UPDATE 1-U.S. struggles to ward off evolving cyber threat
* Spies, criminals, terrorists eye U.S. networks
* Terabytes of data stolen, threat evolving quickly (Adds details on new U.S. cyber command)
By Phil Stewart and Jim Wolf
WASHINGTON, May 12 (Reuters) - The United States is losing enough data in cyber attacks to fill the Library of Congress many times over, and authorities have failed to stay ahead of the threat, a U.S. defense official said on Wednesday.
More than 100 foreign spy agencies were working to gain access to U.S. computer systems, as were criminal organizations, said James Miller, principal deputy under secretary of defense for policy.
Terrorist groups also had cyber attack capabilities.
"Our systems are probed thousands of times a day and scanned millions of times a day," Miller told a forum sponsored by Ogilvy Washington, a public relations company.
He said the evolving cyber threat had "outpaced our ability to defend against it."
"We are experiencing damaging penetrations -- damaging in the sense of loss of information. And we don't fully understand our vulnerabilities," Miller said.
His comments came as the Obama administration develops a national strategy to secure U.S. digital networks and the Pentagon stands up a new military command for cyber warfare capable of both offensive and defensive operations.
The Senate last week confirmed National Security Agency Director Keith Alexander to lead the new U.S. Cyber Command, which will be located at Ft. Meade, Maryland, the NSA's headquarters.
Miller suggested the new organization, which is expected to be fully operational in October, had its work cut out for it.
Among its challenges are determining what within the spectrum of cyber attacks could constitute an act of war.
Miller said the U.S. government also needed to bolster ties with private industry, given potential vulnerabilities to critical U.S. infrastructure, like power grids and financial markets.
STAGGERING LOSS
Hackers have already penetrated the U.S. electrical grid and have stolen intellectual property, corporate secrets and money, according to the FBI's cybercrime unit. In one incident, a bank lost $10 million in cash in a day.
"The scale of compromise, including the loss of sensitive and unclassified data, is staggering," Miller said. "We're talking about terabytes of data, equivalent to multiple libraries of Congress."
The Library of Congress is the world's largest library, archiving millions of books, photographs, maps and recordings.
U.S. officials have previously said many attempts to penetrate its networks appear to come from China.
Google (GOOG.O) announced in January that it, along with more than 20 other companies, had suffered hacking attacks that were traced to China. Google cited those attacks and censorship concerns in its decision to move its Chinese-language search service from mainland China to Hong Kong.
Miller took an example from the Cold War playbook to explain how the United States military would need to prepare for fallout from a cyber attack, which could leave cities in the dark or disrupt communications.
In the 1980s, the Pentagon concluded that the military needed to prepare to operate in an environment contaminated by the use of weapons of mass destruction.
"We have a similar situation in this case. We need to plan to operate in an environment in which our networks have been penetrated and there is some degradation," he said.
One of the challenges Miller singled out was the development of enough U.S. computer programmers in the future.
"In the next 20 to 30 years, other countries including China and India will produce many more computer scientists than we will," he said. "We need to figure out how to not only recognize these trends but take advantage of them."
* Gmail passwords appear safe - NY Times
* Google declines to elaborate upon Jan. 12 announcement (Adds Google comment in paragraph 8; edits paragraphs 1, 6, 9)
NEW YORK, April 19 (Reuters) - A December cyberattack on Google Inc (GOOG.O) computers hit the company's password system that millions of people worldwide use to access almost all of the company's Web services, The New York Times said, citing a person with direct knowledge of the investigation.
The closely-guarded program is considered a crown jewel at Google, enabling users and employees to sign in with their password only once to operate various services including e-mail and business applications, the newspaper said in its April 20 edition.
Code-named Gaia for the Greek goddess of the earth, and still in use under the name Single Sign-On, the program was described publicly only once at a technical conference four years ago, the newspaper said.
The intruders do not appear to have stolen passwords of Gmail users, and Google quickly started to bolster security, the newspaper said.
But the theft leaves open a possibility, perhaps faint, that the intruders may find weaknesses that Google might not know about, the newspaper said, citing independent computer experts.
Google disclosed the hacking on Jan. 12, when on its website it reported having detected "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google."
