Twitter’s numbers are astounding. In the physical world, when communities become larger and more densely populated, crime rises. The same applies to online communities.
CNET broke down Twitter’s recent blog post, which celebrates their significant numbers: “It took three years, two months, and one day for Twitter to hit 1 billion tweets; now, a billion tweets are posted in the course of a week. An average of 460,000 new accounts were created per day over the past month, and an average of 140 million tweets were posted per day. Twitter now has 400 employees, 50 of whom have been hired since January.”
Spammers, scammers, and thieves are paying attention.
Techland reports, “At least 10,000 Twitter users fell for a scam that spread like wildfire across the social networking site early today. Quick action by link shortening service bit.ly – as well as thousands of people retweeting warnings – brought the scam attack under control in a few hours.”
Common Twitter scams include:
Hijacked Accounts: Numerous Twitter accounts have been hacked, including those of President Obama and, recently, Ashton Kutcher. Kutcher’s account was most likely “Firesheeped,” which can occur when a wireless device is used to access an unsecured site.
Social Media Identity Theft: Hundreds of imposter accounts are set up every day. Sarah Palin, St. Louis Cardinals coach Tony LaRussa, Kanye West, The Huffington Post, and many others have been impersonated by fake Twitter accounts opened in their names.
Worms: Twitter has been plagued by worms, which spread messages encouraging users to click malicious links. When one user clicks, his account is infected and used to further spread the message. Soon his followers and then their followers are all infected.
Phishing: Hacked Twitter accounts are used to send phishing messages, which instruct users to click links that point to spoofed sites, where users will be prompted to enter login credentials, putting themselves at risk of identity theft.
Social media sites could go a long way in protecting their users by incorporating device reputation management. Rather than accepting information provided by an anonymous user, device reputation allows social sites to leverage knowledge about a device’s history—which could include spam, phishing attempts, predatory behavior, profile misrepresentation and even credit card fraud. Device reputation alerts businesses to suspicious behavior exhibited while bad actors are on their websites, uncovers the device’s true location, and exposes hidden relationships to other high-risk accounts and devices.
Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses social media hacking on Fox Boston.
This week consumers are receiving messages from trusted companies such as 1-800-Flowers, Chase, Hilton HHonors and others, letting them know that their e-mail addresses have been exposed due to the recent Epsilon data breach. This provides a perfect opportunity for cybercriminals, who may try to take advantage of the breach to send out phishing e-mails designed to steal user names and passwords. Since consumers are receiving legitimate e-mails, they may be less suspicious of the phishing or spear phishing ones.
Generally, when a credit card is compromised, a new number and card are issued, making the breach a forgotten inconvenience. However, when a Social Security number is breached, the victim can feel the effects for decades. Email addresses fall in the middle: consumers have the ability to change them, but they often weigh the pros and cons and keep them for convenience's sake. This is what makes getting phished more likely.
McAfee Labs believes scammers will probably wait until they figure out how best to turn their scams into money, and may wait until the news cycle dies down. That's why it is important for consumers to stay vigilant for a period of time, really for the entire time you possess a hacked email address.
Here are some tips for consumers to stay safe:
- Consider ditching your compromised address and starting new.
- Be aware that companies will never ask you for credit card information or other personal information in email. If you are being asked to provide that information, it’s a scam.
- If you are suspicious of an email, go directly to the Web site of the company that purportedly sent it and don't follow links in the email, as those may be fraudulent. Call the company's number listed on their Web site, not the number in the email, as that may be a fake.
- Consider unsubscribing from email communications and re-subscribing using a new email address for commercial communications. That way you know that messages that land in that new inbox are more likely to be genuine, as the new address wasn't part of the breach.
- Use the latest security software, including Web security features, to protect you from going to malicious Web sites such as phishing sites.
Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing the Epsilon breach for McAfee on Fox News.
A great many people (expert and layman alike) have been fighting a war on Cyber Warfare semantics these last few months. Some argue that Cyber Warfare is really nothing more than cyber espionage; others completely dismiss the notion that Cyber Warfare exists. Regardless of your opinion, Cyber Security in general and Cyber Warfare specifically are the talk of the town. Books are written, blogs are typed up and experts roar their opinions from every soapbox they can find. But what's the point?
