Wednesday, November 23, 2011

National Cybersecurity
Mills, E. (2011, November 22). DHS denies report of water utility hack. CNET. Retrieved from http://news.cnet.com/8301-27080_3-57330029-245/dhs-denies-report-of-water-utility-hack/
The Department of Homeland Security and FBI today dismissed the conclusions of a report that a cyber intrusion caused a pump at an Illinois water utility to burn out. But the statement doesn't explain why an Illinois state terrorism intelligence center would say it was a hacker when it wasn't.  In the meantime, the DHS is investigating a claim by a hacker who goes by "pr0f" who claimed to have compromised a Texas water utility last week. 
 
Global Cybersecurity
& broadly applicable items 

Cyberwar explodes in Syria. (2011, November 22). CNN. Retrieved from http://www.cnn.com/2011/11/22/world/meast/syria-cyberwar/index.html
For the past eight months, Syria has been locked in a bloody cycle of anti-regime protests and violent crackdown. The United Nations accuses government security forces of systematic torture, disappearances and the use of deadly force to crush dissent. More than 3,500 people have been killed since March. The UN's top human rights monitoring commission has repeatedly accused the Syrian regime of carrying out crimes against humanity.  But this bloody test of wills is not only being fought in the streets. Activists, diplomats and IT specialists say there is also a high-stakes war of information being waged in cyberspace. [Related article: "Senators ask for investigation of U.S. companies’ surveillance technology in Syria" (Government Security News).]

Khakkar, M. (2011, November 22). Indian govt. servers compromised and used against China. ZDNet. Retrieved from http://www.zdnet.com/blog/india/indian-govt-servers-compromised-and-used-against-china/767
Sources within the Indian government’s IT arm, the National Informatics Center (NIC), have raised some really dangerous concerns. According to them, the government’s IT infrastructure has been used by black hat hackers to attack China. Talking to the Times of India, a source said that the government servers have been compromised and used by foreign perpetrators.

NIST expands database designed to help programmers improve software security. (2011, November 23). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/22201/nist-expands-database-designed-to-help-programmers-improve-software-security/
The National Institute of Standards and Technology has dramatically enlarged a database intended to improve applications that help programmers identify security weaknesses in software, the agency announced this week. The database, known as the Software Assurance Metrics and Tool Evaluation Reference Dataset (SRD) version 4.0 . . . encompasses more than 60,000 specific cases of code errors, with the addition of 100 more categories and 30 times the number of cases in SRD version 3.0.

Swerdlove, H. (2011, November 21). The most vulnerable smartphones of 2011. Retrieved from http://www.bit9.com/file/Bit9Report_SmartPhones2011.pdf
In this report, we analyzed the mobile market and identified the most vulnerable smartphones of 2011. What we found is that Android phones, which account for the majority of all new smartphones purchased in 2011, have the most complex software distribution model. Phone manufacturers and the phone carriers are responsible for distributing important updates, instead of Google, the makers of the Android operating system. The result is that Android phones are most likely to run for long periods of time with known security flaws. All 12 of the top most vulnerable phones in our report are Android models.

Friday, November 18, 2011

National Cybersecurity

Cybersecurity: Assessment and outlook: Hearing before the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security, 112th Cong. (2011). [Full text available via UMUC Library OneSearch: 1, 2, 3, 4].
Testimony from James A. Baker, Michael Chertoff, and others.

Engleman, E. (2011, November 18). Reid to move on Senate cybersecurity measure in early 2012. BusinessWeek. Retrieved from http://www.businessweek.com/news/2011-11-18/reid-to-move-on-senate-cybersecurity-measure-in-early-2012.html
Senate Majority Leader Harry Reid intends to bring comprehensive cybersecurity legislation to the Senate floor for debate early next year.  Cyber attacks and espionage are “causing billions of dollars of damage to our economy and are severely compromising critical national security capabilities,” Reid, a Nevada Democrat, wrote in a letter yesterday to Senate Minority Leader Mitch McConnell, a Kentucky Republican. The letter was released today by Reid’s office.

