My new professional development course!
The ID Theft Prevention Institute is a professional center for the development of policies at the federal, state, local, & corporate levels that will better protect globally against identity threats. The Institute develops innovative tools for educating employers and employees on safe handling of sensitive information. Research partially funded by NSF and Iowa State University Information Assurance Center. Co-Directors Dr. Steffen Schmidt and Michael McCoy
Did you know that one of the strongest criticisms about United States cybersecurity is that the US government does not provide security for non-governmental organizations or corporations? This is very surprising and alarming because attacks against defense contractors, electric power companies, dams, universities, banks, and other systems are actually a serious threat to US national security and stability. So now comes the first news that the government may be moving in the right direction - of using the cyberwarfare and cyberintelligence tools of the government to more broadly protect the United States and American public and private interests.
Labels: cyberwar, NSA Cyberprotection
As Ronald Reagan used to say "Here we go again!" The Internet insecurity just keeps rolling on threatening more and more American consumers as well as critical infrastructure such as power plants, dams, and national security related facilities. Here are some excerpts from the article.
"Federal regulators are pushing banks to keep customer financial information more secure after about 200,000 Citigroup credit card accounts were hacked last month.
The Federal Deposit Insurance Corp., which regulates the nation's banks, is pushing for stronger account security measures at those institutions. The agency is specifically developing "additional guidance to enhance authentication procedures when customers access their online accounts," FDIC Chair Sheila Bair said in a statement.
"The FDIC continually monitors (security) vulnerabilities as they evolve to prevent and deal with these risks and their impact on institutions and their customers," the statement reads. "Both banks and regulators must remain vigilant."
Although the Citigroup accounts were hacked more than a month ago, the breach was first made public Thursday."
Clearly this is an example of rampant negligence. Imagine if it took a month to report a rape or car accident! There would be a huge public outcry and heads would roll. The problem continues to be that these breaches are almost viewed as "acts of God" and no one is held responsible or punished for negligence!
For an ID Theft Awareness certification course taught by us through Iowa State University Engineering Extension please go here http://www.eol.iastate.edu/Professional-Development/Courses/idtheft.html
Course Summary:
Professionals in the insurance, law enforcement, financial services, education, healthcare, and other industries need to be trained and certified in information security to meet federal and state best practices. This short Internet class provides professionals with the necessary security and Identity theft awareness training and awards a certificate upon successful completion. The class is very user friendly guiding the students through each module to completion at their own pace. We have included video clips and other visual material to make the class interesting as well as practical.
"Did Congressman Anthony Weiner really tweet a photo of his, well, wiener? It's possible, but he also might have been "hacked" via an image service vulnerability that makes it easy for anybody to send a photo to a user's account.
The incident happened over Memorial Day weekend: Weiner's official Twitter account sent a link to a photo on ImageShack's yFrog service of a man's bulging underpants. Weiner immediately denied sending the photo, claiming that his account was hacked. As this is a common defense used by politicians and celebrities against Twitter and Facebook boo-boos, many Weiner-watchers took the hacking claim with a grain of salt.
The truth, though, is that it is possible that the Weiner-wiener incident was pulled off by pranksters who knew how to manipulate yFrog into posting a photo to Weiner's account. yFrog, like many other image services, allows users to send a photo to a specialized e-mail address made for that person's account; when the service receives the message, it gets posted automatically and then tweeted out to the world" More Here: http://arstechnica.com/tech-policy/news/2011/06/lewd-prank-on-congressmans-twitter-account-might-be-yfrogs-fault.ars
Labels: can you be picture spammed, yFrog
Friday, 3 June 2011
It was supposed to be the day Sony clawed back some pride. Yesterday morning, the company announced that its PSN network was back online after the biggest hacking attack in history more than a month earlier.
Last night, though, the Japanese manufacturer was dealing with another disaster, after hackers claimed to have broken into its network yet again, saying they had stolen more than one million users' personal account details and posted them online.
The hackers claimed the data taken during the attacks on Sony and BMG included passwords, email addresses, home addresses, dates of birth and all Sony opt-in data associated with their accounts. A statement from the hackers read: "Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5m 'music coupons'."
The "hacktivist" group LulzSec claims to have carried out the attack – as well as recent ones on the PBS and Fox networks.
On its Twitter account, the group said it had also stolen "unencrypted admin accounts, government and military passwords saved in plaintext" [sic]. The alleged hacking is the latest in a series to be carried out on high profile companies and heaps more embarrassment on the highest profile of them all: Sony. In early May, The Independent reported rumours in the hacking community that the company was to be the target of another group of hacktivists."
Well this is certainly bad news! You'd think that a huge, sophisticated company like Sony would have radical internet security, or would quickly put it in place. Truth is, these big giants have neglected security for many years. Now we reap the bitter fruit of that neglect.
The hackers actually said, "Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure:"
Howdja feel about being upbraided and browbeaten by a bunch of hackers Sony?!
What's most disgraceful is that when you go to the Play Station web site and the Sony web site THERE IS NOT ONE WORD ABOUT THE HACK! I guess "Screw our customers we are going to play this quiet and close to the chest and hope that most of our huge customer base won't know their private information has been hacked."
Steffen Schmidt, Professor
Labels: Sony hacked again
I get daily briefings by e-mail from the Rasmussen poll. Since they ask us to share the results with others I wanted to pass this one on to you because it is a rare and very complete poll on cyber attacks and Internet use.
