Thursday, September 30, 2010

Please Talk to Your Kids - Cybersnooping is an invasion of privacy - It cost a young man his life this week

It was a tragic week this week for the family of a young college freshman.


A male student (Tyler Clementi) from Rutgers posted on Facebook that he was jumping off a bridge in NY.  

Why did he end his life so suddenly and tragically? 

Law enforcement thinks they know why.

Several days earlier, his roommate logged into a computer in their dorm room from another room.

He and a female student allegedly used skype to webcam in and streamed video of the gay student and another man in an intimate situation.   They took the streaming video and posted it on the internet outing Tyler.

What a tragedy for all involved.  

Do not wait, discuss this horrible tragedy with your children and young adults that you know.

Let's not lose another life over this.  We need to insure that children and young adults understand the rights to privacy.

Three Talking Points:
1.  Digital is forever
2.  Just because you can invade someone's privacy, does not mean you should
3.  Make your kids aware of technology and what people with bad intentions might do, given the chance; help protect your kids so they are not a victim of someone's cybersnooping

Don't be tricked into being a money mule

Earlier this week, the UK announced that they had busted a major cybercriminal ring.  The crime ring was using the Zeus trojan and it is estimated that they stole $30 million from bank accounts across the globe.

The mules are people that have been recruited by the cybercriminals to open bank accounts and transfer funds.  Some mules are drawn in, unknowingly, by sophisticated schemes where they even apply for jobs, interview, and work for a "company".  Some mules know exactly what they are working on.

People could get tricked via jobs posted on help wanted web sites and social networking sites.

The cybercriminals and mules used many different companies to spread out their evil.  They hit banks in the UK and the US.  Ally, Chase, PNC, B of A, TD Bank are some of the banks named in the Wall Street Journal article.


Sources:

"More details emerge on cybercriminal ring that stole $30 million", Byron Acohido, USA Today, 9/30/10.

"Millions Netted in Global Bank Hack", Chad Bray and Cassell Bryan-Low, Wall Street Journal, 10/1/10.

Tuesday, September 28, 2010

Privacy, National Security & Your Internet Traffic

The recent attempt to bomb Times Square was a vivid reminder that intelligence before, during, and after a crime are key to understanding motive, protecting citizens, and moving swiftly to avoid future attacks.  Federal Investigators found that the man suspected of the attempted bombing used pre-paid phones to communicate and coordinate the bombing.  So why didn't law enforcement know this in advance?  The bad guys know that pre-paid cell phones help avoid tracking.  There is no requirement to provide id when purchasing a pre-paid phone.


There is a law in effect to aid law enforcement called The Communications Assistance to Law Enforcement Act.  It was passed in 1994 and it requires telecommunications companies to allow court authorized access to their information, often in real time.  It is not broad enough to cover newer technologies that provide "communications" but not within the legacy telecommunications framework.


Law Enforcement agencies do not have the same capability afforded to them for the newer technologies that many of us have adopted and use.  Examples of this in the Wall Street Journal article include  Facebook and BlackBerry Messenger.  Another example would be Skype, which was mentioned in the New York Times article.


The New York Times reported that the F.B.I., Justice Department, the National Security Agency, the White House and other agencies are working together to develop an approach.


As found in Newsmax:
" 'We're talking about lawfully authorized intercepts," said FBI lawyer Valerie E. Caproni. 'We're not talking about expanding authority. We're talking about preserving our ability to execute our existing authority in order to protect the public safety and 
national security.' "


As found in the Wall Street Journal:
" 'The way we communicate has changed dramatically since 1994 but telecommunications law has not kept up,' said an administration official. The government doesn't want new powers, but wants to ensure that communications companies outside of the telephone business have the technology to respond to court orders for information, the official said."


The bill is still under consideration and will likely be submitted next year according to Newsmax.  


The New York Times reports that the current proposal may have these elements:


-Ability to unscramble encrypted messages so Law Enforcement can read them

-Any foreign companies (RIM of BlackBerry) that have U.S. based business must provide a U.S. office capable of performing intercepts for Law Enforcement.

-Peer-to-peer communication providers must build in capabilities to their service to allow interception.



