Skip to main content Skip to footer site map
Center for Cyber Security Studies

January 2014

Rogers tapped to lead NSA

VADM Rogers official Navy Biography (for background)

Critical Infrastructure Protection Bill Passed in Committee

The National Cybersecurity and Critical Infrastructure Protection Act of 2013 would amend the Homeland Security Act of 2002 to better protect the country against potentially destructive cyber attacks targeting national utilities and other critical infrastructure systems.  The House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies has marked up and passed the bill back to the House Committee on Homeland Security. From here, H.R. 3696 will travel to the House floor for debate and an eventual vote. Should it pass in the House, it will proceed to the Senate and eventually the Oval Office.

Cybersecurity could be the next bipartisan breakthrough

For several months, key Republicans on the House Homeland Security Committee have been quietly and methodically working with Department of Homeland Security (DHS) officials, industry representatives, cybersecurity experts, and—most importantly—their Democratic colleagues to craft a consensus bill to help the United States address its cyber vulnerabilities. This legislation, the National Cybersecurity and Critical Infrastructure Protection (NCCIP) Act, is coming together at a propitious time. The recent massive cyber assault on Target and the smaller-scale attacks that seem to be revealed almost daily serve as a reminder that this is a public policy area that needs immediate attention.

America Bored of the NSA Story

When President Obama announced his long-awaited reforms to the National Security Agency's controversial surveillance program, it was met by a collective yawn. It was the Friday before a holiday weekend, and not many Americans were listening. Those who were finding it difficult. Fifty percent of Americans have heard nothing about the president's proposals, and 41 percent said they'd heard just a little, according to a new Pew Research Center/USA Today poll. Taken together the numbers mean that nine out of 10 citizens had little interest in what Obama had to say following six months of heated policy debate in Washington.

New Security Report Confirms Everyone Is Spying on Everyone

Lest we forget, the National Security Agency is in good company. A new security report confirms that Chinese hackers spied on The New York Times in 2012, as well as attendees of the G20 Summit in St. Petersburg last fall. Iranian hackers spied on dissidents in the lead up to state elections last May. The Syrian Electronic Army is only getting better, and North Korean hackers were behind a destructive cyber attack that wiped data from South Korean banks last year. These were just some of the findings of CrowdStrike, the hot Laguna Niguel, Calif., security start-up which tracked more than 50 hacking groups last year. The company, started by George Kurtz, the antivirus company McAfee’s former chief technology officer, and Dmitri Alperovitch, McAfee’s former vice president of threat research, produced its findings in an annual report Wednesday. The report buttresses previous findings by The New York Times, Google and a number of other security firms, including FireEye, the Milpitas, Calif.-based security software firm that acquired Mandiant last year.

Big Web Crash in China: Experts Suspect Great Firewall

The story behind what may have been the biggest Internet failure in history involves an unlikely cast of characters, including a little-known company in a drab building in Wyoming and the world’s most elite army of Internet censors a continent away in China. On Tuesday, most of China’s 500 million Internet users were unable to load websites for up to eight hours. Nearly every Chinese user and Internet company, including major services like Baidu and, was affected. Technology experts say China’s own Great Firewall — the country’s vast collection of censors and snooping technology used to control Internet traffic in and out of China — was most likely to blame, mistakenly redirecting the country’s traffic to several sites normally blocked inside China, some connected to a company based in the Wyoming building. The Chinese authorities put a premium on control. Using the Great Firewall, they police the Internet to smother any hint of antigovernment sentiment, sometimes jailing dissidents and journalists; they blacklist major websites like Facebook and Twitter; and they block access to media outlets like The New York Times and Bloomberg News for unfavorable coverage of the country’s leaders. But the strange story of Tuesday’s downtime shows that sometimes their efforts can backfire.

French agency caught minting SSL certificates impersonating Google

Rekindling concerns about the system millions of websites use to encrypt and authenticate sensitive data, Google caught a French governmental agency spoofing digital certificates for several Google domains. The secure sockets layer (SSL) credentials were digitally signed by a valid certificate authority, an imprimatur that caused most mainstream browsers to place an HTTPS in front of the addresses and display other logos certifying that the connection was the one authorized by Google. In fact, the certificates were unauthorized duplicates that were issued in violation of rules established by browser manufacturers and certificate authority services.

