businessinsider.com
Right now, some of your most sensitive corporate data is being stolen by corporate spies.

These spies work for the competition, looking to get the edge over you, and they work for investors

, hoping to get ahead of the market.

A new book by Eamon Javers, Broker, Trader Lawyer, Spy: The Secret World Of Corporate Espionage, reports that such companies as Goldman Sachs, SAC Capital, and KPMG have employed these spies.

In digging for information on a company, the spies look for sources who usually come in one of two flavors:

• The first is a “male in his mid 20s who is somewhat bored, likes to party, needs money, likes women, sports and risk, is disrespectful to his managers, and is patriotic.”

• The second is a young woman who is insecure, overweight, and bitchy. She doesn’t have a boyfriend and except for a strong relationship with her mother, has only fake friends.

But it’s not enough to get just the profile of the potential sources inside your company. We’ve gone through Javers’ book and identified the 20 common tactics used in corporate espionage.

More…

usatoday.com

The attack can force heavily secured computers to spill documents that likely were presumed to be safe. This discovery shows one way that spies and other richly financed attackers can acquire military and trade secrets, and comes as worries about state-sponsored computer espionage intensify, underscored by recent hacking attacks on Google.

The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer. But laptops and smart phones get lost and stolen all the time. And the data that the most dangerous computer criminals would seek likely would be worth the expense of an elaborate espionage operation.

More…

Aviation Week is hosting an A&D Cybersecurity Forum, “Protect Your Enterprise with Secure and Resilient Information Flow”, March 31 – April 1, 2010 at the Hyatt Regency Washington Capitol Hill in Washington, DC. From their website:

AVIATION WEEK’s  A&D Cybersecurity Forum will bring together executives from leading A&D companies, government agencies and security experts to share best strategies on minimizing cybersecurity risks with efficiencies in cost and operations. The Forum will consider changing dynamics of cyber-threats, transitioning from theoretical assessments to technical and practical sessions, focusing on:

• Protection of essential data flow & intellectual property
• Cyber threat identification, assessments and disruption prevention
• Secure information sharing and access
• Training and Awareness for human operability
• Analysis and measurements of cybersecurity efficiencies
• Global perspectives on vulnerabilities of international information enterprises

More information is available at Aviation Week.

Via Computerworld and other sources:  China has announced the shutdown of what the BBC says “is believed to be the country’s biggest training website for hackers,” Black Hawk Safety Net, resulting in the arrests of three.  The WSJ confirms the arrests actually occurred in November, leading to speculation that this may be an attempt to ward off negative press from its recent flap with Google.

Whether or not that’s true, the shutdown of this site does signal that China is having to navigate a difficult balance with cybersecurity issues as Internet use grows. On the one hand, the growth of nationalist hacker groups has afforded the government the advantage of plausible deniability for activities ranging from campaigns against Tibetan exiles to sophisticated penetration attempts of U.S. government and industry databases. On the other hand, the sheer volume of trained hackers (or untrained, armed with a few easy-to-use tools) combined with a growing e-commerce market makes for … a fertile (if illicit) opportunity, sized at $1B in 2008 and fuel for a $35M “hacker training” industry.

China has closed what it claims to be the largest hacker training website in the country and arrested three of its members, domestic media reported on Monday. The “Black Hawk Safety Net” website taught hacking techniques and provided malicious software downloads for its 12,000 members in exchange for a fee, the Wuhan Evening News newspaper reported this weekend, citing police in Huanggang, just east of Wuhan. Hacking from China has received international attention since Google Inc threatened to quit China last month after a serious hacking attempt originating from China, resulting in the theft of its intellectual property. China has denied involvement in the hacking episode and said it does not condone hacking. The website was shut in late November and three of its members arrested on suspicion of criminal activity, the newspaper reported, without saying why the news was only released now

http://uk.reuters.com/article/idUKTRE6170H420100208

The Following is a list of influencers on the subject of Cyber Security.

A more comprehensive search would turn up many more — including professors at programs such as Johns Hopkins University Information Security Institute.

