Cyberwarfare

Cyberwarfare raises issues of growing national interest and concern.

Cyberwarfare can be used to describe various aspects of defending and attacking information and computer networks in cyberspace, as well as denying an adversary’s ability to do the same. Some major problems encountered with cyber attacks, in particular, are the difficulty in determining the origin and nature of the attack and in assessing the damage incurred.

A number of nations are incorporating cyberwarfare as a new part of their military doctrine. Some that have discussed the subject more openly include the United Kingdom, France, Germany, Russia, and China. Many of these are developing views toward the use of cyberwarfare that differ from those of the United States, and in some cases might represent national security threats.

Cyberterrorism is also an issue of growing national interest. Many believe terrorists plan to disrupt the Internet or critical infrastructures such as transportation, communications, or banking and finance. It does seem clear that terrorists use the Internet to conduct the business of terrorism, but on closer inspection, however, it is not clear how or whether terrorists could use violence through the Internet to achieve political objectives.

Although the U.S. government is striving to consolidate responsibility for and focus more attention on cyberwarfare issues, it is not clear how successful those efforts will be. Congress may choose to examine critically the policies, organization, and legal framework that guides executive ranch decisionmaking on issues of cyberwarfare.

Friday, March 26, 2010

Card Hackers Albert Gonzalez

http://i580.photobucket.com/albums/ss248/fantasy_017/CreditCardHack.jpg
A federal judge sentenced the hacker behind the largest compromise of credit and debit card data in U.S. history to a 20-year sentence this week. While the exploits used to swipe data from over 130 million accounts went beyond cracking passwords, there are some basic precautions businesses should take to protect data from similar breaches and minimize the impact if a breach does occur.

Alberto Gonzales, the attacker behind the notorious data breaches at TJ Maxx, and Heartland Systems--among others--caused nearly $200 million in damages for the companies, banks, and insurers impacted by his attacks. That figure doesn't include the money, time, and mental anguish of the individual customers affected by the data breach.

Kevin Haley, Director Symantec Security Response, expressed via e-mail "Organizations and consumer alike can take precautions to lower their security risk. A first step can be effective passwords."

"People choose passwords based on different factors: how easy they are to remember, how strong or complex they are, the sentimental value they have, etc. Symantec developed a survey to see how users are doing today creating and updating their passwords," added Haley.

The Symantec survey yields some interesting results. Here are some of the key findings:

• 44 percent have more than 20 accounts that require passwords

• 45 percent have just a few passwords that are alternated for all accounts

• 10 percent used their pets name when creating a password (a big no-no)

• 63 percent do not change their passwords very often

Sadly, these results are not all that shocking. It is just the most recent in a long line of surveys illustrating why the password is the weakest link in the security chain in most cases. Businesses that implement cutting edge security tools and lock data down tightly, and then "protect" it all with an administrator account with the password "12345" have essentially not protected anything.

Last year Imperva conducted an exhaustive analysis of the 30 million passwords exposed in the Rockyou breach, and found the following:

• About 30 percent of users chose passwords whose length is equal or below six characters.

• Moreover, almost 60 percent of users chose their passwords from a limited set of alpha-numeric characters.

• Nearly 50 percent of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).

The bottom line is that passwords are the primary security control standing between your sensitive and confidential data and a breach or compromise of that data. Complex passwords are difficult to remember, and constantly changing passwords makes committing them to memory even harder--but not using complex passwords, and not changing them periodically greatly increases the risk of a breach.

Passwords are only part of the equation, though. Businesses must also follow other security best practices to prevent unauthorized access and protect data from breaches--especially confidential and sensitive data like account numbers, Social Security numbers, credit card numbers, and other information. For most businesses, protecting these types of data is governed by one or more compliance mandates requiring at least a minimum level of security measures be in place.

