SCADA Security Incidents and Critical Infrastructure Insecurities

A decent article on the topic of the most hyped cyberterrorism threat of them all - direct attack on the critical infrastrcture of a country by attacking the SCADA devices -- despite increased connectivity and integration with third-party networks, for the time being misconfigurations and failures in maintainance make their impact. What is critical infrastructure anyway? In the days when it used to be a closed network, that is one isolated from the Internet and performance-obsessed top management, dealing with threats was benefiting from the controlled environment compared to the open Internet. Converging both infrastructures to maximize performance, project demand and supply, thus achieving cost-cutting and profits results in the basic truth that poluting the Internet would inevitably influence the what used to be closed critical infrastructure one -- and it already happened on several occasions. Incident in Australia :

"That was the case in Australia in April 2000. Vitek Boden, a former contractor, took control of the SCADA system controlling the sewage and water treatment system at Queensland's Maroochy Shire. Using a wireless connection and a stolen computer, Boden released millions of gallons of raw sewage and sludge into creeks, parks and a nearby hotel. He later went to jail for two years. Not surprisingly, U.S. companies are hesitant to talk about the security of their SCADA networks for fear they may give clues to hackers. But security consultants say problems with them are widespread. Allor's company, for instance, regularly does audits of SCADA systems at major installations such as power plants, oil refineries and water treatment systems.

Almost invariably, Allor said, the companies claim their SCADA systems are secure and not connected to the Internet. And almost invariably, he said, ISS consultants find a wireless connection that company officials didn't know about or other open doors for hackers. Realizing the growing threat, the federal government two years ago directed its Idaho National Laboratory to focus on SCADA security. The lab created the nation's first "test bed" for SCADA networks and began offering voluntary audits for companies."

And more security incidents courtesy of Filip Maertens - Cyber threats to critical infrastructures slides :

1992 -- Chevron -- Emergency system was sabotaged by disgruntled employee in over 22 states
1997 -- Worchester Airport -- External hacker shut down the air and ground traffic communication system for six hours
1998 -- Gazprom -- Foreign hackers seize control of the main EU gas pipelines using trojan horse attacks
2000 -- Queensland, Australia -- Disgruntled employee hacks into sewage system and releases over a million liters of raw sewage into the coastal waters
2002 -- Venezuela Port -- Hackers disable PLC components during a national unrest and general workers strike, disabled the country's main port
2003 -- U.S East Coast blackout -- A worm did not cause the blackout, yet the Blaster worm did significantly infect all systems that were related to the large scale power blackout
2003 -- Ohio Davis-Besse Nuclear Plant -- Plant safery monitoring system was shut down by the Slammer worm for over five hours
2003 -- Israel Electric Corporation -- Iran originating cyber attacks penetrate IEC, but fail to shut down the power grid using DoS attacks
2005 -- Daimler Chrysler -- 13 U.S manufacturing plants were shut down due to multiple internet worm infections (Zotob, RBot, IRCBot)
2005 -- International Energy Company -- Malware infected HMI system disabled the emergency stop of equipment under heavy weather conditions
2006 -- Middle East Sea Port -- Intrusion test gone wrong. ARP spoofing attacks shut down port signaling system
2006 -- International Petrochemical Company -- Extremist propaganda was found together with text files containing usernames & passwords of control systems

Go through the results of the Cyberstorm cyber exercise, and a previous post on The Biggest Military Hacks of All Time to grasp the big picture of what cyberterrorism and asymmetric warfare is all about. Continue reading →

Terrorist Letters and Internet Intentions

A juicy recently de-classified letter to Zarqawi courtesy of the Combating Terrorism Center, reveals possible intentions for Internet based communications :

"We advise you to maintain reliable and quick contact, with all the power you can muster. I am ready to communicate via the Internet or any other means, so send me your men to ask for me on the chat forum of Ana al-Muslim, or others. The password between us is that thing that you brought to me a long time ago from Herat. Then, after that, we would agree with them about e-mails, or you should instruct your men who are in the country that I live in to develop communications with us. We are ready to write to you and to consult with you regarding opinions anytime directly. “By the time, Surely man is at a loss, Except for those who believe and do good, and exhort one another to Truth, and exhort one another to patience."

