SC’s 2011 influential IT security thinkers
• Sameer Bhalotra, White House deputy cybersecurity coordinator
Social networking, hacktivism, advanced persistent threats, cyberespionage, mobile malware, the entry of portable, handheld devices (smartphones, tablets) into the enterprise environment…these are just a few of the most prominent challenges security professionals must contend with each day. This year-end special section focuses on people who represent the highest degree of professionalism in the security space, individuals who stand out for their technical skills, managerial prowess, insight and advocacy. As well, interspersed are some of the highlights in the year’s strongest trends, including top breaches and threats, merger and acquisition activity and legal developments, as well as some of the nuttiest news stories in the cybersecurity world.
Occupation: White House deputy cybersecurity coordinator
Personal: Married, two children
College: B.S., chemistry and physics, Harvard University; Ph.D., physics, Stanford University
Recent accomplishments: executive branch development of cybersecurity legislation proposal, National Strategy for Trusted Identities in Cyberspace, and cybersecurity management reform
The three weeks from the end of April to the middle of May was a memorable time for Sameer Bhalotra, the White House’s deputy cybersecurity coordinator. Bhalotra, along with his boss, White House Cyber Coordinator Howard Schmidt, oversaw the release of not one, but three major initiatives on cybersecurity. For Bhalotra, who signed on in July 2010, this was the outcome of long days facilitating lengthy meetings with two dozen executive agencies.
Along with Schmidt, Bhalotra is the architect of the administration’s cybersecurity legislative proposal, released on May 12. But there was more. Four days later came the first International Strategy for Cyberspace. Previously, on April 26, his office released its National Strategy for Trusted Identities in Cyberspace (NSTIC), which seeks to establish clear privacy rules and greater security within a proposed identity ecosystem.
Accolades abounded for the 35-year-old Bhalotra, whose meteoric rise has taken him from a doctorate in physics at Stanford into the intelligence community, the Senate and his current post.
He achieved what no one in the Department of Homeland Security or the White House was able to do before by bringing the players together and getting them to work harmoniously, Alan Paller, research director for the SANS Institute, says of Bhalotra’s work on the legislative blueprint.
Bhalotra was sought for that mission. Soon after his appointment, Senate Majority Leader Harry Reid, D-Nev., asked the administration to weigh in on cybersecurity considering the 50-plus bills floating around the Hill. With this golden opportunity, Schmidt’s office decided on a comprehensive approach. It was a minefield – within the executive branch, as well as between government and industry – but Bhalotra navigated it skillfully.
But, Bhalotra prefers to deflect attention from himself. “I’m proud to be yet another hard-working member of the White House staff,” he says. “This was a team effort. Our leadership in the West Wing takes cybersecurity seriously.”
“He’s a little publicity shy, actually more than a little,” says Robert Rodriguez, a friend of Bhalotra’s and the founder of the Security Innovation Network. “He likes to work under the radar. But he’s the man behind all of it…Those were three huge accomplishments.”
On the legislative proposal, Bhalotra coordinated massive intergovernmental collaboration among such agencies as the FBI, National Security Agency and departments of Defense, Commerce, Justice and Homeland Security.
“Managing that process was a great experience,” Bhalotra says. The goal was to come up with recommendations to give Congress, of which securing America’s critical infrastructure and information sharing between DHS and industry stand out. Its release “was a great and clear end to a very rigorous process,” he says.
Bhalotra’s training for this process came during his nearly four years in the Senate. In 2007, he was brought onboard in a unique bipartisan role as a top staffer for the Senate Select Committee on Intelligence. He quickly seized on cybersecurity as a major issue and became an expert among Beltway staffers on the topic.
Bhalotra found few colleagues there dedicated exclusively to cybersecurity. So he began an informal group, where he gathered Senate and House staffers monthly to discuss cybersecurity and their work. These “cyber jams” allowed his peers to get briefings from officials, information on important issues and visits to security companies. What began with a half-dozen people grew to more than 30, Bhalotra says.
