<?xml version="1.0" encoding="UTF-8" ?>
<rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
        <channel>
        <title>cybersecurity - ReadWrite</title>
        <link>http://readwrite.com</link>
        <description />
        <language>en</language>
        <copyright>Copyright 2012 SAY Media, Inc.</copyright>
        <managingEditor>readwriteweb@gmail.com</managingEditor>
        <docs>http://blogs.law.harvard.edu/tech/rss</docs> 
        <lastBuildDate>Mon, 20 May 2013 08:48:00 -0700</lastBuildDate>
        <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://rww.superfeedr.com/" />

                    <item>
                <title><![CDATA[Chinese Army Cyberunit Apparently Attacking U.S. Targets Again]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_china-1.jpg" />
                                        <p>Getting called out by the Obama administration wasn't enough of a deterrent for Unit 61398, the cyberattack unit of the People's Liberation Army of China, because apparently they're at it again, working to pilfer information from private company and public government data stores.</p>
<p><em>The New York Times</em> is <a title="http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html" href="http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-targets.html">reporting that Unit 61398 has resumed operations</a> and is actively engaged in hacking into any U.S. systems that might hold information considered to be of use for the People's Republic of China.</p>
<p>Security firm <a title="https://www.mandiant.com" href="https://www.mandiant.com">Mandiant</a> told the <em>Times</em> "that the Chinese hackers had stopped their attacks after they were exposed in February and removed their spying tools from the organizations they had infiltrated. But over the past two months, they have gradually begun attacking the same victims from new servers and have reinserted many of the tools that enable them to seek out data without detection.</p>
<p>"They are now operating at 60 percent to 70 percent of the level they were working at before, according to a study by Mandiant requested by <em>The New York Times</em>," the article reported.</p>
<p>If accurate, then it's clear that the U.S. is going to have to step up its game when it comes to cybersecurity, particularly organizations that have data related to trade secrets or, more disturbingly, infrastructure plans - both targets of Chinese hackers.</p>
<p>Even if this isn't the PLA, someone is hacking these systems, and it's time to stop treating cybersecurity like a game.</p>
<em>Image courtesy of&nbsp;<span style="color: #0074bd;">Shutterstock</span>.</em>
                    ]]></description>
                <link>http://readwrite.com/2013/05/20/chinese-army-cyberunit-apparently-attacking-us-targets-again</link>
                <guid>http://readwrite.com/2013/05/20/chinese-army-cyberunit-apparently-attacking-us-targets-again</guid>
                <category>cybersecurity</category>
                <pubDate>Mon, 20 May 2013 08:48:00 -0700</pubDate>
                <author>Brian Proffitt</author>
            </item>
                    <item>
                <title><![CDATA[Beware: We May Be Entering The Age Of Cybersabotage]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/Hacking.jpg" />
                                        <p>Low-level cyberscuffles between nations may be about to escalate into more serious conflicts. U.S. government officials are reporting a new wave of attacks aimed at sabotage within the U.S., apparently originating from somewhere in the Middle East.</p>
<p>The New York Times <a href="http://www.nytimes.com/2013/05/13/us/cyberattacks-on-rise-against-us-corporations.html?pagewanted=1&amp;_r=0&amp;ref=technology" target="_self">reported over the weekend</a> that saboteurs are using probes to look for ways to seize control of processing plants of mostly U.S. "energy companies" — presumably oil and gas producers. Senior officials with the Obama administration said the attacks are aimed at the administrative systems of 10 major American energy companies, which the sources have refused to name.</p>
<h2>Tension, Apprehension And Dissension</h2>
<p>To be sure, so far no one seems to have independently corroborated these alleged attacks. As such, there's no good way to know whether they are as potentially serious as these unnamed government officials — and, of course, the NYT — would have us believe.</p>
<p>If the warnings are sound, though, cyberwar escalation still wouldn't be a huge surprise. Security experts and government officials have long predicted that hackers bent on wreaking havoc will eventually become as commonplace as those looking to steal government and corporate secrets.</p>
