Showing posts with label espionage. Show all posts

Sunday, May 31, 2009

A Call for Action in Addressing Cyber Security

On Friday, President Obama addressed the nation on the importance of securing cyberspace and the reasons why it could be a danger to both our economy and national security. He also used the term "weapons of mass disruption" and announced that he will appoint a cyber security czar.

The speech highlighted a 60-day study conducted at his direction, designed to take a look at how vulnerable we are to cyber attacks that could drastically change the whole way we exist.

Is this a far cry from reality? Perhaps not; if you can take command and control of the computer that controls something we use, you can do pretty much anything you want with it. This might be anything from a banking system to the system that controls an electrical grid or a sophisticated weapon. If you really think about it, computers control just about everything nowadays.

As I was considering this, it reminded me that there are already millions of computers that some hacker has gained command and control of and formed into a botnet (essentially a supercomputer). All it took to do this was a little social engineering to trick someone into downloading some malicious code on a machine. While some of us might write this off as stupid people doing stupid things, people have even been tricked into doing this at government agencies and Fortune 500 companies. Trust me, not all the people who fall for some of this stuff are stupid. Social engineering is known to cause people to do things they normally would not!

While it takes a little technical sophistication to write malicious code, a person doesn't necessarily have to be a technical whiz to get their hands on it. They can buy it right on the Internet, complete with a do-it-yourself (DIY) kit to execute their intended misdeed. While most of the "misdeeds" seen in the wild have a financial intent, the intent is dictated by the person committing the act. In other words, the intent might be different depending on the person who is executing the deed.

Also mentioned, both in the report and in the speech, was cyber-warfare. For years now, the Chinese have been accused of hacking into government systems, although they always deny it. Also mentioned was an actual use of cyber warfare: the Russian attack on Georgia that happened in the not very distant past.

Please note that botnets, which I mentioned above, were used to cripple the Georgian infrastructure. The zombie computers used in these botnets didn't come out of Russia, either. Some of them were traced right back to this country. In the current environment, you don't need to be in a physical location to take command and control; it might happen from anywhere.

The report also mentions attacking electrical grids and that the CIA has intelligence that this has already occurred in other countries. Just last month, the Wall Street Journal issued an article stating that Russian and Chinese hackers had mapped the U.S. power grid and left behind software that in theory could be used to attack our electrical grid. The article quoted unnamed officials from within the government. This set off a flurry of articles and in the end, most of the experts concluded that the threat, although real, wasn’t as bad as it was hyped up to be. Nonetheless, hacking certain utilities, such as electricity, water, and sewage could cause a lot of serious problems and there is evidence it has been accomplished in other countries.

While cyber warfare is an ominous subject, the report points out that we have already seen some pretty major events when financial systems were successfully attacked. Examples given were the TJX data breach (45 million payment cards compromised) and the more recent WorldPay payment card breach where a 30 minute exploit netted nine million dollars. This highly coordinated scheme took place all over the United States, Montreal, Moscow, and Hong Kong in a very short time-frame.

There is tangible evidence that so much personal and financial information has been stolen that the laws of supply and demand are driving prices down. Interestingly enough, a lot of this information is traded right over the Internet in anonymous forums using hard to trace forms of payment.

Two recent reports point to this. Symantec released a pretty interesting report on the underground economy and shortly afterwards, Verizon issued another report on the state of personal and financial information being stolen. The Verizon report pointed out that the 285 million "known" records stolen in 2008 amounted to more than what was recorded in the previous three years. The Symantec report, which breaks down the going prices for information, noted that the practice of spoofing (impersonating) financial institutions to steal information grew from 10 percent in 2007 to 29 percent in 2008. The Symantec report stated that 90 percent of the attacks being launched via botnets were designed to steal information and that the number of infected computers had grown 31 percent in 2008 over 2007, also.

Also cited in the report and in the speech was an estimated $1 trillion loss per year in intellectual property. In recent years, the FBI has been busy catching numerous people stealing technology secrets and exporting them out of the country. This brings up another variable in the problem: if a person is given access to a system, it is relatively easy to compromise it.

Recently, it was even disclosed that computers in Congress were hacked. It appears that even government intellectual property is being targeted.

When it comes to intellectual property theft, often we do not know what the motive is. Again, the intent is largely dictated by the end user. If you wanted to see a real world example, you might take a look at software piracy. The Business Software Alliance puts worldwide losses at over $50 billion, yearly. If you were to look at counterfeiting in general – which can involve the theft of intellectual property – the International Anticounterfeiting Coalition estimates the losses at $200 to $250 billion just in the U.S., every year.

The report, which is posted on WhiteHouse.gov, also addresses the growing problem of privacy in the digital world. Personal and financial information is worth a lot of money to businesses and criminals alike. Unfortunately, because of this, a lot of people are leery of putting in controls that might make it harder to profit from information. Because of this, a lot of people’s personal and financial information has gone missing.

