Will Aussie Internet Security Program Alert US Consumers of Account Hacking?

November 2, 2010

Escalating attacks by hackers and other criminals on consumer, government, and business computers have increased the need to find viable defenses. Now, officials in the Obama administration have met with industry leaders and experts to look for new ways to increase online safety while balancing securing the Internet with guarding people’s privacy and civil liberties.

One option the government and industry experts are reportedly reviewing is an Australian technology that enables consumers to get warnings from their ISP (Internet Service Provider) if their computer is taken over and used in a botnet or other crime by hackers. (To learn more about botnets, see my blog What are Bots, Zombies, and Botnets?)

White House cybersecurity coordinator Howard Schmidt told The Associated Press that the United States is looking at a number of voluntary ways to help the public and small businesses better protect themselves online. Note the inclusion of the word voluntary - any move toward Internet regulation or monitoring by either the government or the industry could set off fierce consumer protests.

If a company is willing to give its customers better online security, the American public will go along with that, Schmidt said. “Without security you have no privacy. And many of us that care deeply about our privacy look to make sure our systems are secure,” Schmidt said in an interview, adding that ISP’s can help “make sure our systems are cleaned up if they’re infected and keep them clean.”

Given U.S. consumers’ fears over monitoring, the government has thus far avoided a potentially controversial aspect of the Australian plan that would allow ISP’s to block or restrict online access of users who fail to clean up their infected computers.

Some efforts to alert and help consumers have begun

At the same time, Comcast Corp. has begun rolling out a program to alert users when the service identifies their computer as being a part of a botnet. The program does not require customers to fix their computers or limit the online usage of people who refuse to do the repairs.

“We don’t want to panic customers. We want to make sure they are comfortable. Beyond that, I hope that we pave the way for others to take these steps,” said Cathy Avgiris, senior vice president at Comcast.

Facebook has also taken steps in increasing site security by identifying users with the Koobface virus, and they have partnered with McAfee to help infected users clean the virus off their machines.

Will we see mandatory measures?

Dale Meyerrose, vice president and general manager of Cyber Integrated Solutions at Harris Corporation, says voluntary programs will not be enough. “There are people starting to make the point that we’ve gone about as far as we can with voluntary kinds of things, we need to have things that have more teeth in them, like standards,” said Meyerrose. For example, coffee shops or airports might limit their wireless services to laptops equipped with certain protective technology, or ISP’s might qualify for specific tax benefits if they put programs in place.

Australian ISP’s will, as of December, be able to take a range of actions when they have identified an infected computer. These range from issuing warnings, to restricting outbound email, or even temporarily quarantining compromised machines while providing customers with links to help fix the problem.

First, do no harm

Mandating that consumers’ computers be safe to use the internet sounds good on the surface – it’s like requiring all students get inoculated so they don’t infect your child. But there are many layers to consider – what happens if a user’s phone service is part of the internet package – would they be blocked from making emergency calls? What if the computer is core to a business – should an ISP be able to shut down their business? Can cybercriminals leverage a policy like this to disable consumers across the country – giving a rather different meaning to the term ‘denial of service’ attack? What would a consumer’s experience be like if they constantly have to repair their computer to get online?

Advising consumers that their computer is infected, and providing tools for them to clean up the mess is one thing. Following the Australian plan is far more complicated.

And, at the end of the day this still leaves us playing catch up and clean up, rather than figuring out the far more pressing issue – how to thwart criminals from infecting machines in the first place.

Linda


Malware-Riddled Flash drive Created “Worst” U.S. Military Breach

September 3, 2010

A malware-laden flash drive inserted in a laptop at a U.S. military base in the Middle East in 2008 led to the “most significant breach of” the nation’s military computers ever, says William J. Lynn III, deputy secretary of defense in a newly released essay titled “Defending a New Domain: The Pentagon’s Cyberstrategy,” for the September/October issue of Foreign Affairs magazine. (you must register to read full article)

The article says the flash drive is believed to have been inserted by a “foreign intelligence agency” and the malware infiltrated the U.S. Central Command network and spread undetected on classified and unclassified systems creating a “digital beachhead, from which data could be transferred to servers under foreign control”. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” writes Lynn.

This incident is reportedly the most significant breach of U.S. military computers to date, and served as a wake-up call. In response, the Pentagon launched Operation Buckshot Yankee marking a turning point in U.S. cyberdefense strategy.

In the article, Lynn estimates that over 100 foreign intelligence agencies are working to hack into U.S. networks and that some countries already have the ability to disrupt our communications, saying “Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks that control critical civilian infrastructure. Computer-induced failures of U.S. power grids, transportation networks, or financial systems could cause massive physical damage and economic disruption.”

The scope of intrusions by hostile organizations and countries is staggering. Over the last ten years, the sophistication and frequency of probes into U.S. military networks have increased exponentially. Every day, U.S. military and civilian networks are scanned millions of times, and Lynn says files including weapons blueprints, operations plans, and surveillance data have been stolen.

Lynn highlights the threat of counterfeit computer hardware, which has been found in systems purchased by the Department of Defense, and of hardware and software that has been tampered with en route to the U.S.

“The risk of compromise in the manufacturing process is very real and is perhaps the least understood cyber threat. Tampering is almost impossible to detect and even harder to eradicate. Rogue code, including so-called logic bombs, which cause sudden malfunctions, can be inserted into software as it is being developed. As for hardware, remotely operated ‘kill switches’ and hidden ‘backdoors’ can be written into the computer chips used by the military, allowing outside actors to manipulate the systems from afar,” says Lynn.

“Cyberattacks offer a means for potential adversaries to overcome overwhelming U.S. advantages in conventional military power and to do so in ways that are instantaneous and exceedingly hard to trace. Such attacks may not cause the mass casualties of a nuclear strike, but they could paralyze U.S. society all the same,” he wrote. “In the long run, hackers’ systematic penetration of U.S. universities and businesses could rob the United States of its intellectual property and competitive edge in the global economy.”

What this means to you, and your role in protecting the country’s infrastructure

Every computer connected to the internet has the potential to impact the safety of the broader ‘net. In spite of the serious threats, the answer isn’t to unplug your computer and head for the hills. Instead, it is essential that you make sure your computers and internet connections are secure with proactive protection software that automatically updates; that you use strong, unique passwords and you keep them private; and you learn to avoid socially engineered exploits. It also means that every family member and/or anyone else who uses your computer(s) follows the same security rigor.

  1. Secure your computer. If your computer isn’t protected from Trojans, viruses, bots, and other malware, your financial information, passwords, and identity will be stolen, harming you and potentially spreading the malware to others. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, use one of the excellent free services.
  2. Secure your Internet connection – make sure your computer’s firewall is on. If you use a wireless network it needs to be encrypted so someone who is lurking outside the house can’t collect your information. If you need a free firewall, click here.
  3. Use strong passwords. A weak password is all it takes for someone to steal it. If you use the same password on multiple sites (or everywhere) you are asking for real trouble. Safe passwords don’t have to be hard to create; just hard to guess.
  4. When searching, do NOT assume sponsored sites are safe. Because I use McAfee Site Advisor (it’s free), I see a warning notifying me of the risk. Without a tool like this, you have no way of judging if the site is legitimate or going to give you malware, spam, etc. Other companies offer similar services; pick one and use it!
  5. Trust is Key. Know the Site. Know the User. Know the Company. Misplaced trust will land you in a world of trouble.
    1. You can no longer assume that links within trusted sites are safe. IBM’s research highlights the increase in malicious content placed on trusted sites.
    2. Be cautious and stay in the driver’s seat. Instead of clicking on a link, copy the URL into a search engine query and look at the results. Does the site have a positive safety rating? Don’t be pulled by links that may or may not take you where you want to go. This is particularly true with ‘shortened’ or ‘mini’ links used on sites like Twitter. If you do not have 100% confidence that the link is going to take you to a legitimate site, look up the material yourself. Learn how to Mitigate Risks When Using Shortened URL’s.

Linda


Mitigate Risks When Using Shortened URL’s

February 11, 2010

Lengthy URLs are hard to share with others, difficult (if not impossible) to remember, are more likely to break in emails, and can simply be too long to fit into short messaging sites like Twitter – which limits posts to 140 characters. To solve all these issues, several great free programs are available to shorten URL’s.

Of course, criminals are not stupid. Internet tools that are helpful for good users can be even handier for crooks. Spammers, scammers, ID thieves, etc. use URL shortening tools in hopes of increasing your likelihood of landing on their malicious sites.

For example, if you received an email, or saw a posting saying “hey, check out these cool cartoons” and saw the URL you were directed to click on was http://let-me-give-you-a-nasty-virus, you wouldn’t click on it. However, if the URL was shortened to look like http://bit.ly.12xtdf, you might not take the same care – even though it takes you to the exact same malicious site.

To reap the benefits of shortened URL’s without falling victim to criminals, stick to the advice that you only click on links from trusted sources, or on trusted sites – or find the site yourself. The trick is how to find out what site is hidden behind that shortened URL and begin testing it for safety.

Below are the instructions for creating a shortened URL, AND for discovering the safety of a shortened URL:

Creating a shortened URL:

  1. Begin by selecting a URL shortening service like TinyURL, Doiop, MemURL.com, ReadthisURL, dwarfURL.com, or bit.ly
  2. Enter the full length URL into the specified field
  3. Create a short name (optional in some, not available in other products)
  4. Then, press the button to generate the new, shorter version

My personal favorite URL shortener is TinyURL.com because it offers two great features. (Note: my views are my own, I do not accept remuneration to promote any service) The first great feature is the ability to customize your shortened URL, which is a whole lot more intelligible than the automatically generated random number and letter sequences the service creates on its own.

The second great feature is their preview option. Though it adds 8 additional characters, using the preview feature allows recipients to see the original URL of the site they will be taken to if they proceed. See the example here:

Discovering the safety of a Shortened URL:

If the shortened URL was created using TinyURL, and the creator used the preview feature, click on the preview link. It will take you to a landing page that shows the full URL address (see image). You can compare this to the original URL in the previous image and see they are a match.

To discover where other shortened links are going to take you requires using an “UNshortening tool”, several of which are also free.

If you frequently consider clicking on shortened links, installing a free tool like UnShortenEmAll, TinyURL Decoder, or Expand url shortening service urls makes a lot of sense; these will either automatically display the URLs in their original form, or show you the real URL if you hover over them. All of these require that you download a Greasemonkey plugin to your Firefox browser to run, but they’re easy to install and use.

If you only occasionally consider clicking on shortened links, the website Unshorten.com may be just right for you. To use it, simply enter in the shortened URL, and it will return the real location as shown in the image below:

Keep in mind that simply discovering the full URL does not mean the site is legitimate – it just means you’re ready to use standard methods for determining the safety of a site.
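What an unshortening tool does under the hood, as an added example that is not part of the original post and not the code of any tool named here: it asks the shortener where the link points (an HTTP HEAD request, reading the Location header) and reports the destination without ever contacting it. The local demo shortener, its routes, and destination.example are constructed for illustration; `shortener_hosts` is an assumed allowlist of shortening services that you maintain yourself.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def unshorten(url, shortener_hosts, max_hops=5):
    """Return the redirect chain behind a short link, starting with url itself.

    Only hosts listed in shortener_hosts are contacted. The first URL on any
    other host is reported as the destination and is never requested.
    """
    chain = [url]
    hops = 0
    while True:
        parts = urlsplit(chain[-1])
        if parts.scheme not in ("http", "https"):
            raise ValueError("refusing non-HTTP redirect target: " + chain[-1])
        # Exact netloc match, so "http://bit.ly@other.example/" is not
        # mistaken for a link on bit.ly.
        if parts.netloc.lower() not in shortener_hosts:
            return chain
        if hops == max_hops:
            raise RuntimeError("gave up after %d redirects" % max_hops)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.netloc, timeout=5)
        try:
            path = parts.path or "/"
            if parts.query:
                path += "?" + parts.query
            conn.request("HEAD", path)  # headers only, no page body
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_CODES or not location:
            return chain  # dead or non-redirecting short link
        chain.append(urljoin(chain[-1], location))
        hops += 1


class _DemoShortener(BaseHTTPRequestHandler):
    """Constructed stand-in for a shortening service (not a real one)."""
    routes = {}

    def do_HEAD(self):
        target = self.routes.get(self.path)
        if target is None:
            self.send_response(404)
        else:
            self.send_response(301)
            self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_shortener():
    """Start the constructed shortener on a free local port."""
    server = HTTPServer(("127.0.0.1", 0), _DemoShortener)
    _DemoShortener.routes = {
        "/cartoons": "/hop2",  # a short link that chains to another one
        "/hop2": "http://destination.example/cool-cartoons",
        "/loop": "/loop",      # a link that redirects to itself
    }
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    server, host = start_demo_shortener()
    try:
        for hop in unshorten("http://%s/cartoons" % host, {host}):
            print(hop)
    finally:
        server.shutdown()
```

The last URL in the returned chain is the one to look up before deciding whether to visit it.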

Steer, don’t be pulled. Once you have found the proper URL, use a search engine – combined with a malware filter like McAfee’s Site Advisor (it’s free) – to be sure the site is legitimate before clicking the link.

In the example above, you see that the full URL behind the link is blogof.francescomugnai.com. To check the safety of this website, I copied and pasted this text into the SEARCH box (not address field) of my search engine and looked to see two things. 1) The site exists, and 2) the site has been tested by McAfee Site Advisor’s malware filters and found to be safe (the little green check mark next to each result is how McAfee’s tool shows the safety or risk level of tested sites.)

Keep your computer protected at all times using anti-virus, anti-spam, and anti-phishing tools and follow these simple safety steps when navigating to websites to have a safer, more enjoyable online experience.

Linda


$100 Billion-A-Year Medical Care Fraud

January 17, 2010

Healthcare fraud is big business. Last year scammers and organized crime groups bilked an estimated $100 billion, according to a new article, Health care: A ‘goldmine’ for fraudsters, from CNNMoney.com.

Medical Identity theft is the most lucrative aspect of the medical fraud business, and the most common method of gaining access to personal medical records is when someone with legitimate access to the data sells the information to criminals. But that’s changing.

According to the CNN article “Increasingly, criminal groups are hacking into digital medical records so that they can steal money from the $450 billion, 44-million-beneficiary Medicare system — making the government, by far, the “single biggest victim” of health care fraud, according to Rob Montemorra, chief of the FBI’s Health Care Fraud Unit.”

While the government is the “single biggest victim”, every individual whose records are stolen will feel the pain.

The most common way scammers and criminals make their money is by sending in false bills to insurance companies and Medicare for medicines, equipment, in-home health care, or treatments that were not prescribed or requested.  Criminals also ‘resell’ an individual’s medical records to an uninsured person in need of medical care.

While the aim of the criminals behind medical ID theft and fraud is to steal money, the tampering with your medical information can place you at serious risk if doctors base medical decisions about your care on the falsified information in your file.

The government isn’t the only one footing the bill. In addition to the indirect costs to the government and insurance companies that every consumer pays for medical fraud, the average cost to an individual victim of medical ID theft was close to $1,200 according to Javelin Strategy & Research, a research firm specializing in trends in security and fraud initiatives. Javelin’s research also found that in 2008 the average incident of health care identity fraud netted the criminal $19,000, which is four times the earnings of overall ID theft.

In addition to the risk to your medical records, these thieves also gain access to the information that accompanies your records – including your name, address, phone number, social security number, insurance company, and more – placing you at high risk for traditional ID theft as well.

Stay vigilant

Always check your insurance benefits statements to see if there are charges or claims that are not yours. Notify your insurance company if your financial ID has been stolen, and notify your financial institutions if your medical ID has been stolen.

Linda


Symantec’s Cybercrime Intelligence Report Aug 2009

August 31, 2009

The news on the cybercrime front remains grim. According to Symantec’s MessageLabs report for Aug 2009, cybercriminals continue to expand their reach and hone their tactics; botnets are so sophisticated, they can be back up and running 48 hours after a crippling distribution blow; criminals now optimize for efficiency – and favor repurposing malware rather than developing new tactics. Scammers continue targeting ‘hot topics’ for their campaigns – and have the botnet capacity to distribute billions of spam a day.

If that didn’t leave you unsettled, here’s a closer look at Symantec’s MessageLabs findings for August:

  • Cutwail, one of the largest botnets globally, is responsible for approximately 15 to 20 percent of all spam today.
    • Following the shutdown of an ISP in Latvia, Cutwail’s volumes fell by as much as 90 percent, and global spam volumes fell by as much as 38 percent in the subsequent 48-hour period.
    • In a matter of days Cutwail was back to its former self, demonstrating just how powerful the botnet really is in recovering and reinventing itself.
  • Despite the brief downturn in spam levels, the figures for August remain fairly steady at 88.5%, due to the activity levels of other major botnets
  • Another prolific botnet called Donbot distributed ten billion emails in just one day using shortened URLs in its spam runs. Note: Shortened URL services are invaluable on services like Twitter where only 140 characters are available – many URL’s are longer than that. However, they mask the real website being pointed to and are therefore very appealing to internet criminals.
    • Leveraging the heightened interest in health related issues, Donbot email subjects include ‘Health care – get meds now’, ‘Save 89% on Meds’, ‘Purchase Meds Online’.
  • The ongoing use of shortened-URLs as a delivery mechanism has resulted in a number of URL-shortening services being forced to close their businesses due to their inability to handle the malicious use of their tools.
  • Cybercriminals are three times as likely to favor repurposing malware across numerous domains rather than developing new tactics.
    • In August, of 3,510 websites being blocked daily, 36.1 percent of domains were new. Similar analysis of malware being blocked each day highlights that only 11.9 percent was newly developed malware.

We can read this sobering report and throw up our hands, or we can look for additional countermeasures to help in thwarting these exploits.

I was particularly struck by the high level of repurposing of malware. Of course, it makes the best business sense from a criminal’s point of view, but perhaps it opens another avenue for countermeasures.

As an industry, companies need to work more closely together to block cybercriminals’ ability to repurpose exploits across various services and technologies. Far too often when an exploit first arises – let’s say in email – we see email providers scramble to create solutions; then the exploit pops up in IM; and then in one or more social networking sites; and so on.

We need to figure out how to work better across companies and services segments to stop the repurposing in its tracks and reduce the opportunity for financial gains by the criminals behind these exploits.

Click to read the full report.

Linda


Cybersecurity Draft Strengthened

August 28, 2009

Stronger focus on creating a trained workforce to thwart high-tech threats, increased frequency of national cyber-reviews, and the development of a workforce plan to address skill deficiencies and an analysis of barriers to recruitment of cybersecurity professionals are among the changes introduced over the August recess to the cybersecurity legislation by Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine.

Though the revisions have not yet been approved, they incorporate excellent feedback to this important legislation. As a nation, we simply do not have enough qualified cybersecurity experts within law enforcement, government bodies, and companies to effectively combat the mounting threats against our infrastructure, and this legislation is an excellent step towards changing this shortfall.

Also encouraging is that even in these difficult economic times the original bill’s provision of a National Science Foundation scholarship program is preserved, and that significant funding is set aside for the National Institute of Standards and Technology to conduct competitions to woo students into cybersecurity careers.

Another alteration to the bill is the curtailment of what was a highly contentious provision, which had the potential to give the White House the authority to effectively turn off the Internet during a cyber crisis. The redrafted proposal directs the president to work with the industry during cyber emergencies on a national response as well as the timely restoration of affected networks.

The significant and escalating threats to our economy, infrastructure, and safety demand a strong response, and a shift in course that this legislation, if appropriately crafted, will begin to address.

Linda


McAfee, Inc. Names Jessica Biel the Most Dangerous Celebrity in Cyberspace

August 25, 2009

Mix celebrity status and media presence and you create a magnet for cyber-scammers. McAfee has just released its third annual “Most Dangerous Celebrity in Cyberspace” report and it highlights that though the actors of the moment change, the tactics cybercriminals use remain the same.

Jessica Biel now has the dubious distinction of being the most dangerous celebrity to search in cyberspace. Whether fans search for “Jessica Biel” or “Jessica Biel downloads,” “Jessica Biel wallpaper,” “Jessica Biel screen savers,” “Jessica Biel photos” or “Jessica Biel videos”, they have a 20% chance of landing at a Web site containing spyware, adware, spam, phishing, viruses or other malware.

Somewhat surprisingly, McAfee’s results showed that the U.S. President and First Lady are not among the most risky public figures to search, ranking 34th and 39th, respectively.

McAfee’s top riskiest celebrity searches include:

  1. Jessica Biel – Almost half of “Jessica Biel screensavers” search results contain malicious downloads with spyware, adware and potential viruses.
  2. Beyoncé – Inputting “Beyoncé ringtones” into a search engine yielded a dangerous Web site linking to a distributor of adware and spyware.
  3. Jennifer Aniston – More than 40% of the Google search results for “Jennifer Aniston screensavers” contained nasty viruses, including one called the “FunLove virus.”
  4. Tom Brady – The New England Patriot seems to attract many fans who want a free download of the athlete in action, but not the Trojan that comes with it.
  5. Jessica Simpson – Searching for “Jessica Simpson videos” can mislead unsuspecting surfers to sites with potentially damaging downloads.
  6. Gisele Bundchen – A search for “Gisele Bundchen photos” can direct users to sites that breached browser security in McAfee’s tests.
  7. Miley Cyrus – Web sites related to Miley Cyrus’ image link to harmful sites containing spyware.
  8. Megan Fox, Angelina Jolie – tied for the number of search results containing risky downloads, proving cybercriminals are in the business of capitalizing on the world’s most famous faces.
  9. Ashley Tisdale – The “High School Musical” star is a popular search term when it comes to searching for screensavers. A host of screensaver Web sites contained numerous malware-laden downloads.
  10. Brad Pitt – Brad Pitt fell towards the bottom of this year’s list, resulting in a few less, but just as dangerous, Web sites.
  11. Reese Witherspoon – Searching for “Reese Witherspoon” and “Reese Witherspoon photos” returns results promoting free files with hidden malware.
  12. Britney Spears – McAfee SiteAdvisor technology found a single site promoting free Britney Spears wallpaper that was embedded with more than 50 potentially infected downloads.

Don’t play roulette on a search engine

Searching the web without using tools that identify malicious websites is asking for trouble – you simply will not be able to tell which are legitimate. Cybercriminals aren’t stupid; they want to target the broadest number of users and therefore closely watch for the most popular search terms.

In addition to having up-to-date security software in place, you need to use a product that visibly identifies for you the potential for malicious code on search results. I’ll mention McAfee’s Site Advisor solution (it’s FREE folks) first as they generated this report, and it’s the one I use on all my machines. Additionally, both Firefox and Internet Explorer have features you can use to alert you to malicious sites, and several other companies offer similar services.

Linda


130 Million Credit and Debit Card Numbers Stolen – Is Yours Secure?

August 17, 2009

The largest case of ID theft ever prosecuted reads like a thriller. A small group of men stole more than 130 million credit and debit card numbers between 2006 and 2008. At the same time, the ringleader, Alberto Gonzalez, 27, played informant for federal investigators, helping them catch his cohorts.

It appears that at the ripe age of 22, Gonzalez began his career in ID theft, stealing credit card information from a string of stores including Office Max, Barnes & Noble, Marshalls, TJ Maxx, 7-Eleven, Heartland Payment Systems, and at least two unnamed national retailers. It is still unclear how many of these credit and debit card numbers were then sold online through the internet black market and used by other criminals to make unauthorized purchases and withdrawals from banks.

It is also unclear whether all victims have been notified that their cards were stolen, as not all states have laws requiring stores to notify consumers of data breaches. NOTE: As of July 27, 2009, forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information, according to the National Conference of State Legislatures.

Speaking about the case and the involvement of Gonzalez in so many data breaches Erez Liebermann, an asst. U.S. attorney in the Justice Department’s New Jersey office, said it suggests that “perhaps the individuals capable of such conduct are a tighter-knit group than may have been previously thought.”

The indictment alleges that Mr. Gonzalez and his conspirators (11 have been indicted) reviewed Fortune 500 companies and selected which companies to target, then visited targeted company stores to determine which payment systems were used. The criminals then launched SQL injection attacks against these sites, exploiting flaws in how the sites handled SQL, the programming language commonly used for databases. Their malware programs intercepted credit card transactions in real time and transmitted the numbers to leased computers in the U.S., the Netherlands and Ukraine.

Sobering reality

Richard Wang, manager of SophosLabs, said the case demonstrates that retailers and banks need to strengthen industry standards. Under current practice, major banks agree to encrypt this data only when it is stored; moving forward, credit card numbers should be encrypted when passed between computers.

Mr. Wang also doubted that the world had seen the last significant theft of credit card numbers. “I’m not sure how likely it is that they [prosecutors] are going to get the Russian co-conspirators, obviously there are still plenty of people with the necessary expertise to pull off these kinds of attacks.”

Linda


Threat Report – Cybercrimes Continue to Rise in 2009

July 26, 2009

New research just published by Sophos Security outlines the increase in sophistication of cyber attacks and the new vectors criminals are targeting for their exploits. It also points out that it is the US, not some foreign entity, that hosts more malware and distributes more spam than any other country – nearly 3 times the amount of China which ranks second on malware hosting, and 50% more than Brazil which ranks second in spam.

Sobering statistics from their report:

  • 23,500 new infected web pages are discovered every day. That’s one every 3.6 seconds, 4 times worse than what it was in the same period in 2008.
  • 15 new bogus anti-virus vendor websites are discovered every day. This number has tripled, up from an average of five detected per day, during 2008.
  • Approximately 6,500 new spam-related websites are discovered every day – accounting for one new website every 13 seconds, 24 hours a day. This figure is almost double what it was in the same period in 2008.
  • Over 99% of spam is sent from home computers that have become part of botnets because they were not properly protected with up-to-date anti-virus software, firewalls and security patches.

Existing exploits persist, and new threats emerge

Data loss/theft remains a top concern in 2009 as many corporations and government institutions have failed to protect employees’ and customers’ sensitive information.

Hacking legitimate websites so they distribute malware continues. Infected sites have included government and educational sites that consumers know and trust, yet simply visiting these sites, or downloading materials leaves users infected.

Email attacks continue and an even greater percentage of these come from the US in 2009 with 15.7% as compared to 14.9% in the same period in 2008.

Criminals have begun to leverage social networks in a concerted way to expand their methods of exploitation. Sophos found that 25% of businesses have been the victim of spam, phishing or malware attacks generated through networks like Twitter, Facebook, LinkedIn and MySpace.

2009 has also seen an increase in using USB sticks to spread malware, and hackers are moving beyond traditional programs to find and exploit security holes in programs and tools like Adobe Flash and PDFs.

Digital espionage in the first half of 2009 continued to expand in spite of governments increasing shutdowns, arrests and harsher sentences for criminals involved in cybercrimes.

Bleak Predictions

Sophos believes Web 2.0 sites like Facebook, Twitter and MySpace will become the primary battleground for malware authors, identity thieves and spammers. Cybercriminals will increase the number of legitimate, but hacked, web pages. The variety and number of attacks will continue to increase as criminals find new security holes, adopt new techniques, and create new disguises to infect the unsuspecting. Compromised computers will continue to be the primary source of spam. ID theft will become an even larger problem and will adversely affect customer trust. Email and web attacks will increasingly use Word documents and PDFs to trigger unseen downloads of viruses and Trojans.

Prevention is better than a cure

The report concludes by noting that the current path does not have to continue. Detection of new malware threats is at an all-time high, and with solid security practices, up-to-date security software, and a commitment to stay safe, we can go a long way towards defending home computers and business networks.

Click here to read the full report.

Linda


REMARKS BY PRESIDENT OBAMA ON SECURING OUR NATION’S CYBER INFRASTRUCTURE

June 30, 2009

President Obama spoke to the nation last month about his plan and vision for securing the nation’s infrastructure against attacks from terrorists, countries conducting cyberwarfare, organized crime, and other forms of threats.

His message was both powerful and insightful and because of this, his remarks in their entirety are printed below.

REMARKS BY PRESIDENT OBAMA ON SECURING OUR NATION’S CYBER INFRASTRUCTURE

THE PRESIDENT:  We meet today at a transformational moment — a moment in history when our interconnected world presents us, at once, with great promise but also great peril.

Now, over the past four months my administration has taken decisive steps to seize the promise and confront these perils.  We’re working to recover from a global recession while laying a new foundation for lasting prosperity.  We’re strengthening our armed forces as they fight two wars, at the same time we’re renewing American leadership to confront unconventional challenges, from nuclear proliferation to terrorism, from climate change to pandemic disease.  And we’re bringing to government — and to this White House — unprecedented transparency and accountability and new ways for Americans to participate in their democracy.

But none of this progress would be possible, and none of these 21st century challenges can be fully met, without America’s digital infrastructure — the backbone that underpins a prosperous economy and a strong military and an open and efficient government.  Without that foundation we can’t get the job done.

It’s long been said that the revolutions in communications and information technology have given birth to a virtual world.  But make no mistake:  This world — cyberspace — is a world that we depend on every single day.  It’s our hardware and our software, our desktops and laptops and cell phones and Blackberries that have become woven into every aspect of our lives.

It’s the broadband networks beneath us and the wireless signals around us, the local networks in our schools and hospitals and businesses, and the massive grids that power our nation.  It’s the classified military and intelligence networks that keep us safe, and the World Wide Web that has made us more interconnected than at any time in human history.

So cyberspace is real.  And so are the risks that come with it.

It’s the great irony of our Information Age — the very technologies that empower us to create and to build also empower those who would disrupt and destroy.  And this paradox — seen and unseen — is something that we experience every day.

It’s about the privacy and the economic security of American families.  We rely on the Internet to pay our bills, to bank, to shop, to file our taxes.  But we’ve had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm — spyware and malware and spoofing and phishing and botnets.  Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied.  According to one survey, in the past two years alone cyber crime has cost Americans more than $8 billion.

I know how it feels to have privacy violated because it has happened to me and the people around me.  It’s no secret that my presidential campaign harnessed the Internet and technology to transform our politics.  What isn’t widely known is that during the general election hackers managed to penetrate our computer systems.  To all of you who donated to our campaign, I want you to all rest assured, our fundraising website was untouched.  (Laughter.)  So your confidential personal and financial information was protected.

But between August and October, hackers gained access to emails and a range of campaign files, from policy position papers to travel plans.  And we worked closely with the CIA — with the FBI and the Secret Service and hired security consultants to restore the security of our systems.  It was a powerful reminder:  In this Information Age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities.

This is a matter, as well, of America’s economic competitiveness.  The small businesswoman in St. Louis, the bond trader in the New York Stock Exchange, the workers at a global shipping company in Memphis, the young entrepreneur in Silicon Valley — they all need the networks to make the next payroll, the next trade, the next delivery, the next great breakthrough.  E-commerce alone last year accounted for some $132 billion in retail sales.

But every day we see waves of cyber thieves trolling for sensitive information — the disgruntled employee on the inside, the lone hacker a thousand miles away, organized crime, the industrial spy and, increasingly, foreign intelligence services. In one brazen act last year, thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world — and they did it in just 30 minutes.  A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million.  It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.

In short, America’s economic prosperity in the 21st century will depend on cybersecurity.

And this is also a matter of public safety and national security.  We count on computer networks to deliver our oil and gas, our power and our water.  We rely on them for public transportation and air traffic control.  Yet we know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.

Our technological advantage is a key to America’s military dominance.  But our defense and military networks are under constant attack.  Al Qaeda and other terrorist groups have spoken of their desire to unleash a cyber attack on our country — attacks that are harder to detect and harder to defend against.  Indeed, in today’s world, acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer — a weapon of mass disruption.

In one of the most serious cyber incidents to date against our military networks, several thousand computers were infected last year by malicious software — malware.  And while no sensitive information was compromised, our troops and defense personnel had to give up those external memory devices — thumb drives — changing the way they used their computers every day.

And last year we had a glimpse of the future face of war.  As Russian tanks rolled into Georgia, cyber attacks crippled Georgian government websites.  The terrorists that sowed so much death and destruction in Mumbai relied not only on guns and grenades but also on GPS and phones using voice-over-the-Internet.

For all these reasons, it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.

It’s also clear that we’re not as prepared as we should be, as a government or as a country.  In recent years, some progress has been made at the federal level.  But just as we failed in the past to invest in our physical infrastructure — our roads, our bridges and rails — we’ve failed to invest in the security of our digital infrastructure.

No single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge.  Indeed, when it comes to cybersecurity, federal agencies have overlapping missions and don’t coordinate and communicate nearly as well as they should — with each other or with the private sector.  We saw this in the disorganized response to Conficker, the Internet “worm” that in recent months has infected millions of computers around the world.

This status quo is no longer acceptable — not when there’s so much at stake.  We can and we must do better.

And that’s why shortly after taking office I directed my National Security Council and Homeland Security Council to conduct a top-to-bottom review of the federal government’s efforts to defend our information and communications infrastructure and to recommend the best way to ensure that these networks are able to secure our networks as well as our prosperity.

Our review was open and transparent.  I want to acknowledge, Melissa Hathaway, who is here, who is the Acting Senior Director for Cyberspace on our National Security Council, who led the review team, as well as the Center for Strategic and International Studies bipartisan Commission on Cybersecurity, and all who were part of our 60-day review team.  They listened to a wide variety of groups, many of which are represented here today and I want to thank for their input:  industry and academia, civil liberties and private — privacy advocates.  We listened to every level and branch of government — from local to state to federal, civilian, military, homeland as well as intelligence, Congress and international partners, as well.  I consulted with my national security teams, my homeland security teams, and my economic advisors.

Today I’m releasing a report on our review, and can announce that my administration will pursue a new comprehensive approach to securing America’s digital infrastructure.

This new approach starts at the top, with this commitment from me:  From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be:  as a strategic national asset.  Protecting this infrastructure will be a national security priority.  We will ensure that these networks are secure, trustworthy and resilient.  We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.

To give these efforts the high-level focus and attention they deserve — and as part of the new, single National Security Staff announced this week — I’m creating a new office here at the White House that will be led by the Cybersecurity Coordinator.  Because of the critical importance of this work, I will personally select this official.  I’ll depend on this official in all matters relating to cybersecurity, and this official will have my full support and regular access to me as we confront these challenges.

Today, I want to focus on the important responsibilities this office will fulfill:  orchestrating and integrating all cybersecurity policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of a major cyber incident or attack, coordinating our response.

To ensure that federal cyber policies enhance our security and our prosperity, my Cybersecurity Coordinator will be a member of the National Security Staff as well as the staff of my National Economic Council.  To ensure that policies keep faith with our fundamental values, this office will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people.

There’s much work to be done, and the report we’re releasing today outlines a range of actions that we will pursue in five key areas.

First, working in partnership with the communities represented here today, we will develop a new comprehensive strategy to secure America’s information and communications networks.  To ensure a coordinated approach across government, my Cybersecurity Coordinator will work closely with my Chief Technology Officer, Aneesh Chopra, and my Chief Information Officer, Vivek Kundra.  To ensure accountability in federal agencies, cybersecurity will be designated as one of my key management priorities.  Clear milestones and performance metrics will measure progress.  And as we develop our strategy, we will be open and transparent, which is why you’ll find today’s report and a wealth of related information on our Web site, www.whitehouse.gov.

Second, we will work with all the key players — including state and local governments and the private sector — to ensure an organized and unified response to future cyber incidents.  Given the enormous damage that can be caused by even a single cyber attack, ad hoc responses will not do.  Nor is it sufficient to simply strengthen our defenses after incidents or attacks occur.  Just as we do for natural disasters, we have to have plans and resources in place beforehand — sharing information, issuing warnings and ensuring a coordinated response.

Third, we will strengthen the public/private partnerships that are critical to this endeavor.  The vast majority of our critical information infrastructure in the United States is owned and operated by the private sector.  So let me be very clear:  My administration will not dictate security standards for private companies.  On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity.

Fourth, we will continue to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet the digital challenges of our time.  And that’s why my administration is making major investments in our information infrastructure:   laying broadband lines to every corner of America; building a smart electric grid to deliver energy more efficiently; pursuing a next generation of air traffic control systems; and moving to electronic health records, with privacy protections, to reduce costs and save lives.

And finally, we will begin a national campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms, and to build a digital workforce for the 21st century.  And that’s why we’re making a new commitment to education in math and science, and historic investments in science and research and development.  Because it’s not enough for our children and students to master today’s technologies — social networking and e-mailing and texting and blogging — we need them to pioneer the technologies that will allow us to work effectively through these new media and allow us to prosper in the future.  So these are the things we will do.

Let me also be clear about what we will not do.  Our pursuit of cybersecurity will not — I repeat, will not include — monitoring private sector networks or Internet traffic.  We will preserve and protect the personal privacy and civil liberties that we cherish as Americans.  Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be — open and free.

The task I have described will not be easy.  Some 1.5 billion people around the world are already online, and more are logging on every day.  Groups and governments are sharpening their cyber capabilities.  Protecting our prosperity and security in this globalized world is going to be a long, difficult struggle demanding patience and persistence over many years.

But we need to remember:  We’re only at the beginning.  The epochs of history are long — the Agricultural Revolution; the Industrial Revolution.  By comparison, our Information Age is still in its infancy.  We’re only at Web 2.0.  Now our virtual world is going viral.  And we’ve only just begun to explore the next generation of technologies that will transform our lives in ways we can’t even begin to imagine.

So a new world awaits — a world of greater security and greater potential prosperity — if we reach for it, if we lead.  So long as I’m President of the United States, we will do just that.  And the United States — the nation that invented the Internet, that launched an information revolution, that transformed the world — will do what we did in the 20th century and lead once more in the 21st.

Thank you very much, everybody.

