Feeds:
Posts
Comments

Posts Tagged ‘cyberwar’

If you want the full financial and operational value of Cloud Computing, then you want to use a public cloud. The advantages over private clouds include:

  • Low upfront costs.
  • Clear relationship between cost and benefit with pay-for-use model.
  • Easy to try new projects, easy to make change.
  • Flexible.
  • A wide choice of Service Level Agreement choices (SLAs).
  • Easy to provide a world-wide presence.

Of course, there are some public cloud disadvantages, the most critical being security, performance and availability. At this point in time, you can easily meet most performance and availability requirements from a variety of CSPs; security is more difficult. In a public cloud environment, you do not control physical access, and you have no control over who is sharing common infrastructure including networks, server hardware, and storage systems. But there is a way to secure your data both between your facility and your public cloud CSP and within the CSP’s infrastructure: combine Unisys Stealth with Amazon Web Services (AWS).

The basic principle behind Stealth is to only allow a device to communicate with another device if they share a Community of Interest, a COI.  A COI is nothing more than a group of people and servers.  Data can be shared freely within a COI, but must not be shared with any person or server not in the COI.  In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the system that is used to authenticate a user when the user signs on.

If you are responsible for protecting your company’s proprietary information, your customers’ private information, or concerned with compliance you should at least look at Unisys Stealth. If you are responsible for a government database involving individuals’ information or classified data, you should also be looking at Unisys Stealth.

I have talked about Unisys Stealth before, Amazon Secure Storage Service (Amazon S3), and the combination in “Secure Public Cloud” back in 2013. What has changed are some significant “under the covers” enhancements to Unisys Stealth, the incorporation of Stealth into the AWS Marketplace, and additional operational facilities to enable you to easily extend your datacenter into the AWS cloud to handle expected, or unexpected, sudden increases in resource demand.

The combination protects communication between your AWS virtual servers even within the same physical server, encrypts all communication among the servers in your data center and the servers in the AWS cloud, and controls access based on roles. You control the security access policies that define who and what can communicate, allowing you to isolate applications within your environment for business or compliance reasons.

Stealth subscriptions are sold through the AWS Marketplace; you get one bill from Amazon for everything including Stealth. It is available in every AWS region. Suddenly you can open a presence anywhere quickly and inexpensively, and react to unexpected growth from anywhere.

One of the most important characteristics of Unisys Stealth and AWS is that there is no back door. Unisys, Amazon, and any network component between do not have your encryption keys. Your government cannot force Unisys or Amazon to provide access to your data; they do not have a way to break in. Even if you are OK with your government gaining access to your information at any time without providing notice to you, you should be very concerned. If your government can get in, then so can any other government, cybercriminal or cyberterrorist by using the same back door for access. Another important benefit of Stealth is that even if a cybercriminal as able to insert malware on one of your servers in the AWS cloud, that server would not be able to transmit anything back to the cybercriminals because Stealth will prevent your server from communicating to any device that is not part of a community of interest that you have defined.

The last word:

Unisys has been around since 1886, and is one of the few survivors of the initial computer revolution designing and building commercial and government computers since the 1940s, computer systems that continue to perform “bet the business” functions. Support is a key element of that environment, and no matter how big or small your company is, you still get that enterprise level support from Unisys. Sure, Unisys has the on-line self-help site with all of the technical documentation and discussion you might want, but you can always pick up the phone and talk to a real person who is knowledgeable on the product, and is probably located within one or two time zones of you.

Curious? Check it out with a Unisys AWS test drive.

Comments solicited.

Keep your sense of humor.

Walt.

Advertisements

Read Full Post »

ransomwareRansomware is like the elementary school bully who steals your lunch and won’t give it back until you give him a quarter. Except in this case, it is all or most of the files on your computer’s hard drive, and the cost to restore your data is hundreds of dollars.

The first known ransomware attack was back in 1989. Widespread ransomware attacks started in Russia in 2005. By 2012 the attacks had spread outside of Russia, especially to Europe and North America. They work by either encrypting your files or locking access to your system via a variety means, from constantly putting pornographic pictures over everything on your screen to running a fake version of Windows that won’t do anything until you pay.

There are ransomware attacks for Windows, Mac OS, iOS, and Android systems.

