Dell Releases Significant Report on International Security Trends and Attitudes

By Steven Caponi

Last month, the computer giant Dell released a report entitled “Protecting the Organization Against the Unknown: A New Generation of Threats.” The report, which is well worth a few minutes to read, was authored by the independent technology market research firm Vanson Bourne. Dell commissioned the report to examine how organizations are preventing security breaches as well as the degree to which IT security will be a priority over the next twelve months. The report analyzes the impact security breaches have had on various organizations and how organizations are protecting themselves from potential vulnerabilities associated with the adoption of BYOD, cloud, and increased Internet usage.

What makes this report particularly interesting is the breadth of survey participants, both numerically and geographically. The report reflects the results of 1,440 IT decision-makers from private sector organizations with 500 or more employees, as well as from public organizations with 500 or more end users. The interviewees were located in ten countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, India, Austria, and China. The survey topics included: IT Security in Organizations; Current Policies and Strategies; Responding to Security Threats; and Understanding the Threat.

Highlights from the report include:

  • Enterprises are spending an average of 17 percent of their IT budget on IT security. This focus on security is set to increase in the near future, as 86 percent of IT decision-makers surveyed report that their organizations will be prioritizing security over the next twelve months.
  • During the past year, security breaches cost respondent organizations an average of almost $1 million each.
  • Unsurprisingly, organizations are more likely to prioritize and commit resources to prevent breaches after they become a victim.
  • Appreciating the nature of the threat, 64 percent of the respondents were resigned to the fact that it is not a matter of if they will be breached, but when.
  • While 91 percent of those surveyed were hosting in the cloud and 93 percent adopted BYOD policies, only 46 percent implemented cloud security and 44 percent adopted policies for BYOD security.
  • 53 percent of survey participants see the government as an important partner in helping achieve operational security.

Click here for a copy of the full report.

The EC-Council Website Hacked; Hacker Posts Snowden’s Passport

By Elizabeth Sloan

EC-Council has been hacked, and its hacker isn’t keeping silent. The hacker claims to have obtained copies of passports of law enforcement and military officials who signed up for the organization’s courses, the release of which could impact up to 80,000 individuals.

EC-Council is a company that provides IT and security training and certification programs. The organization has been controversial in that it provides courses and certifications for “ethical hacking.” Notably, the US Department of Defense requires that its Computer Network Defense Service Providers take the EC’s “Certified Ethical Hacker” program. The organization claims to have trained between 60,000 and 80,000 individuals, including members from the FBI to IBM to the United Nations.

The hacker calls himself “Eugene Belford” – a throwback to the movie “Hackers”.  This past weekend, he defaced the EC’s website with documentation that Edward Snowden was trained by this company, posting Snowden’s passport on the website.   The hacker claims to also have all the passports and other personal information of those individuals certified by the EC, including law enforcement and military.

The hacker later posted on the defaced page the following:

“Defaced again? Yep, good job reusing your passwords morons jack67834#
owned by certified unethical software security professional
Obligatory link: http://attrition.org/errata/charlatan/ec-council/

-Eugene Belford

P.S It seems like lots of you are missing the point here, I’m sitting on thousands of passports belonging to LE (and .mil) officials”

The EC’s website is still currently unavailable, and the EC has yet to comment on the cyberattack.

Vulna Adware Threatens Millions of Android Mobile Devices

By Steven Caponi

Researchers have confirmed that a widely used Android mobile ad library app poses a significant threat to mobile users. The ad library, which has been dubbed “Vulna” (or “vulnerable and aggressive”), allows attackers to “perform dangerous operations such as downloading and running new components on demand.”

The scope of the problem is significant—researchers “have analyzed all Android apps with over one million downloads on Google Play, and found that over 1.8% of these apps used Vulna.  These affected apps have been downloaded more than 200 million times in total.”

Developed by third parties, mobile app libraries are used to display advertisements from other “host apps.” This class of software also collects International Mobile Subscriber Identity (commonly referred to as “IMSI”) and International Mobile Equipment Identity (commonly referred to as “IMEI”) codes. What makes Vulna dangerous, therefore, is its ability to amass call record details and SMS text messages, as well as allow for the execution of malicious code.

