The Pentagon has finally confirmed a security breach that happened back in 2008 and which one of their top officials has described as “the most significant breach of U.S. military computers ever.” The breach was caused when a foreign intelligence agent used a flash drive to infect US military computers, including those used by the Central Command to oversee combat zones in Iraq and Afghanistan.

The device in question was a cigarette-lighter-sized flash drive which was plugged into an American military laptop from a base in the Middle East amounted to “a digital beachhead, from which data could be transferred to servers under foreign control,” according to William J. Lynn 3d, deputy secretary of defense, quoted by the New York Times

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Mr. Lynn wrote.

This serious security breach was first reported in November 2008 in Wired magazine’s Danger Room blog and according to The Los Angeles Times, the event was grave enough to have President George W. Bush briefed on it, also mentioning that Russian involvement was suspected.

Almost a year later, Mr. Lynn’s recent article was the first official confirmation of this breach which he called Operation Buckshot Yankee and said that the episode “marked a turning point in U.S. cyber-defense strategy.” One of the early countermeasures set in place was the fact that the Defense Department banned the use of portable flash drives in its computer network, yet the ban was later annuled.

“A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States’s global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target,” he wrote.
Against the array of threats, Mr. Lynn said, the National Security Agency had pioneered systems — “part sensor, part sentry, part sharpshooter” — that are meant to automatically counter intrusions in real time.

Keeping your company or home computer network safe from day to day threats that could lead to data theft, data loss, identity theft or malware infections has never been easier. My Endpoint Protector, software as a service device control and data security solution developed by CoSoSys, is now offering an app version available for iPads, iPhones and iPod touch devices through the iTunes store.

With a few touches, you can use the app’s centralized console to authorize new devices, monitor file transfers and access to sensitive data and block portable devices, making sure all common threats are kept at bay. In a world where the unsecured use of portable storageand lifestyle devices – smartphones, notebooks, USB sticks, digital cameras or extern HDDs – can lead to tremendous data breaches and severe losses for both companies and individuals, having a smart and effective app at your fingertips preventing it all is extremely important.

The iPhone and iPad app makes sure you can handle your security issues when being caught in a lengthy meeting, when being on the road and unable to plug in a netbook or reach a computer with an Internet connection. It saves time and works quickly, making it all easy.

“Lifestyle devices such as USB flash drives, mobile phones and portable computers started out as being smaller, portable and a lot more fun than their static predecessors, while fulfilling our need of communication. As they evolved, getting smarter and smaller, they have also changed our lifestyle. We can have business presentations on an iPad and send emails from our iPhone while keeping in touch with friends and partners, so why not go with the trend and offer the possibility of doing more important tasks from our mobile devices, such as handling the security of a business network or that of our home computers?” explained Roman Foeckl, CoSoSys CEO.

Key benefits of the My Endpoint Protector App

• Easily manage business or home computers through a centralized console available on your iPhone, iPad or iPod touch
• The My Endpoint Protector App and the cloud service powering it require no specific security expertise or complicated learning process
• Closely monitor access to your business and personal sensitive files regardless of location and available IT infrastructure; the portable and highly mobile devices you are already carrying are enough
• Allow or deny access to specific devices without needing to wait until you reach a desktop or plug in and start your notebook; for example, allow access to employee smart phones and deny access to your children’s USB sticks

More information about the My Endpoint Protector App can be found on iTunes:
http://ax.itunes.apple.com/us/app/my-endpoint-protector/id379244830

or on the Endpoint Protector website here:
http://www.endpointprotector.com/en/index.php/products/my_endpoint_protector_SaaS

If you think BP have their hands full with the oil spill and the whole environmental mess they’ve caused in the Gulf of Mexico, think again. It seems they lack all kinds of security – not only can’t they drill for oil in a safe environment, their data security is also poor.

The Defcon hacker contest organized in Las Vegas is a hacking competition that has its contestants trick employees of large companies into spilling out potentially sensitive information. The purpose is – and targeted companies should thank the organizers for that matter – to show how gullible people can be and how this becomes a major security vulnerability.

One of the contestants, Josh Michaels, made only two phone calls and got a computer support employee of BP into revealing data that could have helped launch a network attack against the oil giant. He managed to get details such as what model laptops BP used and the specific operating system, browser, anti-virus and even virtual private network software the company is using. He also won extra points for tricking the employee into visiting Social-Engineer.org.

“That was scary,” said Michaels, shortly after ending the call, in which he posed as a Louisiana-based employee handling claims stemming from BP’s massive oil spill in the Gulf of Mexico. “You never know what you’re going to get. There’s an adrenalin rush that comes with social engineering.”

What does the contest do? The Social Engineering Capture the Flag contest gives entrants 25 minutes to call a company chosen in advance by the organizers. They are free to make as many calls as they need and use what ever deceiving techniques they see fit. Awarded points depend on the types of collected “flags”: the version of Adobe Reader the company used, the garbage collector that hauled its trash, or success in getting the target to visit a website of the caller’s choosing.