<p>In February, then-Secretary of Defense <a href="http://freebeacon.com/panetta-delivers-sharp-warning-about-cyber-attacks/" target="_self">Leon Panetta warned</a> that the technology used in cyberattacks is able to "cripple a country, to take down our power grid system, to take down our government systems, take down our financial systems, and literally paralyze the country. That is a reality."</p>
<p>The U.S. and Israel provided the motivation for their enemies to pick up the pace <a href="http://readwrite.com/2010/11/16/new_research_stuxnet_designed_to_sabotage_irans_nu#feed=/search?keyword=stuxnet" target="_self">with their cyberattack</a> on Iran's nuclear facilities several years ago.&nbsp;The two allies used the Stuxnet worm to damage centrifuges used in making high-grade uranium that could be used for nuclear weapons, according to the NYT. Experts believe Iran retaliated last year with the <a style="line-height: 1.538em;" href="http://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html" target="_self">attack on Saudi Aramco,</a> one of the world's largest oil producers.</p>
<p>A virus unleashed on Aramco administrative offices wiped out data on thousands of computers, replacing the deleted files with a burning American flag. The hackers targeted Aramco's production facilities, government officials said. The mission reportedly failed because Aramco's administrative offices were on a network separate from that used for industrial control systems. Using separate networks in this way is a best practice recommended by security experts.</p>
<p>The Aramco attack was soon followed by a similar one <a href="http://www.bbc.co.uk/news/technology-19434920" target="_self">launched against</a> Qatari energy company RasGas, which also claimed the attack was stymied because its compromised office network wasn't connected to production systems. Israeli officials said Iran's "cybercorps" was behind the assault. Iran organized the group after the Stuxnet attack.</p>
<h2>Tit For Tat</h2>
<p>These tit-for-tat attacks could be morphing into a new phase of cyberwar where the consequences are much greater than the damage caused by pilfering a company's trade secrets. Any attack that could destroy critical infrastructure — from oil production and the electric grid to manufacturing facilities and water treatment plants — has the potential to affect the lives of hundreds of thousands of people.</p>
<p>Experts have warned for years that industrial control systems that run these facilities are <a href="http://www.csoonline.com/article/680229/critical-infrastructure-unprepared-for-cyberattacks" target="_self">filled with vulnerabilities</a> that could be easily exploited. Fortunately, hackers haven't yet been able to infiltrate the networks these systems are on.</p>
<p>To shore up the nation's critical infrastructure, President Barack Obama <a href="http://www.csoonline.com/article/728823/congress-needed-to-put-teeth-in-obama-s-cybersecurity-order" target="_self">issued this year</a> an executive order requiring government agencies to share cyberattack information with private industry. Industry, however, is under no orders to share information with the government, and changing that will require action by Congress, which is struggling with the privacy implications of requiring companies to share data with government agencies.</p>
                    ]]></description>
                <link>http://readwrite.com/2013/05/13/beware-we-may-be-entering-the-age-of-cybersabotage</link>
                <guid>http://readwrite.com/2013/05/13/beware-we-may-be-entering-the-age-of-cybersabotage</guid>
                <category>cyberattacks</category>
                <pubDate>Mon, 13 May 2013 13:35:07 -0700</pubDate>
                <author>Antone Gonsalves</author>
            </item>
                    <item>
                <title><![CDATA[CISPA, The Privacy-Threatening Cyberspying Bill, Is Dead In The Senate]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/CyberSecurityShutter.jpg" />
                                        <p>CISPA, the controversial <a href="http://readwrite.com/2013/04/18/cispa-passes-house-but-privacy-concerns-may-still-sink-it" target="_blank">cybersecurity bill passed by the House</a> last week, <a href="http://www.usnews.com/news/articles/2013/04/25/aclu-cispa-is-dead-for-now" target="_blank">appears to be dead in the Senate</a>. It's deja vu all over again for the measure, which&nbsp;would authorize private companies to share your email, texts and other personal information with federal agencies without a warrant or other privacy protections. Last year, CISPA also cleared the House but foundered in the Senate.</p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/26/privacy-plagued-cybersecurity-bill-cispa-is-dead-in-the-senate</link>
                <guid>http://readwrite.com/2013/04/26/privacy-plagued-cybersecurity-bill-cispa-is-dead-in-the-senate</guid>
                <category>now</category>
                <pubDate>Fri, 26 Apr 2013 17:17:00 -0700</pubDate>
                <author>ReadWrite Editors</author>