Cyber Warfare only covers military networks
Every security expert worth his salt will agree with the simple statement that network and systems security permeates every aspect of today's society, and it is woefully underappreciated. Everyday life is controlled by all kinds of systems that find themselves connected to the internet, whether they should be or not. To think that this fact has gone unnoticed by military leaders all over the world is simple folly, and it is demonstrably false. Books about asymmetrical warfare such as Unrestricted Warfare (Q. Liang & W. Xiangsui, 1999) have much to say about targeting civilian systems during times of war, so it would be unwise to think that only military networks would be targets during a cyber war.
Cyber Warfare is really just Cyber Espionage
Some people argue that Cyber Warfare is just digital espionage, and that at best we could call it Cyber Espionage. This is probably based on China's numerous cyber espionage operations, but to think that this is the limit of what cyber warfare can do is naive. Even though there is no definitive proof (always a key issue in everything cyber) that it was Russia, the DDoS attacks on Georgian government websites at the same time Russian tanks came rolling across its borders were timely, to say the least. It could also certainly be argued that Stuxnet was politically motivated. Seeing as War is the "continuation of Politics by other means", this means it falls within the realm of cyber warfare.
Cyber Warfare doesn't exist
This is the Big One; the Big Denial. It's generally backed up by saying that the Cyber Warfare terminology is (mis)used to pull in a larger piece of the government budget, or to cede more control to the military. In some cases I've even seen this statement followed by several reasons that confirm that Cyber Warfare does exist, but that we shouldn't call it that because it has such 'negative connotations'. But when 150+ countries worldwide are ramping up their militaries to deal with Cyber Warfare, what is the point of such semantics? Sure, it can be argued that Cyber Warfare is nothing more than IT Security with a military flavor. In many ways it is. But is it not the use to which something is put that most determines the meaning of an action? Is intent not the factor that separates a Murder from an Accident, the factor that turns a kitchen knife into a murder weapon? The same can be said for guns. One man using a gun to kill someone is murder. When battalions of two or more nations engage each other for political motives, this turns it into War. The same reasoning can be applied to IT Security: if it is used by one nation state to further its political will upon another nation state, this is Cyber Warfare.
IT as a sector has historically been the realm of Geeks, Nerds and the Socially Awkward. You may not like it or agree with it, but this has been mainstream consensus for decades (though it is declining as technology becomes more common). IT Security as a specialization has historically been the realm of the Paranoid and the Technically Gifted in IT. You may not like it or agree with it, but this group is generally considered the Nay-Sayer of the IT world (though it is declining as Security becomes more important with the rise of internet connectivity). Cyber Warfare is a fringe area. A niche; a specialization in a specialization. Information Security is poorly understood by the mainstream populace, a fact well evidenced by the digital exhibitionism taking place on the various social networking sites. In fact, it is even poorly understood within the IT sector itself. How is the mainstream populace ever to understand how important Security is, if we can't even reach consensus amongst ourselves?
I feel that it is important that all of us should stop arguing over Semantics and start working together constructively. It is important for the IT sector as a whole to form a united front if we are to positively influence the security habits of those who we aim to help.
Crossposted from ArgentConsulting.nl
When you compare the cost of various services, you begin to see how much your time is worth. For example, it would take most homeowners a significant chunk of nights and weekends to paint a house themselves, but a professional crew can get it done in a week, for a reasonable price.
Recovering from identity theft can take as little as an hour for some, or up to several hundred hours for others. For some, it takes a lifetime. The average identity theft victim loses anywhere from $2800.00 to $5100.00, which, coincidentally, happens to be roughly the cost of painting a house!
Nicole Piquero, one of the most distinguished female criminologists in the nation, according to The Journal of Criminal Justice Education, explains, “Identity theft, also known as ‘identity fraud,’ has affected between 5 and 25 percent of U.S. households. Because of our increasing reliance on technology, and given the resourcefulness of hard-to-catch identity thieves, it seems likely that most if not all of us will at some point be victims of this crime or know others that have been.”
