Targeted Attacks Focus On Economic Cyberterrorism

Orome1 writes "When it comes to dangerous Web threats, the only constant is change and gone are the days of predictable attack vectors. Instead, modern blended threats such as Aurora, Stuxnet, and Zeus infiltrate organizations through a variety of coordinated tactics, usually a combination of two or more. Phishing, compromised websites, and social networking are carefully coordinated to steal confidential data, because in the world of cybercrime, content equals cash. And, as a new Websense report illustrates, the latest tactics have now moved to a political and nationalistic stage. Cybercriminals and their blended attacks are having a field day taking advantage of security gaps left open by legacy technologies like firewalls, anti-virus, and simple URL blockers."

IN SOVIET RUSSIA...

In Soviet Russia... most people don't have computers, so its not such a problem, komrade.

"Legacy"?

[girlintraining]

Cybercriminals and their blended attacks are having a field day taking advantage of security gaps left open by legacy technologies like firewalls, anti-virus, and simple URL blockers."

Calling something legacy implies that there's something better to replace those technologies with. Those technologies have not been replaced by some revolutionary new technology that does all that and holds your d--- while you piss too. And they were never intended to be a pancea -- they are intended to augment information security, not act as a substitute for it.

Re:"Legacy"?

[HungryHobo]

but you missed the point!
IT'S SCARY!
AND WE SHOULD GIVE SOMEONE MONEY TO FIX THE PROBLEM!

I'm sure if we get scared enough and give enough money to companies which promise to make the problem go away then we'll be fine.
if not then we just have to get scared enough and give enough money to government agencies which promise to make the problem go away.

I'd say that if security is a big issue on a given system then white-listing is vastly more secure than the blacklisting that is anti-viruses, it's a massive pain but it works better for systems which absolutely positively have to be secure.

If it weren't for FTP firewalls could be a lot more simple and probably more secure so there is a legacy problem there, it's just not the firewalls themselves.

Re:"Legacy"?

[girlintraining]

but you missed the point!
IT'S SCARY!
AND WE SHOULD GIVE SOMEONE MONEY TO FIX THE PROBLEM!

I'm surprised you can get internet out at your ranch, George.

Re:"Legacy"?

[Defenestrar]

If it's about giving someone the money to fix the problem, then all you have to do is follow the slurs to find the money.

...security gaps left open by legacy technologies like firewalls, anti-virus, and simple URL blockers.

So the terror monger here is likely to be someone who makes money through (producing or advertising) two factor authenticator, an alternate active-DNS, or an ISP selling the "we filter the internet for you" service.

And checking net-security.org's "about us:"

Help Net Security is recognized as a media sponsor of leading information security conferences around the globe including: RSA Conference US, RSA Conference Europe, Infosecurity Europe, CSI, InfoSec World Conference & Expo, SC World Congress and more.

I think we have a winner. Why does the cynical approach have to be right so often?

Re:"Legacy"?

[mcgrew]

Those technologies have not been replaced by some revolutionary new technology that does all that and holds your d--- while you piss too.

Why would I want anybody to hold the door while I piss? I want the fucking door CLOSED!

Re:"Legacy"?

[poetmatt]

remember, they added the word cyber, so we need new legislation!

as opposed to, you know, economic terrorism.

Re:"Legacy"?

[jd]

Actually, legislation might not be a bad idea. I propose that it be illegal to store passwords in plaintext (or equiv), allow passwords that John the Ripper can break, not QA code correctly, not encrypt traffic, provide identity verification that is bogus, or provide APIs that allow the protection in place to be bypassed. First-time offenders should be forced to read my posts - not because they're necessarily useful on issues of security, but because they're usually long and occasionally tedious. Repeat offenders should pay for the carpal tunnel syndrome surgery I'll eventually need because of all the writing of long and occasionally tedious posts.

Re:"Legacy"?

[girlintraining]

Repeat offenders should pay for the carpal tunnel syndrome surgery I'll eventually need because of all the writing of long and occasionally tedious posts.

Every opinion eventually reduces to a way to make the author rich. Case in point: asking for unnecessary surgeries and then pocketing it and buying an ergonomic keyboard or hiring someone in Somalia to write your posts for you.

Re:"Legacy"?

[poetmatt]

what you're talking about is more about setting standards, not legislation. There are already best practices in place for stuff like this, it's more that people don't follow them.

