Langevin

A spokesman for Rep. Jim Langevin, D-R.I., has just contacted LastWatchdog to point out that Langevin’s cybersecurity bill, which is the major comprehensive one in the House, is not exactly the same as the White House proposal.

The major difference is that Langevin’s bill calls for a  National Office for Cyberspace with the Office of the President to oversee the security of agency information systems and infrastructure. While the Langevin bill entrusts the Department of Homeland Security with a  significant role, this is a bit different than the White House and Senate versions, which basically center everything in DHS.

Here is a  summary of Langevin’s proposed cybersecurity  legislation, much of which passed the House last year and was held up because the Senate was planning to cover even more ground in its own bill, but that never got done:

Executive Cyberspace Coordination Act of 2011, sponsored by Rep. Jim Langevin, D-Rhode Island

Background

In 2011, the CSIS Commission on Cybersecurity for the 44th Presidency released their second report with recommendations to increase the Federal government’s ability to protect itself and the American public from increasing cyber threats. Similar to the first report released in 2008, the second edition continues to recommend that the White House take a leadership role and direct national strategy for cyberspace; the public sector enlist the help of the private sector in providing better quality software; and the American public be better engaged in what was previously a private discussion about the digital threats that could disrupt their everyday lives. The second report notes that after two years, the only significant progress has been the extent to which the American public is discovering the profound effects of the internet on their daily lives, and the importance of government efforts to ensure the safety of our networks.

Many in both the government and private sector are frustrated with the pace of progress in cybersecurity. Analysts and senior officials in Washington talk about a “cyber 9/11″ scenario, reflecting a belief that as a nation, we will be unable or unwilling to take any meaningful action on cybersecurity until after a catastrophic event. The Executive Cyberspace Coordination Act of 2011 will update our nation’s federal cyber policy and bring strong cyber protections to our nation’s power grid and other critical infrastructure.

National Office for Cyberspace

The bill establishes a National Office for Cyberspace (NOC) within the Executive Office of the President to coordinate and oversee the security of agency information systems and infrastructure. This office will have strong budgetary oversight powers that are backed by financial pay-for-performance authorities, while remaining accountable to Congress. Federal agencies will be responsible for reporting on their information security threats, practices and history to the NOC before submission of their budgets to OMB. The Director of the NOC would be appointed by the President, subject to Senate confirmation, and will also have a seat on the National Security Council. This will allow the Director to review agency information security budgets and make recommendations back to the Agencies as well as the President.

Increased coordination for Departments of Defense and Homeland Security

Recognizing the need for closer cooperation between the Departments of Defense and Homeland Security, the bill brings both agency partners to the table to better coordinate their resources but under the appropriate authority of the Office of the President.

Closing Gaps in Authority to Protect Critical Infrastructure

Homeland Security Presidential Directive-7 provides authority to the Secretary of Homeland Security to coordinate the protection of critical infrastructure. This bill clarifies this authority to include the creation, verification, and enforcement of measures with respect to the protection of the information systems that control critical infrastructure. This does not give DHS control over private systems, but it allows them to establish risk-informed security practices and standards for critical infrastructure.

Secure Federal Acquisition Policies

The bill requires the development of secure acquisition policies to be used in the procurement of information technology products and services, including a vulnerability assessment for any major system and its significant items of supply prior to development.

Establishing Cyber Challenge Programs for Students

Given the great deficiency of advanced cybersecurity capabilities in today’s workforce, it is imperative that the government support educational programs designed to engage students in the skill sets that they will need to keep our country competitive and safe online into the future.

Enhancing the Public Private Partnership for Critical Infrastructure

The bill requires DHS to work with the Department of Defense and Commerce, the National Institute of Standards and Technology and the sector specific Federal regulatory agencies to establish standards to protect critical infrastructure. These efforts will also be carried out with the consultation of appropriate private sector bodies, including private owners and operators of the infrastructure affected. This will ensure that standards are based on the recommendations of cyber experts as well as those with first hand knowledge of the reality of the challenges facing each industry.

Agency Annual Independent Audit

The bill requires agencies to obtain an annual independent audit of their information security programs to determine their overall effectiveness and compliance with FISMA requirements. Audits would also be required of contractors responsible for managing agency systems or programs on their behalf.

Agency Automated and Continuous Monitoring

This legislation sets forth requirements for agencies to undertake automated and continuous monitoring of their systems to ensure compliance and identify deficiencies and potential risks caused by cyber incidents or threats to an agency’s information technology assets. These activities are intended to move agencies away from current manually intensive, compliance focused, periodic assessments.

