National Cybersecurity
Kravets, D. (2011, December 6). Senator demands telcos & HTC come clean on Carrier IQ. Wired. Retrieved from http://www.wired.com/threatlevel/2011/12/carrier-iq-franken/
Sen. Al Franken (D-Minnesota) wants handset manufacturers and mobile carriers to explain what user data is being vacuumed to Carrier IQ, whose software is secretly installed on about 150 million mobile phones in the United States. Franken is demanding that Sprint, HTC and AT&T cough up some answers, though the senator should also consider asking T-Mobile, because it uses Carrier IQ. Carrier IQ, which records [information] so that carriers can troubleshoot their networks, came under intense scrutiny the past week after a Connecticut-based Android developer posted a YouTube video showing the software has enormous access to usage information.
MIT Energy Initiative. (2011, December 5). The future of the electric grid: An interdisciplinary MIT study. Retrieved from http://web.mit.edu/mitei/research/studies/documents/electric-grid-2011/Electric_Grid_Full_Report.pdf [Chapter 9: Data Communications, Cybersecurity, and Information Privacy]
This report aims to provide a comprehensive, objective portrait of the U.S. electric grid and the challenges and opportunities it is likely to face over the next two decades. It also highlights a number of areas in which policy changes, focused research and demonstration, and the collection and sharing of important data can facilitate meeting the challenges and seizing the opportunities that the grid will face. [Related article from Information Week.]
Nakashima, E. (2011, December 8). Cyber-intruder sparks massive federal response — and debate over dealing with threats. Washington Post. Retrieved from http://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_story.html
The first sign of trouble was a mysterious signal emanating from deep within the U.S. military’s classified computer network. Like a human spy, a piece of covert software in the supposedly secure system was “beaconing” — trying to send coded messages back to its creator. An elite team working in a windowless room at the National Security Agency soon determined that a rogue program had infected a classified network, kept separate from the public Internet, that harbored some of the military’s most important secrets, including battle plans used by commanders in Afghanistan and Iraq.
United States. Department of Defense. (2011, November). Department of Defense cyberspace policy report. Retrieved from http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf
Report responding to questions posed in the 2010 Senate Report 111-201. [Related article from the Washington Post.]
Leavitt, N. (2011, December). Internet security under attack: The undermining of digital certificates. Computer, 44(12), 17-20. doi:10.1109/MC.2011.367 [Full text available in IEEE Computer Science Digital Library database.]
Several attacks this year against organizations issuing digital certificates are creating doubts about the system.
United States. Executive Office of the President. (2011, December). Trustworthy cyberspace: Strategic plan for the federal cybersecurity research and development program. Retrieved from http://www.whitehouse.gov/sites/default/files/microsites/ostp/fed_cybersecurity_rd_strategic_plan_2011.pdf
This report . . . was developed by the Networking and Information Technology Research and Development agencies and directly responds to the need for a new cybersecurity R&D strategy. As recommended in the Cyberspace Policy Review’s near-term action plan, Trustworthy Cyberspace replaces the piecemeal approaches of the past with a set of coordinated research priorities whose promise is to “change the game,” resulting in a trustworthy cyberspace. As called for in the policy review’s mid-term action plan, this plan identifies opportunities to engage the private sector in activities for transitioning promising R&D into practice. In addition, and consistent with the PCAST recommendations, it prioritizes the development of a “science of security” to derive first principles and the fundamental building blocks of security and trustworthiness. [Related article from Information Week.]
Enterprise Cybersecurity
Batteau, A. W. (2011). Creating a culture of enterprise cybersecurity. International Journal of Business Anthropology, 2(2), 36-47. Retrieved from http://na-businesspress.homestead.com/IJBA/BatteauAWWeb2_2_.pdf
In this article I describe the fundamental dimensions of a security culture, a concept that builds on the experience of “safety culture” in several high-hazard industries. After outlining the concept and subtleties of corporate culture, I apply these concepts to issues of security, focusing on issues of trust, identification and authentication in complex environments. These issues become more challenging in virtual environments, as familiar tokens of identity such as face-to-face recognition are absent, and where trust becomes a weakest-link problem. I conclude with a description of the challenges of “managing” the emergent phenomenon of culture, and how trust can be cultivated.
