An October to remember, and the month is only halfway done.
So far, we’ve got Russian and North Korean spies, Swedish DDoS’ers, an evil software company that is about to go out of business, politicians that don’t understand encryption trying to regulate encryption and some of the most amazingly stupid things some otherwise bright and learned people said and did.
Kaspersky, one of the most respected, most popular (400 million users) and largest Cybersecurity companies in the world, has become the target of grandstanding politicians who are using it as a pawn in their chess match with President Trump.
One of our leading expert Cybersecurity analysts and congresswomen, Jeanne Shaheen, spewed forth an Op-ed diatribe in the New York Times linking the software to an illicit Presidential election campaign. She recommended banning it from use by any U.S. government agency or Federal contractor and strongly suggested it be removed and replaced by all businesses, due apparently to its location in Russia and the fact that an apparent Russian hacking group had weaponized it for use against U.S. spy agencies.
If you think this freight train is not going to impact everyday businesses, think again. I have a typical SME customer who is cancelling his license because as he puts it, “I’m not going to risk getting fired when we get breached and someone discovers we are running Kaspersky anti-virus software.”
Somehow, Shaheen managed to overlook the fact that Russia requested and was granted approval by Hewlett-Packard Enterprise to review all of their source code as a requisite for doing business in Moscow. Perhaps the difference here is that HP did not discover Stuxnet or the Equation Group or any of the other myriad Cyber-espionage programs operated by the NSA and out them like Kaspersky did.
And almost to the day, our Deputy Attorney General, Rod Rosenstein, called for a swift global move toward “responsible” encryption which to him means encryption that can be broken by our government anti-terrorist groups so that they can break into messaging services and read terrorist correspondence. This is also known as “warrant proof” encryption and was the basis for the fight with Apple over the events in San Bernardino.
While recognizing the need to balance important privacy interests against law enforcement priorities, Rosenstein emphasized the threat posed to public safety when technology developers deprive law enforcement of “crucial investigative tools.” In other words, not “responsible” encryption at all but rather a “convenient” encryption which is the equivalent of breakable and useless encryption.
He seems to have conveniently forgotten about law enforcement depriving software developers of crucial prevention tools like notices from the NSA that certain computer software products have holes. It is hard to believe that this is coming from what are supposed to be our most respected law enforcement agencies.
Then Equifax, seemingly hell-bent on setting world records for the Cyber-gift that keeps on giving, manages to fail the third-party security assessment test by allowing a compromised vendor to distribute malware on their site.
Claiming it has no control over the third party’s security is right in line with its earlier “defenses” about the breach itself, the patch that wasn’t, the fake website, the greedy attempt to extort even more money from its victims and the delay that shouldn’t have been. Bottom line: it just isn’t their fault.
One thing is clear. Equifax knows nothing about Information Security or Cybersecurity.
And just when you thought the little whack-job was going to melt into his own bellicose bravado, North Korea shows off its digital sophistication by hacking into the South Korean Defense Integrated Data Center and stealing 235 GB of classified US and South Korean Military information. This data of course contained plans to assassinate the diminutive dear leader, and a complete set of various planned responses to a North Korean invasion.
While some of us have been banging on our drum for years now about the increasing NoKo Cyber-threat, the U.S. seems content to continue focusing all of its attention on North Korea’s nuclear capabilities.
In the meantime, the rogue nuclear state has developed into one of the top four cyber powers on the planet. It has demonstrated that it employs sophisticated malware and espionage tactics and has developed a trained and highly skilled military Cyber-espionage army of 10,000 of their best and brightest.
This has all happened while we managed to create only a dozen or so Cybersecurity programs in our Universities and kept our focus instead lasered on developing safe-spaces for students and undergraduate programs in Adventure Education, Bowling Industry Management, and Farrier Science. Please don’t be shocked when the inevitable happens.
And finally, hackers attacked a couple of Swedish Transport Agencies with DDoS floods that managed to delay several trains for a day.
Not unlike the hack on the Bowman Avenue Dam in Rye Brook, New York, this attack was a probe of the defenses and vulnerabilities in a critical infrastructure component with broad IoT implications.
As we have noted about a million times, as more and more devices and machines come online, and we continue to fail to implement new Cybersecurity manufacturing standards and insist on ignoring the gaping holes in our existing IoT IT and Operational infrastructure, we will persist in presenting an expanded array of attack vectors that will all but invite the bad guys to attack.
I wonder what Rod Rosenstein and Jeanne Shaheen will have to say when we suddenly find ourselves without heat and electricity this winter. Probably nothing because they will be talking into a microphone that no one hears.
Can’t wait for the next two weeks.
This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management