Anonymous Drives Security Fears, But Not Spending

Information security budgets remain focused on stopping malware and advanced persistent threats (APTs), which tend to do more damage in the long run than hacktivists’ SQL injection and DDoS attacks.

InformationWeek
By Mathew J. Schwartz
April 23, 2012

Who are the groups voted most likely to lob cyber attacks at companies over the next six months? That would be the hacktivist set, including Anonymous, LulzSec Reborn, and their ilk. So said 61% of 1,900 IT and information security personnel recently surveyed by endpoint security firm Bit9. Interestingly, however, the survey also found that actual information security program spending doesn’t track this threat analysis.

Instead, most businesses are devoting the majority of their security resources to stopping what they see as the most prevalent attack techniques: malware (for 45%), as well as spear phishing (16%). Interestingly, both of these types of attacks–often used as part of advanced persistent threats (APTs)–are the hallmark not of hacktivists, but rather criminal enterprises, nation states, or sometimes even competitors. Although only 20% of respondents overall ranked corporate competitors as their most likely attackers in the next six months, one-third of all European respondents listed corporate espionage as their top threat concern.

Businesses spent markedly less to battle typical hacktivist attack vectors, such as SQL injection hacks or distributed denial-of-service (DDOS) attacks.

Why do companies fear Anonymous but spend more to stop malware and spear phishing? “My takeaway is that people are definitely more aware of the threat landscape we face, more than ever before. And Verizon’s 2012 data breach report, for the first time ever, said that Anonymous or hacktivist organizations represented more than half of all the database records stolen in 2011. So it’s not just fear,” said Harry Sverdlove, CTO of Bit9.

Businesses, of course, are worried about seeing their name featured on newspaper front pages thanks to Anonymous hacking their servers, then very publicly releasing stolen records into the public domain. Even so, APTs are likely to be much more damaging to the business over the long term.

“The difference is, if you’re attacked by a hacktivist organization, you might see your data posted immediately to the Web,” Sverdlove said. “If you’re attacked by a criminal enterprise, you might start seeing a trickle of compromised accounts after a few months. If you’re attacked by a nation state, you might never find out about that.”

Which parts of the IT infrastructure concern security personnel most? More than half of survey respondents characterized the weakest technology link in their IT program as the infrastructure servers, including domain controllers, DNS servers, and credential servers. Respondents were concerned, but less so, with their other servers–file, database, Web, email–and endpoints.

What’s the best way to improve a business’s information security posture? According to a majority of respondents, the secret is simple: follow security best practices, create better security policies, and enforce them. Interestingly, only 15% said that better technology would have the biggest impact on their security programs. Only 7% believe that government regulations and law enforcement would have the biggest impact on improving their cyber security.

Direct Link:  http://www.informationweek.com/news/security/attacks/232900691

Law Enforcement Raids The Fox News Mole’s Den

FORBES

Kashmir Hill, Forbes Staff

April 25, 2012

The Fox News Mole’s Wednesday morning tweets

“I just got search warranted at 6:30am by a very polite crew from the DA’s office,” wrote Joe Muto, a.k.a. the Fox News Mole, on Twitter this morning. “Took my iPhone, laptop, some old notebooks.”

The desire to live in public is strong in this one. Muto, a former associate producer at “The O’Reilly Factor,” is under investigation for “anonymously” leaking behind-the-scenes videos from Fox News to the blog Gawker. Muto tweets that the potential charges against him include “grand larceny, amongst other things.” The “other things” surely include computer tampering. The New York District Attorney’s Office declined comment on an open investigation.

The problem for Muto is that he sold proprietary material from Fox to another news outlet. Gawker has said that it paid Muto $5,000 for his “anonymous” Fox Mole reports and for passing along somewhat embarrassing videos that he had access to, including Mitt Romney and Sean Hannity making small talk and Newt Gingrich being groomed by his wife before an appearance.

The Atlantic Wire notes that Muto “didn’t sound overly worried. [W]e can only assume it’s because he knows Fox and therefore expected to be served with a warrant, so cleared sensitive information from his hard drives.”

That is not good legal advice, my friends! Muto had already received a letter from Fox’s lawyers telling him to preserve evidence for possible criminal and civil investigations. Erasing incriminating info after getting instructions like that is a crime (destruction of evidence).

What may be easing Muto’s mind is Gawker’s last very-public tangle with law enforcement. Police raided a Gizmodo editor’s home in 2010 after the blog bought a “stolen” iPhone 4 prototype and refused to return it to Apple. A case was never brought against editor Jason Chen, though those who sold him the prototype were slapped with criminal charges. Chen was protected, in part, by journalistic privilege. Muto’s case is more complicated. Though he is/was a journalist, he was not operating as one in this situation, nor really as a whistleblower. The videos he handed over to Gawker were a far cry from the Pentagon Papers. Gawker’s lawyer, however, is claiming that Muto is an employee in a statement to Poynter.