Cyber warriors: The next generation

There is no one-size-fits-all for Defense Department cyber training. Neither is there one institution or organization that can meet all of the needs that are required to deploy well-trained front-line troops to defend DOD networks against daily attacks that number in the millions and carry out cyber warfare missions when necessary. "...As a sign of the growing importance of cyber study at military colleges, the U.S. Naval Academy announced in May 2013 that it had established a cyber operations major for the class of 2016 and beyond. In December, the Army graduated it first class of cyber network defenders at Fort Gordon.... " In 2011 the Pentagon declared cyberspace a domain of warfare — in the same sense as land, sea, air and space — and the U.S. command and the service commands at the Army, Navy, Air Force and Marine Corps all are expanding their workforces. While some areas within DOD are seeing budget cutbacks, funding for cyber operations is increasing. The 2014 omnibus appropriations bill, for example, will more than double the Cyber Command’s funding, from $191 million in fiscal 2013 to $447 million. Key to making the command work is training personnel, both uniformed and civilian, in the specific aspects, both defensive and offensive, of the complex theater of cyber warfare.

Is cybersecurity the right job for you?

Headlines, reports and keynote addresses describing a cybersecurity workforce crisis continue to dominate the IT security landscape, with thousands – even hundreds of thousands – of open positions for cyber pros. Are you one of the many IT workers looking to make the jump, only to fall short of getting hired? It's all too common, and there are some surprising reasons why. At a time when cybersecurity is more important than ever, countless thousands of tech workers are looking to find a way into the lucrative and ostensibly wide-open field. A number of them, limited by a lack of security experience, the wrong educational background or inadequate skill sets, are being shut out, even as the staffing shortages mount. Combine that with a hiring process that doesn't quite fit the mission, and it's a recipe for confusion and frustration all around. "The problems and shortages are so severe at this point, employers want people who can hit the ground running and who have that experience," said Hord Tipton, executive director of (ISC)2, a top IT education and certification organization, and former Interior Department CIO. "In many cases they don’t have the time, patience or comfort level for hiring entry-level people who have to learn on the job. So that makes it difficult, and fixing it won't happen overnight." Even though workers with IT experience might not be considered entry-level, the lack of security-specific experience creates barriers to jumping into cybersecurity.

European experts divided on success of cyber security

European IT security experts are divided on the success of cyber security, it emerged at the 6th International Forum on Cyber Security in Lille, France. Seven panelists failed to reach a consensus in the sometimes heated debate on the topic in the opening session of the conference. Dividing opinion by declaring that cyber security is a failure was David Lacey, UK consultant and strategic advisor at security services firm IOActive. He was joined by Jérémie Zimmermann, co-founder of the Paris-based La Quadrature du Net, a citizen advocacy group defending fundamental freedoms online. “Cyber security is a failure at all levels, including compliance, methodology, skills and technology,” said Lacey. While agreeing that regulatory compliance is necessary, he said it tends to encourage organizations to come up with the cheapest response. Lacey said regulation does not encourage innovation and tends to recognize outdated standards and models that give the attacker the advantage. The old “plan, check, do” model is too slow-moving and needs to be replaced with a military-style “observe, orient, decide, act” model that enables the faster response times required, he said.

Records Exposed Hit New High in 2013

Cybercriminals exploiting weaknesses in how users employ passwords is a significant factor behind an increase in records exposed in breaches during 2013, says Craig Spiezle of the Online Trust Alliance. The alliance - a not-for-profit group of technology and security providers, online security and privacy advocates and government agencies that promotes online trust - this week issued its annual Data Protection and Breach Readiness Guide. The alliance claims that its research verifies that more than 740 million records were exposed in 2013 data breaches worldwide, making last year the worst ever for records exposure. "Cybercriminals are getting very, very smart," Spiezle says in an interview with Information Security Media Group. "They're recognizing that consumer are sometimes lazy and they reuse passwords and user names. So if they're able to compromise a very large target, then they use those to compromise other accounts downstream." Spiezle says the number of data breaches in 2013 was about the same as in 2012, but the amount of credit card numbers and Social Security numbers exposed in breaches grew five-fold in just one year.