Rather primitive suggestion compared to the alternatives, it sounds more of a loyal jihadist trying to demonstrate his determination of making an impact. The other day I came across to an article mentioning the possibility of "suicidal hackers", that is hackers who doesn't care whether they'll be caught or not in a possible information warfare scenario -- chinese hackers have been utilizing the power of masses, thus disinforming on the actual sophistication of the attack and directing the traceback efforts to script kiddies.

However, in this case that's an example of a suicidal jihadist.

Continue reading →

Filtering "Good Girls" and IM Threats

Respecting your kids' right to privacy while wanting to ensure you're aware of the type of people they IM with? Consider a recently launched initiative, IMSafer aims to filter, not spy on kids :

"Keeping children safe from predatory adults in online communication is a service in high demand, but in order for children to participate the parental control needs to be kept to a minimum. IMSafer is a service that launched today and promises to filter IM communication for conversation deemed potentially predatory. The company says it worked with law enforcement specialists to develop its filtering rules and some of them are quite interesting - the phrase “you’re a good girl” is believed to be common language for building a dominance/submission based relationship, for example. Only questionable excerpts from IM conversations will be shown to parents; the company hopes that this relative privacy will help buy-in from kids."

Yet, this is a great example of marginal thinking when it comes to detecting potential child abuse activities with respect to little princess's -- why not prince? -- right to digital privacy. Whereas in the spirit of Web 2.0, the concept is primarily driven by the collective wisdom of parents participating and shaping the service's database and increasing interactions, IMSafer has already predefined categories of alerts :

"1. Someone looking to make direct contact (i.e. coming to your house)
2. Someone looking to make indirect contact (i.e. calling a phone)
3. Personal information (i.e. phone numbers)
4. Obscene language
5. Specific and sexual references to body parts
6. Specific references to sexual acts
7. Anything related to pedophilia"

Issues to keep in mind :
- the differently perceived dangerous or offensive conversation by parents
- the presumption that the "predator" would be using the same username next time, thus establishing long-lasting reputation
- how kids feeling in the middle of a silent war with their parents could simply IM from another location, one without the software installed excluding the possibilities of bypassing it with nerdy talk or vulnerabilities and hacks appearing on-the-fly
- monitors IM only, thus email, IRC, and forums remain an option for further communication

Don't emphasize on spying, not even filtering, but on educating your kids, thus gaining their participation in the process of building awareness on what's are potentially dangerous IM activities. From another perspective, do bored or adventurous kids spend time chatting with strangers? I think boringness, loneliness, the lack of strong, even developed communications with their folks is the root of the problem. And yes, predators acting as online stalkers, thus improving their chances of utilizing a long-lasting conversation.

Related posts:
What's the potential of the IM security market? Symantec thinks big
"IM me" a strike order Continue reading →

Mark Hurd on HP's Surveillance and Disinformation

Straight from the source - HP's CEO, one that compared to Fiorina's qualitative approaches decided to shift the company's strategy to a quantitative internal benchmarking model -- one is always fulfilling the other and vice versa -- and he succeeded, but with today's competitive environment and seek for "the next big thing" some companies are sacrificing productivity for insider fears related investigations. Not that there aren't any, it's just that this particular case is nothing more than a bored top management employee sending signals to the press. Next time it would be a top floor hygiene COO's comments on how HP are definitely up to something given the late hour conference meetings, the press will quote as "an insider source leaked this to us" type of quotation :

"Now the question is do you pick up the document and turn to page whatever, or do you say, 'are you sure?' He says 'I'm sure.' So then you say, 'what are we going to do?' Now let me give you two thoughts. You could react by not confronting the problem. You talk about ethics. We've gone down the backward looking view. There's also the dimension that says, are you going to bury this or confront it. Pretty big question, right? And I want to make something clear. I only know of the facts around the one leak. I don't know, there's been a lot of speculation around tens of leaks, and they associate with this one person [Jay Keyworth, a longtime HP board member]. This fact was about one leak from this one person who is a really good guy in the sense of contributions he made to Hewlett Packard over many years.

So now you're confronted with data that says, great contributor, and the team is looking at Pattie [Then board chairman Patricia Dunn] and saying 'what are you going to do.' And I can tell you if you're looking down at this room as you're making a decision, my first reaction wasn't to say, 'hey Pattie, why don't you look backward at how the data was collected.' The stress was, how are you going to confront the fact that was being presented to you. You're going to do what?

