Monday, August 30, 2010

Cybercriminals have no shame. They even steal from a church!

Sent to me by Jerry Tylman, Founder of Greenway Solutions:

Organized cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa earlier this month. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals.

In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese’s online banking credentials. The Diocese it was alerted to the fraud on Aug. 17 by its financial institution, Bankers Trust of Des Moines.
Full article:

Tuesday, August 24, 2010

Question I get from Parents - Is My Kid Ready for Email?

I get a lot of questions from parents asking if their kids are "old enough" for email.

See the WBTV video with Kim to see how she handled this situation with her daughters:
WBTV Video on Email & Kids

Consider this:
8 hours a day!  And we’re not talking about your work day.  We’re talking about the time your kids spend surfing the net, on a smartphone, TV or electronic devices.    Your kid also wants their own email account but is this smart or even safe?   

According to the recent Kaiser Family Foundation study, kids 8 to 18 spend almost 8 hours a day connected to devices.  That’s a lot of connectivity.  Then your kid asks you for their own email account, is this safe & should you let them have one?   

It’s become a rite of passage for your kids.  Changing their fashion or hairstyles, listening to new music, and getting their drivers’ license.  All things you went through as a kid but there’s a new twist to growing up now…getting that email account!   

Under a certain age, I know parents want me to tell them “No!” and use me as the bad guy but I think email can be a good way to test responsibilities with your kids.

Before you answer “yes” consider these points:
1.     How mature is your kid with communications with others when they are happy, sad or mad?  Internet email might not be a good fit for them.
2.     How old is your child?  Many email providers have minimum age requirements – you should not lie about their age to get them their own account.

    If you decide to say “yes”, I have 4 quick tips to keep your kids safe:
    • ACCOUNT NAME:  Choose an email that does not identify their name, age, gender

    • RULES:  Discuss ground rules about appropriate email communication; discuss the perils of cyberbullying, sexting, and sending pictures via email; the rule of “don’t talk to strangers” also applies; teach them to be wary of clicking on links in emails

    • ATTACHMENTS:  Tell them not to open attachments without consulting with you first.  Kids are notorious for clicking on all kinds of sites online and then sending infected attachments.

    • REVIEW:  Tell them you will be reviewing their emails regularly and to make sure their friends know the email account will be monitored.

    Monday, August 16, 2010

    Intern Guest Post - Steven Elliott - Cyberwarfare: Fact or Fiction

    Topic:  Cyberwarfare
    Research by:  Steven Elliott
    Date: 07/25/2010; Final Version:  8/14/2010

    TEASER/TITLE: Cyberwarfare:  Fact or Fiction


    “There is no cyberwar,” stated Howard Schmidt, the cybersecurity czar for President Obama; however in a Washington Post article Michael McConnell, the former Director of the National Security Agency (NSA), wrote “the United States is fighting a cyberwar today, and we are losing.” (Singel 2010, McConnell 2010). These contrasting statements represent a critical quandary in the cyber security field: whether or not cyberwarfare exists. The opposing sides are adamant that they are correct and wish to implement different security strategies dependent upon their beliefs. The conflict is not disputing the vulnerability of the United States’ network infrastructure or cyber attacks on numerous corporations and nations but rather the definition of cyberwar. Both camps cite a wide variety of evidence to support their drastically differing opinions but both will need to come to a consensus in order for the U.S. to work towards a more secure future.

    ·      The cyber security community is divided on the definition and implications of the term “cyberwar”.
    ·      Experts that do not believe war can be fought entirely in cyber space argue that government and military expansion into cyberspace would cause massive privacy violations.
    ·      Some cyber security experts desire the capability to retaliate if there were a cyber attack on the U.S.
    ·      The government and military has already started moving towards an expansive definition of cyber space with the creation of Cyber Command, the NSA’s Perfect Citizen program, and the new bill asserting that protecting cyber space is a national asset.


             Cyberwar has created a division amongst information security specialists – not regarding the existence of cyber attacks but rather the term itself.