4 Recommendations:
1.  Let's Debate:  I would like to see open and vigorous debate where the voices of both Privacy advocates and National Security & Law Enforcement agencies are heard.  By hearing and vetting the pros and cons of the issue, I believe the country can craft a law that accommodates the concerns and needs of both sides.


2.  Don't Kill Innovation:  We need to be careful about the regulatory burdens and dictating specifically how companies are to comply.  Tell them what is needed and let them figure it out.  Regulatory burdens could kill many start up companies that are not even sure if consumers will adopt their product and they will not have the money to build a government specific framework.  We should not shoe horn the newer technologies and force them to fit into the old framework of the phone companies.


3.  Don't Dictate or Design "Back Doors":  If the regulation specifically outlines a "back door" and the design expectations for the back door, that does provide insights to the bad guys which could be used to infiltrate the "back door". 


4.  Maintain Checks and Balances:  We have court oversights in place for requesting warrants and how information can be used when gathered via surveillance and wiretaps.




Sources:
"New Technologies Prompt Push for Better Wiretap Law", Evan Perez, Wall Street Journal, Septemer 27, 2010.


"U.S. Tries to Make It Easier to Wiretap the Internet", Charlie Savage, New York Times, September 27, 2010.


"US Would Make Internet Wirtetaps Easier", Newsmax, September 27, 2010.

Thursday, September 23, 2010

Twitter bug and hack exploit explained

This week was a tough one for Twitter.  Not only did they have an odd bug hack but it was well publicized after it hit Press Secretary Robert Gibbs...His Twitter account said, "My Twitter went haywire - absolutely no clue why it sent that message or even what it is...paging the tech guys."

On 9/21, Twitter users started seeing strange pop ups, pornography, and messages that were obviously spam.

The problem was actually within the Twitter code itself which left a hole open and cybercreeps used it to get in and spread malicious links.  What was very sinister about this bug hack was you could get tricked without clicking a link, just hovering over it!

The good news is, if you use Twitter apps such as HootSuite or Tweetdeck, you were not impacted.  This was confined to an older version of Twitter.







Source: The Christian Science Monitor, Twitter Hacked?  Not really.  Here's the scoop, Chris Gaylord, September 21, 2010

Careful of what you click on especially free iPad offers

A cybercreep found a hole in the photo upload system for Facebook and was able to use that to send spam to Facebook & Twitter accounts that promised free iPads.

The cybercreep was able to upload the photos to people's walls, without their permission making the photo and the free iPad offer look like it was endorsed by the person.

In a twist of irony, a friend of CEO Mark Zuckerberg had their account hacked.

Evidently thousands of Facebook users were impacted.

How to protect yourself:
1.  Don't click on links for "free" items unless you are on a company web page
2.  Make sure you use strong passwords
3.  Don't use the same password on more than one social site


Source:  Article in the Guardian, Posted by Charles Arthur, September 6, 2010

Friday, September 17, 2010

Google Street View - Why is the Czech Republic Using a Ban? Should the U.S.?

According to Prague AP, the Czech Republic banned Google from expanding Google Street View.
The ban still allows Google Street View to show photos of Prague but they are not allowed to collect new photos.

Google is facing privacy concerns across Europe related to the pictures but also by the news that Google's Street View cars were recording traffic from online activities over Wi-Fi networks.  France launched a privacy investigation.  Germany has insisted that its citizens be given the options to blur their photos.  They are also under investigations in Spain and Australia.

Google was quoted in the Silicon Republic as saying, "We have in place robust procedures to protect privacy, such as face and number plate blurring and removal tool.

"Street View has proved a popular and useful tool for consumers and businesses around the world and we look forward to finding a solution to bring additional imagery to people in Czech Republic," they said.

Connecticut's Attorney General, Richard Blumenthal, is representing a 37-state coalition in the U.S..  North Carolina is part of the coalition.  The coalition is looking into the privacy and security issues with Google Street View, especially related to their data collection from personal and company Wi-Fi networks without permission.  It is possible that the Wi-Fi traffic reveals emails, web browsing habits, passwords, and other confidential information.

Why should you care?  Google Street View can be a very helpful tool!  I have found many a soccer field or business client using it.  However, there are concerns that someone could case your business or house for points of entry, places to hide, etc. in the cover of internet darkness.  Could they do that in person?  Yes.  However, they have a higher likelihood of being caught in person.