The American Library Association, the Cato Institute, the Center for Democracy and Technology, Carnegie Mellon University, Consumer Action, the Center on National Security Studies, Cornell University, the Electronic Frontier Foundation, the Electronic Privacy Information Center, George Washington University, Harvard University, Indiana University, Johns Hopkins University, OMB Watch, Ohio State University, the National Security Archive, the University of California-San Diego and the American Civil Liberties Union were all consulted in the initial 60-day report.

While the report isn't clear on how privacy will be dealt with, it nonetheless is calling out that a problem exists. The problem is too much information being stored in too many not very well secured places.

For a real example here, one could refer to the DATALOSSdb Open Security Foundation, which tries to document all the known data breaches. The problem is getting worse all the time, and although some might argue that greater transparency is the reason for this, there are probably many more unknown data breaches that occur out there. After all, it’s unlikely that the hackers or other criminals stealing the information are going to come right out and tell us where they are getting it from. From a business perspective, it isn’t in their best interests.

The real casualties in this part of it are the individual victims, who suffer a lot when their information is used after it is stolen. With the sheer number of victims out there, some could argue we are facing an identity crisis.

To add to the problem, technology is now also being used to produce high-quality counterfeit documents and financial instruments in places, such as garages. This makes the information being stolen all the more dangerous, or easy to abuse.

Another thing the report addresses is the need for education and that laws need to catch up to the technology we are using. An interesting section at the end of the report highlights the history of modern communication technology. There is little doubt that, as technology grows at a rapid pace, it is hard for the legal community to keep up with it.

In the end, in my humble opinion, the study is the first step in a positive direction. We have already seen too many examples of the abuse of technology, which has a lot of potential for good, too! The problem is how to deal with those who abuse it. The good news is that a large part of the solution can be achieved by using a little more common sense and the clean slate approach (mentioned in the report) will go a long way towards making this a viable effort. In the end, a responsible balance is the key, and this is what the report seems to be calling for.

Wednesday, May 20, 2009

Millions of Potentially Sensitive Records from the Clinton Era Gone Missing!

A computer hard drive which contained huge amounts of personal and sensitive information from the Clinton administration is missing. Some of this information includes Social Security numbers, personal addresses and even scarier, Secret Service and White House operational procedures.

Yesterday, government officials were briefed about the compromise, which was originally discovered in April. The hard drive held a terabyte of computer data that could contain millions of individual records. A terabyte of data would be enough to fill millions of books, according to this article published by the AP.

The media is reporting that the personal information of one of Al Gore's three daughters was one of the millions of records gone missing – although it is not clear which daughter's information was compromised. Given the amount of information stolen, it's likely a lot of other notable as well as ordinary people have been compromised, too. According to articles I read, authorities are still trying to figure out exactly what was on the hard drive.

The drive was lost sometime between March 2008 and April 2009 from the National Archives and Administrations in College Park, MD, which is a Washington suburb near the University of Maryland.

The drive was left out, unsecured, in a room that is frequently left unlocked for ventilation. According to an unidentified source, a researcher who was converting the information to a digital records system left the hard drive on a shelf for an unknown period of time. When the researcher tried to resume work on the project, it was discovered to be missing.

According to Rep. Edolphus Towns, Democrat-N.Y., chairman of the House Oversight and Government Reform Committee, they are seeking more information on the breach, and the FBI is investigating.

The FBI will have a lot of suspects in this case. One hundred badge holders had access to the area. Additionally, the point of compromise is an area where workers, interns and even visitors pass on their way to the restroom.

This information would normally be stored in a secure area. Thus far, officials are quick to point out that it is unknown whether the hard drive was stolen or accidentally lost, and if any sensitive security information was lost.

At this time, either it isn't clear, or no one is saying, whether or not the data was encrypted. Encrypting data is considered a "safe and sane" security practice when dealing with data in transit and has become a legal requirement in many situations.

The House Oversight and Government Reform Committee has pointed to a problem with government agencies being compromised in the past. In a report released in 2006, the Committee came to the conclusion that the problem with agencies being compromised was government-wide. Other findings in the report include: agencies do not always know what was lost, physical security of data is essential and contractors are responsible for many of the breaches.

The report covers from 2003 to 2006 and, in light of this latest occurrence, it appears the problem still exists.

More recently, President Obama has pointed to another problem which does have national security implications and which involves protecting cyberspace from the threats that exist today. Thus far, a study has been conducted, and is being reviewed. Stories in the media have pointed to a concern with cyber warfare and with hackers from foreign countries (notably China and Russia), who have been suspected of targeting government systems.

