Tag Archives: Security

Cyber War: Microsoft a weak link in national security

It has been a few months since Clarke’s latest opus appeared, but it’s still making quite a splash. Clarke, after all, was the guy who repeatedly warned the White House about Al Qaeda before September 11, 2001. As a result, he has quickly become the most publicly identifiable person on the subject.

“While it may appear to give America some sort of advantage,” Cyber War warns, “in fact cyber war places this country at greater jeopardy than it does any other nation.” The enormous dependence of our financial and energy networks on the ‘Net opens us up to potentially devastating online attacks. “It is the public, the civilian population of the United States and the publicly owned corporations that run our key national systems, that are likely to suffer in a cyber war.”

“Microsoft insiders have admitted to me that the company really did not take security seriously, even when they were being embarrassed by frequent highly publicized hacks,” Clarke confides. Sure enough, when Apple and Linux began to offer serious competition, Microsoft upgraded quality in recent years. But what the company did first was to lobby against higher government security standards.

“Microsoft can buy a lot of spokesmen and lobbyists for a fraction of the cost of creating more secure systems,” concludes Clarke’s section on the software firm. “They are one of several dominant companies in the cyber industry for whom life is good right now and change may be bad.”


Law Enforcement Appliance Subverts SSL

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes are designed to intercept those communications without breaking the encryption, by using forged security certificates instead of the real ones that websites use to verify secure connections.

To use the Packet Forensics box, a law enforcement or intelligence agency would have to install it inside an ISP, and persuade one of the Certificate Authorities – using money, blackmail or legal process – to issue a fake certificate for the targeted website. Then they could capture your username and password, and be able to see whatever transactions you make online.


Banks Aim to Secure Customers’ PCs

Cybercriminals have had great success over the past year hitting banks where their security is the weakest–on their customers’ PCs. In 2009, online fraud losses doubled, according to FBI data.

Now banks are starting to hit back, focusing not only on the security of their own systems, but of their customers’ systems. Last week, security firm Trusteer announced it would provide a service to banks that lets them remotely analyze computers belonging to customers who have been hacked. Using the service, called Flashlight, banking customers that believe they have been targeted could download a program to their PC that would quickly search the system for digital tracks left by online thieves and their malicious software.

“By analyzing the malware, the banks can find out how the groups are getting by their security measures,” says Mickey Boodaei, CEO of Trusteer. “We noticed that most banks have no real understanding of their fraud losses. They have no idea where they are originating from, whether it was Zeus [a common Trojan horse program] or some other malicious software, and what criminal groups are attacking them.”


Is Nagging Anxiety About On-line Transactions Justified?

Now that you are frightened enough, here’s the good news about online payments: There is little to worry about using credit cards online, because the risk of loss from unauthorized charges, by law, is almost nil.

“The strongest protections are when you pay by credit card,” says Carole Reynolds, a senior lawyer at the Federal Trade Commission. Under the Truth in Lending Act, consumers’ maximum liability for unauthorized use of their credit card is only $50, and when a card is used online, it’s zero.


Should US Ban Chinese Computers?

This is going to be a major point of contention in the years to come and is a continuously ignored and under-discussed topic.

There had been an implicit agreement about the Internet made between China and the United States. The United States agreed to lower all its tariffs on high technology manufactured goods to zero, and we agreed to let in all that China could send over here, no questions asked. What is the result of that? The result is that substantially all United States computers are now made in China. We even went so far as to allow the first U.S. PC maker, IBM, to sell its PC division to a Chinese company, Lenovo…

Why? Because we believed that as China industrialized and moved along the economic and knowledge highway they would become a great market for those goods where we continue to have an advantage, things like search engines, and streaming video, and innovative websites. We believed they would keep their side of the bargain. But they have not.


How to Securely Erase Data from your Media

Great walk-through illustrating how to securely remove your data from a variety of media types by Maximum PC.


The Point-And-Click Botnet

In 2005, a Russian hacker group known as UpLevel developed Zeus, a point-and-click program for creating and controlling a network of compromised computer systems, also known as a botnet. Five years of development later, the latest version of this software, which can be downloaded for free and requires very little technical skill to operate, is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information.

Last week, the security firm NetWitness, based in Herndon, VA, released a report highlighting the kind of havoc the software can wreak. It documents a Zeus botnet that controlled nearly 75,000 computers in more than 2,400 organizations, including the drug producer Merck, the network equipment maker Juniper Networks, and the Hollywood studio Paramount Pictures. Over four weeks, the software was used to steal more than 68,000 log-in credentials, including thousands of Facebook log-ins and Yahoo e-mail log-ins.


Spanish arrests mark the end of dangerous botnet

A massive botnet of up to 12.7 million infected PCs has been dismantled after Spanish police, working in conjunction with a Canadian security firm, arrested the botnet’s operators. The Mariposa botnet first emerged in December 2008, and was used to steal credit card and bank details from infected PCs. The malware driving it was spread through instant messaging, USB thumb drives, and peer-to-peer networking.


Identity Theft on the Rise

Identity theft has become so commonplace that the odds are pretty high that you’ve been a victim or you know someone who has. Those odds continue to increase, according to a survey released today by Javelin Strategy & Research. It found that the number of identity fraud cases rose by 12 percent in the U.S. last year, to 11.1 million. And the amount of money potentially affected by these frauds, Javelin says, grew by 12.5 percent, to $54 billion.


Two Chinese Schools Tied to Google Attacks

A series of online attacks on Google and dozens of other American corporations have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military, say people involved in the investigation.

Within the computer security industry and the Obama administration, analysts differ over how to interpret the finding that the intrusions appear to come from schools instead of Chinese military installations or government agencies. Some analysts have privately circulated a document asserting that the vocational school is being used as camouflage for government operations. But other computer industry executives and former government officials said it was possible that the schools were cover for a “false flag” intelligence operation being run by a third country. Some have also speculated that the hacking could be a giant example of criminal industrial espionage, aimed at stealing intellectual property from American technology firms.