McCullagh, D. (2011, November 17). Sandia Labs: SOPA will "negatively impact" U.S. cybersecurity. CNET. Retrieved from http://news.cnet.com/8301-31921_3-57326956-281/sandia-labs-sopa-will-negatively-impact-u.s-cybersecurity/
Leonard Napolitano, Sandia's director of computer sciences and information systems, warned in a letter that the legislation is "unlikely to be effective" and will "negatively impact U.S. and global cybersecurity and Internet functionality." Napolitano sent a letter in response to a request for a critique of the Stop Online Piracy Act, or SOPA, from Rep. Zoe Lofgren, a California Democrat who represents the heart of Silicon Valley. Lofgren is leading opposition in the House of Representatives to SOPA. 

Mills, E. (2011, November 17). Was U.S. water utility hacked last week? CNET. Retrieved from http://news.cnet.com/8301-27080_3-57327030-245/was-u.s-water-utility-hacked-last-week
Intruders compromised a water utility network last week and destroyed a pump, according to a state government report cited by a critical infrastructure security expert today.  It appears that hackers breached the network of a company that makes SCADA (supervisory control and data acquisition) and stole customer usernames and passwords, said Joe Weiss, managing partner of Applied Control Solutions. "There was damage--the SCADA system was powered on and off, burning out a water pump," he wrote in a brief blog post.  The report did not identify the water utility attacked or the SCADA software vendor compromised, Weiss said in an interview with CNET.

Rockwell, M. (2011, November 16). DOJ wants to prosecute cyber criminal activity under racketeering law. Government Security News. Retrieved from http://www.gsnmagazine.com/node/24997
The set of laws that has allowed federal prosecutors to bring down traditional organized crime gangs should be applied to international cyber crime rings, a top Department of Justice official told a congressional committee on Nov. 15. The recommendation was one of several DoJ Deputy Section Chief Richard Downing said should be made to the Computer Fraud and Abuse Act (CFAA) during a House Judiciary Subcommittee on Crime, Terrorism and Homeland Security hearing on cyber security’s new frontiers. The committee is considering updating the law. 

Thaw, D. B. (2011). Characterizing, classifying, and understanding information security laws and regulations: Considerations for policymakers and organizations protecting sensitive information assets. (Doctoral dissertation). [Full text available in the Dissertations and Theses database.]
Current scholarly understanding of information security regulation in the United States is limited. Several competing mechanisms exist, many of which are untested in the courts and before state regulators, and new mechanisms are being proposed on a regular basis. Perhaps of even greater concern, the pace at which technology and threats change far outpaces the abilities of even the most sophisticated regulators.  My Ph.D. dissertation focuses on understanding these laws - how we can classify them, what effects they have, and what are the implications of these effects for organizations and professionals. I explore these concepts through a mixed methods approach, utilizing both qualitative semi-structured interviews and quantitative data on breach incidence. 

Enterprise Cybersecurity

Wright, A. (2011). Hacking cars. Communications of the ACM, 54(11), 18-19. doi:10.1145/2018396.2018403 [Full text available in the IEEE Computer Society Digital Library database.]
Researchers have discovered important security flaws in modern automobile systems. Will car thieves learn to pick locks with their laptops?

Norway's oil, gas and defense industries hit by major data theft. (2011, November 18). Infosecurity. Retrieved from http://www.infosecurity-magazine.com/view/22125/norways-oil-gas-and-defense-industries-hit-by-major-data-theft/
The Norwegian National Security Authority, the NSN, said in a press statement late yesterday that a number of industrial secrets had been stolen and sent out digitally from Norway, but no further information on the data thefts has been revealed. The Associated Press, meanwhile, quotes the NSN agency as saying that more than 10 different cyber attacks were discovered in the last year, but that the agency feels that the number may have been much higher because other victims might not have yet realised that their computers have been targeted. The case, notes the newswire, may be significant as Norway's oil and gas industry is ranked the third largest in the world, where 2.8 million barrels are produced every day.

Global Cybersecurity
& broadly applicable items

Felt, A. P., Finifter, M., Chin, E., Hanna, S., & Wagner, D. (2011, October). A survey of mobile malware in the wild. Paper presented at the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, Chicago, IL. [Full text available in the IEEE Computer Society Digital Library database.]
Mobile malware is rapidly becoming a serious threat. In this paper, we survey the current state of mobile malware in the wild. We analyze the incentives behind 46 pieces of iOS, Android, and Symbian malware that spread in the wild from 2009 to 2011. We also use this data set to evaluate the effectiveness of techniques for preventing and identifying mobile malware. After observing that 4 pieces of malware use root exploits to mount sophisticated attacks on Android phones, we also examine the incentives that cause non-malicious smartphone tinkerers to publish root exploits and survey the availability of root exploits.