Global Cybersecurity & broadly applicable items
Cyber attack adds pressure on GNP leaders. (2011, December 6). Korea Herald. Retrieved from http://www.koreaherald.com/national/Detail.jsp?newsMLId=20111206000814
The ruling [Korean] Grand National Party’s decision-making body is once again being pressed to resign en masse, amid mounting criticism over a cyber attack on the national election watchdog by an aide to one of its lawmakers. Even members of the Supreme Council suggested that the party should rebuild itself from scratch if it is to stand a chance in the upcoming elections. Council member Rep. Won Hee-ryong and nine other lawmakers issued a statement Tuesday, demanding that the GNP disband itself and start as a new political party. [More from the Los Angeles Times.]
Cyberattacks try to silence Russian dissenters. (2011, December 6). Deutsche Welle. Retrieved from http://www.dw-world.de/dw/article/0,,15582220,00.html
Two days after parliamentary elections in Russia, incumbent Prime Minister Vladimir Putin's party, United Russia, has emerged with a narrow victory, but allegations of denial of service attacks have led to calls of foul play. Organizations critical of United Russia party say they came under sustained online attack during the parliamentary ballot over the weekend. In addition, prominent online critics have been arrested, including Alexei Navalny, a well-known anti-corruption blogger. He was taken into custody late Monday night, as he was leading an unauthorized rally. After appearing before a Moscow court on Tuesday, on charges of obstructing traffic, he will likely face up to 15 days in prison.
Cyber warfare market worth US$15.9 billion in 2012. (2011, December 7). defenceWeb. Retrieved from http://www.defenceweb.co.za/index.php?option=com_content&view=article&id=21910
Global spending on cyber warfare will reach US$15.9 billion next year, up from an estimated US$12.5 billion this year as governments respond to a range of cyber threats, a new report says. Visiongain’s Cyberwarfare Market 2012-2022 report says that governments around the world will continue to invest in a range of cyber warfare systems and solutions designed to offer protection against a wide range of cyber threats including protecting information and infrastructure from hostile states, as well as non-state actors both at home and abroad.
European Network and Information Security Agency. (2011, December 7). Proactive detection of network security incidents. Retrieved from http://www.enisa.europa.eu/act/cert/support/proactive-detection/proactive-detection-report/at_download/fullReport
This document is the final report of the "Proactive Detection of Network Security Incidents" study. The goal of the study was to investigate ways in which CERTs [Computer Emergency Response Teams] – national and governmental ones in particular – proactively detect incidents concerning their constituencies, identify good practice and recommended measures for new and already established CERTs, analyse problems they face and offer recommendations to relevant stakeholders on what can be done to further this process. It is important to note that the results of the study are largely community driven. That is, they are based not just on research and the experience of the experts who conducted the study, but to a large extent on the results of a survey carried out amongst 105 different CERTs (which resulted in 45 responses overall) and external expert group input. The outcome is thus a work by the community for the CERT community.
Grace, M., Zhou, Y., Wang, Z., & Jiang, X. (2012, February). Systematic detection of capability leaks in stock Android smartphones. Paper to be presented at the 19th Network and Distributed System Security Symposium, San Diego, CA. Retrieved from http://www.csc.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf
Recent years have witnessed a meteoric increase in the adoption of smartphones. To manage information and features on such phones, Android provides a permission-based security model that requires each application to explicitly request permissions before it can be installed to run. In this paper, we analyze eight popular Android smartphones and discover that the stock phone images do not properly enforce the permission model. Several privileged permissions are unsafely exposed to other applications which do not need to request them for the actual use. To identify these leaked permissions or capabilities, we have developed a tool called Woodpecker. Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission. [Related article from Ars Technica.]
Graham, A. (2011, December 6). Canada's critical infrastructure: When is safe safe enough? (National Security for Canada Series 2). Retrieved from http://www.macdonaldlaurier.ca/files/pdf/Canadas-Critical-Infrastructure-When-is-safe-enough-safe-enough-December-2011.pdf
In a new study published by the Macdonald-Laurier Institute . . . author Andrew Graham stresses the need for a cohesive plan to protect Canada’s vulnerable infrastructure before it is too late. Included in the list of such CI are vital systems most Canadians never think about: energy generation and distribution, financial institutions, our food supply system, information and communications technology and health care institutions. CI vulnerability, in other words, extends to every aspect of Canadians’ lives. What are the serious threats to Canada’s CI? The author identifies a number, including natural disasters, terrorism, theft, hackers and vandals and simple neglect and underinvestment by infrastructure owners. Increasing integration of information technology into all forms of infrastructure means that cyber threats, including cyber attacks by foreign governments and others, are adding a whole new layer of vulnerability. Professor Graham assesses current efforts to address those threats and suggests themes for moving forward and building on the work already done in government and the private sector.
