Showing posts with label Cyber Crime. Show all posts
Showing posts with label Cyber Crime. Show all posts

October 13, 2012

Amazing Internet Statistics 2012

Star_wars
So what happens in only 1 minute on the Internet--this cool magazine Ideas and Discoveries (October 2012) provides some amazing examples:

- Information Sharing--639,800 gigabytes of data are exchanged
- Information Generation--6 new Wikipedia articles are created
- Information Visualization--20,000,000 photo looked at on Flickr
- eMail--204,000,000 emails are sent
- eCommerce--$83,000 of sales on Amazon
- Social Networking--320 new users on Twitter and 100 on LinkedIn (wonder how many for Facebook...)
- Cyber Crime--20 new victims of identity theft

And in the same month, Harvard Business Review reported on the growing significance to commerce with the Internet contributing to GDP (in 2010) as much as:

- 8.3% in the UK
- 7.3% in South Korea
- 5.5% in China
- 4.7% in the US
- 4.7% in Japan
- 4.1% in India

Moreover in HBR, this is what was reported that people are willing to give up instead of the Internet for a year--and the numbers are pretty startling--check this out:

- 91% of UK would give up fast food
- 89% of Indonesians would give up smoking
- 86% of Japanese would give up chocolate
- 85% of Chinese would give up coffee
- 78% of Indonesians would give up their shower
- 60% of Japanese would give up exercise
- 56% of Chinese would give up their car
- 56% of Japanese would give up sex--go figure! ;-)

While this is all sort of light, there is also a very seriousness dimension to this. For example, in the Wall Street Journal today, it quotes Secretary of Defense, Leon Paneta warning that with Iran's digital assault on the U.S., the concerns of cyberwar are growing with the SecDef going so far as to say "Is there a cyberwar going on? It depends on how you define war."

Yes, the Internet is amazing for so many reasons and we can't take it for granted--we need to be vigilant and defend the Internet (cyber) with the same zeal and commitment as the other domains of war--land, sea, and air--all are vital to national security and for the preservation of life, liberty, and the pursuit of happiness.

This is a lesson we need to learn quickly and decisively--before the old Star Wars is passe and cyberwar turns deadly. 

(Source Photo: Andy Blumenthal)

Share/Save/Bookmark

December 31, 2011

The Not So Candid Camera

When you're at the swimming pool, it's a time for swimming, splashing, and fun.

With family and friends, it's even a great time to catch some scenic photos of loved ones having a great time.

You expect to see cameras and smartphones taking some discreet pictures or videos.

Not a new problem, but some people take advantage of the people swimming or tanning to take compromising shots.

When people are knowingly scantily clad in public--people will argue what level of responsibility they have for the way they present themselves.

However, when others take advantage of that--let's be clear, the predator is the aggressor!

At the pool, I saw this taken to a whole new level today--and by someone and in a way I would not have expected.

This older-looking guy, with a hat on, strolls up to the pool with a huge tripod mounted video camera on a WALKER and starts taking rolling video on a pool almost exclusively filled with little children.

There was no warning, no request--"may I", no do you mind, just a video camera mounted on a walker at the head of the pool with lots of little kids, and also some teens, women, and more.

First, I watched to see what this guy was doing...then I thought, I better capture this and I took a series of photographs of the guy--who had no apparent compunction about invading everyones privacy.

But the story isn't over--it get's worse.

All of a sudden, I notice my computer picking up a wireless network with a name that self identified them with a clear inclination for child pornography (I am withholding the actual name so as not to tip off the criminal). I capture this too--with a screenshot. Was it the same guy with mounted video camera or someone else?

So much for a relatively serene vacation, and some quiet private time.
I just saw Dateline's "To Catch A Predator" early this week and I almost can't believe this is happening. I think to myself--is this real? Unfortunately it is.

I reported both incidents to hotel security. At their request, I email them the screenshot of the wireless network name that would make anyone cringe. Next call is to the National Center for Missing and Exploited Children and CyberCrime.com.

