
(Reuters) – The United States is launching its first test of a new plan for responding to an enemy cyber-blitz, including any attack aimed at vital services such as power, water and banks.
Thousands of cyber-security personnel from across the government and industry are to take part in the Department of Homeland Security’s Cyber Storm III, a three- to four-day drill starting Tuesday.
The goals are to boost preparedness, examine incident response and enhance information-sharing among federal, state, international and private-sector partners.
“At its core, the exercise is about resiliency — testing the nation’s ability to cope with the loss or damage to basic aspects of modern life,” said a release made available at DHS’s National Cybersecurity and Communications Integration Center in Arlington.
The simulation tests the newly developed National Cyber Incident Response Plan, a coordinated framework ordered by President Barack Obama.
The plan is designed to be flexible and adaptable enough to mesh responders’ efforts across jurisdictional lines. Refinements may be made after the exercise, DHS officials said.
The test involves 11 states, 12 foreign countries and 60 private companies.

How confident are you that your computer is safe from an online attack?
Chances are you rely on vendors like Microsoft and Apple to let you know when a security update is ready to be installed. (Google updates systems automatically.)
But until a patch is released, that hole–known as a zero-day vulnerability–in effect makes your computer a sitting duck for anyone who writes an exploit for it and bothers to distribute it via e-mails and drive-by downloads on Web sites.
EEye Digital Security launched a Web site yesterday that lists current zero-day vulnerabilities and offers an archive of ones that have been patched. The Zero Day Tracker compiles information on publicly disclosed security holes and provides details on them, including what software they affect, how severe they are, the potential impact and suggestions for workarounds and other protection techniques.
Marc Maiffret, co-founder and chief technology officer of eEye, describes the free site as a “one-stop shop” for zero-day information.
“For the longest time the only company that would notify you about zero-days was Microsoft, and recently Adobe has started doing that,” he said. “But there are still many other companies that have zero-day vulnerabilities that go unreported.”
The most widely used database of software vulnerabilities is the National Vulnerability Database sponsored by the Department of Homeland Security’s National Cyber Security Division/US-CERT and run by the National Institute of Standards and Technology. There is also the Open Source Vulnerability Database, the US-CERT Vulnerability Notes Database and one run by SecurityFocus. But you have to do some digging on the sites to find the vulnerabilities that are unpatched.

International cyberwar would be “worse than a tsunami” and should be averted by a global cybersecurity peace treaty, according to the head of the International Telecommunications Union.
Hamadoun Touré, who has been secretary-general of the UN agency since 1999 and is up for reelection in a few weeks’ time, has targeted cybersecurity issues in his electoral pledges. Speaking at a London roundtable on Thursday, he said he had proposed such a treaty this year, but it had met “a lot of resistance” from industrialised nations.
“My dream, I said in Davos this year, is that I would like to have a cyber peace treaty,” Touré said. “Some people think it’s a sin. People who think they are secure don’t want anyone else to talk about it. I say there is no [online] superpower.”
“We need to avoid a cyberwar starting. After the cases of Estonia and Georgia, you need to realise how fragile the world is becoming. A cyberwar will be worse than a tsunami — we have to avoid it,” he added.
In 2007, Estonia suffered a series of denial-of-service attacks, which followed its relocation of a statue deemed sensitive to the Russians. Although there were suggestions that the Russian government itself was behind the attacks, which shut down banking systems and also targeted government systems, others believe they were the work of an online flashmob of disgruntled individuals. Georgia’s web infrastructure was knocked out in 2008, coinciding with a physical invasion by Russian forces.

The cyber attack on the Atlanta-based subsidiary of the Royal Bank of Scotland (RBS) began Nov. 4, 2008, even as Americans went to polls to elect a new president. While Mr. Obama’s supporters were savoring political victory, Sergei Tsurikov and alleged members of his hacker gang in Eastern Europe were nearing their own celebration: Having cracked the encryption protecting prepaid payroll cards of the bank’s WorldPay, the cyber criminals were allegedly orchestrating a lightning-strike theft.
After providing 44 fake payroll debit cards and stolen PIN numbers to a platoon of “cashers,” Mr. Tsurikov and his partners watched on computer screens as the cashers withdrew $9.4 million from 2,100 ATMs in at least 280 cities around the world – all in less than four days, according to a federal indictment.
Until recently, cyber thieves behind sophisticated thefts like the one at RBS had little to fear. Because the suspects often operate from distant nations and across jurisdictional boundaries, law enforcement authorities in the US and elsewhere found it difficult to catch them, much less get them to court.
Now come small yet substantial signs that the good guys may be gaining a bit of ground in the cyber fight. The Federal Bureau of Investigation (FBI), US Secret Service, and others cheered last week as Tsurikov was extradited from Estonia to Atlanta, where he now sits in a federal cell awaiting trial. On Friday he pleaded “not guilty” to federal charges concerning his alleged role in the RBS WorldPay cyber heist.
After years of struggle, US law enforcement officials and private cyber security firms say they have made some strides despite a massive and growing cyber theft problem.
“In just one day, an American credit-card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted,” United States Attorney Sally Quillian Yates said in a statement about the RBS WorldPay case. “With cooperation from law enforcement partners around the world, and most particularly in Estonia, we have now extradited to Atlanta one of the leaders of this ring.”