Payment is almost always through some form of electronic currency like Bitcoin. These virtual monetary systems are anonymous and it is very difficult for authorities to track the destination of the payments. However, some ransom notes have you call a “toll-free” number to get a key to release your files or system, except the phone number is routed through a country with very high long-distance rates, and the operator “needs” to put you on hold for several minutes before giving you the code. You could end up with a several hundred dollar item on your next phone bill.

Sometimes the pop-up on your screen looks like it came from a law enforcement agency like the FBI in the US, Scotland Yard in the UK, or your local police agency. The notification page claims the agency locked your computer because they detected illegal files on your computer: usually porn or terrorism-related material. Once you get over the official looking notification with all the correct logos and badges and can read it calmly, it looks like a scam. Often the wording is awkward, and, really, is the FBI going to ignore your alleged terrorism-related activities if you Bitcoin them a few hundred dollars?

By the end of 2013, Security expert Symantec reported 600,000 ransomware attacks a month, and expects these attacks to increase substantially in 2016 across all platforms.

If you get a ransomware notification on your business or personal computer, tablet or smart phone, do not pay the ransom. They may give you the key, or they may not. These are cybercriminals, not necessarily known for their ethics. Once the malware is loaded, they can bully you again as often as they want until you clean it off of your system. Have a five-minute rant, calm down, reload a fresh copy of the OS and then restore your files from your latest backup.

The solution, of course, is not to be attacked by ransomware. While you can never be completely protected, here are four things that you should already be doing.

  1. Practice safe clicking. Always check the link in an email or on a website that you are not positive is friendly. Check out my last post for how to do that. Most ransomware comes in through a standard malware attack.
  2. Keep your software up-to-date. Cybercriminals and cyberterrorists are always looking for new vulnerabilities, and they are very good at it. Once they find one, they pass the information on to other cyber attackers. Fortunately, the good guys are also looking for vulnerabilities and making updates to their software to close vulnerabilities as they find them. But if you do not have the latest software, you still have those vulnerabilites.
  3. Use a good security software package that is more than just anti-virus.
  4. Often. No, even more often than that. Periodically, ask yourself when you or your automated backup mechanism made your last backup. Then ask how much grief it would be to redo everything you had done since then. Macintosh Time Machine and Windows 10 File History backup changed files every hour, but only if you have an external hard drive and the option turned on.

In one recent example, Hollywood Presbyterian Medical Center paid cyber-terrorists 40 bitcoins (about $17,000) to get the key to release the hospital’s data. I call this a cyber-terrorist attack because it put every patient in the hospital at risk of death or serious injury when doctors and nurses can no longer access the patients records or get access to diagnostic information from monitoring or diagnostic equipment. Hollywood Presbyterian Medical Center is a private hospital in Los Angeles with 434 beds. The hospital CEO, Allen Stefanek, said the paying the terrorists was the “quickest and most efficient way” to regain control of their data systems. The malware attack was first noticed on February 5, and was fully functioning until 10 days later. Clearly, this hospital IT department was not prepared for any kind of a disaster. I expect they will be attacked again, probably by the same terrorists.

The FBI is investigating, but I would not expect them to catch anybody.

The last word:

Packages like Time Machine and File History are great for automatically backing up in the background while you are working, and in general meaning you never have more than one hour’s worth of work to recover. They also make recovery easy, and can give you the file as it was yesterday or last week in case you really messed it up and do throw away the last change effort.

However, they are not very effective in two cases:

  1. If you have a building failure, they are likely to also get destroyed. A building failure is a case where you cannot get back into the building, perhaps because of a fire, earthquake, biological contamination, police or military action, or terrorist act.
  2. Some ransomware not only makes the files on your computer’s hard drive inaccessible, but will also destroy or encrypt the files on any attached hard drives, like your Time Machine or File History drive.

If you are paranoid, like me, you should also have an offsite backup. It is now fairly easy and inexpensive to do this with packages like Microsoft OneDrive, Apple iCloud, Carbonite, and a host of others.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

linkIn my last post I urged you to be careful when you click on a link in an email, in a blog or on a website. If there is anything strange or unusual about the website, blog post, or email, then either simply say “no” and move on, or carefully inspect the link. In case you are not sure of the danger I am worried about, I am repeating part of an earlier post.