The Mountain View, California-based company said the attack appeared to target Chinese human rights activists, and that only two Gmail accounts appeared to have been accessed. [ID:nN12133127]
"We're not going to comment beyond our original blog post," Jay Nancarrow, a spokesman for Google, said on Monday night. "That remains our statement of record on the issue."
When it revealed the attack, Google said it would stop censoring search results on Google.cn.
In March, it closed its China-based Web search service and began redirecting users to an uncensored portal in Hong Kong. That decision came amid heightened tensions between China and Washington, D.C.
10 Security Reasons to Quit Facebook (And One Reason to Stay On)
You can't go a day without logging in to see what your Facebook friends are up to? Consider these factors and you may decide being connected brings on too much risk.
Last year, Baby Boomers quit Facebook at a faster pace than they joined.
That's according to data published last year by the site Inside Facebook. After a huge growth in Facebook membership among the over-55 age group took place at the end of 2008 and the beginning of 2009, that same demographic began to defect in large numbers, just months after signing up.
Boomers were the only shrinking age demographic on the site. What do Boomers know that others don't? Boomers have discretion, according to Scott Wright, a security consultant based in Canada who also researches and writes about social media and security awareness on his site streetwise-security-zone.com.
While the numbers certainly continue to indicate that more people are joining Facebook than quitting, certain web sites that help people "kill" their online selves have gained popularity, too. Facebook recently issued cease and desist orders to several of these sites, including one called Web 2.0 Suicide Machine.
Why would someone decide to sign off Facebook forever? Here are ten observations from security and privacy pros about the risks of social media.
Your privacy is history
Wright took part in a panel discussion recently on the topic of privacy and said he was intrigued by the opinion of one academic who pointed out that the notion of privacy differs widely among generations.
"The 20-something view of privacy is basically that their parents not see what they are doing. That's about it," said Wright.
Facebook founder Mark Zuckerberg apparently agrees. Zuckerberg made controversial remarks to a live audience earlier this year at an awards event and stated that openly sharing information with many people is today's social norm. He went on to say "We view it as our role in the system to constantly be innovating and be updating what our system is to reflect what the current social norms are." Many have translated this to mean Facebook doesn't think its users want much privacy, and the policies of the site reflect that view.
Whether Zuckerberg is right or wrong depends on who you ask. And that leaves us to consider: As younger generations define privacy in new ways, is it really good for us? Bethan Tuttle, a Washington-based independent consultant and privacy advocate, says no. Tuttle said she is concerned about some of the newer changes to Facebook that force users to share certain information because, in her words, without privacy, we don't have civil liberties.
"If you can't maintain privacy online and off, then you can't speak freely," said Tuttle. "These security issues need to be addressed in such a way that our privacy can be protected."
Tuttle thinks the massive and quick growth Facebook has experienced in the last two years, coupled with a lack of privacy-centric leadership, has left end user privacy as a casualty. (Read more in Six Ways We Gave Up Our Privacy.)
They don't have your best interests in mind
As Tom Eston, creator of the web site socialmediasecurity.com, points out, the very business model that Facebook, and other social networking sites like Twitter, stand on is making user information as public as possible in order to generate new ways to make money.
"They are really startups if you think about it. They don't have a true business model," said Eston. "Their philosophy is the more you share, the more information they have to make money with."
With that in mind, can you really count on them to protect you? And do you know just how much information you are sharing that can be used not only by Facebook, but by the application developers that create those fun quizzes and games? Wright says most people don't.
Case in point: A quiz designed by the ACLU that shows Facebook users just how much information they hand over to application developers every time they agree to install a new app. Want to take that quiz to find out who you were in a past life? Each time you do, almost everything on your profile, even if you use privacy settings to limit access, is made available to the creators of that application.
Frequent redesigns affect privacy settings
"Just when people figure out the privacy settings on Facebook, they go and change them again," said Wright. "It always seems like it is being done in everyone's best interest, but if you really examine it, they have never done anything other than to try and get people to share more information."
The latest Facebook redesign in December now makes public, and searchable, certain user information that was previously private, such as which pages you are a fan of and your profile picture. And many of the features you can make private are left public unless you go in and adjust your privacy settings, which is no small task, according to Tuttle.
"I am really good online but it took me several tries to get my Facebook privacy settings where I needed them to be," she said. "I think Facebook actually implemented some great changes with this redesign, but they need to make those easier and more stable. Privacy settings need to not be changed so many times in such a short period. People need to know weeks ahead of time exactly what to do and a method of not waking up one day and finding out all of their information has gone public."
