World War Web Advisory #4: S.2105 Cybersecurity Act of 2012

[waltky]

Cybersecurity? - We're all screwed...

The state of cyber security: we’re all screwed
Monday 8 August 2016 - Sophisticated cybercrime, privacy fears and ongoing confusion about security have soured the internet for many, and doing something about it won’t be easy

When cybersecurity professionals converged in Las Vegas last week to expose vulnerabilities and swap hacking techniques at Black Hat and Defcon, a consistent theme emerged: the internet is broken, and if we don’t do something soon, we risk permanent damage to our economy. “Half of all Americans are backing away from the net due to fears regarding security and privacy,” longtime tech security guru Dan Kaminsky said in his Black Hat keynote speech, citing a July 2015 study by the National Telecommunications and Information Administration. “We need to go ahead and get the internet fixed or risk losing this engine of beauty.”

There’s no lack of things to be worried about: organized cybercriminal gangs; government surveillance; not to mention hack attacks from nation states. That may be good news for the cybersecurity industry, which is expected to grow more than 10% annually and surpass $200bn worldwide by 2021, according to research firm Markets and Markets.

But it’s bad news for the rest of us. As we conduct more of our lives online, we’re being asked to become increasingly savvy about computer security. Many are simply uninterested or not up to the task. Add up all these factors, and the question becomes not why many consumers are losing confidence in the internet, but whether they should have any confidence at all.

Consumers: the new ATM for cyber crooks

[waltky]

Winter's comin', Granny wants to get a wood stove in case the hackers cut off the `lectricical...

US, UK Cybersecurity Officials: Destructive Hacks are Coming
October 19, 2016 — The world should brace itself for more physically destructive hacks, two senior cybersecurity officials said Wednesday, warning that a more dangerous era of hacking was already upon us.

Paul Chichester, the director of operations at Britain's new National Cyber Security Center, told attendees at an event hosted by British defense think tank RUSI that electronic intrusions were on their way to becoming more “destructive, disruptive and coercive.” “That will be our future,'' he told a crowd of officers, academics and industry experts gathered for a two-day symposium in central London. Chichester was seconded by Air Force Lt. Gen. James K. McLaughlin, deputy commander at U.S. Cyber Command, who told attendees that infrastructure-wrecking attacks were being seen “right now in the environment.”

A specialist works at the National Cybersecurity and Communications Integration Center in Arlington, Virginia

Neither official went into specifics about what they'd seen or why they felt the threat was intensifying, although McLaughlin invoked a cyberattack in Ukraine which knocked out three separate power distribution companies last year. The Dec. 23 incident, believed to have been pulled off by a team of hackers using stolen passwords, left 225,000 people without electricity, according to a U.S. Department of Homeland Security bulletin published two months later.

Cybersecurity experts long worried that hackers can hijack the vulnerable industrial control systems to wreak havoc in power plants, traffic systems, factories, dams or reservoirs. Still, publicly confirmed examples of real-world damage from hacking have — so far — been few and far between. The Ukrainian incident provided a rare and dramatic demonstration of the physical consequences of a well-organized cyberattack. McLaughlin said there was now no doubt such hacks were possible. “Three years ago these were just theoretical,” he said. “Now we see them. They're practically here in front of us.”

http://www.voanews.com/a/us-united-k...g/3558379.html

[waltky]

How do you make everything cybersecure?...

U.S. calls on automakers to make cyber security a priority
Mon Oct 24, 2016 | Automakers should make shielding the electronic and computer systems of vehicles from hackers a priority, developing layers of protection that can secure a vehicle throughout its life, U.S. regulators said on Monday.

The cyber security guidelines issued by the U.S. National Highway Traffic Safety Administration are recommendations, not enforceable rules. However, they mark a step toward establishing a road map for industry behavior as lawmakers and consumers pressure automakers to show how they will protect increasingly connected and automated vehicles from cyber attacks. Some of the agency's proposals, included in a paper titled "Cybersecurity Best Practices for Modern Vehicles," echo moves major manufacturers are making already, including establishing a group to share information about cyber security threats.

The Jeep Cherokee Trailhawk sports utility vehicle (SUV) is seen during the media preview of the 2016 New York International Auto Show in Manhattan, New York

Automakers will carefully review the technical aspects of the agency's proposals as well as proposals related to the disclosure of information about "the secret sauce" of electrical and data systems, which is highly competitive, Jonathan Allen, acting executive director of the Automotive Information Sharing and Analysis Center, said in an interview on Monday. The group, often referred to as the AUTO-ISAC, was established by automakers as a clearinghouse for companies to share information about cyber security threats and countermeasures. Automakers accelerated efforts to address hacking threats over the past year after data security researchers successfully took remote control of a Jeep Cherokee and publicized their feat. Fiat Chrysler Automobiles in July 2015 recalled 1.4 million vehicles to install software to protect against future data breaches.

