Data Breaches are a Global Problem

For those of you who maybe just thought that data breaches were only happening against US companies, and only by a certain country as the culprit, we wanted to remind you that this certainly isn’t so.

In fact, just in the last several weeks, breaches against major companies in the UK, Australia, Japan, Kenya, Korea, China and others have come to light. Sources of attacks show evidence of criminal groups working from the US, Brazil, Northern Africa, the Middle East, Russia and Asia among others. Just follow the data for a few weeks, and it quickly becomes clear that this is a GLOBAL problem and is multi-directional.

Even loose alliances seem to come and go amongst these criminal groups. They often steal data, talent, techniques, tools and resources from each other. They work together on one deal, while treating each other as competitors in other deals simultaneously. The entire underground is dynamic, shifting in players, goals and techniques on an almost moment-by-moment basis. What works now spreads, and then gets innovated upon.

This rapidly changing landscape makes it hard for defenders to fight against the bleeding edge. So much so, in fact, that doing the basics of information security, and doing them well, seems to be far more effective than trying to keep up with the latest 0-day or social engineering techniques.

That said, next time you read a report that seems to cast the data breach problem as a US issue versus the big red ghost, take a breath. Today, everyone is hacking everyone. That’s the new normal…

International Cyber Intelligence & Situational Awareness (SA)…Operation Middle Kingdom

Good day Folks;

Here is an extensive list of the recent International Cyber Intelligence & Situational Awareness (SA) you should be cognizant of…something cyber for everyone including the People’s Republic of H@cking, HUAWEI, Pakistan ~ People’s Republic of China relations and much, much more cybernia related…and coming soon to a computer and networked system near you OP Middle Kingdom…

Innovation and Disruption, & Why the People’s Republic of China Needs the Latter

http://www.techinasia.com/difference-innovation-disruption-important/

A Breakdown of the People’s Republic of China’s New Visa Rules

http://www.haohaoreport.com/l/43604

A New Anti-American Axis? People’s Republic of China & Russia…

http://www.nytimes.com/2013/07/07/opinion/sunday/a-new-anti-american-axis.html?

People’s Republic of China’s Huawei Zambia to invest $500,000 in brand promotion | Times of Zambia

http://www.times.co.zm/?p=22996

People’s Republic of China, Pakistan Build Communication, Transportation Links

http://www.ibtimes.com/china-pakistan-agree-communications-transport-links-huawei-board-fiber-optic-project-1335227?ft=w18y0

PM urges People’s Republic of China’s Huawei to set up research centre in Pakistan

http://www.pakistantoday.com.pk/2013/07/07/news/profit/pm-urges-huawei-to-set-up-research-centre-in-pakistan/

People’s Republic of China’s Huawei-Imperial plan renews Chinese cyber-security fears

http://theconversation.com/huawei-imperial-plan-renews-chinese-cyber-security-fears-15788

People’s Republic of China’s Huawei deploys high speed 4G on Mount Everest

http://www.theinquirer.net/inquirer/news/2279724/huawei-deploys-high-speed-4g-on-mount-everest

People’s Republic of China’s Huawei to build China-Pakistan link

http://www.defence.pk/forums/economy-development/262482-huawei-build-china-pakistan-link.html

People’s Republic of China’s Huawei Ready to Outspend Ericsson in R&D Race to Woo Clients

http://www.bloomberg.com/news/2013-07-02/huawei-woos-carriers-with-research-boost-beyond-me-too-networks.html

People’s Republic of China’s Huawei supports Asia Pacific hospitals

http://www.itwire.com/it-industry-news/market/60579-huawei-supports-asia-pacific-hospitals

People’s Republic of China’s Huawei boosts spending on research

http://www.scmp.com/business/companies/article/1275572/huawei-boosts-spending-research

People’s Republic of China, Switzerland sign free trade agreement
Switzerland is the latest OP Middle Kingdom acquisition by the People’s Republic of China…

http://www.reuters.com/article/2013/07/06/us-china-trade-idUSBRE96503E20130706

Studies: Cyberspying Targeted SKorea, US Military

http://abcnews.go.com/International/wireStory/studies-cyberspying-targeted-skorea-us-military-19602444

Turkish Agent Hacked US Air Force Culture & Language Center Website | Cyberwarzone
Didn’t the USAF tell the US Senate they were lead DoD on Cyber & were going to protect US Critical Infrastructure against hackers?
Hell, they cannot even protect themselves….
USAF CYBER ….MASSIVE FAIL….

