- Do not respond to any unsolicited (spam) incoming emails, including clicking links contained within those messages.
- Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via email or social networking sites.
- Beware of organizations with copycat names similar to but not exactly the same as those of reputable charities.
- Rather than following a purported link to a website, verify the legitimacy of nonprofit organizations by using various Internet-based resources to confirm the group's existence and its nonprofit status.
- Be cautious of emails that claim to show pictures of the disaster areas in attached files, because the files may contain viruses. Open attachments only from known senders.
- To ensure your money is received and used for its intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf.
- Do not be pressured into making contributions, as reputable charities do not use such tactics.
- Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.
- Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals.
Friday, February 12, 2010
Stop clicking
Texas Lyceum and Cyber Security
It was an interesting group that was assembled and for those interested in watching the discussion, it will be broadcast in the major markets in Texas on PBS sometime over the next month or so (Feb. 18th @ 8:00 PM on KLRU in Austin). The speakers were a good fit of business, policy, and research. I had the opportunity to speak with one of the panelists, Dr. Nicole Beebe, at another event this past Monday. We both agreed that the Q&A session was far too short and that we would have liked the social engineering aspects of cyber security explored at some level.
-------------------------------------------------------------------------
/tangent/
My view on cyber security is that it is 20% technology, policies, standards, guidelines, and procedures, and the other 80% is making sure everyone is aware of those policies, standards, guidelines, and procedures and that everyone knows how to use the security technologies.
As with many things, education is the key.
/tangent/
--------------------------------------------------------------------------
Bill Morrow of CSIdentity was an entertaining character who livened up the conversation, and Ari Schwartz provided solid government policy and legislation data. Robert Hansen of SecTheory may have seemed a little more BlackHat than he wanted to when trying to prove he had street cred with all the crackers out there. Dr. Beebe presented excellent comments on data privacy vs. usage, both from an academic and an investigative perspective. No doubt she has tracked down (or would love to track down) some of Mr. Hansen's friends...
Overall, I highly recommend watching it or setting it to record on your DVR. I'll be the shining head smack-dab in the middle of the audience.
Michael Mongold
Friday, February 5, 2010
Cybersecurity Enhancement Act of 2009 Passes the House 422-5
H.R. 4061 calls out the National Science Foundation and NIST in particular, to bolster cybersecurity research and enhance data asset protection schemas. The Office of Management and Budget states that Federal security agencies spend roughly 10% of their IT infrastructure budget on cybersecurity or roughly $6 billion per year.
NIST (National Institute of Standards and Technology) will be required to develop "checklists of settings and options that minimize security risks associated with computer systems that are, or are likely to become, widely used within the federal government."
Special to my interest is the directive to:
"establish a program to support development of technical standards, metrology, testbeds, and conformance criteria with regard to identity management research and development"
The funding to support research of cybersecurity initiatives is a welcome sight and well-timed with the increase in cyberattacks from Chinese and Iranian sources. The expectation is, and should be, that any significant physical attack on the United States will be coordinated with a significant attack on our information infrastructure.
Hopefully the funding and political stamina will continue to flow as cyber threats to our nation continue to evolve.
NASA still struggling with IT Security
According to the testimony, during 2007 and 2008 NASA reported over 1,100 realized exploits in which unauthorized access to sensitive information was obtained and malicious code was installed on NASA systems.
The deficiencies present real and credible dangers to NASA personnel and their operations. With these exploits, the opportunity to access, modify, or delete "mission critical" information is quantifiable.
If true, Ms. Chaplain's testimony provides a ray of hope for the embattled organization:
"The deputy administrator also stated that NASA will continue to mitigate the information security weaknesses identified. The actions identified by the deputy administrator, if effectively implemented, will improve the agency's information security program."
It is typical for businesses and government organizations to be concerned about the integrity of their data, but few other scenarios could create a more tangible need for the availability and accuracy of their assets than a multi-billion dollar venture where lives are at stake.
Let's hope that future news about NASA's IT Security is lauding its standing as an InfoSec role model rather than trying to explain its role in a tragedy.
Tuesday, February 2, 2010
WPA vs WPA2 - Worth the upgrade?
BLUF: WPA (Wi-Fi Protected Access) only supports TKIP (Temporal Key Integrity Protocol), which has been weakened a couple of times. It is expected that, since it was built on the old WPA technology, more weaknesses will be found.
How much does the safeguard cost? What is the likelihood that the exploit will be realized? And finally, how much would the exploit cost if realized?
That's usually the order I look at things. How much is this going to run me? Is it really that likely? Only then do I look at the value proposition of the solution against the exploit cost so I can push it up to the bean counters.
Also, if we have a number of WAPs (Wireless Access Points) deployed that can run WPA but not WPA2, then migrating to WPA2 will affect my budget beyond man hours.
Why do so many legacy WAPs run WPA and not WPA2? Because WPA was an excellent solution made to exist on wimpy WEP hardware. WPA uses TKIP, which is not very resource intensive. WPA2, on the other hand, uses AES, which is incredibly robust but at a price. Hardware that could handle the processing needs of TKIP just doesn't have the oomph to crunch AES.
This means that if your legacy hardware falls into this category, migrating to WPA2 is not quite as trivial a task.
So let's get back to our decision...
First you must look at the weaknesses of WPA. In order to exploit WPA, someone would need to be incredibly motivated to try and break TKIP. If someone wants in THAT bad, they’ll probably find another way to get what they want. Plus, the exploits of TKIP that have been reported are limited and more complex than the vast majority of bad guys out there are capable of. That doesn't mean that someone won't leverage TKIP's weaknesses to hax0r your intertubz but it does make it significantly less likely.
I believe in the "electric hacker" theory when it comes to threat agents. The vast majority of the time, someone trying to access your assets is going to take whichever path provides the least amount of resistance. Just like electricity. Least effort will usually be the motivating factor in what exploits will be attempted. It doesn't mean that there aren't some overachieving miscreants out there, just means that there are not a lot of them and they are probably focused on more rewarding booty than what you can provide.
If you are looking at upgrading 10 WAPs at $700 each you will spend seven grand plus the man hours to deploy these new devices. If you have the budget and the time then you might as well. However, most organizations I know are not blessed in that way. Time and money are tight and you have to fight the fires with what limited resources you have.
My pragmatic opinion is: The threat is not likely enough to spend the money and time to mitigate the risk. Most infosec teams have more pressing issues to address.
Your thoughts?
Michael Mongold
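The post above frames the WPA2 decision as three questions (safeguard cost, likelihood, exploit cost) applied to a fleet where some WAPs can take AES and some cannot. The following is an added example, not code from the original post or from any vendor: it walks a constructed inventory of access points, reads each one's hostapd-style settings (the option names `wpa`, `wpa_pairwise` and `rsn_pairwise` are real hostapd keys; the configs themselves are made up), sorts them into "already on AES", "reconfigure" and "replace hardware", totals the safeguard cost, and compares it with the expected loss. The inventory, prices, labour hours and probabilities are all constructed sample values, and the `aes_capable` flag is a hypothetical inventory field.

```python
"""Added example: TKIP inventory check plus the cost/likelihood/impact
comparison described in the post.  All figures below are constructed."""

from dataclasses import dataclass


@dataclass
class AccessPoint:
    name: str
    config: str            # hostapd-style fragment (constructed sample)
    aes_capable: bool      # hypothetical inventory flag: can the radio do AES/CCMP?
    replacement_cost: float


def parse_hostapd(config: str) -> dict:
    """Extract the WPA mode bitmask and the pairwise ciphers it allows.

    hostapd uses wpa=1 (WPA), wpa=2 (WPA2/RSN), wpa=3 (both).  The fallback
    ciphers used when a key is absent are an assumption of this example,
    chosen conservatively (TKIP for WPA), not hostapd's documented defaults.
    """
    settings = {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    mode = int(settings.get("wpa", "0"))
    ciphers = set()
    if mode & 1:
        ciphers |= set(settings.get("wpa_pairwise", "TKIP").split())
    if mode & 2:
        ciphers |= set(settings.get("rsn_pairwise", "CCMP").split())
    return {"wpa_mode": mode, "ciphers": ciphers}


def classify(ap: AccessPoint) -> str:
    """ok: AES-only already; reconfigure: TKIP enabled but hardware can do AES;
    replace: TKIP is the only thing the hardware can run."""
    info = parse_hostapd(ap.config)
    if "CCMP" in info["ciphers"] and "TKIP" not in info["ciphers"]:
        return "ok"
    if ap.aes_capable:
        return "reconfigure"
    return "replace"


def safeguard_cost(fleet, hours_per_ap=2.0, hourly_rate=75.0) -> float:
    """Hardware plus labour needed to get every AP off TKIP.
    Labour hours and rate are constructed assumptions."""
    total = 0.0
    for ap in fleet:
        verdict = classify(ap)
        if verdict == "replace":
            total += ap.replacement_cost + hours_per_ap * hourly_rate
        elif verdict == "reconfigure":
            total += hours_per_ap * hourly_rate
    return total


def decide(cost: float, annual_likelihood: float, exploit_cost: float,
           horizon_years: int = 3) -> dict:
    """Compare the safeguard against expected loss over the planning horizon.
    expected_loss = likelihood per year x cost if realized x years."""
    expected_loss = annual_likelihood * exploit_cost * horizon_years
    return {"safeguard_cost": cost,
            "expected_loss": expected_loss,
            "upgrade": expected_loss > cost}


# Constructed three-AP fleet: one already on WPA2/AES, one mixed-mode unit
# whose radio can do AES, one TKIP-only legacy unit.
FLEET = [
    AccessPoint("ap-lobby", "wpa=2\nrsn_pairwise=CCMP\n", True, 700.0),
    AccessPoint("ap-floor2", "wpa=3\nwpa_pairwise=TKIP\nrsn_pairwise=CCMP\n", True, 700.0),
    AccessPoint("ap-warehouse", "wpa=1\nwpa_pairwise=TKIP\n", False, 700.0),
]


def report(fleet=FLEET, annual_likelihood=0.05, exploit_cost=10000.0) -> dict:
    verdicts = {ap.name: classify(ap) for ap in fleet}
    cost = safeguard_cost(fleet)
    return {"verdicts": verdicts, **decide(cost, annual_likelihood, exploit_cost)}


if __name__ == "__main__":
    for name, verdict in report()["verdicts"].items():
        print(f"{name:14s} {verdict}")
    print(report())
```

With these constructed numbers the one hardware replacement plus two labour slots comes to $1,000, while a 5% annual likelihood of a $10,000 incident over three years is $1,500 of expected loss, so the function says upgrade; drop the likelihood to 1% and it says the money is better spent elsewhere, which is the post's own conclusion. The useful part for a real fleet is the `classify` step: it separates the APs that only need a configuration change from the ones that genuinely need the $700 replacement the post budgets for.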