<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
		xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Web Professionals &#187; Cyber Crime</title>
	<atom:link href="http://webprofessionals.org/category/cyber-crime/feed/" rel="self" type="application/rss+xml" />
	<link>http://webprofessionals.org</link>
	<description>Professional association for web designers, developers, marketers, analysts and other web professionals.</description>
	<lastBuildDate>Wed, 25 Jan 2012 15:54:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<copyright>2006-2007 </copyright>
	<managingEditor>info@joinwow.org (Web Professionals)</managingEditor>
	<webMaster>info@joinwow.org (Web Professionals)</webMaster>
	<image>
		<url>http://webprofessionals.org/wp-content/plugins/podpress/images/powered_by_podpress.jpg</url>
		<title>Web Professionals</title>
		<link>http://webprofessionals.org</link>
		<width>144</width>
		<height>144</height>
	</image>
	<itunes:subtitle></itunes:subtitle>
	<itunes:summary>Professional association for web designers, developers, marketers, analysts and other web professionals.</itunes:summary>
	<itunes:keywords></itunes:keywords>
	<itunes:category text="Society &#38; Culture" />
	<itunes:author>Web Professionals</itunes:author>
	<itunes:owner>
		<itunes:name>Web Professionals</itunes:name>
		<itunes:email>info@joinwow.org</itunes:email>
	</itunes:owner>
	<itunes:block>no</itunes:block>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://webprofessionals.org/wp-content/plugins/podpress/images/powered_by_podpress_large.jpg" />
		<item>
		<title>Stop Online Piracy Act (SOPA) and the Web Professional</title>
		<link>http://webprofessionals.org/stop-online-piracy-act-sopa-and-the-web-professional/</link>
		<comments>http://webprofessionals.org/stop-online-piracy-act-sopa-and-the-web-professional/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 17:14:35 +0000</pubDate>
		<dc:creator>Bill Cullifer</dc:creator>
				<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Web Pro News]]></category>

		<guid isPermaLink="false">http://webprofessionals.org/?p=2771</guid>
		<description><![CDATA[On January 18th tens of millions of users (and possibly more) found themselves without access to some of the internet’s most popular websites, and others found themselves witness to very public corporate protests. To help us better understand the impact on the Stop Online Piracy Act (SOPA) and what it potentially means for the practicing [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>On January 18th tens of millions of users (and possibly more) found themselves without access to some of the internet’s most popular websites, and others found themselves witness to very public corporate protests.  To help us better understand the impact of the Stop Online Piracy Act (SOPA) and what it potentially means for the practicing Web Professional, I reached out to Jeff MacGurn, VP of Earn Media and Search Engine Optimization at Covario, a San Diego, CA company, and Brent Norris, WebProfessionals.org member and Web Designer from 808Digital.com from the State of Hawaii. </p>
<p>QandA with Jeff MacGurn, VP of Earn Media and Search Engine Optimization at <a href="http://Covario.com">Covario</a></p>
<p>* Who Did the SOPA Blackout Really Affect?<br />
* Why has this just become such a visible issue within the last few days?<br />
* Why this is not just an issue for websites inside of the U.S.?<br />
* What is the Marketing impact for Web professionals?</p>
<p>QandA with Brent Norris, WebProfessionals.org member and Web Designer from <a href="http://808digital.com">808Digital.com</a></p>
<p>* What is SOPA all about from a Web professional perspective?<br />
* Who&#8217;s behind this?<br />
* Why should Web professionals care?<br />
* What&#8217;s next?<br />
* Where do we go from here?</p>
<p><strong>Transcript:</strong></p>
<p>Bill Cullifer:  On January 10th, tens of millions of users and possibly more found themselves without access to some of the most popular websites, and others found themselves witness to some very public corporate protest.  To help us better understand the impact of the Stop Online Piracy Act, SOPA, and what it potentially means for the practicing web professional, I am reaching out to Jeff MacGurn, VP of Earned Media &#038; Search Engine Optimization at Covario, a San Diego company and Brent Norris, webprofessionals.org member and designer from 808 Digital from the State of Hawaii.  Good afternoon gentlemen, thanks for agreeing to the interview.  </p>
<p>Jeff MacGurn:  Hey thanks for having me.  </p>
<p>Brent Norris:  Good afternoon, Bill and thanks for taking some time to address the subject.  </p>
<p>Bill Cullifer, WebProfessionals.org:  Jeff let’s start with you.  Now you recently posted a blog post about whom did the SOPA black out really affect, can you expand on that article?  </p>
<p>Jeff MacGurn:  Yeah, we essential, you know there’s a lot of information out there about what SOPA was, what PIPA was, and the politics going on, who is involved with protesting it, but I think a lot of people really kind of missed who is actually affected by the blackout and what type of effect it would actually have, and I think that was the whole point of the blackout that people didn’t really realize what blacking out an entire major sites on the internet or censoring major sites on the internet would have on people, and so we really wanted to take a deep dive and look at what the overall impact of this blackout was, to maybe try and give people an understanding of you know what that impact could be in the future.  </p>
<p>Bill Cullifer, WebProfessionals.org:  Some of the key findings.  </p>
<p>Jeff MacGurn:  Well some of the key findings were you know really what we wanted to look at was, number one, we started looking at the demographical distribution of each of these major websites, and we picked four of the largest sites that were blacking out, that is to say, Wikipedia, Reddit, WordPress and Craigslist.  And then we took a look at using Google Insights and some of their brand search data, to try and understand what the distribution of their user base was throughout the United States and we found some really fascinating things about exactly who was affected.  Interestingly enough, all of those sites seemed to have really be densely used on the West Coast, which maybe that wasn’t so surprising, doesn’t really surprised me the people on the West Coast tend you know, tend to use technology, there are a lot of technology jobs out on the West Coast.  The age groups that tend to be the most affected by these sites really were between 18 and 34, once again not completely surprising, and for the most part, I think most of the sites were just slightly over a bit more male skewed than female.  But our estimates really put the number of people affected in the tens of millions, but the extension you know, if you consider how many people have Facebook friends, you know the average Facebook user I think have a 150 or so friends, and with the saturation of Facebook, you might say that by extension you know, many hundreds of millions of people were affected world wide.  </p>
<p>Bill Cullifer, WebProfessionals.org:  Why do you think this is, just becomes such a visible issue within the last few days?  </p>
<p>Jeff MacGurn:  Well I think you know, that’s an interesting question, I don’t think it’s a, I think it’s only become visible if you are not really participating in social media, because this has been a really big issue from a social media perspective for the last couple of months.  I think it’s really only come into the main stream media over the past few days, because you have seen a social media grassroots movement that started to direct a lot of energy towards, or rather against the SOPA bill.  </p>
<p>Bill Cullifer, WebProfessionals.org:  Why is this not just an issue for websites inside of the US?  </p>
<p>Jeff MacGurn:  Well you know, SOPA itself covers websites outside of the US, and blocking websites outside of the US, but I think above and beyond that you know, we have a site here that, the internet is not really on a country by country basis that we are seeing a big internationalization of websites and indeed online marketing, so you know really, changing a website in one place can have huge repercussions throughout the world.  Even if you are talking about you know in English only version of a website those are still accessed you know throughout the world.  </p>
<p>Bill Cullifer, WebProfessionals.org:  We represent web professionals world wide, and I am trying to hone in on why is this important to them, and to that end I’d like to know you know, what’s the marketing impact for web professionals?  </p>