            </item>
                    <item>
                <title><![CDATA[CISPA Passes House, But Privacy Concerns May Still Sink It]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/wh_0.jpg" />
                                        <p>The House of&nbsp;Representatives&nbsp;has once again passed <a href="http://en.wikipedia.org/wiki/CISPA" target="_blank">CISPA</a>, the cybersecurity bill that&nbsp;lets companies and the federal government monitor and share your online communication without a warrant. But its fate in the Democrat-controlled Senate is much less clear, particularly now that President Obama has threatened a veto.</p>
<p>House lawmakers <a href="http://clerk.house.gov/evs/2013/roll117.xml" target="_blank">voted 288-to-127 in favor of the bill</a>, while 18 abstained. Alarms are now rippling through the civil liberty advocate and Internet activism communities, especially since the bill <a style="line-height: 1.538em;" href="http://readwrite.com/2012/04/26/congresses-passes-cispa" target="_blank">garnered more supporters than it did last year</a>.</p>
<p>The bill was <a href="http://www.usnews.com/news/articles/2013/04/18/cispa-passes-house-obama-threatens-veto" target="_blank">approved last week</a> without four privacy amendments that would have limited the ability of the NSA to collect personal data from private-sector companies like ISPs, email providers and social-media outfits. The failure of these amendments in committee led <a href="http://news.cnet.com/8301-13578_3-57579905-38/obama-threatens-veto-of-cispa-database-sharing-bill/" target="_blank">President Obama on Monday to&nbsp;publicly&nbsp;threaten a veto</a>:</p>
<blockquote>
<p>The Administration, however, remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities.</p>
</blockquote>
<p>Last year, opponents of the <a href="http://readwrite.com/2011/12/23/what_you_need_to_know_about_sopa_in_2012#feed=%2Fsearch&amp;_tid=hub-listing-article-stream&amp;_tact=click+%3A+A&amp;_tval=53&amp;_tlbl=Position%3A+53?keyword=sopa" target="_blank">overreaching SOPA copyright bill</a> included an unusually unified coalition of Internet companies. CISPA's critics haven't been so fortunate.&nbsp;AT&amp;T, Comcast, EMC, IBM, Intel, McAfee, Oracle, Time Warner Cable, and Verizon have all signed on as supporters. But tech giants <a href="http://thenextweb.com/insider/2013/03/14/facebook-joins-microsoft-in-dropping-support-for-cispa-the-controversial-cybersecurity-bill/?fromcat=all" target="_blank">Facebook and Microsoft have stepped back from their support</a>. Google has not taken a position.&nbsp;</p>
<p>The weight now falls to the Senate, which will have to consider ways to amend the bill in order to sidestep President Obama's veto threat. Last year, CISPA died in the Senate over similar privacy concerns under the shadow of a veto threat.</p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/18/cispa-passes-house-but-privacy-concerns-may-still-sink-it</link>
                <guid>http://readwrite.com/2013/04/18/cispa-passes-house-but-privacy-concerns-may-still-sink-it</guid>
                <category>CISPA</category>
                <pubDate>Thu, 18 Apr 2013 12:21:18 -0700</pubDate>
                <author>Nick Statt</author>
            </item>
                    <item>
                <title><![CDATA[Hitting Back At Hackers: Why "Strikeback" Is Doomed To Fail]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_120239824marines.jpg" />
                                        <p class="p1"><em>Guest author Corey Nachreiner, CISSP, is director of security strategy for WatchGuard Technologies.</em></p>
<p class="p1">Between agenda-pushing hacktivists, money-grubbing cyber criminals, and — more recently — belligerent nation states, there is no shortage of attackers breaking into networks, stealing trade secrets and generally wreaking havoc throughout IT infrastructure.</p>
<p class="p1">Even the U.S. government has noticed, with the latest National Intelligence Estimate (NIE) warning that the country is the target of a <a href="http://readwrite.com/2013/02/14/obama-orders-cybersecurity-bill-cispa-returns">major cyber espionage campaign from China</a>. In fact, network penetrations have become so commonplace that <a href="http://readwrite.com/2013/02/14/obama-orders-cybersecurity-bill-cispa-returns">President Obama recently signed a cyber-security executive order</a> in hopes of fortifying our defenses, and encouraging the government and critical private sector organizations to share intelligence.</p>
<p class="p2"><strong>(See also </strong><a href="http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing"><strong>World War III Is Already Here - And We're Losing.</strong></a><strong>)</strong></p>
<p class="p1">Considering this deluge of aggressive and costly security breaches, it’s no wonder that some people are getting frustrated enough to contemplate striking back directly against our attackers. While giving cyber criminals a taste of their own medicine certainly sounds appealing, most forms of so-called "Strikeback" have no place in private business.</p>
