taking a technology designed not to be intercepted and intercepting it on purpose, all to suit Big Brother. We must remember that Big Brother will not be the only one capable of listening.

This should really be raising some questions. What security is in place to ensure these channels can only be intercepted by authorized government agencies? How are recorded sessions protected once they are captured? What backdoors into our data are being used to enable these recording channels? I am all for national security; however, opening more backdoors and vulnerable channels seems to outweigh the security introduced by this technology. For now this new technology really only seems to be introducing national insecurity.


Hacking group gets their 'Lulz' thanks to poor security

Posted by Patrick Snyder
on Thursday, 16 June 2011
in MyBlog

Lulz Security, a seemingly innocent name you could mistake for a legitimate security company, has rapidly built its hacking reputation since early 2011. The group has managed near-daily hacks of dozens of websites across the internet and even set up call-forwarding attacks on customer support lines. Among the most notable are attacks on Sony, the US Senate, the FBI, and the CIA. Many of their attacks have been simple perimeter breaches, things security professionals should have closed long ago.

These hacks highlight how much time security managers waste securing only their outer defenses. True security should live directly around your most valuable assets. The sites hit by LulzSec have relied primarily on perimeter security. That is like building a wall around your home yet leaving the doors unlocked and expecting the wall alone to keep people out. As we can now see, that methodology is unacceptable and simply not enough.

Though this group has caused major disruption on many networks, they do not seem to have a truly malevolent motive. They do not seem to be out for financial or political gain. As their tweets and even their name ('lulz', a reference to 'laughs') suggest, they are doing it simply for entertainment and sport. They have even been operating what I like to call a hack-by-request system, where anyone is free to send them a target. The truly surprising fact is that they have been able to hit nearly every target they are given, whether a small gaming forum or a high-level government website. They are taking down or breaking into what should be the most secure sites on the internet with basic techniques: flooding them offline with DDoS and packet floods, or walking in through long-known web application flaws such as SQL injection.

Beyond exposing a lack of perimeter defenses, their hacks have also brought to our attention many other security issues that most of us are still ignoring. Their hack on Sony revealed not only inadequate defenses on Sony's part but also an astonishing amount of password reuse by users, which we all know is one of the most prevalent security flaws that exist.

Let's face it, these attacks have been happening for years and organizations have simply been able to keep quiet while sweeping the mess under the rug. LulzSec's public hacking escapade has finally brought these attacks to the attention of the general public. They are exposing many organizations' security systems for what they really are: weak. There is no more ignoring our simple mistakes. It is time we all step up our security to the level it needs to be at in this world of cyber threats. This should be a true eye-opener for security professionals. It may be your only chance to get things right before your information is truly at risk of theft and misuse that will result in financial loss and legal liability.

Corporations begin biting their nails over IPv6

Posted by Patrick Snyder on Tuesday, 07 June 2011 in MyBlog

For those who don't know, tomorrow is World IPv6 Day: a day when over 400 corporate, government, and university websites will switch their networking over to the IPv6 protocol for a 24-hour period. The changeover will signify the start of a new generation of Internet protocol and hopefully lend credibility to the IPv6 system, which has been pushed into the market since 1999. With the now imminent depletion of all available IPv4 addresses, IPv6 Day aims to push the remaining holdouts over to the new system and bring much more attention to it as a necessary protocol. Though this will be a landmark day as the largest wide-scale implementation of IPv6 to date, it could also be D-Day for the largest wide-scale wave of DDoS attacks.

Though the trial changeover will only last from 8:00 p.m. tonight until 7:59 p.m. tomorrow night, there is still the possibility of some major issues, one of the most probable being DDoS attacks. These attacks rely on jamming network routers and devices with overwhelming amounts of traffic, causing the network to crash and deny all remaining requests. Since IPv6 headers are four times the size of IPv4 headers, they take four times as long for routers to process. In a digital world this takes only nanoseconds, but multiply it by thousands of requests a minute, or even per second, together with the increased processing time for the larger IPv6 header, and the system can jam up very quickly.

Many large corporate websites on the IPv6 trial list, such as Google, Facebook, and Juniper, have seen their fair share of attempted attacks in the past. This new system, still in its infancy, could be the perfect opportunity for hackers to finally break through to the information they want.

One advantage to being on this list of 400 is that these corporations have done their homework on IPv6 and built their systems to handle the protocol. Another attack vector comes with companies that have yet to move their packet-inspection systems to a dual-stack implementation that handles both IPv4 and IPv6 traffic. These companies will be accepting uninspected IPv6 traffic through their devices, opening the door to a broad array of network attacks.
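To make the dual-stack point concrete, here is a small added example (written for this page, not code from the original post or from any vendor product). It builds two constructed packets, one IPv4 and one IPv6, parses the fixed header of each into a common shape, and runs them through two toy inspectors: a legacy one that understands only IPv4 and therefore forwards every IPv6 packet without applying any rule, and a dual-stack one that applies the same blocklist to both address families. The addresses and the blocklist are constructed for the demo.

```python
import ipaddress
import struct

# Constructed sample data for the demo (not captured traffic): one blocked
# IPv4 source and one blocked IPv6 source, both hypothetical values.
BLOCKED_SOURCES = {
    ipaddress.ip_address("203.0.113.7"),
    ipaddress.ip_address("2001:db8::bad"),
}


def build_ipv4(src: str, dst: str, proto: int = 6) -> bytes:
    """Build a minimal 20-byte IPv4 header (IHL=5, no options, no payload).
    The header checksum is left as zero; it is not needed for this demo."""
    version_ihl = (4 << 4) | 5
    return struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def build_ipv6(src: str, dst: str, next_header: int = 6) -> bytes:
    """Build a minimal 40-byte IPv6 fixed header (no extension headers, no payload)."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return struct.pack(
        "!IHBB16s16s",
        first_word, 0, next_header, 64,
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )


def parse_ip_header(packet: bytes) -> dict:
    """Parse the fixed header of an IPv4 or IPv6 packet into one common shape."""
    version = packet[0] >> 4
    if version == 4:
        header_len = (packet[0] & 0x0F) * 4  # IHL is counted in 32-bit words
        return {
            "version": 4,
            "header_len": header_len,
            "proto": packet[9],
            "src": ipaddress.IPv4Address(packet[12:16]),
            "dst": ipaddress.IPv4Address(packet[16:20]),
        }
    if version == 6:
        return {
            "version": 6,
            "header_len": 40,   # fixed size; extension headers would follow it
            "proto": packet[6],  # Next Header field
            "src": ipaddress.IPv6Address(packet[8:24]),
            "dst": ipaddress.IPv6Address(packet[24:40]),
        }
    raise ValueError(f"unsupported IP version {version}")


def ipv4_only_inspector(packet: bytes) -> str:
    """Models a legacy device that understands only IPv4.
    Anything else never reaches the rule engine and is forwarded as-is."""
    if packet[0] >> 4 != 4:
        return "forwarded-uninspected"
    header = parse_ip_header(packet)
    return "drop" if header["src"] in BLOCKED_SOURCES else "allow"


def dual_stack_inspector(packet: bytes) -> str:
    """Applies the same blocklist to both address families."""
    header = parse_ip_header(packet)
    return "drop" if header["src"] in BLOCKED_SOURCES else "allow"


if __name__ == "__main__":
    samples = {
        "ipv4 from blocked host": build_ipv4("203.0.113.7", "192.0.2.10"),
        "ipv6 from blocked host": build_ipv6("2001:db8::bad", "2001:db8::10"),
        "ipv6 from ordinary host": build_ipv6("2001:db8::1", "2001:db8::10"),
    }
    for label, pkt in samples.items():
        legacy = ipv4_only_inspector(pkt)
        dual = dual_stack_inspector(pkt)
        print(f"{label:24} legacy={legacy:22} dual-stack={dual}")
```

The legacy inspector's blind spot is not a weak rule; the IPv6 packet from the blocked source is never parsed at all, so no rule can match it. That is the failure mode of a device that was never upgraded to inspect both stacks.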

This trial period will be a major learning experience for all IPv6 amateurs. If your corporation has plans to implement increased network security, today would be the day to do so. Be prepared to hear more about this across the cyber world as the day goes on.

Pentagon's "Big Stick Ideology" Meets its First Test of Willpower

Posted by Patrick Snyder on Monday, 06 June 2011 in MyBlog

No more than a week after the Pentagon's threat of military retaliation in the event of a cyber attack, the U.S. receives its first test of might.

Paul Sand, Vice President, IP3 Inc., offered this statement:
“Last week, IP3 assessed the Pentagon’s decision to consider a cyber attack as an act of war. We clearly determined that there was no strong strategic or tactical benefit for doing so. Apparently, a cyber attack on the Atlanta InfraGard Chapter was launched in retaliation for the Pentagon’s aggressive stance. Taking action that raises your profile without any clear benefit is usually a bad move.”

I'm sure most of you have heard the old Japanese proverb, "The nail that sticks out gets hammered down." The U.S. government may have just marked itself as that very nail. By making such a strong statement, we have invited other, less agreeable entities to test our claims of military force.

Another phrase that comes to mind is the African proverb "Speak softly and carry a big stick," which was popularized by Theodore Roosevelt in his Big Stick ideology of peaceful negotiation backed by the threat of military force. So what happens when that threat of force is tested? Is it truly customary to take out the big stick and start swinging? This will be the true test of something I will call "cyberwar policy."

Cyber policy will soon become a very hot topic in light of recent events. One is the government-controlled network outages that began in Egypt, which now seem to be a trend, seeing as the Nigerian government has done the same. This prompted questioning in the U.S., which led to the "kill switch" legislation now moving through Congress. A second event was the Pentagon's decision to consider cyber attacks acts of war.

These recent events have begun to outline the rules of cyberwar. There are many questions to be asked and much policy to be drawn up regarding these and future events. One thing is certain: our representatives had better get a handle on this policy soon, before things get out of control.

In the trenches of 21st century Cyberwar

Posted by Patrick Snyder on Tuesday, 31 May 2011 in MyBlog

The U.S. government, in statements by the Pentagon, now classifies cyber attacks on our nation's infrastructure as acts of war and is implementing a strategy that will allow for military retaliation in the event of a cyber attack on the U.S.

Paul Sand, Vice President, IP3 Inc. says:
"Declaring cyber attacks as acts of war is an unnecessary escalation. While I imagine that the Pentagon is striving to achieve a deterrence effect, traditional military retaliation to a cyber attack faces some big challenges. First and foremost, attribution is a problem. Attribution is assigning responsibility for the attack to the appropriate party. With spoofing and masquerading exploits so readily available and easy to use, an attacker will be hard to identify and may just be aiming to trigger retaliation against a third party. So, retaliation is a path filled with significant chances for profound mistakes."

This statement by Paul Sand is understandable, considering most cyberattacks and hacking incidents are not orchestrated by a governing body. They are generally run by a small group of rogue individuals acting independently of any government. Take for instance the group "Anonymous", which is nothing more than a large, informal collection of hackers spanning various continents. How will a target be decided in the event of an attack from multiple locations? Also keep in mind that most hackers are still in their teens. Are we to expect our government to discharge nuclear weapons on an innocent country because some adolescent hacked into one of our government sites from a computer in his basement?

Paul Sand continues:
"Further, cyber attacks that are “war-like” are not likely to be independent attacks. The 2011 OECD report “Reducing Systemic Cybersecurity Risk” lays out a strong argument that cyber attacks will be coincident with conventional “kinetic” military actions. In that event, this new doctrine of response to the cyber attack is not necessary … existing doctrine governing the response to the kinetic attack will be sufficient and is much less susceptible to problems with accurately attributing the act to the true attacker."
"All in all, the Pentagon has not made the cyber world any safer by concluding that cyber attacks are an act of war."

In other news:

Lockheed Martin has acknowledged a significant cyberattack on its infrastructure. Evidence has surfaced linking this attack to the recent hack of RSA and the theft of RSA's SecurID authentication tokens. These tokens were used in an attack on Lockheed Martin in an attempt to obtain sensitive information from the security and defense company. Luckily, Lockheed was able to thwart the attack very quickly after it propagated on its systems and assures everyone that no data was stolen.

This attack on Lockheed Martin arrives on the landscape with an abundance of other cyberattacks including those on broadcaster PBS, EMC Corp.'s RSA security unit, Epsilon Data Management, LLC, and Sony Corp.'s PlayStation Network.

Today's networks are erupting with cyberattacks and cyberwarfare, and governing bodies are struggling to keep a hold on their authority. Though the legislation is still unclear, the message should be clear to hackers. You've been warned! The next time you press Enter and launch that malicious code, you could end up with a USAF B-52 bomber over your head.

Mobile browser security is a spoof

Posted by Patrick Snyder on Tuesday, 31 May 2011 in MyBlog

Since when does innovation call for imitation of security? In today's world users demand portability. This means designing devices and services to operate on much smaller platforms: taking that 15-inch laptop from the office and crushing it down to a 4-inch pocket-sized supercomputer, and also taking those web browsers and applications and stripping them down to their minimal aspects to ensure lightweight, simple operation. In the process of stripping down these devices we are leaving out an important aspect: the security.

Although the convenience of having a pocket-sized computer seems to trump most of our performance concerns, we are actually giving up more than we can afford. Full-sized devices offer many integral features that we now take for granted. These include the security checks and warnings that are key to safe networking.

For example, while using a standard full-sized browser it is easy to see in the URL bar when you are accessing a secure site. You are generally presented with the SSL lock or some other green-light indicator assuring you that the page you are accessing is encrypting your information and is safe.

Our drive for mobile simplicity has led us to throw out these security checks, which opens the door to spoofed websites that can present us with false information and fake logins. Only a handful of users have the knowledge to detect such websites on a mobile device. We predict that phishing attacks related to this type of mobile spoofing will become one of the most abundant threats to mobile users in the upcoming years.

Thankfully, many mobile browsers now support SSL and HTTPS transmissions; however, that only helps when the user chooses to use the securely protected website. Not many custom mobile sites have been designed to handle this type of security yet. Anyone who has accessed a full-sized web page on a mobile device knows how difficult it can be to read small text and press submit buttons. This makes custom-built mobile sites the optimal choice for convenience, but definitely not for security.

There is work being done to prevent mobile site spoofing, but until this type of security is optimized and becomes the new industry standard, we will constantly be bombarded with fake login pages and spoofed sites.

On another note, our mobile apps could also use a security overhaul. It is only a matter of time before cyber criminals begin implementing malicious app installations by fooling our mobile carriers into thinking their app is good, then flipping a switch on a server and transforming the app into one that commits malicious tasks, said Kevin Mahaffey, chief technology officer and founder of mobile security software vendor Lookout.

Innovations in mobile computing and browsing should make no exceptions to the rules of security, no matter how convenient it may be for user performance. Users these days have it all wrong. For those of you demanding power and portability, take a step back and demand your security first!

Mobile Malware: Coming soon to a PC near you!

Posted by Patrick Snyder on Wednesday, 25 May 2011 in MyBlog

The evolution of mobile apps has become a viral topic among technologists. Developers are rapidly transitioning their skills from PC-based programming back to the minimalist programming seen in the early stages of computing, when resources were limited. There are already an estimated 350,000 apps on the Android Market and more than half a million in the iOS App Store. With these mobile app environments growing so quickly, PC companies are struggling to keep up and searching for a beneficial solution.

Enterprises have long been exploring application virtualization to allow functionality across platforms. Much of this development can already be seen today on mobile devices and PCs that run Java environments to power universal applications. What they are really searching for is a solution that allows universal operation of applications using little to no system resources. If these apps can run on less powerful smartphones, they should have potentially amazing capability on PC platforms.

Well, now this solution is within reach. Bluestacks is currently developing technology that will allow Android apps to run on a PC. Though this seems great for integrating our bulky yet powerful desktops and laptops with our mobile devices, it should also be raising some red flags.

According to research published by Juniper Networks, mobile malware on the Android operating system went up 400% in the six months prior to 2011. That should be a frightening statistic! Why would we ever want to allow these applications to run on our PCs? As if our PCs didn't already have enough malware to defend against, we are going to add mobile malware into the equation.

The technology will be virtualized, so there is an assumed level of security associated with it. This security is usually provided by a hypervisor that manages communication between software and hardware and between the hosted operating systems themselves; however, the technology pitched by Bluestacks seems like it will stray from this model.

"End users don't have to toggle between operating systems. They can simply click on an icon for an Android application, for instance, to launch and use it," said Rosen Sharma, president and CEO of Bluestacks.

From a security standpoint, we find this methodology very risky. We expect to see malware propagating through this new attack vector very soon; you can count on it. "This will be the number one attack vector within a year!" said Ken Kousky, president and CEO of IP3 Inc.

Throwing Stones in a Glass Infrastructure

Posted by Ken Kousky on Tuesday, 22 February 2011 in MyBlog

We must all understand that the net is fragile and it can be taken down. We have seen this 'kill switch' in action recently in Egypt. Libya is also taking its cue from Egypt and, in spite of social unrest, its government has also begun shutting down network access. Things are slipping out of hand very quickly, but Americans can breathe a sigh of relief. Or can we?

It seems our government is getting ahead of this situation before we meet a similar issue. Senators Joseph Lieberman and Susan Collins reintroduced legislation that prohibits this type of 'Internet Kill Switch' from being initiated by the president. A right to bear arms and a right to assemble lead into our right to the net.

One issue still remains: now that this type of mass Internet blackout technique has surfaced, we must be concerned not only with the authorities doing it but with everyone else who can now see that this capability does indeed exist.

Taking down the Internet is easier than you may think. The net has two fundamental services. The first is a name and address service, handled through the Domain Name System (DNS) infrastructure; without it we don't have email, VoIP, web traffic or any Web 2.0 technologies, including the growing Cloud infrastructure. The second service is routing. IP routers run software and can be attacked through a wide range of exploits. Last week, researchers at the University of Minnesota described a targeted DDoS attack that could knock out these services.

Another aspect the Egyptian outage showed us is that nation-states either already have or are aggressively building the tools to disrupt the Internet. Think back to the Stuxnet attacks: Iran acknowledges that a joint effort between the United States and the Israelis caused serious damage to the Iranian power infrastructure by damaging centrifuges in their nuclear power plant. If we can attack their infrastructure and get away with it, why would we think they won't attack ours? Mass terrorism could very well go cyber sooner than we know it. Last week, the head of the National Security Agency said that the United States should expect to be attacked. That's right, EXPECT it.

I think the message is clear: for Cloud computing and for general business continuity, resiliency and backup systems are not luxuries, they're mandatory!


~KWK

Spotlight on Mobile App Security: Part 1

Posted by Patrick Snyder on Tuesday, 08 February 2011 in MyBlog

Mobile devices continue to become our main source of productivity throughout our lives. Making phone calls and checking email are one thing but now we can browse full web pages and even edit documents. Mobile apps make our lives easier and…well…more mobile.

In today's world it is hard to find a task that cannot be completed in the palm of your hand. We can now conduct entire business meetings from an iPad, monitor our servers remotely through our smartphones, and take care of our banking and finances all while on the run. This could be a fatal mistake if we are not careful. We need to slow down for a minute and consider some serious security implications of our mobile actions.

Physical security of these devices is key when talking about mobile security. As smartphones get smaller and smaller and our technology keeps up with Moore's Law, we must keep in mind that these devices become more susceptible to theft. Just think of how easy it is to slip your phone into your pocket; this task is just as easy for criminals.

You may think that your smartphone doesn't carry very important information. This is a huge mistake in the security mindset. Soon our smartphones will carry more than just our contacts, photos and web access. They will be our main form of identification, our car key, our credit card, and our login token. Google and Apple have already begun work on this idea of eliminating passwords and using our mobile phones for complete authentication.

Failing to protect your mobile devices could also soon be hazardous to your health. As medical records continue to transition from paper to digital form, we will soon be seeing all of our medical information flashing across our smartphone screens. This is not something you can afford to lose or have maliciously altered.

Mobile apps still don't stop there. We all know that the banking industry has already taken a huge turn towards mobility. But have you heard you can even file your taxes on your smartphone? Intuit reports that as of February 2011, 350,000 downloads of its SnapTax application are already in use by iPhone and Android customers. That's right, you can even file your taxes on your smartphone. No more trips to the library or even to your computer.

So what if you lose your phone or it gets stolen? There are options to secure yourself, including a growing list of mobile encryption programs. You may also want to check out Apple's Find My iPhone app as well as the beta third-party Android version, Mobile Defense. These apps, and many like them, are like LoJack for your mobile devices. Lost devices can be located, wiped and protected remotely using these innovative security apps.

These topics barely break the surface of mobile security. Physical security is one small aspect of securing your smartphone. Stay tuned for more information on mobile app security including Cloud computing and how it will affect your smartphone security.

Weekend Think Tank: Cyber Warfare

Posted by Patrick Snyder on Friday, 04 February 2011 in MyBlog

We are living in a world of cyber war. There isn't a single event nowadays that doesn't involve the Internet. From the malicious Stuxnet attack on Iranian nuclear facilities, to Operation Payback's mass execution of the Low Orbit Ion Cannon botnet by thousands of pro-WikiLeaks supporters, to the Egyptian Internet blackout, all are related to some form of hacktivism or cyber warfare.

Computers and the Internet have become a powerful weapon in today's world, whether for financial gain, political activism, or malicious attacks. In properly trained hands a computer can be a more destructive weapon than any knife, gun, or bomb. Mind you, not just anyone can walk into a gun shop and purchase a gun, but even young kids can walk into the nearest Best Buy and pick up a computer. With a click of a mouse and a tap of a keyboard, our world's most valuable infrastructures can be shattered to bits. With the introduction of Stuxnet we were introduced to the real-life threat of SCADA system attacks, which are able to strike far beyond our bank accounts and damage the power, nuclear, and utility facilities we rely on, causing life-threatening dangers.

On the banking end of things, for those who have not heard the rumors, the malicious and powerful offspring of the Zeus and SpyEye malware is now being released and is already in use by a few cybercriminals. Banks still fight off Zeus-related attacks in attempts to protect customer credentials and prevent malicious transactions. The mutant malware boasts new skills in information harvesting and botnet capabilities. It even offers a graphical user interface, similar to the Windows interface, during remote-control operations (talk about using our own technology against us).

As mentioned in an earlier entry, the enemy is cloning us bit by bit, byte by byte. With each advancement we make they mimic our actions following in our footsteps. For every piece of technology we release in the fight against cybercrime, malicious attackers have been able to reverse engineer it, thus the battle continues.

Within McAfee's release of the 2011 Threat Predictions we caught a glimpse of what criminals could very well have in mind for the unfolding year. Many of these threats we have already had a taste of in previous years. These threats include Exploiting Social Media, Mobile, Apple, Applications, Sophistication Mimics Legitimacy, Botnet Survival, Hacktivism, and Advanced Persistent Threats. Sounds like the enemy is targeting us for the war of a lifetime. In a nutshell the worst case scenario is that our enemies, for potentially political reasons, will be able to find us no matter where we are, hit us with crippling malware, which they will hide in applications we use and trust everyday, relentlessly strike over and over without fail, and closely monitor their chaos to ensure the most effective damage. Imagine a Stuxnet/Operation Payback attack, with a Zeus/SpyEye malware tool, capable of attacking our increasing array of mobile technologies, stealing our money, stealing our identities, maybe even stealing our lives, and never even giving us a chance to see it coming.

Well, here is our chance to look out beyond the enemy at our gates. We can see their plans and their weapons being built. It's time for us to adjust our game plan and defenses as well. We must use what we know about our enemies to build better strategies and stay on top of security.

Cyberwar requires the same ideology as chess. A good chess player (our enemy) thinks one move ahead. But we can be that great chess player that thinks five moves ahead.

What are some of your opinions on this year's upcoming cyber threats? How do you plan on staying five moves ahead?