<p>Jeff MacGurn:  So you know, I think, the marketing impact for web professionals comes in, you know in a number of different ways.  First of all, I think it is a great lesson on how to understand social media trends, see what’s going on, on social media, and leverage those social media trends, not only you know, if you were against SOPA, obviously you with the business, or web marketer, may want to voice your opposition or you know, on behalf of your company.  If your company was so inclined to do so, but by the same token you may also be able to leverage this as an opportunity to gain further visibility and exposure.  If you take a look at the sites that went down, I mean one might argue that they could have potentially lost money, and you know we looked at Craigslist, and you know we found that on an average day, Craigslist posts about 33,000 jobs right, and they charge $25 a job post, which would then amount to about $825,000.  </p>
<p>Now if indeed they were unable to post those 33,000 jobs that day because their site was down, that could cost them a significant stream of revenue right, however, if you look at it from a web marketing perspective, and I am not saying that this was entirely PR [indiscernible] [00:05:46] for Craigslist, I’m sure all of the sites that participated in the black out really strongly believed that SOPA is a bad thing, but if you look at it purely from a web marketing perspective, you are actually gaining a lot of visibility from your you know, for your web site.  People would have linked in to all of these major websites that have blacked out, they were taking screenshots, mentioning them in tons of news articles, blogs, Facebook, Twitter, Reddit, StumbleUpon, all these places were abuzz with the sites that had gone down because of the simple black out, sending lots of you know, what you are talking about search engine optimization, lots of off page relevancy signals, but then of course, there’s also lot of traditional media exposure that these sites got as well, and I don’t think you could watch the news last night or the day before without hearing about Craigslist, Wikipedia, Reddit, or any media and WordPress, any of the other sites that went down.  So you know, ultimately they may have lost in streams of revenue, but I am sure they made up for that with exposure of their sites.  </p>
<p>Bill Cullifer, WebProfessionals.org:  So Brent, how about you, so you know we have an interest in educating web professionals as to what these issues are all about, and why they should pay attention, and why it’s important and how it can impact them, so with that said, you know give us some background, what is this all about?  </p>
<p>Brent Norris:  Well I guess first and foremost, it’s supposed to be about copyright protection, it seems to be a little bit more about fear, the Motion Picture Association has concerned it, as it is the recording industry of America that their profits will continue to decline, and their business model will suffer, unless they can get hold of the bits and bytes that are really distributing their movies, and their music without their control and so, the Stop Online Piracy Act was something that was intended along with PIPA, to really get control of that, at the internet’s foundation at the IT level.  Now that’s what everyone is reading, and that seems to be what a lot of folks are thinking about, SOPA and PIPA, but the truth is the Motion Picture Association hired Senator Chris Dodd, well two months I guess after he left the Senate to become their Chairperson and they started really gaining the system, they worked to put the US Attorney General, Eric Holder in charge of the internet in unprecedented ways, so much so in fact, what we are learning is that the same time this was making headline news, the FBI was in eight different countries shutting down different websites and organization businesses that were engaged in file sharing, so it’s not like we really needed these two additional bills, when the Federal Government can go into other countries and shut websites down, and take people to jail, it’s an indication that we don’t need new legislation that the legislation we have is working, and in fact all of these things are covered under the Digital Millennium Copyright Act, and two additional acts that are in Congress right now are up for discussion.  </p>
<p>So there is a lot of background information that a lot of folks aren’t getting, and this could be you know, in part due to the fact that lot of people get their news from television, and television does show a lot of motion pictures, and television’s biggest competitor is the internet.  So there is a lot that I guess, and I think that right now we are just seeing the very, very beginning of this story, I think this is going to get much larger as, maybe as lines are drawn between some of the players, and you know, one could say that all of this is about the transparency that digital brings to people’s lives.  This is really a much bigger issue than web professional jobs, in my opinion, although it can affect jobs in very profound ways, and we are starting to run with this art.</p>
<p>Bill Cullifer, WebProfessionals.org:  Yeah let’s dwell into that for a minute, so you know why is this issue important to web professionals?  </p>
<p>Brent Norris:  Well if you just take a web designer for example, we know that about 50% of Adobe Photoshop users are using illegal copies of the software, and as these users sometimes, first time users, start to use this professional tool, as they become professionals, get clients, pay for the software, then they find that their valuable work is stolen from them, and they find that they are not getting compensation, and their rights are taken away, so copyright law is very complex, and if it were broken, I am not sure that we will call the government to fix it, and I think that we would probably try and adapt our business models differently to try and address the issue.  So for the common web professional we don’t want our material, we don’t want our content stolen without our permission, and used without compensation.  </p>
<p>Bill Cullifer, WebProfessionals.org:  Well thanks Brent for that so, you know, where do we go from here?  </p>
<p>Brent Norris:  Well I think that web professionals should care about these issues for several reasons, and one of course, like Mark Zuckerberg said the other day, is the world needs political leaders who are pro-internet.  It’s not enough to elect local, state and federal officials and leaders that are just in support of the internet, or in support of copyright laws so on and so forth, we need people that really are taking the time to understand the issues.  I think that we need to do what Finland is doing, which is basically ensure that our laws are written in such a way that uphold internet access is a basic human right first and foremost, so that we can access the information.  </p>
<p>Then I think it’s, it’s important to understand how SOPA and PIPA could affect opportunities in jobs and education.  Now we know that any time we fight for innovation, we are going to have set backs, not because we can’t recover from the set backs, but because the internet doesn’t stop moving.  We have got all sorts of competitors in the internet space; I was reading a report from IBM that ranks in the United States 3rd in terms of digital economy, so it is important to put all of this in context of the competition that’s out there and the rules and laws that they are abiding by, so if government is going to play a role, in my opinion I think the role that they should play is that of a more agile government that is working with the Department of Education to develop web standards that allow us as a country to develop a workforce instead of always looking for these other countries that have developed the workforce to help us build the internet, and I think that’s probably a primary role and I am sure that web professionals agrees that we can do a lot in that area to make it better.  </p>
<p>Bill Cullifer, WebProfessionals.org:  So what do you think web professionals or the community at large do to support this effort?  </p>
<p>Brent Norris:  Well I think most of the action is happening at the federal level, so we need a top-down approach, we need to make sure that while we sleep, [indiscernible] [00:13:14] restrict our access or shut down large networks that we use to do our jobs, but we need a strong bottom-up approach.  In other words we have to work in our local community, I took a quick poll, I skidded around a lot of counties around the United States, which we have thousands of counties in the US., and in my particular county as an example, they were reporting the news on the various websites, there are about 10, 20 websites, but nothing was being reported on these two issues, and the reason that’s important is in the past, our national issues didn’t necessarily get a lot of coverage at the local level, but these aren’t just national issues, these are county issues, as well, these are community issues.  </p>