    *    Those opposed to the term “cyberwar,” such as Bruce Schneier, a cyber security expert, claim that “if we frame the debate in terms of war, we accept the military's expansive cyberspace definition of ‘war’” (Schneier 2010).
    *    The author of Inside Cyberwarfare, Jeffrey Carr, believes that a war cannot be fought entirely in cyberspace, but rather that cyber warfare techniques are a tool that the military can use to gain the advantage in a conflict (Greenberg 2010).  In short, he does not believe that any type of war occurs until “metal is flying through the air” (Greenberg 2010).
    *    Richard Stiennon defines cyberwar as “using networks and computers and applications and the people that run them coincident with more traditional means of warfare, such as invasion and missile launches” (Chabrow 2010).
    *    Carr, Schneier, Stiennon, and many other cyber security experts are concerned that the NSA and the military will overstep privacy boundaries if all cyber attacks are considered to be cyberwar.
    *    Marc Rotenberg, the executive director of the Electronic Privacy Information Center, states “Our argument is that we have to be very careful about allowing a single, secret, unaccountable government agency, which has been fighting for 25 years to take control of Internet security, to become the dominant authority for the Internet, which is what will happen if you accept the proposition that the threat of cyberwar has not been grossly exaggerated” (Rotenberg 2010).

    *    Richard Clark, the author of Cyberwar, also believes that cyberwar has begun and that the U.S. should start preparing.
    *    NATO has formed a Cooperative Cyber Defence Center of Excellence in Estonia in response to cyber attacks on that nation.  Israel, China, Russia, and the U.S. are only a few of the nations that have formed special military units to respond to cyberwarfare.
    *    On June 8, 2010, ABC hosted a debate about the statement “The Cyberwar Threat Has Been Grossly Exaggerated,” the consensus among the studio audience was that the threat of cyberwar has not been exaggerated.
    o   Pre-debate:  Yes (Exaggerated)-24% No (Not Exaggerated)-54% Undecided-22%
    o   Post-debate:  Yes-23% No-71%, Undecided-6%
    *    Many other security experts including Mike McConnoll, the former Director of the NSA, claim “the effects of full-blown cyberwar are much like nuclear attack[s]” (The Economist 2010). 
    o   “In a nation as free and as wonderful as ours is, leading the world in human rights and privacy and civil liberties, it's getting the debate framed right to mitigate the risk, to protect the nation consistent with our values and our laws” (Mike McConnell, 2010).

    ·      The NSA will start to “detect cyber assaults on private companies and government agencies running [sic] critical infrastructure” with a new program entitled “Perfect Citizen” (Gorman 2010). This program demonstrates that the government believes that cyberspace defense is within its jurisdiction.
    ·      New U.S. legislation could be implemented to ensure that the government takes responsibility for cyber attacks.  For example, the ‘Protecting Cyberspace as a National Asset Act of 2010’ S.3480 is a bill introduced to Congress in June 2010. (Community Central 2010)
    ·      Congress and the U.S. military will ultimately need to define cyberwar and the consequences of cyberwarfare attacks on the United States.
    ·      Regardless of the definition of cyberwar, thousands of attacks are being deployed on the private sector and government networks.  These important networks will need to be secured (as much as currently possible) or cyber attacks will result in the loss of sensitive data.