<h2 class="p3">What Is Strikeback?</h2>
<p class="p1">The idea of launching counterattacks against cyber criminals is not new. Security geeks at information security conferences have been discussing counter-hacking and proactive defense for years.</p>
<p class="p1">After all, many in the cyber security community are just as capable of breaching systems as the enemy (if not more so). In fact, the “black hats” often leverage tools and code created by “white hat” security professionals. Lately, though, this idea of striking back against attackers has shifted from lighthearted fantasy to potentially disturbing reality - some security companies have even begun offering strikeback solutions.</p>
<p class="p1">There are different ways companies have started approaching strikeback initiatives. They have loosely evolved into three general categories:</p>
<p class="p1"><strong>Legal Strikeback:</strong> This is the least offensive form of strikeback. It’s where organizations, in cooperation with the authorities, gather as much intelligence as possible about attackers — typically by following the money trail — and then use any legal maneuvering possible to try and prosecute attackers.</p>
<p class="p1"><strong>Passive Strikeback:</strong> This is essentially cyber entrapment. An organization installs a sacrificial system, baited with booby trapped files or Trojan-laced information an attacker might desire.</p>
<p class="p1"><strong>Active Strikeback:</strong> In this approach, an organization identifies an IP address from which the attack appears to be coming, and launches a direct counterattack.</p>
<h2 class="p3">What’s Wrong With Strikeback?</h2>
<p class="p1">Unfortunately, direct strikeback measures have huge inherent risks:</p>
<p class="p1"><strong>Targeting:</strong> The biggest problem with strikeback is that the Internet provides anonymity, making it very hard to know who’s really behind an attack. It's all too likely that strikebacks could impact innocent victims. For example, attackers have started to purposely plant false flags into their code, suggesting it came from another organization in order to sabotage <em>that</em> company.</p>
<p class="p1"><strong>Geography:</strong> Another key issue is that Internet crimes tend to pass through many geographies and legal jurisdictions. Domestic strikebacks invite potential legal problems, but cross-border actions have even wider ramifications.</p>
<p class="p1"><strong>Legal:</strong> Additionally, most strikeback activity is illegal. It is against the law for the average person to track down and punish a burglar who ransacked a house, and the same principles hold true for cybercrimes. If an organization uses a booby trapped document to install a Trojan on the attacker’s network, it is technically breaking the same type of computer fraud and abuse laws that the <em>attacker</em> broke to steal information in the first place.</p>
<p class="p1"><strong>Revenge:</strong> When it comes down to it, strikeback is simply revenge. If a network has already been breached, striking back against the attacker typically doesn’t recover stolen data or repair damage that has already been done. It's almost always better to pursue legal investigations and prosecutions through the proper channels.</p>
<p class="p1">Strikeback simply doesn’t belong in private business. It offers no real advantages to most organizations, and it carries serious risks that far outweigh the short-lived satisfaction of revenge. Instead, companies should focus their security strategies on well-implemented, carefully monitored, multi-layer defenses designed to keep cyber criminals from breaching their networks in the first place.</p>
<p class="p1">&nbsp;</p>
<p class="p1"><em>Image courtesy of <a href="http://readwrite.com/2013/04/05/striking-back-at-hackers-why-its-doomed-to-fail?_view=all" target="_blank">Shutterstock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/04/09/hitting-back-at-hackers-why-strikeback-is-doomed-to-fail</link>
                <guid>http://readwrite.com/2013/04/09/hitting-back-at-hackers-why-strikeback-is-doomed-to-fail</guid>
                <category>cybersecurity</category>
                <pubDate>Tue, 09 Apr 2013 04:04:00 -0700</pubDate>
                <author>Corey Nachreiner</author>
            </item>
                    <item>
                <title><![CDATA[Apple Users Face Major Security Threat, But Wouldn't Had Apple Acted Faster]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/apple%20hack%20top%20art.jpg" />
                                        <p>When it comes to user security at Apple, it's one step forward, two steps back.</p>
