Posts Tagged Cyber security

‘Tweeting’ medics expose patients (BBC)

Twitter content is user-generated

Medics posting messages on networking websites like Facebook and Twitter are breaching patient confidentiality, a leading journal reveals.

Research in the Journal of the American Medical Association found examples of web gossip by trainee doctors sharing private patient stories and details.

Over half of 78 US medical schools studied had reported cases of students posting unprofessional content online.

One in 10 of these contained frank violations of patient confidentiality.

Most were blogs, including one on Facebook, containing enough clinical detail that patients could potentially be identified.

‘Blue’ blogs

Many postings included profanity and discriminatory language.

Sexually suggestive material and photos showing drunkenness or illicit drug use were also commonplace.

While most incidents resulted in informal warnings, some were deemed serious enough to lead to dismissal from medical school.

But few of the medical schools had policies that covered online social networking and blogging.

The investigators, led by Dr Katherine Chretien of the Washington DC VA Medical Center, said medical students may not be aware of how online posting can reflect negatively on medical professionalism or jeopardise their careers.

Similarly, patient confidentiality breaches may be unintentional.

“Sharing patient stories that are de-identified and respectful, as health professionals might do on personal blogs, can encourage reflection, empathy and understanding.

“However, content may risk violation of patient privacy, even without using names or other identifiers,” they warned.

Also, the line separating freedom of speech and inappropriate postings can be unclear – for example, derisive comments about a student’s institution or profession might not be considered unprofessional by some, they said.

Dr Chretien’s team say medical students should be taught as part of their training about the risks associated with making postings on the Internet.

As a matter of course, students should be shown how to elect privacy settings on social networking sites and should be told to perform periodic Web searches of their own name to vet listed online content.

A spokesman for the British Medical Association said: “Patient confidentiality is paramount and medical students and doctors obviously need to be very careful about any information they post online.”

The UK’s regulator of doctors, the General Medical Council, does not have guidance that covers medics’ blogging.

But a spokeswoman advised doctors: “You must make sure that your conduct at all times justifies your patients’ trust in you and the public’s trust in the profession.”

Hacker admits world’s biggest identity theft (TG Daily)

The Miami man dubbed the world’s most prolific identity thief has admitted stealing 40 million credit and debit card records from US retailers.
By Emma Woollacott

Monday, September 14, 2009

Albert Gonzalez appeared on Friday in a Boston court and pleaded guilty to 20 charges. He admitted exploiting vulnerabilities in the security systems of TJX, OfficeMax, BJ’s Wholesale Club and other retailers back in 2003. The records were sold and the money laundered through accounts in Latvia.

His technique – known as ‘wardriving’ – involved cruising around with a laptop and searching for accessible wireless internet signals. Once Gonzalez and his colleagues found a vulnerable network, they installed sniffer programs to capture the card numbers.

Things went from bad to worse: after his arrest, Gonzalez began secretly collaborating with the US Secret Service to catch other hackers. But he now admits that during this period he warned off his co-conspirators to help them avoid arrest.

Gonzalez had already agreed to plead guilty to the charges. He now faces up to 25 years in prison, and must hand back more than $1.65 million. Sentencing is set for December 8th.

His attorney says he feels “really bad”.

Flight site hacker ‘identified’ (BBC)

Avsim is one of the largest sites serving the flight sim community

The publisher of a flight simulator site targeted by a hacker in May says it has presented a file of evidence to UK police identifying the perpetrator.

Avsim said it had “incontrovertible evidence” about the hacker’s identity.

The attack wiped data held on two servers and “effectively destroyed” the site, which is still being rebuilt.

The US firm said it expected the criminal complaint, filed with London police, to lead to the alleged hacker spending “time behind bars”.

“We will not name any names, but have incontrovertible evidence of the individual that performed the hack,” said Tom Allensworth, the publisher and CEO of Avsim.

“We have protected the forensic evidence and provided that evidence to the London police. We are committed to bringing justice to bear on this case.”

Mr Allensworth told BBC News that the evidence was submitted on Monday to the Southwark division of the Metropolitan Police, which was “acting on behalf of another constabulary”.

‘Next level’

The US site, launched in 1996, covers all aspects of flight simulation, although its main focus is on Microsoft’s Flight Simulator.

In addition it hosts a forum and allows enthusiasts to download extra content for flight simulations, such as new landscapes.