In the Senate, Bhalotra gained many admirers, among them committee chairs Jay Rockefeller, D-W.Va., Kit Bond, R-Mo., and Dianne Feinstein, D-Calif. His reputation led to Schmidt’s call. And he brought this knowledge of how Congress works to the White House.
“He knows where the money is spent,” says Paller, who calls Bhalotra brilliant and catalytic in his influence. “He’s a wonderful bridge between the two.”
From a young age, Bhalotra, who grew up in New England, worked with computers. He’d tinker with electronics in his home, taking apart computers, VCRs and telephones. His parents were “amazingly tolerant,” he says. “I was lucky I didn’t burn down the house or electrocute myself.”
Bhalotra carried this passion to his undergraduate years at Harvard, where he studied physics and chemistry and even taught classes on laboratory electronics as an upperclassmen. His graduate school thesis covered optical sensing in electronics. At Stanford, where he earned a doctorate in physics, his research was funded by the secret Defense Advanced Research Projects Agency (DARPA).
Bhalotra returned east to accept a position with the CIA, where he was assigned to the director’s staff. Next, he moved to the office of the director of national intelligence, where he was again involved in Cabinet-level policy discussions. His work on cybersecurity “exploded” after he moved to the Senate.
“I’m a technologist by training,” he says. “And I find cybersecurity so sophisticated, complicated in an interesting way, and important to the country.”
There’s little time to rest for Bhalotra, who is already meeting with Congress on the administration’s legislative proposal. In addition, he is also focused on bringing others into public service to meet cybersecurity’s fresh challenges. He has mentored many young staffers on the Hill. With his distinguished résumé, Bhalotra has cut the model. He hopes others in academia and industry will follow.
“One of my personal interests is trying to bring new people into government,” he says. “We need to tap into the best minds in the country to solve these problems and move forward.” – Ryan Goldberg
Occupation: chief information security officer, Providence Health & Services
Personal: Married, four children
College: B.S., computer engineering, California State University-Sacramento
Something of a perfect storm for privacy and security is converging in the health care industry. As part of last year’s Patient Protection and Affordable Care Act, companies are now required to digitize their medical records, but with this push come greater threats and challenges.
Eric Cowperthwaite, the chief information security officer of Providence Health & Services, which employs 54,000 people in Washington, Oregon, California, Alaska and Montana, is facing these challenges proactively.
Providence, which operates 214 physician clinics, 27 hospitals, a health plan and many other services, has cut a model for other Catholic health care organizations in protecting patients’ information from an increasing number of breaches.
This was borne out of necessity: in 2008, Providence was the first organization to enter into a resolution agreement with Health & Human Services (HHS) to resolve allegations of violating the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Cowperthwaite, 44, has overseen the successful implementation of that agreement.
“They have the most mature program that I’m aware of in health care delivery,” says Gartner analyst Paul Proctor. “Eric has a program that rivals those in financial services.”
The federal government and business side of the industry, Cowperthwaite says, are “pushing us down the road of 100 percent electronic records. All patient information has to be in accessible, open systems.” These systems “will be a one-stop shopping center for all the information you could want about a single person.”
However, confidential information – personal and financial in nature – is incredibly valuable for those who want to steal it. Breaches cost the health care industry $6 billion a year, according to the Ponemon Institute, and the majority of those intrusions currently come from insiders. At the same time, HIPAA and 2009’s Health Information Technology for Economic and Clinical Health Act, or HITECH Act, levy heavy fines for the loss of patients’ information.
At Providence, protection of that data begins with recognition and emphasis. By design, Cowperthwaite reports to the chief risk officer instead of the chief investment officer. He believes he’s the only one among his peers at Catholic health organizations who does this.
“I think it’s a recognition that information security is a critical function of the business,” he says. “It’s not just an IT issue, but it touches the whole business.”
Providence did not have much of a security program to speak of before Eric, Gartner’s Proctor says. “They brought Eric in to build that program up.”
