U.S. Navy: “I Thought the Other Guy Was Doing Security”


The Wall Street Journal reported this week that security holes exploited by suspected Iranian hackers existed because of “a poorly written contract with computer-services provider Hewlett-Packard.” Under the terms of the contract, H-P wasn’t required to secure the Navy Department databases. But the Navy, under the mistaken assumption that the computer company was the sentry at the gates, didn’t assign personnel to oversee security for the databases. The lapse made the computer network ripe for the picking. How ripe? So much so that an unnamed source told WSJ that restoring the Navy network took four months and cost about US $10 million. The source, a senior Defense Department official, said that “after the Iranian hack, the Navy took stock of its security efforts and drew up a list of 62 security issues…Some [will] cost more than $100 million and may require asking Congress for permission to redirect funding.”

Though it’s clear that, in the parlance of politicians, mistakes were made, everyone currently or recently in charge is being spared the indignity of being blamed for this massive screw-up. The unnamed defense official said the comedy of errors was based on “decisions made years ago as to what the Navy network structure should be and what kind of risk it was comfortable taking.” Because the contract was first awarded in 2000 and last updated in 2010, Vice Admiral Michael Rogers, who served as the Navy's cyber chief in 2011 and oversaw the cleanup, has been able to sidestep blame for the cock-up as Congress prepares to vet him for the role of director of the National Security Agency.

300 000 Routers Hijacked

Security researchers at Team Cymru in Lake Mary, Fla., published a report this week revealing that more than 300 000 small office and home office routers located across Europe and Asia have been compromised during a rash of attacks that began in mid-December. Team Cymru says hackers began overwriting the DNS settings on routers from a number of manufacturers, including TP-Link, D-Link, Micronet, and Tenda, and rerouting traffic to attacker-controlled sites. The victims, say the researchers, have been located mainly in Vietnam, Thailand, India, and Italy.

The attacks were first detected in January. The Cymru researchers noticed that several TP-Link routers were redirecting victims to two IP addresses that were unrelated to the sites unwitting computer users were trying to reach.

The attackers took advantage of a cross-site request forgery vulnerability on the devices that gave them admin privileges without their having to supply even the default administrative password.
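To make the failure mode concrete, here is an added example (not code from the Team Cymru report or from any vendor's firmware) modelling a SOHO router's "set DNS" admin endpoint: the first handler accepts any POST a victim's browser can be induced to send, while the hardened one requires a valid session, a per-session anti-CSRF token and a same-origin request. The router address, resolver addresses and request fields are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.1"  # constructed LAN address of the router's admin UI


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST reaching the router's admin interface."""
    form: dict
    cookies: dict = field(default_factory=dict)
    origin: str = ""  # Origin header; browsers attach it to cross-site POSTs


@dataclass
class Router:
    dns: tuple = ("192.168.1.1",)  # resolvers handed out to LAN clients
    session_token: str = ""        # cookie value issued at admin login
    csrf_token: str = ""           # per-session secret embedded in admin forms


def login(router):
    """Issue fresh session and anti-CSRF tokens, as a login handler would."""
    router.session_token = secrets.token_hex(16)
    router.csrf_token = secrets.token_hex(16)
    return router.session_token, router.csrf_token


def set_dns_vulnerable(router, req):
    """Applies new resolvers to any POST, authenticated or not: the CSRF-exposed shape."""
    router.dns = tuple(req.form["dns"])
    return True


def set_dns_hardened(router, req):
    """Rejects the change unless session, anti-CSRF token and request origin all check out."""
    if not router.session_token:  # no admin login has happened on this device
        return False
    if not hmac.compare_digest(req.cookies.get("session", ""), router.session_token):
        return False
    # The token lives in the admin page's form, not in a cookie, so a forged
    # cross-site POST cannot carry it even though the browser attaches the cookie.
    if not hmac.compare_digest(req.form.get("csrf", ""), router.csrf_token):
        return False
    # A present Origin header must match the router itself; a missing one is tolerated
    # because some clients omit it on same-origin POSTs and the token check already covers it.
    if req.origin and req.origin != ROUTER_ORIGIN:
        return False
    router.dns = tuple(req.form["dns"])
    return True
```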

Team Cymru said it immediately notified the affected vendors, but when none responded, it shared the information with law enforcement.

Though there are similarities between this set of attacks and those suffered by several Polish banks in recent weeks, the Cymru report notes that, “The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability. The more manually-intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group.”

Cisco Issues Internet of Things Grand Challenge

There’s good reason for concern over the prospect that the “Internet of Things,” the name given to the point when just about every electronic device will be connected to the Internet, will create innumerable points of vulnerability that can be exploited by hackers. Few of these gadgets were originally created with security in mind. With that in mind, Cisco Systems has created the Internet of Things Security Grand Challenge, a $300 000 global competition whose winners will be the people who come up with innovative yet practical ways of securing millions of gadgets and the networks to which they connect. The entries will be judged on four criteria: feasibility, scalability, performance and ease-of-use; applicability to multiple industries and applications; technical maturity and viability of the proposed approach; and the proposers’ expertise and ability to feasibly create a successful outcome.

According to Cisco Security Group Senior VP Chris Young, as many as six recipients will be awarded between $50 000 and $75 000 at the company’s second annual Internet of Things World Forum in Barcelona, Spain later this year. The deadline for submissions is 17 June.

Report Suggests How to Secure the Grid from Cyberattacks

Another potential point of vulnerability to cyberattacks is the electric grid. And so although it’s not technically appropriate for a blog called This Week in Cybercrime, we’d be remiss if we didn’t report on what a group of current and former U.S. government officials and representatives from the entities that operate the grid did last Friday. They convened a panel at the Bipartisan Policy Center in Washington, D.C., and presented a new report (PDF) containing guidelines for protecting North America’s grid. The report also included recommendations for what to do if the grid is ever compromised.

Matthew Wald, an energy reporter with the New York Times and the moderator of the panel session, noted that of the more than 250 cybercrime incidents reported to the U.S. Department of Homeland Security last year, two-thirds of them targeted the energy sector in general and the grid in particular.

“What permeates the report is that you can’t win this just defending the perimeter, you can’t win this with just prevention and defense,” former National Security Agency and C.I.A. Director General Michael Hayden said. “It’s the concept of resilience, what happens after things start to go wrong?”

Among the proposals in the paper, whose authors include Hayden, is the creation of a new Institute for Electric Grid Cybersecurity modeled after the Institute of Nuclear Power Operations. That group was formed in 1979, in the aftermath of the nuclear accident at Three Mile Island.

Cyberthreats: Assessing the Enemy Within

Clear your mind. Now quickly conjure the image of a group of hackers breaking into a corporate database. Did your mental image include the corrupt middle manager acting as the team’s inside man? How about the middle manager who violates security protocols and unwittingly opens the door to a cyberattack? A just-released report from PricewaterhouseCoopers (PwC) focuses attention on all aspects of global economic crime, not just cybercrime, but one of the things that stood out is how frequently the enemy lurks within an organization. “Many times those who are colluding [with hackers] are individuals inside these companies who have administrative access to the corporate computer system,” Steve Skalak, a partner in PwC’s forensic services practice, told Investors Business Daily. Skalak coauthored the Global Economic Crime Survey.

The report notes that an increasing share of internal fraud of all types is being committed by middle managers—54 percent in 2012 versus 45 percent in 2011. PwC has even developed a profile of the average middle management fraudster: a man whose tenure with the organization is six years or longer.

"Because they have more intimate knowledge of internal processes and infrastructure, better access and higher trust, they can be a much more challenging 'enemy within' compared to junior employees or external fraudsters," Amir Orad, CEO of Nice Actimize, a New York-based unit of financial security software firm Nice Systems (NICE), told Investors Business Daily. He adds that middle managers who are actively involved in cybercrime tend to “feel they haven't been properly appreciated or compensated.”

Other middle managers, says Orad, may just be duped into helping hackers. "Because of [their] access, middle managers may unknowingly be accomplices to cybercrime and fraud by having their credentials and accounts taken over by cybercriminals. Cybercriminals know that middle management has access to key systems and therefore target this layer within the organization."

Meetup Website Suffers DDoS Attack After Spurning Ransom Demand

For five days, many groups that make connections via the social media site Meetup were unable to. The website was felled by several massive DDoS attacks that began last week and resulted in a protracted battle against the cybercriminals to keep the site up and running.

Last Thursday, Meetup CEO Scott Heiferman received an e-mail that said, "A competitor asked me to perform a DDoS attack on your website." Heiferman revealed in a blog post that the sender said the attack wouldn’t happen if the company forked over a measly $300. When the company refused, reasoning that to negotiate with criminals would make the site a target for further extortion—demanding much greater sums—the series of attacks began. The site was quickly overwhelmed, but service was restored by Friday morning. The battle didn’t end there, however. Another attack brought the site down again, and as of Monday, Meetup was reporting that it was working urgently to restore functionality. By Tuesday, it was back online, with a link on its homepage to some FAQs related to the outage. The company was quick to reassure customers that none of their personal data, including credit card information, was accessed during the cyberattack.

Cybercrime Hits the Airwaves

CBS is planning to air a spinoff of the hit TV series "CSI" (short for Crime Scene Investigation) that will focus on the agents in the FBI's cybercrime division.


Risk Factor


Contributor
Willie D. Jones