Now to your point, knowing what we know now I wish we'd looked at a different set of facts. But even at that point, what had been done had been done. You'd have been reacting at that point in time. I don't want to shirk any of this. The buck stops with me. But you can't have a CEO of a company our size being the backstop. The thought that I'm going to catch everything -- revenue, costs, personnel decisions, investigations... you know the scale of this company."

Catch up with the case through a previous post on the topic, and keep on reading. Continue reading →

Government Data Mining Programs - Interactive

A very extensive visualization of various U.S government data mining programs :

"Individually, each piece of information gives only a small glimpse into people’s lives -- but over time, these bits of personal information can begin to reveal patterns. Such as the places they go, the products they buy, or perhaps the type of people they associate with.This pattern-recognition process is called “Data Mining” or sometimes “Knowledge Discovery.” Since September 11, the federal government -- especially intelligence and law enforcement agencies -- have turned to data mining programs to make sense of growing oceans of data. The end result isn’t always about discovering what people have done -- but what people might do tomorrow. What does a terrorist look like? What is the culmination of their credit, contacts, purchases and travel? Is it possible that you might share these similar patterns? Chances are at least some of these programs sift through personal information about you."

Go through the questionnaire for a specific case, directly on a program of interest and see its relationship with the rest, if any of course. Go through a previous post on Able Danger's Intelligence Unit Findings Rejected to find out more about the state of information sharing. Continue reading →

Satellite Imagery of Secret or Sensitive Locations

Continuing the Travel Without Moving Series, and a previous post on Open Source North Korean IMINT Reloaded, this collection of Google Earth, Google Maps, Local Live and Yahoo Maps versions of secret or sensitive locations is worth browsing through. Included coordinates for over 80 locations, for instance :

- Predator Drone Returning From Mission
- Predator Drones at Remote Airstrip
- Predator Drone Taking Off From Remote Airstrip
- TAGS 45 'Waters'
- M80 'Stiletto' Stealth Boat
- U-2 Being Readied For Mission
- Underground Hangars at Sunchon Airbase
- North Korean No-Dong Missile Assembly Building
- Former MI6/FCO high security SIGINT enclave at Poudon
- Former NSA/DoD satellite intercept site
- CIA 'Black Site' for terrorist interogations
- Russian Foreign Intelligence (SVR) Headquarters
- CFS Leitrim - Satellite Singal Interception station
- Russian Don-2NP Pill Box Radar
- Star Wars missile defense support site
- AN/FRD-10 Classic Bullseye Antenna
- Radomes on Fort Belvoir
- Northrop "Secret" Research Facility
- Classic Bullseye listening antenna array

As you will find out the data provided is a historical one -- the UAVs and B2s have already dissapeared for instance. Does the publicly obtainable imagery represent a threat to these locations? Not necessarily, as threats from which these facilities were supposed to be protected from have been replaced by ones requiring a different perspective. The dishes however, are still there, listening..

Related posts and resources:
Satellite
Defense
Military
Japan's Reliance on U.S Spy Satellites and Early Warning Missile Systems
Stealth Satellites Developments Source Book
Anti Satellite Weapons Continue reading →

NSA Mind Control and PSYOPS

Basics of recruiting, interrogations, brainwashing and PSYOPS on the foundations of Visual Hallucinations, Event-Triggered (conditional) Implant Delivery, and Complete Quiet Silence? Maybe, but this article is full of interesting concepts, consider however skipping the part on how the NSA brainwashed Curt Cobain :

"Curt Cobain of the musical group "Nirvana" was another victim of NSA brainwashing and was terminated by NSA. Cobain had started writing clues to the NSA activities into his music to communicate it to his music followers. He referred in music to the NSA as the "Friends inside his head". Once the NSA puts on the highest level of brainwashing pain, the subject expires quickly. Cobain used heroin to numb and otherwise slow the effect of the brainwashing."

He had different "friends".

Related resources:
Intelligence
NSA Continue reading →

Anti-Counterfeiting Technologies

Handy overview of various anti-counterfeiting technologies and where they're primarily used at, such as Holograms, Optically variable inks, Microlenticular technology, Special inks, Nanomarkers, and yes, RFID tags, but keep in mind that they used to be "covert" decades ago, but in the passports of some nowadays.

