Targeted Attacks Focus On Economic Cyberterrorism 73
Orome1 writes "When it comes to dangerous Web threats, the only constant is change and gone are the days of predictable attack vectors. Instead, modern blended threats such as Aurora, Stuxnet, and Zeus infiltrate organizations through a variety of coordinated tactics, usually a combination of two or more. Phishing, compromised websites, and social networking are carefully coordinated to steal confidential data, because in the world of cybercrime, content equals cash. And, as a new Websense report illustrates, the latest tactics have now moved to a political and nationalistic stage. Cybercriminals and their blended attacks are having a field day taking advantage of security gaps left open by legacy technologies like firewalls, anti-virus, and simple URL blockers."
"Legacy"? (Score:5, Insightful)
Cybercriminals and their blended attacks are having a field day taking advantage of security gaps left open by legacy technologies like firewalls, anti-virus, and simple URL blockers."
Calling something legacy implies that there's something better to replace those technologies with. Those technologies have not been replaced by some revolutionary new technology that does all that and holds your d--- while you piss too. And they were never intended to be a pancea -- they are intended to augment information security, not act as a substitute for it.
Re: (Score:1)
but you missed the point!
IT'S SCARY!
AND WE SHOULD GIVE SOMEONE MONEY TO FIX THE PROBLEM!
I'm sure if we get scared enough and give enough money to companies which promise to make the problem go away then we'll be fine.
if not then we just have to get scared enough and give enough money to government agencies which promise to make the problem go away.
I'd say that if security is a big issue on a given system then white-listing is vastly more secure than the blacklisting that is anti-viruses, it's a massive pain
Re:"Legacy"? (Score:5, Funny)
but you missed the point!
IT'S SCARY!
AND WE SHOULD GIVE SOMEONE MONEY TO FIX THE PROBLEM!
I'm surprised you can get internet out at your ranch, George.
Re:"Legacy"? (Score:5, Insightful)
If it's about giving someone the money to fix the problem, then all you have to do is follow the slurs to find the money.
So the terror monger here is likely to be someone who makes money through (producing or advertising) two factor authenticator, an alternate active-DNS, or an ISP selling the "we filter the internet for you" service.
And checking net-security.org's "about us:"
I think we have a winner. Why does the cynical approach have to be right so often?
Re: (Score:3, Funny)
remember, they added the word cyber, so we need new legislation!
as opposed to, you know, economic terrorism.
Re: (Score:3, Funny)
Actually, legislation might not be a bad idea. I propose that it be illegal to store passwords in plaintext (or equiv), allow passwords that John the Ripper can break, not QA code correctly, not encrypt traffic, provide identity verification that is bogus, or provide APIs that allow the protection in place to be bypassed. First-time offenders should be forced to read my posts - not because they're necessarily useful on issues of security, but because they're usually long and occasionally tedious. Repeat off
Re: (Score:2)
Repeat offenders should pay for the carpal tunnel syndrome surgery I'll eventually need because of all the writing of long and occasionally tedious posts.
Every opinion eventually reduces to a way to make the author rich. Case in point: asking for unnecessary surgeries and then pocketing it and buying an ergonomic keyboard or hiring someone in Somalia to write your posts for you.
Re: (Score:3, Insightful)
what you're talking about is more about setting standards, not legislation. There are already best practices in place for stuff like this, it's more that people don't follow them.
Re: (Score:2)
Re: (Score:2)
sure you can have both at the same time, but that doesn't mean they're in harmony or any more effective by having both go on at the same time.
How many drugs are released to the market and then later retracted by the FDA? How well is that system gamed by companies like GSK?
yeah. Laws by themselves, standards by themselves, it's all about the execution - standards and legislation together don't mean it's going to be magically more successful.
Re: (Score:2)
What do you mean "could"? The Internet Auditing Project revealed a third of Unix systems were insecure, and more recent surveys have revealed Windows boxes getting broken into within minutes of connecting to the Internet.
If the mandated security brought systems up to a minimum standard equal to an NSA-recommended install of Linux or a Trusted OS, circa 2010, with a "sunshine" clause that required the law be revised or automatically expire within, oh, 8 years, the odds are extremely high that we'd have a bul
Re: (Score:2)
Technology may improve within 2-3 years, but so what? Technology improving won't change whether a buffer overflow is bad, and won't change whether mandatory access controls are good.