Piquero and her spouse, Alex Piquero, who has made significant scholarly contributions to the field, conducted a study that “reveals that most individuals will agree to a small tax increase to support government-sponsored identity theft prevention efforts.”
Unfortunately, the government isn’t doing anything to protect you. Fortunately, McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents.
Recently, the issue of cloud security came up in one of our meetings. I said, "USBs are going to be a thing of the past." At first we had the hype. Now we have the reality. More and more data is being stored in the cloud.
A recent article in PC World, "Public Cloud vs. Private Cloud: Why Not Both?" (http://www.pcworld.com/businesscenter/article/224228/public_cloud_vs_private_cloud_why_not_both.html), asks the question:
...a recent Info-Tech survey shows that 76% of IT decision-makers will focus initially or, in the case of 33% of respondents, exclusively on the private cloud.
"The bulk of our clients come in thinking private. They want to understand the cloud, and think it's best to get their feet wet within their own four walls," says Joe Coyle, CTO at Capgemini in North America.
But experts say a better approach is to evaluate specific applications, factor in security and compliance considerations, and then decide what apps are appropriate for a private cloud, as well as what apps can immediately be shifted to the public cloud.
Last year (http://stateofsecurity.com/?p=1046), we noticed the trend toward "consumer use of the cloud" and how that would leak into your enterprise. Now more companies are utilizing the cloud, even building private clouds that act as gated communities.
We know attackers are going to be doing everything possible to hop onto one of those clouds. Keep current with best practices by bookmarking sites like the Cloud Security Alliance (https://cloudsecurityalliance.org). Forewarned is forearmed.
Spyware is sold legally in the United States. This software records chats, emails, browsing history, usernames, passwords, and basically everything a person does on that PC. Some spyware programs can record everything in a video file, which can then be accessed remotely.
This is all perfectly legal as long as the PC’s owner installs the software. It is illegal to install spyware on a computer that is not your own.
Spyware can be great if, for example, you want to monitor your twelve-year-old daughter who obsessively chats online, or your employees whose lack of productivity has you wondering if they’re watching YouTube all day.
Spyware also comes in the form of a virus, which essentially does the same thing. When you click a malicious link or install a program that is infected with malicious software, several different types of spyware can be installed as well.
Spyware can also take the form of a keylogger or keycatcher, a USB device similar to a USB flash drive, which connects to a PC and piggybacks on the keyboard connection. Keycatchers have made a splash in schools, where students plug them into the back of teachers' PCs, trying to get test information ahead of time.
In England, two keyloggers were found plugged into public library computers. This would have allowed whoever planted the USB devices to access a record of activity on the compromised computers. “It’s unclear who placed the snooping devices on the machines but the likely purpose was to capture banking login credentials on the devices prior to their retrieval and use in banking fraud.”
Keep in mind that anyone with special access to a computer, including friends, family, and employees, poses the main threat. A cleaning person or security guard could always be paid to install spyware in order to record sensitive data.
Check your USB ports to make sure there are no mysterious devices attached to your PC. Prevent unauthorized software installation by password protecting the administrator account on your PC.
Only download files from trusted websites, and avoid torrents and software cracks, which are often seeded with spyware.
Never click “Agree,” “OK,” “No,” or “Yes” in a popup. Instead, hit the red X or shut down your browser by hitting Ctrl-Alt-Delete.
Keep your operating system's security patches updated, and be sure to install the latest, most secure version of your browser. And run McAfee Total Protection, including spyware removal.
McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com
Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing spyware on Fox Boston.
The term "Cyber Deterrence" is gaining traction lately, with regard to the act of deterring cyber attacks. I've seen at least one author (Richard Clarke) use it in his book about Cyber Warfare. In many cases the proponents of this term invoke existing Deterrence Strategies, such as the MAD doctrine that was used to deter the use of nuclear weapons during the Cold War, and use them as a model for Cyber Warfare.