Senator Joe Lieberman’s draconian Internet takeover legislation, the 197-page Protecting Cyberspace as a National Asset Act, is being promoted as a vital tool to protect vulnerable infrastructure hubs from terrorist attacks, but as a recent Wall Street Journal report makes clear, large industrial power and water plants are not even connected to the public Internet.
Lieberman has been busy over the last several months pushing the cybersecurity agenda, with a bill that would hand President Obama the power to shut down parts of the world wide web for at least four months with no congressional oversight in the event of a cyber attack on critical infrastructure systems in the U.S.
However, the primary purpose of cybersecurity and Lieberman’s legislation is to combat a problem that doesn’t exist.
As a recent Wired News article highlighted, power grid and drinking water systems “are rarely connected directly to the public internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.”
The article explains that it would take a gargantuan national effort on behalf of a nation state, utilizing a plethora of national resources, to even begin to attempt taking down complex power and water systems. This isn’t merely a case of a rag-tag terrorist group hacking into a website via their laptops.

Last week’s International Conference on Cyber Security 2010 brought together global leaders and representatives from more than 40 countries in emerging cyber threat analysis and enforcement at Fordham University’s Lincoln Center campus in New York City.
Held Aug. 2-5, the joint effort between the FBI and Fordham University gathered representatives from various law-enforcement and government agencies, academic institutions and private industries. Among other related topics, participants discussed advancements in cybersecurity and emerging cyber threats.
Speaking at the conference, FBI Director Robert S. Mueller, III said a cyber attack could have the same impact as a well-placed bomb.
“To date, terrorists have not used the Internet to launch a full-scale cyber attack,” he said. “But they have executed numerous denial-of-service attacks and defaced numerous websites.”
He added later in his speech that no one entity can stop cyber crime.
“A ‘bar the windows and bolt the doors’ mentality will not ensure our collective safety,” he said. “Fortresses will not hold forever; walls will one day fall down. We must start at the source; we must find those responsible.”
George Venizelos, Acting Assistant Director in Charge of the FBI New York Division, said that in addition to the domestic partnerships, the international partnerships provide invaluable contributions and intelligence-sharing efforts for use in examining the field of cybersecurity.

Hackers at DefCon are gathering to prove that, when it comes to launching a computer network attack, smooth talk works better than software skills any day.
The contest challenges hackers to call workers at 10 companies, including technology titans Google, Apple, Cisco, and Microsoft, and get them to reveal too much information to strangers.
Other companies targeted were Pepsi, Coca-Cola, Shell, BP, Ford, and Procter & Gamble.
One employee was conned into providing specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system.
“You often have to crack through firewalls and burn the perimeter in order to get into the internal organisation,” News.com.au quoted Mati Aharoni of Offensive Security, a company that tests company computer defences, as saying.
“It is much easier to use social engineering techniques to get to the same place,” he added.
“We wanted to show that social engineering is a legitimate attack vector.”
One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate, but the hacker convinced him not to do that, saying he was under ‘immense pressure’.

Could the NSA’s new “Perfect Citizen” actually be used for spying on every citizen in the U.S.?
The name sounds like an action movie — the heroic vigilante chases down the bad guys to aid his country and prevent a nuclear armageddon. It also sounds like the worst possible name for a government program intended to protect citizens, not spy on them.
The NSA’s new cyber-security program Perfect Citizen will monitor nuclear power plants, train stations, and the electric power grid to safeguard against cyber-assaults.
And as the Wall Street Journal reported, the new program is intended to monitor cyber-terrorist threats and “would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack.”
According to that report, Raytheon was awarded a $100M contract to develop Perfect Citizen. (Raytheon declined to comment to FoxNews.com, as did the NSA, other than describing Perfect Citizen in an official statement as a “research and risk-assessment” project that does not use sensors.)
How would such a system work? Why do experts fear it could be turned against us? And should the government really be in the business of installing sensors on the private power grid and at nuclear plants owned by private companies?
Fighting cyber-attacks
Your local power plant was built long before Google became a household name. Yet just about every nuclear power plant, train station, subway system and local power company now connects to the outside Internet, either for employees to access their e-mail or just to check the weather.
And many utility companies provide remote access for workers to monitor these utility systems; some plants are even interconnected over the Internet to share data.

