Tag Archives: regulations

Cybernews from the dark side – June 4, 2014.

True to my word, herewith, the second installment of my new weekly (or so) series, ‘dark news from the cyber-side’, or something like that…

Today the main topic will be about the security of critical infrastructure; in particular, about the problems and dangers to be on the watch for regarding it. Things like attacks on manufacturing & nuclear installations, transportation, power grid and other industrial control systems (ICS).

Actually, it’s not quite ‘news’ here, just kinda news – from last week: fortunately critical infrastructure security issues don’t crop up on a weekly basis – at least, not the really juicy bits worthy of a mention. But then, the reason for that is probably that most issues are kept secret (understandable, but worrying all the same) or simply that no one is aware of them (attacks can be carried out on the quiet – even more worrying).

So, below, a collection of curious facts to demonstrate the current situation and trends as regards critical infrastructure security issues, and pointers to what needs to be done in face of the corresponding threats.

Turns out there are plenty of reasons to be bowled over by critical infrastructure issues…

If ICS is connected to the Internet, it comes with an almost 100% guarantee of its being hacked on the first day

The motto of engineers who make and install ICS is ‘ensure stable, constant operation, and leave the heck alone!’ So if a vulnerability in the controller is found through which a hacker can seize control of the system, or the system is connected to the Internet, or the password is actually, really, seriously… 12345678 – they don’t care! They only care about the system still running constantly and smoothly and at the same temperature!

After all, patching or some other interference can and does cause systems to stop working for a time, and this is just anathema to ICS engineers. Yep, that’s still today just the way it is with critical infrastructure – no seeing the gray between the black and the white. Or is it having heads firmly stuck in the sand?

In September last year we set up a honeypot, which we connected to the Internet and pretended was an industrial system on duty. The result? In one month it was successfully breached 422 times, and several times the cyber-baddies got as far as the Programmable Logic Controllers (PLCs) inside, with one bright spark even reprogramming them (like Stuxnet). What our honeypot experiment showed was that if ICS is connected to the Internet, that comes with an almost 100% guarantee of its being hacked on the first day. And what can be done with hacked ICS… yes, it’s fairly OMG. Like a Hollywood action movie script. And ICS comes in many different shapes and sizes. For example, the following:

Nuclear malware

Read on: absence of light will only be the result of burned out bulbs and nothing else…

Kentucky Fraud Kickin’.

The Internet and mobile devices and related gadgetry have brought so much incredibly useful stuff into our lives that sometimes it’s hard to imagine how on earth anyone managed without it before. You know, purchasing airline tickets and checking in, online shopping and banking, multi-device data sharing, keeping the kids occupied on the backseat of the car with a film on their tablets (in my youth you just sat there or played I Spy). But I digress, and so early on in this post…

Alas, along with all the good and helpful stuff to make life easier, the Internet’s brought us other stuff – bad stuff that’s harmful and dangerous. Malware, spam, hard-to-trace cybercrims, cyberweapons, etc., etc. There’s also Internet fraud, which is what I’ll be writing about in this post, or – more to the point – how to combat it.

But let’s start with the basics: who suffers from Internet fraud?

Consumers? Well, yes, but not much compared with businesses: the brunt of the cost of online fraud is taken by banks, retailers, and in fact any online operators.

The brunt of the cost of online fraud is taken by online operators

A few figures to illustrate the scope of Internet fraud:

  • In 2012 in the United States alone, direct losses from online fraud came to $3.5 billion;
  • Those losses were made up of about 24 million fraudulent online orders;
  • Almost 70 million orders were cancelled due to suspicion of foul play.

All rather alarming.

Online financial fraud

In the meantime, are online operators generally taking any measures against fraud?

Of course they are. Plenty!

Read on: budgets, people but not the right tools…

Breathe the pressure!

Prevention is better than cure. And that goes for fighting patent trolls too.

With this old adage in mind we recently filed a lawsuit against Device Security LLC seeking invalidation and non-infringement of the patent covering the tech involved in protecting data on mobile devices. This marks a distinct change of tactics on our part: though we’ve been warring with patent parasites for eight years already, this is the first time we’ve gone for a preventative attack.

Kaspersky Lab vs Device Security LLC

Read on: So why have we done this, and why?…

“To live is to war with trolls”*

The euphoria after our recent single-handed victory over a patent troll has died down – a little. It was real nice to read lots of different accounts of the good news (like this, this, this, this and this) and multiple encouraging comments from users. However, the real struggle has only just begun – ahead lies a lot of hard work and hassle, albeit interesting hassle. So now’s probably a good time to sum up everything.

Read on: The first and main thing – never let your guard down…

Revenge can be sweet, especially against patent trolls.

Payback can be slow – painfully slow – in coming, but thankfully, at last, it does seem to be showing signs of finally arriving and hitting some most unsavory types – patent trolls – squarely in the nether regions.