Re:"Legacy"?

[Defenestrar]

You can have both at the same time. The FDA has specified monographs and if you perform a process outside of that monograph you're violating the law (unless you've gotten your innovative new drug license, etc...)

Re:"Legacy"?

I think legislation is a terrible idea. What you'll have in 2 to 3 years is outdated legislation because technology will have left the law behind. Then what do you have? Obsolete security as required by law.

Re:"Legacy"?

[mrheckman]

Firewalls, anti-virus, and URL blockers are not legacy systems at all. They are the state of the art in security precisely because they have to protect legacy operating systems and applications, or new systems built to be backward compatible with legacy systems, which are the real "legacy" problem.

People use all sorts of old software because they have such a huge investment in systems and applications that are built on them. But that old software keeps needing to be patched. For example, there's Windows, of course, 'nuf said, and applications like Adobe Reader. Adobe has to come out with a new patch every week to fix another critical flaw, but they can't simply drop it and start from scratch to fix fundamental flaws - it's not economically feasible. And large numbers of businesses still use IE6, for crying out loud, because of all the infrastructure they've built around it. You can put all the security system armor you want around that soft, chewy center, but there will always be gaps.

As critics like Bruce Schneier have been pointing out for a long time, on the other hand, we've known how to prevent whole classes of attacks for many years, but no one seriously expects these fixes to be implemented because of the economics.

That said, there's no protection when administrators and users do stupid things with passwords and the like. Phishing will always work, no matter how hardened we make our systems. At best, we can put bounds on the damage.

Re:"Legacy"?

I think legislation is a terrible idea. What you'll have in 2 to 3 years is outdated legislation because technology will have left the law behind. Then what do you have? Obsolete security as required by law.

Still, that could be better than what we've got now...

Re:"Legacy"?

[Black+Gold+Alchemist]

We've got something to replace those technologies. Linux.

Re:"Legacy"?

[poetmatt]

sure you can have both at the same time, but that doesn't mean they're in harmony or any more effective by having both go on at the same time.

How many drugs are released to the market and then later retracted by the FDA? How well is that system gamed by companies like GSK?

yeah. Laws by themselves, standards by themselves, it's all about the execution - standards and legislation together don't mean it's going to be magically more successful.

Re:"Legacy"?

[jd]

What do you mean "could"? The Internet Auditing Project revealed a third of Unix systems were insecure, and more recent surveys have revealed Windows boxes getting broken into within minutes of connecting to the Internet.

If the mandated security brought systems up to a minimum standard equal to an NSA-recommended install of Linux or a Trusted OS, circa 2010, with a "sunshine" clause that required the law be revised or automatically expire within, oh, 8 years, the odds are extremely high that we'd have a bullet-proof environment for the duration of those 8 years and a damn-near bullet-proof one for many years after even if the law was never updated and allowed to lapse.

(After all, admins would then be used to configuring systems sensibly and have forgotten how not to.)

Re:"Legacy"?

[jd]

Technology may improve within 2-3 years, but so what? Technology improving won't change whether a buffer overflow is bad, and won't change whether mandatory access controls are good.

Improved technology might help people QA their software, but it won't eliminate the need for QA to be applied.

Improved technology might eliminate the need for passwords, but it won't eliminate the need to ensure that password-protected systems can't be attacked by use of a rainbow table.

Improved technology might help produce superior identity verification, but if you provide an API that bypasses such schemes, such improvements won't be worth a damn.

So what is your point?

Nations are stupid

The internet is global. The economy is global. Politics are local. Why do we still have nation-states? What good do they serve?

Why not graduate to something more modern, like internet-based governance?

Re:Nations are stupid

[ScentCone]

Why do we still have nation-states? What good do they serve?
They help to make sure that even though millions of people want to live under Sharia law, I don't have to. Yet.

Re:Nations are stupid

And nations help with that? Nations help keep people repressed. They have a lot to do with why we have religious radicals. In the U.S. we have different names for them, but the same anti-statist religious nuts are here too.

Nations help oppress people, not keep them free.

Re:Nations are stupid

So we should act quickly, before the people who want sharia law can get onto the internet en masse.

Re:Nations are stupid

What you suggest is Communism. It works *IF* everyone plays nice together. When they dont you end up with Stalinism. Also there is always one bight bulb that figures out you dont have to do much to get by. So you end up with 'do it our way or pay major penalty'.