Enhancing the Public Private Partnership for Critical Infrastructure

The bill requires DHS to work with the Department of Defense and Commerce, the National Institute of Standards and Technology and the sector specific Federal regulatory agencies to establish standards to protect critical infrastructure. These efforts will also be carried out with the consultation of appropriate private sector bodies, including private owners and operators of the infrastructure affected. This will ensure that standards are based on the recommendations of cyber experts as well as those with first hand knowledge of the reality of the challenges facing each industry.

The recent rash of disclosures about cyberspying — aimed at undermining the United States — comes as the White House is making its third attempt to push through a historic federal cybersecurity law.

The timing is no coincidence, some cybersecurity analysts say. After two previous bills went nowhere, the White House needs to garner public support for a new law that could equip America for cyberwarfare.

UPDATE -Click here: DHS has slightly reduced role in Langevin bill vs. White House and Senate versions

Adams

“The best way to do that is to get folks worried that we’re under attack from some foreign state like China or North Korea,” says Ed Adams, CEO of Security Innovation, which integrates security systems for government agencies. “Most people don’t realize how much of this is premeditated.”

Recent disclosures of cyberattacks against the International Monetary Fund, Google and several defense contractors coincided with an unprecedented pronouncement last week by CIA Director Leon Panetta, who warned a U.S. Senate panel that the U.S. needs to take “defensive measures as well as aggressive measures” to win at cyberwarfare.

The bill is gaining bipartisan support in Congress. It would establish a framework for distributing billions of dollars for new cybersecurity systems, while placing responsibility for securing cyberspace with the Department of Homeland Security.

Langevin

In an op-ed piece Tuesday in The Hill, Rep. Jim Langevin, D-R.I., the bill’s chief sponsor, underscored the need to engage Americans “in a continuous dialogue about threats we face and steps taken to protect them.”

In that vein, the FBI will help investigate what’s believed to be the theft of e-mails and other documents related to the IMF’s role in stabilizing currency exchange rates and keeping global trade in balance.

“This is part of a wave of economic espionage putting additional pressure on the U.S. economy,” says Alan Paller, research director at SANS Institute, a cybersecurity think tank.

Mike Baker, president and co-founder of consultancy Diligence, agrees that the threats are palpable. The data thieves’  agenda could involve terrorists or military goals, such as disrupting critical  infrastructure, or economic cheating to influence currency exchange rates.

“At the end of the day if I’ve got more information than you, then I’m going to win — however I define winning,” says Baker.

The recent breach disclosures, which include losses of strategically important data at EMC’s RSA security division, Lockheed Martin, L-3 Communications and Northrop Grumman,  help provide  supporting evidence for the importance of a strong cybersecurity bill, says Harry Sverdlove, chief technology officer at security firm Bit9.

Sverdlove

“One of the provisions of the cybersecurity bill proposed by the White House is a federal data breach notification statute. Almost every state already has its own data breach notification law, but in today’s global economy, having a consistent set of guidelines that can be enforced across the nation is essential,” says Sverdlove.

Google recently voluntarily revealed that hackers pilfered information from the Gmail accounts of hundreds of high-profile individuals, including U.S. government officials. “The dialogue around cybersecurity has definitely become politicized and militarized,” says Dave Jevans, chairman of IronKey, which secures data and online access.

By pinpointing Jinan, China, as the origination point of the Gmail hack, Google “elevated the awareness of the enemy,” says  Sverdlove. “That could influence both the cybersecurity bill … (and) the rules of engagement for cyberwarfare being debated by the Pentagon,” says Sverdlove.

Sverdlove, for one, isn’t convinced that the traditionally tight-lipped  IMF was manipulated into making its disclosure to support the push for a new U.S. cybersecurity law.  Says Sverdlove:

When Google announced that the Gmail accounts of specific and highly influential individuals had been hacked, I speculated that the timing was designed to influence public policy. Google made their disclosure in the midst of news on the recent breaches at defense contractors Lockheed Martin, L-3 Communications, and Northrop Grumman. In that case, while the cyber attacks on the defense contractors were described as sophisticated and, at least in the Lockheed Martin case, related to the data breach at RSA months earlier, no one was publicly identifying the source of the attacks.

