Saturday, May 1, 2010

Strategy in Cyber War - - Dallas Summit Aims to Target Cybercrime

When a group of former and retired federal officials gathered in Washington, D.C., in February to test their skill in containing a simulated cyberattack on the nation, the "damage" was catastrophic.

Vast networks that transmit millions of cellphone calls each day were the first to go down.

Landlines and the Internet quickly followed.

Finally, the entire East Coast electrical power grid crashed under the stress of mock bombs exploding in gas pipelines and power stations, and the simultaneous arrival of a Gulf Coast hurricane.

The officials – including former national intelligence czar John Negroponte and former Homeland Security chief Michael Chertoff – were unable to coordinate a countermeasure to the virtual attack.

"Air traffic was thrown into disorder, and commerce came to a standstill," according to cybersecurity news site Help Net Security, which chronicled the exercise.

That cyber-wargame was widely seen as a sign that neither government nor business is fully ready to deal with a worst-case online attack.

This week, cybercrime fighters bring that message to Dallas.

Monday through Wednesday, the city will host the Worldwide Cybersecurity Summit, what organizers at the EastWest Institute are billing as one of the largest conferences ever on online crime and terrorism.

More than 400 corporate executives, diplomats, retired military leaders and White House officials will converge on the Hyatt Regency Hotel to address what the FBI recently called its "highest criminal priority."

"In effect, all the key players from our government will be here, as well as delegates from around the world," said Ross Perot Jr., who led the effort to bring the conference to Dallas.

Cybercrime surge

While the event is geared toward government and corporate leaders, cybercrime is a surging problem for everyone.

According to the FBI, cybercrime officially cost Americans almost $560 million last year, more than double the 2008 tally, although experts say the true number is undoubtedly much higher, since many cyberattacks go unreported.

Supervisory Special Agent Charles Pavelites at the Internet Crime Complaint Center, a joint program of the FBI and National White Collar Crime Center, said that as little as 10 percent to 20 percent of online scams and crimes are reported.

He said people are often embarrassed at getting scammed or realize the crooks are so hard to track that prosecutors probably won't bother with an investigation into a few hundred dollars.

But some of the biggest companies in the world are talking openly about the threat.

Google Inc. recently disclosed that its online e-mail service was compromised, apparently by the Chinese government in attempt to spy on human rights activists, while Intel Corp. acknowledged in a government filing that it was the victim of a "sophisticated incident" in January.

Smaller businesses are also under fire.

Plano-based Hillary Machinery Inc. lost more than $200,000 last year to hackers who stole the company's online banking login information.

The Dallas conference will be a who's who of corporate bigwigs and government staffers.

Randall Stephenson, chief executive of Dallas-based AT&T Inc., will speak, as will Dell Inc. CEO Michael Dell.

Dell is the top sponsor of the event, as the company's purchase of Plano-based computer services firm Perot Systems Corp. has made Internet security a bigger focus for Dell.

Perot, incoming president of the EastWest Institute and a director at Dell, will be involved in the event. So will the chief information officer of Fort Worth-based American Airlines.

Peter Altabef, head of Dell Services and former CEO of Perot Systems, said corporate clients expect security to be a basic element of almost any computer service or system they buy.

"You've got the vast majority of organizations saying they're concerned," Altabef said. "And I think that's a justified concern."

One goal of the Cybersecurity Summit is to develop international relationships that make it easier to pursue and prosecute cybercriminals across borders, Altabef said.

Howard Schmidt, recently appointed White House cybersecurity coordinator, is expected to address the government's role in reducing theft.

Criminal element

There's growing concern about virus writers and thieves coalescing into criminal gangs.

"[T]hreats continue to evolve from mischievous hackers who pursue notoriety to organized criminals who steal data for monetary gain," Microsoft noted in a report on software security published last week.

Cybersecurity researcher Brian Krebs noted recently that old-school robbers with masks and guns stole $9.5 million from U.S. banks in the third quarter of 2009.

In that same time, cyber-thieves stole more than $25 million from bank accounts of small and mid-size businesses by hacking directly into the accounts or stealing passwords.

Earlier this year, a computer hacker from Miami was sentenced to 20 years in prison for stealing tens of millions of credit card numbers from businesses, including Dallas-based Dave & Buster's and 7-Eleven Inc.