I received an email indicating we had added a new payer to our E-Z Financial bank account. (Yep, it had a real bank name you would recognize, but that bank had nothing to do with this so I won’t mention it and use “E-Z Financial” instead.) The payer name was clearly a name we did not recognize, and it requested we click on a link if we had not done this. My wife was suspicious for several reasons, primarily because she didn’t know we had an E-Z Financial bank account.

A quick inspection of the email seemed to say this was a real email from E-Z Financial; the link back started out as http://online.EZFinancial.com, which certainly looks valid. We do not have an account with them. But that was not what triggered my concern, since someone could have opened an E-Z Financial account in my name, probably not to give me money. I went to the bank’s web site and sure enough on their security alert page was an example of this email. What was wrong with the link was a period instead of a forward slash after the EZFinancial.com. The link was actually

http://online.EZFinancial.com.73716221993037644.
kb5.is-an-account.com/po/index2.php?billerid=702255558758&
cancelaction=505875555933249&r=417206213755550114683771584

Please do not try this link in your browser. I have modified it some, but possibly not enough to make the scam fail.

URL, the “easy to read” address of a web site or page, can be quite long and complex, but is actually fairly simple to take apart. For example, if you go to Amazon’s web site and click on “Today’s Deals” you end up at

http://www.amazon.com/gp/goldbox/ref=cs_top_nav_gb27

Scan after any leading “http://” to the first forward slash “/”. Then scan back past the previous period and then back to the beginning or next period to get the domain name. In this case the domain name is “amazon.com.” That is the web site. Everything after that first slash just means a particular page perhaps with parameters on the web site (“gp/goldbox” is a particular page on amazon.com, and “ref=cs_top_nav_gb27” is a parameter passed to that page).

linkex

On the scam link, the domain name is not “EZFinancial.com” but “is-an-account.com”. The stuff before that is called a subdomain, but is owned by “is-an-account.com,” not “EZFinancial.com.”   I tend to be suspicious of strange domain names.

linkex2

When you go to a web page, it is a good thing to look up in the URL window at the top of your browser and see where it really is. Some browsers, like FireFox, actually highlight the domain name for you just for this reason. If it isn’t what you think it should be, close the browser window, make sure your virus check software is up to date and do a full scan of your system.

The last word:

Always practice safe clicking.

Pass the word to your children and your employees.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

VoteIn addition to being a huge source of interest, amusement, annoying commercials, robo-calls, and anguish to all of us in the US, the 2016 election cycle is likely to drive cybercriminal and hacktivist activity. The Forcepoint 2016 Cybersecurity Predictions Report describes some interesting possibilities.

As an individual, expect to be targeted. By the 2012 election cycle, social media was an important method of getting a candidate’s message out, gauging voter interest, collecting donations, and promoting engagement hopefully leading to a vote. For some candidates, social media is at least as important as the traditional new media. Attackers will use the intense interest in this election cycle to create highly effective email lures and misdirects to push malware to the unsuspecting public.

Some of these attacks will be advanced cyber attacks against specific organizations unrelated to the election, potentially including your company. The cybercriminals will target individuals pursuing election-related information, with the expectation that the cybercriminals can gain access to personal or company information for financial gain or negative business impact unrelated to the election.

The candidates themselves, as well as the news media, will become vulnerable to attacks on their social media sites. These attacks may be by opponents, foreign governments, or hacktivists with a specific political agenda. Expect to see these attacks used to spread inaccurate messages and information. Even if a candidate can quickly correct the information, the false information lives forever and may impact the outcome of an election. In the US political circus, the message is critical.

These attacks on a candidate’s social media could also impact the data the candidate is collecting on probable voters and donations. Corrupting that data could have a huge negative impact on a candidate’s ability to run or fund a campaign.