What is your opinion?  Love it?  Hate it?  Neutral?


Sources:
World News, "Czechs ban Google from expanding 'Street View'", AP, September 17, 2010

Silicon Republic, "Czech Republic bans Google Street View data gathering", September 15, 2010


The Register, "Czechs tell Google to stop StreetView Another dissident against Schmidt's glorious privacy-free future", John Oates, September 14, 2010


The Precursor Blog, "37 States now investigating Google StreetView snooping", Scott Cleland, Julyy 21, 2010.

New Identity theft sounds like an HGTV reality show - "Steal My House"

ZDNet reported this week that a Western Australian man was the victim of a new bizarre twist of identity theft.

According to the report, Roger Mildenhall, was contacted by a neighbor saying he had seen one of his investment houses for sale.  Mildenhall looked into it and found that it was for sale .  He was also surprised to learn that he sold another property in June.  In this economy, you might jump for joy.  Roger was dumbfounded since he never intended to sell these properties - this was done unauthorized by him.

ALL transactions were made via email, telephone, and fax.  No human interaction.

The report indicates that alleged scammers hacked into Mildenhall's email account.  From there they were able to get to his personal and property documents.  They sold the house and sent the cash to bank accounts in China.

So far, the investigation has not found any wrongdoing by the real estate agent.

In the meantime, Roger Mildenhall, is half a million dollars poorer.

STEPS TO PROTECT YOURSELF:
1.  Strong email passwords
2.  Do not reuse passwords
3.  Avoid sending sensitive information, such as property data, via email
4.  U.S. Banks and Mortgage companies may want to review their fraud prevention processes


Sources:
ZDNet, "Crims use hacked email to steal house", Darren Pauli, September 14, 2010

Remember the worm spreading like kudzu? Might have been a cyber-jihad

The "Here you have" worm of last week was annoying and, in some cases, debilitating.  Talented organizations were not immune from the worm that hit last week.  Organizations such as Disney, Proctor and Gamble, ABC, Comcast, Florida DOT, and NASA were on the hit list.

CISCO reported that more than 14% of global spam came from the "Here you have" worm.

Sometimes the virus ends up just being a nuisance.  If cybercriminals or hactivists are involved, there may be more evil behind the trojan, virus or worm than meets the eye.

SC Magazine, a cybersecurity publication, talked to Joe Stewart from SecureWorks about his research.  They report that the research found the worm is directly tied to a group upset over the U.S. military deployed in Iraq.  SC Magazine said the malware creator behind the virus was the "iraq_resistance".  Federal News Radio indicated that the "iraq_resistance" might be part of the cyber-jihad organization "Brigades of Tariq ibn Ziyad" which has a stated goal of infiltrating U.S. Army agencies.

A video was posted to YouTube by a person claiming to be the creator of the "Here You Have" worm.  Excerpts from SC Magazine:

"My name is Iraq Resistance," the person says in a computer-generated voice. "What I wanted to say is that the United States doesn't have the right to invade our people and steal the oil under the name of nuclear weapons. Have you seen any there?"...


"I could smash all those infected computers, but I wouldn't," he says on the video. "And don't use the word 'terrorist' please. I hope that all people understand that I am not a negative person."


HOW TO PROTECT YOURSELF:
1.  Keep your A/V and browsers up to date
2.  Be wary of emails with links and attachments - call the sender and ask if they sent you an attachment

See last week's post from Fortalice:  "Houston we have a problem-spam.  Virus email spreading faster than kudzu"

Sources:

Federal News Radio, September 16, 2010

SC Magazine US, September 13, 2010

Thursday, September 16, 2010

Do your kids download free movies, ringtones or songs? You may get more than what you asked for. Cybercreeps hide their evil behind free downloads.

Do your kids download free movies, ringtones or songs?  You may get more than what you asked for.  Cybercreeps hide their evil behind free downloads.

Do you follow Celebrity news of actors, actresses, athletes, royalty?  

Does anyone at your home or office click on ads they see online?

If so, you or your kids or employees may be opening the door to cybercreeps and cybercriminals.


Anyone at your home following Lady Gaga on Twitter?  When McAfee, the internet security software firm, did a search in May for "Lady Gaga" on Twitter, they were led down a dark path of pornography and other adult animated content.

