Wednesday, March 24, 2010

U.K. Internet Cafes Asked to Monitor Web Usage for Terrorism

After several terrorism-related convictions in the U.K. where suspects were believed to have used Internet cafes, police are seeking cooperation from the cafe owners:
"The new initiative involves getting internet cafe owners to monitor the websites their customers view and to pass on any worries over suspicious activity to the police."
and additionally,
"The police want internet cafe owners to check the hard drives of their computers to help spot any suspicious activity."
It probably goes without saying that there are critics of the program(me). One commentator is quoted:

"What is dangerous about this initiative is that it does not just focus on preventing access to illegal material but also material that is defined as 'extremist' without offering an objective definition of what that is.

"It thus potentially criminalises people for accessing material that is legal but which expresses religious and political opinions that police officers find unacceptable."

Anti-terror police seek help from internet cafes

Friday, March 12, 2010

Increasing Use of the Internet by Terrorist Groups

The LA Times reports on the extensive and effective use of the Internet by traditional terrorist organizations:
"From charismatic clerics who spout hate online, to thousands of extremist websites, chat rooms and social networking pages that raise money and spread radical propaganda, the Internet has become a crucial front in the ever-shifting war on terrorism."
The article also discusses using the Internet for terrorist training activities:
"The new militancy is driven by the Web," agreed Fawaz A. Gerges, a terrorism expert at the London School of Economics. "The terror training camps in Afghanistan and Pakistan are being replaced by virtual camps on the Web."

Internet making it easier to become a terrorist

Thursday, March 11, 2010

Report: Internet Controls Violate Human Rights

The U.S. Department of State's 2009 Human Rights Report highlights Internet censorship as a major human rights concern. The report's introduction included cyber monitoring and controls resulting in privacy violations and censorship:
"2009 also was a year in which more people gained greater access than ever before to more information about human rights through the Internet, cell phones, and other forms of connective technologies. Yet at the same time it was a year in which governments spent more time, money, and attention finding regulatory and technical means to curtail freedom of expression on the Internet and the flow of critical information and to infringe on the personal privacy rights of those who used these rapidly evolving technologies."
Most notable in the report were China and Iran:
"The government of China increased its efforts to monitor Internet use, control content, restrict information, block access to foreign and domestic Web sites, encourage self-censorship, and punish those who violated regulations. The government employed thousands of persons at the national, provincial, and local levels to monitor electronic communication ... The government at times blocked access to selected sites operated by major foreign news outlets, health organizations, foreign governments, educational institutions, and social networking sites, as well as search engines, that allow rapid communication or organization of users... The government also automatically censored e-mail and Web chats based on an ever-changing list of sensitive key words."
The report also notes that government interference is not always effective:
"Despite official monitoring and censorship, dissidents and political activists continued to use the Internet to advocate and call attention to political causes such as prisoner advocacy, political reform, ethnic discrimination, corruption, and foreign policy concerns."
The report cites Iran for cracking down on Internet access in the run-up to the June presidential election:
"...the government blocked access to Facebook, Twitter, and other social networking sites. After the June election, there was a major drop in bandwidth, which experts posited the government caused to prevent activists involved in the protests from accessing the Internet and uploading large video files."
Receiving honorable mentions were North Korea because:
"Internet access was limited to high-ranking officials and other elites..."
and Vietnam where:
"Bloggers were detained and arrested under vague national security provisions for criticizing the government and were prohibited from posting material the government saw as sensitive or critical. The government also monitored e-mail and regulated or suppressed Internet content, such as Facebook and other Web sites operated by overseas Vietnamese political groups."

2009 Human Rights Report: Introduction

Tuesday, March 09, 2010

Law Firms Increasingly the Victims of Espionage

Law firms are one of the latest targets of alleged cyber espionage from China and others interested in obtaining information on clients or litigation that involve their interests:
"Law firms are attractive targets for cyberattackers because they maintain sensitive client information on their systems, according to attorneys and technology consultants. Perpetrators may be digging for litigation strategies, negotiation tactics, details on pending deals, or other specific information that could aid governments, competitors, or other entities. The bulk of cyberattacks originate overseas, with China leading the pack..."
Law firms are at high risk both because of the sensitive nature of the information they possess and because they don't understand the threat or how to protect themselves. From an adversary's perspective, they are high-value targets with a high potential for a successful attack and low risk of being caught.