Callers sat in a soundproof glass booth while about 80 people crammed into a conference room listened on, often chuckling and applauding as targets naively volunteered potentially sensitive information. Companies that were called during day one of the two-day competition included BP, Shell, Apple, Google, Microsoft, Cisco Systems, Proctor and Gamble, Pepsi, Coca-Cola, and Ford. Of the dozens of calls made to the 10 companies, only three of the targets refused to cooperate.

Contest organizers put great efforts into making sure the contest stays within legal boundaries. Requiring sensitive info such as credit card numbers or passwords is prohibited as is the strategy stating someone’s account has been compromised, or other such scenarios that might lead targets to believe they are at risk.

US President Obama and cybersecurity czar Howard Schmidt have both issued statements on cybersecurity presenting very optimistic progress reports and supporting increased activity in the private sector.

Some of the points discussed in the progress reports included the recent organizational changes and new cybersecurity initiatives of the Obama administration presented as evidence that the White House is making advances on the cybersecurity front.

“President Obama appointed a Cybersecurity Coordinator to provide White House leadership on cybersecurity issues,” the progress report says. “The Cybersecurity Coordinator leads a new Cybersecurity Directorate within the National Security Staff (NSS), works closely with the economic team, and has created a close partnership with the Office of Management and Budget (OMB) and the Office of Science and Technology Policy.”

As stated before while speding a year to decide who will be the czar everyone expected, cybersecurity is considered a “key management priority” by the white house.

“Enhancing cybersecurity is a central component of the Administration’s Performance Management Agenda,” the progress report says. “The Federal Chief Performance Officer has targeted key performance strategies for improving government operations, which include moving to real time monitoring and integrating cybersecurity into system design, rather than bolting it on as an afterthought.”

I am thrilled to see things are movig along just fine and the White House is also focusing on ecouraging cybersecurity projects in the private sector as well. Let’s hope they keep it up and others start following their lead.

For more details of the two statements, visit DarkReading.

Experts, who recently convened at a Conference organized by the Trans-Atlantic Alliance’s IT Defense Unit in Estonia, warn about the seriousness of cybercrime and cyber espionage at a global level. They encourage both NATO governments and the general public to “wake up”, as cyber war is far easier than a conventional attack.

“It would take two years, cost less than 50 million dollars a year and involve fewer than 600 hackers to prepare a cyber attack that could paralyze the United States,” – a disturbing assessment by Charlie Miller, security expert who launches test assaults on IT systems.

According to Melissa Hathaway, a former US cyber tsar: “Key infrastructures, including power stations, have become vulnerable due to their dependence on Internet connections.” She also states that the cyber threat issue should be a matter of concern for both companies and private citizens, as “there is no national security in the modern world without economic security.”

Estonia, a NATO member since 2004, one of the world’s most wired nations and home to the Cooperative Cyber Defense Centre of Excellence, suffered an assault in 2007 that paralyzed key business and government web services for days. Despite Estonia’s experience, “people elsewhere have not woken up,” said British defense ministry expert Gloria Craig. “As of now NATO is not prepared for a global cyber attack,” she added.

However, US specialist Bruce Schneier said the current threat should not be overplayed: “Building tanks does not mean you fear you could be overrun by a military force right now. It pays to build tanks and it pays to prepare for cyber war, but I don’t believe that’s a fear we should worry about right now.”

Despite their different views on the urgency of the matter, all experts seem to agree that in order to avoid sci-fi style scenarios, the time to prepare against these cyber threats is now.

When it comes to high-level executives, the rules of the game often change. They are used to ask for exceptions to be made for them, backdoors to be opened and a whole different set of rules to be applied. This is what turns them in one of the biggest threats to corporate security.

According to Jayson Street, CIO and managing partner of Stratagem 1 Solutions, senior executives often circumvent security rules and policies to suit their needs and whims at the expense of security. The negative effect is that the special treatment leads to enabling cybercriminals to easily gain access to corporate networks by impersonating as management personnel. That is why, because of their systems privilege and access rights, they become ideal targets for all those wanting to hack into corporate networks.

“[Hackers are] not going after the bank teller, [they are] going after the bank president, because the tellers have USB drive rights deactivated, they have controls on where they can go on websites.” Street recounted how he was able to access the server room of a hotel simply by gathering information through social networks such as LinkedIn and Twitter of the owner, then sending an email to the access control personnel masquerading as the CEO of the tech support organisation. When the staff was later asked why he allowed Street access, he said: “Because [the boss] sends email messages like these all the time! He asked, and he’s the owner — you have to let him do what he wants.”

What can companies do to stop turning their top dogs into easy targets? Jayson Street recommends that IT security experts should stop enabling them and instead explain how fast they can become victims of cybercriminals. Lower rank employees should also be encouraged to report abnormal behaviors in order to maintain a safe environment. Also, educating all users about how and social engineering, impersonation, identity theft and other such menaces occur could also prove to be very effective.