In the IMF case, however, I don’t believe an international organization within the United Nations has such overt and nation specific motives. More likely, assuming the timing was a conscious decision, the disclosure was more about hiding amidst the noise; there have been so many high profile attacks recently that, while this one might be the most frightening from a global impact perspective, it also just becomes one in a long list of recent breaches (RSA, Lockheed Martin, Citigroup, Sony, PBS, Gmail, …).

SEATTLE — Stop. Think. Connect.

That’s what a high-powered coalition of federal agencies, tech companies, retailers and non-profit groups want you to do every time you use the Internet.

Today, the group launched a milestone public awareness campaign. The goal: to engrain “stop-think-connect” as deeply into culture as the seatbelt reminder “click-it-or-ticket” and Smokey Bear’s quote, “Only you can prevent forest fires.”

“Cybersecurity is a shared responsibility for all of us,” says Joe Sullivan, Facebook’s chief security officer. “People will have a better experience on the Internet if they do some basic things.”

The campaign stems directly from President Obama’s May 2009 pronouncement that the U.S. will assume a leadership role in making the Internet safer.

Overseen by the Department of Homeland Security, the coalition includes Microsoft, Facebook, Google, Intel, AT&T, Visa, PayPal, Wal-Mart, Costco, the Department of Justice and the IRS among its 28 founding members.

For the common good

Kaiser

The members understand that each of their respective organizations stands to benefit from a unified effort to advance public awareness about Internet threats, says Michael Kaiser, executive director of the non-profit National Cyber Security Alliance. Each will incorporate the stop-think-connect slogan and theme into existing and new public education initiatives.

Facebook, for instance, is preparing a seven-question quiz, which it will make available sometime this month on its security issues page and home page. It will also donate 35 million ad impressions to promote the quiz, which espouses best practices for passwords and browser use.

This is all intended to slow down cybercriminals, who are having a field day. One estimate puts identity theft losses, much of it due to online scams, at $4.5 billion in the past two years, making it the fastest-growing crime in America, says Kaiser.

Online safety has yet to be elevated to a major public safety issue, akin to the way society views drunk driving, forest fires and seat belt usage, he says.

The coalition selected “stop-think-connect” after a year-long process of research, focus groups, polling and government-industry collaboration. That research confirmed that most folks view cybersecurity as a personal responsibility and that any public safety message must address the individual. The founding members voted to go with a message that could be used globally to effect a “big cultural change,” says Kaiser.

The group strove to “simplify the messaging and speak in one voice,” says Facebook’s Sullivan. “If we’re using the same terminology, it’s going to make the whole process much more effective.”

Apple conspicuously absent

One absence at launch: Apple, which has risen to become one the world’s most highly valued companies, measured by its stock price, on the strength of Internet-connected products such as the iPhone and iPad.

Company spokeswoman Natalie Kerris declined comment.

However, the door remains wide open for Apple and others to join the coalition, says Kaiser.

“It takes a group of leaders to start a movement,” says Kaiser. “I’m optimistic others will join the effort. We’re trying to solve the problem for the benefit of all concerned, not just for the benefit of any individual company.”

By Byron Acohido

Students grades 5 through 8 can compete for a cash prizes, as well tech gear from AMD and Microsoft.  Another competition is geared for college-age contestants; a top cash prize of $25,000 awaits the creator of the top technology with “high potential to reach underserved communities, such as games built for basic mobile phones that address urgent educational needs among at-risk youth.

This is another piece of the puzzle that should help shape a new generation of cybersecurity professionals highly trained and motivated to defend the Internet. This program joins the ongoing Collegiate Cyber Defense Competition and The University of Maryland University College  first-of-its kind cybersecurity bachelor’s and master’s academic  degree program that’s just getting underway this month.

LastWatchdog caught up with Allyson Peerman, corporate vice president of AMD Public Affairs and president of the AMD Foundation, just after the President announced the competition.

LW: So the concept here is to boost the cool factor of the sciences?

Peerman: The concept is to make learning about science and math more appealing for students, and a very effective way to get kids excited is through video game development. If kids think the contest is cool, that’s an added bonus.

LW: At the end of the day, how will you measure if these contests are a success?

Peerman: I think the success of this contest will be measured by whether we excite kids about learning math and science. Long term, if some of the contestants opt to pursue higher education and careers in math, science and engineering, then that’s an even bigger win.

LW: The U.S. leads the world in, well, chip technology, among other things. Yet we lag in teaching the basic sciences to our youngsters. How do you explain that?

