Thursday, November 19, 2009

Report: Countries arming for cyber warfare

A new report issued by McAfee, Inc., entitled “Virtually Here: The Age of Cyber Warfare” reveals that the global cyberarms race has moved from fiction to reality.  The report found that politically motivated cyberattacks have increased, and five countries – the United States, Russia, France, Israel and China – are now armed with cyberweapons.

McAfee began to warn of the global cyberarms race more than two years ago, but now we’re seeing increasing evidence that it’s become real,” said Dave DeWalt, McAfee President and CEO.  “Now several nations around the world are actively engaged in cyberwar-like preparations and attacks.  Today, the weapons are not nuclear, but virtual, and everyone must adapt to these threats.

... the efforts of nation-states to build increasingly sophisticated cyberattack capabilities, and in some cases demonstrate a willingness to use them, suggest that a Cyber Cold War may have already begun.
McAfee, Inc. — Virtually Here: The Age of Cyber Warfare
The report includes insights from dozens of the world’s leading experts in international relations, including Dr. Jamie Saunders, counselor at the British Embassy in Washington D.C. and security experts with experience at the U.S. National Security Agency and the Australian Attorney-General’s Department.  Former White House advisor Paul Kurtz compiled the report on McAfee’s behalf.

The report reveals how the private sector will get caught in the crossfire.  Government disclosure is a major issue, as cyber initiatives and information are often classified by the government, hindering cybercrime defense in the public and private sector.  Experts call for a clear definition and an open debate on cyberwarfare.  Without an open discussion among the government, private sector and the public, future cyberattacks targeting critical infrastructure could be devastating.

This year’s report identifies the following challenges:

  • Cyberwarfare is a Reality – Over the past year, the increase in politically motivated cyberattacks has raised alarm and caution, with targets including the White House, Department of Homeland Security, U.S. Secret Service and Department of Defense in the U.S. alone.  Nation-states are actively developing cyberwarfare capabilities and involved in the cyberarms race, targeting government networks and critical infrastructures.  The result of a cyberattack of this nature can result in physical damage and death – it’s not just a war between computers; cyberwarfare can cause real devastation.
  • Cyberweapons Are Targeting Critical Infrastructure – Attackers are not only building their cyberdefenses, but cyberoffenses, targeting infrastructure such as power grids, transportation, telecommunication, finance and water supplies, because damage can be done quickly and with little effort.  In most developed countries, critical infrastructure is connected to the Internet and lacks proper security functions, leaving these installations vulnerable to attacks.  Without the appropriate protection combined with the current lack of preparedness, an attack on these infrastructures would be detrimental and will cause more destruction than any previous attacks.
  • Cyberwar is Undefined – Cyberwarfare entangles so many different actors in so many different ways that the rules of engagement are not clearly defined.  Additionally, there is debate on how much responsibility should be placed on organizations to protect and educate the public on preventing cyberattacks.  Without a proper definition in place, it is nearly impossible to determine when a political response or threat of military action is warranted.
  • Private Sector is the Most at Risk – Critical infrastructure is privately-owned in many developed countries, making it a huge target for cyberwarfare.  The private sector relies heavily on the government to prevent cyberattacks.  If virtual shooting starts, governments, corporations and private citizens may get caught in the crossfire.  Without insight into the government’s cyberdefense strategy, the private sector is not able to be proactive and take the proper precautions.  Experts call for a public discussion on cyberwarfare, bringing it out of the shadows.
Nations have been reluctant to use those capabilities because of the likelihood that [a big cyberattack] could do harm to their own country.  The world is so interconnected these days”, says Dmitri Alperovitch, Vice President of Threat Research at McAfee.

However, experts are putting dots together and seeing patterns that indicate that there is increasing intelligence gathering and building of sophisticated cyberattack capabilities.

While we have not yet seen a ‘hot’ cyberwar between major powers, the efforts of nation-states to build increasingly sophisticated cyberattack capabilities, and in some cases demonstrate a willingness to use them, suggest that a ‘Cyber Cold War’ may have already begun,the report says.

Over the next 20 to 30 years, cyberattacks will increasingly become a component of war.
William Crowell, fmr. Deputy Director, U.S. National Security Agency
For instance, Alperovitch speculates that the July 4 denial-of-service attacks on Web sites in the U.S. and South Korea could have been a test by North Korea to see if flooding South Korean networks and the transcontinental communications between the U.S. and South Korea would disrupt the ability of the U.S. military in South Korea to communicate with military leaders in Washington, D.C., and the Pacific Command in Hawaii.  “The ability of the North Koreans to disable cybercommunications between the U.S. and South Korea would give them a huge strategic advantage [if they were to attack South Korea]”, Alperovitch said.