You might find a previous post "Pass the Scissors" worth reading as well. Continue reading →

Afterlife Data Privacy

Have you ever asked yourself what's going to happen with your digital data in case the worst happens, or most importantly, the pros and cons of privacy in such a situation?

Taking passwords to the grave is always be default, and while your email service provider may get socially engineered -- or have to comply with a court order -- under the excuse of emotional crisis, family relations, reconsider how you would like to have your (accounting) data handled :

"The situation poses a dilemma for e-mail providers that are pilloried by privacy rights advocates at the mere suggestion of sensitive data being exposed, at the same time they are expected to hand over the digital keys to family members when a customer dies. Last year, Yahoo was forced to provide access to the e-mail of a U.S. Marine killed in Iraq to his father, who got a court order in the matter. "The commitment we've made to every person who signs up for a Yahoo Mail account is to treat their e-mail as a private communication and to treat the content of their messages as confidential," said Yahoo spokeswoman Karen Mahon. Beyond acknowledging that Yahoo complies with court orders, Mahon declined to discuss Yahoo's requirements for providing family members access to the e-mail accounts of their deceased loved ones. Google will provide access to a deceased Gmail user's account if the person seeking it provides a copy of the death certificate and a copy of a document giving the person power of attorney over the e-mail account, said a Google spokeswoman."

Whereas some inboxes should never be opened -- your spouse's one for instance -- leading email providers have already established practices when dealing with such requests and I feel the lack of reliable stats on the occurrences of such isn't proving the necessary discussion. The majority of people I know don't just have a black and white sides of their characters, they're too colorful to hide it both offline and online, and that's what makes them "people I know". Changing a provider's privacy policy wouldn't necessarily have a significant effect unless an author's email communication truly becomes his property, while on the other hand local laws could ruin the effect. It would be highly flexible if users are offered the opportunity to speak for themselves and their privacy while still able to do it.

Sometimes, on your journey to happiness and emotional balance you end up opening more and more of pandora's boxes, when what you're looking for is right inside your head - the clear memory of the person in question, not the pseudo-individuality in all of its twisted variations. Make sure what you wish for, as it may actually happen!

The ultimate question - Why does a deceased soldier’s email thoughts become the property of a company? Continue reading →

Media Censorship in China - FAQ

Controversial to the generally accepted perspective that China's Internet censorship efforts are primarily a technological solution only, I feel it's self-regulation as a state of mind that's having the greatest impact on the success of their efforts -- the very same way you're being told not to misbehave while seeing yourself on a monitor when entering a store for instance. Self-censorship as a state of mind by itself is a way of hiding the plain truth that the Chinese government is aware it cannot fully control what information is coming in, and going out of the country. That of course doesn't stop it from speculating it still can. Here's a recent FAQ on the Media Censorship in China answering the following questions :

What is the current media policy in China?
How free is Chinese media?
What are the primary censoring agencies in China?
How does China exert media controls?
How does China control the influence of foreign media?
How do journalists get around media control measures?

The main agencies responsible for history engineering :

"But the most powerful monitoring body is the Communist Party’s Central Propaganda Department (CPD), which coordinates with GAPP and SARFT to make sure content promotes and remains consistent with party doctrine. Xinhua, the huge state news agency (7,000 employees, according to official statistics), is beholden to the CPD and therefore considered by press freedom organizations to be a propaganda tool. The CPD gives media outlets directives restricting coverage of politically sensitive topics—such as protests, environmental disasters, Tibet, and Taiwan—which could be considered dangerous to state security and party control."

Centralization as the core of control, why am I not surprised? Don't tolerate censorship, learn how to undermine it. Continue reading →

Terrorism and Response 1990-2005

Very informative and objective retrospective on the response to terrorism from 1990 to 2005. The syllabus by Bruce D. Larkin and Ben Lozano is even more resourceful with its "what if" brainstorming questions.

