April 30, 2009

Microsoft to disable Autorun feature - YEAH

Microsoft plans to disable the Autorun feature in Windows 7 and release a patch to disable it in older supported versions of Windows. It won't affect CDs or DVDs, which will still autorun, but it will disable Autorun for USB drives. This is great news! There is so much malware out there spreading by infecting USB drives that this had to be done.

Microsoft talks about this topic:

Kudos to Microsoft for taking this measure.

April 21, 2009

Low post volume

Hi everyone. Sorry this blog has been getting quieter, I've been busy battling the rogues and other Internet fun. I promise I will try to update this blog more often than once a week.

My recent Targeted Blackhat SEO Attack against Ford Motor Co. - link to Panda blog

Speaking of rogue security software, Microsoft's recently released Security Intelligence Report talks about the dramatic rise in rogue security software they saw on Windows machines during the second half of 2008. They saw a 15% rise over the course of 2008, from 20% of all machines to a full 35%! I would estimate that number is even higher today, given the unbelievable increase in websites and "brands" of this scumware.

You can see Microsoft's report here. It's a pretty good report, worth a read.

April 7, 2009

New Cybersecurity Bill Gives Commerce Dept and President Obama Cyber and Internet Authority

On April 1, 2009, a bill known as the "Cybersecurity Act of 2009", intended to ensure the free flow of commerce within the United States, was introduced in the US Senate. (See the PDF draft here.) It's important that our nation gets working on this critical issue now, so I reviewed the working draft and thought I'd summarize it and note some interesting passages.

Summary points...
- Cybersecurity oversight of government networks, the Internet, and cybersecurity research would fall under the Secretary of Commerce;
- Roles and responsibilities involve other agencies such as ODNI, NIST, FCC, and NSF;
- Three years of funding, then, after a review/evaluation, the potential for continued funding;
- Establishes state and regional cybersecurity centers, tasking them with securing small- and medium-sized businesses;
- Requires providing security for the FCC's national broadband initiative;
- Establishes a public-private sector clearinghouse for vulnerability information;
- Conducts a feasibility study of cybersecurity insurance;
- Taps NIST as the standards body for all cybersecurity-related standards;
- Provides the President with the power to disconnect the Internet in a cybersecurity emergency or in the interest of national security.

Various interesting passages...

Section 3 - Cybersecurity Advisory Panel.
DUTIES.—The panel shall advise the President on matters relating to the national cybersecurity program and strategy and shall assess—
(1) trends and developments in cybersecurity science research and development;
(2) progress made in implementing the strategy;
(3) the need to revise the strategy;
(4) the balance among the components of the national strategy, including funding for program components;
(5) whether the strategy, priorities, and goals are helping to maintain United States leadership and defense in cybersecurity;
(6) the management, coordination, implementation, and activities of the strategy; and
(7) whether societal and civil liberty concerns are adequately addressed.
REPORTS.—The panel shall report, not less frequently than once every 2 years, to the President on its assessments under subsection (c) and its recommendations for ways to improve the strategy.
I have a problem with that frequency; at a minimum it needs to be twice a year.

Section 4 - Real-time Cybersecurity Dashboard.
The Secretary of Commerce shall— (1) in consultation with the Office of Management and Budget, develop a plan within 90 days after the date of enactment of this Act to implement a system to provide dynamic, comprehensive, realtime cybersecurity status and vulnerability information of all Federal government information systems and networks managed by the Department of Commerce; and (2) implement the plan within 1 year after the date of enactment of this Act.
Wow, is this ever aggressive for such a large undertaking.

Section 5 - State and Regional Cybersecurity Enhancement Program.
The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards.
The purpose of the Centers is to enhance the cybersecurity of small and medium sized businesses in the United States...
What do they mean by "enhance"? To what extent will these new regional centers assist SMBs with their security?
ACTIVITIES.—The [Regional Cybersecurity] Centers shall—
(1) disseminate cybersecurity technologies, standard, and processes based on research by the Institute for the purpose of demonstrations and technology transfer;
(2) actively transfer and disseminate cybersecurity strategies, best practices, standards, and technologies...
Where's NIST? Are they going to be folded into this new center? Ah, later in the document, in section 6, NIST is mentioned...

Section 6 - NIST standards development and compliance.
National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal government, government contractor, or grantee critical infrastructure information systems and networks...
Does NIST not already do this? Maybe this is giving them teeth - which is a great thing.
The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks.
This will touch the private sector in a very big way, since something like 75% of all of the critical infrastructure is run by that sector.
...[NIST] shall be responsible for United States representation in all international standards development related to cybersecurity...
(2) shall require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.

(e) FCC National Broadband Plan...shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks...
So what exactly does that mean? Maybe requiring firewalls and other controls, which would help mitigate some of the network worms.
FCC NATIONAL BROADBAND PLAN.—In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.
Section 9 - Secure domain name addressing system.
...develop a strategy to implement a secure domain name addressing system.
Section 10 - Promoting cybersecurity awareness.
...develop and implement a national cybersecurity awareness campaign...
Good good.

Section 11 - Federal cybersecurity research and development.
(b) Secure Coding Research...
(c) Assessment of Secure Coding Education in Colleges and Universities

Section 14 - Public-private clearinghouse.
...The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information to the Federal government and private sector owned critical infrastructure information systems and networks.
Section 15 - Cybersecurity risk management report.

In section 15 they talk about conducting a feasibility study of creating a market for cybersecurity management, including civil liability and insurance.

Section 18 - Cybersecurity responsibilities and authority.

This is the section that has several people concerned and upset. It essentially provides for the President to declare a cybersecurity emergency and shut down the Internet. There's also a provision which allows him to disconnect any system or network in the interest of national security. This authority extends to Internet connections into Federal offices as well as any US critical infrastructure information system or network. This is intriguing because a majority of the infrastructure defined as "critical" by the US Government is owned and operated by the private sector. This bill would grant the President the power to shut down private sector systems and networks.

This section also requires mapping of Federal systems and networks. Good idea; I wonder how long it will take, though.

Section 30 - Joint intelligence threat assessment.

This section requires the Director of National Intelligence and the Secretary of Commerce to submit to Congress an annual assessment on cybersecurity threats.

What's interesting in all this is that neither DHS nor NSA is mentioned in this bill. Just recently the Director of National Intelligence testified in front of Congress that the NSA should be in charge of cybersecurity. And a few weeks ago the director of DHS's NCSD resigned over concerns about the move of cybersecurity from DHS to under the NSA.

What will happen to all the initiatives currently underway at DHS and NSA? Will they be folded into this new organization, or directed by this organization yet still reside in their respective agencies? What about DOD's cybersecurity efforts?

All I want is for them to get it right organization-wise and start working to address the country's cybersecurity shortcomings - ASAP.