If you are interested in learning more about Chinese hackers, there is a well-written blog on the subject titled "The Dark Visitor (Information on Chinese Hacking)". Another non-government source which covers data breaches in general is the Open Security Foundation.

While the implications of this latest issue have yet to be determined, it is not good news from the standpoint of how easily the information was compromised. Of course, this is merely one incident, and if you follow the news, we get bad news about data compromises all the time.

Update 5/20/09: It has now been confirmed that the missing hard drive had no encryption and a $50,000 reward is being offered for information leading to its recovery. Source: CNet.

Saturday, March 14, 2009

Downadup/Conficker Worm Disables Computer Security

If you were a hacker or an e-scam artist with malicious intent, would it be valuable to disable a machine's security system? Most of them find it relatively easy to take command and control of unprotected machines, but fully patched and protected machines pose more of a challenge.

Since late last year, hackers have developed a new tool that attacks protected machines, known as the Downadup/Conficker worm. This worm is being called a complex piece of malicious code that is able to jump network hurdles, hide in the shadows and even defend itself against security measures, according to a recent report by Symantec.

Symantec has documented its blog posts on this subject in this report, which are available on their site. They also have a blog post by Ben Nahorney that attempts to put this complex threat into terms that can be understood by the general public.

Just this month, Symantec identified the third version of Downadup/Conficker, which has an even more powerful punch designed to take down computer security systems. This version has been dubbed the W32.Downadup.C variant and is still under analysis. The payload from W32.Downadup.C is set to be triggered on April 1st, and if it is, the damage from it could be huge. SC Magazine aptly summed this up in an article called, "No Joke — Conficker Worm set to explode on April Fool's Day."

Since Downadup/Conficker has the ability to replicate itself — even on USB drives and network shares — by cracking passwords, it can spread like wildfire and wreak havoc on systems.

The report concludes that this is only the beginning of the Downadup/Conficker threat. If you take the time to read through the report, it shows how this malware is evolving and changing to avoid attempts to stop the spread of it.

It is being reported that Downadup/Conficker has enabled one of the largest botnets to be formed on the Internet because of the number of systems that aren't protected from it. Of course, it appears that once infected, the worm itself might prevent the patches from being downloaded on a machine.

Botnets generate all the spam we see in our inboxes and are the vehicle of most fraud, phishing and financial misdeeds seen on the Internet. They consist of infected computers that have been taken over and form a super computer capable of spreading a lot of garbage. Of course, becoming infected can also mean that all your personal and financial information will be data-mined and used by less than honest people to steal money or commit other types of crimes.

Information can be stolen to commit espionage or even provide fake identities, which are then used to support other more serious criminal activity. Although a lot of espionage is industrial, it is on record already that Downadup/Conficker infected computers at the U.K. Ministry of Defence and the Houston Municipal Courts, which suggests a more sinister intent than merely committing financial crimes.

Since the beginning of the year, there are different estimates of how many computers are infected, but all of them seem to agree it's somewhere around nine million.

Microsoft has announced a $250,000 reward for information leading to the arrest of the authors of this code. It has also announced an industry-wide coalition to fix the threat that Downadup/Conficker poses. Included in this coalition are ICANN, NeuStar, Symantec, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Verisign, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

Microsoft also provides information on patches and the latest developments on Conficker/Downadup on its site. It also has another page where you can learn more about these types of threats and how to stay safe online.

Sunday, December 21, 2008

Who Hacked the Halls of Congress?

Came across an interesting story about the halls of Congress being hacked in October 2006. Although no one knows or is saying, some speculate that the attack can be traced to the Chinese, who seem to get accused of hacking into a lot of government systems (worldwide). Of course, the Chinese officially deny these allegations.

Shane Harris of the National Journal reported the attack was initially discovered in one office, but cyber-investigators eventually traced it to eight members' offices, where one or more computers were infected. Besides this, seven committee offices, including the Commission on China, Ways and Means and the International Relations Committee, were identified as having compromised computers in them. The International Relations Committee (now the Foreign Affairs Committee) had 25 infected computers and an infected server found in it.

The virus discovered was a trojan designed to allow malware (malicious software) to invade government machines and steal information. The investigation revealed that the trojan was probably downloaded by an employee, who clicked on a link in a spam e-mail. This method of dropping a virus on a computer is usually referred to as Phishing.

Phishing attacks are normally designed to steal personal and financial information, which is later used to commit financial crimes and identity theft. While most phishing attacks (from a historical perspective) have been financially motivated, we are now seeing more person/position-targeted attacks. This type of phishing is referred to as spear phishing or whaling. In April, there were reports of spear phishing attacks against corporate executives all over the country.

The unidentified hackers used a wide array of attack methods and the malware was downloaded from random Internet addresses. It's suspected they were using other infected machines to launch the attacks, which makes the activity even harder to trace. In this latest instance, it makes sense; the intent was to steal confidential and sensitive information.