Keizer, G. (2011, December 7). Symantec confirms Flash exploits targeted defense companies. Computerworld. Retrieved from http://www.computerworld.com/s/article/9222496/Symantec_confirms_Flash_exploits_targeted_defense_companies
Security researchers at Symantec today confirmed that exploits of an unpatched Adobe Reader vulnerability targeted defense contractors, among other businesses. "We've seen [this targeting] people at telecommunications, manufacturing, computer hardware and chemical companies, as well as those in the defense sector," said Joshua Talbot, senior security manager in Symantec's security response group, in an interview Wednesday.
Lockheed, other defense firms targeted by hackers. (2011, December 8). Reuters. Retrieved from http://www.reuters.com/article/2011/12/08/lockheed-cyber-idUSN1E7B707920111208
Lockheed Martin Corp. and other U.S. defense firms were targeted by hackers using a previously unknown vulnerability in Adobe Reader, the latest in a series of increasingly persistent attacks against U.S. weapons makers, security experts said on Wednesday. Lockheed, the Pentagon's biggest supplier, said it detected the attempted attack through normal monitoring activities and immediately notified Adobe, but its information systems were never breached. [Related article from Computerworld, more from Ars Technica.]
Serious security flaws identified in cloud systems. (2011, December). Computer, 44(12), 21. doi:10.1109/MC.2011.379 [Full text available in IEEE Computer Science Digital Library database.]
German researchers report finding serious problems with two cloud systems and say these flaws probably exist in other cloud architectures. The Ruhr University Bochum team said the vulnerabilities could let attackers gain administrative rights to host systems. The investigators found flaws with Amazon Web Services (AWS) and informed Amazon, which has since patched the problems. They also discovered vulnerabilities with the open source Eucalyptus private-cloud software framework.
Storm, D. (2011, December 7). Mobile security at TakeDownCon: Hackers handing out a healthy dose of paranoia. Computerworld. Retrieved from http://blogs.computerworld.com/19391/mobile_security_at_takedowncon_hackers_handing_out_a_healthy_dose_of_paranoia
Smartphones are mini-computers packed with financial and personal [information] . . . to ignore the need for mobile security is a bit like choosing to run a computer without any regard to security precautions. Not wise at all. Even without any malicious intent by app developers, many are not concerned about security; their apps may ask for overreaching access permissions. Mobile and wireless security news is pouring out of TakeDownCon in Las Vegas. [Related article from Ars Technica.]
Tarzey, B., Nicholds, D., & Gold, S. (2011, December 6). Defending mobile devices against the rising avalanche of security threats [recorded Webinar]. Retrieved from http://www.infosecurity-magazine.com/webinar/278/defending-mobile-devices-against-the-rising-avalanche-of-security-threats/
Welcome to the world of mobile device security – but where do you start? This 60-minute webinar will help – our team of experts will guide you through the jungle that is mobile security, allowing you to better understand the risks involved with using mobile devices in a business environment. Armed with this information, you can plan your defense strategies, adapting and re-tasking your existing security defenses – and augmenting them with leading-edge security policies. [NOTE: The next Infosecurity webinar, "Understanding the Need for Consolidated Security in the Modern Business" will be held on 12/13/11. Registration is free.]
Wagner, R., Nicolett, M., Orans, L., Pescatore, J., Kavanagh, K. M., Firstbrook, P. . . . Feiman, J. (2011, November 29). Gartner predicts 2012: Sophisticated attacks, complex IT environments and increased risks demand new approaches to infrastructure protection (G00223301). [Full text available in the Gartner database.]
Sophisticated new threats – especially targeted attacks – the financial and reputational damage from attacks, and the growing "consumerization" of IT are among the factors increasing the complexity, difficulty and criticality of protecting enterprise IT infrastructure.
Zetter, K. (2011, December 7). Eight out of ten software apps fail security test. Wired. Retrieved from http://www.wired.com/threatlevel/2011/12/veracode-report/
Desktop and web applications remain a wasteland of bugs and holes that only a hacker could love, according to a report released Wednesday by a company that conducts independent security audits of code. In fact, eight out of ten software applications fail to meet a security assessment, according to a State of Software Security report by Veracode. That’s based on automated analysis of 9,910 applications submitted to Veracode’s online security testing platform in the last 18 months. The applications are submitted by both developers – in the government and commercial sectors – as well as companies and government agencies wanting an assessment of software they plan to purchase. [Full report available with free registration.]