<p>When you are not able to do your job as a web professional, in your home, it’s an issue in your home, so my point in all of this is we need to work with our county constitution, and we need to amend those constitutions so that they have open and transparent government amendments to them, to assure that everyone is going to have access and everyone is going to be able to have access to uncensored information.  So it is important to work on the amendments to our local county constitutions, and to elect local officials that get it, that are pro-internet, and that are able to make decisions, and come out and talk about these issues as they come up.  </p>
<p>So I think that that is super important and I think it is really critical that we all raise our awareness, our honest issues, because again it’s much larger than SOPA and PIPA, these are, some people call them, calling it the beginning of the Internet Freedom War, and so only time will tell but I should appreciate your asking the right questions Bill, and getting involved in the issues.  </p>
<p>Bill Cullifer, WebProfessionals.org:  Norris from 808digital.com and Jeff MacGurn from Covario, thank you so much for your time today.  </p>
<p>Brent Norris:  Thank you so much Bill, sorry if I sounded a little too far enough, but this one strikes close to home.  </p>
<p>Jeff MacGurn:  All right, thank you very much.  </p>
]]></content:encoded>
			<wfw:commentRss>http://webprofessionals.org/stop-online-piracy-act-sopa-and-the-web-professional/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Trusted Identity in Cyberspace</title>
		<link>http://webprofessionals.org/trusted-identity-in-cyberspace/</link>
		<comments>http://webprofessionals.org/trusted-identity-in-cyberspace/#comments</comments>
		<pubDate>Thu, 05 May 2011 17:49:17 +0000</pubDate>
		<dc:creator>Bill Cullifer</dc:creator>
				<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Web Pro Minute Podcasts]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://webprofessionals.org/?p=2174</guid>
		<description><![CDATA[A Look at White House&#8217;s National Strategy for Trusted Identities in Cyberspace The need to improve the current state of online identity has been hailed at the highest levels of the U.S. government. &#8220;By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new [...]]]></description>
			<content:encoded><![CDATA[<p></p><h2>A Look at White House&#8217;s National Strategy for Trusted Identities in Cyberspace</h2>
<p>The need to improve the current state of online identity has been hailed at the highest levels of the U.S. government. </p>
<p>&#8220;By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation,&#8221; President Obama said in a statement on the launch of the National Strategy for Trusted Identities in Cyberspace. This podcast covers the topic from the point of view of the U.S. Chamber of Commerce.</p>
<p>The NSTIC proposes the creation of an &#8220;identity ecosystem&#8221; online, &#8220;where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.&#8221; The strategy puts government in the role of a convener, verifying and certifying identity providers in a trust framework.</p>
<p>First steps toward this model, in the context of citizen-to-government authentication, came in 2010 with the launch of the Open Identity Exchange (OIX) and a pilot at the National Institute of Health of a trust framework — but there&#8217;s a very long road ahead for this larger initiative. </p>
<p>Why is this important? </p>
<p>* 10 Trillion Dollars of Online Transactions<br />
* Could ensure the growth of the Web<br />
* Could ensure the success of the Web profession<br />
* Could ensure private sector involvement<br />
* Cyber crime cost consumers 37 billion dollars a year<br />
* Could serve as an identity protection program for consumers   </p>
<p>The final version of NSTIC is a framework that lays out a vision for an identity ecosystem. Video of the launch of the NSTIC at the Commerce Department is embedded below:</p>
<p><iframe width="425" height="349" src="http://www.youtube.com/embed/32P-IEmBfEA" frameborder="0" allowfullscreen></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://webprofessionals.org/trusted-identity-in-cyberspace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is the Web Becoming Less Secure?</title>
		<link>http://webprofessionals.org/is-the-web-becoming-less-secure/</link>
		<comments>http://webprofessionals.org/is-the-web-becoming-less-secure/#comments</comments>
		<pubDate>Thu, 16 Dec 2010 14:52:39 +0000</pubDate>
		<dc:creator>Bill Cullifer</dc:creator>
				<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Web Pro News]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://webprofessionals.org/?p=2016</guid>
		<description><![CDATA[Is the Web Becoming Less Secure? A PBS Analysis In the wake of the Gawker Media hacking over the weekend, Jeffrey Brown gets a wider perspective about the vulnerability of online information and the danger of further cyberattacks from James Lewis of the Center for Strategic and International Studies and Larry Clinton of the Internet [...]]]></description>
			<content:encoded><![CDATA[<p></p><h2>Is the Web Becoming Less Secure? A PBS Analysis</h2>
<p>In the wake of the Gawker Media hacking over the weekend, <a href="http://webprofessionals.org/is-the-web-becoming-less-secure/">Jeffrey Brown gets a wider perspective</a> about the vulnerability of online information and the danger of further cyberattacks from James Lewis of the Center for Strategic and International Studies and Larry Clinton of the Internet Security Alliance.</p>
<p>Transcript</p>
<p>JEFFREY BROWN: Now some wider perspective on all this from two who follow the online world closely.</p>
<p>James Lewis is director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies here in Washington. And Larry Clinton is president and CEO of the Internet Security Alliance, an industry trade group that represents companies and organizations focusing on Internet security.</p>
<p>Welcome to both you.</p>
<p>Jim Lewis, how &#8212; we listen to this. Now, broaden it out. How vulnerable is the system and where do you see the main problems?</p>
<p>JAMES LEWIS, Center for Strategic and International Studies: The main problem is that we&#8217;re using 1970s technology, or, at best, 1990s technology, and it just isn&#8217;t appropriate anymore for a global infrastructure.</p>
<p>And there are some things, like this Gawker website, that we&#8217;re just never going to be able to fix. Passwords are very difficult to make secure, maybe impossible. So if you&#8217;re depending on a password, chances are you&#8217;re going to be in trouble. And I know that might frighten people, but that&#8217;s the reality.</p>
<p>JEFFREY BROWN: Reason for being frightened? What do you see?</p>
<p>LARRY CLINTON, president &#038; CEO, Internet Security Alliance: Well, there is reason for being frightened.</p>
<p>We have an insecure system that was designed to be open, not to be secure. And we&#8217;re expanding that system with all sorts of new devices, handheld devices, smartphones, et cetera. So, the system is becoming generally less secure.</p>
<p>JEFFREY BROWN: It&#8217;s interesting, because a lot of this isn&#8217;t about high technology. This is human nature, right? People want to simplify their lives, so we use the same password.</p>
<p>LARRY CLINTON: Well, that&#8217;s right. I mean, the problem really&#8230;</p>
<p>JEFFREY BROWN: They even use the password for password.</p>
<p>LARRY CLINTON: Exactly, or 12346, the most common password.</p>
<p>(LAUGHTER)</p>
<p>JEFFREY BROWN: Yes.</p>
<p>LARRY CLINTON: The problem isn&#8217;t that we couldn&#8217;t build secure systems. The problem is really more that we won&#8217;t buy secure systems. We want easy and we want cheap.</p>
<p>And we&#8217;re going to have to begin to look at cyber-security as much more than just a technological issue. It&#8217;s a strategic and economic issue. And we&#8217;re going to have to take a full-scale look at all these things in an integrated fashion.</p>
<p>JEFFREY BROWN: Well, give us a little sort of news that viewers can use here. I mean, what should consumers, what should they do? Especially, here we are in the holiday season, and a lot of people are online shopping, for example.</p>
<p>JAMES LEWIS: Yes. And if you pay a little attention to your password, you can make it harder, and you&#8217;re going to knock out the lower-end hackers, which is mainly what we have seen in a lot of these WikiLeaks and Gawker things. You know, don&#8217;t use your pet&#8217;s name.</p>
<p>If you have personal information on Facebook or a social networking site, don&#8217;t use that as your password.</p>