The article points out that there is a lot of evidence that the Chinese have "penetrated deeply" into both government and corporate systems.

Just hours before the Olympics, Joel Brenner, the top U.S. counterintelligence official, warned Americans to leave their smart phones and other wireless computer devices at home. He told CBS News that the public security services in China can turn on a cell phone and activate its microphone when the owner thinks it's off. In July, Senator Sam Brownback also warned that China was planning to mount a massive espionage operation on guests staying at major hotels during the Olympics.

Last year there was speculation in the press that Commerce Secretary Carlos Gutierrez's laptop was hacked during a visit to China and the information was used to hack into government computers. Even scarier, rumors abound that Chinese hackers have already attacked power grids and that they are developing a cyber-warfare capability.

The article's conclusion points to a just released Report of the CSIS Commission on Cybersecurity for the 44th Presidency. The study recommends that President Elect Obama establish a Cyber-Security Directorate in the NSC, which would direct a National Office for Cyberspace.

As a mere observer of all of this, I think President Elect Obama needs to take this report seriously. We need to remember (especially while a financial crisis is going on) that besides being a threat to National security, hacking also threatens our financial stability. Although this post points to the Chinese, they certainly aren't the only players in the International hacking game, and the problem it presents isn't going away. Sadly, some believe the problem is getting worse.

There is little doubt that change is needed in the way we address this problem and hopefully this is what will occur.

Sunday, October 26, 2008

Microsoft is NOT the Biggest Hacker in China!

Chinese surfers are crying foul at Microsoft's launch of the "Windows Genuine Advantage Program," which turns a screen black when it detects pirated software. It is believed up to 200 million computer users in China have counterfeit software on their machines.

China is well-known for being involved in the knock-off trade, as well as selling dangerous and defective products in the global economy. The news has had a lot of stories about them censoring the Internet, violating user privacy and being involved in hacking on an industrial scale.

Ironically, Dhong Zengwhi, a Beijing lawyer, accused Microsoft of being the "biggest hacker in China with its intrusion into users' computer systems without their agreement or any judicial authority," according to the China Daily. His argument is that this will cause serious functional damage to users' computers and according to China's criminal law, Microsoft could be accused of breaching and hacking into computer systems. Zengwhi has filed a complaint with the Chinese government about this.

Does this mean Microsoft won't be able to out-source work to China?

I wonder what Mr. Zengwhi's opinion was when it was revealed that the Chinese were data-mining the communications of Tom-Skype users? Tom-Skype is the Chinese version of the popular Skype software, which allows people to communicate worldwide using the Internet.

Privacy violations in China aren't limited to Tom-Skype communications, either. During the recent Olympic games, the government openly monitored Internet communications, using the excuse of security to justify what many believe was censorship.

The allegation that Microsoft is the biggest hacker in China is questionable. Governments from all over the world have accused the Chinese of hacking into their systems and it isn't considered safe to carry a laptop, or even a smart-phone when visiting China. Recently, there was speculation that Commerce Secretary Carlos Gutierrez had his laptop hacked during a visit to China.

In fact, if you follow the news, the theft of intellectual property is often traced to the Chinese. The FBI has caught numerous Chinese agents stealing a lot of private and government information in the recent past.

Pirated software is a huge problem in the global economy. It is estimated that one third of all software being sold is counterfeit. A large percentage of the software sold on auction and even e-commerce sites is counterfeit, also. It isn't unknown for a consumer to think they are getting legitimate software when they are not.

Besides costing jobs and revenue to legitimate firms, knock-off software can damage a machine, or even lead to information theft when malicious software is added to the mix.

I'm sorry that certain people in China are outraged by Microsoft's solution to the theft of their property, but let's face it, they are hardly the biggest hacker in China.

Sunday, April 27, 2008

DOJ announces strategy to go after organized crime in a borderless environment

I've often written about borderless crime being committed with a click of a mouse, as well as the lines that law enforcement jurisdictions impose, which can make investigative and prosecution efforts frustrating.

The Attorney General and the Justice Department are announcing a new strategy to go after the problem.

From the press release on fbi.gov:

Today, Attorney General Michael B. Mukasey announced a new strategy in the fight against international organized crime that will address this growing threat to U.S. security and stability. The Law Enforcement Strategy to Combat International Organized Crime (the strategy) was developed following an October 2007 International Organized Crime Threat Assessment (IOC Threat Assessment) and will address the demand for a strategic, targeted, and concerted U.S. response to combat the identified threats. This strategy builds on the broad foundation the Administration has developed in recent years to enhance information sharing, and to secure U.S. borders and financial systems from a variety of transnational threats.

