Should we be afraid of Chinese hackers? ...Or lost cyber war (Part III)

Tuesday, May 04, 2010

Roman Zeltser


Why U.S. is losing steam

In addition to the full access to Windows OS that proved to be vulnerable to endless exploits, China chooses FreeBSD as basis for secure OS. The Washington Times recently reported that "China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing's networks impenetrable to U.S. military and intelligence agencies." What a bold move! No wonder that many security specialists are seriously concerned that China rapidly getting the leading edge over U.S.
Congress discussed this issue recently but what's the result? Recall Obama's visit to China (read above). Is our government insane? Not at all! As always, money rules the world. When it comes to make a decision the corporate lobbying wins over common sense.

Even worse! The U.S. Government often downplays cyber attacks on our infrastructure. As Ed Giorgio (in 60 Minutes Report on US Cyber Security (November 7, 8 & 9, 2009)) noted, there are at least 10 "reasons why cyber intrusions are ignored, denied, or not reported by government." No doubts, they will be denied by the government officials but here they are:

  1. It is downright embarrassing to admit that you do not have very good cyber defenses and it will severely hurt your brand.
  2. The targeted organization frequently has no solution to the problem as was the case when DHS "lied" to congress. In government and the military, you cannot report a problem you don't have a solution for.
  3. The administration might be worried about international political fallout because it impacts other delicate issues with China, Russia, Israel, France, etc.
  4. We don't want to open a can of worms and admit that we too have an offensive capability which we work hard to keep secret.
  5. We fear the unwanted oversight and attention.
  6. If we are forced to address the problem by making us reprogram resources from high priority mainstream mission programs which are already behind on.
  7. The bureaucracy doesn't want to be forced to hold somebody accountable and perhaps take adverse action.
  8. Adding security may get in the way of mission operations and reduce our effectiveness (like not being allowed to use a flash drive).
  9. Recognizing the problem would expand the set of stakeholders who you have to work with to solve the problem. No bureaucrat wants that as it causes a loss of control.
  10. We are skeptics and just plain don't believe it's a big problem and that's it has been blown out of proportion.
"Security? What security? What are you talking about? It's not my responsibility!"

As David Osborne and Ted Gaebler indicate:
"It is hard to imagine today, but a hundred years ago bureaucracy meant something positive. It connoted a rational, efficient method of organization - something to take the place of the arbitrary exercise of power by authoritarian regimes. Bureaucracy brought the same logic to government work that the assembly line brought to the factory. With the hierarchical authority and functional a specialization, they made possible the efficient undertaking of large complex tasks."

Since the word "bureaucracy" became a synonym to the word "government" (verify it with MS-Word grammar!) what can you expect these days? Efficiency? Smart decisions? Logical solutions? Forget-about-it!

When the highly qualified computer investigator decided to track the Chinese hackers and passed his amazing discoveries to the FBI that praised his work, as a result he was facing charges against his activity. "...they are so afraid of taking risks that they wasted all this time investigating me instead of going after Titan Rain" [very sophisticated attack - read below] - said the computer investigator.

Do you have any comments? Are you surprised? Do you see the elements of "political correctness" here?

Do you have any comments? Are you surprised? Do you see the elements of "political correctness" here?

At the same time, Chinese government is not under pressure from its corporations and it ignores any "political correctness" that has overpowered United States. China improves the security of its army (PLA) using a hardened FreeBSD operating system. Considering also more than 100 information infrastructure attacks per minute on the US Department of Defense originated from China and keeping in account that most of the DOD computers are Windows-based, now we have a clear picture: it's the face of an enemy.

Whether it's current or future enemy hard to say but I think that at this moment it is a virtual one, the enemy that is invisible, the enemy that is hard to catch. As I mentioned earlier, tracking virtual enemies can be quite a challenge to U.S. spy hunters.The FBI officials are uncompromisingly pursuing the possibility that the Chinese government is behind many cyber attacks (especially not widely discussed Titan Rain attack - "the most pervasive cyber-espionage threats that U.S. computer networks have ever faced.") considering how well it was organized.

