U.S. to create cybersecurity military command!
WASHINGTON, April 21 (Reuters) - The Obama administration plans to create a new military command to focus on Pentagon computer networks and offensive capabilities in cyberwarfare, The Wall Street Journal reported on Tuesday, citing current and former officials familiar with the plans. The initiative will reshape the military’s efforts to protect its networks from attacks by hackers, especially those from countries such as China and Russia, the newspaper said.
Pentagon officials were quoted as saying the new command will be unveiled within the next few weeks.
The cyber command will likely to be led by a military official of four-star rank and initially would be part of the Pentagon’s Strategic Command, the newspaper said, citing officials familiar with the proposal.
Spokesmen for the Pentagon and White House were not immediately available for comment. President Barack Obama is expected to announce a plan to improve cybersecurity this month after completion of a White House review of the issue, the Wall Street Journal said.
Defense Secretary Robert Gates plans to announce the creation of a new military “cyber command” after the roll-out of the White House review, the report said, citing multiple military officials familiar with the plan.
The newspaper earlier reported that computer spies have repeatedly breached the Pentagon’s costliest weapons program — the $300 billion Joint Strike Fighter project.
The identity of the attackers and the amount of damage to the project could not be learned, the paper said.
The Journal quoted former U.S. officials as saying the attacks seemed to have originated in China, although it noted it was difficult to determine the origin because of the ease of hiding identities online.
The Chinese Embassy said China “opposes and forbids all forms of cyber crimes,” the Journal said.
Culled from Reuter News
Top 10 Cybercrimes in 2008/2009
Twelve US based cyber security veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008 and 2009.
Participants included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller.
Here’s their consensus list in ranked order:
- Increasingly Sophisticated Web Site Attacks That Exploit Browser Vulnerabilities - Especially On Trusted Web SitesWeb site attacks on browsers are increasingly targeting components, such as Flash and QuickTime, that are not automatically patched when the browser is patched. At the same time, web site attacks have migrated from simple ones based one or two exploits posted on a web site to more sophisticated attacks based on scripts that cycle through multiple exploits to even more sophisticated attacks that increasingly utilize packaged modules that can effectively disguise their payloads. One of the latest such modules, mpack, produces a claimed 10-25% success rate in exploiting browsers that visit sites infected with the module. While all this is happening, attackers are actively placing exploit code on popular, trusted web sites where users have an expectation of effective security. Placing better attack tools on trusted sites is giving attackers a huge advantage over the unwary public.
Underground Dark Market – International Triumph or the Tip of the Iceberg?
In October 2008, an internationally coordinated crime operation saw the arrests of 56 members of a transnational criminal network used to buy and sell stolen financial information. The “carder” forum hosted on the Dark Market website had attracted more than 2,500 registered members before its closure.
In addition to the arrests, police seized compromised victim accounts to prevent $70 million in economic loss through identity fraud.The FBI conducted the two-year operation with the assistance of the Computer Crime and Intellectual Property Section of the US Department of Justice, the UK’s Serious Organized Crime Agency (SOCA), Turkish National Police – KOM Department, Bundeskriminalamt (German Federal Criminal Police) and the Landeskriminalamt Baden (State Police of Baden-Württemberg).
FBI Cyberdivision Assistant Director Shawn Henry said: “In today’s world of rapidly expanding technology, where cybercrimes are perpetrated instantly from anywhere in the world, law enforcement needs to be flexible and creative in our efforts to target these criminals. By joining forces with our international law enforcement counterparts, we have been, and will continue to be, successful in arresting those individuals and dismantling these forums.”
Myanmar Attacks – Political Protection
In July 2008, the websites of the Oslo-based Democratic Voice of Burma (DVB) and New Delhi-based Mizzima News were hit by DDoS attacks that shut down their websites for several days. In August two community forums, Mystery Zillion and Planet Myanmar, were disabled and shut down and on September 17, The Irrawaddy, DVB and the Bangkok-based New Era Journal also experienced similar attacks.
It is thought that these concerted attacks were coordinated by the Burmese government in anticipation of the first anniversary of The Saffron Uprising – a peaceful protest by Buddhist monks, nuns, and students against an oppressive military regime. The websites were all known to support the monks. The attacks all appeared to mainly originate from China and Russia, the main diplomatic backers of the junta (military-led government) and where it has been suggested the junta have been receiving technical training.