Normally, I believe in live and let live, but we all have to do our part to protect children and other innocent victims.

Share/Save/Bookmark

June 19, 2011

Crashing The Internet--Are We Prepared?


Almost week after week, I read and hear about the dangers of cyber attacks and whether "the big one" is coming.

The big one is what some experts have called a pending "digital Pearl Harbor."

Just last week, the Federal Times (13 June 2011) wrote that the "U.S. government computer networks are attacked about 1.8 billion times per month."


The Center for New American Security (CNAS) states that deterring and preventing cyber attacks will require "stronger and more proactive leadership."

Charles Dodd, a cyber security consultant in D.C. warns that "You've bought a stick to a gunfight, and you're arrogant about your capabilities."
So the question is--are we really paying attention to and being realistic about the probability and magnitude of the impact of the cyber threat out there?

Certainly, with so much critical infrastructure--from government, military, and private industry--dependent on the Internet, the effects of a concerted or prolonged cyber attack on our country would be devastating as documented most recently in The Lipman Report (October 2010) on "Threats to the Information Highway: Cyber Warfare, Cyber Terrorism, and Cyber Crime" as follows:

--"There is a great concern regarding the types of destructive attacks that are already occurring, but an even greater concern for the unknown that is yet to happen but is almost certainly even now in development. Cyberspace touches nearly every part of our daily lives."

It is in this regard that I read with serious concern today in ID Magazine (August 2011) that the University of Minnesota has "demonstrated in a simulation how an attack with a large botnet (a network of remotely-controlled PCs) could shut down the Internet."

And it took only 20 minutes to trigger the chain reaction in which "manipulated routers overloaded all other Internet routers worldwide...mak[ing] it impossible for Internet address to be found."
Granted it would take around 250,000 computers to carry out such an attack, but with the billions of people online with computer devices of all sorts...that does not seem like an inordinate amount to press forward with for a coordinated attack.

So the Internet in theory can be crashed!

Just think for a moment about how that would impact you and what you do every day...would anything be the same? Could we even function normally anymore?

As we move more and more of our applications, data, and infrastructure online to the cloud, we need to consider what additional risks does this bring to the individual, the organization, and the nation and how we can respond and recover should something happen to the Internet.

In the Federal government there are many agencies, commands, task forces, and groups working to secure the Internet, and at the same time, there are separate efforts to modernize and reform IT and reduce unnecessary expenditures, so what we need to do is better integrate the drive to the cloud with the urgency of securing our data, so that these efforts are strong and unified.
This is one of the things that I was trying to achieve when I created the CIO Support Services Framework in synthesizing the functions of IT Security with the other strategic CIO functions for Enterprise Architecture, IT Investment Management, Project Management, Customer Relationship Management, and Performance Management.

If the Internet can indeed be crashed, we had all better be prepared and make the right IT investment decisions now, so that we won't be sorry later.
(All opinions are my own)

(Source Photo: Heritage and History.com)

Share/Save/Bookmark

March 20, 2011

Fixing The Information Flow

So check this out--H2Glow has an LED faucet light that it temperature sensitive and turns blue for cold water and red for hot.

When I saw this, I thought this would be a great metaphor for managing the information flow from our organizations--where we could quickly and simply see whether the information flowing was sharable and for public consumption ("blue") or whether something was private and proprietary ("red").

The Economist, 24 February 2011, in an article called "The Leaky Corporation" writes: "Digital information is easy not only to store, but also to leak. Companies must decide what they really need to keep secret, and how best to do so."

Like a faucet that gushes water, our organizations are releasing information--some with intent (where we are in control) and much without (due is spillage and pilferage).
In the age of WikiLeaks, computer hackers, criminals, terrorists, and hostile nation states, as well as the insider threat, information is leaking out uncontrollably from our organizations and this puts our vital competitive information, national secrets, and personal privacy information at risk (i.e. health, financial, identity, and so on).