As you may guess, it's almost impossible to determine who exactly was behind the attack: China government, PLA, or someone from private sector (aka patriot hackers) because China has not been cooperating with U.S. investigations of Titan Rain. In accordance to the TIME magazine, "TIME has obtained documents showing that since 2003, the hackers, eager to access American know-how, have compromised secure networks ranging from the Redstone Arsenal military base to NASA to the World Bank… and can be a point patrol for more serious assaults that could shut down or even take over a number of U.S. military networks".

Due to the length of this article I don't want to discuss this issue further but I highly recommend reading about the Titan Rain attack (see the link above) and who discovered it.

Similar developments can be seen on a military front. In April 2009, in Prague, President Obama gave a speech in which he pledged America would work toward a "world without nuclear weapons.". Considering China's military advancements, they have different plans. China's growing revenues helps to become the world's biggest military power, to the point where the U.S. "would not dare and would not be able to intervene in military conflict", for instance in the Taiwan where U.S. has its own interest. Their new ballistic missile is capable hitting a target at sea with the range more than 1,000 miles and could be well used to attack and sink U.S. carriers.

No wonder, the Defense Secretary Roberts Gates has expressed his concern, too: "Investments in cyber and anti-satellite warfare (by China), anti-air and anti-ship weaponry, and ballistic missiles could threaten America's primary way to project power and help allies in the Pacific - in particular our forward air bases and carrier strike groups." while the U.S. administration (faced with huge budget deficit) seized financing for upgrade of aged nuclear arsenal. All of it will lead to the reduction of our military capabilities giving China a leading edge.

History often repeats itself. You are witnessing the process of losing the world dominance by one country and shifting the power to another one.

The lost cyber warDuring 2008-2009, U.S. government and military organizations reported about 200 breaches including breaches of more than 70 million records in 2009 comparing to a total of fewer than 3 million in 2008. Do you see the trend? Did our government initiatives and billions of taxpayers' money spent on improving security pay off?

"The great thing about being a pessimist is that you are constantly either being proven right or pleasantly surprised." -- George Will, News commentator.

Consider me a pessimist but I don't see the light in the end of the tunnel.

I'd love to be wrong but I guarantee that there will be greater need in more security practitioners than we have now. Cyber security became a survival skill for any organization.

Senior government officials overseeing the nation's cyber defenses told a Senate panel that agencies are doing more to coordinate their far-ranging efforts, but that even in the best-case scenario, the hackers are often one step ahead. "The harder we can make the general network environment, the easier it's going to be to detect [threats]," said Richard Schaeffer, director of the National Security Agency's Information Assurance Directorate. "We believe that if one institutes best practices, proper configuration, good network monitoring ... a system ought to be able to withstand about 80 percent of the commonly known attacks."

What about the rest 20%?

What's the situation with resistance to cyber crime?The painful experience of the last several years, lost data, productivity, new security standards imposed by the government, humongous amount of money spent on improvement of IT security raised a red flag for many organizations. I can't say that we do nothing to fight cyber crime but as I mentioned above we are always one step behind the hackers. Let's see what's going on these days.

In February 2009, President Obama launched a 60-day investigation into cyber-security, promising to improve U.S. Internet defense. I don't know what was done after the investigation except the creation of one or more departments with more bureaucrats but the situation did not change much. I have been reading articles about new Federal law propositions, new security requirements, new initiatives, however, all of it proved to be close to useless not only at the U.S. level but also on the international level. According to InformationWeek news reports, the American and Russian governments were engaged in talks to make Internet a more secure medium and limit certain types of cyber-weapons but talks haven't progressed far due to a difference in philosophy.

Many organizations and companies who work on defense against Chinese hackers have recognized that it's close to impossible to catch and prosecute hackers who operate abroad and especially in China. Since no international legal agreement exist, even if the hacker will be traced to a particular person, it will be impossible extradite him to the U.S. considering the relationships with the communist's government of China. Lately, the relationships became even worse (the hacking of Google's story).

Meanwhile, Chinese hackers are becoming harder to monitor since they communicate and coordinate their attacks through private text-messaging rather than on blogs or Web sites, leaving no traces of their activities. So, what is left? Is there ANY way to protect our networks and data? The only learning how to defend ourselves is the way to go under current circumstances.