1. Bytes and Badges: http://bytesandbadges.com/
2. Catching Mice in China: http://www.vaubanconsulting.com/blog/
3. Cuckoo’s Egg: http://gucosc011.blogspot.com/
4. Cyber Strategies: http://cyberstrategies.wordpress.com/
5. Dark Reading: http://www.darkreading.com/index.jhtml
6. Defintel: http://defintel.blogspot.com/
7. Fraud Control: http://newsaboutfrauds.blogspot.com/
8. Fraud War: http://fraudwar.blogspot.com/
9. GarciaStrategies: http://cyberstrategies.wordpress.com/
10. InformationWarfareMonitor:http://www.infowar-monitor.net/
11. Potpourri: http://blog.vorant.com/
12. Intel Fusion: http://intelfusion.net/wordpress/
13. J.D. Abolins: http://jabolins.livejournal.com/
14. Malware Info: http://malwareinfo.org/ 
15. NetworkWorld http://www.networkworld.com/community/node/36250
16. Security Bloggers Net: http://www.securitybloggers.net/
17. Security4all: http://blog.security4all.be/
18. Tao Security: http://taosecurity.blogspot.com/
19. The Dark Visitor: http://www.thedarkvisitor.com
20. The ITSecurity Guy: http://theitsecurityguy.blogspot.com/
21. Ubiwar: http://ubiwar.com/
22. Jeffrey Carr, blogger at IntelFusion and author of Inside Cyber Warfare: Mapping the Cyber Underworld:
23. Joel Dubin, blogger at TheITSecurityGuy and author of The Little Black Book of Computer Security:
24. The anonymous blogger, who states he retired from the military in 2003 after serving 20 years as a Nay Cryptologist, who runs CyberStrategies.

A 17-year-old bug in Windows will be patched by Microsoft in its latest security update.

The February update for Windows will close the loophole that dates from the time of the DOS operating system. First appearing in Windows NT 3.1, the vulnerability has been carried over into almost every version of Windows that has appeared since. The monthly security update will also tackle a further 25 holes in Windows, five of which are rated as “critical”.

Home hijack

The ancient bug was discovered by Google security researcher Tavis Ormandy in January 2010 and involves a utility that allows newer versions of Windows to run very old programs. Mr Ormandy has found a way to exploit this utility in Windows XP, Windows Server 2003 and 2008 as well as Windows Vista and Windows 7. The patch for this vulnerability will appear in the February security update. Five of the vulnerabilities being patched at the same time allow attackers to effectively hijack a Windows PC and run their own programs on it.

As well as fixing holes in many versions of Windows, the update also tackles bugs in Office XP, Office 2003 and Office 2004 for Apple Macintosh machines. The bumper update is not the largest that Microsoft has ever released. The security update for October 2009 tackled a total of 34 vulnerabilities. Eight of those updates were rated as critical – the highest level.

In January 2010, Microsoft released an “out of band” patch for a serious vulnerability in Internet Explorer that was being exploited online. The vulnerability was also thought to be the one used to attack Google in China. Following the attack on Google, many other cyber criminals started seeking ways to exploit the loophole. Also this week, a security researcher has reported the discovery of a vulnerability in Internet Explorer that allows attackers to view the files held on a victim’s machine. Microsoft has issued a security bulletin about the problem and aims to tackle it at a future date. At the moment there is no evidence that this latest find is being actively exploited online.

http://news.bbc.co.uk/1/hi/technology/8499859.stm

An email “phishing” fraud against the European Union’s greenhouse gas Emissions Trading Scheme (ETS) has prompted the executive European Commission to revise its Internet security guidelines, the Commission said. German officials said on Wednesday that online fraudsters had targeted international carbon markets to steal emissions permits from companies and sell them illegally. The ETS is the 27-country European Union’s main tool to force industry to cut greenhouse gas emissions. It allows companies to buy emissions permits from others when cutting those emissions is too expensive. The permits are administered by registries. “The Commission intends to review the security measures applicable to ETS registries and will prepare revised security guidelines for registries and an action plan aiming at harmonising approach in case of future such incidents,” the EU executive said on Thursday. The Commission said a limited number of fraudulent transactions had been carried out, with fake emails sent to users asking them to log on to a malicious website, pretending to be that of a registry, and disclose their user codes and passwords. This kind of scam is known as “phishing.” They said six German companies had been hit by the scam, and companies in New Zealand and Australia had also been affected. The EU executive said it was alerted by the Netherlands and Norway, and it had informed all other member states to take appropriate security measures immediately.

http://uk.reuters.com/article/idUKTRE6135IX20100204

Say, is that old “CB” radio still out in the garage? Betterrrr go get it outttt! Better brush off your Smokey and the Bandit era communication skills 10-4, cause you’re a gonna need ‘em.