Of course, we want the proverbial blue light to go on and information to be shared appropriately for collaboration and transparency, but at the same time, we need to know that the light will turn red and the information will stop, when information is justifiably private and needs to be kept that way.

Being an open and progressive society, doesn't mean that that there is only cold water and one color--blue. But rather, that we can discern the difference between cold and hot, blue and red, and turn the faucet on and off, accordingly.

Information is proliferating rapidly, and according to IDC, a market research firm, the "digital universe" is expected to "increase to 35 zettabytes by 2020."--a zettabyte is 1 trillion gigabytes or the equivalent of 250 billion DVDs.

Therefore, the necessity of filtering all this digitally available information for inside use and outside consumption is going to become more and more critical.

According to The Economist article, we will need to employ the latest techniques and automation tools in:

- Enterprise Content Management--to "keep tabs on digital content, classify it, and define who has access to it."

- Data Loss Prevention--using "software that sits at the edge of a firm's network and inspects the outgoing data traffic."

- Network Forensics--"keep an eye on everything in the a corporate network and thus...detect a leaker."

Of course, as the Ciso chief security officer says: "technology can't solve the problem, just lower the probability of accidents."
In the end, we need to make sure people understand the vulnerability and the dangers of sharing the "red" information.
We can focus our employees on protecting the most critical information elements of the organization by a using a risk management approach, so that information with the high probability of a leak and with the greatest possible negative impact to the organization is filtered and protected the most.

The leaky faucet is a broken faucet and in this case we are all the plumbers.

Share/Save/Bookmark

January 22, 2011

When My Friend Got Hacked

True story.

So an old friend of mine had his account hacked on Facebook.

And the hacker is sending chat messages to my friend’s Facebook contacts—like me—pretending to be him—with his picture and name and all his online information.

He says that he is stuck in London, just got mugged—at gunpoint—losing his money and phone and needs my help.

At first, I’m thinking oh crap; my friend is in trouble and needs me. Then, I’m like wait a second, he’s pulling my leg. So I ask “are you joking?”

The hacker—pretending to be my friend—continues how it was such a terrible experience, but thank G-d they are still alive.

I’m on the other end of this chat—and questioning now if this person is really who they say they are—despite the REAL picture and profile.

I ask who are you with?

The hacker replies with the name of my friend’s wife. Her real name!

And the hacker continues with the mugging story and how they are leaving in a few hours for their return flight to the States, but need help.

Ok, I am happy to help my friends, but I want to know this is really my friend. Behind the scenes, I am contacting other mutual friends, family and so on to verify this story and resolve this.

On the chat, I ask—can you tell me something that only the two of us would know?

The hacker starts flipping out and gives me "?!?!?!...."

I repeat my question and ask if the hacker understands.

The hacker responds that they do.

And then ignoring my questioning, proceeds with the storyline asking me to wire money and that it will be okay, because they will need identification to retrieve the wire.

Now I ignore the hacker’s request and go back to my question about who this person on the other end of the chat really is?

No response.

"U there?"

Hacker is offline...for now.


Share/Save/Bookmark

April 10, 2010

Knowing Who Your Friends Are

You’re on the Internet doing your business, but who is at the other end and how do you know that you can trust them?

That is what so called Reputation Systems are all about—creating mechanisms to authenticate the identities of partners online and measure just how trustworthy they are or aren’t.

Some familiar examples of reputation systems include everything from scores for vendors on Amazon or eBay to activity statistics on Twitter to recommendation distinctions on LinkedIn to networks on Facebook.

The idea is that we measure people’s trustworthiness through the number of transaction they conduct, reviews and recommendations they receive, and associations they keep.

These are all instances of how we unmask the identities and intent of those we are dealing with online—we obtain 3rd party validation. For example, if a vendor has hundreds or thousands of transactions and a five star rating or 99% positive reviews or is a select member of a power seller” network or other select organization, we use that information of past performance to justify our current or future transactions or associations with them.

