War has been defined as “a state of organized, armed and often prolonged conflict carried on between states, nations, or other parties typified by extreme aggression, societal disruption, and usually high mortality.[Wikipedia]” Cyber Warfare has been defined as “politically motivated hacking to conduct sabotage and espionage. [DOD]”
While some of what we’ve recently can be construed as Cyber Warfare (including the recent hacktivism), the bulk of what’s really going (largely beneath the surface) is a) efforts by organized criminal elements using new technologies and capabilities to do what they have always done—steal money, or b) continued acts by nation states to steal military secrets (espionage) or corporate secrets (economic espionage).
While the latter (b) get the big press, I am worried that that the former (a) is actually the bigger problem of the two. I was personally hit by identity theft a few years ago when a group got access to my credit card details from a retailer I had done business with. This group proceeded to charge 250 rubles (about $9US) twice a month to one of my credit cards. While not a significant amount of money for me, I would guess that they had thousands of victims like me, and together, the monthly booty would add up quite quickly. Two hypotheses…
- More of this type of cyber-crime is occurring today than the stuff showing up on the front page of any newspaper; and
- What we mean when we say “Cyber Warfare” is really just the 21st century version of crime; criminals using cyber means.
I’m also afraid that our law enforcement forces (internationally) are nowhere near being prepared to dealing with crime using cyber technologies—two points from a National Criminal Justice Association (NCJA) Forum I recently attended:
- One of the sessions I participated in was entitled “Why Does the Crime Rate Continue to Decline?” The speaker (a well-respected professor) informed us that crime in America is actually down to the levels it was in 1964—this represents a significant drop. I asked the question “Did crime really drop or have criminals begun to use technology to steal rather than a pistol?” His response was “criminals aren’t smart enough to use computers.” I found this very hard to believe. Criminals have always adapted to stay a step ahead of law enforcement, and I fear that they now have a significant upper-hand, especially if law enforcement feels the way the speaker did and they fail to re-tool their ranks to detect, deter, and dismantle the new cyber-oriented criminal threats.
- Another session I attended was entitled “A Clear and Present Threat: A Look at Cybercrime.” In this session, one of the speakers spoke of the growing problem of crime in virtual worlds—people with avatars in virtual worlds are stealing other peoples virtual property and assets, and real lawsuits are being tried in real courts by real people. If you don’t believe me, read this article – Virtual add-ons draw real-world lawsuits – that I found in researching this further. I would submit that today’s criminals are more tech/cyber-savvy and have realized that there are safer (cyber) ways to steal money and property without having to physically point a gun at someone’s face.
Now ask yourself, how many law enforcement officers are prepare to investigate this type of crime, let alone basic identity theft, software piracy, child pornography, and cyber-extortion? And what about their readiness to preserve digital evidence in computers, laptops, routers, firewalls, servers, and handheld devices?
Today these skill sets are confined to special divisions within a police department, segregated from the bulk of the force. I would like to offer that just like the weapon, handcuffs, and radio on their utility belt,it’s time to equip many more, if not all law enforcement officers with the training and tools to understand, detect, and investigate cyber-crime…we’ll never get fully ahead of the problem, but maybe we can catch-up a bit.
your comments and thoughts welcome…r/Chuck
The Poneman Institute, considered the pre-eminent research center dedicated to privacy, data protection and information security policy, released its 2009 Ponemon Institute “Cost of a Data Breach” Study on January 29, 2010.
In the report, they published the results of their fifth annual study on the costs of data breaches for U.S.-based companies. They surveyed 45 companies represnting 15 various industry sectors–significant contributors were financial, retail, services and healthcare companies.
Numbers-wise, the companies they interviewed lost between 5,000 and 101,000 records, at a cost range between $750,000 and $31 million.
What was really interesting was that the average per-record cost of the loss was determined to be $204.00–and how many records does your law enforcement/public safety agency hold?