Peerman: Young people are craving relevance in their math and science education, and I think we need to find ways to do a better job of providing that relevance. Some of the best in-school and out-of-school programs are helping kids make that connection and helping make it fun. That’s one of the reasons AMD Changing the Game has been so effective; the programs we’ve supported and enabled are making math and science relevant and fun for kids. It’s all about meeting young people where they are and inserting the learning on their own turf; in this case it’s through video games.

LW: Do most CEOs of the top tech companies get that this is important?

Peerman: Absolutely. Tech industry CEOs know better than anyone how important it is to have a workforce that’s deeply steeped in math and science education. At AMD, for example, our success as a company directly depends on the strength of our engineering talent pool. AMD’s primary co-sponsors for the National STEM Video Game Challenge are both tech companies, as well. And if you look at the roster of 100 member companies that joined Change the Equation, the tech industry is very well represented.

LW: How important has it been to have the President get out in front of this?

Peerman: It’s hugely important for the President to set the tone and raise the conversation to a level where it’s getting a lot of focus. People have been talking about improving STEM education in the United States for years, but we need concerted, cooperative efforts by enterprise, non-profits and public entities to move the needle. This is a national priority, it’s a priority for corporations and it’s a priority for students.

By Byron Acohido

By Patricia Titus

The 2009 proposed bill, introduced by Sen. John Rockefeller (D-W. Va.) and Sen. Olympia Snowe (R-Maine), clearly called for a Presidential internet kill switch and spawned visuals of President Obama sitting in the Oval Office with his hand hovering over an “easy button.”

Several industry groups spent countless hours debating the language of that earlier bill and its implications, offering guidance to the members and staffers writing the legislation. In response to this, Sen. Joseph Lieberman (ID-CT) softened the language in his bill and added good clarifying terms. In my estimation, there is currently no language that would suggest an “internet kill switch” is being placed in the hands of the President. Rather the language allows decision making within the executive branch to protect our national interests and critical infrastructure, and achieve this through consensus.

The Lieberman bill highlights the need for a public/private partnership to help set policy to define what constitutes a cyber attack. This is where many of us are skeptical. For years we’ve been hearing the term “public/private partnership” or “P-cubed.” We’ve already seen several examples of failed P-cubed. Without this critical governance partnership, the job of successfully negotiating these policies will surely fail. Lack of a cohesive plan could be catastrophic for the country. Imagine if a portion of critical infrastructure were taken off the internet, resulting in an interruption of international trade communications. Economic stability could be placed at risk, and the cascading effect could have far reaching implications for years to come.

Organizations that own our critical infrastructure must be held accountable to immediately determine which stakeholders from both the public and private sector need to participate in negotiations. Representatives from every relevant sector of government and industry should participate in comprehensive discussions to determine appropriate actions to be taken by the President and to provide guidance. Perhaps involvement from think tanks would add great value.

Also, we cannot allow the international community to be cut out of this discussion; there could be great implications for them as well.

As always, the devil is in the details. But without participation by both the government and the private sector, this legislation will surely fail. We currently have a surfeit of cyber security legislation, yet we seem to lack the ability to make much of it stick. With the pending recess and elections, it’s possible all this work will lead to nothing. Our country will remain at risk while our new legislators come up to speed.

Speaking at the award ceremony, Obama alluded to ESET as helping  to  strengthen ” public/private partnerships both cooperatively on the domestic as well as the international side.”

DHS handed out seven awards to organizations, business and one individual. This is all  part of DHS working toward crafting a comprehensive national cybersecurity plan, which it is slated to officially unveiled in October as a part of Cybersecurity Awareness Month.

Since 2008, ESET has been rallying San Diego-area  consumer advocates, business owners, law enforcement investigators, government regulators and elected officials to form partnerships to boost cybersecurity awareness and best practices.

“The journey to get to this point was beyond exciting,” says ESET’s Liz Fraumann, Director of Cybersecurity Awareness & Education. “With 200 stakeholders representing all segments of the greater San Diego community we are well on our way to achieving our mission of ‘making San Diego a place where we can all live, work and play in a cybersecure city.’ ”

By Byron Acohido

Wanted:

Perks: Employer has search monopoly — and warm leads at top spy organizations.

That’s one takeaway of reports that Google has asked the secretive National Security Agency to help track down the cyberattackers who recently breached its network. More on this below.

Reporter Ellen Nakashima’s front page story in the Washington Post yesterday, 04Feb2010, has rekindled simmering concerns about corporations collaborating in the shadows with the government’s top sleuth agency. Nakashima’s report used Deep Throat sources to flush out a substantive development in the finest tradition of Woodward and Bernstein.