<p>Yesterday, the company belatedly announced long-needed&nbsp;<a href="http://readwrite.com/2013/03/21/apple-institutes-two-step-verification" target="_blank">two-step verification security for Apple IDs</a>, only two years after Google rolled out the protective measure for its users. Today comes word of a <a href="http://www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth" target="_blank">massive security flaw</a> that reportedly lets anyone reset your Apple account password if they know your email and your birthday.</p>
<p><strong>(See also: <a href="http://readwrite.com/2013/03/21/apple-institutes-two-step-verification" target="_blank">Apple Finally Gets Serious About User Security</a>)</strong></p>
<p>But here's the punch line: While two-step verification would protect Apple users from this exploit, the company has subjected all requests to activate the security measure to&nbsp;<em style="line-height: 1.538em;">a three day delay</em>. Even then, two-step verification is only available to users in&nbsp;<span style="line-height: 1.538em;" data-mce-mark="1">the U.S., the UK, Australia, Ireland, and New Zealand.</span></p>
<h2>How To Protect Yourself</h2>
<p>A step-by-step guide to exploiting this vulnerability is still available online, although we won't link to it here. Basically, it involves pasting in a modified URL on Apple's iForgot page when prompted to answer the date-of-birth security question to reset your password.</p>
<p>The surest way to protect yourself in the short term — i.e., without two-step verification — is to change your birthday, the Verge's Chris Welch writes. To its credit, Apple has already <a href="https://iforgot.apple.com/iForgot/iForgot.html" target="_blank">disabled its password reset page</a>, presumably to disrupt any attempts to hijack user accounts. With any luck it will have the flaw fixed as soon as possible, although the company has yet to make any public statements regarding the flaw.</p>
<p>This turn of events follows by just days an earlier Apple security faux pas. The company released iOS 6.1.3 for the sole purpose of fixing a lock-screen bypass that let users with a <a style="line-height: 1.538em;" href="http://readwrite.com/2013/02/14/why-the-ios-61-bug-is-no-reason-to-worry" target="_blank">knack for expert timing access an iPhone's contacts and photo library</a>. Yet later that day it became clear that the update&nbsp;contained yet&nbsp;another&nbsp;<a style="line-height: 1.538em;" href="http://www.zdnet.com/apple-ios-6-1-3-fix-contains-another-lock-screen-bypass-flaw-7000012912/" target="_blank">lock-screen bypass flaw</a>.</p>
<p>This password reset hack is considerably more destructive than the lockscreen problem, which essentially only allows a would-be hacker to peek at a stolen iPhone's contacts and photo library. Still, it's certainly been a bad week for Apple in the user-security department.</p>
<p>We've contacted Apple and will update if and when we hear back.</p>
<p><strong>Update:</strong> <a href="http://www.theverge.com/2013/3/22/4137068/apple-confirms-security-threat-working-on-fix" target="_blank">According to the Verge</a>, Apple acknowledges the vulnerability and says it's working on it:</p>
<blockquote>
<p>Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.</p>
</blockquote>
                    ]]></description>
                <link>http://readwrite.com/2013/03/22/apples-two-step-verification-gaping-security-flaw</link>
                <guid>http://readwrite.com/2013/03/22/apples-two-step-verification-gaping-security-flaw</guid>
                <category>Apple</category>
                <pubDate>Fri, 22 Mar 2013 14:41:00 -0700</pubDate>
                <author>Nick Statt</author>
            </item>
                    <item>
                <title><![CDATA[From Russia With Bots: Finding The Source Of Cyber Attacks]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/dthoneymap.png" />
                                        <p>While media and government sources continue to allude to China as the biggest source of cyber attacks hitting innocent servers on the Internet, recent evidence instead suggests it's actually the Russian Federation that's king of the cyber attack mountain.</p>
<p>The evidence comes from German telecommunications giant <a href="http://www.telekom.com/home" target="_blank">Deutsche Telekom</a> (DT), which has set up a new portal to monitor real-time cyber attacks against its network. According to the data on the <a title="http://www.sicherheitstacho.eu/" href="http://www.sicherheitstacho.eu/">sicherheitstacho.eu</a> (loosely translated as "security tachometer") site, Russia was responsible for 2.4 million attacks against DT last month.</p>
<p>The People's Republic of China, the current bugaboo of security mavens, ranked 12th on the same list, its 168,000 attacks coming in far behind nations like Germany, Ukraine and the United States. Curiously, it was Taiwan that held the number two slot, with 907,000 tracked cyber attacks, seemingly dispelling the notion that it's the Commies out to get Western corporate interests.</p>