See
http://encyclopediadramatica.com/Internet_Fuckwad_Theory

Living in a commune sounds good at first. Until you realize that not everyone is driven to help others. In fact most people are douchbags...

Re:Nations are stupid

[KarrdeSW]

Why do we still have nation-states? What good do they serve?

Nations are an emergent phenomena. It all starts with small tribes of people that are small enough that the leaders know everybody, and then grows as the technology and institutions grow to be able to keep more people under its umbrella. Once the group of nations grow large enough, they then have the choice of either attempting to dominate one another until no others remain or cooperating. The eventual result of either of these paths would probably be one singular world government, assuming that either ultimate victory or complete peaceful cooperation are even possible. If they're not, then we're all just wasting a hell of a lot of time trying.

But really, in answer to your question: You have to start with Nations, and long before they become obsolete they become an entrenched middle-man. Doing away with them is a lot like trying to eliminate any middle-man who wants to keep their job.

Re:Nations are stupid

[Nidi62]

The internet is global. The economy is global. Politics are local. Why do we still have nation-states? What good do they serve?

Why not graduate to something more modern, like internet-based governance?

Politics are local? Huh, that's funny. Drezner (2007) says that All Politics is Global. He even has a chapter in his book that deals with the internet. To quote from the conclusions of this chapter: "The evidence presented here suggests that both international governmental organizations and nongovernmental organizations have roles to play in global governance. At times they can act as independent agenda-setters and advocates, but they become more important when they provide services as the agents of state interests." Of course, what does Drezner know? His book has only been cited by at least 132 published works according to Google Scholar. I'm sure you have a Political Science Ph.D and plenty of empirical evidence to support your claims, right? And open source global governance? It can never work until there are globally accepted political, social, and societal norms. By the time we reach this (assuming we ever do), the world would already essentially be under one global government, which would make open source government obsolete. You also assume that the norms required for open-source government are widespread globally, or will be the norms that are eventually accepted by the global community. It has in fact aided the adoption of norms that are antithetical to those that would need to be adopted for open source government to ever work.

Re:Nations are stupid

[ScentCone]

Nations help oppress people, not keep them free

No. Nations that don't have a constitutional framework founded in liberty (freedom of speech, assembly, etc) might fit that description, but not all nations. Nations are either subject to the rule of law (as backed up by their founding documents) or they are just mob rule (or a fuedal society). A nation that doesn't prevent thugs from telling you what to do isn't keeping people free. A nation that is constititionally chartered around the idea of keeping thugs (individual or governmental) in check is, in fact, a preserver of liberty.

That doesn't mean that it always goes well, but that's the general idea. You seem to be suggesting that ALL nations are oppressive because some nations are oppressive to thugs. Denying liberty to those who seek to deny liberty to others is not oppression. It's the opposite.

Re:Nations are stupid

A nation that doesn't prevent thugs from telling you what to do isn't keeping people free. A nation that is constititionally chartered around the idea of keeping thugs (individual or governmental) in check is, in fact, a preserver of liberty.

So you are admitting the government of the United States of America is a thug against the very citizens it is supposed to protect. Vive la revolution!

Re:Nations are stupid

[girlintraining]

That doesn't mean that it always goes well, but that's the general idea. You seem to be suggesting that ALL nations are oppressive because some nations are oppressive to thugs. Denying liberty to those who seek to deny liberty to others is not oppression. It's the opposite.

All laws benefit one group by disadvantaging another. What you're calling liberty is just screwing over a minority to benefit a majority, and what you're calling tyranny is benefiting a minority by screwing over a majority. Both are oppressive, the difference is one group knows it and the other group posts on slashdot about how great it is to live in a "free" society.

Re:Nations are stupid

[Monkeedude1212]

Denying liberty to those who seek to deny liberty to others is not oppression. It's the opposite.

Well then there is no such thing as oppression. Or Liberty. Or something. That's a shakey ground or slippery slope that I wouldn't stand behind, it's far too black and white.

What qualifies as "denying liberty" to others? The fact that I'm using a computer right now means that I've supported computer companies that set up sweat shops in a lot of third world countries for all their goods and resources which means I've contributed to the poor state of their economy and I'm essentially keeping people in poverty over in some other country. I've supported the system that aims to take away the civil rights of some people and made them work in hazardous conditions.