The firm claims it is the most-visited flight simulation site on the internet.

“Its contribution has been immeasurable,” said Derek Davis, editor of PC Pilot magazine, following the attack.

The firm said it had spent $50,000 (£30,000) to bring Avsim back online since the 12 May attack, including $25,000 from users.

It said it had filed the criminal complaint after giving the alleged hacker “two opportunities to settle” the case.

“The individual did not avail himself of the opportunity – in fact, he has ignored our proffers,” Mr Allensworth said in the statement.

“We are now doing as we promised this person we would do: ratcheting this up to the next, criminal, level.”

“We fully expect that the criminal complaint…will result in the perpetrator spending some time behind bars – under UK law.”

The firm said it was seeking prosecution under laws that “deal with unauthorised use of a computer, unauthorised and criminal theft of data, and numerous other violations of other computer and online laws”.

The Metropolitan Police could not confirm whether it had received the complaint.

Websites ‘breaking consumer laws’ (BBC)

The investigation covered 28 European countries

More than half of websites selling electronic goods were breaking European laws aimed at protecting consumers, according to an EU investigation.

The analysis of 369 websites selling mobiles, DVD players and games consoles in 28 European countries found that 203 of them held misleading information.

The biggest failure surrounded the right to return a product bought on the internet within seven days.

Any websites which continue to break the law face fines.

“We know from the level of complaints coming into European Consumer Centres that this is a real problem area for consumers,” said EU consumer commissioner Meglena Kuneva.

“We discovered that more than half of the retailers selling online electronic goods are letting consumers down.”

Sweep

Authorities, such as trading standards departments, carried out the investigation in May. They were checking to see if the websites followed rules on providing clear information about the trader, the product, the price, and customers’ rights.

Some 369 websites – across 26 EU member states (all members except Slovakia) as well as Norway and Iceland – were checked as they sold electronic goods including digital cameras, mobile phones, personal music players, DVD players, computer equipment and games consoles.

Two hundred of the sites were chosen because they were the biggest in the EU and another 100 were checked because they had been the subject of previous consumer complaints.

Of the 203 cases facing further investigation:

  • Two-thirds (66%) failed to adequately explain that consumers had seven days to return a product bought over distance for a full refund and without giving a reason. Others failed to explain the right to have a faulty product repaired or replaced for at least two years after sale
  • Details about extra delivery charges were missing or difficult to find on the website in 45% of cases
  • A third (33%) did not fully outline the trader’s name, address or email details so they could not be contacted if there was a problem.

All of these traders will now be contacted by the authorities and asked to clarify the position or correct the problems identified in the investigation.

Meglena Kuneva is the EU consumer commissioner

Any website that fails to make corrections could face warning letters and then enforcement action. If this was ignored the operators could be prosecuted and face fines.

“This is a Europe-wide problem which needs a European solution. There is a lot of work to be done in the months ahead to clean up this sector, Europe’s consumers deserve better,” said Ms Kuneva.

Every website checked in Cyprus and Hungary during the sweep was found to require further investigation. Six of 14 websites checked in the UK revealed irregularities.

Only Iceland, Norway and Latvia have published a list of the websites that will face further investigation.

About one in four consumers across the EU who has ever bought anything on the internet bought an electronic product, according to the European Commission. The market is valued at an estimated 6.8bn euros (£5.9bn).

Some 34% of complaints about online shopping in 2007 featured the sale of electronic equipment.

US cyber-security ‘embarrassing’ (BBC)

By Maggie Shiels
Technology reporter, BBC News, Silicon Valley

Experts say the threat is increasing fast

America’s cyber-security has been described as “broken” by one industry expert and as “childlike” by another.

The criticism comes as President Obama prepares to release the results of a review he had ordered.

Tim Mather, chief strategist for security firm RSA, told BBC News: “The approach we have relied on for years has effectively run out of steam.”

Alan Paller from security research firm SANS Institute said the government’s cyber defences were “embarrassing”.

The government review, which will outline a way forward, is expected to be opened up for public comment at the end of this month.

At the same time, President Obama is also expected to announce the appointment of a cyber-security tsar as part of the administration’s commitment to make the issue a priority.

For many attending last week’s RSA Conference in San Francisco, the biggest security event of its kind, such focus is welcome.

“I think we are seeing a real breaking point in security with consumers, business and even government saying enough, no more. Let’s rethink how we do this because the system is broken,” said Mr Mather.