MIT Sloan Management Review, Spring 2010, has an article about reputation systems called “Online Reputation Systems: How to Design One That Does What You Need.”

According to the article, reputation systems are “the unsung heroes of the web,” because “they play a crucial role is building trust, promoting quality, improving collaboration and instilling loyalty.”

Without some way of knowing whom we are sending a credit card payment to, friending, or chatting with on the Internet, we would be violating the cardinal rule of safety that our parents and teachers taught us from the earliest time that we could understand that you “don’t talk to strangers.”

I remember a very good video for children produced by Service Corporation International (SCI) called “Escape School,” which taught just such lessons by Bob Stuber a former police officer and child safety expert.

Even as we grow up though the dangers from people criminals and predators still exist; hopefully we are a little older and wiser in recognizing it and dealing with it, but this is not always the case.

For example with online dating networks, people sometimes pretend that they are a rich brain surgeon or the proverbial “tall, dark, and handsome” physique to lure someone on a date, only to be exposed for who they really are upon the first date.

People are inherently driven to connect with others, and online we are able to connect easier then ever before—with people from all over the globe, virtually anytime of the day or night—and it is often tempting to let our heart lead and dismiss any concerns about who we are dealing with. Further, the veil of anonymity online seems to only heighten the opportunities for abuse.

The dangers of people pretending to be something they are not and the need for recognizing whom we are dealing with is an age old problem that society struggled with—from the snake oil salesman of time past to those occasional dishonest vendor on sites like eBay today.

The MIT article states “Small, tightly knit communities arguably do not need central reputation systems, since frequent interactions and gossip ensure that relevant information is known to all. [However,] the need for a central system increases with the size of the community and the lack of frequent interaction among members. In web-based communities with hundred or thousands of members, were most members typically know each other only virtually, some form of reputation system is always essential.”

Predators act out online everyday using social engineering to trick people into divulging personnel or organizational information, getting them to send money (like the fake emails from Nigeria or a lottery) or sending out malware when you click on the link that you know you shouldn’t be doing.

Another example with children is evident on NBC Dateline’s “To Catch A Predator” series where Chris Hansen stakes out the child predators who arrange meetings with kids in chat rooms on the Internet and then make their appearance at their homes or other meeting spots. Child predators prey on the fact that the children online don’t realize who they are dealing with and what their evil intentions are. Thank G-d, law enforcement and NBC has been able to turn the tables on some of these predators when law enforcement is pretending to be the vulnerable kids in order to catch the predators---who are fooled into thinking they are talking to children, only to be caught often literally “with the pants down.”

Whether we are socializing online, surfing the Net, or conducting some form of ecommerce, we must always pay attention to the identification and reputation on those we deal with. As the MIT article points out, with reputation systems, we can use ratings, ranking, and endorsements to build up information on ourselves and on others to build trust, promote quality, and sustain loyalty.

Of course, even with reputation systems, people try to manipulate and game “the system,” so we have to be ever vigilant to ensure that we are not duped by those hiding their true intentions or pretending to be somebody or something they are not.

As social creatures, optimists, and those of faith, we are tempted to just trust, but I prefer the motto of “trust and verify.”


Share/Save/Bookmark

June 27, 2009

Now We All Have Skin In The Game

It used to be that cybersecurity was something we talked about, but took for granted. Now, we’re seeing so many articles and warnings these days about cybersecurity. I think this is more than just hype. We are at a precipice, where cyberspace is essential to each and every one of us.

Here are some recent examples of major reviews in this area:

  • The White House released its 60-days Cyberspace Policy Review on May 29, conducted under the auspices of Melissa Hathaway, the Cybersecurity Chief at the National Security Council; and the reports states: “Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st century…the nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat."
  • The Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th President wrote in a December 2008 report: “America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration…It is a battle we are losing.”