The thief, 28-year-old Albert Gonzalez, also attacked Plano-based J.C. Penney Co. Inc., but apparently failed to steal any of the retailer's card numbers.

Gonzalez is believed to have conspired in the attacks with Russian accomplices.

Password theft seems to have been what hit Hillary Machinery, which saw a bit more than $800,000 drained from its account with PlainsCapital Bank in withdrawals over just a couple of days in November.

Hillary and PlainsCapital were able to recover about $600,000, but the two companies are suing over which of them is responsible for the remaining funds.

Hillary is lobbying for federal legislation that would require banks to provide the same refund guarantees in case of fraud on commercial accounts that are available to individual accounts.

"It's a national security issue in my opinion, and it's a jobs issue," said Troy Owen, Hillary's vice president of sales and marketing. "We had to put off hiring people at a time when we were trying to recover from a recession."

Owen said Hillary used all the basic security measures, including running anti-virus programs on its computers.

But anti-virus programs themselves are often a source of cybercrime.

In a report issued last week, Google said 15 percent of all malicious software programs posted on websites are fake anti-virus programs. The programs pop up and instruct viewers to click on a button to remove security threats.

But clicking on the button causes malware to be installed on the user's computer, removing the need for virus writers to actually hack into the system.

Even when legit anti-virus software is used, it's no panacea.

"Malware authors attempt to evade detection by continually releasing new variants in an effort to outpace the release of new signatures by anti-virus vendors," Microsoft noted in its report.

And the rush to get updated software out recently caused one vendor to fall on its face.

On April 21, McAfee Inc. pushed out a software update for its anti-virus software in response to "a new global threat to Windows PCs that attacks critical operating system components," as the company said on its blog.

But the update itself was not properly tested and caused thousands of computers to crash at companies worldwide.

The backlash against McAfee was severe, and the company has said it will reimburse "reasonable expenses" to home and home office users who were also affected.

Advanced attacks

Ed Amoroso, chief security officer at AT&T, said while simple viruses and worms dominated the headlines a few years ago, today's threats are much more advanced.

He said one of the biggest dangers comes from what are known as "botnets," networks of thousands or millions of hacked computers that are harnessed by hackers to send out spam e-mails, attack corporate and government networks and perform other malicious activities.

"The threat has definitely gotten bigger," Amoroso said.

Last week, Mesquite resident David Anthony Edwards pleaded guilty in federal court in Dallas to charges that he and another man built a botnet of 22,000 computers. After demonstrating how the botnet could be used to attack computers on other networks, a buyer agreed to buy source code and the botnet itself for about $3,000.

Amoroso said one of the reasons botnets are growing is that the software to create them is widely available and easily activated by programmers and Web surfers with only moderate hacking skills.

Chasing down cybercriminals is much tougher, though, with few official channels for tracking and prosecuting crooks who often operate out of multiple countries. Pavelites said there is some cooperation already between governments.

"We have had successes working directly with the Romanian police, with the Russian police, the fraud people in Nigeria, the organized crime people in the U.K.," he said. "We have had prosecutions, not just investigations."

Delegates from the U.S., China, Russia, Japan, Brazil and other nations will hash out concrete proposals at this week's summit to expand that cooperation, which will then be presented to official organizations like the United Nations

One of the institute's recent achievements was developing plans to lay undersea fiber optic cables in ways that make them less susceptible to damage and easier to repair. That ability to turn words into results is what spurred Perot to bring this conference to Dallas.

"I wouldn't be this involved if it wasn't focused on action," Perot said. "I'm not too big on just talking."

And Perot said the talking that does happen will be much more direct than typical diplomatic summits.

He described a recent EastWest delegation he led to China to meet with high-ranking government officials.

"We brought up Google," Perot said. "I said, 'Look, every time you do something with Google, you look weak. The Communist Party looks weak. Because none of us can figure out why you want to censor this stuff.' And they'd never thought of themselves as looking weak."

"I can't stress [enough] how frank conversations are when it's not official diplomacy," he said. "And we can get a lot more done unofficially."

Source: Dallas News

No comments:

Related Posts Plugin for WordPress, Blogger...