See on Scoop.it – Chinese Cyber Code Conflict
The granddaughter of Chairman Mao has been named on China’s rich list, with a fortune of nearly £530 million.
The irony of Chairman Mao Tse Tung’s granddaughter being on the list of the ‘superrich’ within the People’s Republic of China…perhaps it was the intellectual property theft or prolific Chinese cyber espionage…
See on www.telegraph.co.uk
See on Scoop.it – Chinese Cyber Code Conflict
Why It’s Time For China To Lose Its Copycat Mentality @Worldcrunch Worldcrunch – Great stories from the world’s best news sources
See on worldcrunch.com
Good day friends –
Red Dragon Rising has now arrived and will begin posting items of interest about the People’s Republic of China (中華人民共和國) and her use of the computer as a weapon system…
Please expect to enjoy the latest and most current news and updates about the Middle Kingdom on the State of Security!
Semper Fidelis;
謝謝您
紅龍
So, yesterday was the date of the much awaited OpUSA, originally proclaimed to be a decisive attack on the US banking and government infrastructures. Thankfully, there seemed to be little impact on US banking or government, and while some commercial and even government sites did get attacked, the sustained impact seemed to be fairly well contained.
Below are a few thoughts on OpUSA and observations made from the data we saw around the Internet (in no particular order):
Other than the usual chatter and jeers, there seemed to be little unique about OpUSA and the efforts identified with the campaign. The media is picking up on some additional items here and there, but largely, the operation was seen as being a smaller or less successful campaign than previous attack sets.
It’s almost time for another CMHSecLunch! This month, the event is May 13th, 11:30a – 1pm at Easton Mall food court. As always, it is FREE and open to anyone interested in infosec and IT to attend. You can find out more, track the event and RSVP all one page by clicking here.
We hope to see you there!
This time around, we have a question from a reader named John: “I work in a small financial institution and we have problems with physical access to our computers. Many of our workstations sit in semi-public areas and could easily be attacked with USB devices or physical access when a teller or customer service person leaves the customers alone with the machine at a desk or cubicle. What advice do the experts have to help counter these types of attacks?”
Bill Hagestad started the conversation:
Recommended Points for mitigating this digital & physical vulnerability;
1) Remove workstations from semi-public areas; 2) Deploy & install single – purpose Internet workstations at no more than 2 public locations with VERY limited access to financial institution records only after 3 factor authentication has been authorized by credentialed users only; 3) Set time limites on inactive sessions on all banking terminals to logoff after physical proximity to machine exceeds 15 seconds; 4) Enforce 32 random, alpha-numeric character password changes to all critical financial institutional systems weekly; and, 5) Implement and /or continue aggressive financial institution information assurance education program with goal of 100% employee participation; review/update monthly and, 6) Mandate information security and awareness program participation from financial institution leadership throughout all employees and ranks within the organization.
John Davis expanded: I know how difficult this is for financial institutions. Your customer service representatives need computers in their cubicles in order to provide service to your customers, while at the same time those same computers are a main point of physical vulnerabilitiy. Easy steps can be taken, though, to harden these work stations.
First, workstation users should be allotted local administration rights on their systems only when a business need is present. So, CSR workstations should have their USB and DVD ports disabled. Furthermore, their is no need for them to have the ability to upload or download software. In addition, workstations in publicly accessible areas must be turned off each and every time they are unattended. Perhaps you could implement a system similar to the cut off device used on treadmills or at casinos: CSRs would have to clip a device from their clothing to the workstation before it will work. You could accompany this with biometric access for quick and easy access for the users.
Jim Klun added:
From my experience, and assuming the worst case of Windows systems configured as normal workstations with end-users having admin level access, some immediate things I would do:
1. Disable all removable media access at the hardware ( i.e. BIOS) level. At minimum: disable ability to boot from such sources. or: remove all DVD and CDROM drives and physically disable USB ports. (e.g. glue) 2. Ensure all workstations log activity and ensure that the logs are directed to a central log repository and reviewed. Example: http://www.intersectalliance.com/projects/SnareWindows/ 3. Ensure surveillance cameras cover workstation areas. 4. Aggressive screen-lock settings 5. Removal of admin access for all but limited support staff if at all possible. 6. Consider Usage of security cabinets for workstations: Example: http://www.globalindustrial.com/g/office/computer-furniture/cabinets/orbit-side-car-cabinet 7. Network Access Control to limit what devices are allowed on the local network. That unattended RJ45 jack or poorly secured wireless environment is as much a threat as that USB port or CDROM. Bluetooth setting should also be reviewed. 8. Ensure all sensitive information traveling over the local LAN is encrypted. 9. Use a firmware password ( e.g drivelock or a BIOS power-on password) to limit who can boot the machine. 10. Monthly re-iteration of security policies – including need to lock workstations. In my experience such messages are best tied to real-world examples. It makes the risk real – not just an abstract “security guy” worry. For example, this event could be used to ensure employees are aware that an unlocked workstation could lead to the installation of malware: http://news.techworld.com/security/3256513/sovereign-bank-and-penfed-warn-customers-after-keyloggers-are-found-on-laptops/
I note that both JD and Bill talk about enhanced authentication – including the use of proximity devices. Using such devices ( mostly bluetooth ) to secure these workstations sounds like a great idea to me and may be the easiest and most effective solution. Once the financial institution walks away from the workstation – it’s locked and ideally will not boot. http://btprox.sourceforge.net/ – open source Google “computer proximity lock” for a number of commercial alternatives.