Hoffman, L. J., Burley, D., & Toregas, C. (2011, November 1). Thinking across stovepipes: Using a holistic development strategy to build the cybersecurity workforce. (Report GW-CSPRI-2011-8). Retrieved from http://www.cspri.seas.gwu.edu/Publications, Papers, and Research/Stovepipes GW CSPRI Report 2011 8.pdf
This article proposes a holistic approach to developing the cybersecurity workforce based on careful integration of workforce development strategies into a plan that involves educators, career professionals, employers, and policymakers. First, it motivates this by describing how other fields such as medicine have successfully done this and arguing that cyber security is, like medicine, inherently cross-disciplinary at multiple levels of expertise and performance, making it similar in complexity to the medical profession and thus a good candidate for some of the solutions developed there. The article then focuses on one element of a holistic strategy – education – and discusses the findings of a recent workshop on cybersecurity education. It then places those findings in the context of the broader discussion and suggests some practical steps. They encourage computer science educators, human resources professionals, and the functional experts from disciplines that will attract computer science graduates to think beyond their “stovepiped” fields and collaborate so that holistic, integrated solutions can be developed, accepted, and implemented.

Horwath, J. (2011, November 11). iPad security settings and risk review for iOS 4.X. Retrieved from http://www.sans.org/reading_room/whitepapers/apple/ipad-security-settings-risk-review-ios-4x_33826
Many corporations are starting to investigate the use of mobile computing devices by staff and field agents. The introduction of consumer devices such as the iPad into the business world brings a new set of risks and concerns to a corporation. The settings defined in this document try to balance a corporation’s regulatory and customer obligations to reduce risk while still allowing the user population an enjoyable user experience. The paper will investigate this problem from a deployment in an effort to give sales and marketing a business edge.

Thursday, November 10, 2011

National Cybersecurity

Baldor, L. C. (2011, November 7). Cyber weaknesses should deter US from waging war. Associated Press. Retrieved from goo.gl/uvudv
America's critical computer networks are so vulnerable to attack that it should deter U.S. leaders from going to war with other nations, a former top U.S. cybersecurity official said Monday.  Richard Clarke, a top adviser to three presidents, joined a number of U.S. military and civilian experts in offering a dire assessment of America's cybersecurity at a conference, saying the country simply can't protect its critical networks.

Donovan, F. (2011, November 9). Obstacles facing the US cybersecurity initiatives. Infosecurity Magazine. Retrieved from http://www.infosecurity-magazine.com/view/21850/obstacles-facing-the-us-cybersecurity-initiatves-/ [Requires free registration.]
Although the US government is paying more attention than ever to the issue of cybersecurity, the recent battles in Washington over budgets and austerity measures mean that funding could potentially dry up in an instant. Fred Donovan surveys the experts to get their take on where the nation’s cybersecurity program is heading.

Hoover, J. N. (2011, November 7). DARPA boosts cybersecurity research spending 50%. InformationWeek. Retrieved from http://www.informationweek.com/news/government/security/231902495
The Defense Advanced Projects Research Agency, birthplace of the Internet, plans to increase its spending on cyber research 50% over the next five years, and will increasingly focus on offensive cyber capabilities as well as defensive capabilities, agency director Regina Dugan said Monday. "Modern warfare will demand the effective use of cyber, kinetic, and combined cyber and kinetic means," Dugan said, speaking before the DARPA Cyber Colloquium, a gathering of cyber professionals. "We need more options, we need more speed, and we need more scale. We must both protect its peaceful shared use as well as prepare for hostile cyber acts that threaten our military capabilities." DARPA sought $208 million in cyber spending in fiscal 2012, up from $120 million the year before, and that's just the start of the jump in spending.

Rockwell, M. (2011, November 9). Interagency group defines common cybersecurity language and skills. Government Security News. Retrieved from http://www.gsnmagazine.com/node/24942?c=cyber_security [Related documents from the National Initiative for Cybersecurity Education.]
An interagency cyber security group has published a document aimed at defining common terms, requirements and skill sets for those charged with guarding against cyber attacks. The National Initiative on Cybersecurity Education (NICE) published a draft document that classifies typical duties and skill requirements of cyber security workers and has posted it for public review. The document is meant to define professional requirements in cyber security, much as other professions, such as medicine and law, have done, said the group in a Nov. 8 statement.