“Vulna is aggressive—if instructed by its server, it will collect sensitive information such as text messages, phone call history, and contacts. It also performs dangerous operations such as executing dynamically downloaded code. Second, Vulna contains a number of diverse vulnerabilities. These vulnerabilities when exploited allow an attacker to utilize Vulna’s risky and aggressive functionality to conduct malicious activity, such as turning on the camera and taking pictures without user’s knowledge, stealing two-factor authentication tokens sent via SMS, or turning the device into part of a botnet.”

Israel Opens New Cybersecurity Research Center

On September 3, Israeli Prime Minister Benjamin Netanyahu cut the ribbon on the Beer-Sheva Advanced Technologies Park (“ATP”), located at the Ben-Gurion University of the Negev (“BGU”).   Upon completion, the ATP will encompass sixteen buildings on twenty-three acres of land, with two million square feet of office and lab space, a conference center, and a hotel.

BGU is ATP’s academic research partner and the ideal location for ATP given its focus on cybersecurity matters—the city of Beer-Sheva is a growing hub of cybersecurity innovation, and is also home to CyberLabs, Israel’s first cybersecurity incubator. CyberLabs is located at the ATP near the Israeli army’s elite technology units, which include the main cybersecurity training center for the Israel Defense Forces. A clear objective of the ATP is to pair the best talent in academia and the military in order to foster the growth of companies focused on cybersecurity initiatives and research.

Prime Minister Netanyahu declared the ATP “a national cyber centre that will maximize the resources of the University, the IDF, and the new high-tech tenants.”  ATP is already home to several international companies, including Oracle, Deutsche Telekom, EMC², RSA, and ECI Telecom.

To read more on the ATP, please click here.

Wichita Kansas E-Procurement Website Hacked

By Steven Caponi

The City of Wichita announced that it is cooperating with the FBI to investigate a recent hacking incident involving the city’s procurement website. Preliminary indications suggest personal information of thousands of vendors and employees was exposed. This attack on a local government site could be an anomaly or suggest we are going to experience a wave of cyber attacks directed at vulnerable government web sites.

One of the city’s 14 web sites, its e-procurement website, was hacked over the weekend, compromising the private financial information of vendors that have done business with the City and current or former employees who have been reimbursed for travel and other expenses since 1997. As many as 29,000 vendors and employees may be affected.

The attack affected the City’s procurement process, and city officials are working with their e-procurement software vendor to make certain the procurement system is operating and secure. The city issued the following statement:

“The City of Wichita is deeply concerned about this breach of security and the impact it may have on our vendors and employees,” City Manager Robert Layton said. “Numerous steps are being taken to obtain more information about the incident, including the involvement of appropriate law enforcement agencies.”

Board of Directors Liability for Cybersecurity

By Steven Caponi

The likelihood of a cybersecurity breach hitting a company in the near future is as certain as the subsequent drop in shareholder value, finger-pointing, fines, regulatory headaches, and civil litigation alleging the board was asleep at the wheel in the face of a known danger when that danger finally materializes.  The question every board member must answer is whether the actions they are currently taking to protect their company’s digital assets are sufficient to withstand the Monday morning quarterbacking that will occur after a cyber attack incident.

I recently published a series of three articles intended to help boards of directors better understand the breadth of their fiduciary obligation in managing looming cybersecurity threats.

In today’s world, many companies maintain their most valuable assets in digital form.  Thieves no longer need to physically enter a company’s facility to steal its valuables. Rather, an individual on the other side of the globe, or right next door, can, with equal impunity, silently steal a company’s most prized possessions by breaching its data network.  Due to the evolving nature of cyber risks, there is a lack of authority discussing the scope of a board’s obligation to address such attacks.

Obviously, directors’ fiduciary duties will extend to the protection of significant digital assets. The more difficult question to answer is: What are the contours of a director’s fiduciary obligation when it comes to cybersecurity?  As discussed in my articles, the answer to these vexing questions is almost always “it depends.”  As with all risks, the extent of a director’s obligation and the amount of attention an issue should receive at the board level will depend on such things as the nature of the company, the foreseeability of an attack, and the potential severity of a cyber breach.