Charlie Miller (L) and Chris Valasek give a briefing during the Black Hat USA 2015 cybersecurity conference in Las Vegas, Nevada August 5, 2015. Miller and Valasek talked about how they remotely hacked into a 2014 Jeep Cherokee

Other automakers, including BMW AG and Tesla Motors Inc, have disclosed actions to fix potential data security gaps. The security of data and communications systems in vehicles is also critical as more auto manufacturers gear up to follow Tesla's lead and begin offering significant vehicle upgrades through wireless data links. The Federal Bureau of Investigation earlier this year warned that criminals could exploit online vehicle software updates.

The 2015 Jeep Grand Cherokee is exhibited on a car dealership in New Jersey

The NHTSA recommends manufacturers conduct tests of vehicle systems to see if the cyber security systems can be breached, and document their testing and their assessment of the risks. Democratic U.S. Senators Ed Markey of Massachusetts and Richard Blumenthal of Connecticut said the NHTSA should do more. “If modern day cars are computers on wheels, we need mandatory standards, not voluntary guidance, to ensure that our vehicles cannot be hacked and lives and information put in danger," the lawmakers said in a statement Monday. The Alliance of Automobile Manufacturers said on Monday the NHTSA guidelines appear to support the steps being taken by the AUTO-ISAC. The Alliance represents General Motors Co, Ford Motor Co and Daimler AG, among others.

http://www.reuters.com/article/us-au...-idUSKCN12O2JG

See also:

U.S. takes aim at cyber attacks from connected devices as recalls mount
Mon Oct 24, 2016 | Obama administration officials sought on Monday to reassure the public that it was taking steps to counter new types of cyber attacks such as the one Friday that rendered Twitter, Spotify, Netflix and dozens of other major websites unavailable.

The Department of Homeland Security said it had held a conference call with 18 major communication service providers shortly after the attack began and was working to develop a new set of “strategic principles” for securing internet-connected devices. DHS said its National Cybersecurity and Communications Integration Center was working with companies, law enforcement and researchers to cope with attacks made possible by the rapidly expanding number of smart gadgets that make up the "internet of Things. Such devices, including web-connected cameras, appliances and toys, have little in the way of security. More than a million of them have been commandeered by hackers, who can direct them to take down a target site by flooding it with junk traffic.

Several networks of compromised machines were directed to attack big customers of web infrastructure company Dyn last week, Dyn officials and security researchers said. The disruption had subsided by late Friday night in America, and two of the manufacturers whose devices had been hijacked for the attack pledged Monday to try to fix them. But security experts said that many of the devices would never be fixed and that the broader security threat posed by the internet of Things would get worse before it gets better. “If you expect to fix all the internet devices that are out there, force better passwords, install some mechanism for doing updates and add some native security for the operating system, you are going to be working a long time,” said Ed Amoroso, founder of TAG Cyber and former chief security officer at AT&T. Instead, Amoroso said he hoped that government officials would focus on recommending better software architecture and that business partners would insist on better standards.

In the meantime, fresh responses by two of the companies involved in the attacks illustrated the extent of the problem. Chinese firm Hangzhou Xiongmai Technology Co Ltd, which makes components for surveillance cameras, said it would recall some products from the United States. Another Chinese company, Dahua Technology, acknowledged that some of its older cameras and video recorders were vulnerable to attacks when users had not changed the default passwords. Like Xiongmai, it said it would offer firmware updates on its website to fix the problem and would give discounts to customers who wanted to exchange their gear. But neither company has anything like a comprehensive list of their customers, many of whom will never learn of the problems, said Dale Drew, chief security officer with communications provider Level 3. “I wouldn’t be surprised if the only way they are going to reach their consumers is through media reports, Drew said.

http://www.reuters.com/article/us-us...-idUSKCN12P047

[waltky]

Military cybersecurity opportunities...

Uncle Sam May Want You for Cyber War
9 Mar 2017 | Brig. Gen. Patrick Higby is director of Cyberspace Strategy and Policy, Office of Information Dominance and Chief Information Officer, U.S. Air Force. The opinions in this column are his own.

