October 20, 2014
Shining A Light On Your Privacy
Check out this special report...
~Half a billion~ downloads of the top 10 flashlight apps--the ones we all have on our smartphones--and guess what?
All/most are malware/spyware from China, India, and Russia that are spying on you!
Your contacts, banking information, even your location, are being intercepted by hackers abroad.
The cybersecurity experts at SnoopWall (who conducted this study and are offering a free open-source "privacy flashlight") recommend that you don't just uninstall these flashlight apps, because they leave behind trojans that keep functioning behind the scenes and capturing your information.
Instead, they advise backing up key information and then doing a factory reset of the smartphone.
A pain in the you-know-what, but these flashlight apps are shining a light on, and compromising, your personal information.
Snopes points out that the flashlight apps may be no more vulnerable to spyware than other apps you download, and that perhaps the screening process at the app stores helps to protect us somewhat.
When hackers decide to exploit the apps that are vulnerable, whether for political, military, or financial gain, it will likely be ugly, and that flashlight or other app you use may prove far more costly than the download. ;-)
(Thank you Betty Monoker for sharing this.)
February 22, 2014
National State Of Cyber Insecurity
This video is a wake-up call on the state of our national cyber insecurity.
It is the opening statement (about 6 minutes) of Chairman Michael McCaul (R-TX) of the Homeland Security Subcommittee on Oversight, Investigations, and Management.
What he describes is quite grave, and every American should listen carefully: the state of our cyber insecurity poses a real and significant threat to our economy and national security.
We are under attack by cyber criminals, terrorists, and hostile nation states.
Our adversaries seek to and can paralyze our critical infrastructure, steal our intellectual property, conduct espionage, and access our personal and financial information.
The collapse of our military networks, financial system, energy, transportation, and electricity "is not science fiction."
The cyber attacks are "real, stealth, and persistent, and can devastate our nation."
It is "not a matter of if, but when a Cyber Pearl Harbor will occur."
And "we have been fortunate that up until this point that cyber attacks on our country have not caused a cataclysmic event."
I read from the Center for Strategic and International Studies (2011) that cybersecurity has taken a back seat after 9/11 to the War on Terror as well as the economic fight after the recession of 2008, with the result that "the United States is unprepared to defend itself."
Chairman McCaul critically states at the end of his opening statement, "Let's do something meaningful [now] because it is not a tolerable situation!"
March 29, 2013
Catching More Flies With Honey
And this is true in cyberspace as well...
Like a honey pot that attracts cyber criminals, organizations are now hiring "ethical hackers" to teach employees a lesson, before the bad guys teach them the hard way.
The Wall Street Journal (27 March 2013) reports that ethical hackers lure employees to click on potentially dangerous email links and websites, get them to provide physical access to data centers and work site computers, or give up passwords or other compromising information through social engineering.
The point of this is not to make people feel stupid when they fall for the hack--although they probably do--but rather to show the dangers out there in cyberspace and to impress on them to be more careful in the future.
One ethical hacker company sends an email with a Turkish Angora cat (code-named Dr. Zaius) promising more feline photos if people just click on the link. After sending this to 2 million unsuspecting recipients, 48% actually fell for the trick and ended up with a stern warning coming up on their screen from the cyber security folks.
Another ruse is to send a faux email seemingly from the CEO or another colleague, so that recipients feel safe, but with an unsafe web link, and see how many fall for it.
While I think it is good to play devil's advocate and teach employees by letting them make mistakes in a safe way--I do not think that the people who fell for it should be named or reported--it should be a private learning experience, not a shameful one!
The best part of the article was the ending from a cyber security expert at BT Group, who said that rather than "waste" money on awareness training, we should be building systems that don't let users choose weak passwords and don't care what links they click--they are protected!
I think this is a really interesting notion--not that we can ever assume that any system is ever 100% secure or that situational awareness and being careful should ever be taken for granted, but rather that we need to build a safer cyberspace--where every misstep or mistake doesn't cost you dearly in terms of compromised systems and privacy. ;-)
(Source Photo: Dannielle Blumenthal)
October 13, 2011
Increase Security On Your Google Account
After reading the article Hacked! in The Atlantic (November 2011), I looked into Google's new security feature called 2-Step Verification (a.k.a. Two Factor Authentication).
March 6, 2010
Overcoming the Obstacles to Cyber Security
There continues to be a significant shortfall in our cyber security capabilities, and this is something that needs our determined efforts to rectify.
Often I hear a refrain from IT specialists that we can’t wait until the end of a project to address security, but rather need to “bake it in” from the beginning. And while this is good advice, it is not enough to address the second-class status that we hold for IT security versus other IT disciplines such as applications development or IT infrastructure provision. Cyber security must be elevated to safeguard our national security interests.