Each of the three articles in my “Cybersecurity and the Board of Directors: Avoiding Personal Liability” series can be read in its entirety by clicking on the links below:

Part I: http://www.blankrome.com/index.cfm?contentID=37&itemID=3145

Part II: http://www.blankrome.com/index.cfm?contentID=37&itemID=3146

Part III: http://www.blankrome.com/index.cfm?contentID=37&itemID=3147

Department of Energy Awards $30 million in Cybersecurity Grants

By Steven Caponi

U.S. energy officials recently announced that eleven projects will share $30 million in awarded grants to fund the development of new technologies that will strengthen and better protect the electric grid and oil-and-gas infrastructure from potential cyber attacks.

With support from the Department of Energy (“DOE”), energy sector organizations in California, Georgia, New Jersey, North Carolina, Tennessee, Virginia, and Washington will develop new systems, frameworks, and services to advance the DOE’s vision of more resilient energy delivery control systems.

The grants are the most recent effort by the DOE to help secure the nation’s critical energy infrastructure from cybersecurity threats.  According to the DOE, it has invested more than $100 million in cybersecurity research and development through awards and funding provided to industries, universities, and national laboratories since 2010.

Combined, the eleven projects will advance expertise in power system engineering and cybersecurity, with a focus on testing new products to demonstrate their effectiveness and interoperability.  The projects comport with the DOE’s cybersecurity Roadmap to Achieve Energy Delivery Systems Cybersecurity, which represents the joint efforts of the energy sector in coordination with the DOE.  The Roadmap represents a strategic framework for the design, installation, operation, and maintenance of a secure energy delivery system capable of sustaining a cyber incident.

The eleven projects selected for grant funding are:

ABB, Inc. – Cary, NC
DOE share: $ 2,765,733; Recipient share: $ 936,793
ABB will develop a system that allows substation devices to work together to validate the integrity of communications, such as commands to change a protective relay’s configuration, and assess the potential impact on grid operations.

Electric Power Research Institute, Inc. (“EPRI”) – Palo Alto, CA
DOE share: $ 1,524,959; Recipient share: $ 529,384
EPRI will develop a framework that allows utilities to centrally manage the remote configuration of their energy delivery system devices—regardless of vendor or age— more securely.

Foxguard Solutions, Inc. – Christiansburg, VA
DOE share: $ 3,298,893; Recipient share: $ 1,003,399
Foxguard will develop a service that allows utilities to simplify the process of keeping up-to-date with the most current firmware and software patches and updates.

Georgia Tech Applied Research Corporation – Atlanta, GA
DOE share: $ 3,283,063; Recipient share: $ 1,726,000
Georgia Tech Applied Research Corporation will develop a technology that evaluates energy delivery system control commands to anticipate their impact on power grid operations and, if needed, implement cybersecurity responses to prevent disruptions.

Grid Protection Alliance – Chattanooga, TN
DOE share: $ 2,213,000; Recipient share: $ 637,000
The Grid Protection Alliance will develop an architecture that enables more secure substation communications for data generated by legacy or modern energy delivery devices.

National Rural Electric Cooperative Association (“NRECA”) – Arlington, Virginia
DOE share: $ 3,620,725; Recipient share: $ 1,137,367
NRECA will develop a network that allows utilities and small electric cooperatives with limited resources to centrally manage their networks more securely.

Schweitzer Engineering Laboratories, Inc. – Pullman, WA
DOE share: $ 2,094,599; Recipient share: $ 845,140
Schweitzer will develop an integrated cyber-physical access control system that simplifies the process of managing access to energy delivery facilities.

Schweitzer Engineering Laboratories, Inc. – Pullman, WA
DOE share: $ 3,771,371; Recipient share: $ 1,068,807
Schweitzer will develop a radio platform for more secure “last mile” wireless communications used with remote energy delivery infrastructure, such as distribution substations.

Schweitzer Engineering Laboratories, Inc. – Pullman, WA
DOE share: $ 3,892,170; Recipient share: $ 1,248,207
Schweitzer will develop software that allows utilities to centrally manage their local area networks more securely, providing real-time awareness of cyber activity and rerouting network traffic in response to cyber intrusions.

