[tags]news, cell phones, reports, security vulnerabilities, hacking, computer crime, research priorities, forensics, wiretaps[/tags]
The Greek Cell Phone Incident
A great story involving computers and software, even though the main hack was against cell phones:
IEEE Spectrum: The Athens Affair.  From this we can learn all sorts of lessons about how to conduct a forensic investigation, retention of logs, wiretapping of phones, and more.

Now, imagine VoIP and 802.11 networking and vulnerabilities in routers and…. —the possibilities get even more interesting.  I suspect that there’s a lot more eavesdropping going on than most of us imagine, and certainly more than we discover.

NRC Report Released
Last week, the National Research Council announced the release of a new report: Towards a Safer and More Secure Cyberspace.  The report is notable in a number of ways, and should be read carefully by anyone interested in cyber security.  I think the authors did a great job with the material, and they listened to input from many sources.

There are 2 items I specifically wish to note:

1. I really dislike the “Cyber Security Bill of Rights” listed in the report.  It isn’t that I dislike the goals they represent—those are great.  The problem is that I dislike the “bill of rights” notion attached to them.  After all, who says they are “rights”?  By what provenance are they granted?  And to what extremes do we do to enforce them?  I believe the goals are sound, and we should definitely work towards them, but let’s not call them “rights.”
2. Check out Appendix B.  Note all the other studies that have been done in recent years pointing out that we are in for greater and greater problems unless we start making some changes.  I’ve been involved with several of those efforts as an author—including the PITAC report, the Infosec Research Council Hard Problems list, and the CRA Grand Challenges. Maybe the fact that I had no hand in authoring this report means it will be taken seriously, unlike all the rest.   More to the point, people who put off the pain and expense of trying to fix things because “Nothing really terrible has happened yet” do not understand history, human nature, or the increasing drag on the economy and privacy from current problems.  The trends are fairly clear in this report: things are not getting better.

Evolution of Computer Crime
Speaking of my alleged expertise at augury, I noted something in the news recently that confirmed a prediction I made nearly 8 years ago at a couple of invited talks: that online criminals would begin to compete for “turf.”  The evolution of online crime is such that the “neighborhood” where criminals operate overlaps with others.  If you want the exclusive racket on phishing, DDOS extortion, and other such criminal behavior, you need to eliminate (or absorb) the competition in your neighborhood.  But what does that imply when your “turf” is the world-wide Internet?

The next step is seeing some of this spill over into the physical world.  Some of the criminal element online is backed up by more traditional organized crime in “meat space.”  They will have no compunction about threatening—or disabling—the competition if they locate them in the real world.  And they may well do that because they also have developed sources inside law enforcement agencies and they have financial resources at their disposal.  I haven’t seen this reported in the news (yet), but I imagine it happening within the next 2-3 years.

Of course, 8 years ago, most of my audiences didn’t believe that we’d see significant crime on the net—they didn’t see the possibility.  They were more worried about casual hacking and virus writing.  As I said above, however, one only needs to study human nature and history, and the inevitability of some things becomes clear, even if the mechanisms aren’t yet apparent.

The Irony Department
GAO reported a little over a week ago that DHS had over 800 attacks on their computers in two years.  I note that the report is of detected attacks.  I had one top person in DC (who will remain nameless) refer to DHS as “A train wreck crossed with a nightmare, run by inexperienced political hacks” when referring to things like TSA, the DHS cyber operations, and other notable problems.  For years I (and many others) have been telling people in government that they need to set an example for the rest of the country when it comes to cyber security.  It seems they’ve been listening, and we’ve been negligent.  From now on, we need to stress that they need to set a good example.

[posted with ecto]