Security

Cyber scammers are banking on the notion that many people who might not fall for a phishing scam via e-mail may still be easy targets through their mobile phone, according to security report released Tuesday from Cisco Systems.

Text message scams are on the rise, particularly fake messages that appear to come from a legitimate bank, said the report, which covers a wide variety of cybercrime topics.

In many of the scams, the SMS messages direct the recipient to call a telephone number where an automated message prompts the caller to provide log-in ID or account number and PIN. Other messages provide a URL that leads to a phishing site looks like a legitimate site.

Specific scams have targeted cell phone users in Fargo, N.D., along with customers of First Community Credit Union and Buffalo Metropolitan Federal Credit Union in New York and of BCT Federal Credit Union in New York and Pennsylvania, the report said.

"People are giving up information through the voice channel in a way they never would do through e-mail or the Web," said Patrick Peterson, Cisco's chief security researcher.

Meanwhile, cybercriminals are continuing to get more sophisticated and borrowing from real-world business models. For instance, researchers have come across a service called VirTest that will test malware and viruses against products from the major antivirus vendors for a fee, Peterson said.

Two U.S. senators introduced legislation on Wednesday that calls for naming a national cybersecurity adviser who reports directly to the president and who would have the authority to disconnect federal or critical infrastructure networks from the Internet if they were deemed to be at risk of attack.

This proposed legislation comes amid a review ordered by the Obama administration into the government's policies for defending itself against cyberattacks and follows the resignation of Rod Beckström as director of Homeland Security's National Cybersecurity Center in response to what he said was a power grab by the NSA for cybersecurity leadership.

The legislation, proposed by Sen. John D. Rockefeller IV (D-W.Va.) and Sen. Olympia Snowe (R-Maine) would establish an Office of the National Cybersecurity Advisor that would take the lead on Internet security matters and coordinate with the intelligence community and the private sector.

The legislation also calls for the creation of a Cybersecurity Advisory Panel composed of outside experts from industry, academia, and nonprofit groups that would advise the president, as well as creation of a public-private clearinghouse for cyber threat and vulnerability information sharing, establishment of measurable and auditable cybersecurity standards from the National Institute of Standards and Technology. It would also require that cybersecurity professionals be licensed and certified.

In addition, the legislation would require that the cybersecurity adviser conduct a review of the U.S. cybersecurity program every four years and require officials to complete a number of reviews and reports. Officials would be asked to: do a threat and vulnerability assessment of public systems and private sector operated infrastructure; conduct a legal review of the federal statutory and regulatory framework for cybersecurity; complete a report on identity management and civil liberties, and one on risk management that attempts to put a dollar value on cybersecurity threats and includes civil liability and government insurance.

Other provisions of the legislation call for the creation of state and regional cybersecurity centers to help small and midsize businesses adopt security measures, an increase in funding for cybersecurity research and development at the National Science Foundation, and the establishment of a Secure Products and Services Acquisitions Board that would certify that products the government purchases meet security standards it sets.

Did your brother-in-law really send you a singing holiday card? Did a long-lost friend from college really include you on this year's list?

One inexpensive way to send holiday cheer may be to send e-cards, but security vendor AVG warned on Tuesday that online criminals are taking advantage of the fact most people don't know the difference between a legitimate e-card and one hosting malware.

Last week security vendors warned of a Trojan horse masquerading as holiday-themed e-cards from McDonald's, Coca-Cola, and Hallmark.

To better educate the public, AVG has launched a site, "Slam the Holiday Scam,", co-sponsored with CyberStreetSmart.org and i-Safeworking, and is working to team with various online safety organizations such as the National Crime Prevention Council, the FTC's Bureau of Consumer Protection, CyberStreetSmart.org, i-Safe, the National Cyber Security Alliance, and Consumers Union, and Protection from Brand Infection.

The tips, which should be familiar to most online users, include:

• Don't open attachments because most legitimate e-cards include links to the company's Web site that allow you to go directly to your card.
  