There have been earlier attacks that smack of cyberwarfare too.  Estonian government and commercial sites suffered debilitating denial-of-service attacks in 2007, and last year sites in Georgia were attacked during the South Ossetia war, orchestrated by civilian attackers.  Recently, in August of 2009, Twitter, Facebook and other sites suffered denial-of-service attacks that appeared to be aimed at a single university professor in Georgia who had been blogging about the Georgian war.  Those attacks, timed closely with the one-year anniversary of the conflict, affected hundreds of millions of users.

Over the next 20 to 30 years, cyberattacks will increasingly become a component of war,” says William Crowell, a former Deputy Director of the U.S. National Security Agency.  “What I can’t foresee is whether networks will be so pervasive and unprotected that cyber war operations will stand alone.

The complete McAfee Virtual Criminology Report 2009 is available for download at http://resources.mcafee.com/content/NACriminologyReport2009NF

Wednesday, November 11, 2009

The “Lady in the Dunes”: A Cold Case Reopened

Here’s a great example of an appropriate use of leading-edge technology with significant relevance to Provincetown and outer Cape Cod.

On July 26, 1974 the body of an unidentified white female was found in the dunes approximately one mile east of Race Point Beach.  Her head was nearly severed, and both her hands were amputated and have never been recovered.  Police at the time estimated that she had been dead anywhere from five days to three weeks, and the cause of death was determined to be from blunt force injuries to the head.  They said that she was between 25 and 40 years old, with long red hair.  She weighed about 145 pounds, was a little over 5 feet 6 inches tall, and had thousands of dollar’s worth of dental work done, but still they could not identify her.

As reported in the Cape Cod Times last week, the unsolved murder, dubbed the “Lady in the Dunes” case, has stumped investigators since the discovery was first made 35 years ago.  Since then, local and state police investigators — and even a 2006 episode of Court TV’s “Haunting Evidence” — have tried to identify the woman.  But, even with the help of clay head sculpting, DNA testing, age-regression renderings, computerized photographs, artists sketches and psychic profiles, investigators are no closer to figuring out the woman’s identity.  According to an article in the Provincetown Banner, it is Provincetown’s only unsolved murder case, and the state’s oldest cold case.

Age Regression of the “Lady in the Dunes” (click to enlarge)

Age Regression of the “Lady in the Dunes”, from the Provincetown Police Dep’t.
Provincetown Police Chief Jeff Jaran hopes a new computerized likeness of the victim will help identify her.  He and Provincetown Detective Monica Himes met last week in Washington D.C. with Dr. David Hunt, a renowned forensic anthropologist with the Smithsonian’s National Museum of Natural History, and with representatives from the National Center for Missing and Exploited Children.

Likeness created from the skull in 2006 (click to enlarge)

Likeness created from the skull in 2006, from the Provincetown Police Dep’t.
The Museum has a special three-dimensional CAT scan machine where the skull will be rotated and mapped by a computer.  Scientists will then attempt to assess the victim’s ethnicity, which will help them reconstruct her face and create a new, hopefully more accurate computer rendition of what the young woman looked like at the time of her death.

“‘The Lady in the Dunes’, that’s always figured into one of the top unsolved mysteries in the country,” said Gerald Nance, the Center’s forensic services unit supervisor.  “She was one [case] that caught on.  We’re pretty confident we’ll be able to help.”

The Center has been successful in locating 96 percent of the missing children reported to it.  For older cases in which Nance’s forensics unit is involved, the success ratio is lower; however, some 400 cases have been resolved over the last 10 years.  Many of the tools used to solve these kind of difficult cases are new, including imaging computer technology that rebuilds faces from skeletal remains.

Image of a human skull half-covered with skin-depth offset markers, and half with a clay face sculpted onto it

Traditional facial reconstruction w/ offset markers & clay.
The likeness of the Lady in the Dunes depicted above was created in 2006 using a traditional approach to facial reconstruction.  That approach, as illustrated to the right, relies on placing spacing offsets on the skull, and then adding clay and sculpting it directly onto the skull.  The process is time-consuming, to say the least.  Making even a minor change requires a major effort, perhaps starting from scratch.  With today’s computer-based techniques, the computer model can be updated down the road, as new information becomes available.  If the age, ethnicity or even gender are changed, a new likeness can be generated nearly instantaneously after making a few simple changes in the database.

Let’s hope this new model sheds some new light and finally brings this 35-year-old case closer to closure.

Tuesday, November 10, 2009

Microsoft Future Vision Montage 2009

Microsoft’s Office Labs has released a series of “envisioning videos”, containing a forward vision of how emerging technologies, evolving trends, and global change might come together to transform how we live and work in the not-too-distant future.  The technology behind most of what you see is already existing, so this isn’t much of a stretch!


Future Vision Montage 2009 from Microsoft

This 2-minute clip is taken from a somewhat longer video that was released in the spring of 2009.  That video pulled together scenes from videos produced over the previous 5 years.  The resulting montage illustrates concepts for how leading edge technologies might be used in real world settings – such as health care, manufacturing, banking and retail – over the next 5-10 years. To see the full series, check out Microsoft Office Labs’ Envisioning Project.