Again, I can't say we do nothing because:
  • We educate IT professionals responsible for protection of their IT infrastructure, and we have a number of highly experienced and certified professionals who participate in examining case studies, war-gaming various scenarios, exercises, and implementing global defense solutions.
  • We have created a whole bunch of security-related certifications to certify the expertise of IT pros (CISSP, CEH, Security+, CISA).
  • We have developed multiple government standards to protect the government networks and information.
  • We plug the endless holes in the operating systems, applications, utilities, and databases.
  • We participate in numerous webinars, read whitepapers, magazines and books; discuss the IT security on hundreds of forums.
  • We have plenty of web sites dedicated to data security.
  • We spent (and continue spending) zillions of dollars on anti-malware products and technologies ($7 billion a year).
Yet, we are still facing the same danger to be exposed to sudden cyber-attack or to become the victim of cybercrime because the standards are not perfect and not everyone is following them, the anti-malware products are only 50% effective; there are endless security holes in the operating systems, applications, web browsers, perimeter defense and more. As a result, for instance, according to FBI, an average of over 1 million computers per year is currently being hijacked by botnets; an estimated 90% of Internet access points on corporate networks are inadequately protected; and the cyber-gangsters rip estimated $100 billion worldwide utilizing silent attacks that are invisible to their victims.

What are the latest developments in cyber-defense?

There is interesting information about the new security content protocol specification that has been released by The National Institute of Technology (Special Publication 800-126. "The Technical Specification for the SCAP,"). In accordance to the Government Computer News, "SCAP comprises specifications for the standard organization and expression of security-related information, provides an overview of the protocol and on ways software developers can integrate SCAP technology into their product offerings and interfaces."

In the end of last year, the U.S. Department of Homeland Security (DHS) completed, in cooperation with other government agencies, a draft of national cyber attack response plan that is planned to be tested in September 2010 during Cyber Storm III, a cyber security drill. I am just curious why this information is available online and not restricted to those who has appropriate security clearance...

Northrop Grumman and three universities planned to form a cyber security research consortium to address emergent cyber security issues. Northrop Grumman will fund 10 research projects at MIT, Carnegie Mellon University and Purdue University. Quite a powerful combination! I hope we'll get some positive developments from the best brains in our country.

The Homeland Security seeks new ideas how to protect our networks by creating a Web 2.0 crowd-sourcing portal called IdeaFactory. House leaders have asked the chamber's security officials to implement a new cyber-security training procedure for aides and take extra steps to protect sensitive information from potential hackers and to recommend the technology updated focused on security awareness.

Microsoft detailed new botnet protection, IdM technology at RSA Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group, offers insight into the company's plans to thwart botnets, secure enterprise cloud computing and help individuals better manage their online identities.

Yes, the first step that will be the most effective is to educate computer users about potential threats from highly qualified hackers, what needs to be done and how to operate computers safely.

Here is what one fellow said in his blog

"I run a computer service shop, and...we drop Avast [anti-virus program] on ALL computers that come in, while simultaneously telling every single customer that it will do nothing to prevent them from brand new threats...and neither will anything else on the market today! Quoting myself, "viruses are a cat-and-mouse game, and antivirus vendors are always the cat doing the chasing." Software firewalls are also junk because any virus that does take root can easily bypass such a program. In reality, the only two things that are needed to keep a secure network are (A) a hardware firewall between you and the Internet and (B) well-educated, cautious, skeptical users. Education seems to fly out the window when an erection or free music is involved… Computers and software stopped being the weakest link over a decade ago. The most commonly exploited security hole on a computer is the device which sits between the keyboard and the chair, not the IP stack or WMF rendering libraries."

Posted by: cryptikonline on: 07/14/09

Step number two should be proactive defense, the type of defense that actively fights hackers with their own weapons. I was glad to find information that there are some white-hat hackers that actually do just that!

In accordance to F-Secure, a white-hat hacker (a good guy) using the avatar 'Catch-Em' hacked into the web site (the underground site that re-sells stolen credit cards), compiled a list of registered users with their email addresses and passwords and then posted the list to the Full Disclosure security mailing list. He also forced the web site to shut down for several days, and later (when the web site was online again) activated the DDoS (distributed denial of service attack).

DNSSEC introduced a new encrypted domain technology designed to protect the domain name system from spoofing and other hacks.