Got Justin Bieber fans in your house?  If your kids went to YouTube on July 4, they were redirected to porn sites.

Cybercriminals love to hide their evilness behind music and movie sites.  According to McAfee's report, especially behind "free" downloads.

When the word "free" is added to the search for music ringtones, there was a 300% increase in the riskiness of sites returned by your favorite and popular search engines.  Think Google or Bing.

McAfee's report called "Digital Music & Movies Report:  The True Cost of Free Entertainment" also noted that fan clubs have ads that may be hiding malware.  Not to be left out, YouTube and Twitter also had malicious code hiding behind links and comments when it came to fan clubs and celebrity news.

"It is fairly common to find multiple fan sites built by cybercriminals with the express purpose  of attempting to corral traffic to sell ads or infect users." Source:  McAfee Report.

It is estimated that roughly 7% of the websites providing unauthorized content, such as a free movie that should not be free, are directly linked to known cybercrime organizations.  

Even sites like the New York Times and Yahoo! Inc have had ads with malicious code sneak through their processes.  This is called "MALVERTISING".

How They Trick You:
The sites look very professional
Some sites give you a free trial period
Once they are in your computer, they may "FINGERPRINT" your computer by capturing your  software versions and other pertinent information that can be sold to 3rd parties. 

5 Easy Steps to Protect Yourself:
Keep your browsers and antivirus software up to date

Think twice or avoid clicking on links or ads altogether.  If you are really interested, go to a search engine, type in what you want to look at plus the word, "scam" and see what pops up before you click.

Tell your kids to avoid using the word "free" when searching for something and have them ask you for permission to download files to the computer

Only download music, ringtones, and movies from commercial companies

When in doubt about a company, check with your Better Business Bureau

Sources:
San Jose Business Journal, "McAfee: Digital music, video cyberthreats growing", Elizabeth Kim, September 14, 2010.

McAfee Press Release, Business Wire, September 14, 2010.

McAfee Report, "Digital Music & Movies Report:  The True Cost of Free Entertainment", by Paula Greve.

Friday, September 10, 2010

NASA: 'Houston we have a problem...Spam' Virus email spreading faster than kudzu

A virus hit the globe yesterday creating a nuisance for some and a real outage for others.

At some companies that attack was so bad that email in baskets were overflowing with the spam.

The spam went right past most anti virus software.

Organizations noted as impacted by ABC News were NASA, Comcast, AIG, Disney, Proctor and Gamble, Florida Department of Transportation, and Wells Fargo.

The Florida Department of Transportation took down their email to deal with the attack and, according to ABC News, their spokesman noted that 6 other agencies in Florida had been hit.

Unofficially, I was contacted by various colleagues at large companies asking if I knew what was going on.

HOW TO PROTECT YOURSELF:
1.  Keep your A/V up to date

2.  In this case, YOU are the first line of defense, it may slip right past your A/V software.  If you receive an email with an attachment or a link, call the person who sent it to you to verify that they sent it.

WHAT THIS SPAM LOOKS LIKE:
"Hello:  This is the Document I told you about, you can find it here" and the link includes a PDF file.

or,

"Just for you" and "This is the free download sex movies, you can find it here."

WHAT TO DO IF IT HITS YOUR INBOX:
1.  Do not open it

2.  Delete it from inbasket and trash

3.  Notify your technology department

WHAT CAN THE VIRUS DO?
1.  Right now, the virus appears to be focused on infecting machines for an unknown reason but often this tactic is deployed to create a botnet

2.  To date, there has not been issuance of a warning that it is stealing information from infected computers

Why should citizens care? Pentagon considers preemptive strikes as part of cyber-defense strategy

In case you did not see the Washington Post article, I have included it in the blog post below.

Here is why I think you should care and the beauty of America is it will be open for discussion and debate.

Safety & privacy - they can coexist but there is a healthy tension.  Sometimes we give up privacy to be secure.  Sometimes we guard our privacy and knowingly or unknowingly give up some of our security.

It's a true conundrum.  We all want to be safe but what privacies are we willing to give up for that safety?

Are you willing to have your internet traffic "watched" and "read" to prevent a cyber or physical attack?