What began with six employees not well versed in information security has become a staff of 19 who report to Cowperthwaite directly, and another 33 people assigned in a matrix role. He is the single point of contact from the security side to those managing the electronic medical record rollout, with multiple teams of auditors, managers and privacy and compliance staff asking questions about access controls and complying with federal regulations.
Cowperthwaite has set the first line of defense for Providence with its employees. All of them must undergo privacy, security and compliance training every year. Cowperthwaite also customizes training for different business units. If, for example, his staff notices emails being sent that contain confidential information, they will educate that particular unit rather than send a company-wide email blast.
A leading area of focus for Providence has been with its employees in the field. As a Catholic entity, home care and hospice are significant parts of the mission. The laptops and mobile devices being used hold vital patient information.
Cowperthwaite has established several policies to mitigate potential threats: Employees are required to activate security controls and keep their computers within sight, the amount of data on them is limited to that day alone, and they are shut down while in transit and cable-locked in employees’ trunks. Above all, employees are made aware of why all these safeguards matter.
These measures stand out following Providence’s previous slip-up. According to published reports, HHS investigated the company after it fielded more than 30 complaints from people whose information was compromised after unencrypted laptops, optical disks and backup tapes went missing, having been left unattended between September 2005 and March 2006. In all, 386,000 patients were opened to potential identity fraud.
Providence agreed to settle the allegations for $100,000, and successfully implemented a systems improvement plan. Cowperthwaite says the organization had already decided to make significant changes to its security program before the deal. He says HHS recently notified them that they have met all of their mandates.
“I’m proud that we are the first organization to come out of that in a really good way,” he says. “We went above and beyond what they required of us.”
For Cowperthwaite, this has been the validation of an unlikely path. He joined the U.S. Army out of high school and his 10-year service included deployment in operations Desert Shield and Desert Storm. In 1996 he enrolled at California State University, Sacramento to study computer engineering. He graduated two years later and went to work for Medi-Cal, the state of California’s Title XIX Medicaid Insurance program. Information security came onto his radar gradually over the years. “I call myself the accidental security guy.”
When Providence called, he foresaw challenges in health care information security that have come to fruition and still animate his work.
“I knew that the explosive growth in the storing of patient information, and needing to do it as effectively and efficiently as possible without expanding costs, would make for a dramatic and innovative field to be in,” he says.
– Ryan Goldberg
Occupation: teaching at University of Maryland and a teaching assistant in New York
College: B.S. in computer science at The University of Richmond; M.S. in computer science from William and Mary; completed a doctorate in mathematics education at Rutgers, and pursuing a M.S. in technology management specializing in cybersecurity at NYU
Recent accomplishments: worked on numerous research projects (some sponsored by NSF) in networking, compilers, grid computing, security and education; numerous papers for academic journals and the IEEE; president of the New York/New Jersey Chapter of Graduate Women in Science (GWIS)
Suzanna Schmeelk is a woman on the frontlines of computer science, attempting to tear down the remnants of an old system that, she says, hasn’t been updated to meet the needs of today’s new computing environment. Her criticism is that students nowadays are not being taught to think independently.
“Divergent thinking is being lost,” she says. “The ability to assert innovative, conceptual ideas is stifled in favor of procedural exercises.” As an example, she points to the evolution in attack vectors where an engineer has to think about what the next criminal entryway might be. The future of protecting online commerce depends on encouraging this type of open questioning, she says.
For Schmeelk, thinking conceptually began early. Her grandfather and father were both math professors. Her dad, she says, was a “liberal” math person who encouraged her efforts “within ethical boundaries.” Her mom provided vision. “She said everything is going to be computers some day,” Schmeelk recalls.
