Archive for the ‘Computer Security’ Category

Ponemon 2013 Live Threat Intelligence Impact Report

Friday, August 9th, 2013

 

August 8, 2013

“We are pleased to announce the release of a new study, Live Threat Intelligence Impact Report 2013, that reveals the facts behind the impact that weak intelligence can have on organizations and why the ability to quickly gather, analyze and use actionable intelligence is essential to cyber defense. According to the study sponsored by Norse, the companies that seem to be most successful in thwarting compromises to networks and enterprise systems say the optimal age of actionable intelligence is no longer than 4.6 minutes. To learn more about the value of immediate and live intelligence, we hope you will read the full report.

 

Center for Strategic and International Studies: Economic Impact of Cybercrime and Cyber Espionage

Friday, July 26th, 2013

 

July 25, 2013

Center for Strategic and International Studies July 2013: “The wide range of existing estimates of the annual loss—from a few billion dollars to hundreds of billions—reflects several difficulties. Companies conceal their losses and some are not aware of what has been taken. Intellectual property is hard to value. Some estimates relied on surveys, which provide very imprecise results unless carefully constructed. One common problem with cybersecurity surveys is that those who answer the questions “self-select,” introducing a possible source of distortion into the results. Given the data collection problems, loss estimates are based on assumptions about scale and effect—change the assumption and you get very different results. These problems leave many estimates open to question.”

 

Electronic Products: Microsoft helped NSA get around its encryption systems so agency could more easily spy on users

Monday, July 22nd, 2013

 

July 22, 2013

Microsoft helped NSA get around its encryption systems so agency could more easily spy on users

According to reports given to The Guardian newspaper by whistleblower Eric Snowden, the NSA was provided with work-around access to most of Microsoft’s programs,…more

 

SIM card flaw said to allow hijacking of millions of phones by Steven Musil

Monday, July 22nd, 2013

 

by Steven Musil

July 21, 2013

(Credit: Amanda Kooser/CNET)

A vulnerability on SIM cards used in some mobile phones could allow malware infection and surveillance, a security researcher warns.

Karsten Nohl, founder of Security Research Labs in Berlin, told The New York Times that he has identified a flaw in SIM encryption technology that could allow an attacker to obtain a SIM card’s digital key, the 56-digit sequence that allows modification of the card. The flaw, which may affect as many as 750 million mobile phones, could allow eavesdropping on phone conversations, fraudulent purchases, or impersonation of the handset’s owner, Nohl warned.

Crypto expert Karsten Nohl. (Credit: Seth Rosenblatt/CNET)

"We can remotely install software on a handset that operates completely independently from your phone," warned Nohl, who said he managed the entire operation in less than two minutes using a standard PC. "We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account."

The vulnerability was found in the Digital Encryption Standard, a cryptographic method developed by IBM in the 1970s that is used on about 3 billion cell phones every day. While the encryption method has been beefed up in the past decade, many handsets still use the older standard.

Tests showed that 1,000 cards in Europe and North America exhibited signs of the flaw. Nohl, who plans to detail the flaw at the Black Hat security conference in Las Vegas next month, said he has already shared the results of his two-year study with GSM Association, a trade group representing the cell phone industry.

GSM Association spokeswoman Claire Cranton told the Times that her organization had already passed the results on members of its group that still rely on the older standard.

"We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted," Cranton said in a statement.

Nohl, who has a doctorate in computer engineering from the University of Virginia, made headlines in 2008 by publicizing weaknesses in wireless smart card chips used in transit systems around the globe. A year later, he cracked the algorithm used on GSM (Global System for Mobile Communications) cell phones, which is designed to prevent attackers from eavesdropping on calls.