Stuff To Ponder:
“Following the Halloweenesque scare fest on Capitol Hill earlier this week — where National Intelligence director Dennis Blair and CIA director Leon Panetta warned of impending terrorist doom — the House has The Cybersecurity Enhancement Act (H.R. 4061).

On February 3, Rep. James Langevin of Rhode Island explained how the government will take over private sector cyber security.

“The House today overwhelmingly passed a bill aimed at building up the United States’ cybersecurity army and expertise, amid growing alarm over the country’s vulnerability online,” reports the New York Times. “The bill, which passed 422-5, requires the Obama administration to conduct an agency-by-agency assessment of cybersecurity workforce skills and establishes a scholarship program for undergraduate and graduate students who agree to work as cybersecurity specialists for the government after graduation.”

Guess What Else?

“obama, who in the past has criticized the media, and specifically “cable chatter,” took a moment during his Q & A with Senate Democrats to reiterate that it’s important to tune out the running political commentary on cable networks and in the blogosphere.

“Do you know what I think would actually make a difference…. If everybody here — excuse all the members of the press who are here — if everybody turned off your CNN, your Fox, just turn off the TV, MSNBC, blogs, and just go talk to folks out there, instead of being in this echo chamber where the topic is constantly politics.

“

Now you and I both know that he was speaking to the American people as well. He has said the same thing numerous times, usually only mentioning Fox though. Dudes losing it.

I will say this though. I have turned Fox off. At 5:00 PM and at 8:00 PM. I now have an effigy of Glenn Beck hanging from my backyard Kenyan Keebler tree that he grew to mock the Constitutionalists with, and I have always considered Bill O’Riley to be a pussy in pants. He’s “no spin” my ass. He’s a softball thrower with no stones in his sack. bah

Pearls from Bill:

“What Mr. Obama should be concerned about is the growing acceptance of lies by some Americans on both the left and the right. For example, by investigating the birth announcements in two Honolulu newspapers in August of 1961, “The Factor” has proven that Barack Obama was indeed born in America. It would have been impossible for anyone to get bogus birth announcements into two newspapers. And why would anyone bother unless they knew baby Barack would someday become President Barack? The birther deal is just madness.”

YES MADNESS!!  Bwwahahahah!

What Americans should be and, well frankly, are concerned about, is the already established habit assholes  like O’Riley have of belittling millions of Americans-the very same people that watch Fox news.

Did Billy look at, and handle these newspaper announcements himself?  Bet not.  Prolly glanced at an online image.   And to advance this most ludicrous of all suppositions: that people believe obamas Grannie  got it into her head to conspire at the moment of obamas birth, that she MUST plant the announcements in the paper to assure that obama would one day be the president…………

That’s pretty batshit crazy Billy.  Pretty sure Alinsky would be right proud of your snarky and disingenuous attack.

In your bid to gain obamas attention and favor you have shown yourself to be a consummate sellout.  How’s that for no-spin buddy?

Lame Cherry:
“Obama has now even been sucked into this in he was at the National Prayer Breakfast and started bringing up his religion (he has no Church) which conjures of Jeremiah Wright’s hatred and racism and then Obama linked this all to his birth certificate in his citizenship.”

Lame Cherry refers to this comment by obama:

(at this year’s National Prayer Breakfast, this morning:)

“You can question my policies without questioning my faith — or for that fact, my citizenship“!

“Some have thought this political strategy, but ask yourself if Obama said, “Hey folks, I did not have sex with my daughters Queenie and Sloven last night”, would Americans be thinking, “Obama is a good dad”, or would they correctly be repeating, “What the hell is he talking about having sex with his kids for like a Letterman pedophile?”
It is the old “do you beat your wife joke”, in “When did you stop beating your wife?”, in classic Groucho routine. Obama has done the political wrong of bringing up a subject no one was thinking on in his group, and now made it a national buzz word.”

AND:
“This is the power of Americans speaking in bringing up Obama said he was British by birth, but it expired (like that can ever expire), and Obama is in mental meltdown over this in he now is linking his fraud religion to his fraud citizenship.”

Testify!