Social engineering attacks are getting more targeted
If you are using Facebook, surely you have received messages by now on your wall asking "Have you seen this video?" or "Is this you in this photo?" If you click on the link, you run the risk of being infected by malware. These are known as social engineering attacks, and they are becoming more sophisticated, said Wright. (Read more in 9 Dirty Tricks: Social Engineers' Favorite Pickup Lines.)
"They are becoming very targeted. Even seasoned security professionals are falling for them," he said.
The more information you share, coupled with a decrease in privacy, only means it is even easier for cyber criminals to get information about you that can be used to trick you into clicking on a bad link.
You can't trust the ads
Even if you, unlike many users, know better than to click on a suspicious message or link in your Facebook account, what about the advertisements? While you may think the advertisements are harmless, unfortunately some contain malicious links. One common scenario involves a pop-up from the ad that claims your computer is infected and prompts you to download software to fix it. Instead of helpful software, you end up downloading something nasty. This is now commonly known in the security community as "scareware," and it's still a very effective way to snare unsuspecting users.
Spam
BlackBerry owners using the mobile Facebook application have been experiencing increased amounts of spam lately that claims to be from Facebook, said Eston.
Many users simply wonder "Why is Facebook sending me this?" and instinctively open the message and log in to what turns out to be a fake screen that steals credentials.
You don't really know your friends
A report from security firm Cloudmark that was released at the end of 2008 concluded that close to 40 percent of new Facebook profiles are actually fake. If you are one of those people with hundreds of "friends," what are the chances you might have a fake friend or two out there in your network? Pretty high, said Wright.
Having lots of friends is dangerous because it opens you up to additional security risks. Wright said those who get targeted for hacking are the ones who have lots of friends. The more friends you have, the more reach a criminal will have when he breaks into your profile and sends out a bad link to everyone.
You can't help yourself from being dumb
The recent attention around the site pleaserobme.com has brought to light the safety concerns around social networking. Pleaserobme aggregates the Twitter feeds of people who play Foursquare, a location-sharing application that allows users to "check in" from their various geographic whereabouts. The problem is, in playing the game, many users are also publicly broadcasting that their home is likely unattended and a good "opportunity" (as the site terms it) for thieves.
As Tuttle puts it, you need to think about what you are doing and many people are not. Whether you're updating your Facebook status or playing a location-sharing game through Twitter, you're putting yourself out there in potentially dangerous ways, particularly if you don't know all of your "friends" that well (See "You don't really know your friends" above).
"If you are posting that you have arrived at a hotel at 11:00 at night and you are a female with a cute photo, you're giving someone incentive to put on their shoes and go look for you. Are you even thinking about that?" she said.
The great unknown
The layout and privacy settings keep changing. There is a lot of analysis and speculation about a potential Facebook IPO in the future and generally a lot of discussion of Facebook's future business strategy. What does this mean for users? Wright said some fear it means an increasing loss of privacy as the social networking site inevitably looks for ways to make money by offering up valuable user information to advertisers and developers. Will you stick around to see how the site evolves? Or will others take a cue from the Boomers and opt out?
"One of the things I find most interesting is that there are still many people who are scared to death of social networking sites," said Wright. "These are usually the people who don't see value in them. In the end, they may be the wisest of us all."
Ex's, creeps and parents
George Strait once sang, "All my ex's live in Texas, that's why I hang my hat in Tennessee." There is little doubt that if Strait were to break up with a girlfriend in today's information age, he'd have to do more than simply move across state lines to avoid being found again. Facebook is making it possible for people who break up to be cyber stalked, even if they aren't friends anymore, said Eston. Although the virtual connection is broken along with the actual relationship, having mutual friends makes it easier for your ex to keep tabs on you. The same goes for any creepy guy or girl you are trying to avoid.
Or you may get a friend request from a parent, which Wright claims many 20-something users he talks to consider the worst thing that could ever happen in the history of social networking.
"That is a big driver for quitting," he said. "Once the parent friends some of these people they immediately think 'I've got to get out of this!'"
Of course, if you're the parent and you're concerned about kids revealing too much on social networks, this is the promised reason you might want to STAY on Facebook—it might make your kids quit.