Here are some recent statements from some of our most respected leaders in our defense establishment demonstrating the dire straits of our IT security posture:
· “We’re the most vulnerable, we’re the most connected, we have the most to lose, so if we went to war today in a cyber war, we would lose.” - Retired Vice Admiral Mike Mullen (Federal Computer Week, 24 February 2010)
· The United States is "under cyber-attack virtually all the time, every day” - Defense Secretary Robert Gates (CBS, 21 April 2009)
· “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.” (White House CyberSpace Policy Review, 2009)
Further, the number of attacks is increasing; for example, SC Magazine (20 November 2009) reported that the number of cyber attacks against the Department of Defense increased by some 60% from 2008 to 2009!
And the penetration of our critical systems spans our industrial, civilian, and defense establishment and even crosses international boundaries. Most recently reported, these included the following:
· The F-35 Joint Strike Fighter $300B program at Lockheed Martin
· The Space Shuttle designs at NASA
· The joint U.S. South Korean defense strategy
· The Predator feeds from Iraq and Afghanistan, and more.
Thankfully, these events have not translated down en masse and with great pain to individuals in the public domain. However, this is a double-edged sword, because on one hand, as citizens we are not yet really “feeling the pain” from these cyber attacks. On the other hand, the issue is not taking center stage to prevent further and future damage.
This past week, I had the honor to hear Mr. James Gossler, a security expert from Sandia National Labs, speak about the significant cyber security threats that we face at MeriTalk Innovation Nation 2010 on the Edge Computing panel that I was moderating.
For example, Mr. Gossler spoke about how our adversaries were circumventing our efforts to secure our critical cyber security infrastructure by being adept and agile at:
· Playing strength to weakness
· Developing surprising partners (in crime/terror)
· Changing the rules (“of the game”)
· Attacking against our defenses that are “naïve or challenged”
In short, Mr. Gossler stated that “the current state-of-the-art in information assurance [today] is significantly outmatched” by our adversaries.
And with all the capabilities that we have riding on and depending on the Internet nowadays, from financial services to health and transportation to defense, we do not want to be outgunned by cyber criminals, terrorists, or hostile nation states threatening and acting in ways to send us back to the proverbial “stone age.”
Unfortunately, as a nation we are not moving quickly enough to address these concerns as retired Navy vice admiral Mike McConnell was quoted in Federal Computer Week: “We’re not going to do what we need to do; we’re going to have a catastrophic event [and] the government’s role is going to change dramatically and then we’re going to go to a new infrastructure.”
Why wait for a cyber Pearl Harbor to act? We stand forewarned by our experts, so let us act now as a nation to defend cyber space as a free and safe domain for us to live and thrive in.
There are a number of critical obstacles that we need to overcome:
1) Culture of CYA—we wait for disaster, because no one wants to come out first—it’s too difficult to justify.
2) Security is seen as an impediment, rather than a facilitator—security is often viewed by some as annoying and expensive with an undefined payback, and as something that “gets in our way” of delivering for our customers, rather than as a necessity for our systems to work.
3) We’ve become immune from being in a state of perpetual bombardment—similar to after 9-11, we tire, as human beings, of living in a state of fear and maintaining a constant state of vigilance.
Moreover, to increase our cyber security capabilities, we need to elevate the role of cyber security by increasing our commitment to it, funding for it, staffing of it, training in it, and tools to support it; by establishing aggressive but achievable goals to advance our capabilities; and by conducting ongoing performance measurement on our initiatives to drive results.
December 7, 2009
Let's Not Understate the Cyber Threat
Wow. I read with some surprise and consternation an article in Government Computer News, 4 December 2009. In this article, the author portrays the fears of a “digital Pearl Harbor” or overwhelming cyber attack on the United States as overblown—almost as if it’s of no real possibility or significant impact. In short, the article states:
“What good would it do an attacker to take down the vital U.S. networks? While the damage to this country could be great, the benefit to an attack would be nil if it could not be followed up. The real threat of cyber warfare is not in stand-alone attacks, but in attacks coordinated with military action.”
While I agree that a coordinated attack is obviously more dangerous than a cyber attack alone, the threat and potential damage of a cyber attack could be devastating—with or without military action.
Let’s think for a second about how the military traditionally projects force around the world through conventional warfare—taking control of the air, land, and sea. Control the sea-lanes and you have power over 90%+ of international commerce. Control the land and you have power over people’s daily lives—including their ability to satisfy even basic needs for food, clothing, and shelter, their personal safety, and even their ability to govern themselves. Control the air and you control freedom of movement on the ground, people’s basic comings and goings. Traditional military power can affect just about every facet of people’s lives including ultimately the taking of life itself i.e. paying “the ultimate price.”