Lockheed Martin has formed an information security alliance with several technology providers to focus on self-healing systems to solve some of the information security problems.

There are also some successful operations on the grand scale. Eighty (80) people worldwide were arrested in connection with a major international banking ID phishing scam. "Operation Phish Phry" has been described as the biggest cybercrime investigation in US history.

I'd like to see more news like these ones:
There is a known technique to build "Honeypot" servers that attract hackers by lack of any protection and avert them from sensitive servers that have various layers of protection. Since the hackers usually take the easy route, those servers serve well by not only turning the attention away from important computers but also allow learning how the servers are being hacked and what needs to be done to protect the sites against becoming a part of botnets. For instance, a new open-source honeypot project called Glastopf dynamically emulates vulnerabilities attackers are looking for" and can auto-detect and allow unknown attacks.

Recently introduced technique, perhaps limits the number of security holes in the software by using the application Whitelisting techniques like from Faronics. If any executable file is not on the white list, it's not permitted to run!

On another note, if you have the critical infrastructure with strategic importance, why not isolate it physically from the Internet and use, perhaps, dedicated lines of communication? Not possible? I doubt it. With amount of money wasted on security that does not protect there is always a way to find the method of managing the infrastructure without exposing it to attacks originated from the Internet.

What can we do about cyber-terrorism?Let's be honest, the facts are against us. Those who defend the networks are faced with a huge range of cyber-weapons to protect the infrastructure. At the same time, the cyber-gangsters can reach the goal by exploiting only a single vulnerability. Cyber-gangsters are usually fanatics who would do anything to cause the mass destruction, whereas security experts are not the fanatics to work tirelessly endless hours.

U.S. Federal agents have thwarted planned terror attacks on Fort Dix, N.J. by uncovering a terror ring in Lackawanna, N.Y. and plots against the nation's financial centers, the World Bank, ten airliners landing in the U.S. (the liquid-bomb plot), JFK airport, the Brooklyn Bridge, the New York subway system, the Los Angeles airport, the Israeli consulate in Los Angeles, and the Prudential Building in Newark, N.J., among others. They fought real terrorists. But how do you fight cyber terrorists?

The Internet is not a secure media. Those security professionals who passed CISSP exam (commonly respected security certification) learned about the model for security policy development or so-called "CIA triad" (Confidentiality, Integrity, Availability). The problem with the Internet security lays in the fact that the Internet was not initially designed for confidentiality or integrity. It was designed for availability and resiliency by providing a packet switched network with alternate paths meshed together. The security services of confidentiality and integrity usually must be implemented at the application and end-point levels (computer, mobile phone, PDA, etc.).

There were some voices to re-design the Internet and to make it more secure. Wouldn't it be great? It makes sense for some of the people who are responsible for security. This drastic measure cannot be taken without the government intervention due to possibly imposed taxes on the Internet usage and huge expenses. As you may guess, this measure will obviously rage many people (including myself, perhaps on this stage) who would oppose it using all available civil rights. I am not talking only about the U.S. citizens but also about world's net-citizens since it must be a common effort after a commonly accepted agreement.

Maybe the future incidents will push more people toward this measure but we must act now - as a government and as individuals - to fully meet the challenge of cyber terrorism. Some methods we may use include:
  1. Implementing strong access control systems to ensure that only authorized individuals can access cyber systems.
  2. Using strong encryption to ensure confidentiality and integrity of information stored, processed, and transmitted on and through cyberspace
  3. Keeping policies up to date, and ensuring they are strictly enforced
  4. Implementing effective detection systems to recognize currently known and future cyber attacks quickly
  5. Closely monitoring all cyber activity by using log files and log analyzers
  6. Implementing a real-time national defense strategy
  7. Deep analysis and forward thinking on possible future technologies and prediction of attacks (based on current trends) that may occur as those technologies are implemented to address the security requirements of the future
1. END-POINT PROTECTIONS FOR ORGANIZATIONSHere are the "BIG SEVEN" rules that reflect the major steps to be taken to protect the end-points in the corporate and government networks:
  1. Create an Internet use policy and use the web content filtering with scheduled updates.
  2. Train employees on cyber security and enforce it vigorously.
  3. When administer the access rights, reduce privileges as much as possible on a "need-to-know" basis.
  4. Login to the system with administrator rights only when you need to change the configuration or install/remove the applications. Otherwise, login as a regular user with no administrative rights. (Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts)
  5. Take care about updating your software (OSs and applications patches) religiously.
  6. Use the best possible Anti-malware product on each piece of hardware. Besides that, implement application "whitelisting", heuristic and behavioral detection additionally to detection by signatures to mitigate zero-day threats.
  7. Consider implementing new technologies such as cloud and virtual computing by centralizing the hardware for distributing the applications down to user's PCs (or terminals).
Using application and OS streaming based on specific needs and storing the images in one, central location will increase the security level and lessen the burden of maintaining the security locally, on each node since all the patches and security protection will be concentrated in one place rather be distributed all over the network - hosted security (assuming that the application/OS streaming will be tightly secured and encrypted).