Many people say no until you put it in real terms...For example:  what if by "monitoring" emails we were to learn that terrorists were going to hold elementary schools in key parts of the country hostage on a certain date?  Would "monitoring" and potentially reading emails  be okay then?

I would love to hear from you regarding your opinion.

Couple of highlights from the article:
1.  The Pentagon is wrestling with the legal implications of preemptive actions

2.  Cyber Command is staffed with 1,000 elite military hackers and spies

3.  Military officials have declared that cyberspace is the fifth domain - along with land, air, sea and space - and is crucial to battlefield success.

2 QUOTES OF NOTE:
"We need to be able to protect our networks," Lynn said in a May interview. "And we need to be able to retain our freedom of movement on the worldwide networks."

Another senior defense official said, "I think we understand that in order for us to ensure integrity within the military networks, we've got to be able to reach out as far as we can - once we know where the threat is coming from - and try to eliminate that threat where we can."


FROM THE WASHINGTON POST:

Pentagon considers preemptive strikes as part of cyber-defense strategy
By Ellen Nakashima
Washington Post Staff Writer
Saturday, August 28, 2010; 10:00 PM

The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary's computer network overseas - but it is still wrestling with how to pursue the strategy legally.

The department is developing a range of weapons capabilities, including tools that would allow "attack and exploitation of adversary information systems" and that can "deceive, deny, disrupt, degrade and destroy" information and information systems, according to Defense Department budget documents.

But officials are reluctant to use the tools until questions of international law and technical feasibility are resolved, and that has proved to be a major challenge for policymakers. Government lawyers and some officials question whether the Pentagon could take such action without violating international law or other countries' sovereignty.

Some officials and experts say they doubt the technology exists to use such capabilities effectively, and they question the need for such measures when, they say, traditional defensive steps such as updating firewalls, protecting computer ports and changing passwords are not always taken.

Still, the deployment of such hardware and software would be the next logical step in a cyber strategy outlined last week by Deputy Secretary of Defense William J. Lynn III. The strategy turns on the "active defense" of military computer systems, what he called a "fundamental shift in the U.S. approach to network defense."

Though officials have not clearly defined the term and no consensus exists on what it means, Lynn has said the approach includes "reaching out" to block malicious software "before they arrive at the door" of military networks. Blocking bad code at the border of its networks is considered to be within the Pentagon's authority.

On the other hand, destroying it in an adversary's network in another country may cross a line, and officials are trying to articulate a clear policy for such preemptive cyber activity.

"We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us," Gen. Keith Alexander, the head of the Pentagon's new Cyber Command, told an audience in Tampa this month.

The command - made up of 1,000 elite military hackers and spies under one four-star general - is the linchpin of the Pentagon's new strategy and is slated to become fully operational Oct. 1.

Military officials have declared that cyberspace is the fifth domain - along with land, air, sea and space - and is crucial to battlefield success.

"We need to be able to protect our networks," Lynn said in a May interview. "And we need to be able to retain our freedom of movement on the worldwide networks."

Another senior defense official said, "I think we understand that in order for us to ensure integrity within the military networks, we've got to be able to reach out as far as we can - once we know where the threat is coming from - and try to eliminate that threat where we can."

One senior defense official said that active defense is akin to being in a battle zone when someone is firing a machine gun at you, detecting the bullets, putting up a shield and knocking down the bullets. "Wouldn't it be a far better idea to get the machine gun? So that's an extension of a real-time defense - just shut the threat down."

Perhaps the most difficult issues are technological and operational. Because the precise configuration of an adversary's computer is difficult to discern through the Internet, it can be very difficult to, for example, disrupt that computer's ability to attack without affecting other computers that might be connected to it. The military's dismantling in 2008 of a Saudi Web site that U.S. officials suspected of facilitating suicide bombers in Iraq also inadvertently disrupted more than 300 servers in Saudi Arabia, Germany and Texas, for example, and the Obama administration put a moratorium on such network warfare actions until clear rules could be established.

"Why are you talking yourself into this massive debate when no one has said this works 100 percent of the time and it's worth the fight?" said an industry official who formerly worked at the Pentagon.

But a senior defense official familiar with state-of-the-art technology said, "I would tend to say that we can be much more precise than people could imagine." The official, like others quoted for this story, was not authorized to speak on the record.