Sternstein, A. (2011, November 3). Briefing: Corporate intelligence. Government Executive. Retrieved from http://www.govexec.com/story_page.cfm?articleID=49189
Businesses operating critical infrastructure, such as the energy and banking sectors, want to join a new government program that would give them access to classified intelligence on cyber threats. The program, which is currently restricted to certain defense contractors, is aimed at strengthening commercial networks serving the military.  The thinking at the Pentagon is that power companies and other businesses vital to troops should be privy to malware surveillance collected by the National Security Agency, the military's spy branch. The Defense Department does not have the authority to guard civilian systems. That responsibility falls to the Homeland Security Department, which would be a key player in any such initiative.

Zhang, Z. (2011). NERC's cyber security standards: Fulfilling its reliability day job and moonlighting as a cyber security model. Environmental Practice, 13(3), 250-264 [in press]. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1622012
This article gives an overview of the eight mandatory cyber security standards by the North American Electric Reliability Corporation. As an example of how standards are evolving, it discusses CIP-002 – Critical Cyber Asset Identification – in depth because it establishes whether the remaining seven standards apply. This article then compares the North American Electric Reliability Corporation regulatory regime against critical information infrastructure goals. The comparison finds that, at least on a basic level, the electric industry’s mandatory cyber security standards meet the critical information infrastructure goals and work to secure information networks, resources, and systems from cyber and physical threats. The mandatory cyber security standards promote an increase in technological products, better security management, personnel and public education and trust in the industry. Even though the electric industry’s mandatory standards are imperfect, the fact that they satisfy the goals of the cross-sector critical information infrastructure indicates that the framework is sound. The electric industry’s experience with mandatory cyber security standards is a valuable source of information and the regulatory regime itself can be a helpful model for other industries looking to develop their own security protection systems.

Enterprise Cybersecurity

Schwartz, M. J. (2011, November 8). Apple excommunicates iOS cracker. Information Week. Retrieved from http://www.informationweek.com/news/security/mobile/231902576
Apple has given security researcher Charlie Miller the boot from its iOS developer program after he publicly demonstrated a proof-of-concept attack that would enable an app creator to execute arbitrary code on any iPhone, iPad, or iPod Touch running iOS version 4.3 or later. Miller has been suspended from the developer program--which allows people to develop, test, and distribute iOS applications--for one year. "First they give researcher's (sic) access to developer programs, (although I paid for mine) then they kick them out.. for doing research. Me angry," said Miller in a tweet posted Tuesday. In a letter, Apple told Miller that it was kicking him out of the program for breaking its terms of service.

Global Cybersecurity

Estonia takes down massive cybercriminal net. (2011, November 10). Infosecurity Magazine. Retrieved from http://www.infosecurity-magazine.com/view/21937/estonia-takes-down-massive-cybercriminal-net/
Reports are coming in that officials in Estonia – arguably one of the most internet-savvy governments in the world – have taken down a massive DNS-changing cybercrime operation involving a click-fraud program that infected more than four million computers in over 100 countries. Security researcher Brian Krebs has observed that the police action – against the gang that raked in at least $14 million – is possibly the “biggest cybercriminal takedown in history.”

Ioannidis, C., Pym, D., & Williams, J. (2011). Information security trade-offs and optimal patching policies. European Journal of Operational Research, 216(2), 434-444. doi:10.1016/j.ejor.2011.05.050 [Full text available in the ScienceDirect database.]
We develop and simulate a basic mathematical model of the costly deployment of software patches in the presence of trade-offs between confidentiality and availability. The model incorporates representations of the key aspects of the system architecture, the managers’ preferences, and the stochastic nature of the threat environment. Using the model, we compute the optimal frequencies for regular and irregular patching, for both networks and clients, for two example types of organization, military and financial. Such examples are characterized by their constellations of parameters. Military organizations, being relatively less cost-sensitive, tend to apply network patches upon their arrival. The relatively high cost of applying irregular client patches leads both types of organization to avoid deployment upon arrival.