LINK: http://news.cnet.com/8301-1009_3-57594754-83/sim-card-flaw-said-to-allow-hijacking-of-millions-of-phones/

 

The Future of US Cyber Command By Jason Healey

Monday, July 22nd, 2013

 

World War Web Advisory: CyberWar, courtesy watchingfrogsboil/flickr
Creative Commons - Attribution-Noncommercial-Share Alike 2.0 Generic Creative Commons - Attribution-Noncommercial-Share Alike 2.0 Generic

 

11 July 2013

By Jason Healey for Atlantic Council

World War Web Advisory: CyberWar

The US military’s cyber arms have had many institutional homes over the last 20 years – the latest being US Cyber Command. Today, the Atlantic Council’s Jason Healey explores the possible next-step option – breaking Cyber Command away from its unwieldy parent, US Strategic Command.


For months it has been an entertaining parlor game in the nation’s capital: guessing what will happen next with U.S. Cyber Command, the military organization designed to defend the country’s networks and attack its adversaries. The topic will increasingly be in the spotlight as the head of that command, General Keith Alexander, is also the director of the National Security Agency, which is beset by revelations of cyber snooping—possibly a damaging link if the crisis does not blow over.

Cyber Command is only a few years old, but the history of its predecessors helps give clues to what is to come. For fifteen years, the military has tried to integrate or “normalize” cyber, but the meaning of normal and how to achieve that has shifted several times.

The U.S. military began to organize around cyber and information warfare just after the first Gulf War of 1991. The Air Force Information Warfare Center was launched in 1993 and the other services followed soon after. Offense and defense operations were combined in the operational 609th Information Warfare Squadron in 1995. These units, however, were all single-service and generally could not direct cyber defenses, only making suggestions with little Pentagon control.

To “normalize” cyber, in 1998 the Pentagon created the real predecessor to U.S. Cyber Command, the twenty-four-person Joint Task Force–Computer Network Defense (JTF-CND) to be in charge. Two years after it was stood up, the unit was given responsibilities for offense as well as defense, as one of the perceived lessons of the past was that the same commander should handle both.

However, this lesson proved to be transient, as offense and defense were split apart in 2004, with the National Security Agency getting the offensive mission and the Defense Information Systems Agency getting defense, since it seemed more “normal” to have the main military IT organization also defend all the IT. But that solution itself only lasted a few years, when to be more “normal” the missions were recombined into the new U.S. Cyber Command, whose commander was also the director of the NSA. Since NSA had so much cyber capability, it seemed natural to have the same four-star officer run both cyber and signals intelligence; the revelations of cyber spying might just break that connection if it appears having cyber warfighting responsibilities distracted General Alexander from his NSA job.

This history helps inform the debate about what should happen next with U.S. Cyber Command. There are a few leading options:

Splitting NSA and Cyber Command: This had already been a leading option, even before the recent leaks. General Alexander had planned to retire in early 2014, but it is possible he won’t last that long, now that President Obama has had to publicly discuss programs that the General’s organization was supposed to keep secret. This option of splitting the command is probably the most likely, as the president would understandably want a director of NSA able to work it as a full-time job, rather than sharing time with the sexier offensive missions of Cyber Command.

This division of roles would return to the command relationship of 2004, with a three-star NSA director from intelligence reporting and a four-star general from a more traditional warfighting background.

Combatant Command: Cyberspace may be so different from the other domains of air, land, sea and space that it makes little sense for U.S. Cyber Command to be subordinate as a subunified command to U.S. Strategic Command. Cyberspace and operations there transcend geographic regions, domains and the normal spectrum of conflict. Thus, an elevation to its own unified command is justified. This option makes sense if cyber is indeed important but unlikely to be a truly new domain.

In one sense, this is just the next step of a natural progression since 1998 of ever-larger commands with higher-ranking generals in charge. But proponents of creating a new command should be wary of the precedent set by U.S. Space Command. Created in 1985 when space was the domain of the future, it only lasted until 2002, since it turns out that space isn’t all that different or critical. In the rush to claim that the domain was different, the space community potentially overreached and their command is mostly forgotten today. Yet this remains a likely path for cyber.