While Schmeelk believes computer science, as it is currently taught, is too narrowly focused, there are shining lights who manage to think outside the box. She points to Apple’s recently deceased co-founder Steve Jobs, and Joseph Nadan, a professor of management of technology and business innovation at Polytechnic Institute of New York University (NYU-Poly), a research institution affiliated with NYU, where she is currently teaching. What she admires about them is their ability to see the big picture by combining engineering acumen with business needs. It’s a matter of being goal-oriented and being able to envision an end result. “It’s more about the value, not the process,” she says.
At NYU, Schmeelk is working as a cybersecurity consultant on a number of start-up projects, including collaborating with a number of hospitals and gaming companies. She serves as a resource as these incubating projects attempt to build websites, focused on applications-related challenges, such as how best to protect health care data and online privacy.
“I am more geared to management and understanding the computer science aspect of online efforts,” she says.
This involves more studying of human nature. “A lot of this needs to be analyzed from a perspective of motivation: Why is this person doing this?” she asks, referencing hackers and cyberbullying.
“Suzanna is someone who makes a difference,” says Marjory Palius, associate director of The Robert B. Davis Institute for Learning at the Rutgers Graduate School of Education in New Jersey, where she teaches mathematical reasoning courses.
“I think she does it by bringing outstanding personal qualities to bear upon her work,” Palius says. “Suzanna is bright, worldly, compassionate and highly creative. She is an innovative thinker who eagerly explores novel situations and applies focus, imagination and perseverance to solve problems and develop new techniques.
Schmeelk was writing her doctoral dissertation at Rutgers as Palius and her colleagues were launching the Video Mosaic Collaborative, a portal to enable teachers and researchers to analyze and use classroom videos in math education. Schmeelk’s dissertation was the first to incorporate multimedia, inserting video stills in support of her findings of children’s mathematical learning as they built understanding of rational numbers as fourth graders, says Palius.
“The videos she analyzed for her research were among the earliest video clips for which we prepared metadata, with the help of Suzanna, in order to catalog and make them freely accessible to educators worldwide to support math learning, teaching and research,” Rutgers’ Palius says.
Schmeelk brings these qualities as well to her efforts as president of the New York/New Jersey Chapter of Graduate Women in Science (GWIS), where she trains women in computer-related areas, serving, she says, as a broker of information to the community. But, it’s not just a matter of transmitting data and details. While she’s reluctant to discuss gender issues, she does admit that being that she was often the only female in her computer science classes, she enjoys her new role encouraging women in the sciences. “There’s a choice a teacher makes,” she says, “to either encourage or discourage.”
Before her present activities, she interned at The Team for Research in Ubiquitous Secure Technology (TRUST). She has high praise for the consortium of academic and industry partners funded by the National Science Foundation to address issues affecting security, privacy and data protection.
“They’re not average people,” Schmeelk says. “Working there, you realize these are people who are making the impossible possible.” A similar consortium is now being formed within NYU, she says.
She is also a prolific writer of research papers, which often focus on how one can manage a project by developing a prioritization schema. Here too she envisions how a project can build to an end result. Schmeelk presented papers on prototype tools for testing open source coding at security conferences for Yahoo! and eBay.
“I like thinking about a lot of different problems,” she says. – Greg Masters
Occupation: chief information security officer, U.S. Department of State
Personal: Wife, three children
College: Maxwell School of Public Affairs, Syracuse University, M.P.A; St. Olaf College, B.A.
Recent accomplishments: Reduced measured risk on PCs and servers by a factor of 20; his tools guided critical patch coverage to the 84-percent level in seven days and 93-percent in 30 days at State; gives away software and speaks widely to promote continuous monitoring across the economy; served in 17 federal civilian roles across military, civilian and foreign affairs organizations
John Streufert doesn’t like three-ring binders. Not because they remind him of a cold-hearted teacher, but because of what their presence has come to symbolize in the government security world.
As chief information security officer of the U.S. Department of State since the summer of 2006, Streufert has seen more notebooks filled with compliance paperwork than he cares to remember. Indeed, between Federal Information Security Management Act (FISMA) mandates and the Office of Management and Budget-required risk studies, the printers at the Harry S. Truman Building in Washington, D.C. have worked overtime.