Does that mean that mean that I'm oppressive? Simply denying another person's liberty? How many degrees of seperation must it go through before its no longer on me?

I mean, if this logic holds, then locking me up for using a computer is not oppression - it's the opposite.

I think you'd be better off saying that Denying liberty to those who seek to deny liberty to others is still oppression - but people need to redefine oppression and realize that some kinds of oppression are good for society.

Re:Nations are stupid

Which is why most models of open source governance work on a consensus model.

Re:Nations are stupid

[OutSourcingIsTreason]

So laws against murder, bank robbery, and other real crimes (with real victims) are oppressive?

Re:Nations are stupid

[Hognoxious]

Politics are local.

Debatable, but they're certainly singular.

Re:Nations are stupid

[ScentCone]

Which is why most models of open source governance work on a consensus model.

Which is a terrible idea. That's how you get the tyranny of the majority. Governance must be based on principle, not consensus.

Re:Nations are stupid

That would be true if consensus == majority. But it most certainly does not.

You can't have the majority imposing its will on a minority if a consensus is required for that imposition. What incentive is there for the minority to join the consensus of their own repression?

Tyranny of the majority is what we have now, if you haven't noticed. Or more often, since this is a republic, tyranny of the minority. How is that better?

And no, we don't have governance based on principle. Unless you equate "I want as much power, money, and other goodies" as principle. Because that is what our politicians are trained to believe. Have you ever heard of the saying that "power corrupts?" It's not just a cute thing to say. It is evidenced every time a lobbyist makes a "campaign contribution."

Re:Nations are stupid

[ScentCone]

All laws benefit one group by disadvantaging another

Sure, OK. And you have a problem with taking away the advantage (the consequenceless use of violence) held by criminals? You really think that a rapist or a murderer has the moral equivalence of a carpenter or a teacher, and can't see that it's rational to give non-aggressors an advantage over violent parasites?

Re:Nations are stupid

[ScentCone]

So you are admitting the government of the United States of America is a thug against the very citizens it is supposed to protect

Gee. No, I'm not saying the opposite of what I'm saying, actually.

Re:Nations are stupid

Nations are an emergent phenomena. It all starts with small tribes of people that are small enough that the leaders know everybody, and then grows as the technology and institutions grow to be able to keep more people under its umbrella. Once the group of nations grow large enough, they then have the choice of either attempting to dominate one another until no others remain or cooperating..

Right about that point I shift my nation's knowledge pursuits from pure science, to more military-based discoveries, and try try to get my most productive city to build "The Great Library" wonder.

Re:Nations are stupid

"constitutional framework" "founding documents"

You new worlders are so cute.

Re:Nations are stupid

[ScentCone]

You new worlders are so cute

And you would be ... what? An old-world Nanny State leftist? Greek, perhaps? Or maybe an ex-pat Parisian who left in the 60's to go to Venezuela? Ah, paradise!

Firewalls are obsolete?!

[Arthur+Grumbine]

Legacy technologies?!
I don't think that word means what you think it means.

Time for IBM to work on the ZTIC successor?

[mlts]

Maybe its time to work on better out of band authentication and confirmation devices.

Take the IBM ZTIC that plugs into a USB port, and communicates encrypted from the device itself to the bank, just using the computer as a passthrough. This is what needs to be worked on, and maybe banks should start handing these out to customers. This way, even if an end user's computer is infected, their bank account couldn't be logged into without the device, and even if someone was to gain access upon logging on, all bank transfers would have to be confirmed on the ZTIC, so a quick transfer of funds would be caught and denied.

Applying this to MMOs, maybe the ZTIC device to confirm character transfers or deletion, as well as be needed to confirm logging on.

The advantage of using the ZTIC device over a cellphone for this is that the ZTIC device is simple -- it isn't a full fledged computer like a cell phone, and only does one task. Of course, exploits might be found, but the attack surface for this device is a lot smaller than a general purpose machine.

Re:Time for IBM to work on the ZTIC successor?

[HungryHobo]

It still astonishes me how utterly awful the whole credit card system is in terms of security, public key crypto should have made stealing someone's credit card into a physical problem of actually stealing some kind of physical object by now rather than a simple number.
but since it's the merchants who pay the CC companies have no incentive to fix it.

Re:Time for IBM to work on the ZTIC successor?