A question that remains: is this a civil case or a criminal case? Fox could fairly easily pursue a civil case against Muto for violating the terms of his employment contract. Will the District Attorney determine it’s worth siccing a prosecutor on Muto? We’ll find out soon.

Muto, meanwhile, expressed some frustration at being investigated by the DA in light of the other legal issues swirling around News Corp right now, tweeting, “I should have done something more innocuous, like hacked a dead girl’s phone and interfered with a police investigation.”

Direct Link:  http://www.forbes.com/sites/kashmirhill/2012/04/25/law-enforcement-raids-the-fox-news-moles-den/

CISPA: 4 Viewpoints You Should Hear

PCWorld

By Christina DesMarais

Apr 28, 2012

Citing its effort to better protect American infrastructure from foreign attacks, the U.S. House of Representatives passed the Cyber Information and Security Protection Act April 26 in spite of worries that consumer data privacy will be compromised if the bill eventually becomes law.

In an interesting and informative debate hosted by KQED public radio’s Joshua Johnson in San Francisco yesterday, several parties with strong opinions weighed in on the matter — one that stirs up a plethora of questions.

For instance, can CISPA really protect America from hackers who could do nefarious things such as shut down or blow up power plants? While the answer isn’t cut and dried, certainly cyber terrorists could feasibly do a lot of harm. In fact, as Johnson pointed out, just this week Iran took several of its oil terminals offline due to fears hackers would program the machinery to self-destruct.

And will fears about terrorism ultimately trump the popular desire to keep regular people’s data private? As we become more entrenched in all things online and the social data revolution continues to unfold, is a society reminiscent of Orwell’s Big Brother or — to use a more modern prophecy from popular culture — the movie Minority Report inescapable in years to come?

These questions have no easy answers. The good news is that dialogue on the policy front and in the tech media is earnest and unrelenting. Here is what several experts had to say during yesterday’s debate:

Against CISPA: EFF

Rainey Reitman, activism director for the Electronic Frontier Foundation, is an outspoken contributor to the CISPA debate. Reitman said that while CISPA proponents employ rhetoric that the bill will “fend off a cyber Pearl Harbor,” what they’re really doing is inciting fears of security threats when, in fact, such concerns have existed for years. “I do think there is a need for companies to get more information from the government in a timely fashion. The problem that arises with CISPA is that it does so much more than that,” she says.

Like what?

“It also opens the floodgates for companies to intercept communications of everyday Internet users and pass unredacted personal information to the governments,” she says, adding that several amendments to the bill would have addressed such concerns but they never made it to the House floor for a vote.

Reitman says civil liberties groups like the EFF don’t want cyber security programs to be a method by which intelligence agencies or the military can garner information about American citizens.

As for why many companies such as Facebook support CISPA, Reitman says the companies understandably want to be better informed about security vulnerabilities and promise not to spy on users or hand unredacted information over to the government. On the other hand, she says CISPA as it stands now lets companies bypass all existing privacy law and pass citizens’ personal data to the government even if there’s a weak excuse that the information is related to cyber security purposes.

“The government in return has said that if they get information that’s unrelated to cyber security they ‘may’ — don’t have to, but may choose to — remove some of the implications toward civil liberties. But they don’t have to and there’s no real guidelines on what they would have to do about it,” she says. “What we want [are] actual laws in place that make that impossible or difficult. In the very least that if the government wants personal information about users of services including the content of e-mails they [have to] go to a judge and get a warrant.”

For CISPA: Information Technology Industry Council

Dean Garfield, president and CEO of the Information Technology Industry Council, has also weighed in on behalf of that industry organization. Garfield said 95 percent of the data breaches that take place on the Internet are breaches of people’s personal information — things like social security numbers and credit card numbers. “This is really about protecting the people who are a part of the Internet ecosystem on an everyday basis and that’s why it’s so critically important,” he says.

He also makes the point that CISPA doesn’t mandate that companies give the government information, but that doing so is voluntary.

As for why cyber security is so important now, Garfield says it’s a problem that just keeps getting worse and he points to data that said between 2009 and 2010 there was an increase of 93 percent in cyber security breaches.

“Most of us spend seven-plus hours a day in a network environment in front of our computer and so we make all sorts of information available on the Internet. It’s an integral part of our everyday life. And of the information that’s being compromised, 95 percent of it is our personal information and it’s important that we take steps to protect that. And there are simple straightforward ways to do that which from our perspective and from the majority of the Congress’ perspective CISPA was a vehicle for doing just that.”