‘Laws of procurement’

Over the past couple of weeks, the heat has been turned up on the issue of cyber-security following some high profile breaches.

One involved the country’s power grid which was said to have been infiltrated by nation states. The government subsequently admitted that it was “vulnerable to attack”.

The review will provide a roadmap for tackling cyber-security

Meanwhile reports during the RSA Conference surfaced that spies had hacked into the Joint Strike Fighter Project.

The topic is very much on the radar of politicians, who have introduced a number of bills to address security in the virtual world.

One includes a provision to allow the president to disconnect government and private entities from the internet for national security reasons in an emergency.

The latest bill, introduced this week by Senator Tom Carper, has called for the creation of a chief information officer to monitor, detect and respond to threats.

Mr Paller, who is the director of research for SANS, believes the government’s multi-billion dollar budget is the most effective weapon it has to force change.

“The idea of cyber-security leadership isn’t if it’s the White House or DHS (Dept of Homeland Security). It’s whether you use the $70bn you spend per year to make the nation safer.”

He said the best way to ensure that was to require industry to provide more secure technology for federal acquisitions.

“If you want to change things, use the laws of procurement,” suggested Mr Paller.

Hot seat

There is a growing view that the industry is also at a crossroads and has a responsibility to alter the way it operates.

There are 32,000 suspected cyber-attacks every 24 hours

“I think we are more aware of security than ever before,” said Benjamin Jun, vice-president of technology at Cryptography Research.

“We are looking at risk in a new way and the good security practitioners are in the hot seat. It’s time for them to do their job.”

It is also time for them to come up with new technologies that can keep pace with, and move ahead of, the threats that affect the whole of cyberspace, says Asheem Chandna of venture firm Greylock Partners.

“For the evolution of the internet, I think we need the next wave of innovation. The industry clearly needs to step up and deliver the next set of technologies to protect people and stay ahead of the bad guys.”

He also believes the smaller innovative companies in Silicon Valley could help the government be more productive if they were not effectively locked out of the process by the big established firms.

“We want smaller companies that are innovating in Silicon Valley to be given a better chance to help government agencies meet their mandate but the bureaucracy to do this hinders these companies.

“Instead they go to commercial customers because they see the value, they move fast, they see the return on investment and the competitive advantage it can give them. The federal government is more of a laggard in this area,” said Mr Chandna.

‘Silver lining’

There is undoubtedly a consensus that the security of the internet needs to be improved and that attacks are taking their toll on everything from banks to credit card companies and from critical infrastructure to defence.

The president has likened the threat to the internet to that of a nuclear attack

“There is a silver lining to this dark cloud,” said Mark Cohn, the vice-president of enterprise security at security firm Unisys.

“Public awareness, and that among the community and interested parties, has grown tremendously over the last year or two.

“Cyber-security affects us all from national security to the mundane level of identity theft and fraud. But that means society as a whole is more receptive to many of the things we need to do that would in the past have been seen as politically motivated.”

For security firm VeriSign, a shift in how people practise security is what is needed.

“Security is a state of mind,” said the company’s chief technology officer, Ken Silva.

“Up until now we have relied on the inefficient system of user names and passwords for security. Those have been obsolete for some time now and that is why our research is focused on making authentication stronger and user friendly.”

To that end, VeriSign has introduced a security application that produces an ever-changing password credential for secure transactions on the iPhone or Blackberry. To date the free app has been downloaded more than 20,000 times.

“It’s one thing to say security is broken, but the consumer doesn’t care until it affects them,” said Mr Silva.

“But if we as an industry want them to use stronger security measures we have to make it easy and more user friendly.”

Indeed, Mr Cohn believes everybody has to play his or her part as the online world becomes increasingly integral to our lives.

“It may seem like we are under attack and the world is more dangerous but in some ways the threat environment is shifting.

“Now the greater concern for people is protecting their information, their identity, their financial security as we move to put more information online like our health records and our social security records.

“We are at a crossroads and this should be viewed as a healthy thing,” said Mr Cohn.

Insider risk problem revealed (BBC)

By Maggie Shiels
Technology reporter, BBC News, Silicon Valley

The headlines get the real cyber security threat wrong, says the RSA

Security experts have turned on its head the notion that so-called “malicious insiders” are the biggest cyber security threat for companies.

The security vendor RSA revealed that the majority of breaches are actually caused unintentionally by employees.