While their cybersecurity czar plans have been delayed for so long we were all a bit tired for waiting, the White House approach to fighting cyber threats seems to have found a new focus these days: recommending training, exams and detailed certification requirements for cybersecurity professionals employed or contracted by the federal government. And this is going through the careful review of a commission whose main purpose is to advise the Obama administration on cybersecurity policy.

The Commission on Cybersecurity for the 44th Presidency, which in December 2008 issued its Securing Cyberspace for the 44th Presidency report to Congress, is currently working on a sequel to that report, due sometime in late June or early July. The commission, made up of a who’s who of experts and policy-makers, is debating strategies for building and developing a skilled cybersecurity workforce for the U.S., as well as issues surrounding an international cybersecurity strategy and online authentication.

Of course, the discussion got a bit stuck in the first part of the future report, the cybersecurity workforce. With no one knowing if the new certification recommendation will take into account existing certifications or not, with people in the commission and in the field of cybersecurity having different takes on the issues, and given the need to details qualification needed for each type of IT security pro, I assume it will take a while to get to a common decision on this one

According to Tom Kellermann, a member of the Commission and vice president of security awareness at Core Security Technologies, the federal government has bigger problems: an insufficient workforce that’s about to shrink some more if certifications become mandatory requirements:

“I would suggest that we need to increase our workforce, but not ostracize those that don’t have certifications to get them or lose their jobs. They should be grandfathered in,” Kellermann says.

Exploring a movie-like scenario, I have to wonder – If they ever want to cut a deal with a genius hacker and have him/her do some anti-hacking work for them, would they care if that person has the required certifications?

Companies, beware! Data breaches do cost a lot if you’re operating in the US. A recent study conducted by the Ponemon Institute shows that a data breach occuring in the US could cost twice as much as a similar incident from a different country with less stringent disclosure and notification laws. Yet the US is not alone in this, as all countries that have strict rules related to data security and what should be done in case of a breach makes the total cost go up.

After comparing data breach costs in five countries, the United States, the United Kingdom, Germany, France, and Australia, the study concluded that in the U.S., due to the fact that 46 states have introduced laws that require  organizations to publicly disclose the details of breach incidents, the cost per lost record was 43% higher than the global average. The second most expensive country is Germany with a cost per lost record 25% higher than the worldwide average. Australia, France, and the U.K. have no data breach notification laws  thus the costs were all below the average.

“A big reason for [the high cost of churn in the U.S.] is that U.S. companies are required to notify customers of their breaches, even if they only suspect that the customers’ records might be affected,” Ponemon says. “That sort of notification doesn’t happen anywhere else in the world.” Notification accounts for $500,000 of the $6.75 million that the average U.S. company spends on a breach, according to the study; the average French company spends only $120,000 on notification.

The Ponemon study breaks breach costs into five components: detection, escalation, notification, post-breach response, and customer churn (losing customers after the breach and replacing them with new ones). Of the five components, customer churn is the highest cost, accounting for 44% of breach costs worldwide.

If you’re interested in protecting yourself against data theft, data leakage and other USB device related risks and would also like to help needy children, then you’re going to love the License to hope campaign! Powered by CoSoSys and the Romanian Foundation for Children, Community and Family, License to hope aims to create an education center with 50 properly equipped laptops and providing computer usage training to 150 marginalized children yearly.

Meet the children

To do so, CoSoSys will donate 50% from all revenue generated by Secure it Easy license sales. Secure it easy is an easy to install endpoint security software that helps protect notebooks and PCs in small and home offices as well as home users from portable storage device threats. You can use it to lock down USB Ports in seconds and control your PC’s endpoint devices.

Want to be part of this amazing campaign? Then check out Secure it Easy first and see if you need it. You can also add a badge to your website or become a fan of the License to hope campaign on Facebook.. And they’re also on Twitter. See the full press release here.

Yet another warning about data loss, company policy and how easily all your files can be liked over the internet comes into the security world, this time from the Federal Trade Commission. Long overdue some would say, including Robert Siciliano in a recent post on Information Security Resources.

Yes, it is quite bewildering to see how after warning after warning and a long line of data breach incidents, companies still allow the misuse of software and hardware resources. It is also confusing to see the FTC now getting ready to directly warn about 100 companies about the risks of peer-to-peer. It’s a bit late, years and years after the problems appeared.

But if there are any IT managers or CEOs who don’t know what peer-to-peer can lead to, here are a few quotes from Siciliano’s article:

Last year the House Committee on Oversight and Government Reform responded to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords.

An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software.In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers.

I’ve found family rosters which include usernames, passwords and Social Security numbers for entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

In some cases, the benefits of technology are far more important than the risks. It happens with all gadgets that make work fun, efficient and portable. But if you do allow your employees to install software that’s easily hacked, at least protect your files by restricting access to them…