    The differing opinions concerning cyberwar represent a challenge for security professionals. Some private sector companies may believe that the government should be responsible for securing cyber space and, in turn, slacken security procedures. Other companies may benefit greatly from the cyberwar hype by receiving millions of dollars in government contracts. (Schneier 2010) Many of those opposed to cyberwarfare point out that Mike McConnell is an Executive Vice President with cyberwar contractor Booz Allen Hamilton (Doesburg 2010). The constant argument over cyberwar will not likely disappear. Those that believe that there is a cyberwar will highlight the attacks on Estonia, Georgia, South Korea, the United States, Google, and Lockheed Martin and argue that the government should prepare itself for cyberwar.  On the other hand, those opposing the concept of cyberwar argue that nationalist hackers could have performed many of those attacks, that blocked websites are simply an annoyance, and that stolen data is actually espionage, not war.
    While the definition of cyberwarfare is still a hot debate topic, the cyber security community agrees that gaping holes in United States’ network infrastructure need to be fixed.
    *    Bruce Schneier noted that “the threats are real; the threats are serious; cyber space is not a safe place” (Schneier 2010).
    *    General Keith Alexander, the Director of the NSA, Commander of the U.S. Cyber Command, and a proponent of the cyberwar concept, stated that “looking at a nation’s perspective, what’s on those networks that we have got to secure? Well it’s our intellectual property, it’s the future of our country, it’s the future of our industry, [and] it will make up the future of our nation. We have got to protect it.” (Alexander 2010).
    There is a clear consensus that U.S. networks are unsecure and the government, private industries, and private citizens need to work towards securing their networks and avoiding unsafe Internet practices. The cyber security community understands the potential threat to the U.S., but in order to move towards a comprehensive cyber security strategy, the cyber security community must come to a consensus on the definition of cyberwar.

    ·      The cyber security community will need to continue to define and reach consensus on the term “cyberwar”.  Definitions and industry standard protocols will focus the community on fixing unsecure networks.
    ·      The United States needs to create a comprehensive strategy for securing its networks.
    ·      Private corporations, especially those involved with critical infrastructure, must focus on improving cyber security.
    ·      The government should take responsibility for cyber warfare but should also avoid massive violations of privacy.
    ·      Educating Internet users in basic security practices will help reduce the risk of a successful cyber attack.


    Alexander, Keith B. "Video: Cybersecurity Discussion with General Keith B. Alexander, NSA Director, Commander Cyber Command." Speech. Center for Strategic and International Studies. 3 June 2010. Web. 28 July 2010. .
    Chabrow, Eric. "Defining, Surviving Cyberwar." Government Information Security News, 26 May 2010. Web. 28 July 2010. .
    "Cyberwar: War in the Fifth Domain." The Economist. 1 July 2010. Web. 28 July 2010. .
    Doesburg, Anthony. "Anthony Doesburg : Cyberwar? It's a Phoney War, Says IT Expert." NZ Herald. 2 Aug. 2010. Web. 03 Aug. 2010. .
    Gorman, Siobhan. "U.S. Program to Detect Cyber Attacks on Infrastructure -" The Wall Street Journal. 8 July 2010. Web. 28 July 2010. .
    Greenberg, Andy. "The Real Meaning Of Cyberwarfare." 3 Mar. 2010. Web. 28 July 2010. .
    McConnell, Mike. "Mike McConnell on How to Win the Cyber-war We're Losing." 28 Feb. 2010. Web. 03 Aug. 2010. .
    "New Cybersecurity Bill Introduced in US." Continuity Central. 15 June 2010. Web. 28 July 2010. .
    Rotenberg, Marc, Bruce Schneier, Mike McConnell, and Jonathan Zittrain. "The Cyber War Threat Has Been Grossly Exaggerated." Debate. Intelligence Squared U.S. 8 June 2010. Web. 28 July 2010. .
    Schneier, Bruce. "The Threat of Cyberwar Has Been Grossly Exaggerated." Schneier on Security. 7 July 2010. Web. 28 July 2010. .
    Singel, Ryan. "White House Cyber Czar: ‘There Is No Cyberwar’." Wired News. 4 Mar. 2010. Web. 28 July 2010. yberwar/>.

    Intern Guest Post - Steven Elliott - Cyber Warfare and its Impact on the Conflict in Iraq

    Topic: Cyber Warfare

    Research by: Steven Elliott

    Date: 7/12/2010; Final Draft:  8/14/10

    TEASER/TITLE: Cyber Warfare and its Impact on the Conflict in Iraq


                When most Americans think about the conflict in Iraq, cyber warfare does not immediately come to mind.  However, this high-tech advancement is starting to become more popular with United States military officials and is being utilized in the current conflict in Iraq. Therefore, the U.S. must develop legislation regulating cyber warfare or the slow process of receiving top-level approval could harm future efforts. This paper recognizes some denied and approved cyber attacks that have been used in Iraq, identifies the major causes of the United States’ apprehension about using cyber warfare, and analyzes how the United States can streamline future use of cyber warfare.