In the press release, Attorney General Mukasey sums up the threat by saying:

The strategy specifically reacts to the globalization of legal and illegal business; advances in technology, particularly the Internet; and the evolution of symbiotic relationships between criminals, public officials, and business leaders that have combined to create a new, less restrictive environment within which international organized criminals can operate. Without the necessity of a physical presence, U.S. law enforcement must combat international organized criminals that target the relative wealth of the people and institutions in the United States while remaining outside the country.

Also stated in the verbiage of the press release is that there will be more coordination of information between federal law enforcement agencies. "This unprecedented coordination will include utilizing all available U.S. government programs and capabilities, including existing economic, consular, and other non-law enforcement means," according to Attorney General Mukasey.

"The Law Enforcement Strategy to Combat International Organized Crime (the strategy) was developed following an October 2007 International Organized Crime Threat Assessment (IOC Threat Assessment)," according to the press release.

The press release identifies and defines the following strategic threats:

International organized criminals have penetrated the energy market and other strategic sectors of the U.S. and world economy. As U.S. energy needs continue to grow, so too could the power of those who control energy resources.

International organized criminals provide logistical and other support to terrorists, foreign intelligence services, and foreign governments, all with interests acutely adverse to those of U.S. national security.

International organized criminals traffic in people and contraband goods, bringing people and products through U.S. borders to the detriment of border security, the U.S. economy, and the health and lives of those human beings exploited by human trafficking.

International organized criminals exploit the U.S. and international financial system to move illegal profits and funds, including sending billions of dollars in illicit funds through the U.S. financial system annually. To continue this practice, they seek to corrupt financial service providers globally.

International organized criminals use cyberspace to target U.S. victims and infrastructure, jeopardizing the security of personal information, the stability of business and government infrastructures, and the security and solvency of financial investment markets.

International organized criminals are manipulating securities exchanges and engaging in sophisticated fraud schemes that rob U.S. investors, consumers, and government agencies of billions of dollars.

International organized criminals have successfully corrupted public officials around the world, including in countries of vital strategic importance to the United States, and continue to seek ways to influence—legally or illegally—U.S. officials.

International organized criminals use violence and the threat of violence as a basis of power.

What alarmed me the most in this news release, especially with out of control oil prices, was that organized crime was involved in the energy sector. Randall Mikkelsen at Reuters must have been interested in this statement and questioned Alice Fisher, head of the DOJ criminal division. Fisher seemed to downplay the statement by saying "I don't think that you can directly link the two." Fisher did go on to state that organized crime had a foothold in global financial markets.

To me, that's at least as scary as organized criminals being involved in the energy sector. What we do know is that both the financial and energy sectors seem to be causing the average citizen a considerable amount of pain and suffering, lately.

The reason for this response might be that investigative entities don't generally want to comment on the specifics of any ongoing investigations? There are good reasons for not doing so.

Interestingly enough, the Organised Crime and Corruption Reporting Project, which is run by some Eastern European journalists, has covered potential organized criminal involvement in the energy sector in Eastern Europe. A story, which can be seen on the home page of the site, states:

In between are the energy traders. They say they are the future of low-cost energy but that is a promise yet to be fulfilled. These politically connected and well-financed businessmen have reaped billions in sales, often at the expense of state companies. Investigators in a number of countries are trying to determine whether some of them made their millions in profits illegally or legally in systems that have few laws and not enough regulations.

Although the executives at Enron were never found to be involved with organized crime, the Enron debacle illustrates how a little dishonesty in the energy sector can create a lot of financial havoc for a lot of people!

Also alarming is the statement that public officials around the world are being corrupted by these groups.

As I stated in the first paragraph, I've often written about some of the items now being identified as strategic threats. We live in a society where identities are stolen en masse, counterfeiting is rampant and rumors of foreign governments hacking into military and industrial systems surface too frequently.

And as far as hacking goes, criminal organizations -- who seem to be run as efficiently as any successful corporation -- appear to have the ability to crack into whatever defenses the good guys put into place. There has been speculation that these groups can afford to recruit the best and the brightest in a lot of "disciplines" in addition to information technology, also.

These factors have also enabled a lot of other (even more dangerous) criminal activity to spread at what some consider epidemic proportions.

Given all these trends, the only successful strategy is to go after the people behind it. Nothing else has seemed to work very well, at least so far!

The full press release can be seen here.

The Reuters story can be seen here.

I would also like to thank Suad and Lazarus at Paper Weapons, Heike at The Dark Visitor (information on Chinese hacking) site and the journalists at the Organised Crime and Corruption Reporting Project for the links, which I seeded in this post to make a point.

Sunday, April 06, 2008

Sensitive infrared cameras discovered bound for China at LAX

Dangerous and counterfeit products, hacking government systems and espionage all have one thing in common: they are likely to originate from China.