You may recall how privacy and civil liberties activists raised a hew and cry in 2006 after an investigation, by USA TODAY’S ace telecom reporter Leslie Cauley, revealed how the NSA secretly analyzed phone records of tens of millions of Americans.

High potential for abuse

At the time, public backlash was directed mainly at telecom giants AT&T, Verizon and BellSouth for so readily giving up their customers’ private phone records to a government agency.

In a similar vein, Google, the world’s dominant search service, amasses data on the surfing habits of most Internet users, and stores vast amounts of sensitive data belonging to users of its popular Gmail and Google Apps online services, says Amrit Williams, CTO of security firm Big Fix.

Because the NSA is an “opaque intelligence organization . . .the potential for abuse of private information at the intelligence or government level is very high,” he says.

Google CEO Eric Schmidt did little to allay the fears of privacy and civil liberty advocates in this interview last December with CNBC financial reporter Maria Bartiromo. Schmidt says on camera:

The reality is that search engines, including Google, do retain this information for some time and it’s important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.

It’s understandable the Google and other corporations might covet the NSA’s expertise at quelling cyber attacks; the agency possess unsurpassed intelligence gathering technologies and know how, says Jody Westby, CEO of consulting firm Global Cyber Risk and a distinguished fellow at the Carnegie Mellon CyLab think tank.

Mysterious agenda

Yet the cyber attackers who breached Google’s network and some 30 other tech, financial and media corporations in late December and early January used conventional messaging trickery and infection methods. So much so that security firm McAfee with in a couple of days of Google’s crying foul went public with extensive analysis of the distinctive  attacks, dubbed “Operation Aurora.”

So why tap the NSA when top-notch forensics is readily available from dozens of tech security firms?

“Company’s don’t usually run and ask the government to get involve in their business,” says Westby. “The attacks may be more sophisticated than we think. I think they (Google) is really trying to preserve their brand.”

Gunter Ollman, head of research at security firm Damballa, says there is a “a high probability” that Chinese nationals were involved. Whether anyone can prove the Chinese government was behind the attacks is another matter. Attacks that trace back to China are “state sponsored, endorsed or, at the very least, ignored by the Chinese government,” observes Ollman.

Given that long-held conventional wisdom, Jeff Chester, executive director of the Center for Digital Democracy, wonders what a search company that collects and distributes public and private data for commercial reasons might gain by turning to a U.S. spy agency for help.

Selling to spy agencies

He points out that Google is actively seeking an experienced sales rep at its Washington D.C. offices whose job will be to sell to the intelligence community. According to Google’s job description, whoever gets the job selling its wares to spy agencies must:

• Be responsible for the entire sales process from Prospecting to Close.
• Lead Generation/outbound calling and warm lead follow up.
• Understand Customer Needs and requirements.
• Present and articulate advanced product features and benefits of Google Enterprise solutions.
• Provide on-line demonstrations.
• Close Sales and achieve sales quotas. Be able to sell and differentiate in a competitive environment.

“Another real problem is that Google is working to curry favor with the NSA, CIA, DoD and others in order to sell its services and make greater profits,” says Chester.

Big Fix CTO Williams offers this takeaway:

The NSA is also one of the nations most secretive and opaque intelligence organizations and creating a balance between the information and enablement they can provide to private sector companies, such as Google, and the impact this may have on personal privacy is the major concern. The potential for abuse of private information at the intelligence or government level is very high. Some may argue that national security is more important than personal privacy and that if you have nothing to hide you have nothing to fear, but imagine the impact on one’s willingness to speak frankly about life threatening medical or legal issues if one felt that the privacy, that we as US citizens are guaranteed and hold so dear, will be compromised for the sake of security.

The United States has always struggled with finding a balance between national security and civil liberties, the question that we need to pose today is are we ready to compromise our liberty for the perception of short-term safety, especially knowing that this relationship sets a very dangerous precedent for the future involvement of Government within evolving commercial technologies of the tomorrow?

A Google spokesperson pointed out the company’s Jan. 12 public statement about cyberattacks and censorhips in China and declined further comment.

By Byron Acohido

“It isn’t just China,” says Matt Moynahan CEO of applications security firm Veracode. “They are the most aggressive. But all large governments are doing this, as are organized non-government actors.”