But not long after joining State, Streufert realized that while the agency was dutifully feeding the compliance beast, the process was doing almost nothing to improve security and mitigate risk. In fact, it was quite the opposite. The number of exploits impacting State meteorically rose from 2008 to 2010, from 2,104 to nearly 8,000. And when it came to FISMA report-card time, State often received failing grades for its ability to protect sensitive data.
“The network was changing faster than you could print out the results,” he says. “The three-ring binders don’t really help you that much if your exploits are quadrupling. We had to do something else because it wasn’t working. Was the government getting any value doing these three-ring binder reports?”
Streufert and three others decided an overhaul was the answer. Instead of relying on snapshot-in-time images of its compliance, the agency would be better served by continuous network monitoring of the Microsoft computers and servers at its 400 embassies, consulates and offices spread across the globe. Not only would security improve, but the agency would get a better bang for its buck. (Consider: The agency has spent between $30,000 and $2.5 million on each individual compliance report since 2004.)
In making this decision, Streufert drew on evidence: 80 percent of exploits rely on known vulnerabilities and configuration management settings. So in 2008, he and his team stood up a new program, known as iPost, which borrows a page from the financial markets to “monetize highly disparate risks into a common currency.” Dashboards, much like one might find on a trading floor, detail the “hottest risks” as if they were shares of Apple or Google.
“The relative risk becomes variables which we increase or decrease based on vulnerability, threat or impact that is posed to the organization from a particular problem,” he says.
In layman’s terms, that means affixing a risk score to each vulnerability and patching the most pressing issues first. That runs counter, Streufert says, to how most commercially available vulnerability management products handle the problem.
“Most people treat every risk like it’s $1,” he says.
Since the model was implemented, the results have been nothing short of stunning. Streufert says State found that by automating the process, it was able to reduce its risk by a factor of 10 within the first 11 months and by a factor of 20 within two years.
“There’s almost nobody on earth that can patch as quickly as the State Department,” he says. “And it’s due to the monetization of relative risk for critical problems, which allows unparalled speed and patching of known vulnerabilities.”
James Lewis, a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies, has been closely following the State Department’s progress. Lewis is a big believer that more agencies – and the private sector – should get away from a compliance focus, though he admits there is much resistance to this because organizations have become far too complacent in checking off boxes as a means of verifying security.
“[State’s model] moves from the shot-in-the-dark [mentality] we had for years to something more quantifiable,” Lewis says. “And John was sort of a path-breaker in doing this. Since then, they’ve been able to close down the number of opponent successes and have been able to upgrade response time.”
That is especially important for the nation’s lead foreign affairs agency. “They had a huge number of penetrations,” Lewis says. “A former State official said in 2007 they lost three or four terabytes of information. That’s a huge outflow not that long ago, and that’s what drove them.”
With the program now comfortably in place, Streufert has spent much of 2011 investigating how he can extend its essence to other areas of network weaknesses, notably applications, routers and switches. And when he’s not focused on State, Streufert serves as an industry advocate for the agency’s model. He often spends hours before and after work, fielding phone calls and emails from hundreds of private sector security professionals interested in adopting a similar initiative.
Streufert tells them: “If we’re going to step up to the plate and fix our security challenges, this is a set of techniques that are not disruptive to the organizational structure and, dollar for dollar, you’re going to get a higher return than a lot of investments in this space.”
And while iPost was home grown at the State Department, Streufert is not keeping anything secret.
“It seems like valuable information to share,” he says. “It seems easier to adopt continuous monitoring than to persuade people to stop doing the three-ring binder studies. My belief is that the merit and efficiency of doing it this way will [become] more widely understood and adopted.” – Dan Kaplan
Peiter “Mudge” Zatko
Occupation: Program manager at the Defense Advanced Research Projects Agency (DARPA)
College: The Berklee College of Music
Recent accomplishments: Founding member of hacker think-tank, L0pht, pioneer of buffer overflow vulnerability research, leader in the “full disclosure” movement, author of numerous security tools, developor of DARPA’s Cyber Fast Track program, referenced in the board game Trivial Pursuit.