Now think for a second about what a massive cyber attack could potentially do to us. At this stage in history, we have to ask ourselves not what elements could be affected by a cyber attack, but what elements of our lives would not be impacted. This is the case since virtually our entire civil infrastructure, and elements of our military infrastructure, depend on the Internet and the computers connected to it. If you “pull the plug” or corrupt the interconnected systems, “watch out” seems apropos.
The same areas that are vulnerable to traditional military attack are threatened by cyber attack: Commerce, Energy, Transportation, Finance, Health, Agriculture, (Defense)…are all deeply interwoven and dependent on our interconnected computer systems—and this is the case more and more.
Think e-Commerce, online banking and finance, manufacturing production systems, transportation systems, food production and safety, the energy grid, electronic health records, C4ISR, and so on.
While, thank G-d, we have been spared a really devastating attack to date (if you exclude the massive data compromised/stolen in recent cyber attacks), we would be derelict in our responsibilities for ensuring safety and security if we thought that was it.
Further, unpleasant as it may be, we should consider the impact in terms of the potential for physical harm or loss of life in the event of a serious cyber attack.
While many brush aside this possibility, there is certainly the potential. Even putting aside the potential public panic/chaos and ensuing loss of life and property that could occur in a serious attack, how about just taking out a single, major facility—like a dam, power plant, reservoir, electrical hub, transportation system, and so on. This is an important focus of efforts to ensure critical infrastructure protection, a public-private sector partnership initiative.
Rep. Lamar Smith, R-Texas, said: "Until we secure our cyber infrastructure, a few keystrokes and an Internet connection is all one needs to disable the economy and endanger lives.”
Sure, a severe and consequential attack would require ample skills, know-how, resources, and sophistication—it is no small feat—but with the hosts of cyber criminals, terrorists, and hostile nation states out there increasingly trying to hack our systems, there is valid cause for concern.
This recognition of what’s possible does not mean it is probable or imminent. However, the awareness and understanding of our increasing dependence on the Internet and related systems and the acknowledgement that there are those out there—as in 9-11—who seek to do our country harm, should not blind us with fear, but rather spark us to constructively deal with the challenge and take proactive actions to secure the ever expanding realm of cyberspace.
The Executive Summary of the CyberSpace Policy Review that was conducted by the White House in 2009 sums it up this way:
“The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.”
We should not and cannot understate the possible threats against our nation, but rather we need to act responsibly and rationally, with resolve to protect our nation, before and not only after. As the CyberSpace Policy Review states:
“The Nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat. We need to demonstrate abroad and at home that the United States takes cybersecurity-related issues, policies, and activities seriously.”
Fortunately, our nation has recognized the potential threat and is acting, as Security Focus reported on June 24, 2009: “The U.S. Secretary of Defense ordered the military to create a unified command to act as the nation's central hub for cyber capabilities and commanded the Pentagon to develop a policy framework for cyberspace operations.”
On a personal note, I am grateful for the many good, hardworking people in our military, civilian and private sector that are working to secure cyberspace for us, and believe we need to do this with vigor and resolve. It’s necessary in order to safeguard our future that is ever reliant on technology.
November 22, 2009
Personal Technology Trumps Work IT
The pendulum has definitely swung—our personal and home technology is now often better than what we are using in the office.
It wasn’t always that way. Early on, technology was mysterious to those not professionally engaged as system engineers or IT professionals. Technology was expensive and made sense for business purposes, but not for home use. IT was a professional enabler to get the job done, but consumer applications were scarce and not intuitive for anything but the office.
The world has turned upside down. Now as consumers, we are using the latest and greatest computers, smart phones, gaming devices, and software applications, including everything social media and e-Commerce, while in the office, we are running old operating systems, have nerdy phones, locked down computers, applications that aren’t web-enabled, and social media that is often blocked.
The Wall Street Journal (16 November 2009) summed up the situation this way:
“At the office, you’ve got a sluggish computer running aging software, and the email system routinely badgers you to delete message after you blow through the storage limits set by your IT department. Searching your company’s internal website feels like being transported back to the pre-Google era of irrelevant results…This is the double life many people lead: yesterday’s technology for work, today’s technology for everything else…The past decade has brought awesome innovations to the marketplace--Internet search, the iPhone, Twitter, and so on, but consumers, not companies, embrace them first and with the most gusto.”
What gives, and why are we somehow losing our technical edge in the workplace?
Rapid Pace of Change—We have been on a technological tear for the last 20 years now; virtually nothing is the same—from the Internet to cloud computing, from cell phones and pagers to smart phones and iPhones, from email to social media, and so much more. From a consumer perspective, we are enamored with the latest gadgets and capabilities to make our life easier and more enjoyable through technology. But at work, executives are tiring of the pace of technological change and the large IT budgets that are needed to keep up with the Joneses. This is especially the case, as financial markets have seized up in the last few years, credit has tightened, revenue and profitability have been under extreme pressure, and many companies have laid off employees and others have even gone kaput.