Some factors they considered in computing the cost of the breach included:
- Direct costs - communications costs, investigations and forensics costs and legal costs
- Indirect costs - lost business, public relations, and new customer acquisition costs
The report also lists a number of causes for the data breaches, such as:
- 82% of all breaches involved organizations that had experienced more than one data breach
- 42% of all breaches studied involved errors made by a third party
- 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices
- 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
You can download the full report here: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf
Thoughts and comments welcomed…r/Chuck
Remember what your mother told you?…wear your mittens, look both ways before you cross the street, don’t swim until 30 minutes after you eat, cigarettes are bad for you, use a condom…” Well, today’s mothers should also be telling you to “be safe” when you surf the internet.
What does it mean to practice safe web surfing? Here are seven points I adapted from a poster that my colleagues at the NewYork City Metro InfraGard chapter developed to comunicate what you should do to practice “safe web surfing.”
- Use passwords that have at least eight characters, and mix it up a bit–lowercase, uppercase, numbers and special symbols. Here’s an example: rather than “amysmith” as a password, use “@mySm1th”…get it? For more information on strong passwords, click here: Strong Passwords. To generate r-e-a-l-l-y strong passwords, use this tool: Password Generator
- Contrary to what you’ve heard before, write your passwords down and store them (somewhere other than under the keyboard on your desk). There is a greater chance that an easy to remember password will be cracked than there is for someone to break into your house or office and steal that sticky you wrote them down on. Bruce Scheiner talks about this in his blog here: Write Down your Passwords
- Use virus scanning and spyware software–Microsoft has a free one available. Also, make sure your virus scanning software is turned ON and that it’s signature files are up-to-date.
- Only open email attachments from people you know. No matter how enticing they appear to be…Free Cell Phone…Make Your (whatever) Bigger (or Smaller)…Verify Your Bank Account! …DO NOT open the attachment.
- Do NOT click on any web links in emails from people you do not know–if there’s a web address you want to go to, type web address directly into your browser–www.goodsite.commay actually take you to a malicous website.
- Parents can use the administrative capabilities of Microsoft Windows to lockdown sites/domains you don;t want you kids to visit. See instructions for doing this here: Block a Website
- Be very careful downloading and installing toolbars from non-reputable sources. They might offer you all kinds of need smiley faces and cool tools, but they could also be stealing your personal information and doing other nefarious things. Here’s one article that talks about a fake toolbar for a very well known website: Dangerous Toolbar
Let me know if you have other ideas I should add to this list…comments and thoughts welcomed..r/Chuck
If you’re like most folks, you stopped reading the “fine print” terms and conditions on free online appliactions like Google Apps, Windows Live, Zoho, and MySpace. I did too, until today. I caught an article on NetworkWorld.com today entitled “Privacy groups rip Google’s targeted advertising plan” that described how privacy advocates are concerned about Google’s foray into the world of behavioral targeting in its DoubleClick advertising business. So, that got me curious…what can Google (and others) do with your personal data, files, etc?
I did a quick check of four online appliactions that I use–Zoho, Windows Live, MySpace and Google Apps–here’s what I found.
- Windows Live had a different twist:
“Microsoft does not claim ownership of the materials you provide to Microsoft (including feedback and suggestions) or post, upload, input or submit to any Services or its associated services for review by the general public, or by the members of any public or private community, (each a “Submission” and collectively “Submissions”). However, by posting, uploading, inputting, providing or submitting (“Posting”) your Submission you are granting Microsoft, its affiliated companies and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft Services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; to publish your name in connection with your Submission; and the right to sublicense such rights to any supplier of the Services.”
- MySpace pretty much mirrors Microsoft’s terms:
“After posting your Content to the MySpace Services, you continue to retain any such rights that you may have in your Content, subject to the limited license herein. By displaying or publishing (“posting”) any Content on or through the MySpace Services, you hereby grant to MySpace a limited license to use, modify, delete from, add to, publicly perform, publicly display, reproduce, and distribute such Content solely on or through the MySpace Services, including without limitation distributing part or all of the MySpace Website in any media formats and through any media channels, except Content marked “private” will not be distributed outside the MySpace Website.”
So, what’s the moral to this story? Three things…
- Take the time to read the fine print; make yourself and others aware of the privacy and terms of service conditions for these and other (free or fee-based) online appliacations;
- If your federal, state or law enforcement agency, fusion center, or other government agency are using any of these services, make sure you have written policies about what can and cannot be posted, stored, or shared through these services; and
- Assume anything you do post or share will a) make its way outside of the United States and b) reused in some way for marketing or advertising purposes.