Ask Peiter “Mudge” Zatko when he first realized that he wanted to turn hacking into a career and he’ll tell you he didn’t really have a choice in the matter. His passion for computers and technology was, after all, fostered all the way back to when he was a baby. Back then, he had a mobile hanging over his crib, not made of stars or animals, but constructed by his father out of circuit boards.
“He wanted me not to be afraid of technology,” Zatko says.
And afraid he was not. As a young child, tinkering with computers and helping his father write operating systems became a game. In fact, he first started hacking at the ripe old age of 5.
He’s quick to point out, though, that when he uses the word hacking he’s referring to the act of getting a system or device to do something it wasn’t intended to do. Using an Apple II computer, which first appeared in 1977, Zatko and his father would reverse-engineer floppy disks to understand the copy protection schemes used to prevent software from being pirated.
Years later, during his time at Berklee College of Music, Zatko turned to his father for advice because, like many young adults, he didn’t know what he wanted to do with his life.
“He said, ‘Don’t worry, the field you’re going to go into just doesn’t exist yet.’” He was right, Zatko remembers.
Now, at 40 years old, Zatko can truly say he had a hand in helping to create the now-thriving IT security field.
Around 1992, he came together with a group of like-minded individuals, who were “curious and enthralled with the notion of security,” to form the hacker think-tank L0pht (pronounced loft). At the time, there were very few resources available to those wanting to learn about the burgeoning field, he says.
L0pht members set out with the goal to document their research and build up a body of knowledge about the subject so that others wouldn’t have to replicate their work. Doing so was controversial, however, since their research often exposed flaws in products and systems.
But it was also extremely important. During his time at L0pht, Zatko conducted and documented early research about buffer overflows, a now well-known coding vulnerability that is still prevalent.
“It’s been rewarding for me to see, in graduate classes, ideas I pioneered are part of the curriculum now,” he says.
Looking back at his career so far, Zatko says he’s often had to dispel the belief that products are secure just because a company’s marketing department says so.
“He’s a bit of a contrarian, he doesn’t accept conventional wisdom,” says Richard Clarke, former cybersecurity czar for President George W. Bush. “You’re almost guaranteed to get a different perspective [from Zatko] than you would from anyone else.”
Since he was in his early 20s, Zatko has been Clarke’s unofficial adviser on cybersecurity issues.
“When I was at the White House, every time there was a major cybersecurity incident, I would call him,” Clarke says of Zatko. “I always learned more from him than I did from anyone else.”
After being asked several times over the past few years, and turning down the offer every time, Zatko last February accepted the role of program manager at the Defense Advanced Research Projects Agency (DARPA), the U.S. Defense Department’s central research and development (R&D) organization.
In this post, Zatko has led the development of Cyber Fast Track, a new initiative to fund small hacker groups and independent researchers in the development of cutting-edge solutions that can be created in short intervals for a low cost. Historically, federal security funding has been awarded to large contractors that often have whole teams dedicated to crafting proposals. In the past, it was next to impossible for a small group of researchers to receive such funding due to the time and cost of the application process alone.
Cyber Fast Track will allow talented researchers to compete for government funding and bring DARPA’s cybersecurity R&D efforts up to speed with the rapidly evolving cyber landscape, he says. The goal of the undertaking is to fund between 20 to 100 cyber R&D programs each year, or the same amount of time it would normally take to run just one.
“All too often in the past, by the time the project was finished nobody cared about it anymore because the technology had moved on,” Clarke says.
Launched in August, the initiative has already garnered interest outside of DARPA, Zatko says. The U.S. military is considering adopting such an approach for its own R&D contracting processes.
Looking into the future, Zatko says he’ll continue working for as long as necessary to educate people about computer security.