As part of a Cyber Warfare course I am following, I was asked to write a research paper about Cyber Deterrence. In it, I was to research and analyze the proliferation of cyber capabilities and discuss cyber deterrence and its likelihood of success. I was to specifically address traditional methods of deterrence, including trade sanctions, import and export restrictions and other economic sanctions. After I started seriously working on this paper, I realized that all the sanctions in the world weren't going to apply to cyber warfare; a capable attacker would never give you a target to retaliate against.
I changed direction and, because I didn't want my paper to become a carbon copy of Martin Libicki's "Cyber Deterrence and Cyberwar" (RAND Corporation), I took a different approach that breaks Deterrence Theory into three parts. The assignment was very clear about the amount of material it was to contain, so it's fairly brief, but it covers the salient points well enough that I decided to upload the resulting work here on ArgentConsulting.nl.
Please find the Research Paper here: Cyber Deterrence - Methods and Effectiveness
The federal government anticipates spending $79 billion on information technology (IT) in fiscal year 2011. The Office of Management and Budget (OMB) plays a key role in overseeing the implementation and management of federal IT investments.
Given the size of these investments and their importance to the health, economy, and security of the nation, it is critical for OMB and federal agencies to provide appropriate program oversight and ensure adequate transparency. Over the past several years, GAO has issued a number of reports and testimonies on OMB's initiatives to highlight troubled projects, justify IT investments, and use project management tools. Partly in response to this prior work, in 2009 OMB deployed a public Web site--known as the IT Dashboard--that provides detailed information on approximately 800 major federal IT investments, including assessments of these investments' performance against cost and schedule targets (referred to as ratings). GAO was asked to testify on OMB's key efforts to improve the oversight and management of federal IT investments through the use of the Dashboard and other efforts. To prepare this statement, GAO drew on previously published work on IT investments, including OMB's Dashboard, agencies' oversight boards, and agencies' use of project management tools.
OMB has improved the oversight and management of IT investments through multiple initiatives. By establishing the IT Dashboard, OMB has drawn additional attention to troubled IT investments at federal agencies, which is an improvement from the previously used oversight mechanisms. The Federal Chief Information Officer (CIO) also stated that the Dashboard has increased the accountability of agency CIOs and established much-needed visibility into investment performance. However, GAO has found that the data on the Dashboard are not always accurate. Specifically, in reviews of selected investments from 10 agencies, GAO found that the Dashboard ratings were not always consistent with agency cost and schedule performance data. In these reports GAO made a number of recommendations to OMB and federal agencies to improve the accuracy of Dashboard ratings. Agencies agreed with these recommendations, while OMB agreed with all but one. Specifically, OMB disagreed with the recommendation to change how it reflects current investment performance in its ratings because Dashboard data are updated on a monthly basis. However, GAO maintained that current investment performance may not always be as apparent as it should be; while data are updated monthly, ratings include historical data, which can mask more recent performance. In addition to the Dashboard, beginning in January 2010, the Federal CIO began leading reviews--known as "TechStat" sessions--of selected IT investments involving OMB and agency leadership to increase accountability and transparency and improve performance. OMB officials stated that, as of December 2010, 58 sessions had been held and resulted in improvements to or termination of IT investments with performance problems. For example, the June 2010 TechStat session for a National Archives and Records Administration investment resulted in the halting of development funding pending the completion of a strategic plan. 
In addition, OMB identified 26 additional high-priority IT projects and plans to develop corrective action plans with agencies at future TechStat sessions. According to the Federal CIO, OMB's efforts to improve management and oversight of IT investments have already resulted in $3 billion in savings. Additionally, in December 2010, OMB issued an 18-month plan for reforming federal IT management that has five major goals, including strengthening program management, streamlining governance and improving accountability, and using shared solutions, among others. These goals and the plans in place to support them are consistent with GAO's work highlighting IT management and governance weaknesses, as well as work to identify duplicative activities in the government. As part of this plan, OMB has initiatives under way to strengthen agencies' investment review boards and to consolidate federal data centers. GAO has ongoing work to review the Dashboard and other OMB initiatives. These efforts, along with full implementation of GAO recommendations, could result in further significant savings and increased efficiency.
Source: http://gao.gov