InfoSec Institute published “Which Top 5 Presidential Candidate is Most Likely to Be Hacked?” back in October, 2015. The only candidate with an “A” rating was Ben Carson (remember him?), largely because he outsources donation and volunteer services and does not have an on-line store; he has a very small attack server. Hillary Clinton and Donald Trump got a “B,” Bernie Sanders and Jeb Bush got a “C.” Several of these candidates are using unsecured or only partially secured WordPress sites that may leak internal usernames and other information, making them relatively easy targets. While she did get a “B,” Hillary has the largest attack surface based on a quickly built custom application. Her development team’s motto is “ship early and often; done is always better than perfect.” Security may not be high on the team’s priority list, and security testing is likely to be a low priority task.

As the Forcepoint report points out, “Technology decisions made by candidates during their tenure can expose them to data theft attacks (as seen by Clinton’s use of a private email server).” It is also likely true that technology decision made during a campaign may give a hint as to how that candidate will behave relative to data security when elected. If you see a candidate reacting to incorrect information on their web site or social media, then expect that their concern about data security is very low. Put that on your scorecard as one factor as you decide how you will vote.

It will not be just the candidates’ web sites and social media sites, but also those of the hundreds of issue-related websites that represent PACs and other special interest groups.

The bottom line is that you need to be very careful. Before you click on a link in an email or on a website, carefully look at it. Even if you know the sender of an email, if all it says is something like “check this out” or some other short message, be careful: the email may only appear to be from a friend or co-worker. The safest way is to copy the link (right-click on the link and select “Copy Link Location”) and then paste that into your browser’s URL line and make sure you recognize the web site.

The last word:

SEAIf you think it unlikely that a foreign government would attack a candidate, consider the Syrian Electronic Army (SEA), a group of attackers supporting Syrian President Bashar al-Assad. Beginning in 2011, the SEA targeted political opposition groups within Syria, western news organizations (including the BBC, Associated Press, and The Washington Post) and human rights groups. The SEA has managed to send false tweets from Twitter accounts for 60 Minutes, Reuters, Associated Press, ITV News London, and many others. It has defaced the web sites of Forbes, NBC, CBC News, and hundreds of other sites including the National Hockey League.

Of course, the SEA is only one potential government sponsored hacktivist organization, and in my view, not the most dangerous by far. There is a reason why the US and China agreed to a pact to not use cyberattacks to steal company records for financial gain. Of course, China does not admit to ever having done anything like that. A careful reading of the pact indicates that the pact does not bar cyberattacks for other reasons such as political.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

If your IT security folk tell you they need to strengthen your network perimeter, they are probably right. If they tell you that is all they need to do, they are probably wrong. Far too many companies are being hacked because someone stole valid credentials from an employee or a partner’s employee. As I mentioned earlier, in 2011 Lockheed Martin suffered a serious data breach of confidential defense and proprietary information because Chinese government hackers were able to steal credentials from an employee of a partner’s parent company.

Your own employees and contractors are also a security risk. After all, you have given many of them access to your sensitive information, including information protected by laws and regulations. As you move more to the Cloud and BYOD (bring your own devices), you have wittingly or unwittingly opened your network to devices and locations you cannot monitor nor control. Either by intent (e.g., Edward Snowden) or by accident, these employees or contracts could suddenly expose your information.

You can’t tell whether the credentials are used by the person you gave them to, or are being used by someone who has stolen them. In any case, if they are doing something strange, you better find out about it quickly.

The bottom line: securing content with access controls alone is not sufficient in the current threat environment.

Microsoft SharePoint is a web application platform in the Microsoft Office suite that combines content management, document management, business intelligence, workflow management and an enterprise application store across local, wide-area, and Internet-based networks. SharePoint is used by many mid-sized companies and large departments within larger companies. As of 2013, 80% of Fortune 500 companies use it, and Microsoft was adding 20,000 users every day.

If you use SharePoint either in the Cloud or just within your own datacenter, you should look at Metalogix ControlPoint. Announced on November 2, 2015, ControlPoint 7.0 adds real-time situational awareness into suspicious SharePoint user activity. ControlPoint 7.0 introduces a learning detection engine that analyzes user behavior for suspicious activity, and automatically takes action when it finds suspicious activity patterns.

Consider an employee who works primarily from the office and sometimes from home largely during normal business hours, and who looks at about a dozen sensitive documents on an average day. You might like to know if it appears like that employee is downloading hundreds of documents at 2:30 in the morning from what looks like a Chinese IP address. Actually, any of the attributes of that access are suspicious. This is the kind of activity that ControlPoint 7.0 is looking for.