Here's another map of terrorist networks in America for 1991-2005, based on states and possible cell of operation -- two more previous versions available. Continue reading →

Able Danger's Intelligence Unit Findings Rejected

The much hyped Able Danger Intelligence unit which has supposedly collected and identified information on the 9/11 terrorist attacks claim was officially rejected :

The report found that the recollections of most of the witnesses appeared to focus on a “single chart depicting Al Qaeda cells responsible for pre-9/11 terrorist attacks” that was produced in 1999 by a defense contractor, the Orion Scientific Corporation.

While witnesses remembered having seen Mr. Atta’s photograph or name on such a chart, the inspector general said its investigation showed that the Orion chart did not list Mr. Atta or any of the other Sept. 11 terrorists, and that “testimony by witnesses who claimed to have seen such a chart varied significantly from each other.” The report says that a central witness in the investigation, an active-duty Navy captain who directed the Able Danger program, had changed his account over time, initially telling the inspector general’s office last December that he was “100 percent” certain that he had seen “Mohamed Atta’s image on the chart.”

Issues to keep in mind:
- the chaotic departamental information sharing or the lack of such, budget-deficit arms race, thus departments wanting to get credited for anything ground breaking
- prioritizing is sometimes tricky, wanting to expand a node, thus gather more intelligence and more participants might have resulted in missing the key ones, marginal thinking fully applies
- OSINT as this Social Network Analysis of the 9-11 Terror Network shows, is an invaluable asset and so is the momentum and actual use of the data

Despite that if you don't have a past, you're not going to have a future, true leaders never look into the past, they shape the future and don't mind-tease what they could have done. Necessary evil moves the world in its own orbit now more than ever, and if you really don't have a clue what I'm trying to imply here, then you're still not ready for that mode of thinking.

So, the man who knew, but no one reacted upon his findings in a timely manner, or a case-study of how terrabytes of mixed OSINT and Intelligence data weren't successfully data mined? I go for the first point.

Able Danger chart courtesy of the Center for Cooperative Research. Continue reading →

HP's Surveillance Methods

Seems like it's not just Board of Directors' Phone Records that were obtained by HP under the excuse of enforcing an exemplary corporate citizenship, but on pretty much everyone that communicated with them or is somehow in their circle of friends -- no comments on the boring minutes of meetings shared with the press as the main reason all this. Besides passing the ball to the next board member over who's been aware of, more details on the exact methods used by HP emerge :

- HP obtained phone records for seven current or former HP board members, nine journalists, and their family members;

- HP provided investigators with the Social Security number of one HP employee, in addition the Social Security numbers of 4 journalists, 3 current and former HP board members, and 1 employee were also obtained by investigators;

- HP investigators attempted to use a tracer to track information sent to a reporter;

- The concept of sending misinformation to a reporter and the contents of that email were approved by Mr. Hurd, although no evidence was found to suggest that he approved the use of the tracer for surveillance;

- Investigators hired by HP monitored a board meeting, a trip to Boulder taken by a board member, as well as the board member's spouse and family members;

- In February of 2006, investigators watched a journalist at her residence and in February of 2006 “third party investigators may have conducted a search of an individual’s trash.”

By the time HP provided the associated parties SSNs, they've pretty much left them on the sharks to finish the rest, disinformation though, is something I previously thought they didn't do, but with dumpster diving in place as well, I guess they did order the entire all-in-one surveillance package.

Megacorp ownz your digitally accumulated life, and yes, it can also engineer and snoop on your real one. All they were so talkative about, is publicly available information that every decent analyst should have definitely considered starting from HP's historical performance as a foundation for future speculations. In between HP is (was) also sponsoring a Privacy Innovation Award.

Who's the winner at the bottom line? That's ex-CEO Carly Fiorina -- phone records also obtained -- whose upcoming book will profitably take advantage of the momentum. Continue reading →

Hezbollah's DNS Service Providers from 1998 to 2006

Nice visual representation trying to emphasize on the U.S hosting companies connection :

"In the following, we examine the Hizballah domains in light of which companies have provided DNS service. A domain's whois record specifies DNS servers, and the DNS servers tell browsers what IP address/server is currently hosting the domain. This is a mission critical service without which the domains in question would be unreachable. Despite the fact that Hizballah is a designated Terrorist entity in the United States, American companies have been, and continue to be the primary providers of service to Hizballah. We now know of 40 domains of Hizballah, based largely on a list provided by Hassan Nasrollah on a previous incarnation of his own web site. Of those 40 domains, 23 are now or have been provided DNS services by Alabanza Inc. of Baltimore, Maryland. No other provider comes close. Alabanza's domain name registration business, Bulkregister, is Hizballah's registrar of choice. See our report regarding the registrars of Hizballah's domains."