Play it safe; don’t assume your information posted to these services will remain private. Remember, once out, that privacy genie will be nearly impossible to get back in the bottle.
As always, your thoughts and comments are welcomed…r/Chuck
Time Magazine just released “Fusion Centers: Giving Cops Too Much Information?” – another article in a long line of articles and papers published over the last few years by many organizations describing how fusion centers are a threat to our personal privacy. In the article, they quote the ACLU as saying that
“The lack of proper legal limits on the new fusion centers not only threatens to undermine fundamental American values, but also threatens to turn them into wasteful and misdirected bureaucracies that, like our federal security agencies before 9/11, won’t succeed in their ultimate mission of stopping terrorism and other crime”
While I disagree with their assertion that “legal limits” are the answer (we already have lots of laws governing the protection of personal privacy and civil liberties), I do think that more can be done by fusion center directors to prove to groups such as the ACLU that they are in-fact operating in a lawful and proper manner.
To help a fusion center director determine their level of lawful operation, I’ve prepared the following ten question quiz. This quiz is meant to be criterion based, meaning that ALL ten questions must be answered “yes” to pass the test; any “no” answer puts that fusion center at risk for criticism or legal action.
Fusion Center Privacy and Security Quiz
- Is every fusion center analyst and officer instructed to comply with that fusion center’s documented policy regarding what information can and cannot be collected, stored, and shared with other agencies?
- Does the fusion center employ a documented process to establish validated requirements for intelligence collection operations, based on documented public safety concerns?
- Does the fusion center document specific criminal predicate for every piece of intelligence information it collects and retains from open source, confidential informant, or public venues?
- Is collected intelligence marked to indicate source and content reliability of that information?
- Is all collected intelligence retained in a centralized system with robust capabilities for enforcing federal, state or municipal intelligence retention policies?
- Does that same system provide the means to control and document all disseminations of collected intelligence (electronic, voice, paper, fax, etc.)?
- Does the fusion center regularly review retained intelligence with the purpose of documenting reasons for continued retention or purging of outdated or unnecessary intelligence (as appropriate) per standing retention policies?
- Does the fusion center director provide hands-on executive oversight of the intelligence review process, to include establishment of approved intelligence retention criteria?
- Are there formally documented, and enforced consequences for any analyst or officer that violates standing fusion center intelligence collection or dissemination policies?
- Finally, does the fusion center Director actively promote transparency of its lawful operations to external stakeholders, privacy advocates, and community leaders?
Together, these ten points form a nice set of “Factors for Transparency” that any fusion center director can use to proactively demonstrate to groups like the ACLU that they are operating their fusion center in a lawful and proper manner.
As always, your thoughts and comments are welcomed…r/Chuck
Have you noticed a lull in the amount of spam your agency has been seeing? I did for a while. Well, a recent article by Government Computer News may explain what is happening.
In a March 5, 2009 article entitled “Spammers retool for a renewed assault” they lay out a very scary explanation for the recent drop in spam and paint a not so comfortable description about what spammers are planning–here’s a quote:
“The bot masters are trying to build their botnets back up,” Masiello said. “There is a lot of variance even on a daily basis on how much spam is being sent and received…they are likely going to be used for ID theft, mostly,” Masiello said. But the data also could be used to tailor fraudulent e-mails that could be convincing enough to entice even wary recipients to visit malicious Web sites or download malicious code.”
While spammers will continue to react and adapt to whatever tecnical means we have to prevent their attacks from harming our systems and data, there are three simple and very effective things you can do to thwart these evil doers:
- SPAM/VIRUS SCANNING TOOLS: This is your agency’s first line of defense against spam-initiated virus, spyware, and trojan attacks. While it’s hard to find an agency that is not using virus and spam scanning tools, periodically check to a) make sure your users have not turned off those tools, and b) that their tool definitions are up to date. On the network side, make sure your enterprise scanning tools are configured for maximum protection and that definitions are kept up to date with current spammer tactics.