Improved technology might help people QA their software, but it won't eliminate the need for QA to be applied.
Improved technology might eliminate the need for passwords, but it won't eliminate the need to ensure that password-protected systems can't be attacked by use of a rainbow table.
Improved technology might help produce sup
Re:WhiteListing (Score:2)
I'm a little fuzzy on WhiteListing - is that browser specific?
I could really see a hybrid system with "favorite sites" on a "WhiteList Browser", then when extended surfing, put a proposed link into a "BlackList Browser" to see if it's any good. Then there would be some easy way to add it to the WhiteList browser.
Most of my web usage is covered by a top-100 list, and TFA's from Slashdot or Fark, which I haven't seen come through too often with real malware.
Re: (Score:2)
I was talking about white-listing processes on systems which absolutely have to be secure.
As it stands antivirus software just blacklists virus code which is just an example of Enumerating Badness : http://www.ranum.com/security/computer_security/editorials/dumb/ [ranum.com]
Re: (Score:2)
Those technologies have not been replaced by some revolutionary new technology that does all that and holds your d--- while you piss too.
Why would I want anybody to hold the door while I piss? I want the fucking door CLOSED!
Re: (Score:2, Insightful)
Firewalls, anti-virus, and URL blockers are not legacy systems at all. They are the state of the art in security precisely because they have to protect legacy operating systems and applications, or new systems built to be backward compatible with legacy systems, which are the real "legacy" problem.
People use all sorts of old software because they have such a huge investment in systems and applications that are built on them. But that old software keeps needing to be patched. For example, there's Windows, of
Re: (Score:2)
Re: (Score:3, Interesting)
They help to make sure that even though millions of people want to live under Sharia law, I don't have to. Yet.
Re:Nations are stupid (Score:4, Interesting)
No. Nations that don't have a constitutional framework founded in liberty (freedom of speech, assembly, etc) might fit that description, but not all nations. Nations are either subject to the rule of law (as backed up by their founding documents) or they are just mob rule (or a fuedal society). A nation that doesn't prevent thugs from telling you what to do isn't keeping people free. A nation that is constititionally chartered around the idea of keeping thugs (individual or governmental) in check is, in fact, a preserver of liberty.
That doesn't mean that it always goes well, but that's the general idea. You seem to be suggesting that ALL nations are oppressive because some nations are oppressive to thugs. Denying liberty to those who seek to deny liberty to others is not oppression. It's the opposite.
Re: (Score:2)
Gee. No, I'm not saying the opposite of what I'm saying, actually.
Re: (Score:2, Insightful)
That doesn't mean that it always goes well, but that's the general idea. You seem to be suggesting that ALL nations are oppressive because some nations are oppressive to thugs. Denying liberty to those who seek to deny liberty to others is not oppression. It's the opposite.
All laws benefit one group by disadvantaging another. What you're calling liberty is just screwing over a minority to benefit a majority, and what you're calling tyranny is benefiting a minority by screwing over a majority. Both are oppressive, the difference is one group knows it and the other group posts on slashdot about how great it is to live in a "free" society.
Re: (Score:2)
Which is a terrible idea. That's how you get the tyranny of the majority. Governance must be based on principle, not consensus.
Re: (Score:2)
Re: (Score:2)
Sure, OK. And you have a problem with taking away the advantage (the consequenceless use of violence) held by criminals? You really think that a rapist or a murderer has the moral equivalence of a carpenter or a teacher, and can't see that it's rational to give non-aggressors an advantage over violent parasites?
Re: (Score:2)
Denying liberty to those who seek to deny liberty to others is not oppression. It's the opposite.
Well then there is no such thing as oppression. Or Liberty. Or something. That's a shakey ground or slippery slope that I wouldn't stand behind, it's far too black and white.
What qualifies as "denying liberty" to others? The fact that I'm using a computer right now means that I've supported computer companies that set up sweat shops in a lot of third world countries for all their goods and resources which means I've contributed to the poor state of their economy and I'm essentially keeping people in poverty
Re: (Score:2)
And you would be
Re: (Score:1, Funny)
So we should act quickly, before the people who want sharia law can get onto the internet en masse.
Re: (Score:3, Informative)
Why do we still have nation-states? What good do they serve?