Who knew Hezbollah are indeed the rocket scientistics they pretend to be? UAVs, night vision gear, SIGINT gear, or has rocket science became so "outsourceable" nowadays?

Cyberterrorism isn't dead, it's just been silently evolving under the umbrella provided by the mainstream media -- wrongly understanding the concept, and stereotyped speculations. Continue reading →

Interesting Anti-Phishing Projects

Seven anti-phishing projects, I especially find the browser recon and countermeasures one as a trendy concept, as phishers are already taking advantage of vulnerabilities allowing them to figure out a browser's history, thus establish a more reputable communication with the victim -- adaptive phishing.

01. Social Phishing
The fundamental purpose of this study was to study the effects of more advanced techniques in phishing using context. Receiving a message from a friend (or corroborated by friends), we hypothesized the credibility of the phishing attempt would be greater

02. Browser Recon and Countermeasures
One can use a simple technique used to examine the web browser history of an unsuspecting web site visitor using Cascading Style Sheets. Phishers typically send massive amounts of bulk email hoping their lure will be successful. Given greater context, such lures can be more effectively tailored---perhaps even in a context aware phishing attack

03. Socially Transmitted Malware
People are drawn in by websites containing fun content or something humorous, and they generally want to share it with their friends. This is considered social transmission: referral to a location based on reccommendation of peers. We measured possible malware spread using social transmission

04. Phishing with Consumer Electronics: Malicious Home Routers
It is easy to "doctor" a wireless router like the ones found at home or at a local WiFi hotspot to misdirect legitimate browser links to phoney and often harmful website.

05. Net Trust
Individuals are socialized to trust, and trust is a necessary enabler of e-commerce. The human element is the core of confidence scams, so any solution must have this element at its core. Scammers, such as phishers and purveyors of 419 fraud, are abusing trust on the Internet. All solutions to date, such as centralized trust authorities, have failed. Net Trust is the solution -- trust technologies grounded in human behavior

06. A Riddle
Could your browser release your personal information without your knowledge?

07. Phroogle
Exploiting comparison shopping engines to bait victims

You might also be interested in Google's Anti-Phishing Black and White Lists. Continue reading →

Airport Security Flash Game

Ever wanted to snoop through the luggage of others in exactly the same fashion yours gets searched through? Try this game, and make sure you keep an eye to the instantly updated "dangerous items" unless you want to be held responsible, and lose your badge. Continue reading →

Soviet Propaganda Posters During the Cold War

Posters are a simple, yet influential form of PSYOPS, and their type of one-to-many communication method successfully achieves a decent viral marketing effect. Here's an archive of Soviet propaganda posters against the U.S during the Cold War you might find entertaining -- here's part 2. "Capitalists from across the world, unite!"

North Korea's not lacking behind, and despite the end of the Cold War, is still taking advantage of well proven and self-serving psychological techniques to further spread their ideology.

Here are some collections of ITsecurity related ones as well. Continue reading →

Banking Trojan Defeating Virtual Keyboards

The folks behind VirusTotal, just released an analysis and an associated video of trojan generating video sessions of the infected end user's login process, thus bypassing the virtual keyboard many banks started providing with the idea to fight keyloggers.

"Today we will analyze a new banking trojan that is a qualitative step forward in the dangerousness of these specimens and a new turn of the screw in the techniques used to defeat virtual keyboards. The novelty of this trojan lies in its capacity to generate a video clip that stores all the activity onscreen while the user is authenticating to access his electronic bank.

The video clip covers only a small portion of the screen, using as reference the cursor, but it is large enough so that the attacker can watch the legitimate user's movements and typing when
using the virtual keyboard, so that he gets the username and password without going into further trouble. It would obviously be place a heavy burden on the resources of the computer to capture the complete screen, both when generating the video clip as well as sending it to the attacker. The main reason for doing only a small portion of the screen referenced to the cursor is that the trojan guarantees the speed of the capture to show all the sequence and activity with the virtual keyboard seamlessly."