Its survey showed that firms believed 52% of incidents were accidental and 19% were deliberate.

“Unintentional risk gets overlooked, yet it’s the most serious threat to business,” said the RSA’s Chris Young.

“The sexy incident where someone gets arrested for stealing records and selling them to a third party for a lot of money is the stuff that catches the attention of the media, the regulators, executives and Congress people.

“But this is not necessarily where organisations have 100% of the risk,” said Mr Young, the RSA’s senior vice president of products.

The study conducted by the RSA and IT analysts IDC looked at 11 different categories of risk ranging from malware and spyware to employees having excessive access to systems and from unintentional data loss to malicious acts for personal gain.

The report concluded that the difference between the most frequent type of cyber breach – unintentional data loss, at 14.4% per year, and the bottom of the list – internal fraud, at 10.6% – is a clear sign that no single solution can address all potential internal security risks.

It covered over 400 firms from the US, UK, France and Germany across a variety of sectors including the financial industry, healthcare, telecommunications and technology.

‘Weakest link’

The report noted that whether the threats are accidental or deliberate, the cost to a company of a cyber breach is still the same.

The RSA and IDC said disclosure of sensitive information results in regulatory actions, failed audits, litigation, public ridicule and competitive fallout.

Government figures report 32,000 suspected cyber attacks every day

“The figures are hard to quantify, but the average annual financial loss to insider risk adds up to $800,000 (£480,000) overall per organisation in the US and between $300,000-$550,000 (£180,000-£330,000) in the UK, France and Germany.

“And that ties into the billions of dollars range when you think of the thousands of companies that comprise the IT industry,” said Mr Young.

A recent report by the Ponemon Institute found that the average cost of a data breach in 2008 was $202 (£122) per customer record.

The information security firm also determined that the expense continued to rise by 38% between 2004 and 2008.

The RSA and IDC discovered that the weakest link in any company is the temporary employee or contractor.

“They represent the greatest internal risk,” Mr Young told BBC News.

“Most organisations start with a principle of trust and you trust your employees to be able to do their job well and protect the interests of the company. There are always levels of trust which is greater or lesser depending on how closely tied an individual actor is to an individual organisation.

“It’s likely contractors may be less well-trained in organisational policy and it’s harder to maintain control over their access to systems because of the time they interact with an organisation. There is always a tension between letting an employee do his or her job versus security,” said Mr Young.

The Better Business Bureau has drawn up a list of simple things companies should do to secure their data, often regarded as the crown jewels of any company.

It advises limiting systems access to a few trusted employees, using a password protection system for logging in, equipping computers with firewalls and virus protection and educating employees.

US man ‘stole 130m card numbers’

The card details were allegedly stolen from three firms, including 7-Eleven

US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards.

Officials say it is the biggest case of identity theft in American history.

They say Albert Gonzalez, 28, and two un-named Russian co-conspirators hacked into the payment systems of retailers, including the 7-Eleven chain.

Prosecutors say they aimed to sell the data on. If convicted, Mr Gonzalez faces up to 20 years in jail for wire fraud and five years for conspiracy.

He would also have to pay a fine of $250,000 (£150,000) for each of the two charges.

‘Standard’ attack

SQL INJECTION ATTACK
This is a fairly common way that fraudsters try to gain access to consumers’ card details.
They scour the internet for weaknesses in companies’ firewalls, which are simply security walls designed to block unauthorised access to a computer network.
Once they find a weakness, they insert a specially designed code into the network that allows them to access card details.
There is little consumers can do to protect themselves from the effects of this type of attack.
The general advice to cardholders is to check bank statements carefully and report any suspicious transactions immediately.

Mr Gonzalez used a technique known as an “SQL injection attack” to access the databases and steal information, the US Department of Justice (DoJ) said.

Edward Wilding, a fraud investigator, told the BBC that this method was “a pretty standard way” for fraudsters to try to access personal data.

It “exploits any vulnerability in a firewall and inserts a code to gather information,” he explained.

However, he added that this case probably “involved extremely well researched, especially configured codes, not standard attack codes downloaded from the internet”.

Mr Wilding said there was little consumers could do to protect themselves against this kind of fraud.

“The real vulnerability [for cardholders], I suspect, is internet and telephone transactions. But this is a failure in the configuration of [corporate] firewalls,” he said.

