Reflections on 2009
Just over a year ago, I was invited to join ongoing discussions with retired Lt. General Harry Raduege, Scott Charney and Representatives Langevin and McCaul and other industry, academia, and government representatives, and engaged in an impassioned debate. The topic? Cybersecurity strategy and direction for the next President. How would we advise the incoming President about protecting and securing our country’s information systems?
Formulated within the Center for Strategic and International Studies (CSIS), we discussed the evolving online threats, how our current approaches and technologies stack up against these threats, and how these factors – and others – impact the online world in ways that affect U.S. critical infrastructure and our way of life. In late December 2008, we completed and delivered the Securing Cyberspace for the 44th Presidency report, which outlined our recommendations.
When President Barack Obama came into office, he appointed Melissa Hathaway – who chaired a multiagency group called the “National Cyber Study Group” that was instrumental in developing the Comprehensive National Cyber Security Initiative to direct U.S. Federal cybersecurity efforts – leading to a comprehensive “60-Day Review” of the U.S. cybersecurity infrastructure. The ensuing Cyberspace Policy Review published in May 2009 by the Obama administration includes key findings and recommendations from the 60-Day Review. This report examines important cybersecurity challenges and sets the focus and path toward increasing the security of government, critical infrastructure and consumer systems, both domestically and globally.
Fast-forward to this past December 22. President Obama’s appointment of Howard Schmidt as U.S. Cybersecurity Coordinator should regenerate the momentum needed for the U.S. – and the world – to protect national and economic interests online. Mr. Schmidt is faced with the arduous task of reinvigorating and building upon the significant efforts to date, forging new relationships while expanding upon collaborations already underway between the private and public sectors, and international leaders.
The Town of Poughkeepsie, NY was in the news this past week because the municipality’s bank account was targeted by international computer thieves. This is a prime example of the warning issued by the FS-ISAC last August, which I discussed here. In light of the incident that cost Poughkeepsie’s government nearly US$300,000, I thought it would be prudent to revisit automated clearinghouse (ACH) wire fraud.
To Hide is to Thrive
Malware is just plain insidious. It can do very wicked things on a very large scale. Ostensibly, to do the dirt, malware must fly under the radar of the good guys’ defenses. When it comes to the art and science of detecting and concealing malware, for decades an escalating war of complexity has raged on betwixt the benevolent and the malevolent. This article aims to be a 98% assembly language free (mov al, 61h) examination of that arms race, with a specific focus on a brief history of malware obfuscation.
Obfuscation of malware serves one ultimate purpose: survival.
Early on, malware authors learned that for their dark little creations to spread and prosper, they must be kept hidden from the sentinels of light. The longer a piece of malware can stay undetected, the longer it has to spread and evolve. If malware didn’t take measures to conceal itself, it would be easy pickins for the front-line troops in the AV vendors’ armies, the pattern matchers. Additionally, as malware stays enshrouded, it eschews analysis by the experts, which further complicates efforts to scrutinize its internal yum-yumness (and subsequently come up with methods to detect and destroy).
Recently, the Electronic Frontier Foundation (EFF) and the International Secure Systems Lab (iSec Lab) have publicized methods of de-anonymization. The EFF released a tool to demonstrate de-anonymization via browser fingerprinting, while an iSec Lab paper featured in Heise Security discusses the authors’ attempts to use browser history and the unique properties of social networks to identify individuals. The threats to user privacy continue to grow more evident and sophisticated.
I have a confession to make. I sometimes leave my company-issued laptop in my car when I run errands between work and home. My laptop bag, particularly after I have stuffed it with papers, lunchbox, laptop, cords and other detritus, feels like a sack of bricks on my shoulder. When running into the supermarket with my environmentally friendly cloth shopping bag, the last thing I want is an extra 50 pounds to carry around. Or let’s say I am going into a restaurant for a relaxing dinner. Do I carry my laptop with me or leave it in the car? Remember, if I bring it with me, I have to carry it to the restroom as well.