Businesses should also have logging and monitoring tools in place. Hopefully the security controls in place will be sufficient to prevent any breach or compromise, but in the event that such an attack occurs, the logging and monitoring tools will hopefully alert IT staff that something suspicious is going on. Logging also provides forensic evidence to help identify when and how an attack occurred, and which servers or data may have been impacted.

http://www.csmonitor.com/var/ezflow_site/storage/images/media/images/0326-ahacker-albert-gonzalez/7639318-1-eng-US/0326-AHACKER-Albert-Gonzalez_full_238.jpg

Albert Gonzalez, the mastermind behind one of the largest cyber thefts in US history.

Businesses won't have to worry about Alberto Gonzalez for another twenty years, but Gonzalez is a dime a dozen and there is no shortage of hackers seeking out businesses with weak security measures and sensitive data to breach.

Make sure your business isn't the next one making headlines for a data breach by taking basic security precautions and ensuring that the password--the key to the front door--is not easily guessed or cracked.

Tony Bradley is co-author of Unified Communications for Dummies . He tweets as @Tony_BradleyPCW . You can follow him on his Facebook page , or contact him by email at tony_bradley@pcworld.com

Card hacker Albert Gonzalez gets 20 years, but cyber crime rising

Albert Gonzalez cost companies and insurers almost $200 million, federal prosecutors say, earning him the longest sentence ever leveled for cyber crime.

Mr. Gonzalez was sentenced in Boston on Thursday for breaking into the computer systems of major retailers in Massachusetts. A separate sentencing Friday will address similar hacking cases in New Jersey and New York involving companies such as 7-Eleven Inc., New England grocery store chain Hannaford, and payment card processor Heartland Payment Systems.

Gonzalez pleaded guilty to all charges. His escapades cost companies, banks, and insurers almost $200 million, federal prosecutors say. His sentence is the harshest ever leveled for computer crime in an American court, said Mark Rasch, former head of the computer crimes unit at the US Department of Justice.

Authorities say Gonzalez's activities suggest a growing sophistication among homegrown hackers who use software to harvest credit-card data and other personal information through vulnerable Internet signals and hacked ATMs. Data are often sold to overseas operators or used to benefit the hackers themselves.

According to a report published this month by the Internet Crime Complaint Center, a joint operation between the FBI and the National White Collar Crime Center, online crime complaints reached 336,655 in 2009, up 22.3 percent from the previous year. Total loss linked to online fraud was $559.7 million, a 111 percent rise.

The report listed nondelivery or nonpayment of goods as the top cyber crime reported to law enforcement in 2009, at 19.9 percent. Rounding out the top five were identity theft (14.1 percent), credit-card fraud (10.4 percent), auction fraud (10.3 percent) and computer fraud (7.9 percent).

Gonzalez fits the profile of most cyber criminals: He is male and lived in Florida, the state with the second-highest number of known perpetrators. California is first.

Hackers typically do not operate alone. In the Gonzalez case, two foreign codefendants helped him retrieve and transfer the data overseas.

However, a Chicago case involving cleaning service workers shows how cyber crime is not just limited to computer geeks – or even men. On Thursday, Cook County Sheriff Tom Dart announced the arrest of seven people – all women – who stole data to purchase more than $300,000 in jewelry, electronics, and other goods.

The data were stolen from as many as 250 patient files from the offices of the Northwestern Medical Faculty Foundation by workers of a nighttime cleaning service. Mr. Dart said the data were used to open new credit accounts at major retailers or to add names to existing accounts. Warrants were issued for two suspects who remain at large.

Riskiest cities for cyber crime

This week computer software maker Symantec ranked the top ten “riskiest online cities” for cyber crimes this month, based on a combination of online spending and availability, the number of infected computers and Internet vulnerability rates. They are:

  1. Seattle
  2. Boston
  3. Washington, DC
  4. San Francisco
  5. Raleigh
  6. Atlanta
  7. Minneapolis
  8. Denver
  9. Austin
  10. Portland

No comments:

Post a Comment