ControlPoint 7.0 features and benefits:

  • Mitigates the risk of data loss due to unauthorized access to content, whether by an employee, contractor, or through the use of stolen credentials.
  • Provides audit trails of content access.
  • Provides details of content growth and user activity.
  • Provide automation of governance policies.
  • Minimizes security breaches.
  • Meets compliance requirements for access control.
  • Anticipates future IT needs for growth.
  • Eliminates human error with policy driven security across SharePoint farms.

Right out of the box, ControlPoint 7.0 will provide significant security benefits. It will take it probably two or three months to learn the behavior of your users; the sooner you start the lower your risk.

Metalogix is a Washington DC-based software company founded in 2001. Metalogix provides a unified platform to manage the entire lifecycle of SharePoint users and their collaboration content centered around optimization, security and management. In 2013, it acquired Axceler’s SharePoint business including ControlPoint for SharePoint. MetaLogix continues to put significant resources into enhancing and supporting ControlPoint; ControlPoint 7.0 follows the release of 6.0 just seven months earlier.

The last word:

The Cloud has moved on to the hybrid cloud. Get the latest insights on how to use it from top leaders (like me) in the industry.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

Cybersecurity experts will tell you there are two kinds of organizations: those that have been hit by cybercriminals, and those who do not know they have been hit. This is not a joke. Cyberattacks will continue to grow in volume and sophistication. Anyone or anything that is connected to the Internet is vulnerable. When your customers’ data is compromised, you are responsible. If your physical building is compromised or your IT infrastructure is destroyed, your company may be out of business. No masked man on a white horse nor the Seventh Calvary will come riding over the ridge to save you.

Why can’t the government do something about this? One would expect that the natural reaction of governments to national security, financial and privacy attacks would be to militarize cyberspace and police the Internet with centralized bureaucracies and secret agencies to protect us and themselves.

That won’t work, and we unfortunately have an example of this: the War on Terror. The United States government vowed in 2001 to destroy the responsible terrorist organization, long before it had a clue what the enemy really was. Other powerful nations have joined the fight. Where are we after more than a dozen years? We have proven that the most powerful military force in the world can clear out terrorists from a specific physical area at unreasonable cost in dollars and lives, only to have the terrorists return as soon as the US forces leave. But they cannot stop an attack in Europe, the Middle East, or the US.

The bottom line: governments have demonstrated that they cannot win the War on Terror. They cannot even define “winning.”

If the US, or UN, tried to apply the same logic to the Internet, they would of necessity fail, but as Keren Elazari’s TED talk and Scientific American article demonstrate, just trying could actually make things worse.

One of the problems with the War on Terror is that there is no single entity that controls “the other side.” There is no geographic definition of a “front line.” The terrorist organizations keep morphing, recombining and dividing, with new ones appearing in the news with disturbing frequency.

Wait, that sounds like the Internet. The Internet is not like a public highway, or even international waters or a wilderness area. It is not even a collection of territories that governments could control, or even locate. Most of the physical components of the Internet are owned and operated by hundreds of multinational for-profit companies. The number of components is growing at an incredible rate. Cisco systems forecasts that by 2020 over 50,000,000,000 devices will be connected to the Internet. Every one of those devices is a target, and many of these are part of industry, military, and utility operations. The more devices that are interconnected, the more ways there are to gain access. For example, in 2011 an employee at RSA’s parent company EMC opened an innocuous-looking Excel file in an email. The resulting malware compromised RSA systems, enabling hackers to steal Lockheed Martin’s security tokens, thus giving access to the defense contract’s data including highly sensitive product information. The hackers were part of the Chinese government. RSA has been in the encryption business since 1982, and was acquired by EMC Corporation in 2006. Since 1979, EMC has been a global leader in IT and business transformation. Both of these companies take security very seriously, yet still had a serious breach that impacted one of their customers and sensitive national security data.

Which brings up another reason why governments can’t fix the problem: they are conflicted on whether they should. Organizations like the Department of Homeland security have a real interest in protecting US companies and individuals from cyber attacks. That part of the government recognizes the serious national threat a successful attack against the electric grid or the financial infrastructure could be more disastrous than Pearl Harbor and the 9/11 attacks combined. No one on the attacking side even needs to be in he US.

