Tag Archives: computer security

Social networking websites: the next cyber war zone?

WASHINGTON — The Government Accountability Office reported April 12 that federal agencies remain vulnerable to cyber attacks and security breaches because they’ve failed to take the required steps to secure Internet connections and computer systems. Experts say cyber attack could come from anywhere—an individual American or someone overseas, a terrorist group, or a country. But the number of ways a cyber attack could infiltrate American systems is growing—and the ever-expanding web of social networking sites could prove problematic for national cyber security.

Social networking technologies are creating potential new challenges for government transparency and security As more agency employees use Twitter, Facebook and similar external sites, officials at all levels of government are reviewing their policies.

Elayne Starkey, chief security officer of Delaware and FOIA coordinator for the state’s Department of Technology and Information, said her organization is cracking down on the problem from the inside.

“Websites like Facebook are blocked from our computers,” Starkey said. “It’s too great a risk and who or what actually gets that information is still quite unknown.”

Starkey said there is a long list of precautions that need to be taken at all levels of government and the private sector to prevent a cyber attack. She said she is working with other groups and agencies in Delaware to raise awareness and educate others on the “very real” dangers that a cyber attack could cause.

“We do a lot of trainings to drill and simulate with other state and federal employees on their IT resources,” said Starkey. “Using the right technical tools is important to have the top level of security we need.”

Among the many things that can help in thwart future cyber terror, Starkey said, would be new legislation. She said that the right legislation would take time though. “There is a gap that needs to be filled—but the proper legislation with the proper partners would need a multi-year window.”

“As more people move into the Web 2.0 phase, they become more comfortable with the websites like Facebook and Twitter,” Starkey said. “There is a false sense of security people have once they enter their password. They feel comfortable that they do things they might not have done elsewhere.”

Targeted ads are drawing more clicks by naïve social media users, increasing the potential for scammers and hackers.  “People are much more likely to click some ad that is tailored to them, and then who knows what is behind that ad.”

Starkey said viruses from social networking sites could work in a similar way that an e-mail virus works, sometimes immediately attacking user’s system­ at other times lurking for months before any damage is noticeable.

“That’s why at our offices, those sites are pretty much blocked,” she said.

Patrick Wells, a participant in the U.S. Cyber Challenge, a competition to find individuals who could be future cyber security practitioners and researchers, said he thinks it is unlikely that social networks will become a target of cyber terror is unlikely.

Wells said the information technology teams at the major social networking sites are more prepared than the government simply because they are individual sites, and as such only to worry about hardening their own target.

“Government websites are more interconnected, yet with different security systems and levels which allow for overlooked loopholes,” said Wells. “Sites like Facebook, although they have a huge amount of traffic, are more secure.”

Wells said Facebook, for one example, was a victim of cyber attacks through its applications, add-ons that could contain games, quizzes or other attractions. Applications are made by outside groups, and in the past anyone could create one. Wells said that was the most common way a hacker could hack through the website. “Now, Facebook has a stronger identification process for those creating applications to prevent that.”

For legal and tracking purposes, there is no sound way to currently archive communication done in social networking site, Starkey said. “The problem is that agencies don’t know how to archive the many forms of communications made on those popular websites.”

As citizens become increasingly accustomed to accessing more types of communication archives, Starkey says that social network archives will be a logical expectation.

Wells said that he doesn’t foresee social networking sites being a target of cyber terrorists, but more of a jumping off point. “Social networking sites are mainly used for information… as a tool to find an employee of a company, to get as much information about the person, and then hack into their system.”

Wells said the more security measures the better, but that social network users should be careful of every bit of information they list, not just inappropriate pictures.

Tagged , , , , , , , , ,

10th Annual Cyber Defense Exercise

The Cyber Defense Exercise is an annual computer security contest put on by the National Security Agency/Central Security Service as a way to foster education and awareness among future military leaders about the role of information assurance.

The contest pits network specialists tasked with securing the U.S. Government’s most sensitive communication systems against  teams from the U.S. Air Force Academy, U.S. Coast Guard Academy, U.S. Merchant Marine Academy, U.S. Naval Academy, U.S. Military Academy, the Naval Postgraduate School, the Air Force Institute of Technology, and the Royal Military College of Canada to see which can defend computer networks the students have designed, built and configured at their respective schools.

A NSA press release explains that each team is graded by a separate group of specialists on their “ability to effectively maintain network services while detecting, responding to, and recovering from network security intrusions or compromises.” In order to guard against disruption of real-world networks, the contest takes place on virtual private networks.

For three years running, West Point has won the competition.

Further reading: 2010 NSA/CSS press release, transcript of 2009 competition.

Tagged , ,

U.S. cyber security effort falls short

WASHINGTON — Two congressional studies released in April showed that no federal agencies have successfully implemented security programs required by the Office of Management and Budget (OMB).

That means not one of the 23 government agencies cited in the reports is secure enough to meet minimum government standards for preventing intrusions and destructive viruses.

The reports by the Government Accountability Office (GAO) regarding Internet connection and personal computer security both recommended that the agencies crack down and a a better job of  enforcing and implementing the plans. The GAO serves as an independent ­congressional watchdog and is the “official investigative arm” of Congress and provides data and research to lawmakers.

Several departments were in partial­ compliance but none were fully secure, the reports said. Among those in partial compliance, the Department of Defense was cited as having the best record for securing its Windows Vista computers; 99 percent of the workstations using the operating system were secure. However, none of their older computers were described as being in complete compliance.

Several departments including Education, Homeland Security, Transportation and State were listed as having zero percent of their computers in compliance.

The reports come at the same time as the State Department is launching a digital innovations team and planning greater expansion into the digital world. But if government agencies can’t properly implement existing minimum security standards, some critics ask, will such new innovations be any more secure?

Those  requirements were launched in 2007 and 2008, well before .President Obama’s much-reported refusal to give up his Blackberry. At the time there was much handwringing and debating whether it was safe for the leader of the free world to be carrying a tiny, hackable gateway to a treasure trove of state secrets.

­The GAO studies do not explicitly describe the basic security requirements in question, instead referring to approved settings at each individual agency.

Sen. Joseph Lieberman (I-Conn.), chairman of the Senate Homeland Security and Governmental Affairs Committee issued a response to the reports on April 12 expressing his disappointment in the study’s findings. He took? OMB to task for falling short in its enforcement of the standards. However, neither he, nor the agencies had a plan for how or when they’d reach the security standards.

“The security of federal IT [information technology] systems is an ever-growing problem that must be confronted aggressively and with all available means,” Lieberman said in a statement. Quote resume here? “Unfortunately, these key initiatives, which have been underway for years, have faced challenges, particularly the lack of communication and follow through from the Office of Management and Budget and the Department of Homeland Security.”

Lieberman went on to say that OMB agreed with the findings and would be “acting to address many of the lessons learned,” but noted that no concrete commitments were made as to how they would do so.

Some digital security analysts like Kevin Thompson, a Chicago area attorney and author of the blog Cyberlaw Central, aren’t surprised by the GAO’s low compliance findings.

“They’ve got a long way to go in living up to their requirements in being secure,” he said of the agencies. “A lot of people think that the government would have access to the latest and greatest technology but in reality they don’t.”

Thompson has researched government digital security infrastructure and says he’s seen a ­lack of funding and attention paid to the issue.

“We should be able to reach the minimums we set,” he said.

For his part, Thompson sees value in moving towards a creative, innovative approach to how the government uses digital tools while still ensuring their security.

In his statement Lieberman said his committee would be drafting legislation to address the issue. But the constantly evolving nature of the digital world begs the question, is another piece of legislation enough?

Tagged , , , , ,