TT Government Solutions, Inc. – Red Bank, NJ  
DOE share: $ 956,560; Recipient share: $ 324,205
TT Government Solutions will develop a technology that analyzes and visualizes smart meter wireless communications to quickly detect unusual behavior that could suggest a cyber attack.

Viasat, Inc. – Carlsbad, CA
DOE share: $ 3,250,000; Recipient share: $ 3,301,163
Viasat will develop an architecture that gives utilities awareness of the status of their energy delivery systems’ cybersecurity, and allows them to automatically respond to cyber intrusions as predetermined in the utility’s cybersecurity policy.

New iPhone Security Feature Hacked by Chaos

By Steven Caponi

As with all Apple products, the launch of the iPhone 5s was heavily anticipated, overly hyped, and embraced with significant fanfare. Unfortunately, a few individuals with more nefarious intentions were hidden within the long lines of Apple devotees seeking to buy the latest and greatest phone. These individuals were members of the Chaos Computer Club (“CCC”), Europe’s self-proclaimed “largest association of hackers.”

Within hours of securing their iPhone 5s, the CCC claimed to have bypassed the Touch ID feature using some tried-and-true methods.  According to their claim, the CCC took a photograph of a user’s fingerprint that was left on a glass surface, created a latex recreation of said fingerprint, and held it against said user’s iPhone 5s to successfully authenticate their way into the device.

A more detailed account of how this hack was accomplished can be found in this article written by David Murphy and the team at P.C. Magazine.

Student Hacks Cripple $1 billion L.A. iPad Initiative

By Steven Caponi

In a stunning example of students besting their teachers, within days of receiving new school-issued iPads, more than 300 Los Angeles students hacked through protective measures placed on the Apple tablets, giving them complete access to features — including Facebook, Twitter and other apps — that should otherwise have been blocked. It appears students managed to bypass the security lock on the device by deleting a personal profile preloaded in the settings. Revelations of the massive hack all but brought to a halt a highly publicized $1 billion initiative to place iPads in the hands of nearly 650,000 students.

Tom Kaneshige of CIO has an informative article discussing the incident.

Government Shutdown Increasing Cybersecurity Risks

By Steven Caponi

While the news runs countless stories detailing the closure of national parks, little attention has been paid to the impact of the ongoing government shutdown on our nation’s IT infrastructure. As detailed in a recent article by Nicole Blake Johnston of the Federal Times, the widespread furlough of federal employees has left many critical security systems unmanned or of diminished usefulness. This gap in our cybersecurity defenses is an opportunity that cyber criminals are likely to exploit.

Although the network and security operations centers operated by the Department of Homeland Security (“DHS”) remain staffed, the government’s lead defender of civilian computer networks is operating with fewer resources during the shutdown.

“DHS’ National Protection and Programs Directorate (“NPPD”), which contains many of the department’s cybersecurity personnel, is operating with nearly half of its staff gone, according to the agency’s Sept. 27 shutdown plan.  NPPD estimates 1,617, or 57 percent, of its 2,835 employees will continue working through a shutdown because they are either presidential appointees, law enforcement officers, paid with funds other than annual appropriations, or needed to protect life and property.”

Contrary to the impression created by the National Security Agency scandal, sophisticated computer algorithms are not the only drivers of our security systems.  It is necessary to have highly trained personnel analyzing the information that is flagged by cyber risk software so that they can make the critical decision to act when a security breach occurs.

National Cyber Security Awareness Month

By Steven Caponi

October marks the 10th National Cyber Security Awareness Month (“NCSAM”), coordinated by the National Cyber Security Alliance (“NCSA”) and the U.S. Department of Homeland Security (“DHS”).  Over the past 10 years, the digital world has evolved from flip phones to smartphones, and from social clubs to social networks.  As a result of the ever-evolving technology industry, “[t]here is no endgame in cybersecurity,” said Michael Kaiser, executive director of the NCSA.

The cornerstone of this year’s NCSAM is the DHS’s “STOP. THINK. CONNECT.” campaign.  Launched in 2010, STOP. THINK. CONNECT. is a national cybersecurity education and awareness campaign with nearly 100 participating companies, organizations, and government entities.  Materials are available in five different languages along with more information about the campaign at STOP.THINK.CONNECT.

Additional information regarding planned NCSAM events can be found here.