Sunday, July 19, 2009

Cybersecurity: Senate bill would make international cooperation a priority

The US and the EU are both moving in the direction of international cooperation. On 30 March 2009, the European Commission Directorate General Information Society and Media released a communication on Critical Information Infrastructure Protection. Below you find an article about the new US legislation proposal, introduced on July 10.

Apart from the declarations, we need to define the building blocks of international cooperation. In particular:
a. Research funds that can be obtained by international consortia (today all US and EU funds are open only to US or EU members respectively)
b. Cooperation legislation framework: a new legislation framework should be defined in order to allow exchange of data (data sets for researchers), information sharing (threats, vulnerabilities, incidents) and information exchanges between operators and government agencies from the same sectors
c. Establish clear points of contact and responsibilities: whom do you contact in the US or the EU in case of incidents/attacks
d. Exercises and simulations

(FederalComputerWeek) A new Senate bill would encourage the secretary of state to work with other governments to further cooperation on cybersecurity and would require the secretary to submit a report to Congress about those efforts.

The legislation, introduced by Sen. Kirsten Gillibrand (D-N.Y.) on July 10, states the secretary should work with other governments to:

  • Develop cooperative activities.
  • Encourage international cooperation for improving cybersecurity.
  • Develop safeguards for privacy, freedom of speech and commercial transactions to be included in agreements or other cybersecurity activities.

The bill would require the secretary to submit a detailed report to congressional committees about actions taken to meet these goals within 270 days of the legislation’s enactment.

“Relevant international cybersecurity agreements focus only on issues relating to cyber crime and common operating standards, and have not been signed by certain countries from which cyberattacks may be launched,” the bill states.

The Obama administration’s cyberspace policy review, released in May, also emphasized the need for international cooperation to secure cyberspace.

"International norms are critical to establishing a secure and thriving digital infrastructure," the policy review states. "The United States needs to develop a strategy designed to shape the international environment and bring like-minded nations together on a host of issues, including acceptable norms regarding territorial jurisdiction, sovereign responsibility, and use of force."

The review recommended that the government develop positions for an international cybersecurity policy framework and strengthen its international partnerships related to cybersecurity.



Saturday, July 18, 2009

Internet’s Anonymity Makes Cyberattack Hard to Trace

(NYTimes) It is an axiom that “on the Internet nobody knows that you are a dog.”

By the same token, it is all but impossible to know whether you are from North Korea or South Korea.

That puzzle is plaguing law enforcement investigators in several nations who are now hunting for the authors of a small but highly publicized Internet denial-of-service attack that briefly knocked offline the Web sites of some United States and South Korean government agencies and companies.

The attack, which began over the Fourth of July weekend and continued into the next week, led to South Korean accusations that the attack had been conducted by North Korean military or intelligence agents, possibly in retaliation for new United Nations sanctions. American officials quickly cautioned that despite sensational news media coverage, the attacks were no different from similar challenges government agencies face on a daily basis.

Cyberwarfare specialists cautioned this week that the Internet was effectively a “wilderness of mirrors,” and that attributing the source of cyberattacks and other kinds of exploitation is difficult at best and sometimes impossible. Despite the initial assertions and rumors that North Korea was behind the attacks and slight evidence that the programmer had some familiarity with South Korean software, the consensus of most computer security specialists is that the attackers could be located anywhere in the world.

“It would be incredibly difficult to prove that North Korea was involved in this,” said Amrit Williams, chief technology officer for Bigfix, a computer security management firm. “There are no geographic borders for the Internet. I can reach out and touch people everywhere.”

But researchers said that law enforcement investigators were likely to be aided in their pursuit by a second computer security truism — that the only ones who get caught are dumb, unsophisticated or both.

For starters, the attacking system, which cannibalized more than 50,000 computers and which is known as a botnet, was actually small, computer researchers said, compared with similar computer malware programs that are now routinely used by members of the computer underground.

Moreover, independent researchers who have examined the programmer’s instructions used to lash together the tens of thousands of computers said that the program, used to mount what is known as a D.D.O.S., or distributed denial of service attack, revealed a high degree of amateurism.