One fly in CISPA’s pie has been that the White House staff says it will recommend to President Obama that he veto the bill if it makes it to his desk. However, Garfield asserts that the recommendation was made regarding a prior version of the bill and not the amended version that was passed by the House of Representatives.

As for concerns about the bill giving the government free rein to get its hands on whatever data it convinces companies to give it, Garfield says that’s not a concern.

“In fact, there was an amendment in the bill that passed that makes clear that CISPA doesn’t enhance the power of the NSA or any other government agency to engage in the kinds of activity that Rainey’s talking about… For example, the bill sunsets in five years. It has a FOIA (Freedom of Information Act) clause so that those who want to find out the types of information that’s being shared can do so. It sets up the process which I don’t think has existed anywhere else where if the government misuses private information, it’s subject to liability for that misuse of information.”

A Tech Entrepreneur Speaks Out

A caller into KQED’s show identified as “Bruce in Los Gatos” said he is a long-time serial entrepreneur in Silicon Valley who, along with other tech innovators, has invested heavily to develop services, social media, GPS, and mobile apps that give him insight into the behavior and habits of consumers. “We take pride for the most part in doing the best job we can to use the data responsibly and give consumers value around that,” he says.

What concerns him about CISPA and other previous bills that have been under consideration is that the government seems to want to get at that data. “And the courts thus far haven’t been very tough on the government in preventing them from accessing it.”

He also points out that modern technology and services companies legitimately know where and when people travel and with whom they communicate.

“But if the government should choose to start to aggregate and track that data, it’s very concerning. And I would be concerned as a consumer that there aren’t more safeguards in place to prevent the government from just grabbing that data or forcing the companies to turn it over in secret,” he said.

What Will Happen to CISPA in the Senate?

Garfield says he’s still hopeful about the bill’s future and Reitman says the EFF’s goal is to have a voice in whatever bill the Senate considers.

That said, Jennifer Martinez, technology policy reporter for Politico, says Democratic sources told her that CISPA is “basically dead on arrival” because of the privacy concerns associated with it. She also says that nothing will happen with CISPA at least for the next week because the Senate is currently in recess and Senate Majority Leader Harry Reid has said the issue will get picked up sometime in May.

What’s most likely to get attention first, Martinez says, is a bill by Senator Joe Lieberman (I-Connecticut) that supports a different method of evading and mitigating cyber threats.

“The main difference is that the core component [of Lieberman’s bill] puts new security mandates on operators of critical infrastructures [such as] utilities companies, [and] possibly water plants [whereas] CISPA is focused on improving information sharing about cyber threats between the government and industries so it doesn’t have that piece that addresses security gaps in critical infrastructures,” she says.

How You Can Hear and Be Heard

To listen to the entire radio interview for yourself, visit KQED.

And regardless of which side of the fence you’re on, the EFF has posted an online tool that makes it easy for you to send a tweet to your U.S. senators about cyber security and privacy. If legislators perk up when a few dozen phone calls come into their offices, imagine the effect of hundreds or thousands of Twitter interactions on the matter.

Direct Link:  http://www.pcworld.com/article/254669/cispa_4_viewpoints_you_should_hear.html

#CISPA, #SOPA, #PIPA and #BigLobbying

Center for Responsive Politics
OpenSecrets.org
By Russ Choma
April 27, 2012
In an era when Republicans and Democrats can agree on almost nothing, one issue in the last three months has been providing common ground: rewriting the rules of the Internet. Privacy and free speech advocates have unleashed a groundswell of outrage as they’ve rushed to rally the public against the measures. But corporate backers of the proposals have fought back hard.

According to an OpenSecrets.org analysis of the most recent lobbying disclosure information, five of the top ten bills that have been lobbied the most intensely so far this year are Internet-related, and most have bipartisan and industry backing. Major cash is being laid out to push their passage.

The most recent bill to stir things up is the Cyber Intelligence and Sharing Protection Act (CISPA), which would allow private companies to share far more data on users with the federal government in what backers say is an effort to improve cybersecurity. Opponents claim it would severely undermine the privacy rights of many Americans. The bill was passed by the House last night and now faces a tougher battle in the Senate (and the threat of a veto by President Obama).

A list of companies and organizations that have sent letters of support for the bill to the House Intelligence Committee, where the legislation was created, meshes closely with the list of top lobbying groups so far this year — not to mention groups that lobbied on SOPA and PIPA.