<p>And a lot of people do that. And, finally, the default password on all equipment when you buy it is password. Change the default.</p>
<p>JEFFREY BROWN: What would you add to that for&#8230;</p>
<p>LARRY CLINTON: Well, that&#8217;s all good advice. And it does begin to scratch the surface of the problem.</p>
<p>But we need to get much deeper with the problem. Enterprises need to be much more involved in overall cyber-security. One of the least publicized facts in this field is that we know tons about how to secure these systems.</p>
<p>JEFFREY BROWN: We do?</p>
<p>LARRY CLINTON: We do.</p>
<p>JEFFREY BROWN: What do we know, for example?</p>
<p>LARRY CLINTON: Well, enterprises need to have a risk management plan. Most don&#8217;t. They need to have somebody in charge of the plan. Most don&#8217;t. We need to be beginning to fund the investment in cyber-security equal to the upside that we do invest.</p>
<p>Most businesses are happy to invest in online marketing and all the advantages for cyber-security. They are not investing in the cyber-security defensive structures that they need to be putting in place, many of which are highly effective. There are standards, practices, technologies that could protect many of these sites. They&#8217;re simply not investing in them.</p>
<p>JEFFREY BROWN: Is that correct, in your experience, that they don&#8217;t want to invest, even after we see something with Gawker? And we see it &#8212; of course, that&#8217;s just the tip of the iceberg, right?</p>
<p>JAMES LEWIS: Yes, it&#8217;s a question of investment. It&#8217;s a question of practices. And it is, to some extent, a question of technology.</p>
<p>To some extent, this technology is just not securable. And so there&#8217;s always going to be an element of risk. One of the things that&#8217;s nice about these denial of service attacks is it&#8230;</p>
<p>JEFFREY BROWN: Explain. Explain what that is.</p>
<p>JAMES LEWIS: Denial of services, as we heard, people launching hundreds or thousands, tens of thousands of messages at a company, to the point where their computer on the receiving end is overloaded and crashes.</p>
<p>That&#8217;s right.</p>
<p>And that&#8217;s an avoidable problem. That&#8217;s a problem that people have figured out how to beat. So when you see somebody falling prey to denial of service attack, it means they haven&#8217;t been paying any attention for the last five or six years.</p>
<p>JEFFREY BROWN: But so what do you tell &#8212; let&#8217;s focus on companies for a moment. We talked about individuals. What should companies be doing, do you think?</p>
<p>JAMES LEWIS: Companies have to take this a lot more seriously. And the denial of service is the low end of the threat.</p>
<p>The high end of the threat is espionage or sabotage. We have seen a lot of espionage. For denial of service, as for espionage, you have to say, am I doing the basic hygiene things? Am I making sure my systems are patched? Do I have a risk management plan? Have I put in place the technologies that will let me track who is trying to do what to my network?</p>
<p>All of this is out there. And, in fact, the whole WikiLeaks thing with DOD, with the right technologies, we could have avoided WikiLeaks. So this is a problem maybe of will, maybe of incentives. But it&#8217;s something that is fixable if we can get our act in gear.</p>
<p>JEFFREY BROWN: And yet you&#8217;re saying that, when you go to companies, a lot of companies just say, this is last on our list, after marketing and various other things?</p>
<p>LARRY CLINTON: Well, if you&#8217;re a small business, you want one thing, which is to become a big business. There are about a third of our major corporations that are investing adequately in this.</p>
<p>But in two-thirds of American businesses, investment in cyber-security is actually going down. And I think Jim is absolutely right. We need to put in place a 21st century partnership between government and industry, so that we get the proper incentives put in place to expand the perimeter of cyber-security, and, that way, we don&#8217;t have to be training our grandparents to update their Twitter accounts properly.</p>
<p>JEFFREY BROWN: What about the hackers? I mean, we refer to this phrase now hacktivists, right? Do you see them that way? Are they pranksters? Is it worse? And how organized is this all?</p>
<p>JAMES LEWIS: Well, one of the nice things about the Internet is it lets virtual communities spring up. And it can be virtual communities of people interested in the same kind of dog, or it can be people interested in the same kind of nutty political cause.</p>
<p>It empowers them both. And so what we have got now are groups that share views widely distributed around the globe and have a technology that will let them express their opinions. We have seen this in Estonia. We see it all the time in Asia.</p>
<p>It&#8217;s a way to &#8212; it&#8217;s a new form of politics. And it&#8217;s like those anarchists who come and demonstrate in front of the IMF, except, these times, they can hide behind the Internet. They can do &#8212; make a lot more noise, do a lot more damage.</p>
<p>JEFFREY BROWN: And do we know much about how organized they are as groups? I mean, we&#8217;re talking about Gawker. We&#8217;re talking about the Wikipedia &#8212; WikiLeaks. Excuse me.</p>
<p>LARRY CLINTON: Yes, they&#8217;re very organized. Actually, the biggest problem is organized crime.</p>
<p>The organized criminal syndicates, particularly in Eastern Europe and in China, are the ones who are providing the basis for a lot of this nefarious behavior. And then we get a lot of attention paid to the hacktivists, which generate attention.</p>
<p>But the real insidious threats are things like the advanced persistent threat, which, unlike a hacktivist attack, like we&#8217;re seeing with the WikiLeaks, is not designed to generate attention. It&#8217;s designed to get into a system, and so you don&#8217;t even know that it&#8217;s there. And it quietly steals, not only personal data, but corporate intellectual property, national secrets, et cetera.</p>
<p>And this is very, very organized. And it&#8217;s driven by the attempt to make money.</p>
<p>JEFFREY BROWN: And mostly quiet, right?</p>
<p>LARRY CLINTON: Very, very quiet.</p>
<p>JEFFREY BROWN: And that&#8217;s the kind of discussion &#8212; those are the things we don&#8217;t discuss, usually, and we don&#8217;t hear about.</p>
<p>LARRY CLINTON: That&#8217;s right.</p>
<p>JEFFREY BROWN: All right, Jim Lewis and Larry Clinton, thank you both very much.</p>
<p>JAMES LEWIS: Thank you.</p>
<p>LARRY CLINTON: Thank you, Jeff.</p>
]]></content:encoded>
			<wfw:commentRss>http://webprofessionals.org/is-the-web-becoming-less-secure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gawker Analysis</title>
		<link>http://webprofessionals.org/gawker-analysis/</link>
		<comments>http://webprofessionals.org/gawker-analysis/#comments</comments>
		<pubDate>Tue, 14 Dec 2010 02:43:06 +0000</pubDate>
		<dc:creator>Bill Cullifer</dc:creator>
				<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Web Pro News]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://webprofessionals.org/?p=2011</guid>
		<description><![CDATA[A Gawker Analysis On PBS Gawker Media, one of the web&#8217;s largest publishers, was hacked over the weekend and information for about 1.3 million users was made public. Jeffrey Brown speaks with the NewsHour&#8217;s Hari Sreenivasan about the cyber attack and what it means for personal security online. Transcript JEFFREY BROWN: And we turn to [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>A Gawker Analysis On PBS </strong></p>
<p>Gawker Media, one of the web&#8217;s largest publishers, was hacked over the weekend and information for about 1.3 million users was made public. Jeffrey Brown speaks with the NewsHour&#8217;s Hari Sreenivasan about the cyber attack and what it means for personal security online.</p>
<p>Transcript</p>
<p>JEFFREY BROWN: And we turn now to the vulnerability of the Internet, after a week of very visible hacks and attacks.</p>
<p>In the days following the release of classified government documents by WikiLeaks, thousands of the site&#8217;s supporters, so-called hacktivists, have launched online attacks aimed at companies and groups they deem hostile to WikiLeaks and to the free flow of information.</p>
<p>Last week, a group calling itself Anonymous targeted the websites of Visa, MasterCard and PayPal, among others, after the companies stopped processing donations to WikiLeaks. Government websites, too, have been vulnerable. The Senate website was slowed last week after Senator Joe Lieberman criticized sites enabling WikiLeaks.</p>
<p>The attacks used software that chains together hundreds of computers that all request information from the same website at the same time, causing a traffic jam that makes the site inaccessible.</p>