Such a solution may dramatically lessen the number of attack vectors with many additional benefits. In fact, server versions of Windows typically have a lower infection rate on average than client versions. Servers have a tendency to have a lower effective attack surface (or vectors) than computers running client operating systems because they are more likely to be managed by experienced administrators and to be protected by several layers of security.

2. ANTI-SPAM PROTECTIONMessageLabs Intelligence Top Tips to Stamp out Spam:
  • Protect your email address - using your primary email address anywhere on the web puts it at risk of being picked up by spammers so be careful where you use it
  • Watch out for the checkboxes - when you buy or sign up for something online, opt out of being contacted by third parties, you don't know where your address will end up.
  • Don't use the reply, remove or forward options - acknowledging the spam email using any of these options only validates your email address and can lead to more spam.
  • Use an unusual name - if you use an email address with numbers in it for instance, you are less likely to receive spam. Spammers often use directories of common names to guess email addresses, e.g.,, etc.
  • Avoid clicking on any links in spam messages - the addresses of links are frequently disguised and often serve only to confirm your existence to spammers. Same with unsubscribe links.
  • Avoid downloading pictures in spam email - these can identify you as a recipient even if you just view the message in the preview pane. You can view your email as text to prevent this, or you can set your email security to block external images.
  • Use a spam filtering service
3. HOME PC PROTECTION a) First of all, educate yourself about information security even if you are not involved in the Information Technologies.

b) Consider dedicating one PC exclusively for online banking. Restrict other browsing or services like email of web surfing.

c) Use the combination of the best security utilities. My "four favorites" that I have on EVERY PC that I use at home and recommend to my clients:
In addition, if you download a zipped or executable file from the Internet web site, please use the web site. Upload your file to that web site and verify it against 32 virus scanners. There is a big chance that only one anti-virus scanner will detect the malicious content. The service is free.

d) Do not expose your personal information on social networking web sites. It's easy to follow the crowd and proudly post your photos and personal information about yourself and your family. Keep in mind that it is exactly what the hackers need to steal your identity.

e) Remember that "there's no patch for human stupidity". Do not click on suspicious e-mails that you don't expect to receive. Do not open e-mail attachments (even such "innocent" as PDF or PPT files) because they may contain the malicious code. In fact, the PDF files, in particular, are responsible for about 80% of all infections in accordance to some sources. Such the files can take a form of fake codec or videos and poisoned search results continue tricking users into on purposely disabling the security programs that they had at the first place.

No Internet security suite can protect you from yourself, so do yourself and the Internet a favor - patch all your insecure applications - it's free with F-Secure and Secunia.

Through a combination of a fully patched OS (operating system) running the latest versions of the software installed, least privilege accounts and a well-configured personal firewall, a big percentage of the malware that penetrates through the client-side will be mitigated well before it reached the antivirus scanner.

