
Posts categorized "Current Affairs"

Thursday, 13 March 2008

Harvard Hacker Breach Exposes Information On 10,000 Graduate Students And Applicants

The Associated Press is reporting (link) that Harvard University has suffered a serious data breach. Harvard has acknowledged that a hacker breached one of its computer servers. The server contained the personal information of approximately 10,000 graduate school applicants and students, including approximately 6,600 Social Security numbers.

Harvard Graduate School of Arts and Sciences
http://www.news.harvard.edu/gazette/2008/03.13/99-hacked.html

Boston Globe - Harvard student, applicant files breached
http://www.boston.com/news/education/higher/articles/2008/03/13/harvard_student_applicant_files_breached/

Saturday, 26 January 2008

Bush Orders Intelligence Cyber Security Monitoring Of Federal Agencies

Concerned about cyber security threats to our national security, President Bush signed on January 8, 2008 a classified directive (National Security Presidential Directive 54/Homeland Security Presidential Directive 23) directing the U.S. National Security Agency (NSA), the Central Intelligence Agency (CIA), and the Federal Bureau of Investigation's (FBI) Cyber Division to monitor the computer networks of all federal agencies.

The task force will be coordinated by the Office of the Director of National Intelligence (ODNI). Under the auspices of the ODNI, the Department of Homeland Security (DHS) will coordinate the protection of the computer networks of all federal agencies. The Pentagon will be in charge of coordinating strategic defensive and offensive responses to cyber attacks.

Although this order attempts to centralize the federal effort to protect federal agencies from cyber security threats, both foreign and domestic, it falls short on one key element: the inclusion of the private sector industries that make up our national critical infrastructure, such as energy companies, telecommunications providers, and health care organizations such as hospitals. Failing to include money and resources for these industries to better protect their critical information networks and assets is detrimental to our national security posture.

I'm in agreement that we need to protect federal agencies from cyber security threats. However, the Federal government must do more than pay lip service to the private sector and provide some real economic incentives, technology transfers, research, and coordination efforts with the private sector to protect industries critical to our national infrastructure and security.


Washington Post
Bush Order Expands Network Monitoring

Saturday, 05 January 2008

Pa. Government Website Compromised By Chinese Hackers

Early in the morning on Friday, January 4, 2008, the Commonwealth of Pennsylvania government website was infected with malicious code. To contain the infection, system administrators began a coordinated effort to shut down other commonwealth agency websites. System administrators and IT security staff were able to preliminarily identify the source of the compromise: a domain name registered in China.

The fact that this attack may have originated in China is not surprising. As early as 2006, the U.S.-China Economic and Security Review Commission (USCC), a U.S. Congressional commission, warned about China's cyber threat capabilities. According to the 2006 USCC annual report (http://www.uscc.gov/annual_report/2006/chapter3_sec1.pdf), China is creating military information warfare units and shifting its cyberwarfare posture to the offensive in an effort to disrupt enemy networks and information systems.

The U.S. Government is not alone in its assessment that China poses a major threat in terms of cyberwarfare capabilities. Recently the United Kingdom's counter-intelligence and security service, MI5, warned that China is sponsoring cyber espionage against key industries in the British economy.

When nations with vast resources, like China, decide to integrate cyberwarfare capabilities into their military forces, both private industry and governments around the world should take notice and rethink their views about cyber security. In the next few years, state-sponsored cyberwarfare will increasingly become a major threat of national security importance. To counter this threat effectively, there must be better cooperation and research between private industry and government.

Morning Call
State Web sites back after hack attack
http://www.mcall.com/news/local/all-a1_5web.6214422jan05,0,2068262.story

Associated Press
Hackers Force Pa. to Shut State Web Site
http://ap.google.com/article/ALeqM5iGKgY3SpKw7_p7A8MGHpTfSpN8mAD8TVE5SG0

Friday, 30 November 2007

Botnets Suspected Of Generating Over $20 Million In Economic Losses Disrupted By FBI

Computer "botnets" estimated to have generated over $20 million in economic losses for businesses and consumers were disrupted by the U.S. Federal Bureau of Investigation (FBI), U.S. Secret Service, U.S. Immigration and Customs Enforcement, and New Zealand Police. (FBI press release: http://www.fbi.gov/pressrel/pressrel07/botroast112907.htm)

"Operation Bot Roast II" is an excellent example of interagency cooperation by U.S. Federal and international law enforcement agencies in the fight against cyber crime.

While the law enforcement community has done its part, it is time for us as consumers to do our part to prevent cyber crime. If you have not already done so, please install anti-virus, anti-spyware, and firewall software and enable wireless encryption to protect your personal computer and networks. By following these basic computer security precautions, each of us can help deny criminals the infected machines botnets depend on.


Sunday, 11 November 2007

CDs Containing Social Security Numbers and Payroll Data For State Employees Missing in Nevada

The Associated Press (AP) is reporting that the Personnel Department of the State of Nevada has lost track of at least 470 compact discs (CDs) containing the Social Security numbers and payroll information of state employees during the past three years. The Personnel Department has sent more than 13,000 CDs to 80 agencies for processing, one batch for every two-week pay period, during the past three years.

The State of Nevada is enacting changes to ensure this type of data loss does not happen again including:

  • Discs will be signed for and returned to the Personnel Department after every pay period
  • Passwords will be required to read data stored on CDs
  • State employee information will be correlated to unique employee ID numbers instead of social security numbers

In my opinion, these public-relations-driven policy changes are window dressing rather than substantive data security, access, and audit controls to prevent the misuse of sensitive personal and financial information of state employees.