Any attempt to decide whether a particular action is “bad” or “good” requires some model of what “good” actually means. The only basis for intelligent action in almost any setting is to be able to have a plan for the expected, but also a mechanism for noticing the unexpected — to which some kind of meta-planning can be attached. This is, of course, a crucial part of how we function as humans; we don’t hang as software often does, because if we encounter the unexpected, we do something about it. (Indeed, an argument along this line has been used by J.R. Lucas to argue that the human mind is not a Turing machine.)

But most cybersecurity applications do not try (much) to build a model of what “good” or “expected” or “normal” should be like. Granted, this can be difficult; but I can’t help but think that often it’s not as difficult as it looks at first. Partly this is because of the statistical distribution that I discussed in my last post — although, on the internet, lots of things could happen, most of them are extremely unlikely. It may be too draconian to disallow them, but it seems right to be suspicious of them.

Actually, three different kinds of models of what should happen are needed. These are:

1. A model of what “normal” input should look like. For example, for an intrusion detection system, this might be IP addresses and port numbers; for a user-behavioral system, this might be executables and times of day.
2. A  model of what “normal” transformations look like. Inputs arriving in the system lead to consequent actions. There should be a model of how these downstream actions depend on the system inputs.
3. A model of what “normal” rates of change look like. For example, I may go to a web site in a domain I’ve never visited before; but over the course of different time periods (minutes, hours, days) the rate at which I encounter brand new web sites exhibits characteristic patterns.

An exception to the first model shows that something new is happening in the “outside” world — it’s a signal of novelty. An exception to the second model shows that the system’s model of activity is not rich enough — it’s a signal of interestingness. An exception to the third model shows that the environment is changing.

Activity that does not fit with any one of these models should not necessarily cause the actions to be refused or to sound alarms — but it does provide a hook to which a meta-level of analysis can be attached, using more sophisticated models with new possibilities that are practical only because they don’t get invoked very often.

Again think of the human analogy. We spent a great deal of our time running on autopilot/habit. This saves us cognitive effort for things that don’t need much. But, when anything unusual happens, we can quickly snap into a new mode where we can make different kinds of decisions as needed. This isn’t a single two-level hierarchy — in driving, for example, we typically have quite a sophisticated set of layers of attention, and move quickly to more attentive states as conditions require.

Cybersecurity systems would, it seems to me, work much more effectively if they used the combination of models of expected/normal behavior, organized in hierarchies, as their building blocks.

wired.com

Google is teaming up with the National Security Agency to investigate the recent hack attack against its network in a bid to prevent another assault, according to The Washington Post.

The internet search giant is working on an agreement with the controversial agency to determine the attacker’s methods and what Google can do to shore up its network.

Sources assured the Post that the deal does not mean the NSA will have access to users’ searches or e-mail communications and accounts. Nor will Google share proprietary data with the agency.

But the move is raising concerns among privacy and civil rights advocates.

The Electronic Privacy Information Center filed a Freedom of Information Act request on Thursday, shortly after the agreement was made public, seeking more information about the arrangement. (.pdf)

forbes.com

ARLINGTON, Va. — Activists have long grumbled about the privacy implications of the legal “backdoors” that networking companies like Cisco build into their equipment–functions that let law enforcement quietly track the Internet activities of criminal suspects. Now an IBM researcher has revealed a more serious problem with those backdoors: They don’t have particularly strong locks, and consumers are at risk.

In a presentation at the Black Hat security conference Wednesday, IBM ( IBM – news – people ) Internet Security Systems researcher Tom Cross unveiled research on how easily the “lawful intercept” function in Cisco’s ( CSCO – news – people ) IOS operating system can be exploited by cybercriminals or cyberspies to pull data out of the routers belonging to an Internet service provider (ISP) and watch innocent victims’ online behavior.

More…

If cybersecurity exists to stop bad things happening in computing systems, then it seems to me that there are several implicit assumptions that underlie many approaches and techniques that might not be completely helpful. These are:

• The distinction between “good” (or “allowable”) and “bad” is a binary distinction;
• The decision about this distinction has to be made monolithically in a single step;
• The distribution of likely things that could happen is uniform (flat).

Even to write them explicitly shows that they can’t quite be right, but nevertheless I suspect they exist, unexamined, in the design of many security systems.

What happens if we remove these assumptions?