http://cyberwarzone.com/turkish-agent-hacked-us-air-force-culture-language-center-website

Taiwanese Military to stage computer-aided war game later this month: MND
“tested the armed forces ability to fend off a simulated invasion by Chinese forces.”

http://www.chinapost.com.tw/taiwan/national/national-news/2013/07/03/382727/Military-to.htm

EU and People’s Republic of China close in on solar panel deal

http://www.reuters.com/article/2013/07/05/us-china-solar-idUSBRE9640L720130705

Pakistan, China set sights on Arabian Sea link |

http://www.ksl.com/?nid=235&sid=25866836&title=pakistan-china-set-sights-on-arabian-sea-link

Is People’s Republic of China’s Huawei Becoming Less Chinese?

http://blogs.wsj.com/digits/2013/07/04/is-huawei-becoming-less-chinese/?

People’s Republic of China’s Huawei to overtake Ericsson in R&D spending

http://www.intomobile.com/2013/07/05/huawei-overtake-ericsson-rd-spending/?

Papua New Guinea’s fixed line incumbent Telikom recruits People’s Republic of China’s Huawei for NBN project

http://www.telegeography.com/products/commsupdate/articles/2013/07/05/telikom-recruits-huawei-for-nbn-project/?

FCC approves deals between Japan’s Softbank, Sprint, Clearwire
Softbank signs huge deal with Huawei….backdoor to United States critical infrastructure now wide open for Huawei courtesy of Japan…

http://www.washingtonpost.com/business/technology/fcc-approves-deals-between-softbank-sprint-clearwire/2013/07/05/f48c88d8-e5ad-11e2-a11e-c2ea876a8f30_story.html

People’s Republic of China’s Huawei, Imperial College, London announce big data joint venture |

http://www.zdnet.com/huawei-imperial-college-announce-big-data-joint-venture-7000017582/

Chinese Web giant Tencent faces obstacles in its goal to expand in global IM market

http://www.washingtonpost.com/business/economy/chinese-web-giant-tencent-faces-obstacles-in-its-goal-for-a-global-im-market/2013/07/05/6ee4016c-cff4-11e2-8845-d970ccb04497_story.html?

People’s Republic of China Says Private Banks Possible

http://www.npr.org/templates/story/story.php?storyId=198990603

Emerging market giants quick to grab Australian foothold
Chinese banks, among the world’s largest, are busy in Australia

http://www.brisbanetimes.com.au/business/emerging-market-giants-quick-to-grab-australian-foothold-20130705-2phh7.html

NJRAT ESPIONAGE MALWARE TARGETS MIDDLE EASTERN GOVERNMENTS, TELECOMS AND ENERGY

http://threatpost.com/njrat-espionage-malware-targets-middle-eastern-governments-telecoms-and-energy/

Current cybercrime market is all about Cybercrime-as-a-Service |

http://www.net-security.org/secworld.php?id=15173

TARGETED ESPIONAGE ATTACK BORROWING FROM CYBERCRIMINALS

http://threatpost.com/targeted-espionage-attack-borrowing-from-cybercriminals/

Traitorous Snowden Says the NSA and Israel Wrote Stuxnet Malware Together

http://news.softpedia.com/news/Snowden-Says-the-NSA-and-Israel-Wrote-Stuxnet-Malware-Together-366371.shtml?

EU adopts stricter penalties for cyber criminals

http://www.net-security.org/secworld.php?id=15183

EU Parliament to launch inquiry into US surveillance programs

http://www.net-security.org/secworld.php?id=15181

Pirate Party’s Nocun on the surveillance scandal…Cyberwar: governments against their citizens

http://www.sueddeutsche.de/digital/ueberwachungsskandal-cyberwar-der-regierungen-gegen-ihre-buerger-1.1713200

Iran to hold nationwide cyber maneuver

http://www.presstv.ir/detail/2013/07/06/312582/iran-to-hold-nationwide-cyber-maneuver/

United Kingdom Cyber War ‘At Its Gunpowder Moment’

http://www.huffingtonpost.co.uk/2013/07/05/cyber-war-gunpowder-moment_n_3549048.html

Beware the Internet and the danger of cyberattacks

http://www.dallasnews.com/opinion/sunday-commentary/20130705-robert-j.-samuelson-beware-the-internet-and-the-danger-of-cyberattacks.ece

U.S. military realm extends to cyberspace

http://www.upi.com/Science_News/Technology/2013/07/02/US-military-realm-extends-to-cyberspace/UPI-85321372770741/