Alexander, who also heads the National Security Agency, which was set up in 1952 to spy electronically overseas, acknowledged in Tampa that offensive capabilities must be based on "the rule of law," according to the Military Tech blog Cnet News.

And that is the crux of the debate. For the better part of a year, defense officials have been discussing the options with the White House, Justice Department, Department of Homeland Security and Congress. "I have seen clearly changes in the last two or three months where there's willingness of the senior leaders to start thinking through those scenarios, and that's something I don't think we were seeing a year ago," said a military official who was not authorized to speak for the record.

Still, taking action against an attacker's computer in another country may well violate a country's sovereignty, experts said. And government lawyers have questioned whether the Pentagon has the legal authority to take certain actions - such as shutting down a network in a country with which the United States is not at war. The CIA has argued that doing so constitutes a "covert" action that only it has the authority to carry out, and only with a presidential order.

Policymakers also are grappling with questions of international law. "We are having a big debate about what constitutes the use of force or an armed attack in cyberspace," said Herbert S. Lin, a cyber expert with the National Research Council of the National Academy of Sciences. "We need to know where those lines are so that we don't cross them ourselves when we conduct offensive actions in cyberspace against other nations."

The senior defense official who spoke about the military's capabilities said if cyber operators detected that some attacker was about to issue a network command to a device installed somewhere in the United States that would have "a disastrous effect" causing mass destruction, "I'm hard pressed to imagine that anyone would argue you shouldn't preempt that - even if it was sitting on neutral territory."

But short of that, noted a military official, "there's a lot of reluctance to go into foreign cyberspace and take actions that are preemptive."

Officials have noted they can use other non-cyber options, including diplomatic action, to respond to threats. The United States might approach a foreign government for help in blocking a threat, using the appeal that "it might be aimed at us now, it could be aimed at you later, it might be aimed at us collectively" in terms of the instability it induces in the global networks, said the senior defense official. "That's an approach that is often ignored."

The industry official said his concern is "the militarization" of the international dialogue. "Any time Pentagon leaders start using the terms 'active defense,' " he said, "then my concern is that foreign countries use that as a basis for their doctrine, starting a cycle of tit for tat."

The Pentagon has standing rules of engagement for network defense, such as the right of self-defense. But the line between self-defense and offensive action can be difficult to discern.

"This is a big, big problem," said one former intelligence official who noted that it took years to develop nuclear deterrence doctrine. "We are just at the beginning of figuring this out."

Thursday, September 2, 2010

The new car "jacking"? Car "hacking"?

Have you bought a new car lately?  You probably have more computing power under the hood then your first home computer had!  With the complexity of the computer systems and logic in your automobile comes a potential for hacking.  Just like you needed some new thing to worry about!  

Technology gizmos and gadgets typically outpace "security".  My theory, which is also shared by some of my colleagues, is that the provider of the gadget (Facebook, Iphone, Droid, Laptop, Car) has a very tight delivery cycle.  In addition, some companies seem to find that their best way to learn about design flaws with new gadgets is by releasing the product.  They learn from how their customers use it and then, eventually, how it is exploited.  Perhaps if a company tried to imagine every iteration of use and exploit before deploying, the product may never make it to market.  

So, could someone take control of your car to steal it, cause the driver harm, convince the driver to pull over for "urgent maintenance" or ruin the car?  According to some experts, the answer is yes but heavily caveated - cars are still relatively safe from criminal hackers but the flaws found during recent tests are something that should be addressed.   For starters, they would need to physically connect into the computer systems under your car's hood,  or hack into networks such as General Motors' OnStar, or have very close access to your car to carry out any evil deeds.  

See the sources posted at the bottom for more information.

According to the POPSCI article, a team of scientists at the University of Washington and University of San Diego was assembled to see what they could hack.  The research team wrote their hacking code, affectionately called "CarShark", and accomplished these tasks:
-turned off brakes in a MOVING car
-changed the reading on the speedometer
-blasted the radio volume
-turned the heat up high
-locked passengers inside the car

In another study, scientists from Rutgers University and University of South Carolina, were able to hack into a car's computer system, take over the wireless tire pressure system, and sent false low-air pressure warnings to the car.  They did have to travel closely to the target car to intercept the signal and send the false messages.  