I’ve already waxed lyrical here about trolls and what needs to be done to up the fight in tackling this scourge.

Here, let me give you a quick review of what needs to be done:

  • Patent use to be limited – a ban on claims for a term preceding their acquisition;
  • Mandatory compensation of a defendant’s expenses if a lawsuit against it is either defeated in court or withdrawn;
  • A ban on patent aggregators bringing lawsuits;
  • An increase in the required detail and accuracy of patent descriptions, and mandatory technical expert examinations;
  • The main thing: not for ideas to be patented, but their concrete practical application.

Sometimes it seems like US legislators read my blog! Finally, something is getting done – and not just anywhere, but in the state of Vermont, where the first anti-troll law has come into effect!

There’s a lot of interesting stuff in this law, but what I like most in it is that now a defendant company can demand from a patent troll reimbursement of all its legal costs if it manages to prove that the troll did not act in good faith.

More: Special thanks for the law go to … a patent troll!

Patents against innovation – cont’d.

“Patents against innovation”. Sounds as paradoxical as “bees against honey”, “hamburger patties against buns”, “students against sex” or “rock ‘n’ roll against drugs”.

Patents against innovation? How can that be possible? Patents exist to protect inventors’ rights, to provide a return on R&D investment, and generally to stimulate technological progress. Well, maybe it’s like that for some things, but in today’s software world – no way.

Today’s patent law regarding software is…well, it’s a bit like one of those circus mirrors where reality is distorted. Patent law is now just so far removed from common sense that it’s patently absurd; the whole system right down to its roots needs to be overhauled. ASAP! Otherwise innovative patents meant to encourage and protect will simply fail to materialize. (Good job, patent system. Stellar work.)

So how did everything end up so messed up?

Well, despite the virtuous original intention of patents to protect inventors – today they’ve mainly turned into nothing more than an extortion tool, whose objective is just the opposite of protecting innovation. The contemporary patent business is a technological racket – a cross-breed between… a thieving magpie and a kleptomaniac monkey – with a malicious instinct to drag anything of value back to its lair.

Growth in the number of patent lawsuits with the participation of trolls

 Source: PatentFreedom

Now for some detail. Let’s have a closer look at the patent business.

More: aggregators, trolls and pools …

Obama: patents patently barmy.

A serious issue I’ve been critically writing and talking about for several years has finally made its way up through the echelons of power to find itself being officially recognized – and condemned – by no less than the President of the USA! Indeed, the day before President’s Day Barack Obama issued a strong rebuke against patent trolls! Ye gods. At last some sense from the top! …

More: Obama: patents patently barmy…

A Move in the Right Direction.

Barack Obama signs an executive act regulating cyber security

On Tuesday, President Obama issued a long awaited Executive Order on cyber security intended to expand and deliver more robust information sharing between government and the private sector.  The Executive Order also requires the development of a voluntary cyber framework and standards to improve protection of the U.S. critical infrastructure.  The Executive Order rightly focuses on a risk-based approach.  Resources are limited and prioritization to secure those areas most at risk is smart policy.  The sophistication of threats and targeted attacks on key economic sectors around the world stresses the urgency that action be taken to better secure critical infrastructure.  This effort by President Obama is a positive step to address a real gap in the protection of critical assets necessary to the well being of the United States.

The risk to critical infrastructures is real, and an international challenge that must be addressed by governments and the private sector together. As we see more threats to the national and economic security of countries, action must be taken to better protect those critical national infrastructures. Attacks like Stuxnet, Flame, Gauss and Shamoon are becoming commonplace and keep growing in sophistication.

I believe this executive order is a move in the right direction as it seeks to increase digital defenses of critical infrastructure, and tries to facilitate the exchange of threat information between the government and private sector.  Better cooperation between governments around the world and their private sectors to improve sharing of timely and relevant cyber threat information is essential. Likewise, operators of the critical infrastructures must work to implement flexible performance based standards to secure their assets.

We are at a critical juncture on cyber security protection, and leadership in the U.S. and around the world is essential.  We hope that other nations and unions will follow this example and take steps to better protect their national critical infrastructures.

We’re ready to support and assist in national and international cyber defense efforts with our research, technologies and people.

Worse than Cheese: Scary Scenarios Causing Nightmares Now – the Five Main Issues of IT Security.

Here I’m presenting my List of the Five Main Issues Facing IT Security, in the broad sense of the term. I should say straight away that I don’t have prescriptions for solving all five issues. The aim of this post is more to identify the problems, let you start to muse on them, and hopefully draw you into the fold of their ongoing discussion by raising your interest, empathy and/or sympathy!

More: Worse than Cheese: Scary Scenarios Causing Nightmares Now – the Five Main Issues of IT Security…

Don’t Feed the Troll!

Good news! After 3.5 years of legal battles with patent trolls we have finally won a resounding victory! This was our first patent litigation battle in the US and we won! And this is not just some ordinary legal victory …

More: Don’t Feed the Troll!…