However, other components of the US government, like the National Security Administration and certain other defense organizations, have a vested interest in using the Internet as a weapon, and invest millions of dollars in finding, managing, and perhaps creating flaws that they could use. Remember Stuxnnet, a deliberate and successful physical attack against Iran’s nuclear weapon program done entirely with malware? That was a government attack, probably with US assistance if not direction. Governments, including the US government, participate in the worldwide hacker market, buying and selling information about security flaws. Edward Snowden believes the NSA spends more money on offensive cyber research than on defensive cyber research.

To further complicate the problem, new vulnerabilities are introduced every day. Intense market pressures push technology companies to produce new products and new features at an increasing rate. As these products become more intertwined and interdependent, the probability of introducing flaws increases. “Time to market” pressures reduce the testing that companies feel they can afford to do. As one company executive told me, “that’s what beta testers are for.”

Cybersecurity is like public health. The Centers for Disease Control and Prevention have a very important role to play, but they cannot stop the spread the disease by themselves.

Who can help? According to Ms. Elazari, hackers can help and have been helping. Back in 1995, Netscape Communications created a bug bounty program. It paid independent researches to report security vulnerabilities. If you are trying to remember why “Netscape” sounds familiar, it was the name of the web browser introduced in 1994 that was giving Microsoft’s Internet Explorer a real run for market share.

Largely spurred by significant leaks like those of Edward Snowden, the technology industry and the hacking community are actively working together. Hundreds of companies now have similar bug bounty programs, and are finding it to be a cost-effective way to reduce security vulnerabilities. In addition, private and public communities of security professionals now share information about malware, threats and vulnerabilities. The goal is to create a distributed immune system for the Internet.

What should you do?

  • Expect things to get worse over the next few years, with more targeted attacks, more breaches, and attacks that do physical damage initiated by other governments or terrorist groups.
  • Demand that companies make the software and hardware products your company depends on more secure. Yes, hardware products, too. There is more processing power in the average new car then in a multi-million dollar computer 20 years ago. As recently demonstrated, most if not all of these systems are vulnerable to cyber attack with the possibility of injury or death to the vehicle occupants and others nearby. I suspect a cyberterrorist attack that took over 100 cars scattered on LA freeways in rush hour would be interesting.
  • Demand that the penalties for failing to report a data breach involving personal or proprietary data are increased substantially, with jail time for executives who fail to consistently use best practices to secure that data.
  • Protect yourself and your company. Wash your hands and get vaccinated. If you don’t take care of yourself, you cannot expect anyone else to be able to help.

The last word:

My wife and I met Jim Murray and his wife on a dance floor in Valparaiso, Chile, in 2008. Since then we have managed to get together on a dance floor somewhere about once a year. Jim Murray writes a blog about the intersection of murder and medicine, which I have referenced before. He has just published Lethal Medicine, a thrilling tale of international intrigue, murder and deceit. The hero, Jon Masters, is a well-established pharmacist in San Antonio with a growing statewide company that provides medicinal injection services for people in their homes as they recover from illness or injury, or are under hospice care. When he discovers that the investigational drug study he is managing is a cleverly disguised scam, he finds himself in trouble with both local and federal authorities. One step ahead of the law, he races to Mexico and China to uncover the international conspiracy that threatens to destroy his business, his reputation, and his life.

Early on, Jim told us a scary story about one rainy night when he worked as the midnight shift pharmacist in a mid-city pharmacy. That story is now a short story “Cuffed” which is available in a collection of short stories Unforeseeable Consequences. The collection includes another story by Jim and a story Jim edited from each of five other authors.

I recommend both books, and they are available in Kindle editions on Amazon at the links with each book title above.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

While the US government has never been very good at protecting our personal information against cyber attacks, the Obama Administration has set records for incompetence in the area of data security. The current score: F.

Here are just some of the breaches that have occurred under the current administration. I am sure I have missed some.