- PERSONAL REMINDERS: You hear it all the time, 80-90% of information security issues are because of what “people” do (or fail to do). And, I hope you’re not counting on your agency’s annual IT security training to get them to protect themselves and your systems. An old adage frommy Navy training days used to say “if you want them to listen, you gotta tell’em seven times, in seven different ways.” This continues to be good advice. You are going to have to continually remind users to not open any attachments or click on any links in emails from people they do not know. Some ways include: a short email to all your users once every 30-45 days and include an example of a targeted spam email; place a note in agency newsletters; or have leadership mention it at stand-ups/watch turnover.
- OUTBOUND SCANNING AND IP BLOCKING: While most agencies are filtering inbound spam email and IP addresses, i’d guess that many of them are NOT doing the same on OUTBOUND emails and IP addresses. A good layered defense takes into account the chance that something may get past your inbound scanners. It’s a good practice to also scan and filter OUTBOUND emails and IP connections to make sure that trojan isn’t “calling home”; there are a number of websites out there to help you set this up.
As always, your thoughts and comments are welcomed…r/Chuck
The IJIS Institute announces the appointment of Chuck Georgo, founder of NOWHERETOHIDE.ORG, as the Chairperson of the IJIS Institute’s Security and Privacy Advisory Committee.
The purpose of the IJIS Institute’s Security and Privacy Advisory Committee is to provide advice and counsel to the Department of Justice’s Office of Justice Programs (OJP), as well as other national organizations, on issues of information system security and privacy as applied to integrated justice and public safety information systems, and to develop materials and seminars to educate industry and government staffs on security and privacy measures, designs, and related issues.
The Security and Privacy Advisory Committee strives to be vendor agnostic in all activities and work products and to be the authoritative source for establishing effective privacy and security measures throughout the justice, public safety, and homeland security information sharing community. Additionally, the committee’s goals include increasing government and industry awareness and understanding of technical and non-technical privacy and security requirements and improving the privacy and security posture for federal, state, local, and tribal justice information sharing efforts. In order to achieve these goals, the committee performs research, issues white papers, develops and conducts training, participates in advisory working groups, and supports technical assistance projects.
Chuck Georgo, regarding his appointment, noted that, “Successful information sharing requires trust. I believe that to get trust you need two things—honorable motive and reliability. Organizations must know that your motives benefit the social good and that your means to protect shared information from compromise is achievable and durable. While honorable motive is in the hands of law enforcement and justice agency executives, I believe that the IJIS Institute, through the Security and Privacy Advisory Committee, can help government and industry to employ effective ways for achieving the reliable means to protect that information. I look forward to working with my fellow committee members to further advance the cause of information sharing through robust security and privacy principles and practices.”
Chuck Georgo has nearly 28 years of experience in intelligence, national security, defense, and law enforcement arenas. He has served as a strategic planner, business analyst, and technologist supporting the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, and many other public and private sector organizations.
# # #
About the IJIS Institute — The IJIS Institute serves as the voice of industry by uniting the private and public sectors to improve mission critical information sharing for those who protect and serve our communities. The IJIS Institute provides training, technical assistance, national scope issue management and program management services to help government fully realize the power of information sharing. Founded in 2001 as a 501(c)(3) non-profit corporation with national headquarters on the George Washington University Virginia Campus in Ashburn, Virginia, the IJIS Institute has grown to more than 240 member and affiliate companies across the United States. For more information visit www.IJIS.org.
About NOWHERETOHIDE.ORG – NOWHERETOHIDE.ORG, LLC, was established to help federal, state, and local law enforcement, justice, and homeland security agencies to better achieve their public safety and national security objectives. As our name implies, we want to help these agencies become so effective that criminal elements have nowhere-to-hide from justice. We offer planning, assessment, and technology consulting services to help law enforcement, justice, and national security agencies identify and resolve the issues that currently stand in the way of achieving high performance standards. For more information visit www.nowheretohide.org.
Doris Girgis | Communications Specialist | IJIS Institute | Ph: 703.726.1096 | www.ijis.org
Realize the power of information.
Support the IJIS Institute by ordering your gifts from one of 700 stores on the iGive portal and selecting the IJIS Institute as your organization of choice.
January 6, 2009