Tuesday, May 31, 2011

Hacking is an ACT of WAR: The Pentagon


If the attack is a threat to national security, or the attack is directed at the military, then it should be considered an act of war. But to whom do you send the missile? To wherever the IP address is located?

And if every country that gets hacked takes this stance, can you picture what the world situation is going to be?

The Pentagon is sending a warning to nations who are considering engaging the U.S. in cyber-warfare and has concluded that attacks coming from another country can constitute an “act of war,” which gives the U.S. the right to respond using traditional military force, according to a report from The Wall Street Journal.
Similar to how international treaties guided traditional wars, the Pentagon is now laying out its first formal cyber strategy to be discussed with its allies, which represents an early attempt to adjust to a changing world where even hackers could pose a significant threat to the U.S.
“If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” said a military official.
The Pentagon, which believes that most sophisticated computer attacks are supported by a country’s government, is proposing the notion of “equivalence” wherein:
“If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a “use of force” consideration, which could merit retaliation.”

The proposal, however, is sure to spark debate over a range of sensitive issues the Pentagon has left unresolved, including the certainty of an attack’s origin, and the kinds of cyber attack that would constitute the use of force.

The Journal says that many military planners believe the trigger for retaliation should be the amount of damage—actual or attempted—caused by the attack.

These reports come shortly after the U.S. government outlined a new strategy for cyberspace, which included references to security.
Editor's Note: Cross post from: TNW

Monday, May 30, 2011

Eyes on the Big Boys now! PBS News Site Hacked!

Epsilon, Sony, Lockheed, PBS News, who is next?
The latest hack on the PBS News site is the best hack ever.


Tupac Shakur is alive!


Not.



Check off the main news website for the Public Broadcasting System, PBS NewsHour, as the latest victim of a hacking attempt that has interrupted the site’s main activity. Hackers from “LulzSec” were able to break into the site and posted a fake story that said rapper Tupac Shakur was still alive.

This is (now) the third high-profile cyber attack in a little more than a month on important computer networks that increasingly seem vulnerable to cyber attacks. A cyber attack on Sony’s PlayStation Network (PSN) led to hackers stealing sensitive information from potentially more than 100 million PSN and Station.com users. Hackers were able to break into Sony’s network on April 19, forcing the company to bring it down and beef up security.

Defense contractor Lockheed Martin was also hit by a cyber attack last week, but the company said it successfully fended off the “tenacious and significant attack” and said no information was compromised. While sensitive information about 100 million consumers was at risk during the PSN attack, sensitive information about defense contracts and advanced technology could have been at risk during the attack on Lockheed Martin’s private network.

Hacker group “LulzSec” has apparently claimed responsibility for the attack, according to its Twitter feed. But it was quick to remind the general public that it was not a part of hacktivist group Anonymous — which regularly takes up political causes and sometimes commits hacks like this for amusement. Those within Anonymous — an amorphous and loosely associated group of hackers that are regulars on message boards like 4chan — typically use the term “lulz” to describe the amusement they get out of hacks like these.

“We aren’t Anonymous you unresolved cow-shart,” the group posted in its main Twitter feed.

And, for a little while according to PBS NewsHour, Tupac was alive and well in New Zealand 15 years after he was reportedly killed. The news publication furiously denied the story was true with its Twitter account and has been tirelessly communicating with its audience to tell everyone that the story is fake. As a reminder, Tupac Shakur died from his wounds suffered in a drive-by shooting in 1996. The rapper was known for his lyrics that glamorized the life of a “player.”

A full transcript of LulzSec’s admission to the hack is pasted below, which makes reference to a PBS story called “WikiSecrets: The inside story of Bradley Manning, Julian Assange and the largest intelligence breach in U.S. history”.

“Greetings, Internets. We just finished watching WikiSecrets and were less than impressed. We decided to sail our Lulz Boat over to the PBS servers for further… perusing. As you should know by now, not even that fancy-ass fortress from the third… Pirates of the Caribbean movie (first one was better!) can withhold our barrage of chaos and lulz. Anyway, unnecessary sequels aside… wait, actually: second and third Matrix movies sucked too! Anyway, say hello to the insides of the PBS servers, folks. They best watch where they’re sailing next time.”

Editor's Note: Cross post from www.venturebeat.com

STOP! - LOOK! - OBSERVE! Bad People Around

Sometimes we get so technical that once we have protected ourselves from external threats we already feel confident and safe, and we become too trusting of the people within our organization. Well, stop, look around and observe vigilantly.

Just recall the most recent $10M incident at Bank of America, where an insider sold customer data to outsiders. Yeah, an insider did it!


A survey showed that 40% of IT staff admit that they could hold their employers hostage - even after they’ve left for other employment - by making it difficult or impossible for their bosses to access vital data by withholding or hiding encryption keys.

A third of the Venafi survey respondents said that their knowledge of and access to encryption keys and certificates, used for both system authentication and data protection, means they could bring the company to a grinding halt with minimal effort and little to stop them. This is due to lack of oversight and poor management of their organisation’s encryption keys.

They claim that even after they have left they still could cause havoc with their knowledge of the encryption keys, shared passwords and weak controls. 40% of respondents admitted that they would still have access to vital information and could manipulate it to their own ends—both to their company's financial and reputational detriment.

31% of respondents astonishingly said that they could still access organisational data because they could easily retain the encryption keys when they left and access the information remotely.

Finally, 24% of respondents to the survey admitted that their fear of losing encryption keys is what is deterring them from investing in encryption key and certificate solutions to protect digital assets and secure sensitive system communications.

The survey shows that 82% of companies now use digital certificates and encryption keys, however, 43% admit to being locked out from their own information - because people have left the organization or keys are lost - and 76% would use automation if they knew it existed.

These same companies are unaware of how to manage their keys and certificates, leaving them exposed to unplanned system outages, security risks and reduced access to critical data. 

Jeff Hudson, Venafi CEO, said: “It’s a shame that so many people have been sold encryption but not the means or knowledge to manage it. They have found out the hard way—after being locked out from their own information—that they need an automated solution to manage the thousands of keys and certificates they have. Once the data's protected with encryption, the key becomes the data and the thing that must be managed and protected. Key Encryption is only half the solution. IT departments must track where the keys are and monitor and manage who has access to them. What this survey reveals is that organisations need to quickly come to terms with how crucial encryption keys are to safeguarding the entire enterprise as well as the heightened need for automated key and certificate management with access controls, separation of duties and improved policies. It’s no longer rocket science. Yet recent, costly breaches at Sony, Epsilon and elsewhere reinforce the need for both more encryption and effective management. There are some great solutions on the market that can manage and automate these assets at a click of a switch.”

Get the complete survey information from here.


Editor's Note: Cross post from Help Net Security.

Online Safety in the office: YES, But how about the CHILDREN at HOME?

The Internet didn’t arrive for most of today’s parents until after they had passed adolescence. Online behavior was something they were able to approach with the disposition of an adult (even if some chose not to).

Their children, however, were born into a very different situation. It’s not uncommon to see an iPad next to the crib, and 7.5 million children younger than 13 have Facebook profiles.
If parents don’t teach online safety, their children might not recognize imprudent online actions or realize their consequences.
“Younger kids certainly don’t know that what they post is out there for everyone,” explains Jeff Godlis, the director of communications for Internet literacy education publisher i-Safe. “As you get older, the kids keep pushing the barriers… Parents need to be parents, and they have to be involved.”

1. Understand Internet Safety Before You Explain It

Many adults aren’t savvy Internet users themselves. A 2010 study, for instance, found that only 51% of participants recognized that ad companies frequently determine what ads to show based on the history of prior websites that they visited.
“Kids are learning about all of the facets of social media online. It’s happening much earlier,” explains Hilary DeCesare, the CEO of tween social network Everloop. “It’s parents that aren’t keeping up…The real dilemma is, how do you teach kids about something that you’re uncomfortable with?”
For instance, DeCesare says, many parents list their first and last names on social networking sites, and may not realize that their children shouldn’t do the same.
Fortunately, it’s easy to brush up on Internet safety guidelines. The American Academy of Pediatrics, the Federal Bureau of Investigation and the Federal Trade Commission are just a few organizations that provide robust resources.

2. Teach, Don’t Rule

“We have always been on the education side,” Godlis says. “Teach someone and they’ll learn it and they’ll understand it. They are empowered to do the right thing.”
The right message, DeCesare says, is “I care.” Not, “if you do X, I’ll ban the Internet.” When it comes to keeping your children safe on the web, the goal is to ingrain positive behaviors rather than just enforcing strict rules. Threatening children with revoked Internet privileges might even create a dangerous environment.
“Kids aren’t comfortable telling adults (about problems they encounter online like cyberbullying) because they think they’re going to get in trouble, or worse, they’re worried that they will pull their privileges of being able to use the Internet,” she says.

3. Consider Age-Appropriate Social Networks

Legally speaking, children younger than 13 shouldn’t be on Facebook, MySpace or Twitter. The Children’s Online Privacy Protection Act prevents websites from collecting information from children without their parents’ permission. Many children bypass this law, even on sites that enforce it, by simply adjusting their birthday. But DeCesare says that parents should still be wary of social sites designed for adults.
“Facebook was never intended for kids younger than 13,” she says. “Kids click on things. Which can be a problem, not just with friending people, but also the malware they pick up online.”
In a recent study by the Kaiser Family Foundation, 75% of 7th through 12th graders surveyed said they had a profile on a social media site. Parents would have a hard time barring social media sites entirely, but they can easily introduce age-appropriate social networks to their children instead of the grown-up standards.
Most of these networks restrict content and provide a parental oversight component, either by alerting parents when something seems fishy or asking them to approve certain actions, like new friends.

4. Monitor With Care

No matter your price range or parenting philosophy, there’s an appropriate software option for monitoring your children’s online safety.
But Godlis cautions parents against the notion that using such a service alone is sufficient.
“I think that filters and monitors give parents a false sense of security — as long as the filters are on, I don’t have to worry,” he says. “They certainly can over-rely on it. Kids are pretty smart and they get around everything. They know how to use proxy servers and they know how to do things that parents don’t.”
Editor's Note: This is a cross post from http://goo.gl/LMIXR by Sarah Kessler

Wednesday, May 25, 2011

Social Engineering gains ever more credibility.

ignosecond – ig no sec ond – \‘ig nə se kənd – The time between the moment one does something inherently stupid and the moment one realizes that it is too late to stop the results of that action. Examples include pushing a locked car door closed and realizing that the keys are in the ignition or opening an attachment or clicking on a link in an email message from supposedly a business associate or friend and recognizing the telltale signs of a phishing scam.
It is turning out that the latest breaches were the result of an ‘ignosecond’ by one or more employees that in turn made a security breach possible. All it took was an email message to personnel that included a piece of malware hidden in a file attachment that exploited a vulnerability, which then allowed the installation of a backdoor and, voilà, another compromise.

This should be a wakeup call to all security professionals. It does not matter how sophisticated your security technology is; it only takes one person to cancel all that out. This is why the PCI DSS dedicates the requirements in 12.6 to security awareness. The requirements in 12.6 state: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
  • Educate personnel upon hire and at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
  • Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
The problem is that a lot of security professionals give only lip service to security awareness training. Let us face it; security awareness training is not as sexy as security technologies like SIEM and WIPS. And besides, our users are, well, users. Even if you train them, they still make mistakes, so why bother with security awareness training? However, at the end of the day, everything in an organization’s security posture comes down to the people that interact with the information you are trying to protect. As I stated earlier, it only takes one person having a bad day or a “bad apple” to make all of an organization’s security technology and other controls impotent.
This is why security awareness is such an important part of an organization’s security posture. Whether you like it or not, there are human beings in the equation and human beings are fallible. The only way to address this situation is to educate your fellow employees on how to make things secure and avoid being taken in. But remember, human beings are fallible, so no matter how hard you press security awareness in your organization, you are still going to have incidents. Therefore, the goal of security awareness training is to minimize the number and impact of those “ignoseconds.”
But we need to be honest about all of this. Human beings are fallible and we all have our “moments.” As a result, even with a lot of appropriate security awareness training and periodic reminders, one or more personnel can have a “moment” and create the possibility of a breach. Even with defense in depth, all it takes is one well crafted attack, a fallible human and your security is breached. As I have repeatedly stated, security is not and never will be perfect. And this is particularly true when human beings are involved.
My favorite story about such a situation is from years ago when I was conducting a social engineering attack against a subsidiary of a Fortune 500 company. We had crafted a very real looking email message from a known Human Resources consulting firm indicating that they were conducting a survey of the subsidiary’s employees on behalf of the corporate parent. We instructed recipients to log into a phony Web site and take the survey. All they had to do was use their network logon credentials to gain access to the survey. We only got two hits before the parent company’s HR department sent out an urgent email message telling employees that our message was bogus. One of the two people caught was the CFO of the subsidiary that had hired us. His comment when confronted with the fact of his “moment?” “I suppose I shouldn’t have done that.” What an understatement!
But this story points out the problem all security professionals face and this is one problem that technology is not going to solve. In the end, people are always going to make mistakes and all we can do is minimize the impact of those mistakes. Minimizing the impact means real security awareness training coupled with social engineering testing to assess how the security awareness training is working. In addition, you need to structure your preventative, detective and corrective controls such that you address any points in your controls where one “moment” results in a compromise. In some cases, you may need to restrict peoples’ access to certain resources or divide up responsibilities.
Most security professionals loathe social engineering tests and rightly so. As someone famously said a while back, “When on a witch hunt, you are always going to find at least one witch.” As I have already stated, everyone has their moments and as social engineers such as Kevin Mitnick have shown, there are always ways to social engineer your way into any organization. Not that organizations have done themselves any favors in this area. For the last quarter of a century, most organizations have been focused on customer service improvements. A by-product of this customer service improvement focus has been to train employees to be customer friendly to a fault. It is those faults that are now being used against them by social engineers. While good customer service is necessary, customer service training needs to be coupled with a healthy dose of skepticism to ensure that information is not provided without proper authorization.
The best example of customer service gone awry is from the 2010 DEF CON “How Strong Is Your Schmooze” contest. This contest was a social engineering exercise against large companies that resulted in some very embarrassing results. Contestants had two weeks to prepare for their social engineering exercise by conducting research on their target. Of the 15 organizations contacted and 25 available “flags” that could be obtained, 14 gave up one or more “flags.” To add insult to injury, the social engineers had only 25 minutes to perform their telephone calls in front of a live audience. If you have read the report you may have issues with the 25 “flags” that were used (God knows the FBI was very concerned and advised the DEF CON people on what they considered okay information to obtain), but you must remember that if this sort of information was obtainable, then probably just about anything could be obtained.
The lesson to be learned in all of this is that if you are not worrying about social engineering and conducting security awareness training, then you are kidding yourself if you think your organization is truly secure. Yes, there is little you can do to stop human beings from having “ignoseconds.” But you can take steps to minimize the impact and one of the most important is to get serious about your security awareness training and to follow that training up with social engineering testing. Just acting on those two items can make a significant difference in the impact of a social engineering attack.
Let's always keep in mind that information security is a human enterprise. Keeping the people in your organization out of the work of protecting your information is just as good as making them the weakest link in your information security infrastructure.
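The post above describes the lures that cause an “ignosecond”: a malware attachment, and a “survey” that asks staff to log in with their network credentials at a phony site. Awareness training works better when people can name the telltale signs, so the following is an added example, not code from the PCI Guru, of a small checker that an awareness program could run over e-mails staff report as suspicious and hand back the list of signs it found. The three messages are constructed to resemble the lures described (a credential-harvesting survey and a double-extension attachment) plus one harmless notice; the domains and addresses are documentation placeholders, and the two-indicator threshold is an assumption.

```python
"""Flag the telltale signs of phishing in a reported e-mail (added example, not the post's code).

The sample messages are constructed; addresses and domains are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "action required", "account suspended")
CREDENTIAL_WORDS = ("password", "log in", "login", "network credentials", "verify your account")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".zip")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed lure: the "survey" that asks for network credentials; the link text shows
# the company's own host while the real target is a bare IP address.
SAMPLE_SURVEY_LURE = """\
From: "HR Consulting" <survey@hr-survey.attacker.example>
To: staff@subsidiary.example
Subject: URGENT: employee survey - respond within 24 hours
Content-Type: text/html; charset=utf-8

<p>Please log in with your network username and password to complete the survey:</p>
<a href="http://198.51.100.23/survey/">https://hr.subsidiary.example/survey</a>
"""

# Constructed lure: spoofed internal sender, replies routed elsewhere, double-extension attachment.
SAMPLE_ATTACHMENT_LURE = """\
From: "Payroll" <payroll@subsidiary.example>
Reply-To: payroll@mail-relay.attacker.example
To: staff@subsidiary.example
Subject: Action required: updated pay stub attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your pay stub is attached. Open it and log in to confirm your details.
--b1
Content-Type: application/octet-stream; name="paystub.pdf.exe"
Content-Disposition: attachment; filename="paystub.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed harmless notice for comparison.
SAMPLE_NOTICE = """\
From: "IT Service Desk" <servicedesk@subsidiary.example>
To: staff@subsidiary.example
Subject: Planned maintenance on Saturday
Content-Type: text/plain; charset=utf-8

The file server will be offline Saturday 02:00-04:00 for patching. No action is needed.
"""


def _domain(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def phishing_indicators(raw_message):
    """Return the indicators found, in the order checked; an empty list means nothing looked wrong."""
    msg = message_from_string(raw_message)
    hits = []
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != _domain(msg.get("From")):
        hits.append("reply-to domain differs from sender domain")
    if any(word in (msg.get("Subject") or "").lower() for word in URGENCY_WORDS):
        hits.append("urgency language in subject")
    text = _body_text(msg)
    if any(word in text.lower() for word in CREDENTIAL_WORDS):
        hits.append("body asks for credentials")
    for href, label in ANCHOR_RE.findall(text):
        target_host = (urlparse(href).hostname or "").lower()
        if IPV4_RE.match(target_host):
            hits.append("link target is a bare IP address")
        label_host = (urlparse(label.strip()).hostname or "").lower()
        if label_host and label_host != target_host:
            hits.append("link text shows a different host than its target")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            hits.append(f"risky attachment type: {name}")
    return hits


def is_suspicious(raw_message, min_indicators=2):
    """Two independent indicators is the threshold assumed here."""
    return len(phishing_indicators(raw_message)) >= min_indicators


if __name__ == "__main__":
    for name, sample in (("survey", SAMPLE_SURVEY_LURE), ("attachment", SAMPLE_ATTACHMENT_LURE), ("notice", SAMPLE_NOTICE)):
        print(name, "->", phishing_indicators(sample) or ["no indicators"])
```

Each indicator is weak on its own (plenty of legitimate mail says “urgent”), which is why the verdict needs two of them; the value for an awareness program is less the verdict than the named list, which is exactly what a trained employee should be able to produce by eye.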

Editor's Note: This is a cross-post from PCI Guru.

Friday, May 20, 2011

Information Security is a Human Enterprise

Editor's Note: This is a cross post from the article of Robb Reck at InfoReck

Security is viewed as a non-negotiable requirement of being ‘in business'. [Allen, Julia. “Governing for Enterprise Security: An Introduction.” June, 2005. ]

Every time I give a lecture, seminar, workshop or training session on security I always emphasize the point that information security implementation is a human enterprise. No organization will succeed in implementing information security without reaching the end-point: the users.

In my observation, the problem with not involving every employee in the implementation of information security is that, if you allow your IT people to implement it entirely, almost everything becomes a technical wish list at the end of the day!

Here's a good article written by Robb Reck, Every Employee, a Security Partner. And I totally subscribe to this.

The information security department is responsible for writing policies, creating awareness training, tracking compliance, and generally leading the data security program at an organization. But when it comes down to it, we are not the ones who do most of the practicing. The ground-level implementation of security in the organization simply cannot be the work of a few information security employees; it needs to be performed by every employee in their day to day tasks.

The information security team is responsible for the creation of the policies and standards. This is the framework that a security program is built on. By using a well-tested framework we can ensure that our organization’s security needs are adequately documented. The policies are critical, but they are only the framework. To flesh out the program we need the actual implementation, and that’s where the rest of the staff comes in.

Another essential role of information security is in properly distributing the policies. Having a perfect set of policies and standards is one thing, but if it’s never put into the hands of those who do the work, it is of very limited value. Security awareness training must be more than just a checkbox we check to get through an audit. Awareness of corporate policies and standards should be provided through formal training, but also guerrilla marketing, regular staff meetings, reminder emails, and performance reviews.

Once the policies are in the hands of our entire staff, it is up to them to successfully implement data security. Whether the policy is password complexity rules, sensitive data handling, or secure coding standards, we depend completely on our employees to implement it. We cannot overlook any employee group; even the least likely-seeming employee will have access to our organization, and could be used as a jumping off point for an attack. A thorough and consistent security message, delivered to every area of the organization, is required.

In order to ensure that each employee hears the appropriate message, we need to customize their training to their daily experiences. There are some areas that every employee should be taught (secure password rules, avoiding tailgaters, how to spot an intruder); there are many others that are essential in some departments but unnecessary in others (secure coding standards, firewall configuration rules). By tailoring the training to the intended recipients we reduce the amount they need to be taught, while making the training both more interesting and more effective.

Employees partnering in security can give us granular security knowledge that InfoSec cannot otherwise have.


Once we get our employees to view themselves as our partners in security, they will start to point out areas we missed. This provides us significantly improved insight to the organization as a whole. When we have the accounting team providing suggestions on how to improve accounting security, the DBAs helping with database security, and the call-center reps with our customer service process, we get the kind of granular level insight that one central InfoSec team could never have.

Another benefit of this kind of enterprise-wide security implementation is that our employees can work as a human intrusion detection system (IDS). As an example, last year when the “Here You Have” worm hit the internet, the employees at Intel immediately recognized this as malicious and provided the central IT/InfoSec departments a heads-up so they could take immediate actions to prevent exploitation in their organization. The same thing can be said for any type of persistent threat. A server admin may notice continued bad authorization attempts from a specific IP, a receptionist may notice a stranger lingering around the entryway, or an HR employee may forward on suspicious emails that seem specifically targeted against the organization. In any of these situations, our employees can be a first line of defense, and prevent more serious exploits from occurring.
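The paragraph above gives the server admin who notices repeated bad authorization attempts from one IP as an instance of the human IDS. The following is an added example, not code from Robb Reck's article or from Intel, showing what that admin is looking at and how the same observation is made automatically once the admin has reported it: it parses constructed OpenSSH-style auth log lines, counts failed logins per source address inside a sliding one-minute window, lists the account names tried, and escalates when a successful login follows the burst. The window and the threshold of five are assumptions.

```python
"""Spot a burst of failed logins from one source in sshd-style auth log lines.

Added example for this post, not code from Robb Reck's article or from Intel.
The log lines are constructed; the one-minute window and threshold of five are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog format: one address hammers several accounts within
# seconds and then gets in as root; a normal user mistypes once and then succeeds.
SAMPLE_AUTH_LOG = """\
May 20 08:00:01 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
May 20 08:00:03 fileserver sshd[2102]: Failed password for root from 203.0.113.9 port 50212 ssh2
May 20 08:00:04 fileserver sshd[2103]: Failed password for invalid user oracle from 203.0.113.9 port 50213 ssh2
May 20 08:00:06 fileserver sshd[2104]: Failed password for invalid user test from 203.0.113.9 port 50214 ssh2
May 20 08:00:07 fileserver sshd[2105]: Failed password for root from 203.0.113.9 port 50215 ssh2
May 20 08:00:09 fileserver sshd[2106]: Failed password for invalid user guest from 203.0.113.9 port 50216 ssh2
May 20 08:00:12 fileserver sshd[2107]: Accepted password for root from 203.0.113.9 port 50217 ssh2
May 20 08:01:30 fileserver sshd[2110]: Failed password for alice from 192.0.2.44 port 41002 ssh2
May 20 08:01:41 fileserver sshd[2111]: Accepted password for alice from 192.0.2.44 port 41003 ssh2
May 20 08:02:15 fileserver sshd[2112]: Accepted publickey for bob from 192.0.2.45 port 41010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2011):
    """Return a dict for a login result line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, window=timedelta(minutes=1), threshold=5):
    """Return {ip: details} for addresses with >= threshold failures inside any window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        (failures if event["result"] == "Failed" else successes)[event["ip"]].append(event)
    alerts = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward until it spans at most one minute
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                last_failure = fails[end]["ts"]
                alerts[ip] = {
                    "failures": count,
                    "users": sorted({e["user"] for e in fails[start:end + 1]}),
                    # a success right after the burst is the signal to treat as a compromise
                    "success_after_burst": any(s["ts"] >= last_failure for s in successes[ip]),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

On the sample, 203.0.113.9 is reported with six failures across five account names and a success right behind them, while alice's single typo is ignored; the human part of the IDS is still what sets the threshold and decides that a root login following a burst of “invalid user” attempts warrants a call rather than a ticket.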

By integrating all employees as information security partners we not only improve the overall quality of our information security program, but we educate our employees to make better choices, both at work and home. By partnering with all our employees we add value to all sides. That sounds pretty good, doesn’t it?

Great article and well said Robb.

People can become the most effective layer in an organization's defense-in-depth strategy with [Ernst & Young. "Global Information Security Survey 2004." ]:
  • proper training
  • education
  • motivation
And most of all, the implementation of Information Security in any organization should be championed by the executives, and the executives themselves should adhere to it, otherwise, the initiative is a waste of effort and resources.
