DHS - Enabling Distributed Security in Cyberspace
Enabling Distributed Security in Cyberspace - Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action, March 23, 2011
"Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants - private firms, non‐profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies) - that interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life. This discussion paper explores the idea of a healthy, resilient and fundamentally more secure cyber ecosystem of the future, in which cyber participants, including cyber devices, are able to work together in near‐real time to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state. In this future cyber ecosystem, security capabilities are built into cyber devices in a way that allows preventive and defensive courses of action to be coordinated within and among communities of devices. Power is distributed among participants, and near‐real time coordination is enabled by combining the innate and interoperable capabilities of individual devices with trusted information exchanges and shared, configurable policies."
Report: 2010 U.S. Cost of a Data Breach
News release: "The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies, sponsored by Symantec Corporation. The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The study also found that for the second straight year organizations' need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors."
FTC Offers Tips on Wise Use of Wi-Fi Networks
News release: "The Federal Trade Commission, the nation's consumer protection agency, released tips to help people protect their personal information while they use public wireless networks - Wi-Fi hotspots in coffee shops, libraries, airports, hotels, universities, and other public places. While convenient, public Wi-Fi networks often are not secure. When using wireless networks, it's best to send only personal information that is encrypted, either by an encrypted website or a secure network. Encryption scrambles information sent over the internet into a code so that it's not accessed by others. An encrypted website protects only the information sent to and from that site. A secure wireless network encrypts all the information sent over it. To determine if a website is encrypted, look for https at the beginning of the web address (the "s" is for secure), and a lock icon at the top or bottom of the browser window. Some websites use encryption only on the sign-in page, but if any part of the session isn't encrypted, the entire account could be vulnerable. Look for https and the lock icon throughout the site, not just at sign in."
OnGuard Online: Tips for Using Public Wireless Networks
Facebook Enables Full-Session Encryption
EPIC: "Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users' passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their Account Settings; however, HTTPS is not yet the default. Facebook will use "social authentication," rather than traditional CAPTCHA, to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google's cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy."
Reports that White House e-mail system used in UK cyberattack
Federal Computer Week: "The White House's unclassified e-mail system is back up after an eight-hour outage, but the e-mail security problems may go deeper. It was disclosed February 4, 2011 that some officials alleged White House e-mails were the source of a cyberattack against British officials two months ago. Officials from the United Kingdom said today that alleged White House e-mail accounts were the source of a malware attack against U.K. government officials in late December, according to news reports."
"The UK Government highlighted attacks upon UK cyberspace as a priority risk in its National Security Strategy published in October 2010. The setting for the Foreign Secretary's speech is the 47th Munich Security Conference on 4 February. The UK delegation is led by Prime Minister David Cameron." [Read Foreign Secretary's speech in full - snipped here:] "Government systems are being targeted too. ZEUS is a well-known piece of malware that attempts to steal banking information and other personal details. In late December a spoofed email purporting to be from the White House was sent to a large number of international recipients who were directed to click on a link that then downloaded a variant of ZEUS. The UK Government was targeted in this attack and a large number of emails bypassed some of our filters. Our experts were able to clear up the infection, but more sophisticated attacks such as these are becoming more common."
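The speech describes the shape of the attack (a mail whose visible sender impersonates one organisation, sent through another, pointing at a link that downloads malware) but not how a mail gateway would catch it. The following is an added example, not part of the speech or of any UK government tooling, showing three cheap triage checks a filter can run on such a message: envelope sender versus From domain, the SPF verdict recorded in Authentication-Results, and link text that hides a different host or an executable download. The two messages, the domain names, and the last-two-labels approximation of a registrable domain are all constructed for this example.

```python
"""Triage checks for a spoofed message of the kind described in the speech:
a mail that claims to come from one organisation but is sent through another
and links to a download. Added illustration for this page; the two messages
below are constructed for the example and are not the real December 2010 mail."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: display name and From domain imitate whitehouse.gov, the envelope
# sender and SPF result point elsewhere, and the link text hides the real target.
SPOOFED_RAW = """\
Return-Path: <bounce@relay.example.org>
Authentication-Results: mx.example.gov; spf=fail smtp.mailfrom=relay.example.org
From: "The White House" <info@whitehouse.gov.example.net>
To: official@example.gov
Subject: Holiday greeting card
Content-Type: text/html; charset=utf-8

<html><body><p>A card for you:
<a href="http://cdn.example-card.net/card.exe">http://www.whitehouse.gov/holiday-card</a>
</p></body></html>
"""

# Constructed: a benign newsletter whose sender, envelope and links all agree.
CLEAN_RAW = """\
Return-Path: <news@example.org>
Authentication-Results: mx.example.gov; spf=pass smtp.mailfrom=example.org
From: "Example Org" <news@example.org>
To: official@example.gov
Subject: Monthly update
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.example.org/news">https://www.example.org/news</a></p></body></html>
"""

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr):
    """Lower-cased domain of an e-mail address, or '' if there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def registrable(host):
    """Crude registrable-domain approximation (assumed for this example): the
    last two labels. A real tool would consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(raw):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Envelope sender (Return-Path) should belong to the same domain as From.
    from_dom = domain_of(str(msg["From"] or ""))
    envelope_dom = domain_of(str(msg["Return-Path"] or ""))
    if envelope_dom and registrable(envelope_dom) != registrable(from_dom):
        findings.append(f"envelope sender {envelope_dom} does not match From domain {from_dom}")

    # 2. The receiving MX recorded an SPF verdict; anything but pass is suspect.
    spf = re.search(r"\bspf=(\w+)", str(msg["Authentication-Results"] or ""))
    if spf and spf.group(1).lower() != "pass":
        findings.append(f"SPF result is {spf.group(1)}")

    # 3. Link text that looks like a URL but resolves to a different host, and
    #    links whose target is an executable (the ZEUS dropper pattern).
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, label in LINK_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        label_host = (urlparse(label.strip()).hostname or "").lower()
        if label_host and registrable(label_host) != registrable(href_host):
            findings.append(f"link text shows {label_host} but points to {href_host}")
        if urlparse(href).path.lower().endswith(".exe"):
            findings.append(f"link downloads an executable: {href}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_RAW), ("clean", CLEAN_RAW)):
        print(name, triage(raw) or ["no findings"])
```

None of these checks is sufficient alone (a legitimate mailing-list relay also fails the envelope check), which is why a filter scores them together rather than blocking on any one; the point of the speech is that an attacker needs only one message to slip past whatever threshold is set.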
Majority of Federal Employees Go Beyond Mandatory IT Security Requirements
News release: "Most Federal employees go beyond baseline IT security requirements, according to a new survey by the Government Business Council, the research division of Government Executive Media Group, and CDW Government LLC (CDW-G), a leading provider of technology solutions to government, education and healthcare customers. While 97 percent of Federal employees are required by their agencies to use authentication measures such as passwords, security tokens and biometric identifiers, most take still more security precautions to protect agency data. Respondents noted that they proactively lock their screens when they are away from their computers and only use secure network connections and agency-issued machines to further secure information...The survey, underwritten by CDW-G in partnership with HP, conducted in September 2010, captured the views of 230 randomly selected Federal defense and civilian decision makers."
Mobile Computing at Federal Agencies: Frequency, Functionality, & Security - A Candid Survey of Federal Executives
OMB: Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems
January 3, 2011 - M-11-08, UNCLASSIFIED - Initial Agency Self-Assessment Program for User Access to Classified Information in Automated Systems: "Each department or agency that handles classified information should assess the agency's and its employees' adherence to the policy issuances noted below, the requirements to safeguard classified information with an emphasis on their application in automated systems, and any process the agency has designed to detect purposeful misuse of information technology systems. If your agency does not have any of the required programs/processes listed, you should establish them."
See related postings on WikiLeaks
WaPo: WikiLeaks cable dump reveals flaws of State Department's information-sharing tool
Follow up to previous postings on WikiLeaks, via WaPo's Joby Warrick: "Investigations into the attacks concluded that government agencies had failed to share critical information that could have helped uncover the Sept. 11 plot. Because of that lapse, Congress tasked the Office of the Director of National Intelligence with pressuring key government agencies - including the Pentagon, the Homeland Security Department and the State Department - to find ways to rapidly share information that could be relevant to possible terrorist plots and other threats. The State Department, with its hundreds of diplomatic posts worldwide, was already making tens of thousands of classified cables available to intelligence and military officials with secret security clearances. But in 2005, the DNI and the Defense Department agreed to pay for a new State Department computer database that could allow the agency's cables to flow more easily to other users throughout the federal government. Net-Centric Diplomacy was launched in 2006 and tied into a giant Defense Department system known as the Secret Internet Protocol Router Network, or SIPRnet. Soon, nearly half a million government employees and contractors with security clearances could tap into the diplomatic cables from computer terminals around the globe...The State Department's new database quickly garnered praise as a model of interagency collaboration. The database was named a finalist for an Excellence in Government award in 2006...The flaws did not become apparent until much later. One of the biggest problems: Sensitive cables were often dumped willy-nilly into the database regardless of whether they belonged there, according to two department officials familiar with the internal procedures for data storage."
Forbes: WikiLeaks And The New Corporate Disclosure Crisis
WikiLeaks And The New Corporate Disclosure Crisis - Stephanie Nora White and Rebecca Theim: "If the scandals that have plagued corporate America in the past two years haven't gotten you thinking about your own company's vulnerabilities, then the latest revelations out of WikiLeaks certainly should. In an interview with Forbes' Andy Greenberg, WikiLeaks founder Julian Assange declared that half the documents that have been fed to the organization are from corporations, and that sometime early next year his organization plans what presumably will be the first of many corporate disclosures. It will begin with information about one of the nation's leading banks. The target is rumored to be Bank of America, and the bank's stock tumbled 3% shortly after the rumors were publicized. Got your attention now? WikiLeaks is promising to give a voice to the disenfranchised, disgusted and disillusioned within Corporate America, those who have knowledge of company behavior ranging from distasteful to criminal. "Companies turn people into leakers by their failure to listen, look and respond," says business consultant and author Margaret Heffernan, whose forthcoming book, Willful Blindness: Why We Ignore the Obvious at Our Peril, will tackle the issue. In other words, it will no longer be a company's general counsel who will decide if and when something is disclosed to the public. Now, it's any insider with a flash drive who's troubled or disgruntled by an organization's conduct. And the types of information WikiLeaks is disclosing can be more damaging--and memorable--than a traditional corporate crisis."
Verizon White Paper: Escaping from Microsoft's Protected Mode Internet Explorer
Escaping from Microsoft's Protected Mode Internet Explorer - Evaluating a potential security boundary, November 2010
"In Internet Explorer 7 and Windows Vista, Microsoft introduced a new browser security feature called Protected Mode. According to Microsoft, this mechanism significantly reduces the ability of an attack [against Internet Explorer] to write, alter or destroy data on the user's machine.[1,2] A clearer description is that the feature attempts to protect the integrity of the client machine in the event the browser is compromised in an attack and prevent malware from being persisted on the targeted machine. This paper will describe why this is not currently the case in Internet Explorer 7 or 8 for remote code execution vulnerabilities, discuss the limitations of the feature by design, identify generic attack patterns that can be used to bypass the feature (without user intervention) and discuss some inconsistencies in the underlying access control implemented in Microsoft® Windows®."
EFF Tool Offers New Protection Against Exploits of Webpage Security Flaws
News release: "The Electronic Frontier Foundation (EFF) has launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against "Firesheep" and other exploits of webpage security flaws. HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking... This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough...Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly."
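The FTC tip above ("encryption only on the sign-in page") and the Firesheep passage describe the same server-side defect from two sides: a site authenticates over HTTPS, then hands the browser a session cookie that the browser will happily resend over plain http://, where anyone on the same hotspot can copy it and become that user. HTTPS Everywhere works around this on the client; the fix on the server is the Secure flag on the session cookie plus an HSTS policy. The block below is an added example, not EFF, FTC or Facebook code, that audits a login response for those two points. The two responses are constructed for the example and were not captured from any site, and the list of cookie-name fragments used to recognise a session cookie is an assumed heuristic.

```python
"""Audit the response a login page returns for the two defects that made the
Firesheep attack work: a session cookie without the Secure flag, and no HSTS,
so the browser will replay the cookie over plain http:// where anyone on the
same Wi-Fi can read it. Added illustration for this page, not EFF or FTC code;
the responses below are constructed and were not captured from any real site."""
import re
from email import message_from_string

# Constructed: HTTPS login that sets a session cookie the browser will also send
# over http://, and no HSTS policy (the "encrypted only at sign-in" pattern).
LEAKY_LOGIN_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: lang=en; Path=/

"""

# Constructed: the same login hardened with Secure, HttpOnly, SameSite and HSTS.
HARDENED_LOGIN_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: lang=en; Path=/

"""

# Assumed heuristic: cookie names containing these fragments carry the session.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_response(raw):
    """Split a raw HTTP response into (status line, header map).
    HTTP header syntax is close enough to RFC 5322 for the e-mail parser."""
    status, _, rest = raw.partition("\n")
    return status.strip(), message_from_string(rest)


def parse_set_cookie(value):
    """Return (cookie name, {attribute: value}) for one Set-Cookie header value;
    flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit(raw):
    """Return findings for the session cookies and transport policy in a response."""
    _, headers = parse_response(raw)
    findings = []
    for value in headers.get_all("Set-Cookie", []):
        name, attrs = parse_set_cookie(value)
        if not looks_like_session(name):
            continue  # preference cookies such as lang= are not worth stealing
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: it will be sent over plain http:// and can be sniffed")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    # Without HSTS a typed or linked http:// URL still starts in the clear, and
    # a non-Secure cookie rides along; max-age=0 switches the policy off again.
    hsts = headers.get("Strict-Transport-Security")
    max_age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None or not max_age or int(max_age.group(1)) == 0:
        findings.append("no effective Strict-Transport-Security: a typed http:// URL is not upgraded to https://")
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit(raw) or ["no findings"])
```

The same check is worth running against every response that sets or refreshes the session cookie, not only the login page, since a single later handler that omits Secure reintroduces the defect the FTC tip warns about.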
State of the Internet 2010: A Report on the Ever-Changing Threat Landscape
State of the Internet 2010: A Report on the Ever-Changing Threat Landscape, CA Technologies Internet Safety Business Unit
Internet Security Intelligence Report, October 2010
"Today approximately 1.8 billion people use the Internet to do everything from conduct business, communicate with friends and family, keep up with current events or simply entertain themselves playing games or watching videos. Each individual and each Internet connected device presents a certain footprint that is exposed and often manipulated for criminal or political gain. Malware, or malicious software, is often the catalyst for this manipulation, while targets span the gamut from corporate and national secrets to personal information that can be used to directly steal money or perpetuate another crime. Technology and the Internet provide the means and opportunity, while global socioeconomic trends provide the motive to perpetuate these crimes. Supporting this criminal activity and adding to the challenges of security and law enforcement is the growth of a criminal ecosystem. This network of criminals and services introduces multiple layers of anonymity while providing modular functionality for perpetuating cybercrime. In this paper we have defined this ecosystem as Crimeware-as-a-Service, and we share examples of how this ecosystem is exploiting the latest technology trends of cloud computing and social media. The ability to perpetuate these crimes across the Internet without swift and severe repercussions further fuels this Crimeware, challenging security professionals and governments alike to find new ways to protect valuable information."