    ·      Former President George W. Bush’s administration cancelled several planned cyber attacks during the Iraq invasion of 2003 because they were concerned about the potential collateral damage of the attack.
    ·      Since as early as 2005, the United States has used cyber attacks to jam Taliban and Iraqi insurgent’s communications devices (Harris 2009).
    ·      Cyber attacks have proved beneficial to the war effort.
    ·      Fear of retaliatory attacks and collateral damage is the main reason the U.S. government is wary of using cyber warfare. 

    ·      Learn from past mistakes to hone cyber attack skills.
    ·      Form effective policies that will guide future cyber war.
    ·      Harden U.S. networks against potential pre-emptive and retaliatory threats.

    Before the conflict in Iraq, there was almost no precedence for U.S. employment of cyber attacks.  Although there had been a couple of assaults on Iraqi communications systems, using bombs and attacks to disrupt the power flow using carbon-carbon fiber during the Persian Gulf War, neither of which involved true “cyber warfare” (PBS 2003).  In Kosovo, the United States hacked into the Serbian air defense system and distorted images to deceive the Serbian air traffic controllers (PBS 2003).  This cyber attack was “essential to the high performance of the air campaign” said John Arquilla, a professor of defense analysis at the U.S. Naval Postgraduate School, in a 2003 PBS interview (PBS 2003).

                In 2003, during the months leading up to the invasion of Iraq, the United States planned a cyber attack that would have affected Iraq’s financial system and frozen billions of dollars during the opening stages of the war (Markoff and Shanker 2009).  This attack would have effectively shut off Saddam Hussein’s cash flow and, according to one senior Pentagon official, it was planned and could have worked (Markoff and Shanker 2009). However, the plan was never approved by former President George W. Bush’s administration for fear of the potential collateral damage.  The Iraqi banking system is connected to networks in France and an attack could have shut down banks and ATM’s all across Europe and even in the United States (Smith 2003). Since this first aborted attack, there have been several successful attacks during the Iraq war on both infrastructural and military targets. Also, President Obama’s administration appears to be increasing its cyber warfare capabilities.

    ·      There will be new international laws pertaining to cyber war.  In 2005, the United Nations Institute for Training and Research posted ideas for a law regarding cyber space (Kamal 2005). A formal law has not been written but with the increasing rate of cyber attacks, that may change soon.
    ·      There will be an increase in the use of cyber warfare by the United States especially give the new Cyber Command Center (Daniel 2010).
    ·      The Cyber Command Center and Congress will work collaboratively to create policies regarding cyber warfare (Daniel 2010).


                There have been some successful cyber attacks during the Iraq conflict.  In 2007, former President George W. Bush’s administration ordered a cyber attack on cell phones, computers, and other communication devices that terrorists were using to plan and carry out roadside bombs (Harris 2009).  This attack was coordinated with the surge of military troops.  The operation allowed National Security Agency (NSA) hackers to provide false information to the insurgents to lead them into a trap (Harris 2009).  These cyber attacks are credited with allowing the military to kill some of the most influential insurgents, according to former U.S. officials (Harris 2009).  One other assault occurred at the beginning of the war and involved electronic jamming and destroying communication grids (Markoff and Shanker 2009).  Former President G. W. Bush’s administration approved the attack because the collateral damage, inconveniencing telephone services in countries that share cell phone and satellite systems with Iraq, was an acceptable tradeoff (Markoff and Shanker 2009).