For example, AT&T, which sent this letter, spent more money lobbying in the first three months of 2012 than any other single corporation ($7 million, second only to the mega-trade organization Chamber of Commerce, which also lobbied on CISPA though to a lesser extent). The telephone utilities industry as a whole, which includes AT&T and Verizon (which sent this letter) spent $15.3 million in the first quarter of this year, increasing its lobbying expenditures by 35 percent over the previous three months. The total laid out for lobbying by the computer/Internet industry, which includes some of the biggest backers of CISPA, SOPA and PIPA, fell 6 percent in the first quarter — but at $32.1 million, the industry was still the sixth-largest spender on lobbying among all industries so far in 2012.

It’s hard to assess how much each of these companies spent lobbying Congress specifically on CISPA — or other hot-button Internet bills — because many of these companies have a variety of issues they’re pursuing on Capitol Hill, but are required to report just one dollar amount covering everything. AT&T, for instance, spent its $7 million talking to lawmakers about 121 separate pieces of legislation.

But it’s clear that the lobbying firepower on the other side of the issue is a fraction of what supporters have. One of the most vocal opponents of CISPA is the American Civil Liberties Union — which has spent $507,000 lobbying so far this year, a 28 percent increase from the last three months of 2011. But the group used that money to lobby on 109 different bills, almost as many as AT&T. Another group that has taken a prominent stand against CISPA is the American Library Association, which has spent $54,000 so far this year, spread over 56 different pieces of legislation.

Another indication of the collective influence of backers of CISPA is the amount of money individuals or PACs affiliated with the organizations have given to key lawmakers on the issue. Last week we reported that the bill’s original sponsor, Mike Rogers (R-Mich.), had received $104,000 from groups that lobbied on the bill. With new campaign finance reports filed since that story, OpenSecrets.org data now shows that Rogers has received at least $175,000 from organizations that have lobbied on the bill. That’s about 15 percent of the total $1.1 million he has reported raising this election cycle. The top two groups: defense contractor SAIC (whose PAC has given Rogers $20,000 this election cycle) and Koch Industries (whose PAC has given Rogers over $14,500).

Check out all of the donations Rogers has received on our profile of him here, and the entire list of organizations that have lobbied on CISPA here on our profile of the legislation.

House Approves Controversial CISPA Cyber-Security Bill

P.C. MAGAZINE

By Chloe Albanesius
April 26, 2012

Though the House was not expected to vote on the controversial CISPA legislation until tomorrow, lawmakers approved the bill late on Thursday by a vote of 248 to 168.

206 Republicans voted in favor of CISPA, as did 42 Democrats, while 28 Republicans and 140 Democrats voted against it. Fifteen members did not vote. The full vote tally is available on House.gov.

CISPA now moves to the Senate. The White House has already threatened to veto the bill.

Privacy groups swiftly condemned the move, but bill sponsor Mike Rogers said “America will be a little safer and our economy better protected from foreign cyber predators” thanks to the Cyber Information Sharing & Protection Act.

CISPA would allow for voluntary information-sharing between private companies and the government in the event of a cyber attack. Backers argue that it’s necessary to protect the U.S. against cyber attacks from countries like China and Iran, but opponents say that it would allow companies to easily hand over users’ private information to the government.

House members debated the bill for several hours on Thursday, and offered up amendments that dealt with things like Freedom of Information (FOIA) requests, details about which agencies receive private cyber-security information, clarification on certain terms, and more.

During the debate, Rep. Jared Polis argued that the immunity clauses in CISPA would incentivize companies to hand over users’ personal information, which could land in the hands of the military and the NSA.

Rep. Mac Thornberry, however, argued that the number of cyber threats has grown rapidly in recent years, but legislation has not kept pace. CISPA tries “to close that gap between the growing threat and laws and policies, [and is] a step in the right direction,” he said.

Hurting or Helping?

Not everyone agreed. The ACLU said that “CISPA goes too far for little reason.” Security should not result in the “abdication of Americans’ online privacy,” said Michelle Richardson, ACLU legislative counsel. “As we’ve seen repeatedly, once the government gets expansive national security authorities, there’s no going back. We encourage the Senate to let this horrible bill fade into obscurity.”

The Center for Democracy and Technology (CDT), whose initial opposition prompted CISPA sponsors to alter the bill earlier this week, said it was pleased with those changes, but was still concerned with two issues: “the flow of information from the private sector directly to NSA and the use of that information for national security purposes unrelated to cybersecurity.”

CTIA, the wireless industry trade association, however, applauded “the members of Congress who voted on this important piece of legislation that will help protect our nation’s communications networks from cyber threats.”

Co-sponsor Dutch Ruppersberger, meanwhile, said CISPA is a “victory for America. Our nation is one step closer to making a real difference protecting our country from a catastrophic cyber attack.”

Direct Link:  http://www.pcmag.com/article2/0,2817,2403641,00.asp