NSA Director and Chief of Cyber Command General Alexander: Anonymous + Power Grid == Bad
As if the drumbeat among tech companies in support of the Cybersecurity Act of 2012 wasn’t stratospherically hyped enough, the Wall Street Journal reports that General Keith Alexander, Director of the National Security Agency and Chief of Cyber Command, has indicated in non-public White House briefings that Anonymous, “could have the ability within the next year or two to bring about a limited power outage through a cyberattack.” (For those without WSJ subscriptions, see USA Today.) Histrionics? Maybe. Then again, Uncle Sam hasn’t come out and said that the report was inaccurate, and that’s more worrisome given that DHS has been very keen on managing the press to downplay rumors as observed with the SCADA scare for a water supply control system in Illinois. Thankfully, Shift is providing solutions to deal with the largest problem areas in cybersecurity for the electric sector, but we understand that in the world of Advanced Persistent Threats, DDoS attacks, CAC credential cyber thefts, and motivated rogue states, e.g. Iran, North Korea, Syria, … the target on the back of American critical infrastructure just gets bigger by the day as the attack surface grows exponentially.
Don’t Strip OCSP and CRL Verification – Just Fix It!
I have to wonder what the real logic is behind removing live OCSP and CRL verification from the browser, as Google has announced it plans to do with Chrome. While the “fail open” mode endemic to most browsers is also insecure, particularly if an OCSP server has been subjected to a DDoS-style attack, wouldn’t it be wiser to fix the browser under your control to “fail closed” and to set up an OCSP status network, as Ivan Ristic at Qualys has suggested? Perhaps Google loses money when its page loads are slowed by real-time OCSP verification of its HTTPS connections; that wouldn’t be surprising in view of its ad campaigns to convince us how “fast” Chrome is. (See Google Core Principle #3.) If a company is willing to sacrifice useful security tools tested for years by millions of users, like CRL and OCSP validation, all in the name of page load speed, it tells me that company doesn’t place a genuinely high priority on the online safety of its users, particularly when the cost really only amounts to a fraction of a second on modern networks. More paranoid minds would like to know: what else do you get when you drop the only mechanism for validating certificate status?
Shift Identified as the First NAESB ACA
From the press release:
16 February 2012 – Shift Systems, LLC of Reno, NV is the first Authorized Certification Authority (ACA) to be credentialed under the North American Energy Standards Board (NAESB) Certification Program, and provides entity and subscriber digital certificates for use in the Electric Industry Registry (EIR) application. Rae McQuade, President and Executive Director of NAESB, has congratulated Shift on its identification as the first ACA: “Shift is the first Authorized Certificate Authority to be identified in the NAESB Certification Program. Thank you for taking the time to support the market security of the NAESB WEQ Membership by stepping forward to act as the Authorized Certification Authority.” Starting in early April, the North American Energy Standards Board (NAESB) will begin the process of transitioning the Transmission System Information Networks (TSIN) registry previously operated by the North American Electric Reliability Corporation (NERC) to a new EIR to be operated under license granted by NAESB to Open Access Technology Inc. (OATI) as the EIR Administrator. Previous registrants in the TSIN will need to re-register in the new EIR. As part of this transition, all EIR users are required to enroll for and be issued digital certificates provided by ACAs on the NAESB list of approved ACAs.
Read more in the full press release.
Moving from Cyber Espionage to Economic Interference
A rumor is now circulating that China is leveraging its cyber-espionage efforts to affect major commercial transactions. The trick: target the law firms supporting major M&A deals so as to disadvantage the party less favorable to the hacker.
I wonder what the reasonable care standard says about liability here.
Largest Private Brazilian Bank Targeted by Hackers
A hacker group calling itself Anonymous Brazil has targeted Itau Unibanco Multiplo SA, Brazil’s largest private bank, and Banco Bradesco SA, Brazil’s second largest private bank, in a series of denial of service (DoS) attacks.
The attack has led the Brazilian Federation of Banks to promote passage of new statutes focused on criminalizing fraud and electronic attacks.
These styles of attack inflict brand damage and reputation risk, and may cause economic losses for customers and partners as transactions are interrupted while the DoS event is ongoing.
Cybersecurity – a $46B Market
It appears that the Ponemon Institute has pegged the market size at $46B, up from $5B. It’s clear that with this “tornado” market transition, critical infrastructure will become a new area into which defense contractors move aggressively, as traditional DoD spend migrates to address the emerging threats from cyber activities.