<p>RYAN SINGEL, staff writer, Wired.com: This is a little bit more like what happened in the &#8217;60s when protesters took over buildings at, you know, universities, where people couldn&#8217;t get in the building, but it&#8217;s not really them blowing up the building.</p>
<p>JEFFREY BROWN: While all that goes on, this weekend, there was another example of online hacking, this one affecting the popular site Gawker, an eight-year-old digital media company that hosts blogs on media, technology, and pop culture.</p>
<p>A group calling itself Gnosis raided Gawker, burrowing inside its databases to unlock the user names, passwords, and e-mail addresses of some 1.3 million people who had left comments on the site. Gawker was forced to stop publishing temporarily Sunday and urged its users to change their passwords.</p>
<p>There were signs the hackers had acted in retaliation after a war of words with Gawker. They also appeared to send a message about the vulnerability of usernames and passwords, listing several thousand accounts in which the password for the account is the word &#8220;password.&#8221;</p>
<p>Our own Hari Sreenivasan covers technology developments for us online, has been &#8212; and has been following the Gawker situation. He joins me now for an update.</p>
<p>So, Hari, first, for those who don&#8217;t know much about Gawker, tell us a little bit more. What is it?</p>
<p>HARI SREENIVASAN: Well, it is one of the largest publishers on the Web. And it&#8217;s really an amazing set of sites. Whether you care about cars or you care about gadgets, it&#8217;s one of the must-check sites on the Internet.</p>
<p>And it&#8217;s almost like a modern-day salon, because people come there for information, but they&#8217;re coming just as much for the comment threads and to leave a comment and really to be part of a conversation.</p>
<p>JEFFREY BROWN: All right, we talk about this group called Gnosis. How much do we know about what &#8212; who they are? And what did they do to Gawker?</p>
<p>HARI SREENIVASAN: Well, a lot of these sort of hacker groups are very shadowy in nature, in the sense that they &#8212; there&#8217;s no card-carrying membership that says, I&#8217;m part of this club. I&#8217;m the one who did this, and here is my address and phone number.</p>
<p>So, really, what they did to Gawker was come in behind the scenes in the past few weeks, past few months, figure out vulnerabilities, and essentially start to take the keys to the kingdom. Everything that Gawker held dear, most important, the user information, they took all of that out and splayed it out across the Internet.</p>
<p>They didn&#8217;t hide the information for themselves for some sort of kind of nefarious means. They said, here, take it, because this is really &#8212; they&#8217;re the crown jewels for a website.</p>
<p>JEFFREY BROWN: And you were telling me earlier today that you went online last night.</p>
<p>HARI SREENIVASAN: Yes.</p>
<p>JEFFREY BROWN: So, give us examples. What could you see there?</p>
<p>HARI SREENIVASAN: Well, something very minimally invasive was that I could see what the future of the Gawker website was supposed to look like, which is something pretty important that you want to try to keep secret.</p>
<p>If I was a real kind of a technologist, I could actually see the content management system. I could see the databases. I could see where they store their passwords. I could see the advertising information, which could be very important.</p>
<p>But the most important, again, the crown jewels, were the usernames, the passwords, and the e-mail addresses connected to them of some 1.3 million users. That&#8217;s really the stuff that I, as a complete novice, could see.</p>
<p>JEFFREY BROWN: Now, how are those people affected, in what ways?</p>
<p>HARI SREENIVASAN: Well, so, the thing &#8212; it kind of gets back to a little bit of social engineering.</p>
<p>So a lot of times people don&#8217;t make separate passwords and separate usernames for different websites. Sometimes, they use the same website or same e-mail address that I have for work on to a site like Gawker, and then maybe that&#8217;s the same password that gets me into Facebook, and then it&#8217;s also connected to Twitter.</p>
<p>So, as we see all of these different kind of communities that we participate in during the day, people aren&#8217;t very good at keeping these walls separate. So, that&#8217;s where the real influence is.</p>
<p>JEFFREY BROWN: And I heard today that &#8212; so, today, they used that to affect Twitter as well, right?</p>
<p>HARI SREENIVASAN: That&#8217;s right. So&#8230;</p>
<p>JEFFREY BROWN: And this would be people who use the same password for Gawker and Twitter.</p>
<p>HARI SREENIVASAN: That&#8217;s right, the same username or the password. So, basically, somebody between last night and this morning wrote a small computer program that figured out that little exploit.</p>
<p>And, so, while hundreds or maybe thousands of people are asleep, their Twitter accounts were automatically sending out advertisements for the acai berry or acai berry, however you say it, the super berry, right? So, while you were sleeping, you were actually a victim to somebody else&#8217;s marketing scam.</p>
<p>JEFFREY BROWN: Now, what if I or what if our viewers don&#8217;t go on Gawker? Should they care?</p>
<p>HARI SREENIVASAN: Well, they should care because this actually exploits larger vulnerabilities into their workplaces.</p>
<p>Not only were there Gmail and Yahoo! accounts. There were a lot of government accounts. There were a lot of edu, which means universities or educational institution, accounts.</p>
<p>So if these people don&#8217;t change their passwords, don&#8217;t get a little stronger about their own protections, those systems could also be compromised. I mean, all of those e-mail addresses are now out there for other hackers to exploit.</p>
<p>JEFFREY BROWN: And what of Gawker? I said they temporarily stopped publishing. They&#8217;re certainly back now. But have they taken any steps that we know of to prevent this in the future?</p>
<p>HARI SREENIVASAN: Well, they said that they are. They apologized to their users profusely on their blog. They said, we&#8217;re really embarrassed and really we want to try to help you go ahead and change your password.</p>
<p>But, ironically enough, this morning, if I wanted to delete my account on Gawker, I couldn&#8217;t do that because the database that would have allowed me to do that was corrupted by the hackers last night.</p>
<p>JEFFREY BROWN: All right, Hari Sreenivasan, thanks a lot.</p>
]]></content:encoded>
			<wfw:commentRss>http://webprofessionals.org/gawker-analysis/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>China&#8217;s Internet &#8216;Hijacking&#8217; Creates Worries</title>
		<link>http://webprofessionals.org/chinas-internet-hijacking-creates-worries/</link>
		<comments>http://webprofessionals.org/chinas-internet-hijacking-creates-worries/#comments</comments>
		<pubDate>Sat, 27 Nov 2010 02:35:37 +0000</pubDate>
		<dc:creator>Bill Cullifer</dc:creator>
				<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Industry News]]></category>
		<category><![CDATA[Web Pro News]]></category>

		<guid isPermaLink="false">http://webprofessionals.org/?p=1990</guid>
		<description><![CDATA[Last week, a congressionally chartered commission released a report about what China&#8217;s rise means for the U.S. economy and security. Included in the findings were the details of a little-known incident involving the hijacking of online data by a firm owned by the Chinese government. Transcript JUDY WOODRUFF: As holiday shoppers flock to the Web [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><script type="text/javascript" src="http://www.pbs.org/wgbh/pages/frontline/js/pap/embed.js?news01n45bbqfe9"></script></p>
<p>Last week, a congressionally chartered commission <a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_house_committee_prints&#038;docid=f:61507.pdf">released a report</a> about what China&#8217;s rise means for the U.S. economy and security. Included in the findings were the details of a little-known incident involving the hijacking of online data by a firm owned by the Chinese government.</p>
<p>Transcript</p>
<p>JUDY WOODRUFF: As holiday shoppers flock to the Web to make purchases, new questions about Internet security are surfacing.</p>
<p>Ray Suarez tells the story.</p>
<p>RAY SUAREZ: At a communications company outside Washington, D.C., computer network engineers monitor Internet traffic. Normally, the Internet works by swiftly finding the shortest, most efficient trip between two computers anywhere on Earth.</p>