f) Sometimes, you may travel (abroad or just out of your office). Please be cautious about public PCs/kiosks:
  • Check how the PC is set up. It shouldn't let you access the system settings such as the control panel and user accounts. It is a case when the less you can do on the PC, the better - it's well-locked down. I would also recommend to look around the PC for any kind of plug-in devices. It can be hardware-based keylogger attached to the keyboard cable or USB port. For more on keyloggers, read the Bright Hub article, "Risky business, using kiosk computers."
  • When you HAVE TO perform online banking and credit card purchases that might leave sensitive information on public PC and have to chance to avoid it (what is highly recommended), uncheck any box offering to remember your information and change your passwords as soon as you are on a PC you know is secure (home/your office). I have setup special access to my online PayPal account using the security fob that generates random digits to be used for passwords. It allows me to access the web site with a different password every time I use it. You may request it from PayPal, too.
  • If you have access to browser options that let you clear the cache and wipe out cookies, you should use them. The best systems warn you that they will clear stored information such as cookies when you exit.
  • If you need to save a file - do not do it to the local drive but rather to Flash drive. Also, you may want to e-mail the file to yourself and then delete it from the public PC. Make sure you emptied Windows Trash can.
  • If you access the Internet through Wi-Fi networks available in public places, remember, there might be hackers that wait for your free, password-free access. Today's Wi-Fi security protocols are proven to be weak and can be easily broken within minutes with a tool freely available on the Internet.

The future of cyber space. Be aware!Since this is the last chapter of this article, I'd like to summarize my concerns. In accordance to Liu Migfu (People's Liberation Army (PLA) Senior Col., "The China Dream" book), "China's big goal in the 21st century is to become world number one, the top power."

China's population is growing by 21 million a year and currently houses 1.2 billion people that represent 22% of the world's population. At the same time, their territory is only 7%. The law that restricts Chinese citizens to have only one child doesn't work because poverty breeds children in spite of the danger to be put in jail. This limited territory cannot provide enough food for such a dramatically growing population forever. Many poor Chinese citizens will be faced with starvation.

Of course, I am speculating but think about it. What would be the solution to this problem if you are one of the Chinese government officials? The answer is the immigration (legal and illegal) of a large number of people to the every corner of this world. It's the most inexpensive solution that will have the most lasting effect. China thinks in longer terms. The gradual (and peaceful!) takeover of the territory could be a long-term plan. Legal immigrants can buy or open businesses in whichever country they settle in and have the political power earlier or later. The illegal immigrants will flood the businesses with cheap labor. Given enough time, all of it may lead to serious political and economical influence all around the world especially if Chinese immigrants will preserve close ties with their motherland.

I am taking about a peaceful invasion that you cannot fight because it will be a fight against unarmed people. Taking into consideration long-term plans and almost enormous financial resources of China, the Chinese immigrants will be supplied with enough money from the Chinese government to keep the businesses strong. Of course, they will have to repay the loan what will tie them to China even more.

The same financial resources concentrated in the hands of Chinese government can surely be used (and probably are used) to finance the cyber-gangsters who conduct cyber espionage (economic and military), to secretly stockpile the gold and invest in oil-rich regions out of China, to bribe government officials in various countries and to gain the advantage in trade and politics. Just try to arrest any Chinese anywhere in the United States and the Chinese government will raise a hell with the White House. I am taking about boycotts of trade goods and various sanctions. The growing power of China will be used easily to tight our hands. Now, can we arrest any Chinese hacker in China even if he is an originator of the cyber attack?

The trade and cyber war between the People's Republic of China and the United States, in particular, is a war for extraordinary power and wealth for the winner, and therefore China uses all available resources openly or secretly for winning down the road.

Regardless of whether cyber terrorism is a serious threat to safety, our critical infrastructures, or just an annoyance, we must be forward-thinking to meet future challenges regarding cyber security.

As you understand, many countries' governments consider cyber security and cyber- weapons very seriously. Our government, in fact, not only continuously worked on improvement of cyber-security but also successfully used cyber attacks during Iraq war in May 2007 when George W. Bush authorized the NSA attack on the cellular phones and computers that insurgents in Iraq were using to plan roadside bombings. The attack not only prevented successful communication and coordination efforts but also supplied enemy with false information by leading them directly under fire of U.S. soldiers.

There were several cyber tsars to lead the U.S. efforts in cyber defense as well as several major initiatives aimed to improve and protect our infrastructures against cyber attacks. The new reality of computer age is taken so seriously that the Obama administration's former White House chief of cyber-security, Melissa Hathaway, has called for international cyberspace agreements (with similar proposals from Russian government).