Understanding the exact extent of law firm intrusions is difficult due to ignorance or fear of reputational damage:
"Often, law firms never figure out on their own that their networks have sustained serious breaches, largely because... attacks are designed to be difficult to detect. Most firms learn of network security problems from third parties, often law enforcement authorities..."

"Law firms often fear that disclosing such a breach may prompt their clients to take their business to a competing firm, even though that competing firm likely has no better capacity to protect the client's information..."

Firms Slow to Awaken to Cybersecurity Threat

Friday, March 05, 2010

Political Cyber Crimes Growing

The growth of politically motivated computer crime is the subject of a recent article discussing how companies focus on profit-motivated cyber crime while ignoring other threats. The author states that because of "fear-mongering from the media and opportunistic profiteers, we've all become myopically obsessed with [profit based] cyber-crime."
"While monetary gains are certainly a big motivator for cybercrime, increasingly cyber-criminals are acting out of political interests."
The article blames much of this on security vendors hyping specific threats that their products are designed to protect against. I agree: I see it every day when advising my clients.

The author then prescribes three actions companies should take. These are summarized as:
  1. "...put up the best defenses you can. Make sure that you are putting the resources you already have, such as log files, to the best possible use";

  2. "...implement the best people-processes you can"; and,

  3. prepare to be "hacked".
Unfortunately, these recommendations just repeat the very error the article points out: blindly implementing security controls without understanding the nature of the threats the organization faces.

There are many cyber threats with a multitude of motives, and one of the key contributors to the increased effectiveness of all types of cyber-crime is the myopic focus on technology without understanding threats and risks. This leads to some threats not being mitigated while others are over-protected, thereby wasting valuable budget and resources (see "IT security professionals must evolve for changing market" for further discussion).

Companies need to start with a thorough assessment of threats and risks. Then, they can design the organization, skills, policies and processes to best mitigate those risks. Only after these steps are completed should they begin to choose and implement (technical) controls that help automate and manage the mitigation and monitoring processes. Anything else is just a waste of money.

Managing threats and risks should drive the selection and use of controls - not the other way around.

The author is correct that too many organizations are not prepared for cyber attacks and assume (incorrectly) that if they have a firewall and some log management or other tools in place they don't need to worry. No security control or process would be perfect even if resources and budgets weren't an issue. Companies need a robust incident response capability, and one that is in place before a crisis occurs rather than developed during it.

Focus on Cyber-Crime Misses Real Threat

Thursday, March 04, 2010

NATO Facing Increased Cyber Threats

NATO's Secretary-General commented at a NATO seminar in Finland that the alliance needs to increase defenses against cyber threats. While he did not release any details, it appears NATO is concerned about a wide range of potential problems:
"It's really a broad range of threats. There are many actors in cyberspace, and we have to develop a capacity to protect ourselves against those attacks," [said Secretary-General Anders] Fogh Rasmussen.
Swedish Foreign Minister Carl Bildt also commented at the same meeting on the threat saying:
"There are terrorists, spies, subversive attempts, ongoing attacks as well as preparations for much more disruptive and destructive operations... There will be no security for our societies if we can't secure both our cyberspace and our orbital space."

NATO chief calls attention to cyber threats

Tuesday, March 02, 2010

Germany Suspends Communication Data Retention Law

Citing security and transparency concerns, the German Federal Constitutional Court has suspended the law requiring communication providers and ISPs to retain traffic information for six months for use by law enforcement:
"The judges said the data storage was not secure enough and that it was not sufficiently clear what it would be used for."
The law was implemented to follow an EU Directive aimed at fighting terrorism, but the court ordered the suspension until new rules for the storage and use of the data could be implemented:
"The court demanded that stricter conditions be attached to the use and storage of the data, saying it needed to be encoded and that there should be 'transparent control' of what the information was used for."
The court additionally ordered all data stored to date to be deleted.

German High Court Limits Phone and E-Mail Data Storage