Adam Hostetler closed the conversation with:
Everyone has really good suggestions so far. I am a fan of the simple phsyical solutions. I would put the workstations in locked cages. This would prevent any malicious people from inserting USB devices or CDs, or implanting sniffers between the keyboard and USB ports. Additionally, follow the other advice of disabling them through software, just to be sure.
Another solution may be to move to a thin client solution. It is possible to buy thin clients that have no USB ports or optical drives. This would also ensure that no sensitive information was on the workstation, in the event that it was stolen.
April’s touchdown task for the month is a suggestion to update your contact list that you should have included in your incident response policy.
A few minutes now to make sure the right people are in the list and that their contact information is current could pay off largely down the road. It might also be a good time to check to make sure your contact process has been updated to include SMS/texting, Skype and/or other supported technologies that may have not been around when your policy was last updated.
Just a quick update on the Stolen Data Impact Model (SDIM) Project for today.
We are prepping to do the first beta unveiling of the project at the local ISSA chapter. It looks like that might be the June meeting, but we are still finalizing dates. Stay tuned for more on this one so you can get your first glimpse of the work as it is unveiled. We also submitted a talk at the ISSA International meeting for the year, later in the summer on the SDIM. We’ll let you know if we get accepted for presenting the project in Nashville.
The work is progressing. We have created several of the curve models now and are beginning to put them out to the beta group for review. This step continues for the next couple of weeks and we will be incorporating the feedback into the models and then releasing them publicly.
Work on phase 2 – that is the framework of questions designed to aid in the scoring of the impacts to generate the curve models has begun. This week, the proof of concept framework is being developed and then that will flow to the alpha group to build upon. Later, the same beta group will get to review and add commentary to the framework prior to its initial release to the public.
Generally speaking, the work on the project is going along as expected. We will have something to show you and a presentation to discuss the outcomes of the project shortly. Thanks to those who volunteered to work on the project and to review the framework. We appreciate your help, and thanks to those who have been asking about the project – your interest is what has kept us going and working on this problem.
As always, thanks for reading, and until next time – stay safe out there!
MicroSolved, Inc. is proud to announce a unique event for those interested in information security.
The 2013 International Cyber Threat Intelligence Briefing, featuring internationally recognized author William Hagestad, is an executive level briefing on the latest cyber threat intelligence from around the world. This briefing will provide a unique opportunity for C-Level decision makers to understand the cyber threat to their organizations through the loss of intellectual property via the determined use of cyber espionage. Attendees will be presented with two commercial case studies focusing on Global 50 companies. Recommendations, Short & Long Term Moves will accompany this interactive cyber threat intelligence briefing.
This is an opportunity for your management team to participate in a frank, focused discussion about the international cyber threats organizations face today in the global marketplace.
To learn more or sign up to participate, please register by clicking here.
In our first two blogs concerning Distributed Denial of Service (DDoS) attacks and small service industries, we presented measures organizations can take to prepare for and defend against DDoS attacks. In this final installment on the subject, we will discuss methods of response to these incidents.
The first thing to do when you think you are under DDoS attack is to not panic. Calm and considered responses are always more effective than immediately jumping in and possibly cutting off legitimate connection requests. An ill-considered response on your part could cause the very denial of service your attacker intended in the first place. The best thing you can do is to immediately access your incident response plans and begin to implement those pre-planned procedures you worked so hard on. We are constantly amazed at how many organizations fail to follow their own response planning in the heat of a real incident!
The next step in the process is traffic (log) analysis. You need to be able to identify what type of attack is being perpetrated and the kinds of bogus requests that are being made. This is where large log capacities and log aggregation tools come in very handy. Being able to view a large amount of data from a central console truly helps you recognize patterns in the attack. Since application layer attacks that employ IP spoofing are presently being used, pattern and type recognition are often the only means you have to discern good traffic from bad.
Once you are able to get a handle on what the bad traffic looks like, you can start filtering it out. This is best done by appliances as close to the network edge as possible. You can also work with your ISP which may be able to assist with filtering as well as other mechanisms such as rate and connection limiting.
After the attack is under control, don’t forget to work with law enforcement agencies such as the FBI and US-CERT. They are interested in these events and may be able to assist you in finding and dealing with the perpetrators. Reporting incidents is important because it is crucial to know the number and types of DDoS attacks that are really taking place out there in order to effectively respond to them. Reporting ends up being good for everybody!
Finally, it is very important to conduct lessons learned meetings and to adjust your incident response and business continuity planning. Table top exercises and other incident preparation techniques are helpful, but nothing helps you learn the hard lessons like a real incident. Why waste the only valuable thing to come out of the whole mess!