The Perfect Citizen project is purely a research-and-engineering effort, not an attempt to monitor companies against cyberattack, the National Security Agency said Thursday.
The NSA issued a brief explanation of the new project in response to a Wall Street Journal story that described Perfect Citizen as a government system designed to monitor vital agencies and private utilities against potential cyberthreats. The project would establish a series of sensors installed throughout various computer networks that would raise an alarm in case of a pending cyberattack, according to the Journal.
But in an e-mail statement attributed to NSA spokeswoman Judith Emmel, the agency denied that Perfect Citizen would involve any type of monitoring activity or sensors, and labeled it as “purely a vulnerabilities assessment and capabilities development contract.” She added that “it does not involve the monitoring of communications or the placement of sensors on utility company systems.”
Although the agency called the Journal’s story an “inaccurate portrayal of the work performed at the National Security Agency,” it said that due to the highly sensitive nature of its work, it could not confirm or deny specific allegations addressed in the article. As a result, the NSA shared few details on the project.
Specifically referring to it as a contract, the NSA said Perfect Citizen “provides a set of technical solutions that help the agency better understand the threats to national-security networks, which is a critical part of NSA’s mission of defending the nation.” The Journal had pinpointed Raytheon as the recipient of the initial phase of the contract in a deal worth up to $100 million, though neither the NSA nor Raytheon would confirm that report, according to Reuters.

The NSA has a new program called “Perfect Citizen” that lets it monitor the networks of utilities and other “critical” infrastructure to identify potential electronic attacks, The Wall Street Journal reported Wednesday.
Under the $100 million program, the nation’s top spying group will embed surveillance probes in privately owned networks to look for suspicious behavior, the Journal’s Siobhan Gorman reports. The NSA, which has the dual responsibility for eavesdropping on other countries and defending .mil networks, has no authority to order companies to install its spying software, but cooperation can be achieved through a bit of arm-bending, according to the paper.
The NSA, part of the Defense Department, is getting around a broad prohibition against the military operating on U.S. soil by pairing with Homeland Security on the program. The move to expand the NSA and government computer-security defenses beyond the government’s own networks is unprecedented, but not unexpected. Nor is the creepy, Orwellian name “Perfect Citizen” unusual, following the trail blazed by the ostensibly defunct Total Information Awareness project.
Government insiders have recently been whipping up bureaucratic and public support for increased government funding for computer security. Former Director of National Intelligence Michael McConnell convinced President Bush to sign a still-largely-secret computer-security plan in January 2008, after telling him that hackers going after the nation’s banks could cause economic damage worse than the Sept. 11 attacks.
Now back at a government-contracting business, McConnell was given space in The Washington Post to declare the nation was actually in the midst of a cyberwar that it was losing, without actually noting who the country was at war with or where the casualties were being treated.

On Thursday, a Wall Street Journal report sparked fear in the public after it described an NSA-led program capable of deploying sensors to networks that control critical infrastructure.
According to the NSA, the concern is unwarranted, as the program itself, which the Wall Street Journal report claims is the result of a classified contract between the NSA and defense contractor Raytheon, is “a vulnerabilities-assessment and capabilities-development” project.
Citing sources familiar with the ‘Perfect Citizen’ program, the report also said “surveillance by the National Security Agency, the government’s chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system.”
Raytheon told The Tech Herald that it would not comment on the story, while the NSA responded to public reaction by saying suggestions that “there are illegal or invasive domestic activities associated with this contracted effort are simply not true. We strictly adhere to both the spirit and the letter of U.S. laws and regulations.”
When the Reuters news agency asked the NSA to confirm or deny the details in the Journal’s report, a spokesperson declined to answer, saying it was inappropriate due to the sensitivity of what the NSA does in the national defense arena.
When it comes to the NSA’s efforts to secure cyberspace, Perfect Citizen is nothing new, nor is the notion of the organization working in the private sector. The NSA has long maintained an Information Assurance program that is widely known and used by several major companies. Earlier this year, search giant Google turned to the NSA’s Information Assurance program for assistance after its services were attacked in China.

The U.K. has the ability to launch cyber attacks but does not use it for industrial espionage like some other countries, England’s security minister Lord West said.
According to the BBC, West has refused to elaborate on the matter and explain whether cyber attacks have been used for military purposes. However, he told BBC Radio 4’s PM program the country faces cyber attacks “on a regular basis” from countries such as Russia and China. He also confirmed the British government had approached the Russian and Chinese governments to ask them to stop the attacks.
“We have had a dialogue with them in the past and I wouldn’t want to go into what goes on in terms of debate at the moment,” West told the BBC.
When pressed on whether Britain has used cyber attacks itself, he said:
“We do not go and attack other nations to try and find from them their industrial secrets.”
But he added: “I think it would be very silly of any nation not to have an ability to use cyberspace for the safety and security of its nation.”
Commenting on Britain’s cyber warfare capabilities, West said it has an ability to do things and “we have got very good and very talented people who have worked on this.”