The latest example of this is being reported by the AP:

Two men attempting to board a plane to China with nearly a dozen sensitive infrared cameras in their luggage were arrested on Saturday, a federal official said.

Federal agents stopped the pair on the jetway as they were preparing to board the flight to Beijing.

The men had been in the United States for about a week, said Rick Weir, assistant special agent in charge of the Los Angeles office of the Department of Commerce's Bureau of Industry and Security.

Yong Guo Zhi, a Chinese national, and Tah Wei Chao, a naturalized U.S. citizen, were arrested for investigation of trying to take thermal imaging cameras with potential military use to China without the proper export licenses, Weir said.

In February of this year, the FBI highlighted two high profile cases involving Chinese espionage.

Again, whether it involves defective goods, hacking or stealing military secrets -- the Chinese seem to be having a field day victimizing the citizens of the United States and the world.

Is the cheap labor they provide for a lot of companies worth all the risks we are taking by allowing them "free trade status?"

Additional examples of Chinese espionage, hacking and defective products written about on this blog can be seen, here.

Full AP story on this latest development in the ongoing saga, here.

Tuesday, December 11, 2007

Human beings are the reason for most security breaches!

If you think phishing is merely a financial crime, think again. Eleven employees at a nuclear research facility fell for a phishy e-mail, which appears to have been an attempt to steal information.

The New York Times reported:

A cyber attack reported last week by one of the federal government’s nuclear weapons laboratories may have originated in China, according to a confidential memorandum distributed Wednesday to public and private security officials by the Department of Homeland Security.

Although the article suggests China may be behind this attempt, it also suggests they have plausible deniability:

Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location.

I guess it might have been a host of undesirables trying to steal this information. A lot of Internet misfits redirect through China to do their misdeeds on the Internet.

What's scary is that eleven employees at a nuclear research facility clicked on a phishy e-mail and compromised sensitive material.

I recently wrote a post about an official government audit, which revealed that 60 percent of IRS employees tested fell for a vishing scheme and gave up sensitive information.

Vishing is stealing information by telephone.

It was recently announced that private investigators are being indicted for vishing information in an illegal manner, sometimes referred to as pretexting.

All of these events would suggest that businesses and government organizations have a big opportunity when it comes to raising employee awareness on social engineering schemes that are used to compromise sensitive information.

It also illustrates that human beings are the common cause for most breaches of security!

New York Times article, here.

Here are the two previous posts on the IRS vishing test and the indictment of private investigators for using social engineering techniques:

IRS audit reveals that the human factor is one of the greatest threats to information (computer) security

Private Eyes charged with aggravated identity theft

Friday, October 12, 2007

Resources to avoid those dangerous Chinese products

There has been a lot in the news lately about dangerous Chinese products. At this point, there seem to be too many of them for the average person to keep up on.

I happened to be taking a look at Lou Dobbs' site and found some great resources that the average person can use to determine whether or not they are making a safe buying decision.

Since there doesn't seem to be enough oversight by our government to ensure our safety, I highly recommend taking matters into your own hands, especially with the holiday season rapidly approaching.

On the site, I found a link to a U.S. PIRG page on recalled toys, here.

Additionally, the page had a safety blog set up by ConsumerReports.org, here.

Also, on the page, is a message from Mattel about products they have voluntarily recalled, here.

Of course, the Chinese haven't only been in the news lately for exporting dangerous products.

Here are some posts about other things they are doing that might be considered dangerous to the rest of the world:

China caught stealing government information again!

The Hackers from China are at it AGAIN!

How Dangerous is China

Here is another post I've done (with lots of references) about unsafe products from China.

The new red menace, global commerce from China

Of course, we can't only blame the Chinese. There are other forces in this equation, who are making a lot of money doing business with China:

The problem of unsafe products from China is just a symptom of the bigger problem!

Maybe if we started making more educated shopping choices, some of these problems would go away?

After all, the almighty dollar has a lot of power!

Wednesday, July 04, 2007

FlexiSpy - software that spies on people via their smart phone


There is already a lot of "buzz" that mobile phones, especially those of the smarter variety, will be targeted for their "information value."

A product called "FlexiSPY" is being legally sold, which allows anyone (with the money to buy it) to invade the privacy of someone who uses a smart phone.

Here is FlexiSPY's marketing pitch (from their site):

Catch cheating wives or cheating husbands, stop employee espionage, protect children, make automatic backups, bug meetings rooms etc.

If FlexiSPY is installed on a smart phone, it downloads data to their server 4 times a day, which can be accessed via the Internet by anyone paying for their service 24 hours a day, 7 days a week.

The FlexiSPY site blasts F-Secure, a security vendor, for calling their software a trojan, and claims FlexiSPY will not answer their e-mails. This is probably because F-Secure was the first one to question this software and its potential abuse factor. The site claims F-Secure's true intent is to sell their own software, which can remove FlexiSPY.

