From malware on Google's Android phones to the U.S. Defense Advanced Research Projects Agency trying to understand how stories or narratives impact security and human behavior, the security world certainly is never boring. Here we take a look at 20 security stories that have shaped the industry in the past few months.
Should revenge assaults be just another security tool large IT shops use to counter cyberattacks? It's a controversial idea, and the law frowns on cyberattacks in general. But at the Black Hat DC conference in January, some speakers took up the issue of whether and how organizations should counterattack against adversaries clearly using attack tools to break into and subvert corporate data security. One idea that got plenty of attention there was the notion of exploiting vulnerabilities in attack tools and botnets to try to determine what the attacker was going after, to feed back fake data, or even to dive into the attacker's network lair.
Point-of-sale payment processing devices for credit and debit cards are proving to be rich targets for cybercriminals due to lax security controls, particularly among small businesses, according to a report from Trustwave. Trustwave, which investigates payment card breaches for companies such as American Express, Visa and MasterCard, conducted 220 investigations worldwide involving data breaches in 2010. The vast majority of those cases came down to weaknesses in POS devices. "Representing many targets and due to well-known vulnerabilities, POS systems continue to be the easiest method for criminals to obtain the data necessary to commit payment card fraud," according to Trustwave's Global Security Report 2011.
The Google Android Market for apps is supposed to be an apps showplace, but the fact that Google this week yanked down about 50 Android apps it found to be malicious came as something of a jolt to many in the security industry. "We believe they all had the same malware," said Kevin Mahaffey, CTO at Lookout Mobile Security, which has taken to calling it the DroidDream infection. The apps were released under the Google-registered developer names "Kingmall2010," "we20090202" and "Myournet," which Lookout Mobile suspects are all the same person or group. At least one of the malicious apps is based on stolen software that was Trojanized and submitted to Google. Most of the malicious Android apps to date have been on third-party Web sites, but this week's episode of malicious apps in the official Android Market calls into question the vetting process.
The FBI's 10th annual Internet crime report finds that complaints and money losses are at an almost all-time high, with nondelivery of payment or merchandise, scams impersonating the FBI and identity theft leading the top 10 online complaint parade. The report -- which is issued through the FBI's partners the Internet Crime Complaint Center (IC3) and the National White Collar Crime Center (NW3C) -- found that in 2010, IC3 received 303,809 complaints of Internet crime, the second-highest total in IC3's 10-year history. IC3 also reached a major milestone this year when it received its 2 millionth complaint. On average, the group receives and processes 25,000 complaints per month.
Can the U.S. government and private industry unite to fight off those who are intent on waging cyber anarchy? The Defense Department hopes so and it has devised a plan to help promote that cooperation. Securing the nation's networks will require unprecedented industry and government cooperation, Deputy Defense Secretary William J. Lynn told attendees at the RSA security conference. "Through classified threat-based information, and the technology we have developed to employ it in network defense, we can significantly increase the effectiveness of cybersecurity practices that industry is already carrying out," Lynn said. Lynn noted that more than 100 foreign intelligence agencies have attempted intrusions on U.S. networks.
It's a new twist on an old scam. The Army Times newspaper reported details of the growing trend of fraudsters stealing the identities of U.S. Army soldiers from social network sites and then using that information to set up false profiles on Internet dating sites. The profiles are used to dupe prospective dates out of their money. But there are other consequences too. From the Army Times: "The unwitting soldiers are sometimes victims when their loved ones discover the online profiles and believe their soldiers are looking to cheat. [Master Sgt. C.J. Grisham, who uses his blog, 'A Soldier's Perspective,' to expose scammers using the soldier dating con] said the scam is a new twist on the so-called Nigerian 419 advance fee scam, and its popularity is growing, fueled by soldiers' routine use of social networking sites and the Internet's penetration into third-world havens for con men. 'In the past year, the traffic on my site related to the scams I write about has tripled,' Grisham said. 'I'll get 30 to 40 comments a day and 20 e-mails a day asking me to look into whether or not they're being scammed.'"
Since it sounds like a not-so-basic science fiction script, you won't be surprised that the scientific masterminds at the Defense Advanced Research Projects Agency are behind it. DARPA, in a nutshell, wants to know how stories or narratives, or whatever one might like to call them, influence human behavior. To this end, DARPA hosted a workshop called "Stories, Neuroscience and Experimental Technologies (STORyNET): Analysis and Decomposition of Narratives in Security Contexts" on Feb. 28 to discuss the topic.
"Stories exert a powerful influence on human thoughts and behavior. They consolidate memory, shape emotions, cue heuristics and biases in judgment, influence in-group/out-group distinctions, and may affect the fundamental contents of personal identity. It comes as no surprise that these influences make stories highly relevant to vexing security challenges such as radicalization, violent social mobilization, insurgency and terrorism, and conflict prevention and resolution. Therefore, understanding the role stories play in a security context is a matter of great import and some urgency," DARPA stated. "Ascertaining exactly what function stories enact, and by what mechanisms they do so, is a necessity if we are to effectively analyze the security phenomena shaped by stories. Doing this in a scientifically respectable manner requires a working theory of narratives, an understanding of what role narratives play in security contexts, and examination of how to best analyze stories -- decomposing them and their psychological impact systematically."
The U.S. Air Force is trying to decide whether or not to use commercial off-the-shelf (COTS) smartphones, such as Android-based devices or iPhones, and how it can securely process classified voice and data using them. The Air Force has issued a request for information, not a formal contract solicitation as it is trying to come up with the best plan. Securing smartphones for military use is an absolute necessity if the devices are to find wide applications for field use. The Army has made smartphone development a priority as well.
In a long-running dispute about privacy and security, the U.S. Supreme Court sided with NASA, saying its background checks were not invasive, that the information required for not only NASA but most government positions was a reasonable security precaution, and that sufficient privacy safeguards existed to prevent any improper disclosures. You may recall that in this case, 28 scientists and engineers at NASA's Jet Propulsion Laboratory filed suit against the U.S. government and the California Institute of Technology (Caltech) in 2007, saying that NASA's background investigations, as required by government regulations, were invasive. Such regulations are in part aimed at gathering information to develop a common identification standard that ensures people are who they say they are, so that government facilities and sensitive information stored in networks remain protected.
When it comes to preparing for all manner of security threats, the more realistic the training can be the better. That's why the U.S. Secret Service said it has developed a software system that uses gaming technology and 3D modeling to offer high-tech training for its personnel. With funding from Department of Homeland Security (DHS) Science & Technology Directorate, the Secret Service developed the Site Security Planning Tool (SSPT), a training system dubbed "Virtual Tiny Town" to offer service members preparation against chemical, biological or radiological attacks, armed assaults, suicide bombers and other threats, the service stated.
As the country's electricity grid undergoes a transformation and moves toward a more intelligently networked, automated system, it faces an increasing number of cybersecurity issues. Watchdogs at the Government Accountability Office said that while the increased use of smart grid systems may have a number of benefits, "including improved reliability from fewer and shorter outages, downward pressure on electricity rates due to the ability to shift peak demand, an improved ability to transmit power from alternative energy sources such as wind, and an improved ability to detect and respond to potential attacks on the grid," many challenges remain.
The hacktivist group Anonymous has won, for now, its skirmish with the CEO of HBGary Federal, the network security firm whose e-mails were stolen and posted on the Internet, leaving the company red-faced over the content as well as the ease with which its network was hacked. CEO Aaron Barr told Threatpost that he's stepping down in order to help the company regain its reputation and to start improving his own. His promise to expose the names of Anonymous members recently drew an attack that yielded more than 50,000 HBGary Federal e-mails, which the group posted on the Internet. The group also detailed publicly how it exploited weak passwords and unpatched servers to crack the network, then used the password information it gleaned to break into the company's Gmail accounts.
New York prosecutors indicted 27 people in February as part of a crime ring that bought Apple iPods, iPads and other products with stolen credit card information for resale in the criminal underground. In raids conducted Feb. 1, agents seized $300,000 in cash, three firearms and ammunition as well as equipment to make fake credit cards from the gang, which split into two operations running from June 2008 through the end of last year, according to a press release from the Manhattan District Attorney's Office.
The shift to cloud computing offers an opportunity to better secure the national digital infrastructure by concentrating the burden of cybersecurity among a relatively small number of service providers rather than thousands of individual businesses, according to a report by a foreign policy think tank. "Cloud computing has weaknesses, but it also offers the opportunity to aggregate and automate cyber defense," according to a new report by the Center for Strategic and International Studies. The report, "Cybersecurity Two Years Later," is a follow-up to "Securing Cyberspace for the 44th Presidency," which the group issued in 2008.
Weaknesses in 802.11p vehicular wireless networks could make them targets for terrorists seeking to wreak havoc on the nation's highways, according to a presentation at the recent Black Hat DC conference. The technology will someday be used for controlling traffic flow and warning drivers of highway dangers -- a system that could be exploited if not implemented properly, says Rob Havelt, director of penetration testing at security vendor Trustwave's SpiderLabs.
Researchers have found a cheaper, faster way to process SSL/TLS with off-the-shelf hardware, a development that could let more Web sites shut down cyberthreats posed by the likes of the Firesheep hijacking tool. The technology, dubbed SSLShading, shows how SSL proxies based on commodity hardware can protect Web servers without slowing down transactions. SSL/TLS -- the cryptographic protocols used to protect online Web transactions -- encrypts traffic from visitors' machines all the way to Web servers. That makes it impossible to pick up data such as session cookies by preying on unencrypted wireless networks, which is what Firesheep does.
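The Firesheep risk described above comes down to a site letting a session cookie travel over plain HTTP. As an added example (not code from the article, the SSLShading researchers or any vendor named here), this Python audit parses constructed HTTP response headers and flags the two conditions that leave a session open to that kind of hijack: a session cookie without the Secure attribute, and no Strict-Transport-Security header to keep the browser on HTTPS. The URLs, cookie names and header blocks are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses a site might return right after login.
# These are illustrative only, not captured from any real site.
SAMPLE_RESPONSES: Dict[str, str] = {
    "https://shop.example/login": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"  # no Secure
        "Set-Cookie: theme=dark; Path=/\r\n"
        "Content-Type: text/html\r\n"
    ),
    "https://bank.example/login": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: sid=xyz; Path=/; Secure; HttpOnly\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
    ),
}

# Heuristic: cookie names that usually carry a login session (assumed list).
SESSION_HINT = re.compile(r"(sess|sid|auth|token|login)", re.I)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw header block, skipping the status line."""
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(url: str, raw: str) -> List[str]:
    """Flag settings that let a session cookie be sent over unencrypted HTTP."""
    findings = []
    headers = parse_headers(raw)
    has_hsts = any(n == "strict-transport-security" for n, _ in headers)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attribute names after the first "name=value" pair, lower-cased.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if SESSION_HINT.search(cookie_name) and "secure" not in attrs:
            findings.append(f"{url}: session cookie '{cookie_name}' lacks Secure; "
                            "a browser will also send it over plain HTTP")
    if not has_hsts:
        findings.append(f"{url}: no Strict-Transport-Security header; "
                        "a browser can still be steered onto http://")
    return findings


def audit_all(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the audit over every sample and keep only URLs with findings."""
    return {u: f for u, r in responses.items() if (f := audit_response(u, r))}
```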
What's "pervasive memory scraping" and why is it considered by SANS Institute security researchers to be among the most dangerous attack techniques likely to be used in the coming year? Simply put, pervasive memory scraping is used by attackers who have gained administrative privileges to successfully get hold of personally identifiable information (PII) and other sensitive data held encrypted in a file system, according to Ed Skoudis, senior security consultant at InGuardians who is also an instructor at SANS events. Evidence of this attack is coming up again and again in data-breach cases, he said.
Cisco has unveiled a self-described "complicated" security architecture dubbed SecureX that it says provides a context-aware way to safeguard networks increasingly overrun with smartphones, tablets and virtualization. SecureX, outlined at the RSA Conference in San Francisco last month, will initially give Cisco firewalls -- and eventually its switches, routers and other products -- the ability to dynamically scan and tag data related to a user's identity and application/device usage in order to have a real-time basis for enforcing identity-based security policies.
"Beware the Advanced Persistent Threat!" is the security vendor mantra of the moment. But really, what is an APT? Depends who you ask ... Some claim the term "Advanced Persistent Threat" originated somewhere in the Defense Department and its contractors, which face continual cyber-espionage attacks. "I think it was the Air Force," says Eddie Schwartz, NetWitness chief security officer. "It's persistence of the adversary and the variety of techniques they're using, like malware or social engineering, against a nation's significant economic interests."
The traditional port-based enterprise firewall, now looking less like a guard and more like a pit stop for Internet applications racing in through the often-open ports 80 and 443, is slowly losing out to a new generation of brawny, fast, intelligent firewalls. The so-called next-generation firewall (NGFW) describes an enterprise firewall/VPN that has the muscle to efficiently perform intrusion prevention sweeps of traffic and the awareness of which applications are moving through it to enforce policies based on allowed, identity-based application usage. It's supposed to have the brains to use information such as Internet reputation analysis to help with malware filtering, or to integrate with Active Directory.