“Security is about trying to solve and fix problems,” he says. “The definition of success is to put myself out of a job, which is what I’ve always said and always have been striving to do.” – Angela Moscaritolo
Book of Lists
Top 3 weirdest news items
Taste of one’s own medicine: A hacker in October who received a scam email had the last laugh when he took control of the phishing page and turned it into a public service announcement around phishing awareness.
Happy ending: Ivan Kaspersky, who was kidnapped for a ransom of $4.3 million, was rescued following a police operation. He is the son of IT security mogul and Kaspersky Lab founder Eugene, one of the wealthiest businessmen in Russia.
Mean streets: The YouTube channel for Sesame Street was briefly hijacked by hackers who swapped out educational videos with X-rated pornography. Not long after, Microsoft’s YouTube channel was also compromised, but not to display erotic video.
Top 3 breaches of 2011 (by impact)
On Sept. 20, the Dutch-based certificate authority (CA) was “declared bankrupt” after it emerged that the company issued hundreds of counterfeit SSL credentials after hackers breached its systems. At least one phony certificate, for Google.com, appeared in the wild, presumably so Iranian users could be spied on the government. Authentication solutions provider Vasco, the parent of DigiNotar, expects the bankruptcy to cost it between $3.3 and $4.8 million.
In March, another CA revealed that hackers gained access to its system and fabricated nine certs for some top-tier sites. Experts believe the Iranian government carried out the Comodo, and more recent DigiNotar, attacks to spy on private communications.
In March, the security company revealed that sophisticated hackers launched a spear-phishing attack that exploited an Adobe Flash zero-day vulnerability to successfully infiltrate its systems and steal information related to its SecurID products. Such products include hardware token authenticators, software authenticators, authentication agents and appliances. Millions of customers worldwide use SecurID to protect access to sensitive assets, such as web servers, email clients and VPNs. Subsequently, hackers leveraged stolen information about SecurID in an attack on U.S. defense contractor Lockheed Martin. RSA President Art Coviello issued a warning for customers to be more vigilant and issued a list of recommended actions.
Top 8 legal actions
1 In what was termed the largest identity theft takedown in U.S. history, 111 individuals were charged for their involvement in a New York-based organized crime operation responsible for more than $13 million in losses.
2 Six men believed to be behind a massive click-fraud scheme, all of whom are Estonian nationals, were arrested last month following a two-year, international police investigation, dubbed Operation Ghost Click. The racket led to the infection of more than four million computers in 100 countries with malware.
3 Running an online business that sold counterfeit credit cards embedded with stolen account information led to a 14-year prison sentence for Tony Perez III, 21, of Indiana.
4 The U.S. point person for one of the largest phishing rings ever to be brought down, Kenneth Lucas II, 27, of Los Angeles, was sentenced to 11 years in prison for his part in stealing more than $1 million from victims.
5 Scammer Tien Truong Nguyen, 34, of Long Beach, Calif., was sentenced nearly 13 years in prison for orchestrating a phishing operation that duped at least 38,500 people.
6 Using stolen credit card numbers to conduct fraudulent transactions totaling more than $36 million resulted in a 10-year prison sentence for Rogelio Hackett Jr., 25, of Lithonia, Ga.
7 Former IT employee Jason Cornish, 37, of Smyrna, Ga., faces 10 years in prison for crippling his ex-employer’s network and causing hundreds of thousands of dollars in damages.
8 A nine-year sentence was handed down to former Dallas hospital guard Jesse William McGraw, 26, after he broke into hospital computers, planted malicious software, and planned a DDoS attack.
Top 3 hacktivist attacks
The victim: HBGary Federal (now defunct)
The motive: CEO Aaron Barr threatened to out members of Anonymous.
The hack: The Anonymous group published tens of thousands of emails, including a plan to smear whistleblower site WikiLeaks and its supporters, apparently at the behest of the U.S. Chamber of Commerce and Bank of America.
The victim: Sony Pictures
The motive: The company has pursued legal action against alleged copyrighters.