Sources:
Blog Post by Bruce Schneier, "Hacking Cars Through Wireless Tire-Pressure Sensors",  August 17, 2010.

Christian Science Monitor Article, "Scientists hack into cars' computers -- control brakes, engine", Mark Clayton, August 13, 2010.

PCWorld Article, "Car Hackers Can Kill Brakes, Engine, and More", Robert McMillan, IDG News, May 13, 2010.

POPSCI Article, "Proof of Concept CarShark Software Hacks Car Computers, Shutting Down Brakes, Engines, and More", Rebecca Boyle, May 14, 2010.  

China - Builds Up Cyber Capabilities

The Wall Street Journal posted an article in August focusing on China's military build up.  They referred to the annual report released by the Pentagon to Congress.

In the report, it indicated that China's military has built up their electronic warfare capabilities.  They have designed information warfare units to protect their networks and to attack their foes.  Tactics include creating viruses to attack adversaries' systems.

This recent report is consistent with a briefing that took place earlier this year at the House Armed Services Committee.  During the briefing back in January of 2010, the discussion included China's warfare capabilities.  Admiral Robert Willard indicated that the military and government systems in the USA are targets of cyber attacks and that many of those attacks appear to originate from within China.  He also noted that most of the attacks focus on taking information.

The capabilities are considered part of China's Peoples' Liberation Army military modernization program.




Wall Street Journal Article, "U.S. Sounds Alarm at China's Military Buildup", Adam, Entous, August 17, 2010

Defense News Article, "Chinese Buildup of Cyber, Space Tools Worries U.S.", January 13, 2010

Coming to a bank account near you...cyberattacks

Some recent surveys caught my attention as I was preparing to address the Business Innovation Growth council to discuss cyberattacks and what businesses should do to protect themselves.

Symantec released their Internet Security Threat Report in April providing analysis of what happened in 2009 and a look forward to help businesses prepare for the next cyber threats.  From their site:  "Symantec estimates that the top 10 bot networks now control at least 5 million compromised computers. Throughout 2009, Symantec saw botnet-infected computers being advertised in the underground economy for as little as 3 cents per computer."  These are staggering numbers.

Verizon and the United States Secret Service collaborated on a review of approximately 900 cyber breaches.  One of their findings was astonishing - 94% of the breaches they reviewed could have been caught if the victims had implemented existing tools and best practices.

The security firm, Kindsight, firm talked to 1200 people aged 18 through 55 about security.  81% of those surveyed said they were victims of computer infections.  Almost a third of those infections were in the last 90 days.

Panda Security, which provides security software, did a survey of 1,500 U.S. based businesses and 13% of the companies said they do not use anti virus protection.  A different survey indicates that 20% of small businesses do not use antivirus software.

The consequences for businesses that suffer an attack can be devastating:
1.  Business banking accounts hacked

Talk to Hillary Machinery Inc and you will feel their pain.  Cybercriminals stolen over $800,000 from their bank account.  Their bank could only recover $600,000 leaving Hillary Machinery Inc with a gap of $200,000!  They have filed a lawsuit against their bank.

2.  Losing your customer's data & confidence

3.  Theft of intellectual property - I call this the carbon monoxide of cybercrimes - silent, stealthy, and deadly

4.  Loss of equipment & productivity after an infection

As we have discussed before, if you are a business customer, your bank account is not offered the same regulatory protections that consumers have for fraud (Regulation E).

Facebook Places Feature - Fun but be careful!

Facebook as a company is a constant innovator.  It appears that Google and Facebook might be in a race to determine who will be the holder of your data & location based provider of choice.

Unlike GoWalla or Foursquare, Facebook did not roll out location based check ins with treats, ability to earn fun titles such as "Mayor of Starbucks", and coupons.

In its current form, places is location check ins.

You can also check-in your friends when you check in at a location -- even if they are not there.  That could create some odd games of trickery like checking a friend in at a bar when they said they were at the library.

Whether or not you choose to use Facebook's Places, or other location software, is up to you.

3 tips to remember:
1.  Think about where you "check in", is it something you would want your family or boss to know?  Does it portray you in a good light?

2.  If you are alone when you check in, please consider your personal safety.

3.  Your teenagers should not use check-in services unless you have had a conversation with them and you feel they are mature enough to use these services.