As far as the criminal mind goes, this level of information is yet another commodity to be traded within the criminal marketplace. After my last post detailing which criminal classes are concerned with which privacy bits people often post on Facebook, I believe that there are so many things wrong with this scenario as far as privacy is concerned that it should simply be assigned the title of Soup Sandwich.
The new service, called Places, allows Facebook users to tap the location-sensing capabilities of their mobile phones to "check in" to a business or address and then instantly share it with their Facebook connections. The optional service will also allow users to find other people who have also recently logged their presence physically nearby.
In this case it may interest domestic criminals rather than offshore cybercriminals, truly crossing from the cyber threat to the physical threat. As former US Attorney Karen Hewitt is quoted – “Everyone on the Internet may not be a bad guy, but all bad guys are on the Internet.”
As far as the Soup Sandwich metaphor:
The term expresses a state of extreme uselessness, which can be understood by considering the functionality and worth of soup between two slices of bread.
My assessment is that this is going to bring the violence aspect to a whole new level, globally. The traditional black market for business account access will probably lead to cybercriminals being ripped off by window-shopping gang bangers who simply use the who/what account data to plan their home invasions.
Five Steps to Home Invasion
With a grand total of 900 million records lost over the past six years, there is plenty of reason to be concerned about personal and financial information. But where does this concern fit relative to other everyday issues? And what can public-private partnerships really do about it?
Objective: Clarity
Securing Our eCity has been working closely with APWG and NCSA throughout 2009 and 2010 as part of the Messaging Convention to create the Advanced Strategy Online (ASO).
After two collaborative ASO meetings, held this May in San Diego and this June in New York City, the recommendations are now being compared with the data gathered from the APWG/NCSA-sponsored poll.
The Messaging Convention driven by NCSA and APWG includes:
…ADP; AVG; Costco; ESET; Facebook; Google; Intel; Intuit; McAfee; Microsoft; PayPal; RSA, The Security Division of EMC; Science Applications International Corporation (SAIC); Symantec; Trend Micro; Verizon Communications; VeriSign; Visa; Walmart; Yahoo!; the U.S. Department of Commerce; the U.S. Department of Homeland Security (DHS); Office of Justice Programs, U.S. Department of Justice; the U.S. Federal Bureau of Investigation (FBI); the U.S. Federal Trade Commission (FTC); and the U.S. Internal Revenue Service (IRS).
Michael Kaiser of the National Cyber Security Alliance provides further details:
Until mid-July, a malware attack on the SCADA control systems used in facilities such as power grids was considered one of many HILFs. Not anymore. Now it is better to have a plan and, as the Boy Scout motto says, "Be Prepared" with a defense-in-depth stance.
For CIOs this could not come at a worse time: an unstable economic situation for business, combined with the Stuxnet worm, has erupted into a proof-of-concept nightmare of what malware can do to the power grid and, worse, what grid failure can do to an unprepared business.
HILF is the catchy new term for a show-stopping event and no, it doesn't start with an "M". HILF stands for High Impact Low Frequency. These types of events include malware targeting SCADA controls as well as "Acts of God", geomagnetic disturbances caused by solar activity, and EMP (electromagnetic pulse, for example from a high-altitude nuclear detonation).
Businesses take note: the NERC strategy suggests that businesses plan for HILFs such as EMP or malware such as Stuxnet. In particular, it stresses planning for cascading effects, in which one emergency bleeds over into another.
The report examines three high-impact, low-frequency risks in detail: coordinated cyber, physical, or blended attacks; pandemic illness; and Geomagnetic Disturbances (GMD) and Electromagnetic Pulse (EMP) events. These risks are rare, and in some cases have never occurred.
Article: Learn Seven Ways To Keep HILFs From Crashing Your Party
Stuxnet’s Sophisticated Attack
Stuxnet has been evaluated as a weaponized exploit packaged neatly into a sophisticated social engineering nightmare. Why is this little critter causing so much discussion?
- Stuxnet automated espionage against a critical infrastructure component. What used to take Cold War spies years to penetrate and diagram was automated within seconds. It was designed to gain access to the visual information part of the control system, the user interface or human machine interface (HMI).
- This blended threat masks whodunit. The true intent behind Stuxnet may never be known and, theoretically, the rootkit nature of this malware could have allowed future attacks to propagate, endangering the entire control system. All of this could occur on a global scale not unlike a scenario out of Richard Clarke's Cyberwar book.
- Blended threat = there were boots on the ground and a well-organized global effort. The organization that created Stuxnet also made a masterful move by stealing the private keys of the VeriSign-issued code-signing certificates belonging to the hardware firms JMicron and Realtek and using them to sign its driver components, so that Windows would load them as trusted code:

Here's where criminology comes in: Randy Abrams points out that JMicron and Realtek have offices in the same Taiwanese industrial park. Both companies had their code-signing keys stolen. I think that both companies could have been criminally penetrated either through physical means or through the compromise of their shared telco/fiber connection.
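The stolen-certificate angle has a concrete defensive check. The PowerShell below is an added example, not code from the original post or from any vendor: it enumerates the loaded kernel drivers, reads each binary's Authenticode signature, and then rebuilds the signer's certificate chain with online revocation checking. The reason for the second step is that a signature made with a stolen key verifies as Valid right up until the CA revokes the certificate (which VeriSign eventually did for the Realtek and JMicron certificates), and only a revocation check surfaces that afterwards. The $BlockedThumbprints list is a placeholder for thumbprints taken from your own vendor or CA notices; none are supplied here.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 or
# later with network access so CRL/OCSP lookups can complete.
# $BlockedThumbprints is an assumption: fill it from your own CA or vendor
# revocation notices. No real thumbprints are included here.
$BlockedThumbprints = @(
    # 'PLACEHOLDER_SHA1_THUMBPRINT_OF_A_REVOKED_SIGNER'
)

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File        = $Path
        Status      = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer      = $null
        Thumbprint  = $null
        ChainErrors = @()
        Blocked     = $false
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer     = $cert.Subject
        $result.Thumbprint = $cert.Thumbprint
        $result.Blocked    = $BlockedThumbprints -contains $cert.Thumbprint

        # A "Valid" Authenticode status proves only that whoever held the key
        # signed the file. Rebuild the chain with online revocation checking so
        # a certificate the CA has since revoked is reported as such.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        [void]$chain.Build($cert)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $chain.Reset()
    }

    [pscustomobject]$result
}

# Enumerate kernel drivers known to the Service Control Manager and check each
# binary that is actually present on disk.
$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # PathName may carry a \??\ prefix or surrounding quotes; normalise it.
        $p = ($_.PathName -replace '^\\\?\?\\', '') -replace '"', ''
        if (Test-Path -LiteralPath $p) { Test-DriverSignature -Path $p }
    }

# Anything unsigned, tampered, signed by a blocked key, or chaining to a
# revoked certificate is worth a closer look.
$report |
    Where-Object {
        $_.Status -ne 'Valid' -or $_.Blocked -or ($_.ChainErrors -contains 'Revoked')
    } |
    Format-Table File, Status, Signer, Blocked, ChainErrors -AutoSize
```

On a machine without reliable internet access the chain build reports RevocationStatusUnknown or OfflineRevocation rather than Revoked; treat those as "not yet checked", not as "clean", and re-run when the CRL/OCSP endpoints are reachable. The thumbprint allow/block list is the backstop for the window between a key theft becoming known and the CA actually publishing the revocation.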
Right now there are two schools of thought. One is that industrial control system attacks are nothing new and may not bring about the end of the world. The other is that this is an evolution of the threat which, by becoming automated, should be treated with the same respect a power plant gate guard gives a gentleman armed with a 12-gauge shotgun approaching the guard booth: the gentleman may be hunting quail, or the gentleman may have ill intent. Either way, it is up to security to assess the threat potential.