Michelle Whiteman, from anti-fraud organisation Financial Fraud Action UK, said that consumers must check their bank statements regularly and flag up any suspicious transactions to their bank.

She said that online, telephone and mail order fraud were on the increase, along with fraud committed abroad on UK cards, according to figures released in March.

But she stressed that any victim of fraud would “always be refunded in full”.

Further charges

Mr Gonzalez’s corporate victims included Heartland Payment Systems – a card payment processor – convenience store 7-Eleven and Hannaford Brothers, a supermarket chain, the DoJ said.

According to the indictment, the group researched the credit and debit card systems used by their victims, attacked their networks and sent the data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine.

The data could then be sold on, enabling others to make fraudulent purchases, it said.

Mr Gonzalez, who had once been an informant for the US Secret Service helping to track hackers, is already in custody on separate charges of hacking into the computer systems of a national restaurant chain and eight major retailers, including TJ Maxx, involving the theft of data related to 40 million credit cards.

Mr Gonzalez is scheduled to go on trial for these charges in 2010.

This latest case will raise fresh concerns about the security of credit and debit cards used in the United States, the BBC’s Greg Wood reports.

Major US cities hail crime reduction (BBC)

By Claire Prentice
BBC News, Washington

In-car computers are helping DC police reduce crime rates

It is mid-morning and, despite being several hours into his shift, Officer Frank Buentello of the District of Columbia Metropolitan Police Department has not received a single call for assistance.

It was a different story when he started his police career in Washington DC 20 years ago.

“The city has really cleaned up. Even 10 years ago this street here was a crime hotspot,” he said, pointing towards bustling Columbia Road.

The murder rate in the District of Columbia is down 22% this year, with 84 murders so far in 2009.

The district is on track to have fewer killings than in any year since 1964.

It is a remarkable turnaround for an area which, as recently as 1991, was dubbed “the murder capital of the United States”.

New technology

And DC is not alone. Across America, major cities have experienced a significant drop in violent crime, a definition which includes murder, rape, robbery and aggravated assault.

They include once-notorious crime hubs like New York and Los Angeles, both of which are on track for their lowest homicide rates in 40 years.

Chicago, Boston, San Francisco, Las Vegas and Minneapolis are among other cities seeing notable reductions in murders.

Mr Buentello and DC Police Chief Cathy Lanier say a return to beat policing combined with the introduction of sophisticated new crime fighting technology are responsible for slashing DC crime rates.

Inside Mr Buentello’s patrol car, a small computer, or Mobile Data Terminal, receives minute-by-minute updates of all emergency calls coming into the department along with any new information on cases under investigation or crimes taking place in the area.

Commanders also receive regular updates on their mobile phones.

On the roof of his vehicle, Mr Buentello points out a “Tag Meter” which automatically scans licence plates and identifies vehicles which are stolen or are suspected of being used in a crime.

The DC police force also uses Shot Detectors to monitor activity in parts of the city associated with gun crime.

This information is then sent electronically to officers patrolling the area.

“All of these things add up to a powerful crime fighting weapon,” said Officer Buentello. “They help us solve cases and act as a powerful deterrent.”

In New York, police send a mobile data unit to murder scenes, allowing police there to listen to emergency calls and search databases listing everyone in a certain building who is on parole.

Cincinnati police have in-car computers which allow them to use surveillance cameras to zoom in on everything happening within a known trouble area.

In New York, murder has dropped 8.8% over the last two years, and 77.2% since 1993.

It is a similar story in Los Angeles, where murder is down 20.8% in the last two years.

PhD policing

Some experts warn that police departments may be celebrating prematurely, however.

“I’m sceptical about the claim that violent crime is down because policing has got better,” says Andrew Karmen, a criminologist at the John Jay College of Criminal Justice in New York and author of New York Murder Mystery.

“The truth is that not all violent crimes are down in all cities.”

Baltimore, Denver and Dallas are among cities experiencing a higher number of homicides compared with last year.

According to experts, factors contributing to a rise in crime include poverty, unemployment, the size of the police force, the efficiency of the local criminal justice system in identifying and locking up repeat offenders and whether there is an entrenched gang, drug and gun culture.

Despite some regional discrepancies, most observers agree, however, that the drop in violent crime in many cities is significant.

The trend also cast doubt on the widely-held view that crime increases during times of economic hardship.