The cyber-intelligence complex and its useful idiots
“Those who tell us to trust the US’s secret, privatised surveillance schemes should recall the criminality of J Edgar Hoover’s FBI”

http://www.guardian.co.uk/commentisfree/2013/jul/01/cyber-intelligence-complex-useful-idiots
Cyberwar: Attacks on industrial plants are growing

http://business.chip.de/news/Cyberwar-Angriffe-auf-Industrieanlagen-wachsen_62848164.html

Blind Fear Of Cyberwar Drives Columnist To Call For Elimination Of The Internet |

https://www.techdirt.com/articles/20130701/10561323680/blind-fear-cyberwar-drives-columnist-to-call-elimination-internet.shtml

Cyberwar is not a Cold War

http://www.dradio.de/dkultur/sendungen/interview/2162803/

Brazil was target of U.S. signals spying, Globo newspaper says

http://www.reuters.com/article/2013/07/07/brazil-espionage-snowden-idUSL1N0FD05120130707

Enjoy –

Semper Fi –

謝謝紅龍

Bandwagon Blog: Why Isn’t Compliance & Regulation Working?!?

Everyone else seems to be blogging about it, so why not a “me too” blog from a different angle?

The main security questions people seem to be asking over the last few days are “Why are data theft and compromise rates soaring? I thought that regulations like GLBA, HIPAA, various state laws, PCI DSS and all the other myriad of new rules, guidelines and legislation were going to protect us?”

The answers to these questions are quite complex, but a few common answers might get us a little farther in the discussion. Consider these points of view as you debate amongst yourselves and with your CIO/COO/CEO and Board of Directors in the coming months.

What if compliance becomes another mechanism for “doing the minimum”? The guidance and legal requirements are meant to be minimums. They are the BASELINES for a reason. They are not the end-all, be-all of infosec. Being compliant does not remove all risk of incidents, it merely reduces risk to a level where it should be manageable for an average organization. This absolutely does NOT mean, “have some vendor certify us as compliant and then we are OK.” That’s my problem with compliance driven security – it often leaves people striving for the minimum. But, the minimum security posture is a dangerous security posture in many ways. Since threats constantly evolve, new risks continually emerge and attackers create new methods on an hourly basis – compliance WILL NOT EVER replace vigilance, doing the right thing and driving defense in depth deep into our organizations. Is your organization guilty of seeing compliance as the finish line instead of a mile marker?

Not all vendors “do the right thing”. Vendors (myself included) need to sell products and services to survive. Some (myself NOT included) will do nearly anything to make this happen. They will confuse customers with hype, misleading terminology or just plain lie to sell their wares. For example, there are some well known PCI scanning vendors who never seem to fail their clients. Ask around, they are easy to find. If your organization is interested in doing the minimum and would rather pass an assessment than ensure that your client data is minimally protected, give them a call. They will be happy to send you a passing letter in return for a check. Another example of this would be the “silver bullet technology” vendors that will happily sell their clients the latest whiz-bang appliance or point solution for fixing an existing security need, rather than helping clients find holistic, manageable security solutions that make their organization’s security posture stronger instead of the vendor richer….

Additionally, many compliance issues reinforce old thinking. They focus on perimeter-centric solutions, even as the perimeter crumbles and is destroyed by disruptive technologies. Since regulations, laws and guidance are often much slower to adjust to changes than Internet-time based attackers and techniques, the compliance driven organization NEVER really catches up with the current threats. They spend all of their time, money and resources focused on building security postures and implementing controls that are often already ineffective due to attacker evolutions.

Lastly, I would reinforce that there are still many organizations out there that just simply will not “do the right thing”. They believe that profit surpasses the need to protect their assets and/or client data. They do not spend resources on real security mechanisms, fail to leverage technologies appropriately, remain careless with policy and processes and do little in terms of security awareness. There are a lot of these organizations around, in nearly every industry. They do security purely by reaction – if they have an incident, they handle that specific issue, then move on. Since consumer apathy is high, they have little to no incentive to change their ways. The only way to enhance the security of these folks is when everyday buyers become less apathetic and veto insecure organizations with their spending. All else will fall short of causing these organizations to change.

So there you have it. A few reasons why regulation is not working. I guess the last one I would leave you with comes from my 16+ years in the industry – good security is hard work. It takes dedication, vigilance, attention to detail, creative AND logical thinking and an ability to come to know the enemy. Good security, far beyond compliance, is just plain tough. It costs money. It is rarely recognized for its value and is always easier to “do the minimum” or nothing at all…