Nations are an emergent phenomena. It all starts with small tribes of people that are small enough that the leaders know everybody, and then grows as the technology and institutions grow to be able to keep more people under its umbrella. Once the group of nations grow large enough, they then have the choice of either attempting to dominate one another until no others remain or cooperating. The eventual result of either of these paths would probably be one singular world government, assuming that either u
Re: (Score:1)
The internet is global. The economy is global. Politics are local. Why do we still have nation-states? What good do they serve?
Why not graduate to something more modern, like internet-based governance? [wikipedia.org]
Politics are local? Huh, that's funny. Drezner (2007) says that All Politics is Global. He even has a chapter in his book that deals with the internet. To quote from the conclusions of this chapter: "The evidence presented here suggests that both international governmental organizations and nongovernmental organizations have roles to play in global governance. At times they can act as independent agenda-setters and advocates, but they become more important when they provide services as the agents of st
Re: (Score:2)
Debatable, but they're certainly singular.
Firewalls are obsolete?! (Score:2)
Legacy technologies?!
I don't think that word [wikimedia.org] means what you think it means.
Time for IBM to work on the ZTIC successor? (Score:5, Informative)
Maybe its time to work on better out of band authentication and confirmation devices.
Take the IBM ZTIC that plugs into a USB port, and communicates encrypted from the device itself to the bank, just using the computer as a passthrough. This is what needs to be worked on, and maybe banks should start handing these out to customers. This way, even if an end user's computer is infected, their bank account couldn't be logged into without the device, and even if someone was to gain access upon logging on, all bank transfers would have to be confirmed on the ZTIC, so a quick transfer of funds would be caught and denied.
Applying this to MMOs, maybe the ZTIC device to confirm character transfers or deletion, as well as be needed to confirm logging on.
The advantage of using the ZTIC device over a cellphone for this is that the ZTIC device is simple -- it isn't a full fledged computer like a cell phone, and only does one task. Of course, exploits might be found, but the attack surface for this device is a lot smaller than a general purpose machine.
Re: (Score:2)
It still astonishes me how utterly awful the whole credit card system is in terms of security, public key crypto should have made stealing someone's credit card into a physical problem of actually stealing some kind of physical object by now rather than a simple number.
but since it's the merchants who pay the CC companies have no incentive to fix it.
Re: (Score:2)
It is because the consumer pays for it in the end anyway. For businesses, security has no ROI, so beyond the basic PCI-DSS 2.0 standard, businesses gain nothing by offering better security. Banks don't really care. The credit card makers have it factored into the fees charged merchants, so the fees go up.
Lets say some organization (so people can't say "OMG, it's backdoored by 'x' government or organization") made a generic ZTIC like key. It would have a serial number on it, and a few buttons to help aid
Re: (Score:3, Interesting)
Have a look at Cronto - it's an out-of-band authentication system, similar to ZTIC but doesn't use an electrical connection to the computer that could be impacted by a malware infection on the PC. Instead it transfers encrypted/signed transaction details via visual code to the Cronto device (or Cronto app running on a camera-enabled smartphone). There are a few other similar systems from other vendors, but Cronto is the only one I've seen with a mobile app so far.
Re: (Score:2)
The difference between Cronto and other apps that run on a phone versus a ZTIC is that the ZTIC is a very simple device and only does one function in life.
Because of this, it is a lot harder to compromise, than a targeted attack that compromised cellphones, and PCs, which makes multiple factor authentication moot.
We can look at smart cards. Yes, they have been hacked sometimes, but I have yet to hear about someone being able to pluck a key out of any recent cryptographic token without access to a chip fab.
Was This Story Summary Written By (Score:1, Insightful)
this book salesman [npr.org]? Because it has NO content.
Yours In Electrogorsk,
Kilgore Trout.
Cyberterrorism? (Score:4, Funny)
Were cyberbombs detonated on a cybertrain?
Re: (Score:1, Funny)
Were cyberbombs detonated on a cybertrain?
I'm sure you're objecting to the cliche of putting "cyber" in front of everyday words. However, these cyberterrorists are no different than the terrorists who shop lift from Walmart. Shockingly, I saw a terrorist steal a six pack of beer from Walmart last week. He slipped it past the cashier while she rang up his other groceries. The cyber prefix in cyberterrorism just means they're using computers to help steal stuff.