Special Operations: Another argument is that cyber is so special it can’t ever be normal. After all, the geeks who dominate cyber often don’t excel in (or necessarily even need) traditional soldiering discipline, fitness or skills. In this option, U.S. Cyber Command should not belong to U.S. Strategic Command but rather should be under U.S. Special Operations Command. This option makes sense if cyber conflicts in the future are predominantly shadowy irregular conflicts and the Pentagon wants to emphasize this aspect above all others.

Even though the covert actions and proxy/irregular cyber conflicts are indeed increasingly prevalent, the special-operations model ignores the bulk of what happens in cyberspace, the day-to-day grunt work of cyber defense and network management. This does not require any particularly special expertise, just patience and attention to detail over time, which is one reason why this is not a likely option.

New Cyber Service: If cyber truly is important and a new domain of warfighting, then perhaps the most normal option is not to elevate or reassign a command but create an entirely new service. After all, the land, sea and air domains each have a respective service. This new Department of Cyberspace would then parcel cyber forces to the combatant commands and provide common cyber services to all, especially for technologies like long-haul networks.

This is the least likely option as it is too bold and not necessarily warranted by the current circumstances. The space domain again provides the example: there are consistent and periodic calls for it to have a separate service, yet the military seems fine without a space command, much less a separate service. Moreover, with the problems faced by NSA, there may be retrenchment as the Washington takes a less aggressive posture.

Status Quo: It is entirely reasonable if the national military leadership decides to keep the present arrangements. But with NSA in such trouble, this is increasingly unlikely.

The final decision may depend on the personalities of the generals and admirals available for command, the legacy of General Alexander, and above all, cost. Regardless of which is the smarter option in the long term, the overwhelming pressure of operating during the sequester suggests that the cheapest options—the status quo or splitting NSA and Cyber Command—are the most likely.

Cheap has another advantage: cheap is simple. Each redrawing of command lines has meant more distraction from actually solving the underlying cyber problems, which have been remained similar for decades.

Regardless of the final decision on U.S. Cyber Command, it will only be one more step—and by no means the last—as the U.S. military seeks to keep pace with conflict in cyberspace.

Jason Healey is the director of the Cyber Statecraft Initiative at the Atlantic Council and editor of the first book on the history of cyber conflict, A Fierce Domain, Cyber Conflict from 1986 to 2012. This piece was first published by The National Interest.

LINK: http://www.isn.ethz.ch/Digital-Library/Articles/ …

BOOK: A Fierce Domain: Conflict in Cyberspace, 1986 to 2012  by Jason Healey

Book Description

Publication Date: June 1, 2013

A Fierce Domain: Conflict in Cyberspace, 1986-2012 is the first book of its kind- a comprehensive, accessible history of cyber conflict. A Fierce Domain reaches back to look at the major "wake-up calls," the major conflicts that have forced the realization that cyberspace is a harsh place where nations and others contest for superiority. The book identifies the key lessons for policymakers, and, most importantly, where these lessons greatly differ from popular myths common in military and political circles.

 

Technorati Tags: ,,

Cyber-crime, securities markets and systemic risk – Rohini Tendulkar

Friday, July 19th, 2013

 

July 16, 2013

Cyber-crime, securities markets and systemic risk. Joint Staff Working Paper of the IOSCO Research Department and World Federation of Exchanges. Author: Rohini Tendulkar (IOSCO Research Department). Survey: Grégoire Naacke (World Federation of Exchanges Office) and Rohini Tendulkar.

“This report and survey is intended as part of a series exploring perspectives and experiences with cyber-crime across different groups of securitiesmarket actors. The purpose of the series is predominantly to : (1) deepen understanding around the extent of the cyber-crime threat in securities markets; (2) highlight potential systemic risk concerns that could be considered by securities market regulators and market participants; and (3) capture and synthesize into one document some of the key issues in terms of cyber-crime and securities markets in order to increase general understanding and awareness.”

 

LINK: http://www.world-exchanges.org/files/statistics/pdf/IOSCO_WFE_Cyber-crime%20report_Final_16July.pdf