<p>An 18-minute diversion of Internet traffic through China has raised security concerns around the world &#8212; especially for governments and people in critical infrastructure &#8212; and raises new concerns for online shoppers just ahead of Cyber Monday.</p>
<p>Courtesy of PBS</p>
<p>Electronic routers direct the traffic flow, ensuring the shortest path, like these green lines here. But, back in April, electronic communication looking for the shortest route was sent through China.</p>
<p>Watch the red line. For 18 minutes, the traffic on 35,000 to 50,000 computer networks elsewhere in the world began flowing toward China, before getting routed to their final destinations. China Telecom had created a massive detour.</p>
<p>But traffic didn&#8217;t stop. The affected computer connections took just a tiny fraction of a second longer. Whether someone was logging in to check a bank balance, sending a child&#8217;s photo to grandma, or shopping online, the Net still worked.</p>
<p>However, at the computer operations center outside Washington, D.C., engineers noticed this Internet routing phenomenon immediately. Their computer screens lit up with red alerts.</p>
<p>RODNEY JOFFE, Neustar, Inc.: We noticed the sudden change. During the period, there were alarms that went off.</p>
<p>RAY SUAREZ: One of the architects of the modern Internet, Rodney Joffe, said this diversion was a very big deal. He says it was caused when computer routers in China belonging to China Telecom began signaling to other computer routers on the Internet that they could provide the quickest path between different computers.</p>
<p>RODNEY JOFFE: They, all of a sudden, began announcing the fact that they were an optimal path to about 15 percent of the destinations on the Internet, that, in fact, they were a way to get to a large number of destinations on the Internet, when, in fact, they were not. We have never seen that before on this scale ever.</p>
<p>RAY SUAREZ: Joffe is senior vice-president and senior technologist at Neustar, a global technology and communications company. He&#8217;s also a computer security expert who consults for the U.S. government and industry.</p>
<p>RODNEY JOFFE: In the grand scheme of things, this was a seminal event. So, this wasn&#8217;t a minor security event. This wasn&#8217;t a hiccup &#8212; 99.9 percent of the world didn&#8217;t even think this could be done. Engineers didn&#8217;t even think about it.</p>
<p>Every one of them is now thinking about it day and night, what the effects would be on their networks, and how they might use it, depending on whether they wear a white hat or a black hat.</p>
<p>RAY SUAREZ: Last week, the U.S.-China Economic and Security Review Commission, a congressionally chartered panel, issued a stinging report.</p>
<p>Its conclusion? That a state-owned Chinese communications firm, China Telecom &#8212; quote &#8212; &#8220;hijacked massive volumes of Internet traffic.&#8221;</p>
<p>The Chinese government and China Telecom deny this. A Foreign Ministry spokesman said, &#8220;This report ignores the facts and is full of Cold War thinking and political bias.&#8221;</p>
<p>When all the communications from tens of thousands of computer networks were routed to China, that included all the Web traffic, e-mail, and instant messages to and from dot.mil &#8212; that&#8217;s the Department of Defense &#8212; and dot.gov &#8212; those are U.S. government departments. The U.S. Senate and NASA also had all their traffic diverted.</p>
<p>Companies like Dell, Yahoo!, Microsoft and IBM had their data diverted by China Telecom, too. On that day in April, officers logging into a Pentagon Web site ended up looking at an image that came to their screen via China.</p>
<p>It&#8217;s not clear what China did with the Internet traffic routed through its computers, and it&#8217;s not clear if the data that passed through China was saved to be examined later.</p>
<p>But Larry Wortzel, a member of the commission that investigated the incident, is worried.</p>
<p>COL. LARRY WORTZEL (RET.), United States-China Economic and Security Review Commission: The real concern is that it was intentional, and these communications were recorded, and that they will be exploited over time to create either penetrations or to create networked malicious viruses.</p>
<p>RODNEY JOFFE: Once traffic goes through Chinese routers or switchers, Chinese devices, it&#8217;s possible for the traffic itself to be manipulated. It could either just be filtered and dropped, or, in fact, it can be read, so that a log could be made of the content of the traffic, or changes could be made.</p>
<p>So, for example, I could substitute one word for another or one e-mail for another, and the &#8212; the users on both ends would have no idea that this has occurred.</p>
<p>RAY SUAREZ: Joffe says hijacking Internet traffic is consistent with previous Chinese activities.</p>
<p>RODNEY JOFFE: The Chinese government has made it clear, as early as six or seven years ago, publicly, that they can see that one of the next frontiers for conflict is going to be settled in cyberspace. This would seem to be something along the same lines.</p>
<p>RAY SUAREZ: Larry Wortzel came to the U.S.-China Commission after a career in Army intelligence. He served as a U.S. military attache in China.</p>
<p>COL. LARRY WORTZEL: I think it&#8217;s important to understand that you can do an awful lot with 18 minutes of traffic. A good intelligence officer, for instance, could get 18 minutes of traffic from the whole Department of Defense, and &#8212; and get the Internet address, let&#8217;s say, to the military assistant or the executive officer to the Joint Chiefs of Staff and everyone he communicates with on certain issues, and their Internet addresses.</p>
<p>And then you could socially engineer an e-mail, and make it look like it came from one of those individuals in the network to all the others, and insert an attachment that contained a very malicious virus.</p>
<p>RAY SUAREZ: Wortzel says he&#8217;s been the subject of these types of computer attacks.</p>
<p>COL. LARRY WORTZEL: About eight months ago, I got an e-mail that looked like it came from the Naval Warfare Systems Command that invited me to a meeting on a particular missile system, and asked me to open the attachment to get the agenda for the meeting.</p>
<p>Well, I knew very well that I had not communicated with anybody in the Navy for quite a long time on that issue. And I actually called the person that was purported to have sent the e-mail. And she said, &#8220;I didn&#8217;t send you an e-mail.&#8221;</p>
<p>So, we had the attachment checked, and it was a very malicious virus that it would have done exactly that. It would have permitted somebody to take over a computer.</p>
<p>RAY SUAREZ: Even with no evidence of mischief, tampering, or theft, Rodney Joffe says governments and business have to harden their security systems, have to make sure this so-called hijack is made harder in the future, and, just to be safe, assume this wasn&#8217;t an accident.</p>
<p>RODNEY JOFFE: If, in fact, the traffic was being examined and your traffic passed through the network in China, your user I.D.s and passwords may have been compromised.</p>
<p>If I was a large enterprise or a large organization involved in critical infrastructure, if I was in government, I would be sweating bullets currently.</p>
<p>RAY SUAREZ: And Joffe says the mere example of this hijacking taking place has served as an inspiration to cyber-criminals around the world.</p>
<p>RODNEY JOFFE: We know that the criminals already have been discussing this. We have seen it for probably the last five or six months. It was a great event for them, because it&#8217;s given them a vector that most of them had never thought of.</p>
<p>RAY SUAREZ: Joffe and Wortzel agree that the Internet has exploded into worldwide daily use in part because its daily operation is based on trust. Lose that trust, and home users, businesses, and governments will start to stay away, and begin the unraveling of a modern marvel.</p>
]]></content:encoded>
			<wfw:commentRss>http://webprofessionals.org/chinas-internet-hijacking-creates-worries/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web Security &#8211; Company Boards Must Assume Cyber Attacks Will Occur</title>
		<link>http://webprofessionals.org/web-security-company-boards-must-assume-cyber-attacks-will-occur/</link>
		<comments>http://webprofessionals.org/web-security-company-boards-must-assume-cyber-attacks-will-occur/#comments</comments>
		<pubDate>Sun, 29 Aug 2010 19:25:50 +0000</pubDate>
		<dc:creator>Bill Cullifer</dc:creator>
				<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://webprofessionals.org/?p=1845</guid>