  • Individual rogue employees and contractors, including Edward Snowden, have made public information on more than 2.4 million government personnel available to the media.
  • Tricare, the US military health program, had 4.9 million records stolen from unencrypted backup tapes (Sept. 2011).
  • Stratfor, a global intelligence firm serving the US Government, had 860,000 records stolen by the hacktivist group AntiSec (Oct. 2011).
  • The US Navy Criminal Investigative Service had a breach involving 220,000 military personnel from the database that managers transfers of service members for all branches of the US military (June 2012).
  • The National Oceanic and Atmospheric Administration (NOAA) had a data breach in 2013 that they have not investigated because the data was stolen through a contractor’s personal computer. As of a July 2014 report, NOAA does not know what data was stolen and whether it involves any personal information.
  • The Department of Energy had 104,000 records from their Employee Data Repository database (July 2013).
  • USIS, a company that conducts background checks for the Department of Homeland Security, reported a cyber-attack that impacted 25,000 people (Aug 2014).
  • The U.S. Postal Service had a breach involving the loss of names, Social Security numbers, and addresses that impacted more than 800,000 personnel (Nov. 2014).
  • The State Department has shut down its unclassified email system (Mar. 2015) because of a cyber-attack linked to a breach at the White House (Oct. 2014). This on top of the illegal actions of Hilary Clinton and her staff while she was Secretary of State and after she resigned.
  • The Internal Revenue Service had a data breach that involved the detailed tax-return information on 104,000 taxpayers (May 2015).
  • The Office of Personnel Management, which keeps track of every US government employee and contractors, has had two breaches since July 2014 involving at least 21.5 million individuals. Also potentially impacted are job applicants for federal jobs. Because this database was used for background checks for individuals, spouses and co-habitants, immediate family, close contacts and references could also be impacted. If you may be impacted by this OPM data breach, there is more information here.

Many of these attacks appear to be “practice” attacks. Cybercriminals started by seeing what they could attack and what data they could access. It was only after their success at that stage did they advance to turning a profit from these activities. It did not take them very long to go from “well, that worked” to full-scale general attacks and, more recently, to more focused attacks.

But the larger concern is that stealing the data may not be the real objective. The access to our government’s sensitive data that our enemies have demonstrated with these attacks also gives our attackers the ability to change or remove the data. Image the impact of an attacker deleting around 100 million individual and company records from the IRS databases. Such an attack would be quickly identified, but the fix would not be quick. Even worse would be the impact of making random changes to the data, for example changing filing dates or the amount of tax paid. Those changes would be exceedingly difficult to identify and correct. Image the damage such unauthorized changes could make to FBI, Department of Defense, or other security-dependent databases.

These attacks are not isolated and unusual events. Many of them appear to be organized attacks by other governments, especially China. As such they are acts of war. Our current administration has demonstrated a complete lack of concern and ignorance of the implications of these attacks. President Obama consistently appoints people to high positions who are either totally ignorant of data security or do not care about the welfare of the citizens of the United States, or both. OPM was not monitoring the security of their networks and data and were not encrypting data as required by federal regulations. These people, like Katherine Archuleta, the formal director of the Office of Personnel Management, should not be allowed to simply resign and seek another government job. They should be immediately fired and lose all government pensions, medical coverage, termination bonuses or any other government benefit. In some cases, and Ms. Archuleta is one such case, these so-called leaders should be tried for violating federal data security laws and fined or jailed as specified by those laws if convicted. It is past time for Congress to act to make the punishment fit the crimes these “leaders” commit.

The last word:

What do you do if you believe your personal data has been stolen or, worse modified? You are pretty much on your own. Unlike companies, government organizations do not have to provide any support or even notify you that your data has been compromised. OPM has stated they have notified impacted individuals, and you can request a suite of services including free credit reports. As always, you should be checking all of your financial accounts frequently, more often than once a month since in some cases you only have 30 days to report a problem. Consider using one of the “identity theft prevention” services. I use LifeLock Ultimate Plus, which monitors financial accounts. I get notification of a financial transaction that meets criterion I specify within 48 hours.

At the first hint of a problem, notify the government organization involved. If you do that online or over the phone, make sure you get a “claim number” so you can prove that you did notify them. If you do not get quick resolution, consult your financial advisor or lawyer and notify your Congressional representatives.

Comments solicited.

Keep your sense of humor.

Walt.

Read Full Post »

« Newer Posts - Older Posts »