Better yet, to download and try for yourself some very cool concepts and prototypes, check out their Concept Tests and Grassroots Projects.

Saturday, November 7, 2009

FBI: Malware steals bank passwords, up to $100M so far

The FBI issued a press release a few days ago, saying that within the last several months, they have seen a sharp rise in fraud involving malware that steals a user’s online banking password, which is then used to steal funds via transfers using the Automated Clearing House (ACH) or wire transfer.  The FBI is opening several new cases each week, with “attempted losses” reaching $100 million. They haven’t said how many attempts have been successful, but it’s probably a high percentage.

More importantly, the announcement reports several key findings that are quite worth noting.   [In fact, this article touches on so many fundamental security concepts, a number of which will get their own dedicated blog article eventually.]  Here are some highlights from the FBI’s warning:
  • Rather than randomly targeting a general population of computer users, these attacks utilize “spear phishing” e-mail methods to very specifically target certain small and medium businesses, municipal governments, courts, and school districts.
  • Still further, the emails are being targeted to specific individuals within the organizations, generally a person within a company who can initiate funds transfers on behalf of the business, or a credential account holder.
  • Often, the targeted entities have their contact information, such as email address, or an org chart posted on their web site.  This may provide the perpetrators with information on who handles the financial transactions for that business or agency, allowing them to be targeted specifically.
  • The e-mail either has an infected attachment or redirects to a toxic website.  In either case, FBI analysis has identified more than two dozen different pieces of malware on the compromised account holders’ computers, all of which contain key loggers to capture the account information.
  • FBI analysis has found that in most cases, the victims’ accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions.
  • FBI interviews confirm that the threat stems not only from the malware itself, but also from the lack of controls at the bank or ACH provider level.  In several cases, banks did not have proper firewalls or anti-virus software, neither on their server nor desktop computers!  According to the Internet Crime Complaint Center's analysis, “The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH system.”
  • In one case, the perps used a “Distributed Denial of Service (DDoS) attack” against a compromised third-party ACH provider to prevent the ACH provider and the bank from recalling the fraudulent transfers before they could cash them out.  The ACH transfers ranged from thousands to millions of dollars.
  • The criminals recruit willing or unwitting people in the U.S., via “work from home” ads or by contacting those who post their resumes on sites like Monster.com.  These “money mules”, as they are called, are used to launder the money by opening new bank accounts to receive the fraudulent transfers, then immediately forwarding a portion of the money to the criminals (typically in Eastern Europe) via transfer services like Western Union.
  • Possibly the most important alarm bell raised by this release is that existing signature-based anti-virus and intrusion prevention systems are losing their effectiveness in the face of a rapidly evolving malicious code environment.
Customers who use online banking services are advised to contact their financial institution to ensure they are employing all the appropriate security and fraud prevention services offered by their institution.

The United States Computer Emergency Readiness Team (US-CERT) has posted information on banking securely online on their website.

Protecting your computer against malicious software is an ongoing activity and, at minimum, all computer systems need to be regularly patched, have up-to-date anti-virus software, and have a personal firewall installed.  Further information is available at: http://www.us-cert.gov/nav/nt01/.

If you have experienced unauthorized funds transfers from your bank accounts, or if you have been recruited via a work-at-home opportunity to receive transfers and forward money overseas, please notify the Internet Crime Complaint Center by filing a complaint at: http://www.ic3.gov/.

Friday, November 6, 2009

Senate committee ok's ID theft, data breach bills

Yesterday, the Senate Judiciary Committee passed two bills on Identity Theft and Data Breach that will now go to the full Senate, and it’s about time.

The first is the Personal Data Privacy and Security Act of 2009 (S.1490), which is “a bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.”

Among other things, it establishes guidelines for performing risk assessments and vulnerability testing and controlling and logging access to sensitive information. There are also provisions tied to protecting data, a set of rules requiring businesses to notify law enforcement, credit reporting agencies and individuals affected by a breach, and penalties for failing to do so. It also creates the Office of Federal Identity Protection under the FTC.

The other bill is the Data Breach Notification Act (S.139), which is “a bill to require Federal agencies, and persons engaged in interstate commerce, in possession of data containing sensitive personally identifiable information, to disclose any breach of such information.”

Depending on the circumstances and severity of the breach, notifications may be required to the Secret Service, FBI, Postal Inspection Service, and state attorneys general.

Symantec’s CEO issued a statement commending the Judiciary Committee’s vote, saying, “According to the Privacy Rights Clearinghouse, more than 330 million records containing sensitive personal information have been involved in data security breaches since 2005. As such, we believe that the United States urgently needs to pass a national data breach law.”

I couldn’t agree more.
 
NXEEX9SHV8HP