<h2>Security Whack-a-Mole</h2>
<p>The monitored attacks are not actually hurting DT - at least, not directly. The incoming volleys are instead hitting a network of 97 sensored machines deliberately designed to be tempting targets on the Internet, a concept known as honeypots. According to DT, these honeypots are built to "feign weaknesses to provoke attacks and as such act as early warning systems."</p>
<p>"Our honeypot systems show that once attackers have identified weaknesses, they exploit them immediately," said Thomas Kremer, Board Member responsible for Data Privacy, Legal Affairs and Compliance in a statement to the press.</p>
<p>"If, for example, a provider announces an update for its operating system, attackers launch themselves at the old system to find the gap that the update is intended to close," Kremer said. "For this reason, customers should install updates immediately - this successfully prevents 90 percent of attacks. Apart from up-to-date virus protection, that is the most important security precaution for all IT users."</p>
<p>The honeypots are programmed to mimic a wide variety of Internet-facing systems, such as servers, desktops and even vulnerable smartphones.</p>
<h2>Hardening Against 24/7 Attacks</h2>
<p>The security tachometer site itself is definitely an eye-opener, even in DT's soothing trademark pink tones (DT is the parent company of U.S. carrier T-Mobile). According to the information provided by DT, most of the attacks are in the form of automated bots, which probe a potentially weak system for holes. If a human hacker wants to come back later and investigate further, they may, or the bot may simply call in other bots to further infiltrate the system.</p>
<p>Security experts won't find this map much of a surprise, since it's long been known that Russia remains a big source of cyber trouble - far more, in sheer numbers, than China.&nbsp;Of course, this map could be interpreted as contrarian evidence, too: perhaps the bot handlers in the other countries recognize the DT honeypots for what they are and have moved on to real targets. Or perhaps the targets presented simply aren't interesting.</p>
<p>Whatever the explanation, Deutsche Telekom's security tachometer makes it clear that the Internet is far from safe, and vulnerabilities on any platform - from any source - can be discovered at any moment.</p>
<p><em>Image courtesy of Deutsche Telekom.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/18/from-russia-with-bots-finding-the-source-of-cyber-attacks</link>
                <guid>http://readwrite.com/2013/03/18/from-russia-with-bots-finding-the-source-of-cyber-attacks</guid>
                <category>cybersecurity</category>
                <pubDate>Mon, 18 Mar 2013 06:15:00 -0700</pubDate>
                <author>Brian Proffitt</author>
            </item>
                    <item>
                <title><![CDATA[The Hackers Are Winning]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/flaming_hand.jpg" />
                                        <p>After almost two decades online, I have never been more paranoid about my security, identity and theft.</p>
<p>Since the start of 2013, the following has happened:</p>
<ul>
<li>My <a href="http://readwrite.com/2013/02/01/twitter-hack-javascript" target="_blank">Twitter password was compromised</a>.</li>
<li>So was the <a href="http://readwrite.com/2013/03/03/evernote-is-latest-hacking-victim" target="_blank">password on my Evernote account</a>.</li>
<li>My Yahoo email (which I hardly use anymore)<a href="http://thenextweb.com/insider/2013/01/07/yahoo-mail-users-hit-by-widespread-hacking-xss-exploit-seemingly-to-blame/" target="_blank"> was hacked and sent spam to everybody in my contacts</a>.</li>
<li>And, the kicker of them all, my debit card was compromised while I was traveling in Manhattan.</li>
</ul>
<p>That's just my personal journey for the first two and a half months of the year. I am not alone. Millions of Internet users have been affected by security breaches so far in 2013. Even the big companies of the Internet have seen breaches. <a href="http://www.cnn.com/2013/02/19/tech/web/apple-hacked" target="_blank">Apple</a>, <a href="http://readwrite.com/2013/02/18/burger-king-twitter-account-hacked-hilarity-ensues" target="_blank">Facebook</a> and <a href="http://readwrite.com/2013/02/22/microsofts-rotten-friday-hack-revealed-as-azure-halo-go-down" target="_blank">Microsoft</a> have all admitted to being penetrated in one form or another. High profile Twitter accounts have been hacked, like those of <a href="http://readwrite.com/2013/02/18/burger-king-twitter-account-hacked-hilarity-ensues" target="_blank">Burger King</a> and Jeep.</p>
<p>It's time to admit it.&nbsp;The hackers are winning.&nbsp;</p>
<h2>Are They, Really?</h2>
