Showing posts with label Cyber Spying. Show all posts

July 21, 2013

Like Buying A Nuke On The Black Market

Buying a serious computer vulnerability is now like acquiring a nuke on the black market. 

Nations and terrorists will pay to find the fatal flaw in computer programs that will enable them to perpetrate everything from subversive cyber spying to potentially massively destructive cyber attacks. 

As the world is focused on nuclear non-proliferation, computer weapons are the new nukes--able to do everything from a targeted strike on an organization or agency to taking out vast swaths of our nation's critical infrastructure.

According to the New York Times (13 July 2013), there is a great interest in buying "zero-day exploits"--one where governments or hackers can strike using a computer vulnerability before anyone even knows about it and can correct it. 

The average zero-day exploit persists for "312 days--before it is detected"--giving ample time for attackers to cash in!

Brokers are now working to market the computer flaws for a 15% cut, with some even "collecting royalty fees for every month their flaw is not discovered."

The average flaw "now sells for around $35,000 to $160,000," and some companies that sell these are even charging an annual $100,000 subscription fee to shop their catalog of computer vulnerabilities, in addition to the cost for each one, which varies with its sophistication and the pervasiveness of the operating system behind the exploit. 

While governments and terrorists are on the prowl to buy the exploits for offensive purposes, technology companies are competing to purchase them and are offering "bug bounties" in order to identify the flaws and fix them before they are exploited. 

We've come a long way from people and organizations buying software with their regular upgrades and patches to nations and hackers buying the knowledge of the flaws--not to patch--but to spy or harm their adversaries. 

You can buy the bomb shelter or software patch, but someone else is buying the next more lethal bomb or vulnerability--the question is who will pay more to get the next exploit and when and how will they use it. 

(Graphic by Andy Blumenthal adapted from here with attribution for the mushroom cloud photo to Andy Z.)

November 26, 2011

Espionage, Social Media Style

You are being watched!

Good guys and bad guys are tracking your movements, rants and raves, photos, and more online.

For example, The Atlantic reported on 4 November 2011 in an article titled How the CIA Uses Social Media to Track How People Feel that "analysts are tracking millions of tweets, blog posts, and Facebook updates around the world."

Further, in January 2009, "DHS established a Social Networking Monitoring Center (SNMC) to monitor social networking sites for 'items of interest.'"

And even more recently, in August 2011, DARPA invited proposals for "memetracking" to identify themes and sentiments online and potentially use this for predictive analysis.

The thinking is that if you can use online information to predict stock market movements, as some have attempted, why not criminal and terrorist activity?

Similarly, The Guardian reported on 16 March 2010, in FBI using Facebook in fight against crime, and cautioned that "criminals dumb enough to brag about their exploits on social networking sites have now been warned: the next Facebook 'friend' who contacts you may be an FBI agent."

This is reminiscent of the work of the private sector, such as Dateline NBC using Internet chat rooms to catch sexual predators online by luring them to a house where the predators believed they were going to meet up with an underage girl for a tryst.

While these efforts by the good guys are notable and even praiseworthy--assuming you can get over the privacy implications in favor of the potential to have a safer society to live in--these activities should be carefully safeguarded, so as not to infringe on the rights and freedoms of those who behave legally and ethically.

But the good guys are not the only ones using the tools of the trade for monitoring and analyzing social networking activities--the bad guys too recognize the implicit information treasure trove available and have you in their crosshairs.

For example, in last year's Arab Spring, we saw nation states tracking their citizens' political activities and using their power over the Internet to shut off access and otherwise suppress democracy and human rights. Further, we have seen their use for cyber spying and testing offensive cyber attack capabilities--only the most recent of which was the alleged infiltration of a SCADA system at an Illinois water plant.

Moreover, this past week, Forbes (21 November 2011) reported in The Spy Who Liked Me that "your social network friends might not be all that friendly."

From corporate espionage to market intelligence, there are those online who "steadfastly follows competitors' executives and employees on Twitter and LinkedIn."

In fact, the notion of online monitoring is so strong now that the article openly states that "if you're not monitoring your competitors' activity on social media, you may be missing out on delicious tidbits" and warns that "it's easy to forget that some may not have your best interests at heart."

Additionally, while you may not think your posts online give that much away, when your information is aggregated with other people's posts as well as public information, it is possible to put together a pretty good sketch of what organizations and individuals are doing.

Forbes lists the following sites as examples of the "Web Spy Manual" with lots of information to pull from: Slideshare, Glassdoor.com, Quora, iSpionage, and YouTube, as well as job postings and customer support forums.

When you are on your computer in what you believe to be the privacy of your own home, office, or wherever, do not be deceived: when you are logged on, you are basically an open book for all the world to see--good guys and bad guys alike.
(Source Photo: here)


August 20, 2011

Cloud Second, Security First

Leadership is not about moving forward despite any and all costs, but about addressing issues head on.

Cloud computing holds tremendous promise for efficiency and cost-savings at a time when these issues are front and center of a national debate on our deficit of $14 trillion and growing.

Yet some prominent IT leaders have sought to downplay security concerns calling them "amplified...to preserve the status quo." (ComputerWorld, 8 August 2011)

Interestingly, this statement appeared in the press the same week that McAfee reported Operation Shady RAT--"the hacking of more than 70 corporations and government organizations," 49 of which were in the U.S., including a dozen defense firms. (Washington Post, 2 August 2011)

The cyber spying took place over a period of 5 years and "led to a massive loss of information." (Fox News, 4 August 2011)

Moreover, this cyber security tragedy does not stand alone, but atop a long list that recently includes prominent organizations in the IT community, such as Google, which last year had its networks broken into and valuable source code stolen, and EMC's RSA division, which this year had its SecurID computer tokens compromised.

Perhaps we should pay greater heed to our leading cyber security expert, who just this last March stated: "our adversaries in cyberspace are highly capable. Our defenses--across dot-mil and the defense industrial base (DIB) are not." (NSA Director and head of Cyber Command General Keith Alexander)

We need to press forward with cloud computing, but be ever careful about protecting our critical infrastructure along the way.

One of the great things about our nation is our ability to share viewpoints, discuss and debate them, and use all information to improve decision-making along the way. We should never close our eyes to the threats on the ground.

(Source Photo: here)