53% Say Major Cyberattack Should Be Viewed As Act of War
Thursday, June 02, 2011
Voters express strong concern about the safety of America’s computer systems and think a major cyberattack on the United States should be grounds for forceful military retaliation.
A new Rasmussen Reports national telephone survey finds that 82% of Likely U.S. Voters are at least somewhat concerned about the safety of the country’s computer infrastructure from cyberattack. Just 17% don’t share that concern. These findings include 35% who are Very Concerned but only three percent (3%) who are Not At All Concerned.
The Pentagon is currently considering a new defense strategy that would classify a major computer sabotage attack from another country as an act of war justifying a forceful U.S. military response. Fifty-three percent (53%) of voters agree with this proposed new strategy and think a major cyberattack on the United States by another country should be viewed as an act of war. Twenty-two percent (22%) disagree, and another 25% are undecided.
A plurality (45%) of voters regards a cyberattack by another country as a greater economic threat to the United States than a traditional military attack. Twenty-two percent (22%) still see a traditional attack as a bigger threat. One-in-three voters (33%) are not sure which is the greater threat.
Similarly, 45% of Americans said in December 2009 that a cyberattack by terrorist hackers poses a greater economic threat to the United States than another 9/11 attack on New York City and Washington, D.C. Twenty-four percent (24%) disagreed, and 32% were undecided.
The survey of 1,000 Likely Voters was conducted on May 31-June 1, 2011 by Rasmussen Reports. The margin of sampling error is +/- 3 percentage points with a 95% level of confidence. Field work for all Rasmussen Reports surveys is conducted by Pulse Opinion Research, LLC.
Only nine percent (9%) of voters think it is possible to make any computer system secure from a cyberattack. Sixty-three percent (63%) say it is not possible to have that level of cybersecurity, but 27% aren’t sure.
Male voters (63%) feel more strongly than female voters (45%) that a major cyberattack by another country should be viewed as an act of war.
Sixty-six percent (66%) of Republicans and 52% of voters not affiliated with either major party share that view, compared to 42% of Democrats.
Middle-aged voters believe more strongly than those in other age groups that a cyberattack poses a greater economic threat to America than a traditional military attack.
Fifty-seven percent (57%) of Mainstream voters believe a major cyberattack should be seen as an act of war justifying a strong military response, while those in the Political Class are almost evenly divided on the question. But then while 49% of those in the Mainstream see a cyberattack as a greater economic threat to the United States than a traditional military attack, the plurality (45%) of Political Class voters are not sure.
Most Americans (57%) are at least somewhat confident in the security of online transactions and banking, including 17% who are Very Confident.
In an effort to enhance online security and privacy, the Obama administration has proposed that Americans obtain a single ID for all Internet sales and banking activity. But most Americans want nothing to do with such an ID if the government is the one to issue it and hold the information.
Just 19% of Americans say they rarely or never use the Internet. But 44% consider the Internet the best way to get news and information.
Seventy percent (70%) of adults are concerned that Americans have become too dependent on electronic devices, including computers and calculators, with 41% who are Very Concerned.
Labels: Rasmussen poll on cyber attack
Here is the latest news on the hack attack against defense contractors and govt officials.
UPI via COMTEX reports that "U.S. anti-terror experts said they were investigating claims Chinese hackers cracked hundreds of senior U.S. and South Korean officials' Gmail accounts. The Department of Homeland Security, charged with protecting U.S. territory from terrorist attacks, FBI and White House National Security Council computer security experts joined Gmail owner Google Inc. in investigating the offensive, whose targets also included military personnel, Chinese political activists, officials of other Asian countries and journalists ..."
I also saw that a US Cabinet member may have been hacked but there is no comment on that one.
We will continue to monitor this story for you but what I found both surprising, ridiculous and not credible was the comment by an NSC person, "We have no reason to believe that any official U.S. government e-mail accounts were accessed." So that basically means that if Sec of State Hillary Clinton's Gmail account was hacked that does not count? (PS Did you also read my blog about the government now switching from Blackberry to iPhones and iPads and Google Gmail for official government e-mail service?! Bad timing!)
The news is also that, "The Pentagon intends to deem cyberattacks "acts of war," giving Washington a peremptory right to retaliate against hackers with conventional military strikes, unclassified portions of a U.S. Defense Department report expected to become public next month indicated."
Over a year ago there were other attacks like this that seemed to come from the Lanxiang Vocational School which was founded with funding from the Chinese military.
Military contractors hacked include Northrop Grumman Corp., Lockheed Martin Corp., and L-3 Communications Holdings Inc. L-3 Communications supplies command and control, communications, intelligence, surveillance and reconnaissance systems and products to the US military. This is serious business since it could compromise US defense and national security in a serious way.
I assume that we will not hear a lot more about this as secrecy is critical in fixing the damage done and in altering the security routines (especially those worthless "security tokens" that have been used for highly sensitive communication and which now appear to also be damaged goods - see previous blogs on that issue).
Steffen Schmidt
Labels: serious defense contractor hack
In a blog post, the company said that the campaign appeared to originate from the city of Jinan, China, and that the attackers had hijacked the personal Gmail accounts of senior government officials in the United States, Chinese political activists, officials in several Asian countries, military personnel and journalists.
It is the second time that Google has pointed to China as the source of an intrusion. Last year it said it had traced a sophisticated attack on its systems to China-based perpetrators."
Labels: Chinese hack of US leaders, g-mail hacked