What will happen is end users will simply leave the ZTIC plugged into their computer ready for the next zero-day exploit payload to activate it.

Re:Time for IBM to work on the ZTIC successor?

[httptech]

Have a look at Cronto - it's an out-of-band authentication system, similar to ZTIC but doesn't use an electrical connection to the computer that could be impacted by a malware infection on the PC. Instead it transfers encrypted/signed transaction details via visual code to the Cronto device (or Cronto app running on a camera-enabled smartphone). There are a few other similar systems from other vendors, but Cronto is the only one I've seen with a mobile app so far.

Re:Time for IBM to work on the ZTIC successor?

[mlts]

It is because the consumer pays for it in the end anyway. For businesses, security has no ROI, so beyond the basic PCI-DSS 2.0 standard, businesses gain nothing by offering better security. Banks don't really care. The credit card makers have it factored into the fees charged merchants, so the fees go up.

Lets say some organization (so people can't say "OMG, it's backdoored by 'x' government or organization") made a generic ZTIC like key. It would have a serial number on it, and a few buttons to help aid pairing. It would be flash updatable via a signed/encrypted ROM that had enough flash space to copy the update. This way, the flash of the BIOS would be atomic (done or rolled back.) It would have the fingerprints of all the organization public keys in its BIOS, so even if a certificate was forged via the SSL tree, it would know if it was fake or not. CRLs could be issued also on the fly just in case.

If someone gave or sold a device for a nominal fee, it would change the landscape of security as we know it. Even stuff simple as an E-mail account, where someone would be prompted on the device if they wanted to send a message, make profile changes, or whatnot would win battles in the war against spam and ID theft. Similar if an eBay account prompted to confirm address changes on a device, or confirm/decline listings.

The key with this device is to keep it as simple as possible. It should just show a lot of detailed text, with a detailed confirm/deny and the consequences for such actions.

Re:Time for IBM to work on the ZTIC successor?

[mlts]

The difference between Cronto and other apps that run on a phone versus a ZTIC is that the ZTIC is a very simple device and only does one function in life.

Because of this, it is a lot harder to compromise, than a targeted attack that compromised cellphones, and PCs, which makes multiple factor authentication moot.

We can look at smart cards. Yes, they have been hacked sometimes, but I have yet to hear about someone being able to pluck a key out of any recent cryptographic token without access to a chip fab. Earlier eTokens could be pried apart and logic probes used, but a remote attacker won't have that available. So, the chance of remote compromise on a dedicated cryptographic token that does nothing but that task is almost nil. Not that it could be done, but it would be very hard.

Was This Story Summary Written By

this book salesman? Because it has NO content.

Yours In Electrogorsk,
Kilgore Trout.

Terrorism

Cyber-terrorism. Eco-terrorism. Econo-terrorism. Man, it's almost like any criminal activity is an act of terrorism, now. Good thing we have those anti-terrorism laws unhindered by judicial process. And BTW, be intelligent about how you disagree with me, terrorist.

Cyberterrorism?

[flaming+error]

Were cyberbombs detonated on a cybertrain?

Re:Cyberterrorism?

Were cyberbombs detonated on a cybertrain?

I'm sure you're objecting to the cliche of putting "cyber" in front of everyday words. However, these cyberterrorists are no different than the terrorists who shop lift from Walmart. Shockingly, I saw a terrorist steal a six pack of beer from Walmart last week. He slipped it past the cashier while she rang up his other groceries. The cyber prefix in cyberterrorism just means they're using computers to help steal stuff.

Fortunately, we have laws that allow us to send these terrorist (cyber or not) to Gitmo where they can be water boarded every day for the rest of their lives.

Re:Cyberterrorism?

[flaming+error]

> I saw a terrorist steal a six pack of beer

I'll bet if the feds investigated they'd find at least one educator with links to that terrorist. That's what really shocks me - how they've infiltrated our schools.

Re:Cyberterrorism?

... the cashier....

Don't you mean "front-line counter-terrorism soldier"?

Re:Cyberterrorism?

[jd]

I don't know. I'm waiting for the Cybermen to get back from their meeting with their Cyberleader on the issue of Cyberbombs.

Re:Cyberterrorism?

No, it was the "PAAAAAAAAAAAAAALM" guy releasing a youtube video instructing Verizon and Sprint users to engage in a DDOS attack.

Re:Cyberterrorism?