• If something looks a little strange or "phishy" just delete the card.
  
• Use security software on your desktop.
  
• Watch out for misspelled words or names, a disguised name (such as Your Friend, A Secret Admirer), or an odd URL.
  
• Always read the fine print before accepting any terms.
  

Also on the site is a free 90-day trial of AVG Internet Security, which includes antivirus, antispyware, and antirootkit protection plus a personal firewall and Linkscanner protection against malicious Web sites.

China is actively conducting cyber espionage as a warfare strategy and has targeted U.S. government and commercial computers, according to a new report from the U.S.-China Economic and Security Review Commission.

"China's current cyber operations capability is so advanced, it can engage in forms of cyber warfare so sophisticated that the United States may be unable to counteract or even detect the efforts," according to the annual report (PDF) delivered to Congress on Thursday.

The report cites news articles and testimony from U.S. officials like Col. Gary McAlum, chief of staff for the U.S. Strategic Command's Joint Task Force for Global Network Operations. It concludes that Chinese cyber attacks, authoritarian rule, and trade violations are impediments to U.S. economic and national security interests.

A spokesman for the Chinese foreign ministry, Qin Gang, said the report was misleading, impeding cooperation between the U.S. and China, and "unworthy of rebuttal," according to an article published late Monday in Secure Computing Magazine.

China is targeting government and private computers in the U.S., including systems operated by the biggest U.S. defense contractors, according to the report, which cited news articles. In 2005, hackers from China nabbed NASA files on the propulsion system, solar panels, and fuel tanks, and an aviation mission planning system for Army helicopters and Army and Navy flight planning software were stolen from the Army Aviation and Missile Command at Redstone Arsenal in Alabama, the report said.

China can access an unclassified U.S. military network called the NIPRNet (Non-secure Internet Protocol Router Network) and "views is as a significant Achilles' heel and as an important target of its asymmetric capability," according to the report. This "gives China the potential capability to delay or disrupt U.S. forces without physically engaging them--and in ways it lacks the capability to do conventionally."

The U.S. government also is at risk as a result of the global computer supply chain, the commission said. Computer components used by the U.S. and manufactured in China are "vulnerable to tampering by Chinese security services, such as implanting malicious code that could be remotely activated on command and place U.S. systems or the data they contain at risk of destruction or manipulation," the report said. Hundreds of counterfeit routers made in China were found in systems throughout the Defense Department, it said.

The Chinese government is training citizens in cyber operations at military academies, and tolerates, or even encourages, actions taken by an estimated 250 hacker groups there, the report said.

Chinese military officials believe the U.S. is doing cyber espionage against China, and believe that by striking first with a cyber attack they can plant misinformation and hide their tracks, according to the report.

U.S. officials and lawmakers have complained about specific incidences where they believed Chinese representatives breached their systems. This summer, two congressmen who have been longtime critics of China's human rights record accused China of compromising computers that had information related to political dissidents. In the spring, government sources told the Associated Press that they were looking into allegations that Chinese officials copied data from a laptop left unattended in China by the commerce secretary.

On Wednesday, HBGary announced that Andy Purdy has joined their advisory board.

Purdy, while a member of the White House, co-drafted the 2003 edition of the National Strategy to Secure Cyberspace, then joined the Department of Homeland Security. There, he served on the tiger team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT). He went to head both organizations and was dubbed by the media as the "cyberczar" of the United States until DHS appointed Greg Garcia as assistant secretary for cybersecurity and communications.

In 2006, Purdy oversaw the first large-scale mock cyberattack, code-named Cyber Storm. A second mock attack, under Garcia, was held earlier this year.

In August, HBGary has announced a partnership with McAfee to provide forensic tools for its enterprise offerings. HBGary specializes in monitoring information systems for external and internal threats.