That fact suggested that the authors, who hid themselves by masking their actions behind an international trail of Internet-connected computers, might have left telltale fingerprints that will ultimately be their undoing.

Last week, investigators quickly located computers that were involved with the control of the botnet in Britain and several other countries. However, the Internet service provider whose systems were implicated in the attack quickly issued a news release stating that the attack was actually coming from Miami. The company said that it was cooperating with the Serious Organized Crime Agency, a law enforcement agency that is part of the British government.

But independent investigators who have tracked the botnet cautioned against placing reliance on the locations for the command-and-control computers that have been publicly identified.

“We’re still looking for the initial infection vector,” said Jose Nazario, a network security researcher at Arbor Networks, a computer security provider for large network systems.

Several researchers recalled a similar incident in 2000, when a series of high-profile denial of service attacks were conducted against companies including Yahoo!, Amazon.com, Dell, ETrade, eBay and CNN. The culprit proved to be a 15-year-old Canadian high school student who was identified as a suspect only after publicly bragging about the attacks in an online forum.

Finding attackers who have no desire to reveal their locations — even amateurs — may be far more vexing.

“The truth is, we may never know the true origin of the attack unless the attacker made some colossal blunder,” said Joe Stewart, a director in the Counter Threat Unit at SecureWorks, a computer security consulting organization.

Some experts pointed to an entirely different origin for the attacks, or at least the attention paid to them. Cyberwarfare has become a hot topic in Washington this year, with the Obama administration undertaking a detailed review of the nation’s computer security preparedness.

“There is a U.S. political debate going on right now with high stakes and big payoffs,” said Ronald J. Deibert, director of the Citizen Lab at the Munk Center for International Studies at the University of Toronto. “With the administration cyberreview there are many government agencies orbiting around the policy debate that have an interest in pointing to this incident as evidence with obvious implications.”

Thursday, July 16, 2009

What CEOs Don't Know About Cybersecurity

(Forbes) Being the chief executive has its privileges. And one of them may be a blissful ignorance of your company's data breach risks.

According to a study to be released Tuesday by the privacy-focused Ponemon Institute, companies' chief executives tend to value cybersecurity just as--if not more--highly than their executive colleagues. But compared to lower-level execs, CEOs also tend to underestimate the frequency of cyberthreats their organization faces.

The survey, which was funded by cybersecurity firm Ounce Labs, asked 213 senior executives about their perceptions of data breach risks. Among those respondents, just 17% of CEOs said their company faced attempts by cybercriminals to steal data at least once every hour, compared with 33% of other executives. By contrast, nearly 50% of CEOs said their company experienced an attack "rarely"--less than once a week--while only 32% percent of other executives reported the same frequency of cyberthreats.

That disconnect, says Ponemon founder and lead researcher Larry Ponemon, isn't a matter of CEOs not valuing cybersecurity. On the contrary, about 77% of chief execs said that preventing cyber attacks and insider data theft was "important or very important" compared with just 51% of other respondents.

But Ponemon says that CEOs' staffs may not tell them the full extent of a company's data risks. "Even in the most transparent of companies, there's a bit of hesitance to give the CEO a report of vulnerabilities or even small breaches," says Ponemon. "We don't know how much filtering of bad news happens that keeps CEOs from hearing some of the darker secrets."

There's plenty of evidence to support the views of the survey's more paranoid respondents. Cybersecurity firms, such as Finland's F-Secure, detect more than 20,000 new variations of malicious software churned out by hackers every day. In fact, the rate of publicly known data breaches has been steadily rising for years, with 646 breaches recorded in 2008, a 46% increase over 2007, according to the Identity Theft Resource Center.

In January, Princeton, N.J.-based payment processor Heartland Payment Systems revealed that it had been the victim of a cybercriminal operation that had gained access to as many as 100 million credit card numbers, potentially the largest data breach of all time.

Despite that sort of high-profile hack, the CEOs interviewed in Ponemon's survey seemed especially unconcerned about cybercrime as a source of data breaches. While 31% named stolen PCs or thumb drives as a source of data loss, only 3% cited malicious hackers as the top threat for their company's data security--about a fifth as many as the lower level employees who cited cybercriminals as the most important threat.