            The halted 2003 attack, illustrated a large gap in our understanding of cyber weapons and the policies that govern the use of them.  Because the world is so interconnected, “it’s virtually certain that there will be unintended consequences,” said Herbert Lin, a senior scientist at the National Research Council in a 2009 interview (Markoff and Shanker 2009). Cyber space is an entity with no bounds and, as such, it is difficult to only hit the intended target.  Understanding the consequences of cyber attacks has a tremendous effect on whether attacks will be authorized and how public policy should outline cyber warfare techniques.  “Policy makers are tremendously sensitive to collateral damage by virtual weapons, but not nearly sensitive enough to damage by kinetic weapons,” said John Arquilla, an expert in military strategy at the U.S. Naval Postgraduate School (Markoff and Shanker 2009).  The worst-case scenario in a cyber attack would involve shutting down the power to a hospital that had been linked to a targeted network. Keeping these scenarios in mind, Congress will need to work with top cyber warfare experts to devise a set of policies because “cyber [war] was moving so fast that we were always in danger of building up precedent before we built up policy," said former CIA director Michael V. Hayden in relation to the former President G. W. Bush administration’s attempts to cultivate policy as operations took place (Nakashima 2010). 
    Seven years after the denied 2003 attack, there was still no official policy on how the U.S. can and should attack using cyber war techniques.  Without definitive policy “cyber warriors are held back by extremely restrictive rules of engagement,” noted Arquilla (Markoff and Shanker 2009).  General Keith Alexander, the director of the NSA and commander of the U.S. Cyber Command, believes that the United States needs “the cyber-equivalent of the Monroe Doctrine, a set of clearly defined interests and the steps the government would take to protect them” (Harris 2009).
    The use of cyber warfare techniques is also hindered by the fear of a retaliatory attack. In 2003 a meeting involving prominent figures in academia, industry, and government was held at the Massachusetts Institute of Technology (MIT) to discuss whether or not cyber warfare should be used by the United States (Graham 2003). One major concern voiced at this meeting was U.S. vulnerability to attacks. "A lot of institutions and people are worried about becoming subject to the same kinds of attack in reverse," said Harvey M. Sapolsky, an MIT professor (Graham 2003). Unfortunately, in the world of cyber warfare, "our defense is informed by our offense" noted Bob Gourley, the former chief technology officer for the Defense Intelligence Agency (Harris 2009).  In order to develop a strong defense the U.S. must have strong offensive capabilities. Furthermore, the United States should ensure that cyber security is a top priority for the military as well as hospitals, power plants, and other infrastructural necessities. The military understands that cyber warfare is a valuable asset that can and should be utilized in Iraq and other future conflicts, but the lack of policy governing this evolving technology and weak infrastructural cyber security is hindering what could be an indispensable tool.
    ·      Given the success of cyber warfare techniques in Iraq, it seems logical to assume the U.S. will increase the frequency of attacks.
    ·       The military is expanding their mission to focus on cyber war.  In May 2010 the U.S. Air Force announced that 30,000 troops would be re-assigned to “the frontlines of cyber warfare” (Beaumont 2010).
    ·      With the formation of Cyber Command and the growing importance of cyber warfare the defense budget will shift from physical weapons to electronic ones. 
    ·      The government and military will be forced to create policies regarding cyber war in order to utilize its capabilities.
    ·      The new policies created will most likely limit the capabilities of cyber weapons to lessen the impact of cyber war on civilian networks.
    ·      The United States will accept cyber security as a necessity and focus on hardening its networks.

    ·      Limit the disruptive capabilities of cyber weapons through scenario planning  and ensuring that the rules of engagement minimize effects on civilians.
    ·      Adopt policies that define cyber warfare and official acts of cyber war.
    ·      Adopt policies and legislation that regulate the use of cyber weapons, but also minimize civilian impacts.
    ·      Adopt policies to ensure that the United States is adequately protected against cyber attacks.
    ·      Continue to use cyber warfare to benefit the current conflicts and any future conflicts.
    ·      Train more men and women in the science of cyber warfare to ensure that the cyber war effort has well-trained U.S. Armed Forces.