If the distinction between “good” and “bad” is not discrete, then our systems instead allocate some kind of continuous risk or suspicion to actions. This creates an interesting new possibility — the decision about what to do about an action can now be decoupled from how the action is categorized. This is not even a possibility if the only distinction we recognize is binary.

From a purely technical point of view, this means that many different kinds of risk measuring algorithms can be developed and used orthogonally to decisions about what the outputs of these algorithms means. Critical boundaries can be determined after the set of risks has been calculated, and may even be derived from the distribution of such risks. For example, bad things are (almost always) rare, so a list of actions ordered by risk will normally have a bulge of “normal” actions and then a small number of anomalous actions. The boundary could be placed at the edge of the bulge.

Second, what if the decision about whether to allow an action doesn’t have to be made all at once. Then systems can have defence in depth. The first, outer, layer can decide on the risk of a new action and decide whether or not to allow it. But it can be forgiving of potential risky actions if there are further layers of categorization and defence to follow. What it can do is to disallow the clearly and definitively bad things, reducing the number of potentially bad things that have to be considered at later stages.

From a technical point of view, this means that weaker but cheaper algorithms can be used on the front lines of defence, with more effective but more expensive algorithms available for later stages (where they work with less data, and so do not cost as much overall, despite being more expensive per instance).

Third, what if our defence took into account that the landscape of expected actions is not uniform, so that low probability events should automatically be treated as more suspicious. For example, spam filtering does lots of clever things, but it doesn’t build a model of the sources of my email, and flag emails from countries that I’ve never, ever received email from as inherently more likely to be spam. (Yes, I know that sender addresses can be spoofed.)

This idea has been used in behavioral profiling of computer activity, and it sort of works. But it needs to be combined with the ideas above, so that actions can be rated along a continuum from: routine (allow), to unusual but still not that unusual (allow, but maybe with a user question or at least logged for occasional inspection), to very unusual (user better explicitly allow), to bizarre (disallow). Windows has a weak version of this, which hasn’t been accepted well by users, but it flags only one thing (program start) and it doesn’t build a model of typical behavior by each user.

For example, the set of IP addresses with which my computer interacts is quite large, and hard to represent by some kind of convex structure, so intrusion detection doesn’t work very well if it depends on wrapping/categorising those IP addresses that are OK, and blocking traffic from those that are not. And usually the set of OK IP addresses is not derived from those I interact with, but encoded in some set of rules that apply to many computers. But if instead I built a model of the IP addresses I interact with, allowing older ones to get stale and disappear, and then looked at new IP addresses and allowed them if they resembled (tricky) those I already interact with, and asked me about the others, then this might work better than current approaches. An IP address is a hierarchical structure, with a possible country followed by the top octet, and so on, so I can discriminate quite finely about what it might mean. Even a web server that is theoretically visible to every other IP address could still benefit from handling unlikely source IP addresses differently.

OK, maybe this isn’t exactly low hanging fruit, but the ideas are straightforward and (IMHO) should be built into the design of more robust systems.

There’s a rapidly increasing interest in cybersecurity, partly because the penny is finally dropping about the financial impact on government and business, and not just individuals.

I don’t work directly in this area, but it is another adversarial domain, so some of the problems and approaches I think about have some applicability.

But cybersecurity does seem to be an area where some Pareto (80:20) thinking might not go amiss.

For example, botnets use machines that have been compromised but whose owners/users don’t realise this. In my experience there are two reasons for this:

1. The owners don’t realise that things are not right with their machine and put anomalous network and disk traffic down to the general weirdness of computers;
2. The machines do not really have an owner — they drive other bits of hardware, or they are shared among many people who each use them for a short time.

One thing that would really help would be for someone knowledgeable (not e.g. Lifehacker — although that would be a start — but someone from the cybersecurity community) would post a complete guide to hardening the major categories of PCs. Most people know that they should be running a spam filter and antivirus software,  but from comments at a recent conference it seems that many people are still seeing spam, which suggests to me that they haven’t even got this simple part right. But there are many other tools that, if run on almost all machines, would cripple the ability to take them over. For example, I’ve been very happy with Iobit’s Security 360 which routinely finds malware on my machine behind a university “security system”. But I don’t use a VPN when I travel and I probably should. And what else should I be doing that I don’t even know is possible?

Volunteers anyone? (Of course, such a thing may exist, but I haven’t been able to find it.)