CIP standards may not be enough to secure electric grid

(GNC.COM) Compliance audits that focus on reliability of electric system begin this month

Industry regulators have begun compliance audits this month on mandatory reliability standards for the nation’s bulk electric power distribution system, a step toward implementing critical infrastructure protection standards for the U.S. power grid.

“It’s a big step,” said Joe McClelland, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. “It’s the first time they’ll have a critical infrastructure protection standard.”

As the power grid becomes more automated and its control systems networked on a large scale, the system's cybersecurity is becoming a critical issue. The security standards for the system require that operators identify critical cyber assets that support reliable operation of the electric system, using a risk-based assessment. Violators can be fined as much as $1 million a day.

But some security experts say the standards do not go far enough. The technology of the electric grid was designed with the expectation that it would be a private network rather than an interconnected IP-addressable system, and the security standards focus largely on reliability rather than network integrity.

“I don’t think in today’s world that is even close to being adequate security,” said Jack Danahy, chief technology officer of Ounce Labs. “There has to be a more expansive understanding of what security means.”

The cybersecurity of the power distribution system is taking on more urgency with development of a new interactive smart grid and recent reports that hackers have compromised the current grid.

FERC is the government overseer of the U.S. power grid under the Energy Policy Act of 2005, but the audits are carried out by the North American Electric Reliability Corp., the industry’s designated international self-regulatory authority. Despite FERC’s authority, there is still a high degree of self-regulation in the power system. NERC developed the security standards, which FERC can approve or reject.

FERC approved the current Critical Infrastructure Protection Standards this year. FERC will review the audit results and take part in a number of them. “Not every audit,” McClelland said. “Just to check to see how they are being conducted.”



US and UK prepare fightback against eastern hackers

Hackers are being targeted for attack by US and UK security authorities eager to launch a cyber counteroffensive to kick them off the net

(Guardian) Hackers who attack defence or commercial computers in the US and UK in future may be in for a surprise: a counterattack, authorised and carried out by the police and defence agencies that aims to disrupt and even knock them off the net.

The secret plans, prompted by the explosion in the number of computer-crime incidents from east Asia targeting commercially or politically sensitive information, are known as "strikeback", and are intended to target hackers' computers and disrupt them, in some cases involving denial of service attacks.

According to well-placed sources, work on "strikeback" has already begun in the UK, with the Serious Organised Crime Agency (Soca) and the Metropolitan police's e-crime unit working to deploy teams. The measures are being adopted because of the unprecedented level of attacks being suffered from hacking groups in China, Russia and North Korea, which are suspected of being state sponsored. Among intelligence circles in Washington, DC, the idea of hitting back at foreign hacking groups is being described as the hottest topic in cyberspace.

"This is considered to be a key activity," said a former CIA officer actively involved in the debate. "We are being penetrated and it is not in our tradition to sit back and do nothing. (continue...)




Cyber attacks on South Korea and U.S. 'could have originated in Britain'

(Mail Online) Britain was the likeliest origin of last week's crippling cyber attacks on the US and South Korea, a Vietnamese security firm has claimed. The Korea Communications Commission said the information had come from Vietnamese firm Bach Khoa Internetwork Security.

'The (British) server appears to have controlled compromised handler servers which spread viruses,' said Park Cheol-Soon, a network protection team leader of the government-run communications commission.

'However, it needs more investigation to confirm whether this server was the final attacker server or not.'

Seoul had previously laid the blame for the attacks - which briefly crippled major government and commercial websites - on its Communist neighbour.

But according to Park Cheol-Soon, the apparent discovery of a master server in Britain neither exonerated nor implicated North Korea.

'It does not either bolster or undermine claims that someone has done the attacks,' he said.

The attacks, which involved sending multiple requests for website access from 166,000 'zombie' computers in 74 countries, crippled 14 major U.S. sites. These included the State Department, the Homeland Security Department, the Federal Aviation Administration and the Federal Trade Commission. In addition to government sites, the New York Stock Exchange, the Nasdaq electronic exchange and the Washington Post newspaper were also hit.

The Korea Communications Commission downgraded its alert against the cyber attacks on Monday, saying they were 'fizzling out', and most targeted sites had normal traffic restored.