Indeed, China, Russia, North Korea, Iran, Israel, France, the United States and the United Kingdom are widely known to possess state-of-the-art cyber espionage know-how which is put to use gathering  economic and military intelligence. Details of covert cyber-ops get discussed at numerous conferences attended by military brass, federal regulators, law enforcement officials, privacy advocates and tech security analysts.

“The consensus discussion is that everybody is busy spying on everybody else,” says Jody Westby, CEO of consulting firm Global Cyber Risk and a distinguished fellow at the Carnegie Mellon CyLab think tank.  “These countries are doing it to us, but we’re also doing it to them.”

With little fanfare, Secretary of Defense Robert Gates, underscored as much on 24Jun2009. Gates stood up a new Department of Defense subcommand focused on cybersecurity under the U.S. Strategic Command.

“This is about trying to figure out how we, within this department, within the United States military, can better coordinate the day-to-day defense, protection and operation of the department’s computer networks,” Pentagon Press Secretary Geoff Morrell told reporters at the time.

And last month, on 22Dec2009, when many of us were doing last minute gift shopping, President Obama named Howard Schmidt to the newly created post of White House cybersecurity adviser. Schmidt’s assignment: coordinate economic and military cybersecurity policy.

Schmidt, former Microsoft exec and Bush Administration appointee, is the cyber czar Obama said he would name in a watershed 29May2009 speech. He is the linchpin personnel piece to Obama’s plan for taking a leadership role in making the Internet safer.

Cyber black-ops

The cyber-espionage slice of the Internet underground traces its beginnings back to 1993 when the Russians first began developing black-ops teams to concentrate on intelligence gathering using the Internet, says Alan Paller, managing director of The Sans Institute think tank.

China was fully into cyber-spying by 2003 when a Chinese black-ops team, designated Titan Rain, roamed deep inside U.S. Department of Defense networks. By 2006, corporations in the U.S. and Europe were heavily infiltrated by China and other nation-states, says Paller.

A watershed warning came in December 2007. Jonathan Evans, Britain’s Director-General of MI5, cautioned 300 senior execs to guard against Internet assaults from “Chinese state organizations.” Such attacks, Evans warned, are designed to “defeat best-practice IT security systems.”

Evans said at the time ” ‘If you’re doing business in China, your company’s network and your company’s lawyer’s network are very likely being penetrated,’ ” says Paller.

Cyber-intruders today routinely go after corporations, their law firms — and even their public relations firms, according to an Evans-like warning issued by the FBI last November. “They’re after the corporate playbook,” says Paller.

Google’s patience runs out in 4 years

It took Google this week threatening to pull the plug on its China operations, to shed a bright  light on the rising collateral damage caused by unchecked cyber espionage –  for  economic and military strategic gain. Since agreeing to submit to China’s censors in exchange for opening a beachhead office in Beijing in January 2006,  Google CEO Eric Schmidt has stated on numerous occasions, as recently as October, 2009:  “China has 5,000 years of history, Google has 5,000 years of patience.”

In Chinese culture, the numbers five, eight and nine are auspicious. The number four is associated with death and considered extremely unlucky. On Tuesday, 12Jan2010,  after just four years in Beijing,  Google’s patience died.  Citing irritation over cyberattacks it loosely linked to censorship dictates, the search giant said it will no longer adhere to censorship rules as they stood.

Google chief legal counsel David Drummond issued a press release with  details about how Google got hacked and why its patience had run out:

• In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.  First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses . . .   Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists…
• … These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results… over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The power of ‘no mas’

Google had stepped  forward and made  the same choice boxer Roberto Duran made, when Duran could tolerate no more elusive footwork and peppering blows from Sugar Ray Leonard. This  seemed to give permission for other Western companies to speak up. Subsequently, Adobe, Northrup and Juniper came forward to disclose that they, too, were similarly targeted and breached by presumed Chinese attackers.

Then on Thursday, 14Jan2010, security firm McAfee contacted LastWatchdog with information that several of its customers had been likewise  hit. McAfee CTO George Kurtz told me his  researchers had isolated a sample of the attack sequence and malicious codes used.

According to Kurtz, the attackers began by sending emails and instant messages personally addressed to senior technical managers, enticing them to click on a corrupted Web page link. Clicking on the link activated a freshly-discovered security hole in Internet Explorer web browser, which Microsoft embeds on all Windows PCs. Through this hole the attackers installed a program that allowed them to  take control of the PC.