Cyberspace is becoming a more dangerous place as the attacks against it are growing. Federal Computer Week, June 2009, summarized the threat this way:

“Nation states are stealing terabytes of sensitive military data, including some of the most advanced technology. Cybercrime groups are taking hundreds of millions of dollars from bank accounts and using some of that money to buy weapons that target U.S. soldiers. The attacks are gaining in sophistication and the U.S. defenses are not keeping up.

Reviewing the possibilities as to why this is happening: Have we dropped our guard or diverted resources or knowhow away from cybersecurity in a tight budgetary environment and now have to course correct? Or, have our adversaries become more threatening and more dangerous to us?

I believe that the answer is neither. While our enemies continue to gain in sophistication, they have always been tenacious against us and our determination has never wavered to overcome those who would threaten our freedoms and nation. So what has happened?

In my view the shift has to do with our realization that technology and cyberspace have become more and more vital to us and underpins everything we do--so that we would be devastated by any serious disruption. As the Cyberspace Policy Review states definitively: “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S economy, civil infrastructure, public safety, and national security.”

We rely on cyberspace in every facet of our lives, and quite honestly, most would be lost without the connectivity, communications, commerce, productivity, and pleasure we derive from it each and every day.

The result is that we now have some serious “skin in the game”. We have something to lose--things that we deeply care about. Thus, we fear for our safety and survival should something bad happen. We think consciously or subconsciously how would we survive without the technology, Internet, and global communications that we have come to depend upon.

Let’s think for a second:

What if cyberspace was taken down or otherwise manipulated or controlled by hostile nation states, terrorists, or criminals?

Would there be a breakdown in our ability to communicate, share information, and learn? Would there be interruptions to daily life activities, disruptions to commerce, finance, medicine and so forth, concerns about physical safety or “accidents”, risks to critical infrastructure, and jeopardy to our ability to effectively protect ourselves and country?

The point here is not to scare, but to awaken to the new realities of cyberspace and technology dependence.

Safeguarding cyberspace isn’t a virtual reality game. Cyberspace has physical reality and implications for all of us if we don’t protect it. Cyberspace if a critical national asset, and we had better start treating it as such if we don’t want our fear to materialize.


Share/Save/Bookmark

January 29, 2008

Intrusion-Prevention Systems and Enterprise Architecture

Firewalls have traditionally been used to “wall off” the enterprise from computer attack, but now intrusion-prevention systems are augmenting the organization’s defenses.

The Wall Street Journal, 28 January 2008 reports that “intrusion prevention systems promise an even smarter defense” than firewalls.

Firewalls are intended to keep intruders out. However, because certain traffic, such as email, needs to get through, holes or open ports allow in traffic that can carry viruses or malware into the network.

Intrusion-prevention systems work differently—they don’t wall off the enterprise networks like firewalls, but rather like a metal detector, they filter or scan every piece of traffic entering the organization for suspicious activity, and reject any item that is identified as a threat.

According to Wikipedia, Intrusion prevention systems (IPS)... [are] a considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done.

Intrusion-prevention systems can be hardware that is physically attached to the network or software that is loaded onto individual computers.

Are intrusion-prevention systems really necessary?

Yes. “According to the Computer Security Institute 2007 Computer Crime and Security Survey, the average annual loss suffered by U.S. companies from computer crime more than doubled last year to $350,424 from $168,000 in 2006. And these reported losses tend to underestimate the number of attacks.”

Gartner analyst recommends antivirus on PCs and an intrusion –prevention system on the network.

Are there any problems with intrusion-prevention systems?

One of the biggest issues is false positives, which if not adjusted for will block desired incoming traffic. One way to handle this is to use the intrusion-prevention system to “detect threats and flag them,” rather than simply block them altogether. Additionally, the organization can adjust the filters that they may not need. This is the tuning required to ensure performance in terms of network speed and an appropriate level of filtering.

If your organization is not using an intrusion-prevention system, this is something your enterprise architecture needs to plan for and implement ASAP.


Share/Save/Bookmark