[Black+Gold+Alchemist]

As I cyberunplugged my cyberelectric cybercar from my cybersolar cyberpanels, I cyberwatched a cybertrain cyberrun down the cyberrailroad cybertracks. I cybersaw a cybercriminal with a cyberski cybermask cyberwalk onto the cybertrain at the cyberstation and cyberpunch a cybermale cyberpassenger who cyberlooked in his cyber20's. Then he cyberstole some cybercash from the cyberpassenger and cyberran cyberaway, and I no longer cybersaw the cybercriminal.

-Cybersample cyberwitness cybertestimony ~2020.

Seriously, cyber is getting to be like the e- prefix.

Re:Cyberterrorism?

No, it was the "PAAAAAAAAAAAAAAAAAAAAAAAAAAAALM" guy in a self made video instructing Verizon and Sprint users to participate in a DDOS.

Porn now safer than news!

[TheBrutalTruth]

From TFA: "Searching for breaking news represented a higher risk (22.4 percent) than searching for objectionable content (21.8 percent)"

Money for nothing and chicks for free

[Sheik+Yerbouti]

Hey I bet Websense will sell you the solution to the problems cited in the report who wants to take a bet.

Re:Money for nothing and chicks for free

So now Websense has a secure replacement for Windows? Awesome!

Cybercrime != Cyberterrorism

[SirGarlon]

I think any sensible definition of "terrorism" has to involve violence -- people in meatspace getting killed or at least hurt. I read TFA and the only connection it had to terrorism was in the headline. Skimming credit card numbers is not terrorism (though it could be used to finance terrorist activities). Spreading malware through Facebook is not terrorism (though a botnet could be used in conjunction with a terrorist attack, maybe).

I am not aware of terrorists ever having made a "cyber terror attack." Most extremist groups are looking for a bigger shock value than they can get by knocking out Google's Web server or even bringing down the electric grid in half the United States (either of which could be accomplished by a misplaced backhoe or a freak thunderstorm). Actually they would much rather blow up a school bus or something. A lone gunman can create more of a scare and get more PR for the cause than could a group of crack cyber-terrorists who managed to reproduce the U.S. blackout of 2005.

To label any and all malicious activity is disingenuous. It grabs some attention and helps you sell something in the short run, but in the long run, crying wolf is a disservice to the public and it doesn't pay off.

Re:Cybercrime != Cyberterrorism

[Nidi62]

I would focus more on the political aspect of terrorism rather than the violence aspect. The DDOSing of the Georgian national bank by Russian hackers during the crisis over North Ossetia certainly didn't kill anyone, but it left a large portion of that state's population without access to cash for a few days. Attacks such as these have the potential to cause severe economic and psychological damage to a targeted society. Reducing confidence in something that a society takes for granted has great political/terroristic potential. Remove the ability for hundreds of thousands (millions?) of stay at home soccer moms to play Farmville, and you will have an affect. Terrorism should be defined more by the motive rather than the method.

Re:Cybercrime != Cyberterrorism

No.

Terrorism is a method. You achieve effects by creating terror among your targets.

Damage is not the same. That's an attack, but it isn't terrorism.

Re:Cybercrime != Cyberterrorism

[n0prob]

They need to relate cybercrime to terrorism so they can throw out the constitution and go after petty cybercriminals with the full power and authority granted by the PATRIOT act.. In other words, declare them a terrorist because some member of a bureaucracy determines it to be so.. No trial, judge, jury or any other petty rights a human deserves..

Re:WhiteListing

[TaoPhoenix]

I'm a little fuzzy on WhiteListing - is that browser specific?
I could really see a hybrid system with "favorite sites" on a "WhiteList Browser", then when extended surfing, put a proposed link into a "BlackList Browser" to see if it's any good. Then there would be some easy way to add it to the WhiteList browser.

Most of my web usage is covered by a top-100 list, and TFA's from Slashdot or Fark, which I haven't seen come through too often with real malware.

This is why we have auto-cutoffs for regions

[WillAffleckUW]

While you can't shut down botnets in-country, you can shut down entire countries if they start launching attacks, severing their undersea cable and communications satellite connections, reducing the activation of more attacks.