Anything you type can be keylogged, but generating videos of possibly hundreds of infected users would have a negative effect on the malware author's productivity, which is good at least for now. Follow my thoughts, the majority of virtual keyboards have static window names, static positions, and the mouse tend to move over X and Y co-ordinates, therefore doing a little research on the most targeted bank sites would come up with a pattern, pattern that should be randomized as much as possible. Trouble is, the majority of phishing attacks are still using the static image locations of the banks themselves, when this should have long been randomized as well.
OPIE authentication, suspicious activity based on geotagging anomalies, and transparent process for the customer -- please disturb me with an sms everytime money go out -- remain underdeveloped for the time being. You might find Candid Wüest's research on "Phishing in the Middle of the Stream" - Today's Threats to Online Banking informative reading on the rest of the issues to keep in mind.

No Anti Virus Software, No E-banking for You, or are Projection Keyboards an alternative? Continue reading →

Results of the Cyber Storm Exercise

The Cyber Storm exercise conducted in January "simulated a sophisticated cyber attack campaign through a series of scenarios directed at several critical infrastructure sectors. The intent of these scenarios was to highlight the interconnectedness of cyber systems with physical infrastructure and to exercise coordination and communication between the public and private sectors. Each scenario was developed with the assistance of industry experts and was executed in a closed and secure environment. Cyber Storm scenarios had three major adversarial objectives:

- To disrupt specifically targeted critical infrastructure through cyber attacks
- To hinder the governments' ability to respond to the cyber attacks
- To undermine public confidence in the governments' ability to provide and protect services"

Seems like the results from the exercise are already available and among the major findings are related to :

- Interagency Coordination
- Contingency Planning, Risk Assessment, and Roles and Responsibilities
- Correlation of Multiple Incidents between Public and Private Sectors
- Training and Exercise Program
- Coordination Between Entities of Cyber Incidents
- Common Framework for Response and Information Access
- Strategic Communications and Public Relations Plan
- Improvement of Processes, Tools and Technology

Frontal attacks could rarely occur, as cyberterrorism by itself wouldn't need to interact with the critical infrastructure, it would abuse it, use it as platform. However, building confidence within the departments involved is as important as making them actually communicate with each other.

Go through a previous post on the Biggest Military Hacks of All Time in case you're interested in knowing more on specific cases related to both, direct and indirect attacks. Continue reading →

Examining Internet Privacy Policies

Accountability, public commitment, or copywriters charging per word, privacy policies are often taken for fully enforced ones, whereas the truth is that actually no one is reading, bothering to assess them. And why would you, as by the time you've finished you'll again have no other choice but to accept them in order to use the service in question -- too much personal and sensitive identifying information is what I hear ticking. That's of course the privacy conscious perspective, and to me security is a matter of viewpoint, the way you perceive it going beyond the basics, the very same way you're going to implement it -- Identity 2.0 as a single sign on Web is slowly emerging as the real beast. The marketing perspective, offers unprecedented and fresh data whose value may be the next big project, balance is the key.

Here's an interesting research on "Examining Internet Privacy Policies Within the Context of Use Privacy Values" :

"In this paper, we present research bridging the gap between management and software requirements engineering. We address three research questions. 1) What are the most stringently regulated organizations (health care related organizations including health insurance, pharmaceutical, and drugstores) saying in their privacy policy statements? 2) What do consumers value regarding information privacy? 3) Do the privacy policy statements provide the information that consumers want to know?

Results from this study can help managers determine the kinds of policies needed to both satisfy user values and ensure privacyaware website development efforts. This paper is organized as follows. First, we discuss relevant research on privacy, policy analysis, and software requirements engineering. Next, we cover the research methodologies of content analysis and survey development, and then the survey results. Finally, we discuss the results and implications of this work for privacy managers and software project managers."

The only time privacy policies get read is whenever a leak like AOL's one happens, and mostly for historical purposes, where's the real value, not the perceived one? Don't responsibly generate privacy policies, consider preemptively appointing chief privacy officers, thus commiting yourself to valuing your users's privacy and having a strategy in mind.

Related resources:
Privacy
Snooping on Historical Click Streams
A Comparison of US and European Privacy Practices Continue reading →