Criminologists point out that crime rates were relatively low during the Great Depression compared with the Roaring Twenties, when there was more violence across America.

Policing expert and Cincinnati councilman Cecil Thomas worked for the Cincinnati police force for 27 years.

He said that a greater willingness to pool resources with criminologists, the FBI, other police departments and crime fighting bodies has led to more effective policing.

“We all used to be very territorial but what you are seeing now is ‘PhD policing’ – we are using our pooled expertise to gain a better understanding of crime and to more precisely target the perpetrators of violent crime,” said Mr Thomas.

Chief Lanier stresses that new technology alone cannot fight crime.

She has introduced a number of initiatives aimed at building relationships with the community, including All Hands On Deck, whereby every police officer in DC goes out simultaneously on foot patrol.

The introduction of these measures has led to a greater volume of tip-offs from the public.

“We’ll never kick back and relax and think we’ve done our work,” said Chief Lanier. “We can always do better.”

Defending virtual borders (BBC)

By Mark Cieslak
BBC Click

The risk to government networks and major financial institutions from cyber warfare is increasing every day but what is being done to defend national borders?

“Cyber war” is an emerging global security risk

Estonia is an online-savvy state and champion of so-called ‘e-government’, a paperless system with many government services online. The population can even vote via the web.

In 2007 a large number of Estonian government and financial websites were brought to a standstill as they came under sustained online attack.

On 4 July 2009, US and South Korean government websites and those of certain banks and businesses ground to a halt as they came under denial of service assaults. In the United States, the Pentagon and the White House were also targeted.

These cyber attacks were all initially thought to be orchestrated by countries unfriendly to Estonia, South Korea and the US and to date have been the highest profile examples of so-called cyber warfare.

Digital battlefield

Conventional warfare relies on tanks, troops, artillery, aircraft and a whole gamut of weapons systems. Cyber warfare requires a computer and an internet connection.

Professor Sommer claims that most of the attacks are over the internet

Rather than sending in the marines, the act of typing a command on a keyboard can have a devastating effect on computer systems and networks.

According to Clive Room of Portcullis Computer Security: “It is possible to bring an entire state to a standstill theoretically and we’ve seen it done on a small scale practically, so the threat ahead of us is very big indeed.”

From criminal gangs trying to steal cash, to foreign intelligence services trying to steal secrets, the threat of cyber warfare is now very real.

Nato suspects that along with the tanks and troops involved in the conflict in Georgia in 2008, Russian forces also engaged in cyber attacks against Georgian government computer systems.

Professor Peter Sommer of the London School of Economics explained that cyber warfare should just be seen as a part of modern warfare in general:

“[Carl Von] Clausewitz said war is diplomacy conducted by other means. What cyber warfare gives you is a whole range of new types of technologies which you can apply.”

Zombie machines

These international attacks are not isolated instances. Every day, government and corporate websites fend off thousands of attempts to infiltrate, hack and cause disruption.

Twitter, Facebook and other high-profile sites have recently been brought to their knees by similar attacks.

The popular weapon of choice in cyber warfare is the distributed denial of service attack, or DDoS. Unknown to their owners, infected computers become zombie machines, digitally press-ganged to do the bidding of hackers; a network of such machines is known as a botnet.


In their thousands these zombie machines attempt to log on to a particular website, forcing it to fail or collapse under the sheer weight of data it is receiving.

The threat of cyber warfare is being taken seriously by Western governments and Nato. Online assets are being deployed to bolster national and international digital defences.

NATO has set up a cyber defence facility in Estonia codenamed K5. The American government has launched a national cyber security strategy and the UK has responded by creating two organisations, the Office of Cyber Security and the Cyber Security Operations Centre based at GCHQ in Cheltenham.

However, the number of people involved is still small, said Clive Room.

“The government’s own reckoning is about 40. About 20 people within each of those two offices.”

In comparison he estimates that there are about 40,000 people “listening in to us in China” and “working round the clock.”

For Professor Sommer, the UK has had a response to cyber warfare in place for 10 years, but “it’s been pretty hidden so far.”

“You tended to get to know about it if you were an academic or you moved in certain sort of technical circles,” he said.

“More recently because the problems got bigger and because of greater public alarm and interest they have decided to make it more public.”

Misdiagnosis

If defending against cyber warfare is tough, trying to pinpoint, track back and identify the origin of an online attack can be a near-impossible task.


