Cyberwarfare

Cyberwarfare raises issues of growing national interest and concern.

Cyberwarfare can be used to describe various aspects of defending and attacking information and computer networks in cyberspace, as well as denying an adversary’s ability to do the same. Some major problems encountered with cyber attacks, in particular, are the difficulty in determining the origin and nature of the attack and in assessing the damage incurred.

A number of nations are incorporating cyberwarfare as a new part of their military doctrine. Some that have discussed the subject more openly include the United Kingdom, France, Germany, Russia, and China. Many of these are developing views toward the use of cyberwarfare that differ from those of the United States, and in some cases might represent national security threats.

Cyberterrorism is also an issue of growing national interest. Many believe terrorists plan to disrupt the Internet or critical infrastructures such as transportation, communications, or banking and finance. It does seem clear that terrorists use the Internet to conduct the business of terrorism, but on closer inspection it is not clear how or whether terrorists could use violence through the Internet to achieve political objectives.

Although the U.S. government is striving to consolidate responsibility for and focus more attention on cyberwarfare issues, it is not clear how successful those efforts will be. Congress may choose to examine critically the policies, organization, and legal framework that guide executive branch decision-making on issues of cyberwarfare.

Wednesday, January 20, 2010

Popular account password Hack Me Please

If Your Password Is 123456, Just Make It HackMe

Published: January 20, 2010

Back at the dawn of the Web, the most popular account password was “12345.”


Today, it’s one digit longer but hardly safer: “123456.”

Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)

The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.

“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”

Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to trick the system, by making guesses at an acceptable rate, for instance.
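The low-and-slow guessing described above shows up in authentication logs as many accounts, each with only a failure or two, all from one source. This detector is an added example, not code from the article or from Imperva; the log format and the constructed sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). One source, 203.0.113.7, tries a
# guess or two against each of ten accounts and never reaches a per-account
# lockout; a legitimate user, carol, mistypes twice from her own address.
SAMPLE_LOG = """\
2010-01-20T10:00:01 src=203.0.113.7 user=alice result=FAIL
2010-01-20T10:00:09 src=203.0.113.7 user=bob result=FAIL
2010-01-20T10:00:17 src=203.0.113.7 user=carol result=FAIL
2010-01-20T10:00:25 src=203.0.113.7 user=dave result=FAIL
2010-01-20T10:00:33 src=203.0.113.7 user=erin result=FAIL
2010-01-20T10:00:41 src=203.0.113.7 user=frank result=FAIL
2010-01-20T10:00:49 src=203.0.113.7 user=grace result=FAIL
2010-01-20T10:00:57 src=203.0.113.7 user=heidi result=FAIL
2010-01-20T10:01:05 src=203.0.113.7 user=ivan result=FAIL
2010-01-20T10:01:13 src=203.0.113.7 user=judy result=FAIL
2010-01-20T10:01:21 src=203.0.113.7 user=bob result=FAIL
2010-01-20T10:02:00 src=198.51.100.5 user=carol result=FAIL
2010-01-20T10:02:07 src=198.51.100.5 user=carol result=FAIL
2010-01-20T10:02:15 src=198.51.100.5 user=carol result=OK
"""

# Assumed log format: timestamp, source address, account name, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def locked_accounts(events, threshold=5):
    """Per-account lockout as the article describes: too many wrong passwords
    on one account freeze it. Returns the accounts that would be frozen."""
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["user"]] += 1
    return sorted(u for u, n in failures.items() if n >= threshold)


def spray_sources(events, min_accounts=8, max_per_account=3):
    """Flag sources whose failures are spread thinly across many accounts:
    every account stays under the lockout threshold, but the source as a
    whole has touched far more accounts than a real user ever would."""
    per_source = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            per_source[e["src"]][e["user"]] += 1
    flagged = {}
    for src, users in per_source.items():
        busiest = max(users.values())
        if len(users) >= min_accounts and busiest <= max_per_account:
            flagged[src] = {"accounts": len(users), "max_per_account": busiest}
    return flagged


EVENTS = parse_log(SAMPLE_LOG)
```

With the sample above, the per-account lockout never fires, while the per-source view flags 203.0.113.7 for touching ten accounts at no more than two failures each.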

To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.

Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place.

Even commercial sites like eBay must weigh the consequences of freezing accounts, since a hacker could, say, try to win an auction by freezing the accounts of other bidders.

Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123” and “password.”

Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?

Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”

Google's Secret Struggles With Chinese

Inside Google's Secret Struggles With Chinese Cyber Power

U.S. intelligence officials have concluded that December's mass cyber attack against 33 American companies was most likely the result of a coordinated espionage campaign endorsed by the Chinese government.

Google's revelation that they'd been hit was deemed a "watershed" moment by security industry analysts, but the other 32 companies who were hit have not followed suit and have begged the government to keep their identities a secret. The government has no choice but to protect their identities -- even as U.S. policy encourages greater transparency about the scope of such attacks.

The attackers exploited security vulnerabilities in at least two widely used software programs to gain information about dissidents as well as proprietary information. Reports suggest that the penetration of Google allowed the hackers to get a good look at how the FBI and the National Security Agency sift through information gleaned from warrants served to Google.

"The recent cyber intrusion that Google attributes to China is troubling and the U.S. government is looking into it," said Nicholas Shapiro, a White House spokesperson. "We read Google's statement and are strongly opposed to the practices it describes, particularly the illicit targeting of private email accounts for political reasons. We welcome Google's decision to discontinue censorship of search results on google.cn. The United States has frequently made clear to the Chinese our views on the importance of unrestricted Internet use, as well as cyber-security. We look to the Chinese for an explanation of what happened," he said.

On Thursday, Secretary of State Hillary Clinton will speak on cyber power and she is expected to address, in some fashion, the attack. Administration officials have said that a variety of responses are on the table, ranging from the lodging of a formal protest to a request that the World Trade Organization investigate. Behind the scenes, there is panic in the cyber world.

"Some people hint by saying these attacks are from China, that they are very sophisticated, and that the attackers are looking for information from Chinese human rights advocates," a U.S. official said. "What is left unsaid is that the attacks are likely sponsored by the Chinese government."

Officially, Google has no contact with Chinese authorities about censorship. Unofficially, it has engaged in a war of attrition with the government. In March of 2009, China blocked YouTube from being accessed in the country and never acknowledged its action. The reasons for its decision were spurious. Traffic dropped off dramatically. And then, half a way later, YouTube access in China was suddenly restored. In September, YouTube was taken away again -- and the presence of pornography was cited as the reason. Google could not find the pornography. Porn -- and national security information -- seem to be the de facto public excuses that China provides for its capricious and unpredictable censorship.

James Fallows has provided us with an extensive examination of how China censors the net. Google's experience brings to light some new details, and reveals the banality of the entire enterprise. According to sources with knowledge of the process, the State Council Information Office sends lists of censored sites and words to companies operating search engines. The companies passively accept the lists. If there are small updates, Chinese officials will communicate via instant messenger to companies to keep them up to date on the latest banned sites. In China, this process itself is considered a state secret. Any active role that China plays in banning IP addresses directly is denied -- the world's worst kept secret is the existence of the Great Firewall.

Prove it to yourself. Go to this Web site. It allows you to experience what search is like for the Chinese. I tried it out -- and about half of the websites I was browsing are suddenly no longer available.

Google-dot-com is available in China and is not filtered on the back end. Google's China site, Google.CN, is subject to the laws of the local authority. On Google.com, the Chinese government cannot prevent Google from returning search results. But clicking on those results often leads to content that is not available. As Fallows has explained, the government employs "packet sniffing" after the Google search results come back through the firewall to weed out objectionable content. China has variously blocked Google's basic search engine, Gmail, a proprietary music search and other Google apps -- often for hours, sometimes for days, without explanation or comment. In July, China publicly accused Google of providing links to pornography; Google responded by voluntarily disabling several of its high-profile search features.

There are at least seven different agencies responsible for Internet policing in China. They often fight with one another for bureaucratic territory. Companies like Google are left to their own devices to figure out how to comply with the law--and whatever specific emanations the law requires. Google employees in China really never know what they can and cannot do. Violating the law means, potentially, prison.

Soon after Google's announcement last week, reports circulated that Google had stopped filtering its Google.CN site; that would directly violate Chinese law. Not true. The truth is more insidious. Enterprising consumers decided to see if results that were previously blocked had suddenly become unblocked. Somehow, pictures of the Tiananmen Square massacre were able to be accessed. Google unblocked! But no -- in this case, Google hadn't done anything. There were no changes to the filter and no updates that day. The truth is that, in this instance, the Chinese users of the Google.CN domain were censoring themselves; it had not occurred to them to search for such pictures before. To be clear, Google.CN is censored (by Google, "voluntarily,") but the lack of transparency in the process can grind down the will of even the world's largest Internet company, if not the intellectual interests of millions of Chinese.

Given this context, it's easy to see why Google has had enough.

Then there are the U.S. network security rules of engagement. Defend, don't attack -- unless there's a secret presidential finding, and to the best of our knowledge there isn't one on China.
For example, if a U.S. site comes under attack from a Chinese site, the site -- assume it's an intelligence agency -- can defend it by trying to block the attacks, and it can offensively attempt to figure out who's behind them -- but once that threshold is crossed, it cannot attack the sites. The Chinese have no such rules. In fact, the Chinese government teaches attack techniques to a large group of state-sponsored hackers, and part of the classroom work is for them to conduct actual attacks on sites around the world, including the U.S.

The question is natural: if China is so intent on stealing stuff from us, why haven't we responded?

One, we may well have responded, in ways that are classified. But the U.S. has an extraordinarily complex and vital economic relationship with China - one that China would never compromise. There is no fear among U.S. officials that China would ever mount a crippling cyber attack against U.S. infrastructure, even though they have mapped our electrical grid and probably left behind some malware that could be triggerable at a later date. (For what it's worth, the U.S. has also mapped China's electrical grid.)

China, in fact, needs a secure and stable U.S. infrastructure to do business. (As James Lewis of the Center for Strategic and International Studies puts it, "Since they own Wall Street, the last thing they want to do is crash it.") But China also wants to control the information flowing in and out of its country. In the absence of an international treaty defining what cyber sovereignty consists of, it is hard to figure out the boundaries, much less police them effectively. Third, the U.S. is aware of a debate within the Chinese government about whether it should pursue a globalist or nationalist technology policy; should China depend on the rest of the world for its cyber needs; should it become a part of the grid; should it pursue its activities independently? This is linked to a central organizing question of modern Chinese society: will it be open, modern, forward-looking? Or forever consigned to a second-rate status?

The geopolitics of cyber power suggests that centrally directed government espionage is...tolerated by U.S. officials. A 2007 intrusion, where Chinese hackers broke into classified Department of Defense computer databases, alarmed officials -- but the response, largely, was defensive. There is a reason; ambiguity provides more policy options for the U.S., and the lack of an offensive reaction -- aside from Clinton's comment -- prevents the situation from escalating.

Over the next few weeks, Google will determine whether to suspend its business operations entirely. Very quietly, through intermediaries, it has engaged the Chinese government. The U.S. government is informally advising the company and is being kept in the loop.

Tuesday, January 12, 2010

USB security flaw triggers first FUD laced news cycle of 2010

by Steve Ragan - Jan 12 2010
Now that the cat is out of the bag, and it is known that the authentication method used on certain secure USB devices is broken, there has been a ton of hype and confusion in the news. So much so, that the NIST is now looking into the matter after being dragged into the hype by the press.

Last week, The Tech Herald published a small article on the Kingston announcement that three of their secure USB drives were being recalled after security researchers from SySS discovered a weakness in the method used to authenticate access to the drive. The Kingston drives in question are DataTraveler BlackBox, DataTraveler Secure - Privacy Edition, and the DataTraveler Elite - Privacy Edition.

Soon after Kingston’s announcement, SanDisk and Verbatim announced problems with some of their secure USB drives, each of them impacted by the authentication flaw.

SanDisk says that their Cruzer Enterprise USB drives are impacted, which include the 1GB, 2GB, 4GB, and 8GB versions of the Cruzer Enterprise CZ22, CZ32, CZ38, and CZ46. Verbatim reports that their Corporate Secure USB and Corporate Secure FIPS Edition drives are vulnerable, and both companies are offering fixes to the problem. Kingston is offering technical support as well, but you will need to call them to work out the details.

Once the Kingston story broke, the news slanted towards the fact that secure USB drives were busted, and that “hackers” could access the data contained on them at will. This simply isn’t the case, and despite the blogosphere’s and technical trade’s opinions on the matter, this is not an issue of broken encryption. This is an issue of how authentication is implemented, and why trusting a computer is a bad idea.

For those curious, the flaw discovered by SySS centers on how the listed USB drives access the encrypted data. When you go to decrypt the data you enter a password, which must be checked, before you can do anything with the drives. The process of checking the authentication is the heart of the problem.

Each device vulnerable to the methods detailed in the SySS research has software that will reside on the host computer to verify the password used to decrypt the drive. This software will send an unlock code if the password is correct. The problem is that the unlock code is essentially the same, no matter the vendor or device. SySS developed an application that will skip the process used by the host software to check passwords, and simply send an unlock code. As you can tell by the number of USB drives listed, they had a decent amount of success with their work.
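A constructed model of the two designs, added here as an illustration; it is not SySS's code, not any vendor's firmware, and the class names, the fixed code value and the PBKDF2 parameters are assumptions. In the flawed model the device only ever verifies a constant code, so it cannot distinguish the vendor's host program from anything else that emits that code; in the corrected model the verifier is derived from the password inside the device, so the host has no check to skip and nothing to replay.

```python
import hashlib
import hmac
import os


class HostVerifiedDrive:
    """Toy model of the flawed design described above (constructed, not a real
    vendor protocol): the host software checks the password, then sends the
    device a fixed unlock code that is the same for every password and unit."""

    UNLOCK_CODE = b"constructed-constant-unlock-code"  # identical on every device

    def __init__(self, password: bytes):
        self.password_hash = hashlib.sha256(password).digest()  # checked on the host
        self.unlocked = False

    def host_software_unlock(self, password: bytes) -> bool:
        """Vendor-style host program: compare on the PC, then send the code."""
        if hashlib.sha256(password).digest() == self.password_hash:
            return self.device_receive(self.UNLOCK_CODE)
        return False

    def device_receive(self, code: bytes) -> bool:
        """All the device itself ever verifies is the constant code; the
        password plays no part here, which is the whole problem."""
        self.unlocked = hmac.compare_digest(code, self.UNLOCK_CODE)
        return self.unlocked


class DeviceVerifiedDrive:
    """Corrected design: the verifier is derived from the password inside the
    device, so the host never holds a separate secret that unlocks the drive."""

    ITERATIONS = 200_000  # PBKDF2 work factor; illustrative value, not a vendor's

    def __init__(self, password: bytes):
        self.salt = os.urandom(16)  # per-device salt, generated on the device
        self.verifier = self._derive(password)
        self.unlocked = False

    def _derive(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self.salt, self.ITERATIONS)

    def device_unlock(self, password: bytes) -> bool:
        """The only unlock path takes the password itself. A wrong password
        derives a different value, and the device stays locked. A real device
        would use the derived value to unwrap the data-encryption key rather
        than compare it directly; the comparison keeps the model short."""
        self.unlocked = hmac.compare_digest(self._derive(password), self.verifier)
        return self.unlocked
```
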

This is a design flaw, not a failure in encryption. So when news started to spread that the National Institute of Standards and Technology (NIST) was looking into the matter, more FUD appeared across the wires.

No one thought to ask why NIST is involved, choosing instead to focus on a statement from them that said they are looking into their certification criteria. Most of the recent media reports hinge on the fact that the vendors and products impacted by SySS’s work tout Federal Information Processing Standard (FIPS) 140-2 certification.

Essentially, FIPS is an accreditation standard used to certify encryption algorithms. FIPS 140-2 consists of four levels, most of which deal with the usage of at least one approved encryption algorithm or security function and various degrees of tamper resistance. It is great for a company’s marketing to have a product FIPS certified. At the same time, FIPS is a security guideline, and like other guidelines, such as PCI, FIPS does not mean secure, nor does it promise actual data security.

At no time will FIPS certify that the method used to authenticate the owner of the device is secure. This is up to the manufacturer of the device, and because of that a lot of trust is placed into their hands.

However, scanning the headlines, the larger picture is missing and the focal point of many of the stories online is that three of the larger vendors in the secure USB sector are vulnerable to attack, and as a result, so are their customers. While that is true in a sense, it only skims the surface. Not all of the customers using SanDisk, Verbatim, or Kingston are vulnerable.

Each of the vendors impacted by the SySS research offers other products that can be used for data security. There are other vendors, such as IronKey or SPYRUS, which do not use the vulnerable method of authentication. IronKey for example, never once uses the host system for authentication checks. There is biometric protection as well if you wanted it.

Still, you are better off using TrueCrypt and a regular USB drive if you have to encrypt data. The only problem is, because USB drives are easily lost, stolen, or broken, Enterprise or Government operations ban the use of USB media. Another point missing is that in several of the larger Government agencies, even Enterprise on some levels, they disable USB access completely on the network.

If you have to encrypt something, spend $20.00 on a normal USB drive and use TrueCrypt. If you have to purchase a secure drive, remember that FIPS 140-2 is a great certification for a product to have, but it does not mean proof of data security.

The problems in the authentication processes discovered by SySS are the result of solid research. SySS did a great job, both in how they went about the work and reported it to the public. However, the coverage related to their work is quickly becoming the first FUD-based news cycle for 2010.

SySS Report on Kingston

SySS Report on SanDisk

Read more: http://www.thetechherald.com/article.php/201002/5068/USB-security-flaw-triggers-first-FUD-laced-news-cycle-of-2010

Saturday, October 17, 2009

National Cybersecurity Awareness Month

http://www.dhs.gov/files/programs/gc_1158611596104.shtm


October marks the sixth annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. The theme for National Cybersecurity Awareness Month 2009 is “Our Shared Responsibility” to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good “cyber hygiene” and to protect themselves and their families at home, at work and at school.

Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace.

It is Our Shared Responsibility to stay safe online.

How You Can Contribute to Cybersecurity Awareness

Here are a few steps that you can take to not only participate in National Cybersecurity Awareness Month, but also enhance cybersecurity 365 days a year:

Take Action - There are many things businesses, schools, and home users can do to practice cybersecurity during National Cybersecurity Awareness Month and beyond.

  • Make sure that you have anti-virus software and firewalls installed, properly configured, and up-to-date. New threats are discovered every day, and keeping your software updated is one of the easier ways to protect yourself from an attack. Set your computer to automatically update for you.
  • Update your operating system and critical program software. Software updates offer the latest protection against malicious activities. Turn on automatic updating if that feature is available.
  • Back up key files. If you have important files stored on your computer, copy them onto a removable disc and store it in a safe place.

Endorse - Demonstrate your commitment to cybersecurity.

  • Show your organization's commitment to cybersecurity and National Cybersecurity Awareness Month by signing the online endorsement form at www.staysafeonline.org.
  • Create a section for cybersecurity on your organization's Web site. Download banners at www.staysafeonline.org and post them on your organization's home page.
  • Add a signature block to your e-mail:
    "October is National Cybersecurity Awareness Month. Stay Safe Online! Visit http://www.staysafeonline.org for the latest cybersecurity tips."

Educate - Find out what more you can do to secure cyberspace and how you can share this with others.

  • Participate in the National Cyber Security Alliance Cyber Security Awareness Volunteer Education (C-SAVE) Program and help educate elementary, middle, and high-school students about Internet safety and security. For more information or to download the C-Save curriculum, visit www.staysafeonline.org/content/c-save.
  • Review cybersecurity tips with your family.
  • Print and post these cybersecurity tips near your computer and network printers.
  • Use regular communications in your business—newsletters, e-mail alerts, Web sites, etc.—to increase awareness of issues like updating software, protecting personally identifiable information, and securing your wireless network.

For more information on Awareness Month and for additional material, please visit www.us-cert.gov and www.staysafeonline.org/ncsam.

Cybersecurity Resources

The Department partners with a number of cybersecurity organizations throughout the year to educate all citizens on the importance of implementing effective cybersecurity practices. These partnerships also make National Cybersecurity Awareness Month possible by uniting public and private sector efforts to secure cyberspace. National Cybersecurity Awareness Month materials and resources can be found at the following sites:



NATIONAL CENTER FOR CRITICAL INFORMATION PROCESSING AND STORAGE

The Committee recommends $46,130,000 within Security Activities for data center development. This includes the budget request level (which includes operation and maintenance costs for the National Center for Critical Information Processing and Storage [NCCIPS] and the second data center) and an additional $22,300,000 solely to be used to support transition of Department systems to NCCIPS, to support the dual cost of operation and maintenance during the transition, and to develop a sharable common operating environment. NCCIPS is a federally owned and managed facility established to reduce Federal data center costs and to protect critical Federal information.

The Committee also includes language in the bill withholding the availability of $200,000,000 for obligation until the Department of Homeland Security submits to the Committee the report on data center transition required by Senate Report 110-84, which is to include: (1) the schedule for data transition by Department component; (2) costs required to complete the transition by fiscal year; (3) identification of items associated with the transition required to be procured and the related procurement schedule; and (4) the identification of any transition costs provided in fiscal years 2007 and 2008. The report submitted should separate these requirements and costs by data center and include fiscal year 2009 data.

Consistent with section 888 of Public Law 107-296, the Committee instructs the Department to implement the consolidation plan in a manner that shall not result in a reduction to the Coast Guard's Operations Systems Center mission or its Government-employed or contract staff levels. A general provision is included for this purpose.

HOMELAND SECURE DATA NETWORK

Included in the amount recommended by the Committee is $47,673,000, as requested in the budget, for the Homeland Secure Data Network.

ANALYSIS AND OPERATIONS

Appropriations, 2008 (1) ............ $306,000,000
Budget estimate, 2009 ............... $333,262,000
Committee recommendation (2) ........ $320,200,000

(1) Excludes a rescission of $8,700,000 pursuant to Public Law 110-161.
(2) Excludes a rescission of $2,500,000.

The account supports activities to improve the analysis and sharing of threat information, including activities of the Office of Intelligence and Analysis and the Office of Operations Coordination.

COMMITTEE RECOMMENDATIONS

The Committee recommends $320,200,000 for Analysis and Operations. This is an increase of $14,200,000 from the fiscal year 2008 level and a decrease of $13,062,000 from the budget request. The details of these recommendations are included in a classified annex accompanying this report.

DHS INTELLIGENCE EXPENDITURE PLAN

No later than 60 days after the date of enactment of this act, the Secretary shall submit a fiscal year 2009 expenditure plan for the Office of Intelligence and Analysis [I&A], including balances carried forward from prior years, that includes the following: (1) fiscal year 2009 expenditures and staffing allotted for each program, as identified in the March 2008 expenditure plan submitted to the Committee, as compared to each of years 2007 and 2008; (2) all funded versus on-board positions, including Federal full-time equivalents [FTE], contractors, and reimbursable and non-reimbursable detailees; (3) an explanation for maintaining contract staff in lieu of Government FTE; (4) a plan, including dates or timeframes for achieving key milestones, to reduce the office's reliance on contract staff in lieu of Federal FTE; (5) funding, by object classification, including a comparison to fiscal years 2007 and 2008; and (6) the number of I&A funded employees supporting organizations outside I&A and within DHS.

STATE AND LOCAL FUSION CENTERS

The Committee directs the Department's Chief Intelligence Officer to continue quarterly updates to the Committees on Appropriations that detail progress in placing DHS intelligence professionals in State and local fusion centers. These reports shall include: the qualification criteria used by DHS to decide where and how to place DHS intelligence analysts and related technology; total Federal expenditures to support each center to date and during the most recent quarter of the current fiscal year, in the same categorization as materials submitted to the Committees on Appropriations on March 23, 2007; the location of each fusion center, including identification of those with DHS personnel, both operational and planned; the schedule for operational stand-up of planned fusion centers and their locations; the number of DHS-funded employees located at each fusion center, including details on whether the employees are contract or government staff; the privacy protection policies of each center, including the number of facility personnel trained in Federal privacy, civil rights, and civil liberties laws and standards; and the number of local law enforcement agents at each center approved or pending approval to receive and review classified intelligence information.

U.S. Homeland Security 1,000 cybersecurity experts

U.S. Homeland Security wants to hire 1,000 cybersecurity experts

Dept. of Homeland Security needs experts to fill out vast network protection goals
By Michael Cooney, Network World, 10/01/2009

The Department of Homeland Security is looking to hire 1,000 cybersecurity professionals in the next three years, according to the agency's secretary, Janet Napolitano.

The department now has the authority to recruit and hire cybersecurity professionals across DHS over the next three years in order to help fulfill its mission to protect the nation’s cyber infrastructure, systems and networks, she said.


“This new hiring authority will enable DHS to recruit the best cyber analysts, developers and engineers in the world to serve their country by leading the nation’s defenses against cyber threats,” Napolitano stated. DHS is the focal point for the security of cyberspace -- including analysis, warning, information sharing, vulnerability reduction, mitigation, and recovery efforts for public and private critical infrastructure information systems.

The hiring authority, which results from a collaborative effort between DHS, the Office of Personnel Management and the Office of Management and Budget, lets DHS staff up to 1,000 positions over three years across all DHS agencies to fulfill critical cybersecurity roles—including cyber risk and strategic analysis; cyber incident response; vulnerability detection and assessment; intelligence and investigation; and network and systems engineering.

The need for DHS to bolster its security realm is a hot topic. A Government Accountability Office report this year said that while DHS established the National Cyber Security Division to be responsible for leading national day-to-day cybersecurity efforts, that has not enabled DHS to become the national focal point for security as envisioned.

The GAO said the Defense Department and other organizations within the intelligence community that have significant resources and capabilities have come to dominate federal efforts. The group told the GAO there also needs to be an independent cybersecurity organization that leverages and integrates the capabilities of the private sector, civilian government, law enforcement, military, intelligence community, and the nation's international allies to address incidents against the nation's critical cyber systems and functions.

The cybersecurity jobs announcement comes on the same day the FBI warned that fraudsters are targeting social networking sites with increased frequency and that users need to take precautions.

The FBI said fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected, the FBI stated.

Meanwhile legislators are trying to encourage cooperation among universities and businesses to develop technology needed to carry out a strategic government effort to fight cyber attacks.

A US House subcommittee is recommending a bill that calls for a university-industry task force to coordinate joint cybersecurity research and development projects between business and academia. The Cybersecurity Research and Development Amendments Act of 2009 was approved recently by the House Committee on Science and Technology's Research and Science Education Subcommittee.

The legislation would set up a scholarship program that pays college bills for students who study in fields related to cybersecurity. They would also get summer internships in the federal government. In return the students would agree to work as cybersecurity professionals within the federal government for a period equal to the number of years they received scholarships. If there aren't any jobs there, they would work for state or local governments in the same capacity or teach cybersecurity courses.

Department of Homeland Security on Lookout for IT Security Pros

By: Brian Prince

The Department of Homeland Security has gotten the OK to hire as many as 1,000 new IT pros during the next three years to bolster cyber-security.

DHS Secretary Janet Napolitano made the announcement Oct. 1 during remarks tied to the start of National Cybersecurity Awareness Month. The new hiring authority is the result of a collaborative effort between DHS, the Office of Personnel Management, and the Office of Management and Budget.

"Effective cyber-security requires all partners—individuals, communities, government entities and the private sector—to work together to protect our networks and strengthen our cyber-resiliency," Napolitano said. "This new hiring authority will enable DHS to recruit the best cyber-analysts, developers and engineers in the world to serve their country by leading the nation's defenses against cyber-threats."

The list of positions to be filled covers areas such as cyber-risk and strategic analysis, cyber-incident response, and vulnerability detection and assessment.

The need to hire more security pros has been noted by others, such as in a report from the Partnership for Public Service and consulting company Booz Allen Hamilton released in July. In that report, the authors outlined a number of problems involved in recruiting and hiring cyber-security pros, as well as strategies for resolving the problems.

President Obama declared May 29 that his administration was making cyber-security a national priority. As part of that effort, the president authorized a 60-day assessment of the government's cyber-security. In addition, he announced the creation of the position of national cyber-coordinator, but it has not yet been filled.

Napolitano emphasized the importance of partnerships between the public and private sectors in protecting the country's cyber-infrastructure. DHS officials said they do not anticipate needing to fill all 1,000 slots.

"This is impressive and clearly an indication that DHS has won confidence in the White House to lead the federal government's cyber-security response," said Roger Thornton, CTO of Fortify Software.