This is partially true; billions are made in the spy versus spy (white-hat versus black-hat) world of computer security. In all fairness, though, F-Secure isn't the only one on record that is worried about the use of FlexiSPY's spyware.

According to FlexiSPY, their software IS NOT a trojan because it has to be loaded on a telephone by a human being, and the software doesn't replicate itself.

I wonder how long it will be before a hacker figures out how to drop the software remotely? Of course, it also makes sense that FlexiSPY wouldn't want someone to be able to replicate their software. Replicated software doesn't make them any money.

I'll leave it to the reader's imagination how a product like this could be used by criminals, spies, or stalkers.

It never ceases to amaze me how some of these products are sold right over the Internet to ANYONE! It gives credence to the old saying, "there ought to be a law."

FlexiSPY even lists several electronic publications on their site as "talking about them." I decided to see what a few of them (besides F-Secure) had to say.

Gizmodo states:

The software allows a sickening amount of privacy invading features.

Engadget states:

While FlexiSPY is designed to install itself invisibly, it's now been officially categorized as a trojan (which, face it, it really is) and has been added to F-Secure's virus database.

And the Register states:

A piece of software which allows a user to track another person's mobile phone use would be almost impossible to use in the UK without breaking the law, according to a surveillance law expert.

In fact, using this software could be illegal and subject to penalties in most of the civilized world. Most of these countries would require some sort of court order, even if this technology were to be used by law enforcement.

Gizmodo story, here.

Engadget story, here.

Register story, here.

FlexiSPY acknowledges the same concern that the surveillance law expert brings up in the Register article about them:

It is the responsibility of the user of FlexiSPY to ascertain, and obey, all applicable laws in their country in regard to the use of FlexiSPY for "sneaky purposes". If you are in doubt, consult your local attorney before using FlexiSPY. By downloading and installing FlexiSPY, you represent that FlexiSPY will be used in only a lawful manner. Logging other people's SMS messages & other phone activity or installing FlexiSPY on another person's phone without their knowledge can be considered as an illegal activity in your country. Vervata assumes no liability and is not responsible for any misuse or damage caused by our FlexiSPY. It's final user's responsibility to obey all laws in their country. By purchasing & downloading FlexiSPY, you hereby agree to the above.

I guess the old Latin saying "caveat emptor" (buyer beware) applies in this instance!

Sunday, July 01, 2007

The problem of unsafe products from China is just a symptom of the bigger problem!


Interesting picture about consumer protection, courtesy of Flickr.

In the past couple of months, we've seen some alarming stories about dangerous products coming from China.

Dirk Lammers of the Associated Press wrote:

Poisoned pet food. Seafood laced with potentially dangerous antibiotics. Toothpaste tainted with an ingredient in antifreeze. Tires missing a key safety component. U.S. shoppers may be forgiven if they are becoming leery of Chinese-made goods and are trying to fill their shopping carts with products free of ingredients from that country. The trouble is, that may be almost impossible.

The Lammers family shopped far and wide, and came to the conclusion that merchants sell all kinds of products from China. Even more alarming, even if the label didn't say "made in China," the product likely has a component (ingredient) that was.

The reason for this is simple: companies make billions off the cheap labor found in China and other less developed countries, which lack the level of consumer protection we think (my opinion) we have.

The U.S. Bureau of Labor Statistics, which keeps tally of labor costs abroad, doesn't seem to have any data on China, or India for that matter. I mention India because we seem to be in the market for a lot of their labor recently.

The closest I could find was Sri Lanka, which in 2005 (most recent year available) had a labor compensation rate of 52 cents an hour.

I noticed a lot of countries left out. For instance, the region to the South of the United States, only has data for Mexico and Brazil. Mexico, which has a better economy than most of the area, has a labor cost of $1.57 an hour.

Maybe this is one of the major reasons our border to the South isn't very secure. Minimum wage, or even welfare benefits must seem like a king's ransom to some of these people.

Going back to China, I was able to find an estimate of labor costs in China by using Google. Judith Bannister wrote in the Monthly Labor News Review:


Employees in China’s city manufacturing enterprises received a total compensation of $0.95 per hour, while their non-city counterparts, about whom such estimates had not previously been generally available, averaged less than half that: $0.41 per hour. Altogether, with a large majority of manufacturing employees working outside the cities, the average hourly manufacturing compensation estimated for China in 2002 was $0.57, about 3 percent of the average hourly compensation of manufacturing production workers in the United States and of many developed countries of the world.

A little higher than the government figure for Sri Lanka, but not much. Of course, I can think of a lot of countries we outsource labor to that are not included on the government list.

It makes sense that, since a lot of these countries have a much lower standard of living and not very many consumer protection laws, unsafe products have the capability to spread worldwide.