They then  “began probing the network for high value intellectual property,” says Kurtz. Extracted data was sent to servers hosted by Rackspace, a San Antonio, Tex, web hosting company, and then transferred again to other servers.

This type of hybrid attack wasn’t at all innovative, nor was the attackers’ use of a security hole that exists in all versions of Microsoft’s Internet Explorer Web browser. This is referred to as a zero-day vulnerability. Microsoft has patched hundreds of zero-day vulnerabilities since 2004. The software giant said Thursday it has begun work on a patch for the latest zero-day — the one intruders used to extract data from Google.

There’s a constant flow of fresh zero-days because computer code is complex. Researchers, known as Whitehats, continually flush them out so they can be patched. Meanwhile, bad guy programmers, called Blackhats, do the same to sell them to cyber-intruders — for up to $100,000, according to Moynahan — who use them to steal data before any patches exist.

While their methodology was ordinary, the tools and techniques used by the cyberspies who breached its customers’ networks  were no amateurs. “It wasn’t a 13-year-old king who pounded out a quick Trojan,” says Kurtz. “There were no corners cut in targeting these specific companies and in escaping detection as long as possible.

CYBERsitter’s intellectual property stolen, its law firm targeted

At roughly the same time  McAfee’s researchers were reverse engineering the Google attack, a live case of Chinese hackers going after a law firms unfolded in Los Angeles.

Gregory Fayer,  a lawyer at L.A. firm Gipson Hoffman & Pancione received an obviously faked email purporting to come from his managing partner. Fayer told LastWatchdog that  more than a dozen employees at the firm had received similar faked e-mail messages on Monday, 11Jan2010.

A week earlier, Fayer had filed a $2.2 billion lawsuit against China on behalf of Santa Barbara-based CYBERsitter, maker of a Web browser filter parents buy to keep their kids off porn sites. The lawsuit accused China of copying CYBERsitter’s proprietary program and using it lock, stock and barrell in a misguided  state-sponsored child-protection censorship service, called Green Dam.

“The Trojan emails were located within China — the ISP routing shows there was a Chinese source, ” says Fayer. ” I’m not sure I can say a lot beyond that. We feel reasonably confident at this point that there was a connection with China.”

By Byron Acohido

By Patricia Titus

CISO, Unisys Federal Systems

How do we as a nation address the abysmal approach to IT security?  Law makers have been wrestling with the idea of more regulations, but that may not be enough to encourage better security practices.  We already have several regulations that have not gotten us closer to the end zone.  I’m in favor of tax incentives for companies that demonstrate effective IT security practices, but this cannot be done without the development of a well thought out approach.  Critical success factors must be developed in the form of a concise set of performance measures based on standards.

The Department of Commerce has already charged the National Institute of Standards and Technology (NIST) Computer Security Division to develop a set of special publications and guidelines called Federal Information Security Management Act (FISMA). These well thought out guidelines such as the Special Publication 800-53 provide federal government chief information security officers with a standardized approach to effective IT security.  Why can’t this same division be charged with creating the same standards for the private sector?

The language in these guidance documents is so slanted toward the federal government that it’s difficult to get corporate executives to see their value.  Also CEO’s are cost cutting right now and implementing a program that may increase operating or capital expenses may not be appealing.  However, if the adoption of these security standards were tied to a tax incentive, perhaps the CEO would be willing to spend a few dollars to gain this compensation.

The SANS Institute’s report on Top Cyber Risks is by far the most comprehensive accounting of ongoing cyber attacks ever made public. SANS is the well-respected Washington D.C.-based tech security think tank and training center. The organization distilled attack data from 6,000 companies and government agencies protected by defense systems supplied by two leading tech security companies, TippingPoint and Qualys.

SANS’ cornerstone finding: the vast bulk of attacks to infect home and workplace computers, enlist them into bot networks, and then use them to carry out criminal activities spin off two pervasive weaknesses.

The first: unpatched vulnerabilities in popular consumer applications, especially Adobe’s Acrobat Reader and Flash Player, Apple QuickTime and Microsoft Office. The second: security weaknesses in the Web applications that enable all the cool features on Web 2.0 sites.

Hand in glove

These two weaknesses work hand-in-glove — to the benefit of the bad guys. Here’s how:

Many cyberattacks hinge on getting a victim to click on a corrupted URL, as I explained in my 03Sept2009 USA Today news story.

Of course, the bad URL had to be tainted at some point earlier. Attackers most often do this via SQL injection exploits of legit Web pages; these automated attacks seek out and take advantage of Web sites running poorly- written Web applications.