Melzer, N. (2011, November). Cyberwarfare and international law. Retrieved from http://www.unidir.org/pdf/ouvrages/pdf-1-92-9045-011-L-en.pdf
It is the purpose of this paper to provide an overview: (a) of the potential restraints imposed on cyberwarfare by existing international law, (b) of the most important difficulties and controversies raised in the interpretation and application of international law to cyberwarfare, and (c) of the potential humanitarian impacts of cyberwarfare. In view of the constraints in terms of time and space, the envisaged overview cannot be exhaustive but will have to remain selective, focusing on providing a general understanding of the issues most relevant to contemporary state practice. Moreover, in view of the technical and legal complexity of the matter and the still rudimentary state of legal research, the ambition of this paper must remain limited to identifying issues and putting them into context, but cannot be to authoritatively resolve them.

Smith, J. (2011, November 7). Unresolved questions dog international cybersecurity policies. National Journal. Retrieved from http://www.nextgov.com/nextgov/ng_20111107_6951.php [Related report from the U.S. Office of the National Counterintelligence Executive.]
Cyberspace presents international security threats, many that can only be adequately met through international cooperation. But experts say countries around the world are just beginning to work out the complicated questions surrounding international responses to cybersecurity.  In the United States, businesses and government agencies have reported a growing number of sophisticated cyberattacks. In a report to Congress released on Friday, U.S. intelligence agencies said hackers in China and Russia are stealing large amounts of U.S. technological and trade secrets.

Friday, November 4, 2011

Amitai, E. (2011). Cybersecurity in the private sector. Issues in Science and Technology, 28(1), 58-62. [Full text available in the Computer and Applied Sciences Complete database.]
The article looks at the issues related to cyber-security in the private sector in the U.S. It is mentioned that the current incentives for corporations to better secure their computer systems are not aligned in a way to promote voluntary actions, and that no major public funds have been made available. It is also noted that, after major security breaches in 2011, the U.S. Senate introduced several proposals to enhance cyber security, which include a new national data-breach reporting policy.

Goodin, D. (2011, October 27). Insulin pump hack delivers fatal dosage over the air. Retrieved from http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/
In a hack fitting of a James Bond movie, a security researcher has devised an attack that hijacks nearby insulin pumps, enabling him to surreptitiously deliver fatal doses to diabetic patients who rely on them. The attack on wireless insulin pumps made by medical devices giant Medtronic was demonstrated Tuesday at the Hacker Halted conference in Miami. It was delivered by McAfee's Barnaby Jack, the same researcher who last year showed how to take control of two widely used models of automatic teller machines so he could cause them to spit out a steady stream of dollar bills.

Guimares, M. A. M., Said, H., & Austin, R. (2012). Experience with video games for security. Journal of Computing Sciences in Colleges, 27(3), 95-104. [Full text available in the ACM Digital Library database.]
This paper describes the creation of video games to teach security. The first section explains why video games can be effective tools for improving security awareness. The next section provides an overview of existing video games related to security. The third section describes why three platforms for building videogames were selected. The last section describes the prototypes created and the results of classroom testing.

Kapner, S. (2011, October 31). Hackers press the 'schmooze' button. Wall Street Journal. Retrieved from http://on.wsj.com/uAOcbX
Chris Patten called a large investment-management firm to report that he was going through a divorce and was worried that his wife had set up an account under a false name.  And with that story—entirely plausible but in this case a lie—a customer-service representative turned over customer account numbers and other details with a readiness that makes banks and other companies cringe.  ... As banks and other large companies spend large amounts of money on building firewalls and using complex technology to fortify their systems, it is often their own employees who are letting identity thieves in the door.

Papanikolaou, A., Karakoidas, V., Vlachos, V., Venieris, A., Ilioudis, C., & Zouganelis, G. (2011). A hacker's perspective on cybersecurity. Paper presented at the 15th Panhellenic Conference on Informatics, Kastoria, Greece. [Full text available in the IEEE Computer Society Digital Library database.]
Information Systems Security experts should be able to confront new, unknown threats. Therefore, "out-of-the-box" thinking is a necessary skill which cannot be taught using traditional educational methodologies. In order to introduce our students to the mentality of modern adversaries and cyber criminals, we designed a course based on the well-established theoretical frameworks of Information Systems Security as well as the unconventional challenges which experienced hackers use for training newcomers. Moreover, we developed additional open source software tools which encourage collaboration between students and confront plagiarism or cheating attempts during the exams. Our course in a Higher Education Institute has been enriched with the use of the Hackademic tool, a virtual framework that allows students to perform hacking attacks and penetration testing in a deliberately vulnerable, but isolated, safe and controlled environment.