However, the chances of such an agreement are quite slim. And here is why. The senior U.S. Army officials identify the wireless communications networks used by insurgents and terrorists as their No. 1 target, and after the Russian government's attempt to propose a treaty limiting the use of cyber-weapons, the State Department has rejected the idea preferring to focus on improving defenses and summon cyber attacks as crimes. In addition, the officials are against any move that could undermine our own cyber security by limiting the options and ability to attack because the advantages of having a cyber-warfare capacity are simply too great in the computer era world.

The cyber-war tactics are also advancing. The United States has already learned that it makes no sense to hit an enemy's infrastructure if it disables an ally's, and possibly America's own since many networks are interdependent. "If nations begin attacking one another's banks and power grids, the next step is exchange of bombs and bullets". In spite of the fact that China rapidly moves to the leading position of cyber-war master, most likely, it has no desire to knock-out Wall Street, because it owns large piece of it. Russia should be hesitant to begin a cyber-attack on the United States because, unlike Estonia or Georgia, the U.S. could quickly response with massive conventional force.

As you see the Cold War still exists but it moved underground or, to be precise, "underwire".

In fact, in accordance to McAfee's annual Virtual Criminology report, many nations are secretly stockpiling tools and techniques in preparation for sophisticated cyber warfare against each other So, expect the cyber-weapons to be enhanced, the cyber-war capacity to be increased and improved, and methods of penetration or DoS attacks to be technologically advanced.

Here is a "dirty 13" prediction for 2010 by Larry Barrett:
  1. Antivirus is not enough
  2. Social engineering as the primary attack vector
  3. Rogue security software vendors escalate their efforts
  4. Social networking third-party apps will fraud targets
  5. Windows 7 will come in the crosshairs of attackers
  6. Fast Flux botnets will increase
  7. URL-shortening services become the phisher's best friend
  8. Mac and Mobile Malware Will Increase
  9. Spammers breaking more rules
  10. As spammers adapt, volume will continue to fluctuate
  11. Specialized malware on the rise
  12. CAPTCHA technology will improve
  13. Instant messaging spam will surge

Russians have an excellent proverb that when being translated to English sounds like this: "Those drowning - save thyself". It can be very well applied to the situations described in this article.

Got computer? Start with security!

Please share this article on your network (Tweeter, Facebook, etc - more social networking links can be found on top of the page in the right corner)

Possibly Related Articles:
Breaches Privacy
Hacks Privacy China
Post Rating I Like this!
Ray Tan There are many useful tips and resources in your article for those people who want to protect themselves.
Although I disagree with your political opinion, I accept your technical advice,
Thank you.
colby dean This shouldn't be about a competition if whose got the edge or better software system, it's about making sure that these computer hackers be prevented to have access on any system. It's not really a political issue. It's about the circumstances that we deal with the technology we are using. There's a new way of monitoring activities of private and public businesses alike, in that way computer hacking would be best prevented. It's Perfect Citizen, a device intended to be use to help monitor computer networks of public and private corporations.
Don Turnblade I mostly agree but take issue with only three points. Pessimism misses the mark, extradition problems do get solved and there really is a growning software issue with exploitable defects per thousand lines of Source Code.

We won the cold war. I did my part and this kind of fear mongering is a waste of bits. That said, if 0.1% of the populace really has the means and intent to harm us, then first of all that means that 99.9% do not. That is seriously good news. After we stop defending against what is not a real threat, then we need real plans for that 0.1% that really is after us.

Not to depress anyone but 0.1% of 1.7 Billion Internet Users is 1.7 Million internet users with felony means and intent to harm us. None of these persons has distance, travel or visa restrictions preventing them from paying us a visit. That said, extradition problems get solved and counter measures get put in place. At a minimum the US government will learn to address this at least at the Civil Defense level or we will have to do the counter attaccking ourselves. The rules of engagement will get clarified.

Mistake rates of trained professionals apply even to Software Developers. Even a Six Sigma Certified Software process allows for 3.4 defects per million lines of source code. if one in 10 of these is a security flaw then that is 0.34 security flaws per million lines of source code. As tools get larger, this matters. Using binomial odds to work out how many error checks should be in place to meet Six Sigma Process levels suggests that 3,815 defect preventions steps may be needed to make even this level of security realistic to expect. We are going to have start idiot proof computers against developers or we are in for more security defects. Also, the number of Six Sigma Software Development Processes out there is not as high it should be.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.