It is time government agencies do a better job of protecting our personal and financial information.

Tuesday, 16 October 2007

Comcast (NASDAQ: CMCSA) Law Enforcement Surveillance Practices

The Federation of American Scientists (www.fas.org) Project on Government Secrecy has recently commented regarding Comcast's (NASDAQ: CMCSA) support for law enforcement investigation and domestic surveillance activities.

The "Comcast Cable Law Enforcement Handbook" (download the PDF at: http://www.fas.org/blog/secrecy/docs/handbook.pdf), while supportive of the U.S. law enforcement community, sets clear guidelines for protecting the privacy of Comcast customers. Comcast also requires a $1,000.00 setup fee and an ongoing $750.00 monthly fee to install any device needed to comply with surveillance requests authorized under the Foreign Intelligence Surveillance Act (FISA).

The FAS comments:

"The role of telecommunications companies in intelligence surveillance is under increased scrutiny as the Bush Administration seeks to shield the companies from any liability associated with their cooperation in what may be illegal warrantless surveillance." (see blog: http://www.fas.org/blog/secrecy/2007/10/implementing_domestic_intellig.html)

As a law-abiding U.S. citizen, I find it encouraging to see Comcast follow the law in requiring the law enforcement community to adhere to the letter of the law when fulfilling investigative requests, instead of blindly following the U.S. executive branch in support of any warrantless surveillance programs.


Sunday, 14 October 2007

Data Breach at Montana State University: 1,400 People Affected

Montana State University issued a press release on October 12, 2007 regarding a data security breach possibly affecting 1,400 people "who enrolled online for MSU Extended University courses during the last two years."

MSU states that the stored data which may have been exposed was protected by encryption. The exposed data may include credit card and Social Security numbers.

MSU has set up a dedicated web site with more information on this incident at: http://eu.montana.edu/security/

Friday, 07 September 2007

APEC Summit Security Breached By TV Comedians

Security at the Asia-Pacific Economic Cooperation Summit (APEC - www.apec2007.org) in Sydney, Australia was penetrated by a group of television comedians who created a fake motorcade that was allowed through two security checkpoints. One of the comedians was dressed as Osama Bin Laden.

The motorcade drove through the city and passed through checkpoints (including one with bomb-sniffing dogs). Eventually the motorcade was stopped by police, only a few meters from the hotel where U.S. President George W. Bush was staying. Understandably, police did not find this prank amusing.

It is estimated that the Australian government invested at least $170 million in security for this event. This incident highlights an important lesson: no amount of resources (people, technology, or money) can guarantee 100% security, and a convincing impersonation of an expected, trusted party can walk past layered physical controls just as it does past technical ones.

CNN
Prank breaches Sydney Security

Associated Press
Sham Motorcade Passes by APEC Security

Tuesday, 28 August 2007

China Denies State Sponsored Computer Hacking

China is officially denying any involvement in state-sponsored computer hacking directed at the German government (PC World article: German Government PCs Hacked). A few days earlier the German magazine Der Spiegel had reported that German government computers had been compromised by Chinese hackers.

Whether or not any government involvement is proved in this incident, the case illustrates the need for governments around the world to shore up their critical and technology infrastructures against attack. Here in the U.S. this debate has raged for quite some time.

Too often, as citizens of any country, we fail to foresee the social and economic impact of a major attack on critical infrastructure, including the Internet. Today the Internet is intertwined with almost every facet of our daily lives. It's time we, as citizens of the world, ask our governments to invest in protecting the critical and technology infrastructures that our daily lives depend on.

I would guess it may be easier for a state-sponsored terror network to create panic in any country by knocking out the technology infrastructure, thereby impacting our telephones, cellular phones, on-line banking, air traffic control systems, building environmental controls, etc., than it is to do physical harm to any of our airports, schools, shopping centers, etc.

If governments don't wake up to the fact that critical and technology infrastructures must be better protected, we could wake up one morning back in the stone age, without the conveniences of the modern world.

Tuesday, 21 August 2007

Identity Theft Ring Targets Forbes 400 Richest Americans

Identity (ID) theft is a serious crime affecting people from all walks of life. Now it seems this type of crime has also reached some American millionaires and billionaires.

InformationWeek.com is reporting (http://www.informationweek.com/security/showArticle.jhtml?articleID=201800899) the announcement by Manhattan District Attorney Robert M. Morgenthau (http://www.manhattanda.org/whatsnew/index.htm) of the arrest of members of an ID theft gang who targeted billionaires from Forbes magazine's list of the 400 richest Americans.

I believe the law enforcement community acted appropriately in setting up the year-long undercover operation that led to these arrests. Hopefully these criminals will be convicted of their crimes. However, this case makes me think there is another incident worthy of criminal prosecution.

In January, TJX Companies, Inc. (NYSE:TJX) disclosed the largest credit card data breach to date, affecting tens of millions of payment cards belonging to American consumers. Although this security incident affected far more people than the Forbes 400 case, it has not warranted or yielded ANY criminal prosecutions to date. Last week TJX Companies, Inc. announced that costs from this massive data breach may surpass $118 million.

Perhaps soon we will read on the news wires that the culprits behind the TJX data breach are also being prosecuted for ID theft crimes affecting millions of ordinary consumers, not just the uber-wealthy.

Jaime