The Feds Need Computer Defense Experts: Were You Surprised?

I’m not.

The federal government says a potential cyberattack is the most serious economic and national security threat the United States faces, but it faces a shortage of skilled experts who could head off that threat, Homeland Security Secretary Janet Napolitano warns.

There’s a huge job market for cyberwarriors who can protect the nation’s computer networks from an attack, but many of those jobs are going unfilled, Napolitano said.

But don’t take my word for it. Read the whole article at http://security.blogs.cnn.com/2012/04/21/feds-need-more-computer-defense-experts-napolitano-says/.

How to Remove Your Google Search History – and Why That Doesn’t Really Happen

This is becoming a disturbing trend. First we find that the iPhone’s GPS can be turned off – but it doesn’t really turn off.

Next we found that our cell carriers were tracking us with CarrierIQ. Three members of a national agency I will not name learned in my training that their phones were carrying this provider-installed backdoor/root kit, and expressed mighty displeasure on the spot.

Now I find detailed instructions for removing your Google search history – which caution that you cannot really remove your Google search history. (Thanks again, Herbbie!)

The Electronic Frontier Foundation provides a nice guide at xxx, though the process presupposes you already have a Google account. What struck me most was this:

Note that disabling Web History in your Google account will not prevent Google from gathering and storing this information and using it for internal purposes. It also does not change the fact that any information gathered and stored by Google could be sought by law enforcement.

With Web History enabled, Google will keep these records indefinitely; with it disabled, they will be partially anonymized after 18 months, and certain kinds of uses, including sending you customized search results, will be prevented. If you want to do more to reduce the records Google keeps, the advice in EFF’s Six Tips to Protect Your Search Privacy white paper remains relevant.

If you’re at all concerned about privacy (and/or about Google), read the article at https://www.eff.org/deeplinks/2012/02/how-remove-your-google-search-history-googles-new-privacy-policy-takes-effect. Even further, we may have arrived at the point where only the uninformed use Google for searching, or at all.

The Value of IT Certifications

I gave a talk on April 25, 2012 at the Administrative Assistants Conference at UNM on the Value of IT Certifications. If you’re interested in the field, it provides some good quotations and links.

It was built in HTML5, CSS3 and JavaScript, using the Impress.js framework, and does some interesting 2D and 3D effects. Check it out at http://gnorman.org/ITcerts/

Infrastructure Hacking Tools Released in Metasploit

I’ve been leery of the weak security used by SCADA and other industrial control systems. Once Stuxnet was loose in the wild, it just became a matter of time before some terrorist or teenager broke into electrical transmission and distribution systems.

Now it’s worse, because Rapid7, creators of Metasploit, released two new exploits that attack the Modicon Quantum programmable logic controller, used in chemical and wastewater plants, factories and refineries.

I have about worn out my fingers writing about the dangers we face with a) these exploits in the wild and b) those systems being accessible from the Internet. Simply put, they must not be. Must. Not. Be.

Read more: http://www.wired.com/threatlevel/2012/04/exploit-for-quantum-plc/

14 Enterprise Security Tips from (an) Anonymous

Pay attention to the basics. Hire good people. Train them in security.

You know, all the obvious stuff. Like encrypting data. And keeping a close watch on the data your organization makes public.

“Information security is a mess. … Companies don’t want to spend the time/money on computer security because they don’t think it matters,” said ex-Anonymous hacker “SparkyBlaze,” in an exclusive interview with Cisco’s Jason Lackey.
http://www.informationweek.com/news/security/intrusion-prevention/231600561

All the usual stuff. All we have to do, is do it.

Big Brother is Watching You in the UK: “Phone and email records to be stored in new spy plan”

Things are just getting more troubling when it comes to free speech, privacy and confidentiality all over the world. It’s very depressing to see them threatened in such bastions of freedom as Britain and the USA.

Consider this article from The Telegraph’s website:

Phone and email records to be stored in new spy plan

Details of every phone call and text message, email traffic and websites visited online are to be stored in a series of vast databases under new Government anti-terror plans.
http://www.telegraph.co.uk/technology/internet/9090617/Phone-and-email-records-to-be-stored-in-new-spy-plan.html

And from a related article:

Plans for the controversial move to make internet and phone companies keep a record of every email, phone call, text message and message on social networks such as Facebook, were first disclosed by The Sunday Telegraph in February.

They are at the centre of mounting concern from civil liberties groups and backbench members of both Coalition parties, with senior Conservative backbenchers now increasingly outspoken in opposition to the measures.

The new measures would force internet firms to install hardware enabling GCHQ to examine “on demand” and in “real time” details of any phone call, text message or email, and any website visited.
http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/9192209/GCHQ-warns-it-is-losing-terrorists-on-the-internet.html

So this is where we’ve come: on-demand, real-time monitoring of the vast numbers of innocents, in what is probably a futile attack on terrorists who will simply change their methods right around our security. I cannot imagine a more catastrophic opportunity for information to be stolen, misused or altered. But of course THAT never happens.

Uneasy Aims: The Search for Cyberweapons

It’s one thing to wipe out the whole electronic infrastructure with one massive electromagnetic pulse. It’s a whole nother game to alter instructions on an operating computer. When it’s not connected to the Internet.

Yeah, that sort of changes the game, doesn’t it? The Washington Post informs us that the Pentagon has $3.4 billion to spend on cyber security of both the offensive and defensive sorts, including attempting to do the above. Which isn’t, perhaps, as impossible as it seems. Ethernet is, after all, just really fast sequential signalling. Could we microwave right on to the enemy’s wires? (See http://www.washingtonpost.com/world/national-security/us-accelerating-cyberweapon-research/2012/03/13/gIQAMRGVLS_story.html.)

It’s an interesting possibility. As long as one is not on the wrong side of someone else’s definition of “enemy.”

Security Alert: Remote Desktop Software Exploited by Georbot Trojan

So, have you enabled Remote Assistance on your Windows computer?

Or Remote Desktop?

Or do you have any version of VNC?

Or any other kind of remote or virtual desktop software?

Because ESET has discovered a nasty, nasty trojan that exploits exactly that kind of software. See this report at InformationWeek.com:

New Malware Puts Nasty Spin On Remote Control

Security researchers have discovered malware that scans PCs for remote-access or remote-desktop-configuration files, which indicates installed software that can be used to remotely control the computer. The malware, dubbed Georbot, then steals related credential files and transmits them to attackers, providing direct access to the machines using the built-in remote access tools.
http://www.informationweek.com/news/security/attacks/232602932

The cure is simple: when you’re not using Remote Desktop or Remote Assistance, disable it. Don’t run the VNC server on your PC or Mac except when you need it – really need it. Don’t leave this stuff fired up by default!

Of course, the real way people will learn caution in this matter is exactly the same way we learn everything else: bitter experience. Bitter, perhaps, for an individual and a home computer; catastrophic for, say, a health care provider. A word to the wise had better be enough.
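One way to check whether the features named above are switched on, as an added example that is not part of the original post: a PowerShell audit of Remote Desktop, Remote Assistance and anything listening on the default RDP and VNC ports. It assumes an elevated session on Windows 8 / Server 2012 or later, default port numbers, and an English-language firewall rule group name; the `$Disable` switch is a variable made up for this example.

```powershell
# Added example: audit the remote-access features the post says to turn off.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

# fDenyTSConnections: 1 = Remote Desktop refuses connections, 0 = it accepts them.
$rdpOn = (Get-ItemProperty -Path $ts -Name fDenyTSConnections `
            -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0

# fAllowToGetHelp: 1 = Remote Assistance invitations are allowed.
$raOn = (Get-ItemProperty -Path $ra -Name fAllowToGetHelp `
            -ErrorAction SilentlyContinue).fAllowToGetHelp -eq 1

# Anything listening on the default RDP port (3389) or the first VNC displays (5900-5902).
$ports = 3389, 5900, 5901, 5902
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} ({2})' -f $_.LocalAddress, $_.LocalPort, $proc.ProcessName
    }

[pscustomobject]@{
    RemoteDesktopEnabled    = $rdpOn
    RemoteAssistanceEnabled = $raOn
    ListeningRemotePorts    = ($listeners | Sort-Object -Unique) -join ', '
}

# Hypothetical switch for this example: set to $true to turn the Windows features off.
$Disable = $false
if ($Disable) {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    Set-ItemProperty -Path $ra -Name fAllowToGetHelp -Value 0
    # The display group name is localized; 'Remote Desktop' is the English name.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}
```

A VNC server shows up here only as a listening port and process name; stop or uninstall it with whatever tool installed it.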

Secure Telephony: You Are Already Being Tracked

I have an interesting acquaintance who refuses to let me bring my phone into his home. “Spy chips” is his term for all wireless phones. I’ve laughed at him. Until I didn’t.

Exhibit 1: from the New York Times

Police Are Using Phone Tracking as a Routine Tool

WASHINGTON — Law enforcement tracking of cellphones, once the province mainly of federal agents, has become a powerful and widely used surveillance tool for local police officials, with hundreds of departments, large and small, often using it aggressively with little or no court oversight, documents show.
http://www.nytimes.com/2012/04/01/us/police-tracking-of-cellphones-raises-privacy-fears.html

Already being done? Routine tool? No court oversight?

This is Big Brother.

Read the article and notice who’s collecting fees for betraying you: your provider!

Exhibit 2: from Naked Security, Sophos.com

UK government plans to spy on email, web and internet phone use

The British government is proposing new legislation which would allow the police and secret service to monitor internet users’ email and web activity.

Unsurprisingly, privacy campaigners are up in arms about the plan which would force internet service providers to give British intelligence agencies’ real-time access to electronic communications.

However, the authorities argue that it is necessary for national security and to fight terrorism, online child abuse and organised crime.
http://nakedsecurity.sophos.com/2012/04/02/uk-government-spy-plans/

I have a sneaking suspicion that if they’re talking about it publicly, they’re already doing it. Like the USA.

None of this makes me feel proud – or free.