“Organizations need to pay more attention to the security of their critical software applications,” says Roger Thornton, co-founder and CTO of Fortify Software. “Today’s cybercriminals have  moved to the easiest breach points, which is now the applications an organization uses to conduct its business.”

Upon cracking a Web page, the hacker will typically use off-the-shelf, tried-and-true tools, such as Mpack or IcePack, for the next step. These tools will efficiently seek out security holes in  popular PC applications — the everyday programs that can be found on just about any PC, including Internet Explorer, Acrobat Reader, Flash Player, Microsoft Office.

A bot is born

Mpack and IcePack and other similar tools go to work on newly infected computers. They quickly run through an extensive list of known vulnerabilities for all popular consumer apps — and exploit the first unpatched vulnerability they run into. The exploit almost always begins with the installation of a tiny wormhole, called a “Trojan downloader,” that secures ongoing access to the hard drive.

The attacker next uses this wormhole to install a botnet management program that turns the computer into an obedient “bot,” reporting to a command-and-control server operated by the “botmaster.” The top botmasters run mega botnets tens of thousands, or even hundreds of thousands of bots strong, with names like Waledac, Pushdo, Cutwail, Rustock, Mega-D and Storm.

Each freshly infected bot instantly begins to participate in myriad criminal activities – everything from spreading spam to triggering scareware promotions to hijacking online banking accounts to participating in politically-motivated Distributed Denial-of-Service attacks.

Top botmasters make use of infected machines judiciously — they’ll pay attention to time zones and use machines during early morning hours when the owner is asleep, for instance. They will also put bots to sleep for a time and use them again later, like letting farmland go fallow. This is to keep control of the bot for an extended period. For obvious reasons, fresh bots are always in high demand.

“The vast bulk of new bots are created when unsuspecting users visit trusted Web sites that are also infected,” says Alan Paller, SANS research director. “Web attacks take advantage of client-side vulnerabilities that are being given insufficient attention by cyber defenders. The web attacks also take advantage of Web programming errors that are not being picked up by common vulnerability scanners.”

The bottom line, says Paller, is that “two cyber risks dwarf all others and users are not effectively mitigating them.”

Web threats mushroom

Serendipitously, SANS  released the results of its milestone survey the same day Websense released its bi-annual threat report covering the first half of 2009. Websense keeps  track of Web-based attacks hitting the networks of its corporate customers; it reported a whopping 671 percent spike in malicious Web links in the first half of 2009 compared to the first half of 2008.

What’s worse: corrupted legitimate sites account for an estimated 77 percent of the bad links lurking on there in the Internet wild.

Web properties that encourage user-generated content — such as media sites, social networks and popular blogs — have become popular targets. This was vividly demonstrated just last weekend when hackers served up viral advertisements all across the New York Times’ Web site.

In a similar attack on USA Today’s Web site last May, cyber criminals patronized a legit ad placement agency to purchase advertising space on USA Today’s Life home page. The crooks then supplied the ad agency with copies of ads for Roxio Creator 2009 and Phoenix University. Then once every hour or so, the crooks sent through an ad containing a bit of malicious code, as shown below. This bad code redirected the visitor’s PC to an insistent promotion to buy worthless antivirus protection.

“Neither clicking, nor hovering over the ad was required to activate the malicious code,” says Purewire researcher Paul Royal, who discovered the USA Today attack. “In addition, the (corrupted) ad could have been, and likely was, served almost anywhere on USA Today’s website.”

Anyone who happened to visit USA Today’s Life home page at the moment the corrupted Roxio ad appeared was infected. Yet, had an investigator checked shortly thereafter, the crooks’ ad would have been found to be clean of any bad code, says Roger Thompson, senior researcher at AVG. This technique of paying an ad network to post a string of harmless, innocuous ads — sporadically replaced by a corrupted ad — has been used widely for at least two years, Thompson says.

So far this year, community-driven security tools, like those used on YouTube and BlogSpot, are proving to be “65% to 75% ineffective” at protecting users, says Websense CTO Dan Hubbard.

“The last six months have shown that malicious hackers and fraudsters go where the people are on the Web,” he says. “From malicious Twitter spam campaigns and blog comment spam to the massive SQL injection attacks, those perpetrating fraud are exploiting the inherent trust users have of known Web properties and other users.”

Web threats graphic courtesy of Trend Micro

–By Byron Acohido