In fact, with counterfeiting (another worldwide problem) thrown in, who knows what might show up in the supply chain? For example, it was recently disclosed that counterfeit drugs from China were likely being dispensed from pharmacies in the United States.

Chris Hansen of Dateline did a pretty revealing story about this, here. The FDA did announce new rules shortly after this, but I'm not sure this makes us very safe. All sorts of illegal drugs make it past customs daily.

I'm not sure blaming China is the solution. After all, we aren't only outsourcing labor costs over there. Many of the other countries we outsource labor to don't protect their people very well either, and could care less about consumer protection.

In fact, in many of these countries, people have a hard enough time keeping food on the table!

Perhaps we should take a closer look at ourselves? There are corporations here in the West making a lot of money by stocking these products on our shelves. And at less than 60 cents an hour in labor costs, it must be extremely profitable for them.

The worker in China or Sri Lanka isn't living very well off less than 60 cents an hour.

Perhaps, if certain companies had to start paying the true costs of padding their bottom lines with cheap labor, it wouldn't be as profitable.

I was amazed that, despite all the special interests obviously behind the recent immigration bill, it was promptly defeated by the voice of the public. Many of us believe this bill was, at least in part, a ploy to drive down the cost of labor.

I'm not saying that all the politicians had ulterior motives, or that all corporations lack ethics, but it did reveal that the voter (individual person) has a choice, and more importantly, a voice!

It might be wise for politicians and corporations to get more on board with their voters and customers.

If you are interested in learning more about this, I recommend Lou Dobbs, who has become extremely outspoken about a "war against the middle class." His site can be viewed, here.

Here are some references used for this post.

Article by Judith Bannister (Monthly Labor News Review), here.

Article by Dirk Lammers (AP), courtesy of the Washington Post, here.

Counterfeiting merchandise is enabled by outsourcing labor (my opinion). I've written a lot about this, here.

Previous posts about China and other dangerous activities coming from there, including espionage and hacking, can be viewed, here.

Tuesday, June 26, 2007

RFID sniffing could be used by spies and criminals to commit all kinds of dastardly deeds!

Dark Reading wrote about a pretty scary flaw in RFID technology this week. Apparently, it's now possible for corporate spies and even organized retail criminal types to "sniff" RFID chips in a cargo container and use the information to commit a dastardly deed.

Apparently, truckers will be particularly vulnerable to being "sniffed" (compromised). Of course, if you use a little imagination, sniffing RFID might also put more than "truckers" at risk.

From the story in Dark Reading:

That means your competitor could use this information for intelligence purposes. "He could get an idea of what you are shipping and how much, and how often," Perrymon says, adding that an attacker could also write to those tags, either disabling or changing them if you don't apply the proper authorization and passwords to your EPC system. That's PacketFocus's next step in its research.

And sniffing the truck's payload could also provide criminals with intelligence they wouldn’t otherwise be able to get very easily, thus helping them target their holdups or other heists, he says. "Unless they had a lot of inside information, they don't have enough information to rob that truck. Now they can scan it if it's not secure -- they don't want to rob that toilet paper truck, but if it's got plasma TVs with surround sound, [that's their] target."

RFID has been pushed by retailers, such as Walmart, and the military (not mentioned in the Dark Reading article). The Department of Defense now uses RFID to monitor its supply management system.

Stealing shipments of plasma TVs is one thing, but on a personal level, I'm a little more worried about how some of this technology might be used by those with more sinister intentions than stealing high-tech merchandise.

The passwords mentioned in the article, easily compromised by the PacketFocus folks, can be made more secure, but passwords are hacked by software and by more social methods fairly frequently.

All it takes to compromise an entire system is one dishonest person with access to a password, or even an honest person who is tricked into giving one up.

Hacking for Dummies has an interesting write-up on how passwords are hacked, here.

Besides that, the bad guys are always coming up with new exploits to defeat security fixes.

Interestingly enough, according to Wikipedia, RFID's predecessor was invented by a Soviet inventor as a tool to commit espionage. It was also used in the World War II era for a lot of military applications.

Perhaps, in this case, history (or the original intent) should give us a little perspective on RFID?

In the recent past, government experts have seen China show an interest in stealing (hacking) logistics (supply) information. Here is a post I wrote about that:

How Dangerous is China

Dark Reading's interesting article, here.

I've written a few posts about RFID and its potential abuses, which can be seen, here.

Dark Reading got its information for the article from PacketFocus Security Solutions, which is a company that performs what is known as "ethical hacking" for the public at large. Ethical hacking is where good guys test vulnerabilities in technology to stay ahead of the bad guys.

There might very well be some useful applications for RFID, but we need to slow down and consider the safety implications before continuing to have this technology take over our daily lives.

It's not worth the money a very few people are making off it!