PCs inside a botnet can be forced to carry out instructions

In the case of the Estonian attacks, initial reports suggested that Russia was to blame. These allegations have been strongly denied by Russian authorities, and to date only one individual, an ethnic Russian student living in Estonia, has been fined as a result of the attacks.

For Professor Sommer, misdiagnosis is easy: “All too quickly people say they know where the attack is coming from.”

“My experience of doing investigations of all sizes is that very often the initial diagnosis is wrong.”

“If you look at the recent Korean attacks it seems, at a political level, a reasonable supposition that it originated in North Korea because they’re the people that are most active at the moment.

“On the other hand, some of the reports say at a technical level they seem to have originated here in the United Kingdom, which makes no sense. So diagnosis is quite difficult.”

However, one thing is certain: cyber warfare is here to stay.


Web attack ‘aimed at one blogger’ (BBC)


Facebook was not taken completely offline by the attack

A “massively co-ordinated” attack on websites including Google, Facebook and Twitter was directed at one individual, it has been confirmed.

Facebook told BBC News that the strike was aimed at a pro-Georgian blogger known as Cyxymu.

The attack caused a blackout of Twitter for around two hours, while Facebook said its service had been “degraded”.

Google said it had defended its sites and was now working with the other companies to investigate the attack.

“[The] attack appears to be directed at an individual who has a presence on a number of sites, rather than the sites themselves,” a Facebook spokesman told BBC News.

“Specifically, the person is an activist blogger and a botnet was directed to request his pages at such a rate that it impacted service for other users.”

Botnets are networks of computers under the control of hackers.

The machines were used to mount a so-called denial-of-service (DOS) attack on Thursday.

DOT.LIFE BLOG
‘Up is down, left is right and black is white,’ a chief security researcher told me. ‘These attacks do not make sense’

DOS attacks take various forms but often involve a company’s servers being flooded with data in an effort to disable them.

“Attacks such as this are malicious efforts orchestrated to disrupt and make unavailable services such as online banks, credit card payment gateways and, in this case, Twitter, for intended customers or users,” wrote Twitter co-founder Biz Stone on his blog.

Writing on his blog, Graham Cluley of security firm Sophos said: “This raises the astonishing thought that a vendetta against a single user caused Twitter to crumble, forcing us to ask serious questions about the site’s fragility.”

Silencing tactic

It is still not known who perpetrated the attack or why they may have targeted Cyxymu and his accounts.

However, in an interview with the UK’s Guardian newspaper, the blogger blamed Russia.


Twitter updated users via a status page

“Maybe it was carried out by ordinary hackers but I’m certain the order came from the Russian government,” he said.

The blogger has previously criticised Russia over its conduct in the war over the disputed South Ossetia region, which began one year ago.

A previous statement by Facebook said that the attack on the websites where he held accounts was “to keep his voice from being heard”.

Other sites such as Live Journal, where Cyxymu has his blog, were also targeted in the attack on Thursday.

Only Google seems to have escaped unscathed from the attack.

“Google systems prevented substantive impact to our services,” the company said in a statement.

The company has not confirmed which services were targeted in the attack, but it is thought that its e-mail service Gmail and video site YouTube were under fire.

“We are aware that a handful of non-Google sites were impacted by [an]… attack this morning, and are in contact with some affected companies to help investigate this attack,” the company said.

Protest tool

All of the affected services were keen to stress that users’ data had not been put at risk in the attacks.

“Please note that no user data was compromised in this attack,” wrote Twitter’s Biz Stone.

Twitter CEO Evan Williams on BBC Two’s Newsnight

“This activity is about saturating a service with so many requests that it cannot respond to legitimate requests thereby denying service to intended customers or users.”

Twitter has had a meteoric rise since its launch in 2006.

A ComScore study suggests that Twitter had about 45 million users worldwide as of June 2009.

However, as many users interact with the service through mobile phones or third-party software, the actual number of users is likely to be higher.

However, that pales in comparison to Facebook, which claims to have 250m active users worldwide.

Both sites recently garnered worldwide attention when they were used by Iranians to co-ordinate demonstrations following the disputed election of Mahmoud Ahmadinejad as president.

Many protesters believed there was electoral fraud and that opposition leader Mir Hossein Mousavi should have won.

Twitter chose to delay upgrade work during the protests to allow communication to continue.

In a BBC interview, co-founder Evan Williams denied the move had been a response to a US state department request.
