Web Security

Trusted Identity in Cyberspace

by Bill Cullifer on May 5, 2011

A Look at White House’s National Strategy for Trusted Identities in Cyberspace

The need to improve the current state of online identity has been hailed at the highest levels of the U.S. government.

“By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation,” President Obama said in a statement on Launch of the National Strategy for Trusted Identities in Cyberspace. This podcast covers the topic from the point of view of the U.S. Chamber of Commerce.

The NSTIC proposes the creation of an “identity ecosystem” online, “where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.” The strategy puts government in the role of a convener, verifying and certifying identity providers in a trust framework.

First steps toward this model, in the context of citizen-to-government authentication, came in 2010 with the launch of the Open Identity Exchange (OIX) and a pilot of a trust framework at the National Institutes of Health — but there’s a very long road ahead for this larger initiative.

Why is this important?

* $10 trillion of online transactions
* Could ensure the growth of the Web
* Could ensure the success of the Web profession
* Could ensure private sector involvement
* Cyber crime costs consumers $37 billion a year
* Could serve as an identity protection program for consumers

The final version of NSTIC is a framework that lays out a vision for an identity ecosystem. Video of the launch of the NSTIC at the Commerce Department is embedded below:



Is the Web Becoming Less Secure?

by Bill Cullifer on December 16, 2010

Is the Web Becoming Less Secure? A PBS Analysis

In the wake of the Gawker Media hacking over the weekend, Jeffrey Brown gets a wider perspective about the vulnerability of online information and the danger of further cyberattacks from James Lewis of the Center for Strategic and International Studies and Larry Clinton of the Internet Security Alliance.

Transcript

JEFFREY BROWN: Now some wider perspective on all this from two who follow the online world closely.

James Lewis is director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies here in Washington. And Larry Clinton is president and CEO of the Internet Security Alliance, an industry trade group that represents companies and organizations focusing on Internet security.

Welcome to both of you.

Jim Lewis, how — we listen to this. Now, broaden it out. How vulnerable is the system and where do you see the main problems?

JAMES LEWIS, Center for Strategic and International Studies: The main problem is that we’re using 1970s technology, or, at best, 1990s technology, and it just isn’t appropriate anymore for a global infrastructure.

And there are some things, like this Gawker website, that we’re just never going to be able to fix. Passwords are very difficult to make secure, maybe impossible. So if you’re depending on a password, chances are you’re going to be in trouble. And I know that might frighten people, but that’s the reality.

JEFFREY BROWN: Reason for being frightened? What do you see?

LARRY CLINTON, president & CEO, Internet Security Alliance: Well, there is reason for being frightened.

We have an insecure system that was designed to be open, not to be secure. And we’re expanding that system with all sorts of new devices, handheld devices, smartphones, et cetera. So, the system is becoming generally less secure.

JEFFREY BROWN: It’s interesting, because a lot of this isn’t about high technology. This is human nature, right? People want to simplify their lives, so we use the same password.

LARRY CLINTON: Well, that’s right. I mean, the problem really…

JEFFREY BROWN: They even use the password for password.

LARRY CLINTON: Exactly, or 12346, the most common password.

(LAUGHTER)

JEFFREY BROWN: Yes.

LARRY CLINTON: The problem isn’t that we couldn’t build secure systems. The problem is really more that we won’t buy secure systems. We want easy and we want cheap.

And we’re going to have to begin to look at cyber-security as much more than just a technological issue. It’s a strategic and economic issue. And we’re going to have to take a full-scale look at all these things in an integrated fashion.

JEFFREY BROWN: Well, give us a little sort of news that viewers can use here. I mean, what should consumers, what should they do? Especially, here we are in the holiday season, and a lot of people are online shopping, for example.

JAMES LEWIS: Yes. And if you pay a little attention to your password, you can make it harder, and you’re going to knock out the lower-end hackers, which is mainly what we have seen in a lot of these WikiLeaks and Gawker things. You know, don’t use your pet’s name.

If you have personal information on Facebook or a social networking site, don’t use that as your password.

And a lot people do that. And, finally, the default password on all equipment when you buy it is password. Change the default.

JEFFREY BROWN: What would you add to that for…

LARRY CLINTON: Well, that’s all good advice. And it does begin to scratch the surface of the problem.

But we need to get much deeper with the problem. Enterprises need to be much more involved in overall cyber-security. One of the least publicized facts in this field is that we know tons about how to secure these systems.

JEFFREY BROWN: We do?

LARRY CLINTON: We do.

JEFFREY BROWN: What do we know, for example?

LARRY CLINTON: Well, enterprises need to have a risk management plan. Most don’t. They need to have somebody in charge of the plan. Most don’t. We need to be beginning to fund the investment in cyber-security equal to the upside that we do invest.

Most businesses are happy to invest in online marketing and all the advantages for cyber-security. They are not investing in the cyber-security defensive structures that they need to be putting in place, many of which are highly effective. There are standards, practices, technologies that could protect many of these sites. They’re simply not investing in them.

JEFFREY BROWN: Is that correct, in your experience, that they don’t want to invest, even after we see something with Gawker? And we see it — of course, that’s just the tip of the iceberg, right?

JAMES LEWIS: Yes, it’s a question of investment. It’s a question of practices. And it is, to some extent, a question of technology.

To some extent, this technology is just not securable. And so there’s always going to be an element of risk. One of the things that’s nice about these denial of service attacks is it…

JEFFREY BROWN: Explain. Explain what that is.

JAMES LEWIS: Denial of services, as we heard, people launching hundreds or thousands, tens of thousands of messages at a company, to the point where their computer on the receiving end is overloaded and crashes.

That’s right.

And that’s an avoidable problem. That’s a problem that people have figured out how to beat. So when you see somebody falling prey to denial of service attack, it means they haven’t been paying any attention for the last five or six years.

JEFFREY BROWN: But so what do you tell — let’s focus on companies for a moment. We talked about individuals. What should companies be doing, do you think?

JAMES LEWIS: Companies have to take this a lot more seriously. And the denial of service is the low end of the threat.

The high end of the threat is espionage or sabotage. We have seen a lot of espionage. For denial of service, as for espionage, you have to say, am I doing the basic hygiene things? Am I making sure my systems are patched? Do I have a risk management plan? Have I put in place the technologies that will let me track who is trying to do what to my network?

All of this is out there. And, in fact, the whole WikiLeaks thing with DOD, with the right technologies, we could have avoided WikiLeaks. So this is a problem maybe of will, maybe of incentives. But it’s something that is fixable if we can get our act in gear.

JEFFREY BROWN: And yet you’re saying that, when you go to companies, a lot of companies just say, this is last on our list, after marketing and various other things?

LARRY CLINTON: Well, if you’re a small business, you want one thing, which is to become a big business. There are about a third of our major corporations that are investing adequately in this.

But in two-thirds of American businesses, investment in cyber-security is actually going down. And I think Jim is absolutely right. We need to put in place a 21st century partnership between government and industry, so that we get the proper incentives put in place to expand the perimeter of cyber-security, and, that way, we don’t have to be training our grandparents to update their Twitter accounts properly.

JEFFREY BROWN: What about the hackers? I mean, we refer to this phrase now hacktivists, right? Do you see them that way? Are they pranksters? Is it worse? And how organized is this all?

JAMES LEWIS: Well, one of the nice things about the Internet is it lets virtual communities spring up. And it can be virtual communities of people interested in the same kind of dog, or it can be people interested in the same kind of nutty political cause.

It empowers them both. And so what we have got now are groups that share views widely distributed around the globe and have a technology that will let them express their opinions. We have seen this in Estonia. We see it all the time in Asia.

It’s a way to — it’s a new form of politics. And it’s like those anarchists who come and demonstrate in front of the IMF, except, these times, they can hide behind the Internet. They can do — make a lot more noise, do a lot more damage.

JEFFREY BROWN: And do we know much about how organized they are as groups? I mean, we’re talking about Gawker. We’re talking about the Wikipedia — WikiLeaks. Excuse me.

LARRY CLINTON: Yes, they’re very organized. Actually, the biggest problem is organized crime.

The organized criminal syndicates, particularly in Eastern Europe and in China, are the ones who are providing the basis for a lot of this nefarious behavior. And then we get a lot of attention paid to the hacktivists, which generate attention.

But the real insidious threats are things like the advanced persistent threat, which, unlike a hacktivist attack, like we’re seeing with the WikiLeaks, is not designed to generate attention. It’s designed to get into a system, and so you don’t even know that it’s there. And it quietly steals, not only personal data, but corporate intellectual property, national secrets, et cetera.

And this is very, very organized. And it’s driven by the attempt to make money.

JEFFREY BROWN: And mostly quiet, right?

LARRY CLINTON: Very, very quiet.

JEFFREY BROWN: And that’s the kind of discussion — those are the things we don’t discuss, usually, and we don’t hear about.

LARRY CLINTON: That’s right.

JEFFREY BROWN: All right, Jim Lewis and Larry Clinton, thank you both very much.

JAMES LEWIS: Thank you.

LARRY CLINTON: Thank you, Jeff.


Gawker Analysis

by Bill Cullifer on December 14, 2010

A Gawker Analysis On PBS

Gawker Media, one of the web’s largest publishers, was hacked over the weekend and information for about 1.3 million users was made public. Jeffrey Brown speaks with the NewsHour’s Hari Sreenivasan about the cyber attack and what it means for personal security online.

Transcript

JEFFREY BROWN: And we turn now to the vulnerability of the Internet, after a week of very visible hacks and attacks.

In the days following the release of classified government documents by WikiLeaks, thousands of the site’s supporters, so-called hacktivists, have launched online attacks aimed at companies and groups they deem hostile to WikiLeaks and to the free flow of information.

Last week, a group calling itself Anonymous targeted the websites of Visa, MasterCard and PayPal, among others, after the companies stopped processing donations to WikiLeaks. Government websites, too, have been vulnerable. The Senate website was slowed last week after Senator Joe Lieberman criticized sites enabling WikiLeaks.

The attacks used software that chains together hundreds of computers that all request information from the same website at the same time, causing a traffic jam that makes the site inaccessible.

RYAN SINGEL, staff writer, Wired.com: This is a little bit more like what happened in the ’60s when protesters took over buildings at, you know, universities, where people couldn’t get in the building, but it’s not really them blowing up the building.

JEFFREY BROWN: While all that goes on, this weekend, there was another example of online hacking, this one affecting the popular site Gawker, an eight-year-old digital media company that hosts blogs on media, technology, and pop culture.

A group calling itself Gnosis raided Gawker, burrowing inside its databases to unlock the user names, passwords, and e-mail addresses of some 1.3 million people who had left comments on the site. Gawker was forced to stop publishing temporarily Sunday and urged its users to change their passwords.

There were signs the hackers had acted in retaliation after a war of words with Gawker. They also appeared to send a message about the vulnerability of usernames and passwords, listing several thousand accounts in which the password for the account is the word “password.”

Our own Hari Sreenivasan covers technology developments for us online and has been following the Gawker situation. He joins me now for an update.

So, Hari, first, for those who don’t know much about Gawker, tell us a little bit more. What is it?

HARI SREENIVASAN: Well, it is one of the largest publishers on the Web. And it’s really an amazing set of sites. Whether you care about cars or you care about gadgets, it’s one of the must-check sites on the Internet.

And it’s almost like a modern-day salon, because people come there for information, but they’re coming just as much for the comment threads and to leave a comment and really to be part of a conversation.

JEFFREY BROWN: All right, we talk about this group called Gnosis. How much do we know about what — who they are? And what did they do to Gawker?

HARI SREENIVASAN: Well, a lot of these sort of hacker groups are very shadowy in nature, in the sense that they — there’s no card-carrying membership that says, I’m part of this club. I’m the one who did this, and here is my address and phone number.

So, really, what they did to Gawker was come in behind the scenes in the past few weeks, past few months, figure out vulnerabilities, and essentially start to take the keys to the kingdom. Everything that Gawker held dear, most important, the user information, they took all of that out and splayed it out across the Internet.

They didn’t hide the information for themselves for some sort of kind of nefarious means. They said, here, take it, because this is really — they’re the crown jewels for a website.

JEFFREY BROWN: And you were telling me earlier today that you went online last night.

HARI SREENIVASAN: Yes.

JEFFREY BROWN: So, give us examples. What could you see there?

HARI SREENIVASAN: Well, something very minimally invasive was that I could see what the future of the Gawker website was supposed to look like, which is something pretty important that you want to try to keep secret.

If I was a real kind of a technologist, I could actually see the content management system. I could see the databases. I could see where they store their passwords. I could see the advertising information, which could be very important.

But the most important, again, the crown jewels, were the usernames, the passwords, and the e-mail addresses connected to them of some 1.3 million users. That’s really the stuff that I, as a complete novice, could see.

JEFFREY BROWN: Now, how are those people affected, in what ways?

HARI SREENIVASAN: Well, so, the thing — it kind of gets back to a little bit of social engineering.

So a lot of times people don’t make separate passwords and separate usernames for different websites. Sometimes, they use the same website or same e-mail address that I have for work on to a site like Gawker, and then maybe that’s the same password that gets me into Facebook, and then it’s also connected to Twitter.

So, as we see all of these different kind of communities that we participate in during the day, people aren’t very good at keeping these walls separate. So, that’s where the real influence is.

JEFFREY BROWN: And I heard today that — so, today, they used to that affect Twitter as well, right?

HARI SREENIVASAN: That’s right. So…

JEFFREY BROWN: And this would be people who use the same password for Gawker and Twitter.

HARI SREENIVASAN: That’s right, the same username or the password. So, basically, somebody between last night and this morning wrote a small computer program that figured out that little exploit.

And, so, while hundreds or maybe thousands of people are asleep, their Twitter accounts were automatically sending out advertisements for the acai berry or acai berry, however you say it, the super berry, right? So, while you were sleeping, you were actually a victim to somebody else’s marketing scam.

JEFFREY BROWN: Now, what if I or what if our viewers don’t go on Gawker? Should they care?

HARI SREENIVASAN: Well, they should care because this actually exploits larger vulnerabilities into their workplaces.

Not only were there Gmail and Yahoo! accounts. There were a lot of government accounts. There were a lot of .edu accounts, which means universities or educational institutions.

So if these people don’t change their passwords, don’t get a little stronger about their own protections, those systems could also be compromised. I mean, all of those e-mail addresses are now out there for other hackers to exploit.

JEFFREY BROWN: And what of Gawker? I said they temporarily stopped publishing. They’re certainly back now. But have they taken any steps that we know of to prevent this in the future?

HARI SREENIVASAN: Well, they said that they are. They apologized to their users profusely on their blog. They said, we’re really embarrassed and really we want to try to help you go ahead and change your password.

But, ironically enough, this morning, if I wanted to delete my account on Gawker, I couldn’t do that because the database that would have allowed me to do that was corrupted by the hackers last night.

JEFFREY BROWN: All right, Hari Sreenivasan, thanks a lot.
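Both transcripts above come back to the same two failures: weak or default passwords (“password”, the most common choices, a pet’s name, anything readable off a public profile) and the same password reused across Gawker, Twitter, Facebook and work e-mail, which is what let a small program turn the Gawker dump into hijacked Twitter accounts overnight. The following Python is an added example, not code from Gawker, Twitter, PBS or anyone quoted here. It shows the two checks a site operator can run on their own side: rejecting weak or profile-derived passwords at signup, and, when a third party’s dump is published, finding which of their own users had reused the leaked password so those accounts can be forced to reset. Every user, e-mail address, password and the “dump” are constructed for the demo; the common-password list is a stand-in for a real one.

```python
"""Password hygiene checks an operator can run on their own accounts.

Added example, not code from any site or person named on this page.
All users, e-mail addresses, passwords and the "dump" are constructed.
"""
import hashlib
import os

# Constructed stand-in for a real common-password list (the transcripts name
# "password" and "12346"/"123456" as the most common choices).
COMMON_PASSWORDS = {"password", "123456", "12346", "qwerty", "letmein"}
PBKDF2_ITERATIONS = 10_000  # kept low for the demo; production uses far more


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the stored digest for a candidate password and compare."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS) == digest


def password_problems(password: str, profile: dict) -> list:
    """Return reasons a new password should be rejected; an empty list means it passes.

    `profile` holds whatever a stranger could read off the user's public page
    (name, pet, city, ...), the kind of data the transcript warns against using.
    """
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    for field, value in profile.items():
        if value and len(value) >= 3 and value.lower() in lowered:
            problems.append(f"contains profile field '{field}'")
    return problems


def accounts_to_reset(users: dict, dump: list) -> list:
    """Cross-check a published dump against our own stored credentials.

    users: {email: (salt, digest)} as stored by this site.
    dump:  [(email, plaintext_password), ...] as published by a breached third party.
    Returns the e-mails whose password here equals the one leaked elsewhere:
    those accounts get a forced reset before anyone else tries the same reuse.
    """
    flagged = []
    for email, leaked_password in dump:
        record = users.get(email)
        if record and verify(leaked_password, *record):
            flagged.append(email)
    return flagged


if __name__ == "__main__":
    # Signup-time checks on constructed inputs.
    print(password_problems("password", {}))
    print(password_problems("RexRexRex2010!!", {"pet": "Rex"}))
    print(password_problems("correct-horse-battery-staple-9", {"pet": "Rex"}))

    # Our own (constructed) user table and a (constructed) third-party dump.
    users = {
        "alice@example.com": hash_password("ReusedEverywhere1"),
        "bob@example.com": hash_password("Unique-Bob-Pass-77"),
    }
    dump = [
        ("alice@example.com", "ReusedEverywhere1"),  # same password here and there
        ("bob@example.com", "password"),             # different password here
        ("carol@example.com", "123456"),             # not our user at all
    ]
    print(accounts_to_reset(users, dump))  # only alice reused her password
```

The reset check never needs the dump’s passwords to be stored anywhere: each leaked plaintext is run through the site’s own salted hash once, compared, and discarded. Note the second failure mode the transcript describes, a compromised account silently posting spam, is exactly what the forced reset on flagged accounts is meant to cut off.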


Company Boards Must Assume Cyber Attacks Will Occur Says Bloomberg

Cyber attacks are now so common that corporate directors must assume that their companies’ intellectual property will be stolen, according to experts at this summer’s Bloomberg Link Boards & Risk Conference in Washington. “Boards can’t keep hoping they won’t be attacked because my colleagues Peter Elstrom and Rochelle Garner wrote about corporate boards and cyber attacks in a story published today by Bloomberg News.

Security experts such as Patrick Morley, CEO of enterprise security firm Bit9, say that attacks are on the rise. Morley came to visit me last week in San Francisco after giving an educational seminar about how to stop malware. He predicts that security will move toward so-called whitelisting, the practice of defining the software that IT departments will let run on computers and mobile devices. Bit9 has created a global registry of known “good software” and offers a product that acts as a sentry, only letting employees download applications that aren’t dangerous.

This works in reverse of the way many anti-virus software programs work. Those programs scan for code that’s known to be bad. The problem, says Morley, is that at this point there are more bad viruses than there are safe software applications on the market.

“We’re all looking for bad but we know what good is,” said Cisco’s chief security officer John Stewart, when I interviewed him in March. Software vendors all know what they publish and the idea is to create a comprehensive list of that software so that everything else is questioned. “I think it’s high time that we continue to look for things that are potentially more effective,” said Stewart.
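The difference Morley and Stewart describe is a default: an antivirus blocklist lets anything run unless its signature is already known to be bad, while an allowlist (“whitelist”) lets nothing run unless it is in the catalogue of known-good software. The Python below is an added example, not Bit9’s product or Cisco’s code, and shows the two policies side by side on the same set of files, identified by SHA-256 fingerprint. The file names, contents and both catalogues are constructed for the demo; a real registry would hold millions of entries. It also shows the cost of the allowlist model that the article does not spell out: a legitimate update that has not yet been catalogued is denied too, so the registry must be kept current.

```python
"""Allowlist versus blocklist gating of executables by SHA-256 fingerprint.

Added example, not Bit9's or Cisco's code. All file names, contents and
catalogue entries are constructed; none corresponds to real software.
"""
import hashlib

# Constructed "known good" registry: name -> file bytes. Only the hashes are kept.
KNOWN_GOOD_CONTENT = {
    "editor.exe": b"editor v1.0 build 42",
    "browser.exe": b"browser v7.2",
}
# Constructed antivirus-style signature list: malware that has already been seen.
KNOWN_BAD_CONTENT = {
    "oldworm.exe": b"oldworm payload 2009",
}


def fingerprint(data: bytes) -> str:
    """Content hash used as the identity of a file in both catalogues."""
    return hashlib.sha256(data).hexdigest()


ALLOWLIST = {fingerprint(d) for d in KNOWN_GOOD_CONTENT.values()}
BLOCKLIST = {fingerprint(d) for d in KNOWN_BAD_CONTENT.values()}


def blocklist_decision(data: bytes) -> str:
    """Antivirus model: default allow; deny only a known-bad signature."""
    return "deny" if fingerprint(data) in BLOCKLIST else "allow"


def allowlist_decision(data: bytes) -> str:
    """Whitelisting model: default deny; allow only catalogued software."""
    return "allow" if fingerprint(data) in ALLOWLIST else "deny"


def compare(samples: dict) -> dict:
    """Return {name: (blocklist verdict, allowlist verdict)} for each sample file."""
    return {name: (blocklist_decision(d), allowlist_decision(d)) for name, d in samples.items()}


if __name__ == "__main__":
    samples = {
        "editor.exe": KNOWN_GOOD_CONTENT["editor.exe"],        # catalogued good
        "oldworm.exe": KNOWN_BAD_CONTENT["oldworm.exe"],       # catalogued bad
        "newmalware.exe": b"never-before-seen payload",       # constructed: no signature yet
        "editor_patched.exe": b"editor v1.1 build 43",        # constructed: real update, not yet catalogued
    }
    for name, (block_verdict, allow_verdict) in compare(samples).items():
        print(f"{name:20} blocklist={block_verdict:5} allowlist={allow_verdict}")
```

The two rows worth reading are `newmalware.exe`, which the blocklist passes and the allowlist stops, and `editor_patched.exe`, which the allowlist also stops until the registry learns the new build. That second row is the operational work the “global registry” in the article exists to absorb.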


Intel to Acquire McAfee, Moving Into Online Security

The New York Times is reporting that Intel, the chip maker, has turned into Intel, the security specialist.

The entrance to Intel’s campus in Hillsboro, Ore. Intel’s move to buy McAfee is its biggest effort to date to expand beyond its core chip-making business.

Making one of the most eye-catching moves in its 42-year history, Intel announced Thursday that it planned to acquire McAfee for $7.68 billion in cash.

Under the terms of the deal, Intel will pay $48 a share in cash, a 60 percent premium over McAfee’s Wednesday closing stock price of $29.93.

The deal makes Intel a major player in the security software and services market. As such, Intel will shed some of its identity as a component supplier and climb higher up the technology food chain.

Intel expects the market for security technology to grow as electronic gadgets and things like cars and home appliances increase their computing power and tap into the Internet.

Analysts expect that many of the tools that McAfee provides today may be built into chips and devices over time.

“Eventually the software features will get embedded in the hardware,” said Ashok Kumar, a technology analyst with Rodman & Renshaw. “So, maybe this is an expensive way for Intel to acquire domain expertise.”

Intel’s chief executive, Paul S. Otellini, said in a statement: “With the rapid expansion of growth across a vast array of Internet-connected devices, more and more of the elements of our lives have moved online. In the past, energy-efficient performance and connectivity have defined computing requirements. Looking forward, security will join those as a third pillar of what people demand from all computing experiences.”

Intel, the world’s largest chip maker, has recovered from the recession well, posting record sales in recent quarters. Its results have been aided by rising sales of PCs to both consumers and businesses, and the expanded use of servers and data centers. After its most recent quarter, Intel had about $12.2 billion in cash and short-term investments on hand.

Still, the company’s efforts to put new flavors of lower-power chips into smartphones, TVs, cars and other devices have been slow. As a result, investors have been reluctant to view Intel as a growth bet and continue to see the company as tied to the PC.

The company’s share price has fallen about 20 percent in the last five years, closing on Wednesday at $19.59 a share.

Intel, however, has been bulking up its software arsenal. Last year, it bought Wind River for $884 million, giving it a software maker with a presence in the consumer electronics and wireless markets.

With McAfee, Intel will take hold of a company that sells antivirus software to consumers and businesses and a suite of more sophisticated security products and services aimed at corporations.

In addition, it gives the Silicon Valley veteran a potentially steadier revenue stream than it has found through the often booming and busting computer chip market, since much of the security software is sold on a subscription basis.

McAfee’s revenue rose 20 percent last year to $1.93 billion. Intel’s revenue fell 7 percent to $35.1 billion. At 80 percent, McAfee’s gross margins surpass Intel’s, which tend to be around 65 percent.

The companies are both based in Santa Clara, Calif., with head offices about a mile from each other.


Web Security Predictions for 2010

by Bill Cullifer on January 3, 2010

Web Security Threats Projected to Grow for 2010

Web security threats are projected to grow in 2010, with users of social networking and media sites such as Facebook and Twitter increasingly targeted, according to security vendor McAfee. “In 2009 we saw increased attacks on websites, exploit cocktails thrown at unsuspecting users, infrastructure failure via natural and unnatural causes, and ‘friendly fire’ become a larger problem than ever.”

The report also warns future users of the Google Chrome operating system to be aware of attacks involving HTML 5.

“It really speaks to a Web 2.0 world. People communicate differently today, people transact and pay their bills differently today, and that drives today’s criminals,” ABC Science quoted David Marcus, director of security research and communications for McAfee Labs, which this week released its 2010 Threat Predictions report, as saying. “Bad guys tend to go where the masses go,” he added.

Not only has the volume of threats escalated dramatically, the delivery methods have also become more sophisticated, he said. “With Facebook reaching more than 350 million users, we expect that 2010 will take these trends to new heights,” security vendor McAfee said in its “2010 Threat Predictions” report.


Phishing, Cyber Crime and the Ugly Truth

by Bill Cullifer on September 1, 2009

Greetings Web professionals everywhere! The topic for today’s podcast is phishing, cyber crime, the ugly truth, and what we need to know and do about it. To assist us in better understanding the size and the scope of the problem, I reached out by telephone to Laura Mather, PhD, Founder and VP of Product Marketing at Silver Tail Systems, an anti-fraud company, and a volunteer for the Anti-Phishing Working Group (APWG).

In this three-minute podcast, Dr. Mather, a former eBay executive, provides key insights into how prevalent the issue has become, what we need to know as Web professionals, and anti-phishing educational resources we can share with our customers. She also asks that we participate with feedback as well.

According to Wikipedia, in the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

A phishing technique was described in detail in 1987, and the first recorded use of the term “phishing” was made in 1996. The term is a variant of fishing, probably influenced by phreaking, and alludes to baits used to “catch” financial information and passwords.

Today’s Web Pro Minute is sponsored by the crew at An Event Apart Conference, taking place in Chicago, IL, in October 2009 at the Sheraton Hotel and Towers. The conference is from the makers of A List Apart: An Event Apart is an intensely educational two-day conference for passionate practitioners of standards-based web design. Save $100 when you register with discount code AEAWOW. Check it out today and save!


Greetings WOW Members and Web Professionals Everywhere.

Web security is an issue of importance to Web professionals and to the customers we serve. To that end, I’d like to cover the topic of Web security, or more specifically “phishing”, and some stats that I just learned about. For today’s podcast, I’d like to explain what exactly phishing is, just how big of an issue this really is, and who monitors such activity.

According to Wikipedia, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies.
Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

According to the Anti-Phishing Working Group (APWG), the number of crimeware-spreading sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December, an 827% increase from January 2008.

For the complete story check out today’s two minute podcast on the Web Professional Minute website.

Today’s minute is sponsored by Web Design World 2009, taking place July 20-22, 2009 in Seattle, WA. These days, everyone’s doing more with less. That’s why Web Design World Seattle is the design conference for the here and now. No fluff or filler, just great speakers and practical topics. CSS and markup that work. Smart user-experience and social-networking strategies. Power tips for Photoshop, Dreamweaver, and Flash. Check out our lineup and sign up today!

A complete transcript will be available in twenty four hours.