The result: The now-disbanded LulzSec group exploited a SQL injection vulnerability to gain access to internal Sony networks and websites. The hack yielded the passwords, email addresses, home addresses, birth dates and other account information belonging to more than one million users.
The victim: PBS
The motive: LulzSec sought revenge against the network for airing what they considered an unfair documentary about WikiLeaks.
The hack: The intruders compromised the website of PBS NewsHour to post a fake story that rapper Tupac Shakur was still alive. In addition, they published the usernames and passwords to staff at the public TV station, as well as those working at other networks affiliated with PBS.
Top 5 threats
Duqu: An information-stealing trojan that shares much of its code with the notorious Stuxnet worm, and has impacted roughly five Europe-based manufacturers of industrial control systems.
Zeus: The insidious banking trojan, which continues to be used to siphon millions of dollars from U.S. bank accounts, became even more prolific this year when its source code was leaked on at least two underground forums.
DroidDream: The malware, which is capable of harvesting data, was discovered this year in more than 50 apps offered in Google’s official Android Market, and illustrates that cybercriminals are focusing more of their efforts on mobile platforms.
Operation Shady RAT: A five-year-long advanced persistent threat and cyberespionage offensive that plundered intellectual property from some 72 organizations across 14 nations, including the U.S. government.
Mac OS X scareware: While still much-less prevalent than those seen in the Windows world, rogue anti-virus malware scams targeting the Mac platform grew increasingly nefarious this year, leading to a significant uptick in infections.
Top 5 research revelations
BIOS fuel Researchers discovered the first in-the-wild rootkit that targets BIOS, the built-in software responsible for booting up a computer. The discovery of Mebromi, the root kit, should not induce panic, though, as the complexity of a successful attack on the motherboard is high.
CA, MIA Moxie Marlinspike released Convergence, an add-on for Firefox, which essentially inverts the existing (and much maligned) certificate authority (CA) system, giving more power to users. They take their pick of so-called “trust notaries,” which authorize their web communications by default.
Pumped up Jay Radcliffe demonstrated at Black Hat how he is able to send commands to and wirelessly disable the insulin pump he has been wearing since he was 22, when he was diagnosed with the autoimmune disease after dealing with extreme weight loss and an unquenchable thirst.
In control In an effort to prove that SCADA hacks don’t require deep pockets, Dillon Beresford took the stage at Black Hat to describe how to infiltrate Siemens industrial control systems. He uncovered replay attack bugs in programmable logic controllers, or PLCs.
Baby ginger Xuxian Jiang, assistant professor at North Carolina State University in Raleigh, found the first malware that uses a root exploit, known as GingerMaster, against Android version 2. The discovery is a sign that cybercriminals are keeping pace with the evolution of mobile devices.
4 ways to prevent breaches
Companies spend a lot of time and money to protect their data from hackers, thieves, and other malfeasants—and for good reason. But when it comes to the causes of data breaches, don’t forget human goof-ups. The irony about these true stories is that organizations try to do the right thing and they still experience data breaches.
Garage sale bargains: Patient data files. Garage sales are great places for a deal. You might discover a treasure, as did one customer who purchased a filing cabinet chock-full of personal data, including Social Security numbers and home addresses. Thankfully, this bargain shopper left the contents safely with the owner to destroy.
Leaving personally identifiable information (PII) in a car. One organization held an annual drill to assess its preparedness in the face of a data breach. Instead of using “test” data, an employee transported actual data tapes offsite that contained client accounts payable information and left them overnight in his car. A thief got details on every payout ever made to people who had sued the company.
Lost keychain with a flash drive. Flash drives are great portable devices, but they don’t belong on key rings. The data on that drive is probably more valuable than your Honda.
Private patient records spill from a shredding truck. A shredding truck containing an organization’s patients’ records overturned while driving on a street. Paper records spilled out and flew all over town. – Christine Arevalo, director of healthcare identity management, ID Experts