		<description><![CDATA[Company Boards Must Assume Cyber Attacks Will Occur Says Bloomberg Cyber attacks are now so common that corporate directors must assume that their companies’ intellectual property will be stolen, according to experts at this summer’s Bloomberg Link Boards &#038; Risk Conference in Washington. “Boards can’t keep hoping they won’t be attacked because my colleagues Peter [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Company Boards Must Assume Cyber Attacks Will Occur Says Bloomberg</p>
<p>Cyber attacks are now so common that corporate directors must assume that their companies’ intellectual property will be stolen, according to experts at this summer’s Bloomberg Link Boards &#038; Risk Conference in Washington. “Boards can’t keep hoping they won’t be attacked because my colleagues Peter Elstrom and Rochelle Garner wrote about corporate boards and cyber attacks in a story published today by Bloomberg News.</p>
<p>Security experts such as Patrick Morley, CEO of enterprise security firm Bit9, say that attacks are on the rise. Morley came to visit me last week in San Francisco after giving an educational seminar about how to stop malware. He predicts that security will move toward so-called white listing, the practice of defining the software that IT departments will let run on computers and mobile devices. Bit9 has created a global registry of known “good software” and offers a product that acts as a sentry, only letting employees download applications that aren’t dangerous.</p>
<p>This works in reverse of the way many anti-virus software programs work. Those programs scan for code that’s known to be bad. The problem, says Morley, is that at this point there are more bad viruses than there are safe software applications on the market.</p>
<p>“We’re all looking for bad but we know what good is,” said Cisco’s chief security officer John Stewart, when I interviewed him in March. Software vendors all know what they publish and the idea is to create a comprehensive list of that software so that everything else is questioned. “I think it’s high time that we continue to look for things that are potentially more effective,” said Stewart.</p>
]]></content:encoded>
			<wfw:commentRss>http://webprofessionals.org/web-security-company-boards-must-assume-cyber-attacks-will-occur/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Intel to Acquire McAfee, Moving Into Online Security &#8211; NY Times</title>
		<link>http://webprofessionals.org/intel-to-acquire-mcafee-moving-into-online-security-ny-times/</link>
		<comments>http://webprofessionals.org/intel-to-acquire-mcafee-moving-into-online-security-ny-times/#comments</comments>
		<pubDate>Thu, 19 Aug 2010 14:18:06 +0000</pubDate>
		<dc:creator>Bill Cullifer</dc:creator>
				<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Industry News]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://webprofessionals.org/?p=1833</guid>
		<description><![CDATA[Intel to Acquire McAfee, Moving Into Online Security The New York Times is reporting that Intel, the chip maker, has turned into Intel, the security specialist. The entrance to Intel’s campus in Hillsboro, Ore. Intel’s move to buy McAfee is its biggest effort to date to expand beyond its core chip-making business. Making one of [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>Intel to Acquire McAfee, Moving Into Online Security</strong></p>
<p>The New York Times is reporting that Intel, the chip maker, has turned into Intel, the security specialist.</p>
<p>Intel’s move to buy McAfee is its biggest effort to date to expand beyond its core chip-making business.</p>
<p>Making one of the most eye-catching moves in its 42-year history, Intel announced Thursday that it planned to acquire McAfee for $7.68 billion in cash.</p>
<p>Under the terms of the deal, Intel will pay $48 a share in cash, a 60 percent premium over McAfee’s Wednesday closing stock price of $29.93.</p>
<p>The deal makes Intel a major player in the security software and services market. As such, Intel will shed some of its identity as a component supplier and climb higher up the technology food chain.</p>
<p>Intel expects the market for security technology to grow as electronic gadgets and things like cars and home appliances increase their computing power and tap into the Internet.</p>
<p>Analysts expect that many of the tools that McAfee provides today may be built into chips and devices over time.</p>
<p>“Eventually the software features will get embedded in the hardware,” said Ashok Kumar, a technology analyst with Rodman &#038; Renshaw. “So, maybe this is an expensive way for Intel to acquire domain expertise.”</p>
<p>Intel’s chief executive, Paul S. Otellini, said in a statement: “With the rapid expansion of growth across a vast array of Internet-connected devices, more and more of the elements of our lives have moved online. In the past, energy-efficient performance and connectivity have defined computing requirements. Looking forward, security will join those as a third pillar of what people demand from all computing experiences.”</p>
<p>Intel, the world’s largest chip maker, has recovered from the recession well, posting record sales in recent quarters. Its results have been aided by rising sales of PCs to both consumers and businesses, and the expanded use of servers and data centers. After its most recent quarter, Intel had about $12.2 billion in cash and short-term investments on hand.</p>
<p>Still, the company’s efforts to put new flavors of lower-power chips into smartphones, TVs, cars and other devices have been slow. As a result, investors have been reluctant to view Intel as a growth bet and continue to see the company as tied to the PC.</p>
<p>The company’s share price has fallen about 20 percent in the last five years, closing on Wednesday at $19.59 a share.</p>
<p>Intel, however, has been bulking up its software arsenal. Last year, it bought Wind River for $884 million, giving it a software maker with a presence in the consumer electronics and wireless markets.</p>
<p>With McAfee, Intel will take hold of a company that sells antivirus software to consumers and businesses and a suite of more sophisticated security products and services aimed at corporations.</p>
<p>In addition, it gives the Silicon Valley veteran a potentially steadier revenue stream than it has found through the often booming and busting computer chip market, since much of the security software is sold on a subscription basis.</p>
<p>McAfee’s revenue rose 20 percent last year to $1.93 billion. Intel’s revenue fell 7 percent to $35.1 billion. At 80 percent, McAfee’s gross margins surpass Intel’s, which tend to be around 65 percent.</p>
<p>The companies are both based in Santa Clara, Calif., with head offices about a mile from each other. </p>
]]></content:encoded>
			<wfw:commentRss>http://webprofessionals.org/intel-to-acquire-mcafee-moving-into-online-security-ny-times/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internet security risks test U.S. government preparedness</title>
		<link>http://webprofessionals.org/internet-security-risks-test-u-s-government-preparedness/</link>
		<comments>http://webprofessionals.org/internet-security-risks-test-u-s-government-preparedness/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 01:15:25 +0000</pubDate>
		<dc:creator>Bill Cullifer</dc:creator>
				<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Industry News]]></category>

		<guid isPermaLink="false">http://webprofessionals.org/?p=1500</guid>
		<description><![CDATA[WorldFocus.org takes a look beyond the headlines at increasing concerns over cyber-security, a problem that was recently highlighted by an online assault on Google from China. This event added to fears of a digital attack that could cripple the information superhighway. In Washington, former security officials have met to role-play how the government would cope [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>WorldFocus.org takes a look beyond the headlines at increasing concerns over cyber-security, a problem that was recently highlighted by an online assault on Google from China.</p>
<p>This event added to fears of a digital attack that could cripple the information superhighway. In Washington, former security officials have met to role-play how the government would cope with such an attack.</p>
<p>For more, Martin Savidge interviews James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.</p>
<p>Lewis discusses the readiness of the government to deal with an attack and the likelihood of one taking place. He also talks about how this issue could impact U.S.-China relations.</p>
]]></content:encoded>
			<wfw:commentRss>http://webprofessionals.org/internet-security-risks-test-u-s-government-preparedness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beware of the Botnet: Attack hits corporations and agencies</title>
		<link>http://webprofessionals.org/beware-of-the-botnet-attacks-hits-corporations-and-agencies/</link>