The Growing Evidence of Cyberespionage and National Attacks
In May 2008, Belgium and India joined the growing force of countries claiming to be victims of attacks, believed to be originating from China. Thought to be a target because it houses the headquarters of both the EU and NATO in Brussels, Belgium has had emails containing spyware sent to State departments. Similarly, India claims its government and private sector networks are under constant cyberattack.
In August 2008, a coordinated cyberattack was launched against Georgia’s infrastructure, compromising Georgian government websites including the Ministry of Foreign Affairs. The Georgian government said the disruption was caused by attacks carried out by Russia in connection with the conflict between the two States over the province of South Ossetia.
The Gold Rush
E-gold is a digital gold currency that allows for the instant transfer of gold ownership. Unlike in the case of credit cards, all payments are final and irreversible. There are currently more than five million e-gold accounts worldwide. Due to the anonymity provided to account holders it became a popular method for cybercriminals to turn illgotten proceeds into clean cash.
In July 2008, the brother of Joseph Yobo (the vice captain of the Nigerian national soccer team and one of the English Premier League Club Everton’s top soccer players), was kidnapped and a ransom of $10,000 was demanded in e-gold. This was clearly a new digital twist on an old crime.
Also in July 2008, e-gold Ltd. and its three directors pleaded guilty to money laundering charges and the “operation of an unlicensed money transmitting business.” While e-gold’s executives are still to be sentenced, the company is confident that the business can reinvigorate itself.
In October 2008, e-gold made moves towards becoming fully legal by registering with the Financial Crimes Enforcement Network (FinCEN), one of the US Department of Treasury’s lead agencies in the fight against money laundering.
Microsoft becomes high priest of secure software development
Posted by Elinor Mills
Historically, Microsoft was bashed for security holes in its software that led to worm outbreaks on desktops and servers around the globe and other problems. In 2002, the company saw the light and launched its Trustworthy Computing initiative, elevating security to the top priority, and began designing and building products with security in mind.
Six years later, the company’s conversion seems to have worked with vulnerabilities dropping by about half from Windows XP to Windows Vista by 90 percent between SQL Server 2000 and SQL Server 2005.
But the environment has changed–Web applications have eclipsed desktop applications as people move more and more of their computing online. Now, 60 percent of new vulnerabilities are in Web apps, and only 14 percent of them are from the top five independent software vendors, like Microsoft and its ilk, according to research from IBM’s X-Force.
Microsoft has gone from being the vendor responsible for the greatest proportion of vulnerabilities to being third, with 2.5 percent share, the research shows. The lion’s share of the vulnerabilities come from start-ups racing to get their products to market. And 70 percent of them are doing the security testing and review after they release the product, Microsoft said.
So now Microsoft is trying to convert others to the cause, offering free tools that outside developers can use to assess their software development security practices and analyze their software designs to look for security weaknesses and threats.
“By helping other companies build more secure software, especially companies that develop on the Microsoft platform, we make the Internet more trustworthy,” said Steve Lipner, senior director of Trustworthy Computing at Microsoft. “That’s good for our business.”
Microsoft will offer free downloads in November of its Security Development Lifecycle (SDL) Optimization Model and its SDL Threat Modeling Tool 3.0, the company announced Tuesday. Also, Microsoft formed the SDL Pro Network composed of nine security consultants to help developers implement the SDL.
The SDL Optimization Model serves as a sort of blueprint for changing processes and strategy related to building secure software. The SDL Threat Modeling Tool, which Microsoft has used internally for about a year, is designed to help analyze the security of software designs and to figure out how to mitigate threats in the development process.
The companies in the SDL Pro Network, which include IOActive, Cigital, and Verizon Business, will serve as contractors and set their own fees. The one-year pilot program begins in November.
Microsoft isn’t getting into the security consulting market–it’s just trying to help companies improve their software so computer users are protected and feel confident online, Lipner said.
“We’re not claiming we’re perfect,” he said. “But we have a lot of experience in this domain.”
Chris Wysopal, chief technology officer of security firm Veracode, praised the announcements but wondered if Microsoft’s success can be duplicated at companies with very small developer teams.
“The SDL is working for them, but the question is, will it work for the majority of the companies writing software?” he said.