Organized and politically motivated cyber attackers are changing their methods, finding new, less direct methods of launching targeted attacks on enterprises and government agencies, according to a report issued today.  The report, issued today by threat intelligence company CrowdStrike, offers a detailed look at the motivations, methods, and practices of five organized cyberattack groups -- including the Syrian Electronic Army as well as groups in China, Iran, and Russia -- during 2013.

Speech recognition hack turns Google Chrome into advanced bugging device

Users of Google's Chrome browser are vulnerable to attacks that allow malicious websites to use a computer microphone to surreptitiously eavesdrop on private conversations for extended periods of time, an expert in speech recognition said. The attack requires an end user to click on a button giving the website permission to access the microphone. Most of the time, Chrome will respond by placing a blinking red light in the corresponding browser tab and putting a camera icon in the address bar—both indicating that the website is receiving a live audio feed from the visitor. The privacy risk, according to a blog post published Tuesday, stems from what happens once a user leaves the site. The red light and camera icon disappear even though the website has the ability to continue listening in. In this demonstration video, a site given permission to access the microphone continues to record all sounds within earshot of the computer with no clear indication of what's happening. From there, Israeli researcher Tal Ater said, the audio is sent to Google for analysis before being sent to the site that made the request. Once permission has been granted, Chrome can be programmed to begin recording only after certain keywords—say, "Iran" or "National Security Agency"—are uttered.

Digital Access Leads to Higher Malware Levels in Developing Markets

It’s logical that social and economic factors affect cybersecurity outcomes worldwide – in less developed countries with more remedial technology, cyber-risk should be greater. And it is, for the most part – except for one issue: increased modernization and digital access has equaled a greater rate of malware infections in developing countries, until a certain level of maturity is reached. By taking malware infection data from the Microsoft Security Intelligence Report and comparing it to international socioeconomic statistics, Microsoft has sought to explore how cybersecurity is changing in countries that are still developing technological capacities in a new report. Globally, it found that digital access, institutional stability and economic development all have a profound effect on malware infection rates. When it comes to the former, “while increased Internet access…is correlated with improvement in cybersecurity at the global level, it has the opposite effect among countries with developing economies and lower levels of technological development,” said Paul Nicholas, senior director of global security strategy and diplomacy at Microsoft, in a blog. “Specifically, we saw that as these countries increased their digital access, they experienced a rise in malware rates.” This suggests that countries with a developing level of technology usage may be unprepared to secure their technology infrastructure commensurate with the increase in citizen use of computer systems, which provides greater opportunity for malware to spread unchecked.

From Google Chairman....its a race between the human and machine.

"The race is between computers and people and the people need to win," he said. "I am clearly on that side. In this fight, it is very important that we find the things that humans are really good at."

Beware Of The Internet Of Things' Despicable Side

But with all the power to work for the greater good, there is unfortunately a dark side. There are cases where security exposures in physical devices and embedded systems could easily cause severe disruption. So just like the main character Gru (below) in the brilliant, computer-animated movie Despicable Me, I could -- if I was so inclined and had the technical smarts -- engage in some pretty nefarious and wicked activities. For example: With a wry smile, I could hack into a home alarm system or even baby monitoring sleep devices -- or better still, launch an attack of malicious email communications from an army of security-compromised consumer devices including home-routers, multimedia systems, televisions, and even refrigerators...

Do You Trust Your Connected Appliances to Run Your Home?

Cyber-security expert Bruce Schneier thinks we have reached a crisis point with embedded systems. He wrote, “The industries producing these devices are even less capable of fixing the problem than the PC and software industries were.” Many of these products simply aren’t designed with security in mind, and many of the companies involved aren’t ready to acknowledge the scope of the problem. A couple in Texas who recently had their Internet-connected baby monitor hacked had to complain to the media before the manufacturer would take the vulnerability seriously enough.

go to Top