		<comments>http://webprofessionals.org/beware-of-the-botnet-attacks-hits-corporations-and-agencies/#comments</comments>
		<pubDate>Fri, 19 Feb 2010 18:12:49 +0000</pubDate>
		<dc:creator>Bill Cullifer</dc:creator>
				<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Industry News]]></category>

		<guid isPermaLink="false">http://webprofessionals.org/?p=1495</guid>
		<description><![CDATA[Recent press reports indicate that a significant number of corporations and government agencies have been infiltrated by a &#8216;botnet,&#8217; according to news announcements. According to Wikipedia, a Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software, but it can also refer to [...]]]></description>
			<content:encoded><![CDATA[<p>Recent press reports indicate that a significant number of corporations and government agencies have been infiltrated by a &#8216;botnet,&#8217; according to news announcements.</p>
<p>According to Wikipedia, a Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software, but it can also refer to the network of computers using distributed computing software. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.</p>
<p>While the term &#8220;botnet&#8221; can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called zombie computers) running software, usually installed via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.</p>
<p>A botnet&#8217;s originator (aka &#8220;bot herder&#8221; or &#8220;bot master&#8221;) can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC &#8220;bots&#8221;. Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server (&#8220;C&#038;C&#8221;). Though rare, more experienced botnet operators program their own commanding protocols from scratch. The constituents of these protocols include a server program, client program for operation, and the program that embeds itself on the victim&#8217;s machine (bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.</p>
<p>A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, Twitter or IM) to communicate with its C&#038;C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a &#8220;botnet&#8221; is sometimes referred to as &#8220;scrumping.&#8221;</p>
<p>Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently as most script kiddies do not have the knowledge to take advantage of it.</p>
<p>Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet and the Norwegian ISP Telenor disbanded a 10,000-node botnet. Large coordinated international efforts to shut down botnets have also been initiated.[4] It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet.[5]</p>
<p>According to recent press reports, security experts have found a network of 74,000 virus-infected computers that stole information from inside corporations and government agencies. The unusual thing about the incident is not that it happened but that it was discovered, and it is a reminder of the dangers of having computers with sensitive data connected to the open Internet.</p>
<p>More than 2,400 organizations, including financial institutions and energy companies and federal agencies, were infiltrated by the &#8220;botnet,&#8221; according to the NetWitness Corp. security firm, which discovered it.</p>
<p>NetWitness didn&#8217;t name the companies or agencies whose computers were compromised. The Wall Street Journal said the affected companies included Merck &#038; Co., Cardinal Health Inc., Paramount Pictures and Juniper Networks Inc. Merck and Cardinal Health said in statements Thursday that one computer in each company was among those in the botnet but no sensitive information was taken. </p>
<p>The victims don&#8217;t appear to have been specifically targeted, unlike the recent computer attacks on Google Inc. that prompted the Internet search leader to threaten to pull its business out of China. That&#8217;s an important distinction, because it shows how online secrets can fall into the wrong hands even when criminals aren&#8217;t necessarily looking for them.</p>
<p>&#8220;This kind of stuff is out there and it&#8217;s pervasive,&#8221; said Amit Yoran, CEO of NetWitness and former cybersecurity chief at the U.S. Department of Homeland Security. Parts of the botnet discovered by his firm likely are still active. He said the network appears to be run from computers in Eastern Europe and China, but it&#8217;s not certain the perpetrators are there.</p>
<p>Botnets are networks of poisoned PCs that are remotely controlled by hackers and behave like their criminal robots. The PCs are often infected when their owners visit bad Web sites or open malicious e-mail attachments.</p>
<p>Botnets are a major tool for cybercrime. They help criminals amass troves of stolen data that they can sell on the black market or use for their own schemes, such as yanking money from victims&#8217; bank accounts.</p>
<p>The biggest on record is the one created by the Conficker worm. That infected anywhere from 3 million to 12 million PCs running Microsoft Corp.&#8217;s Windows operating system and is still active.</p>
<p>The botnet NetWitness discovered used malicious software called &#8220;ZeuS&#8221; that steals passwords and other online credentials. It&#8217;s primarily focused on poaching Internet banking credentials and is well known in the security community.</p>
<p>The fact that so many companies and government agencies were hit generally appears to have been incidental. Yoran said the attackers were targeting specific information rather than specific organizations.</p>
<p>Still, they were very successful, snatching more than 68,000 credentials over four weeks. Most of those credentials were login details for Facebook and Yahoo and other personal e-mail services. On the face of it those aren&#8217;t the most sensitive pieces of information, but they can hold the keys to unlocking other types of online accounts and private data.</p>
<p>Security experts who weren&#8217;t part of the NetWitness report said the findings illustrate the growing risk from the ZeuS software, whose authors are constantly updating it to evade detection by antivirus software and other security measures.</p>
<p>A bigger concern, Jackson said, is a new version of ZeuS that has appeared in the last few months and is more powerful and even harder to detect.</p>
]]></content:encoded>
			<wfw:commentRss>http://webprofessionals.org/beware-of-the-botnet-attacks-hits-corporations-and-agencies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web Security Predictions for 2010</title>
		<link>http://webprofessionals.org/web-security-predictions-for-2010/</link>
		<comments>http://webprofessionals.org/web-security-predictions-for-2010/#comments</comments>
		<pubDate>Sun, 03 Jan 2010 14:45:30 +0000</pubDate>
		<dc:creator>Bill Cullifer</dc:creator>
				<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Industry News]]></category>
		<category><![CDATA[Web Pro News]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://webprofessionals.org/?p=1393</guid>
		<description><![CDATA[Web Security Threats Projected to Grow for 2010: 2010 will see increasing Web security threats to users of social networking and media sites such as Facebook and Twitter, according to security vendor McAfee. &#8220;In 2009 we saw increased attacks on websites, exploit cocktails thrown at unsuspecting users, infrastructure failure via [...]]]></description>
			<content:encoded><![CDATA[<h2>Web Security Threats Projected to Grow for 2010</h2>
<p>2010 will see increasing Web security threats to users of social networking and media sites such as Facebook and Twitter, according to security vendor McAfee. &#8220;In 2009 we saw increased attacks on websites, exploit cocktails thrown at unsuspecting users, infrastructure failure via natural and unnatural causes, and &#8216;friendly fire&#8217; become a larger problem than ever.&#8221;</p>
<p>The report also warns future users of the Google Chrome operating system to be aware of attacks in HTML 5. </p>
<p>&#8220;It really speaks to a Web 2.0 world. People communicate differently today, people transact and pay their bills differently today, and that drives today&#8217;s criminals,&#8221; ABC Science quoted David Marcus, director of security research and communications for McAfee Labs, which this week released its 2010 Threat Predictions report, as saying. &#8220;Bad guys tend to go where the masses go,&#8221; he added.</p>
<p>Not only has the volume of threats escalated dramatically, the delivery methods have also become more sophisticated, he said. &#8220;With Facebook reaching more than 350 million users, we expect that 2010 will take these trends to new heights,&#8221; security vendor McAfee said in its &#8220;2010 Threat Predictions&#8221; report.</p>
]]></content:encoded>
			<wfw:commentRss>http://webprofessionals.org/web-security-predictions-for-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