    Beaumont, Peter. "US Appoints First Cyber Warfare General." Latest News, Comment and Reviews from the Guardian | 23 May 2010. Web. 15 July 2010. .
    Daniel, Lisa. "Cyber Command Synchronizes Services’ Efforts." United States Department of Defense ( American Forces Press Service, 09 July 2010. Web. 15 July 2010. .
    "Frontline: Cyber War!" PBS. 24 Apr. 2003. Web. 15 July 2010. .
    Graham, Bradley. " Bush Orders Guidelines for Cyber-Warfare." Stanford University. Washington Post, 7 Feb. 2003. Web. 15 July 2010. .
    Harris, Shane. "The Cyberwar Plan." National Journal Online. 14 Nov. 2009. Web. 15 July 2010. .
    Kamal, Ahmad. The Law of Cyber-space: an Invitation to the Table of Negotiations. Geneva: UNITAR, 2005. Print.
    Markoff, John, and Thom Shanker. "Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyberwar Risk." The New York Times. 1 Aug. 2009. Web. 15 July 2010. .
    Nakashima, Ellen. "Dismantling of Saudi-CIA Web Site Illustrates Need for Clearer Cyberwar Policies." Washington Post, 19 Mar. 2010. Web. 15 July 2010. .
    Smith, Charles R. "Cyber War Against Iraq." America's News Page. 13 Mar. 2003. Web. 15 July 2010. .

    Cyberwarfare - The Debate

    Two security leaders - two quotes - two positions?
    1.  “There is no cyberwar,” Quote from Howard Schmidt, White House Cybersecurity Director for President Obama.
    2.  "The United States is fighting a cyberwar today, and we are losing," Quote from  Michael McConnell, the former Director of the National Security Agency, written in a Washington Post article.

    You will read a post by Fortalice intern, Steven Elliott, about Cyberwarfare shortly.

    It has been an interesting debate out there about the term, "Cyberwarfare".

    Ask anyone in law enforcement or even a small business who has been hacked and they may tell you that they feel they are at war with cybercriminals.

    The term cyberwarfare has been used and critiqued by leaders in the security community.

    Critics: "Warfare" in the traditional sense implies a level of involvement from Department of Defense.  You cannot label trojans, viruses, and other malware that steals identities or helps criminals commit fraud as "warfare".

    Supporters of Warfare:  Typically use the term "Warfare" in a broader sense.  A focus on the larger picture sees fraud as a potential source to fund criminal activities that fund terrorists.  An assault on our critical infrastructure that creates a lack of confidence in the infrastructure is also seen as "warfare".

    Whatever your position on the debate, I hope you will enjoy Steven's posts.

    As always, we are open to ideas, suggestions, and feedback.

    Thursday, August 12, 2010

    New Facebook Bug Invades Your Privacy...Again

    Does the title of my post sound like a repeat?  New bug, repeat problem - privacy issues.

    The Facebook community learned this week that a new bug at the login point to Facebook will reveal names and photos -- even if you have locked your privacy settings down tightly.

    Here is how it works:
    1.  Someone logs into Facebook using your email address & they guess the wrong password
    2.  Facebook displays a screen that tells them to try the password again and displays the picture you have on file and the name you have put on your profile

    This is a treasure trove of information that cybercreeps and cybercriminals can use.

    The bug is now fixed but this is a friendly reminder to do the following:
    1.  Go to your Facebook account and choose "Preview My Profile".  What does it say about you?  Does it say anything you would NOT want a cybercreep to read?

    An example might include:  You may not want to list your full birthdate, including year

    2.  Check your privacy settings to make sure they are set to the level you feel most comfortable with.
    You have a lot of settings to choose from and can lock down information to just "friends", or "friends of friends" or you can go wide open

    3.  Review any pictures you have posted - do they identify you in a way the compromises you to fraudsters?  Are you giving too much identifiable information about your children and their schedules?  Are you providing too much information that could be used for social engineering?

    4.  Go to your favorite search engine and type in "your name, Facebook" to double check.  Do the same for your loved ones.

    You can stay on top of the latest security and privacy issues by tracking Facebook's security page and the page updated by Sophos.

    1.  Security Page on Facebook

    2.  Sophos Security Suggestions for Facebook

    As always, I'm open to questions & suggestions.