
Did you know that the Bush administration is pushing to spend $6 billion on cyber security in 2008? (Wall Street Journal)
Would you like to know why? If so read the facts below.
Did you know that AL QAEDA’S top cyber terrorist used phishing schemes and other cyber attacks to steal credit card accounts and buy $3 million worth of terrorist equipment? (FBI)
Did you realize that in the past minute over 5,000 significant incidents were reported to HackerWatch.org? (Hackerwatch.org)
Did you realize that the financial impact of computer viruses in 2005 was over $14 billion and continues to grow? (Computer Economics)
Did you know the busiest day of the week for vulnerability disclosures continued to be Tuesday with 1,361 new vulnerabilities disclosed on this day of the week in 2007? (IBM)
Did you know that nearly 90 percent of all the 2007 vulnerabilities could be remotely exploited? (IBM)
Did you know there was a new software vulnerability reported every 82 minutes? (CERT)
Did you know that Symantec recorded an average of 5,213 denial of service (DoS) attacks per day in the second half of 2006? (Symantec)
Did you know that in 2006, of the individuals who reported hard dollar losses, the largest median losses were from the Nigerian letter fraud ($5,100), followed by check fraud ($3,744) and other investment fraud ($2,695)? (Internet Computer Complaint Center)
Did you know that only about 1% of users follow corporate data and computer security policies? (Absolute Software Research Survey)
Did you know that 27% believe their company has experienced a data security breach? (Absolute Software Research Survey)
Did you know that so far this year there have been 44 corporate and governmental data breaches (reported)? That is about 1 per day when I collected this data. (Privacy Clearing House)
Did you know that all three branches of the military have cyber warfare / information warfare units, including the Navy Network Warfare Command, the Air Force U.S. Cyber Command and the Army — TRADOC G2?
Did you know that in a two-week period five cables were severed in various parts of the Mediterranean Sea, leading to large-scale disruption of Internet and telecom services in the Middle East and parts of Southeast Asia? Two of the five cables were cut in two different places. (Reuters)
Did you know that organized crime has used the internet for criminal activity for some time? Recently (2 years ago) there has been a huge increase in mob-based attack sophistication that has moved organized crime over the internet from an irritation to a serious problem. (IT Security)
After reading the above information, how could anyone dismiss the threats we face in cyberspace? Yet some do, and some on here think I am overstating the threat. It has been my experience that one of the biggest security threats to an organization is the attitude of its Chief Security Officer. Most of the individuals I work with wake up every morning and ask themselves three questions.
1. What has happened that I don’t know about?
2. What do I need to know that I don’t?
3. Who are my new adversaries today?
The “I know everything” attitude of many of these individuals increases the risk of a successful attack significantly. I was in one such meeting in the DC area where the CSO actually stated, “I have it all under control,” yet they had lost three laptops in about a year, none of the hard drives were encrypted, and they contained sensitive data.
Consider this point: if the information provided here is publicly available, what do you think the threat looks like to those of us with security clearances who work in the area of international cyber warfare and attacks? You can be sure it is not better looking.

Did you know that Kevin Coleman has made a business out of scaring the living daylights out of people?
Seriously guys, this sort of writing is so very tiresome. Thank goodness Christian is back.
For the love of God, grammar, and all that is informative, please can this guy.
I didn’t know that a very, very long string of uncited statistics followed by a defense of one’s job constitutes journalism. Especially when plenty of the uncited stats sound a little goofy: “Did you know that 27% believe their company has experienced a data security breach?” 27% of what or whom? 27% of well-informed CSOs, or 27% of hamburgers at McDonald’s?
For the love of God what? What is your problem folks? Is there anything in Kevin’s post that’s untrue? If so, build a counter-argument and have at it here. Each of those statistics WAS cited in his original draft, but to save time I didn’t put them in because they seemed pretty obvious to me. If you want, I’ll re-edit and put them in.
But please stop the childish whining.
If max and C would be so kind as to post some personal information we’d be happy to see what we can see about them. Where they live & work, what they enjoy, where they spend their money. They don’t seem to work in the industry… and if they did they wouldn’t have responded as they have. If they did work in the industry and understood anything about anything, they’d probably shrug it off and go fix something.
Seeing as how they responded in the middle of the day, they must have access to the internet at work. When their CSO/CIO pulls the plug on that access, they may get a better idea of what the threat looks like. You don’t need port 80 or 443 to do your job now, do you?
Oh, and Ed Felten just published a great paper on how, if you KNOW the laptop contains good juicy stuff and it is in “sleep” mode when you steal it, full disk encryption does no good!
Also, we have SEEN a cyber attack launched against the intrusion detection systems of a US military network, with DELIBERATE spillover into the civilian world:
http://www.cc.gatech.edu/~akumar/witty.html
Christian, I can sit around posting factual information all day, and to what end would it be? The issue isn’t that it isn’t factual (it is); the issue is that the contributions he makes on this site are essentially ripped from his security services website. On top of that, he uses a post to “call out” his detractors. I know this is only a “blog” and journalism is a concept with very vague definitions in that context. I simply dislike the way the content seems to have shifted from the snippets of tech and events that affect or are affected by tech to a chest-thumping, fearmongering diatribe by your two prime authors during your recent trip to Iraq.
No worries, I’ll stop the childish whining. Unfortunately it’s bundled with the DT reading.
By the way, I’m not falling for your pathetic bait, “Chris”.
Did you know?
Did you know that virtual gaming environments, so-called metaverses, have transactions in the tens of millions of dollars per day and are now becoming some entrepreneurs’ single source of profitable income?
The Defense Community at large needs to wake up to the new realities of this technical world. The information age is here and those that can harness its power for their purposes, be it for good or bad, will become the power brokers for tomorrow.
My 2 cents… :)
No offense to anyone, but let’s get to the “Tech” side of things. I know “cyber attacks” are bad & one day the sky could fall… but let’s move on to the nuts & bolts of the stories. In other words, bring out the specifics & how they relate to the .Mil
For instance:
Cisco’s NERV (Network Emergency Response Vehicle) is coming out… It has really cool flashing lights?
Cisco.com (video under Latest News – 19 Feb 2008)
“The Russian Cyber War Army Attacks” – Do we need to “draft” American PCs?
http://www.strategypage.com/htmw/htiw/articles/20061122.aspx
“Air traffic control uses AI” – Could it be hacked or just tickled to death?
http://www.theinquirer.net/gb/inquirer/news/2008/02/12/air-traffic-control-uses-ai
“NATO plans software defences” – Didn’t they already have one?
http://www.theinquirer.net/gb/inquirer/news/2008/02/14/nato-plans-software-defences
Why do DDoS attacks still work? Is it really a threat to Internet p0rn?
http://www.theinquirer.net/gb/inquirer/news/2006/08/06/dns-amplification-attacks-explained
Do we need to build a Super Firewall & will it have a Hemi?
http://www.theinquirer.net/gb/inquirer/news/2006/07/14/boffins-build-super-firewall
Why are rogue DNS servers on a rampage? Wasn’t Rampage a great game back in the ’80s?
http://www.theinquirer.net/gb/inquirer/news/2008/02/14/rogue-dns-servers-rampage
BTW…Aren’t there 3 Departments & 5 Branches?
One of you asked a valid question – what is the answer? So let me put my two cents in on that topic. I think three things are needed.
1. Increased investment in security technology R&D. Behavioral modeling of software and communications that detect abnormal activity.
2. Federal laws covering information security that set minimum standards for any device that connects to the internet. Secondly, I would suggest a law covering electronic trespass (any organization that places anything on your hard drive without your knowledge and approval). Finally, harsh measures for anyone who does not report software vulnerabilities, system breaches and loss of data control to a central clearinghouse in a timely manner.
3. Awareness programs so that the “I did not know” defense won’t work, and to reduce the problems caused by users who just did not realize that what they were doing caused security problems.
I saw the NY Times article on John McCain (affair) this morning and the first thought that popped into my mind was your article on Cyber Assassination. As a gentleman I will not tell a few people on here where they should go (straight to h – - -). Keep up with the awareness work; it is of great value to all of us.
Christian, you should can the cry babies! Talk about tiresome reading. They were the ones everyone picked on in grade school. They are also the ones who get passed over for the really important jobs. I would be willing to bet they are full of envy and that is the motivation. Or perhaps a competitor to this site. All I know is that Kevin’s work is referenced all the time in the security reports I see and even the Army’s Cyber Operations and Cyber Terrorism Handbook. I wonder if his critics have anything published, much less used as widely as the work he produces.
But Christian – do proofread his work. I know he is a busy man and is in a hurry and tries to fit this in, and fresh eyes proofreading this would increase the readability. THANK BOTH OF YOU!
Don’t “can” anyone. It’s a blog and, like it or lump it, this kind of conversation is what they’re for — although they could be more respectful in their wording. For example, I completely agree that there is a real and present “cyber” risk to every nation’s well-being. However, I disagree with the manner in which Mr. Coleman puts that to paper. That doesn’t mean I don’t have faith in his intent and credentials, but it does mean I don’t think it’s the way to draw attention to and get action on this issue. Nothing personal and hopefully worded to show Mr. Coleman the respect most humans deserve (all too often lost in blogs).
I’m going to add one item that I think Mr. Coleman should have included in his “what is the answer?” list: real security metrics; actually grasping the value of your information assets and intelligently prioritizing them. Real triage.
If you are in the security field and haven’t read Andrew Jaquith’s “Security Metrics: Replacing Fear, Uncertainty and Doubt” you should take the time to do so. He argues very well that security is not a product (and I think he would stretch that to include legislated product standards), it is a process. I’m particularly fond of his “Hamster Wheel of Pain” model and how it seems to be how the security industry actually operates.
Great now Nothing is Secure or Safe.
Great.
Hello 666.
Cyber-terrorism is possible, but it’s mostly a government scarecrow. You would think that Al Qaeda invented hackers. After more than 10 years of publicly wide use of the internet globally, there’s just nothing new under the sun. Scaring the public and using it as an excuse to get more dollars for the military is old also. Especially in the USA, but in other countries as well. 3 mil worth of phishing? I don’t believe it.
Every single one of your posts asks questions, none offer answers or even highlight specific technology that is being used to fight your “Cyber-War”. You have not offered any useful information to the readers of this blog.
The sheer amount of words in your articles with “cyber-” tacked in the front of them is tiring. Everyone in the IT field knows the trick of inventing buzzwords (probably learned that trick from the military) to scare management. Chief Strategist at Netscape? Chief Strategist is code for the marketing department. You talk big, but can’t back it up.
You run a for-profit company that capitalizes on the “threat of a cyber attack”. You are biased.
The way I see it, you only view your posts here as an opportunity to market yourself and your company. If that isn’t the case, prove it by writing something that contains substance.
sounds like the hackers are striking back, lol
To the last poster. Technolytics is a for-profit company and doing quite well, thank you. Second, technology is not the answer; it is much more complex and requires laws, technology, R&D and organizational change management. The approach is to get the readers to give their opinions on solutions to the issues presented. If you look at the interactions on this one, I listed the three things I feel need to be done. Finally, if this is so bad, why are so many people reading it and using the data, which included DoD?
If you have specific questions or would like to see a specific topic covered all you have to do is ask!
Speaking of cyberattack, anybody else having problems using Google search right now? Our whole office is getting an error message making it seem like Google is under attack from automated searchers.
Now see what I mean? People are getting scared. If Google is down, that for sure must be the “cyber-Al Qaeda”. Of course not! Most likely somewhere a janitor tripped over some cables and unplugged them. Also you should keep in mind that the internet is just that – a network of computers, and the path to a certain page could be quite different from another. So your ISP could experience technical problems with delivering you a connection to a single web page. If that is new to you – you must be new to the internet.
I have been using Google all morning to research the arrest of 17 hackers in Canada and have had no problems.
STORY HEADLINE
Canadian Authorities have cracked an alleged ring of 17 hackers, saying it inflicted $45-million in damage in 100 different countries.
Simple solution for the average small business or personal server owner. Firewall China and other problem regions.
We block all of China, Russia, the middle and far east and much of eastern Europe. Once we did that, spam and hacking attempts dropped 98% or more. China was and continues to be the biggest offender.
If you do business with these countries, then you have a problem because you have to open specific IPs or ranges so certain customers can get through. We won’t do business in those regions simply because the risk of fraud is so high.
Unfortunate that we have to block billions of people because of the threat but that’s life.
It takes less than 1800 firewall rules to take these problem regions out of the picture.
RICK
Can you say what industry you are in and the rough size of the business?
I’ve used Google constantly for years and never saw this error message:
“We’re sorry, but your query looks similar to automated requests from a computer virus or spyware application.”
It goes on asking you to enter one of those oddly shaped alphabet soup passwords, only then letting you in.
It is affecting every computer in the office but admittedly we are on a local server and local network, and I’m not a computer guy.
I figure if we ever went to war with China, their underwater internet lines would be cut first thing. Between that and no electricity, I don’t think they would be doing too much hacking. ;)
Sure Kevin. Our server does double duty; I use it in my engineering/consulting business mainly for collaboration and client communication. My wife is an artist and she has several public web sites from which we sell products and services. None of this approaches the level of national security, but we do have sensitive data ranging from industrial machines I am working on to our cart software and personal data of our own and that of customers. I take security very seriously, and for us, blocking problem regions to stave off the bulk of attacks makes perfect sense.
We do have customers in Japan and Australia so it took some work to block most of Asia without removing access to those people as well. A person can take out most if not all of APNIC with a couple hundred firewall rules if you don’t care about the countries in that region who are not a problem.
Rick
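Rick’s region-blocking approach above, together with his earlier point that customer ranges inside a blocked region have to be opened back up, as an added worked example. This is not code from the original post or from any commenter: it assumes an iptables-style chain with first-match semantics and a default ACCEPT policy, uses made-up CIDR placeholders rather than real registry allocations, and the functions subtract_networks, build_rules, decide and render_iptables are the example’s own names.

```python
"""Generate an ordered firewall rule list that blocks whole regions but keeps
specific customer networks reachable.

Added example, not code from the original post or any commenter. Assumptions:
an iptables-style chain with first-match semantics and a default ACCEPT policy,
and CIDR blocks that are made-up placeholders, not real registry allocations
(a real deployment would take them from an RIR delegation file or a maintained
country-to-prefix dataset).
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network
Rule = Tuple[str, Net]  # (action, network)

# Constructed stand-ins for "all prefixes allocated to a region" (placeholders).
REGION_BLOCKS: Dict[str, List[str]] = {
    "region-a": ["203.0.113.0/24", "198.51.100.0/24"],
    "region-b": ["192.0.2.0/24"],
}


def subtract_networks(block: Net, exceptions: Iterable[Net]) -> List[Net]:
    """Return the minimal CIDR list covering `block` minus every network in
    `exceptions`, so the carve-outs never appear inside a DROP rule at all."""
    remaining = [block]
    for exc in exceptions:
        nxt = []
        for net in remaining:
            if net.subnet_of(exc):          # exception swallows this piece
                continue
            if exc.subnet_of(net):          # split this piece around the exception
                nxt.extend(net.address_exclude(exc))
            else:                           # unrelated, keep as is
                nxt.append(net)
        remaining = nxt
    return remaining


def build_rules(blocked_regions: Iterable[str], allow_exceptions: Iterable[str]) -> List[Rule]:
    """Order matters in a first-match chain: explicit ACCEPTs for customer
    networks come first, then DROPs for whatever is left of each region."""
    exceptions = sorted(ipaddress.ip_network(e) for e in allow_exceptions)
    rules: List[Rule] = [("ACCEPT", e) for e in exceptions]
    drop_nets: List[Net] = []
    for region in blocked_regions:
        for cidr in REGION_BLOCKS[region]:
            drop_nets.extend(subtract_networks(ipaddress.ip_network(cidr), exceptions))
    # collapse_addresses merges adjacent pieces so the rule count stays small
    rules.extend(("DROP", n) for n in ipaddress.collapse_addresses(drop_nets))
    return rules


def decide(rules: List[Rule], addr: str) -> str:
    """First matching rule wins; no match falls through to the default policy."""
    ip = ipaddress.ip_address(addr)
    for action, net in rules:
        if ip in net:
            return action
    return "ACCEPT"  # assumed default policy of the INPUT chain


def render_iptables(rules: List[Rule]) -> List[str]:
    """Render the ordered list as iptables commands (one per rule)."""
    return [f"iptables -A INPUT -s {net.with_prefixlen} -j {action}" for action, net in rules]


if __name__ == "__main__":
    rules = build_rules(["region-a", "region-b"], ["203.0.113.64/26", "192.0.2.10/32"])
    for line in render_iptables(rules):
        print(line)
    print(len(rules), "rules;", decide(rules, "203.0.113.70"), decide(rules, "203.0.113.5"))
```

Two things the sample makes visible: a single /32 carve-out turns one /24 DROP into eight smaller DROP rules, which is why the rule count in a real deployment climbs with every customer exception; and the ACCEPT rules have to sit above the DROPs, otherwise the carve-out is dead code in a first-match chain.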
“We’re sorry, but your query looks similar to automated requests from a computer virus or spyware application.”
That would indicate that your network might be blacklisted by Google due to suspicious activity. It’s a safety feature for you to confirm to Google that you are a human being and not a piece of computer code, malicious one or otherwise. Blame your internet service provider and contact them for a solution. It might be your internet is routed thru Mexico, Cambodia, Ethiopia or some other lustrous place like that, you know to save cash. So as I said call your ISP and clear that with them.
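An added example, not from the post or any commenter, of the kind of per-source rate check that sits behind a “your query looks similar to automated requests” challenge, run over constructed log lines. It shows what Cole saw from the other side: every workstation behind one office NAT address arrives as a single source IP, so that address trips a threshold no individual user would. The log format, the addresses, the thresholds and the function names constructed_log, detect and request_counts are all assumptions made for this illustration; none of it is Google’s actual logic.

```python
"""Sliding-window check for automated-looking request rates per source IP,
run over constructed log lines.

Added example, not code from the original post or any commenter. The log
format (combined-log style), the addresses and the thresholds are assumptions
made for the illustration; nothing here is Google's actual logic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def constructed_log() -> List[str]:
    """Constructed sample: eight office workstations each run five searches
    within the same minute, all leaving through the NAT egress 198.51.100.7;
    one home user at 203.0.113.9 runs five searches."""
    t0 = datetime(2008, 2, 22, 9, 0, 0, tzinfo=timezone.utc)
    lines, n = [], 0
    for ws in range(8):
        for k in range(5):
            ts = (t0 + timedelta(seconds=n)).strftime(TS_FMT)
            lines.append(f'198.51.100.7 - - [{ts}] "GET /search?q=w{ws}-{k} HTTP/1.1" 200 512')
            n += 1
    for k in range(5):
        ts = (t0 + timedelta(seconds=n)).strftime(TS_FMT)
        lines.append(f'203.0.113.9 - - [{ts}] "GET /search?q=home-{k} HTTP/1.1" 200 512')
        n += 1
    return lines


def detect(lines, window_s=60, threshold=30, shared_egress=None) -> Dict[str, str]:
    """Flag a source IP the first time it makes `threshold` requests inside
    any `window_s`-second window, returning {ip: time_of_first_flag}.
    `shared_egress` maps a known NAT address to the number of hosts behind it;
    the threshold is scaled by that count so an office is judged per
    workstation rather than as one client."""
    shared_egress = shared_egress or {}
    window = timedelta(seconds=window_s)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ip, raw_ts = m.group(1), m.group(2)
        ts = datetime.strptime(raw_ts, TS_FMT)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        limit = threshold * shared_egress.get(ip, 1)
        if len(q) >= limit and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


def request_counts(lines) -> Dict[str, int]:
    """Total requests per source IP, for context alongside the flags."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    log = constructed_log()
    print(request_counts(log))
    print("flagged (naive):", detect(log))
    print("flagged (NAT-aware):", detect(log, shared_egress={"198.51.100.7": 8}))
```

The naive pass flags the office address on its 30th request while the home user never comes close; the second pass, told that eight hosts share that egress, does not flag it. A search provider has no such table for the world’s NATs, which is why the thread’s advice to contact the ISP is the practical route: the challenge is the service’s way of telling one source from many.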
Thanks insaint.
I called our head IT guy locally and he already knew about it and they were having the same problem in another building.
I googled the words in the error message and noted several other folks complaining about the same problem in the last few days.
Cole,
It’s funny that you bring up Google & malicious code…
“Hackers use Google to find website vulnerabilities”
http://news.yahoo.com/s/afp/20080222/tc_afp/lifestyleitinternetcrimecompanygoogle;_ylt=AvvOZfUaG8KSk5D1OLXBv.ojtBAF
“Infamous computer hacker group Cult of the Dead Cow (CDC) said Friday it is offering a software tool that lets people use Google to scan websites for security flaws.”
I haven’t read a story about the CDC… probably not since Back Orifice… what was it 31337.
Regarding underwater internet lines… EGP routing protocols like BGP would just enable traffic to take a different direction across the internet. In other words you’d have to physically or virtually cut/disable every connection, including wireless connections (like satellite, cell phone, etc…). Not to mention malicious programs can be triggered by time and/or events. Theoretically, you could remotely attack an enemy using your enemy’s allies in a “proxy war”. There are also advantages to maintaining open, but controlled, lines to your enemy & an enemy would probably think the same… but that’s another story.
Or something like that… maybe… could be… dunno.
CAMP
The rerouting comment is true only if the ones leasing the cables have an agreement with the carriers using the other cables. Egypt dropped about 70% of its internet capacity and one of the carriers that serviced India was almost completely down. The info came from a NATO briefing I got to hear, so the source of the data was good. PLAN AHEAD is the lesson, and don’t put all the eggs in one basket, or in this case IP.
Good thing NATO is increasing its forces in the cyber area.
BOB
Today there are over 53 million broadband connections in China and they are expected to pass the United States in that number in 2008. Somehow we have to come up with standard laws and enforcement expectations for every country connected to the internet, along with fines for non-compliance. With all the business-to-business purchases the US does with China, the banning I am afraid may hurt us as much as it does them.
“The average joe in China has no access to computers as it is a closed communist society. I know that the Chinese government had to authorize the use of computers and that this was training for hacking and cyber security assaults by the People’s Liberation Army of the People’s Republic of China. Who else had the control of the computers there but the military?”
You are a victim of propaganda. That’s simply not the case. China is THE largest market of hi-tech products now, way bigger than Japan. And those products are not bought by the government or the military. Your vision of communist countries is very distorted and false, or to be absolutely correct, it is exaggerated by far on its negative characteristics.
>With all the business to business purchases the US does with China – the banning I am afraid may >hurt us as much as it does them.
Someone here values economy much more than human rights. If you love Communism so much, go immigrate to China.
>”Hackers use Google to find website vulnerabilities”
There is something better. Just select “source” from “view” on IE, and skim through the source code for vulnerabilities. I’d rather use a port scanner to knock every door to check for any doors open. Just say “Knock! Knock! Can I invade your port 80?”
>Did you know that Kevin Coleman has made a business out of scaring the living daylights out
>of people?
Business? Prediction and prevention of catastrophe is not pure business, and I’ll bet that it might even save your life some day. I’ll tell you cyber attacks can kill people, and in fact attempts were made. I can tell you Kevin probably has very good sources and connections, and is not a man to mess with :-)
There are more scary stories than you will ever imagine, and more tools of devastating catastrophes that have not reached the public yet.
Dear Pedestrian
You missed the point. The point is that with so much B2B with China and the resulting economic impact the chance that Washington would ever be able to make that move is ZERO. A solution has to be realistic and acceptable – banning all B2B with China doesn’t meet those requirements!
Everything listed above I am sure is true, and a million other scary stats, but let’s be honest here: when put into context they are not that big of a deal. The internet is large (especially given we have come to include LAN and WAN networks as part of it) and with trillions of dollars of transactions (private, public and corporate), plus trillions in time spent (employment and leisure), and trillions in equipment (military, corp., govt and private computers, routers, fiber cables, etc. all count) operating here, it’s not hard to see how people could cause a few billion in damage now and again.
So as I have said before and will say again: as a guy really looking at this on the inside (at least from a corp. level), it’s not what people like this make of it. There are very real and very scary (especially for the individual that is compromised) things that ‘hackers’ can do, and it’s something that spending tens, even hundreds, of billions on is worthwhile. But in anything but the most critical type of systems, are these people doing anything more than scratching at the surface, like graffiti artists only allowed to use pencils? (It’s annoying but the overall damage is pretty low.) As a result, systems can easily be put in place to detect you have had a problem and relieve pain and suffering for those affected (insurance, your bank gives you your credit card money back, etc.), which is far cheaper than trying to be 100% protected against these attacks 100% of the time. I.e., some of these attacks are expected. Never forget to apply simple cost-benefit to these problems.
Military data and communications are about the only exception to this (even power, water, etc. are so old and simple that interruption of the systems on a large scale would require more than sitting at a workstation). These are systems people’s lives really do rely on, and as a result even small failures can constitute a catastrophe. These systems need to be 100%, 100% of the time.
Kevin,
You’re right, being dependent upon Service Providers, who do not maintain adequate alternate routes & contracts through different Carriers is a problem. Other variables might also attribute to such events, intended or not. For me, the how & why is where the real story remains. Why didn’t they have the necessary backups in place & what’s being done to fix that. You can also run into management issues, such as when Providers & Carriers don’t implement proper QoS policies, during times of beaucoup traffic.
My earlier reference, to Cole, wasn’t so much about normal traffic, but more to do with the possible actions of determined nation states. Along the idea that just because a connection is ‘virtually’ disconnected, or a single line is physically cut, that won’t guarantee all traffic is eliminated or filtered. Likewise, countries can still affect the internet by or through third-party means. And then you have questions such as, what happens when the carrier & service providers are largely owned by an enemy state, its ally, or a cover Corp. Etc. Etc.
Regarding NATO’s use of public Carriers. I’d like to think that they’d at least have guaranteed QoS & multiple pipes with all companies that transit through any European country. NATO Expeditionary units hopefully have Comms. contingency plans in place for every operation it conducts, with real-time updates. As well as standing orders & training for regional commands (stars to bars) in case “WTF!” occurs. If it’s not doing it today, then it’ll probably take a swift kick in the balls someday… Unfortunately. :\
On another story. I’m a bit surprised companies like Cisco & Google haven’t already put a High Speed Internet Satellite into orbit over the U.S., similar to Japan’s ‘Kizuna’, “aimed at providing high-speed Internet access across Asia”. While it may not be perfect, Point-to-Point is theoretically optimal & overall cheaper…. That is, as long as redundancies can be maintained.
In the future try sticking more to the How & Why. For example, ‘How was SilentBanker introduced into systems?’, ‘How does it work?’, ‘Why did it work?’, ‘Why didn’t PenTesting prevent this event?’. Just my 2 cents. :)
Then again, I don’t know much…
Insaint,
Did you even read the article, or Dl’d the ‘Goolag Scanner’ for that matter? :)
Bob,
IP’s can be “spoofed” & manipulated to mask or falsify the actual address. So it may or may not have originated from China… could have been your neighbor. ;) Kevin & Insaint are also correct, China ain’t what it used to be.
I wish to expand a bit on what