Fortunately, we have laws that allow us to send these terrorist (cyber or not) to Gitm
Re: (Score:2)
> I saw a terrorist steal a six pack of beer
I'll bet if the feds investigated they'd find at least one educator with links to that terrorist. That's what really shocks me - how they've infiltrated our schools.
Re: (Score:2)
I don't know. I'm waiting for the Cybermen to get back from their meeting with their Cyberleader on the issue of Cyberbombs.
Re: (Score:2)
-Cybersample cyberwitness cybertestimony ~2020.
Seri
Porn now safer than news! (Score:1)
Money for nothing and chicks for free (Score:4, Insightful)
Hey I bet Websense will sell you the solution to the problems cited in the report who wants to take a bet.
Cybercrime != Cyberterrorism (Score:5, Insightful)
I think any sensible definition of "terrorism" has to involve violence -- people in meatspace getting killed or at least hurt. I read TFA and the only connection it had to terrorism was in the headline. Skimming credit card numbers is not terrorism (though it could be used to finance terrorist activities). Spreading malware through Facebook is not terrorism (though a botnet could be used in conjunction with a terrorist attack, maybe).
I am not aware of terrorists ever having made a "cyber terror attack." Most extremist groups are looking for a bigger shock value than they can get by knocking out Google's Web server or even bringing down the electric grid in half the United States (either of which could be accomplished by a misplaced backhoe or a freak thunderstorm). Actually they would much rather blow up a school bus or something. A lone gunman can create more of a scare and get more PR for the cause than could a group of crack cyber-terrorists who managed to reproduce the U.S. blackout of 2005.
To label any and all malicious activity is disingenuous. It grabs some attention and helps you sell something in the short run, but in the long run, crying wolf is a disservice to the public and it doesn't pay off.
Re: (Score:3, Interesting)
Re: (Score:1, Insightful)
No.
Terrorism is a method. You achieve effects by creating terror among your targets.
Damage is not the same. That's an attack, but it isn't terrorism.
Re: (Score:1)
They need to relate cybercrime to terrorism so they can throw out the constitution and go after petty cybercriminals with the full power and authority granted by the PATRIOT act.. In other words, declare them a terrorist because some member of a bureaucracy determines it to be so.. No trial, judge, jury or any other petty rights a human deserves..
This is why we have auto-cutoffs for regions (Score:1)
While you can't shut down botnets in-country, you can shut down entire countries if they start launching attacks, severing their undersea cable and communications satellite connections, reducing the activation of more attacks.
Which is why we maintain the ability to pull the plug on China, who persist in using their military to launch attacks on US sites.
it's the end of the interweb as we know it (Score:2, Interesting)
Countries and organizations are going to have to realize that connecting their in-house network to "the internet" securely is HARD and sometimes the best thing to do is to have an "ip gap" or better yet an "air gap" between their in-house data and the outside world. Oh, and turn off of those USB ports or at least treat them as untrustworthy. This isn't easy either, so there is a trade-off.
Many governments already do this for their sensitive networks.
This won't stop inside jobs and it won't stop the most d
Attacks build immunity. (Score:3, Insightful)
I'd like to see a much more hostile internet to coerce better security practices. People in general won't care about such things unless and until it is forced upon them by events.
If they won't change unless someone "breaks their shit", then that needs to happen.
Sweden (Score:2)
What the hell Sweden?!? You guys are hosting 37% of the phishing sites out there. Get your act together, or I might starting thinking about issuing a verbal warning which is only 3 steps away from a written warning.
There was a movie on this (Score:1)
A great movie came out with Robert Redford, about this type of cyber crime that could virtually cause a full collapse of a nation, or country. This is not far off, get a few more stock exchange collapses in a row, and we are off to mad max land!
China or Japan? (Score:2)
The Chinese and Japanese can both do a lot of shenigans with their US treasury reserves.
1) Blanket the market and buy as many call options as you can.
2) Announce that your treasury is dumping 100% of it's US treasuries, and you will only take hard assets or Euro as payment.
3)Stock prices now soar on inflation.
4)Exercise all your call options.
5)Blanket the market and buy as many put options as you can.
6)Announce that you have decided not to sell your US treasuries after all as the bids "weren't as high as yo