Magnificent Technology Failures—Along with the rapid pace of change, has come huge IT project failure rates. The Standish group reported this year that 82% of IT projects are failing or seriously challenged. Why in the world would corporate executives want to invest more money, when their past and present IT investments have been flushed down the toilet? Executives have lost faith in IT’s ability to upgrade their legacy systems and fulfill the promises behind the slew of IT investments already made. Related to this is the question of true cost-benefit and total cost of ownership of all the new technologies and their associated investments—if we haven’t been able to achieve or show the return on investment on all the prior investments, why should we continue investing and investing? Is the payoff really there? Perhaps, we are better off putting the dollars into meeting core mission requirements and not overhead, like IT?
Security Risks Abound—With all the technology has come a whole new organizational risk set in terms of IT security. Organizations are hostage to cyber criminals, terrorists, and hostile nation states who can, with a few keyboard strokes or mouse clicks, disable the company's transaction capability, wipe out its memory, steal its information, or otherwise neutralize it from functioning. And the more technology we add, the more the risk level seems to increase. For example, the thinking goes that we were safer when we ran everything in a locked down, tightly controlled, mainframe environment. The more we push the envelope on this and move to client server, the web, and now to even more transparency, information sharing, and collaboration—through social media, cloud computing, and World 2.0—the thinking is that we are potentially more open to local and global threats than ever before. Further, with the nation under virtually constant cyberattack and our capabilities to slow or stop these attacks seemingly nonexistent at this time, executives are reluctant to open up the technology vulnerability spigot any further.
While there are many other reasons slowing or impeding our technology adoption at work, we cannot stop our march of IT advancement and progress.
We are in a global competitive marketplace and the world waits for no one. The problems resulting from the speed and cost of change, the high IT project failure rate, and the cybersecurity dangers/challenges cannot be allowed to inhibit us from progress. We must address these issues head on: We have got to achieve efficiencies from technological advancement and plow the cost savings into next generation technologies. We have got to drastically improve our IT project success rate through mature implementations of enterprise architecture, IT governance, project management, customer relationship management, and performance measurement (Reference: The CIO Support Services Framework). And we must invest heavily in IT security—with money, people, policy, training, new technology safeguards, and more.
Innovation, technological prowess, and information superiority are what give us our edge—they are the tip of our spear. So yes, we must carefully plan/architect, wisely invest, execute well, and secure our IT. But no, we cannot dismiss the evolving technologies outright, nor jump in without proper controls. We must move rationally, but with determination, into the future.
May 2, 2008
Cyber Warfare and Enterprise Architecture
Security is a cross-cutting perspective in Enterprise Architecture, but I treat it as its own EA perspective because of its importance. And this is especially true in a law enforcement and defense readiness organization.
While security in EA is generally of a defensive nature, we must remember that as a nation, we must be ready to not only defend ourselves, but also to launch offensive operations and take out the enemy.
According to Military Information Technology Magazine, 9 April 2008, in an interview with Major General William T. Lord, the Department of Defense is standing up a new Cyberspace Command in the U.S. Air Force.
Why do we need this new Cyberspace Command?
There are many threats to us that emanate from cyberspace, including:
- Cyber-criminals—looking to steal your identity or your money
- Cyber-terrorists—who “want to disrupt, dissuade, or deter us from doing something”
- Nation States—“some of which are out to interrupt U.S. interests anywhere in the world.”
Cyberspace is a dangerous place, especially if you’re DoD; they “get about 3 million attempted penetrations” a day!
This is why defense in depth is so important, so that if an enemy manages to get through the perimeter of our network security, we can still stop them at the second or third tiers of our defensive capabilities.
In terms of offensive capabilities, sometimes you have to take the battle to the enemy. At times, it is necessary to “disrupt an enemy prior to the conduct of kinetic combat operations, [so] that the enemy could not figure out what its command and control system was, had false data, could not see an attacking force, and was making decisions based on information systems that been manipulated in advance of combat operations.”
To architect the defensive and offensive cyberspace capabilities necessary to combat our enemies, it is imperative to continuously build information sharing and partnership between the parties involved, such as the Departments of Defense, Homeland Security, Justice and the Director of National Intelligence. This is a core tenet of user-centric EA.
Just as we invest in the latest and greatest kinetic weapons to defeat our enemies, we must also invest in non-kinetic weapons including “our electronic warfare, space systems, and cyber-systems.” As Major General Lord stated: “it’s not always about destroying things, but about changing behavior, so that an enemy concludes that the costs of whatever they had in mind is too great and will stop. [Then again,] sometimes you have to be able to whack somebody in the nose.”