Eighteen months after a denial-of-service attack, the Estonian Ministry of Defense has posted a detailed report (PDF) on the attacks. While focusing on specific steps the nation needs to take to prevent another attack, the report contains global recommendations as well.

In May 2007, the Baltic nation experienced a series of denial-of-service (DoS) attacks as a result of its government's decision to relocate a statue honoring an unknown Russian person killed during World War II. At Black Hat in 2007, security expert Gadi Evron said the attacks were not directed by the Russian Federation, or any government entity; he suggested it was the work of a "flash mob" of individuals from all over the world. In January, a native Russian in Estonia was convicted for his involvement in the event.

The report calls for Estonia to apply a graduated system of security measures, develop high awareness of information security to the highest standard, develop appropriate regulatory and legal framework of information systems, and promote international cooperation toward achieving global cybersecurity.

On the latter topic, Estonia will seek global condemnation of cyberattacks given the impact on individuals' livelihoods. In Estonia, a nation that is well-wired per capita, the DoS attacks shut down local ISPs and prevented people from buying food, getting gas, or completing bank transactions for several days.

The report concludes that Estonia should seek the cooperation of all nations in strengthening local cybersecurity law enforcement by presenting its expertise and experience at global security conferences.

LAS VEGAS--The security issues we face today in cyberspace are the same ones the country faced during the American Civil War when Abe Lincoln was relying on telegraph transmissions to help keep the country united, a top U.S. cybersecurity official said in a keynote speech at the Black Hat security conference here Thursday.

Lincoln was obsessed with reading telegrams that delivered updates from the battlefield, using them to learn about the military strategies and to offer feedback, said Rod Beckstrom, director of the National Cyber Security Center in the Department of Homeland Security.

"If he were alive today we would probably call him an e-mail junkie or a cyber junkie," he said. "He was the first wired president; (telegraph) was a fixed wire" that could be severed or tapped.

Security lessons from battle were available even earlier in American history, according to Beckstrom. In the French and Indian wars, British forces relied on traditional warfare formations and often got slaughtered by French frontiersmen and their Native American supporters, who used guerrilla tactics like roadside ambushes.

One officer fighting on the side of the British who survived such attacks--George Washington--took the lessons of flexible fighting and guerrilla warfare with him in fighting for American independence, he said.

Even that American revolutionary war was almost lost because of "one of greatest threats we face today in cyberspace"--insider threats and hackers, Beckstrom said, displaying a portrait of Benedict Arnold, a disgruntled commanding officer who was passed over for promotion and charged with corruption after facing financial difficulties.

"He saw an opportunity," and was selling plans for West Point and other military secrets to the British, but was caught in the end, Beckstrom said.

"We have the same threats today, just on different technology and mediums," Beckstrom said.

Today, however, nations, businesses, and individuals also confront a single point of failure in cyberspace, with the Internet protocols and technologies, like the Domain Name System, he said. (A serious DNS vulnerability was the subject of a session at Black Hat on Wednesday.)

"Invest in protocols because it may be the cheapest security dollars we can invest," Beckstrom said. The Department of Homeland Security is funding research related to DNS security, among other initiatives, he added. "We've got to move forward because we've got to change the odds of this game."

The IP dependencies in the telecommunications sector put emergency communications, like mobile phone texting, at risk, Beckstrom said, noting that he was in New York City on Sept. 11, 2001, and in Pakistan when the 2005 earthquake hit and saw firsthand how crucial texting is. A cell phone tower can handle 200 or more calls simultaneously and about 5,000 text messages a second, according to Beckstrom.

And don't forget the plain old telephone system, which will still be operational if the IP system goes down, he said.

Without elaboration, Beckstrom said: "Why can't we quarantine computers that are disrupting the Internet?"

He touched on issues of punishment, "cyber justice," and cyber diplomacy, and ended the talk asking more questions than he answered.

"What are the new cyber rules?" he asked. "How do we develop an international framework and move toward cooperation?"

Click here for full coverage of Black Hat 2008.