Imagine this scenario: America is at war and it's getting messy. Our enemies exploit cyber vulnerabilities, inflicting severe losses on our economy and national security without fear of consequence or reprisal. Should the country explore every available response, whether under the confines of current law or through new methods to unleash the untapped potential from private citizens, communities and corporations? Fears of an "electronic Pearl Harbor" have been with us for more than a decade, and threats to American cyber security grow more profound by the day. In recent years, foreign hackers have infiltrated everything from government networks and databases to banks, movie studios and political organizations. Just recently, Defense Secretary James Mattis noted a significant increase in the hacking of NATO country databases during recent years.

In addition to the traditional approaches to countering cyber threats, perhaps it is time to start thinking unconventionally about safeguarding our electronic infrastructure and, more importantly, our data. There is, after all, a long-standing tradition of American pragmatism and ingenuity used to turn the tables on our adversaries and leverage the private sector. America's most famous example of "privateering" came in June 1812, when our young nation was at war with Britain. Our Navy fielded perhaps a dozen ships. Britain's battle-hardened Royal Navy boasted over 500 warships, with 85 of these operating in American waters when the War of 1812 broke out. Something was needed to quickly even the odds as the Royal Navy pummeled our commerce and interdicted our harbors.

Three airmen perform cyber operations at Lackland Air Force Base, Texas

Enter the privateers -- armed private ships manned by civilian crews motivated by patriotism and profit. These brave sailors were given Letters of Marque as authorized by Article 1 of our Constitution and constrained under an admiralty court to seize British ships as prizes. These actions bolstered the meager U.S. Navy and allowed private citizens and corporations to actively fight back to inflict great consequences upon our adversary. Today, our nation is at war with many non-state actors, including the Islamic State, who are leveraging social media and the dark web to further their repugnant objectives. A recent article in "The Atlantic" magazine by Emerson Brooking and Peter Singer outlined the problem: "While the Islamic State has shown savvy in its use of social media, it is the technology itself -- not any unique genius on the part of the jihadists -- that lies at the heart of the group's disruptive power and outsize success. Other groups will follow."

That innovation in exploiting the new cyberspace domain should not be confined to our adversaries. We can just as easily unleash American ingenuity in service of national interests without having to resort only to traditional military options. We are suffering significant losses in cyberspace as savvy enemies continue to hack government databases and other critical infrastructure without fear of real or immediate consequences. The continued message of using strictly military solutions, technology-based defenses and cyber hygiene alone will no longer suffice. As was the case with our privateers, American citizens, communities and corporations must be empowered to fight back and inflict more immediate and unpredictable consequences upon our adversaries to change the calculus. Today's challenges call for no less ingenuity than those faced by previous generations.

http://www.military.com/daily-news/2...cyber-war.html

[waltky]

New York Offers Free Cybersecurity Tools to Public to Deter Hackers...

New York Offers Free Cybersecurity Tools to Public to Deter Hackers
March 29, 2018 - New York City will offer free cybersecurity tools to the public as part of a new effort to improve online safety, officials said Thursday, a week after Atlanta was hit with a ransomware attack that knocked some municipal systems offline.

The program, dubbed NYC Secure, will launch a free smartphone protection app to warn users when suspicious activity is detected on their devices, New York Mayor Bill de Blasio announced at a news conference. "New Yorkers aren't safe online. We can't wait around for other levels of government to do something about it or the private sector," de Blasio said. The program will cost the city about $5 million per year, he said. "It's our job in government to make sure that people are safe online. It's a new reality," de Blasio said.

City agencies will also beef up security protection on public Wi-Fi networks by the end of the year to protect residents, workers and visitors. Those networks will be secured with a tool, dubbed Quad9, that is available to anybody in New York City and beyond at https://quad9.net. Quad9 routes a user's web traffic through servers that identify and block malicious sites and email.

Atlanta cyberattack

NYC Secure was unveiled as Atlanta officials worked alongside federal law enforcement and technicians from private security firms to investigate the cause of the attack that encrypted data on computers. Atlanta City Council President Felicia Moore said she was waiting to hear more about how the hackers breached city networks, the scope of the attack and when city services would be fully operational. "Everybody in the public wants to know. I want to know, too," Moore said at a news conference. "But I do think that we need to give them an opportunity to get the information."

Atlanta on Thursday reactivated a website that allows residents to make requests for trash pickup, report traffic signal outages and ask for other public works-related services. Municipal court services remained offline Thursday and City Hall employees told Reuters their work computers were still unusable a week after the hack was detected.

https://www.voanews.com/a/new-york-f...s/4323141.html