Which is why we maintain the ability to pull the plug on China, who persist in using their military to launch attacks on US sites.

it's the end of the interweb as we know it

[davidwr]

Countries and organizations are going to have to realize that connecting their in-house network to "the internet" securely is HARD and sometimes the best thing to do is to have an "ip gap" or better yet an "air gap" between their in-house data and the outside world. Oh, and turn off of those USB ports or at least treat them as untrustworthy. This isn't easy either, so there is a trade-off.

Many governments already do this for their sensitive networks.

This won't stop inside jobs and it won't stop the most determined invader but it will make it much more expensive to succeed.

Attacks build immunity.

[couchslug]

I'd like to see a much more hostile internet to coerce better security practices. People in general won't care about such things unless and until it is forced upon them by events.

If they won't change unless someone "breaks their shit", then that needs to happen.

Re:WhiteListing

[HungryHobo]

I was talking about white-listing processes on systems which absolutely have to be secure.
As it stands antivirus software just blacklists virus code which is just an example of Enumerating Badness : http://www.ranum.com/security/computer_security/editorials/dumb/

Sweden

[Swanktastic]

What the hell Sweden?!? You guys are hosting 37% of the phishing sites out there. Get your act together, or I might starting thinking about issuing a verbal warning which is only 3 steps away from a written warning.

There was a movie on this

[hesaigo999ca]

A great movie came out with Robert Redford, about this type of cyber crime that could virtually cause a full collapse of a nation, or country. This is not far off, get a few more stock exchange collapses in a row, and we are off to mad max land!

China or Japan?

[GrEp]

The Chinese and Japanese can both do a lot of shenigans with their US treasury reserves.

1) Blanket the market and buy as many call options as you can.
2) Announce that your treasury is dumping 100% of it's US treasuries, and you will only take hard assets or Euro as payment.
3)Stock prices now soar on inflation.
4)Exercise all your call options.
5)Blanket the market and buy as many put options as you can.
6)Announce that you have decided not to sell your US treasuries after all as the bids "weren't as high as you expected"
7)Stock prices plunge on deflation.
8)Exercise all your put options.
9) GOTO 1

Sneakers?

See here, and the title above:

http://en.wikipedia.org/wiki/Sneakers_(film)

(Is that the one? If so?? Great film!)

APK

Linux &/or MacOS X are unassailable? NOT!

"We've got something to replace those technologies. Linux." - by Black Gold Alchemist (1747136)
on Wednesday November 10, @08:46PM (#34192576)

The ONLY reason Linux appears "safer to use" vs. cyberthreats is simple: "SECURITY-BY-OBSCURITY", & not even then!

E.G. -> Witness ANDROID based systems (a Linux variant no less) getting abused more & more lately (and yes, "normal Linux distros" before that as well - because it's not as if I do not get security-oriented updates via KUbuntu's Software Package Management here).

I mean, just like you are doing now? Hey - The MacOS X folks from Apple tried the same play Linux folks are too, and on T.V. no less, & what happened once Apple's MacOS X started getting a larger share of market?? Exploits for MacOS X too...

No escaping facts here.

Criminals online, they're NOT MUCH DIFFERENT than say, pickpockets. Pickpockets do not gather where there aren't larger amounts of folks, especially unsaavy folks, to take advantage of. They go where the crowds are, subways/trainstations/malls or any other largely travelled throughfare. Pickpockets (and yes, "cyber-criminals" too) are after YOUR MONIES.

So, crowds being where they are, on today on PC's online... where's the analogues to those crowded areas? Windows.

This is why Windows is "abused" more, plain & simple. It's more used and presents a larger target to go after from 1 single attack codebase.

(Once Linux, if ever, gets more folks using it than currently today? It too will be attacked more... just as Apple's MacOS X began to be once it began gaining larger amounts of users! Also/lastly: Need I remind ANYONE where the 1st computer worm/virus originated? Robert Morris ring a bell?? That's right - on *NIX's people! Don't think it can't happen again either I say, & learn from history.)

I like & use KUbuntu here daily, but I'm not so "zealous" to not realize that it too, is NOT "invulnerable" to attacks online... it's just less targetted (for now).

APK

P.S.=> I'd also like to know if you think that webbrowsers running on Linux or MacOS X are "invulnerable" to attack? Most attacks nowadays utilize javascript as the attack vector being used in malscripted html webpages, or even maliciously scripted adbanners or just plain KNOWN bad websites, and even emails that use scripts... So, does javascript run on *NIX variants with the same basically flawed & exploitable DOM? Sure does last I checked! apk