Bots may be trumping online polls

Politicians are fond of saying that the only poll that matters is the one on election day.

That may be especially true this year when it comes to online polls, which, like anything in the digital, connected world, are vulnerable to mischief.

The mischief is enabled by bots – hundreds to many thousands of computers under the control of an attacker. Such botnets are more typically used to send out spam, mount Distributed Denial of Service (DDoS) attacks and commit various kinds of fraud, but in this case they are used to skew poll results. They can make it look as though public opinion views one candidate as the winner of a debate when a real vote would show that the other candidate won.

The OPM breach report: A long time coming

If you want to have even a chance of defeating cyber attacks, you have to be quick.

So, in hindsight, there is no mystery why the federal government’s Office of Personnel Management (OPM) was a loser to attackers who exfiltrated personal data – including in many cases detailed security clearance information and fingerprint data – of more than 22 million current and former federal employees.

Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later.

BSIMM7: Older then, younger now

As the BSIMM (Building Security In Maturity Model) gets older, it is also getting younger.

With the release of the seventh version of the software security measurement tool, launched in 2009 by Cigital CTO Gary McGraw along with colleague Sammy Migues, and Brian Chess, then of Fortify Software, the average “maturity” of the membership is declining, said McGraw.

The goal from the beginning has been to help software developers use real-world data and analysis designed to build security into their products from the start, rather than try to bolt it on later.

As McGraw said at the time, “It doesn’t tell you what you should do. It tells you what other people are already doing.”

Information sharing still a heavy lift

Everybody shares stuff, man.

That line, from ‘70s stoner comics Cheech and Chong, was about sharing joints, of course.

But today it is about information, and the message from top-level government financial and intelligence officials is that everybody needs to do more of it.

At the Cambridge Cyber Summit this week, held at MIT’s Kresge Auditorium and sponsored by MIT, The Aspen Institute and CNBC, several of them stressed that effectively countering the level and sophistication of cyber threats to the nation’s financial, economic and political system is going to require more sharing between the public and private sectors.

“Collaboration” and “cooperation” were mentioned frequently.

Security vs. privacy: The endless fiery debate continues

The intractable nature of the “privacy vs. security” debate, in a world where the internet is a tool for criminals, spies and terrorists as well as for billions of law-abiding citizens, was on full display during Wednesday’s Cambridge Cyber Summit at MIT.

Not surprisingly, it didn’t get resolved.

The event, hosted by The Aspen Institute, CNBC and MIT, featured top-level government officials, private-sector experts and activists, who all agreed that there needs to be a “conversation” about how to “balance” the two, and that to achieve it will require more effective cooperation between the public and private sectors.

But there was no agreement about where that balance lies. About the best they could do, after some conversation that got chaotic at times, was agree that they should continue the conversation.

ICS vulnerabilities are still rampant

To put it in somewhat technical terms, the nation’s industrial control systems (ICS) – part of its critical infrastructure – are not only vulnerable to compromise, they are likely compromised right now.

Or, in Paul Dant’s much more blunt, and less technical terms, “your sh– is f–ked.”

Dant, chief strategist and managing principal at Independent Security Evaluators, was one of three experts on a panel titled “Securing Industrial Control Systems” at the recent Security of Things Forum in Cambridge, Mass.

He added that he believes more attacks on US critical infrastructure are inevitable. “To think that stuff is not vulnerable is a complete fallacy.”

Medical devices: Many benefits, but many insecurities

In the world of medical device security, success comes down to having the capability to fail gracefully.

This is not as oxymoronic as it might seem, Kevin Fu told an audience at the Security of Things Forum in Cambridge, Mass., on Thursday. What is more important than bulletproof security, he said, is the ability to contain or “localize” breaches or infections so they don’t disrupt the continuity of operations.

Fu, CEO and cofounder of Virta Laboratories, whose opening keynote was titled “Your Fly is Down: Managing Medical Device Security Risk,” was just one of several experts who said the security of those devices could be drastically improved simply by practicing basic security hygiene.

Hack the vote: Experts say the risk is real

You should be worried about the November election. Not so much that the candidates you support won’t win, but about the risk that the “winners” may not really be the winners, due to hackers tampering with the results.

Or, that even if the winners really are the winners, there will be enough doubt about it to create political chaos.

This is not tinfoil-hat conspiracy theory. The warnings are coming from some of the most credible security experts in the industry.

Richard Clarke, former senior cybersecurity policy adviser to presidents Bill Clinton and George W. Bush, wrote recently in a post for ABC News that not only are US election systems vulnerable to hacking, but that it would not be difficult to do so.