<p>Assaying blame for hacks is a difficult endeavor. On one hand, people say we need to rebuild the Internet to make it more secure by default. Their theory is that the Web is, by its very nature, a <a href="http://readwrite.com/2013/02/21/cyberwar-imperative-we-need-a-next-generation-internet" target="_blank">hodge-podge mix of vulnerable nodes and standards</a> that is <a href="http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing" target="_blank">aging and easy to exploit</a>. This is largely true. Hackers hoard <a href="http://en.wikipedia.org/wiki/Zero-day_exploit" target="_blank">zero-day vulnerabilities</a> like squirrels preparing for winter, and a motivated hacker can basically bust through anything.</p>
<p>On the other, many security experts argue that security starts with the individual. If you get hacked, you are basically at fault for violating basic security protocols -- for instance, by failing to change your passwords or by clicking on suspicious links.&nbsp;</p>
<p>“There’s no simple answer to this question,” Catalin Cosoi of antivirus company <a href="http://www.bitdefender.com/" target="_blank">BitDefender</a>&nbsp;wrote in an email to ReadWrite. He continued:</p>
<blockquote>
<p>Hackers, scammers and malware writers have two main advantages: they have access to a lot of money (either by sponsorship or classic fraud) and they don’t have to obey any software practice (their “software” doesn’t have to be properly tested, it can have bugs, doesn’t have to work on any operating system and it really doesn’t matter if it crashes a few machines). However, no one wants to complicate their lives more than needed or pay more than it actually makes, so if the hack gets very complicated, they will simply move to someone else.</p>
</blockquote>
<h2>Reactive Measures &amp; The Myth Of The Impenetrable Fortress</h2>
<p>Antivirus companies like Bitdefender are, by their own admission, highly reactive. They wait for a new virus to show itself on the Internet and then create a way to inoculate against it. This reactive approach has been going on for almost 20 years and it is increasingly becoming an untenable model.</p>
<p>“It works the same way human medicine responds to illness: once you identified the stream or the behavior, you can create vaccine for it,” Cosoi said. “But we can’t find a cure for an illness that doesn’t currently exist -- at least not without significant costs. What we can do, though, is find ways to boost the immune system to make it less prone to future infections. In the security industry, we call this raising the cost of the attack.”</p>
<p>Spammers and malicious hackers have the stereotype of being inherently lazy. Like any stereotype, this is both true and false.</p>
<p>When it comes to getting people’s money, most spammers prefer the path of least resistance. This leads to the quantity-over-quality approaches such as hacking Yahoo email accounts and spamming every contact from the user’s address book. The easy route is to just get one person on the hook and then spread the virus through them, multiplying the scale of the attack with each successful infection.</p>
<p>When Cosoi talks about “raising the cost of the attack,” he means that if it was harder to perform these types of attacks, they would slow to a trickle. The fact that they are so easy for spammers means they will continue.&nbsp;</p>
<p>On the other hand, it is nearly impossible to keep a motivated hacker from getting something he or she really wants. These types of black hats are fewer and farther between but are infinitely more dangerous than your average spam-net. They usually don't target average users. Instead, they target the enterprise behind the user, which can lead to widespread breaches that affect everybody.&nbsp;</p>
<p>As security researcher Graham Cluley at <a href="http://www.sophos.com/en-us/" target="_blank">Sophos</a> put it to me via email:</p>
<blockquote>
<p>Regular Joe User isn't being targeted, and doesn't have to follow any different rules than the ones they should have been following for some years now to deal with the approximately 100,000 new unique samples of malware we see each day.</p>
</blockquote>
<h2>Is It Your Fault?</h2>
<p>Some in the security industry think that breaches (both enterprise and individual) are inherently preventable. Just be smart and you’ll be fine, right?</p>
<p>“The sky is not falling,” said Cluley. “Burger King, Jeep and others who have had their Twitter accounts hacked have probably fallen victim because of human weakness. Chances are that they followed poor password practices, like using the same password in multiple places or choosing a password that was easy to crack.”</p>
<p>I can half believe that sentiment. It's very easy to imagine some intern manning the Burger King Twitter account might have a poor password or has been clicking on linkbait spam. That doesn't negate the fact that Twitter itself was hacked, exposing the passwords of some of its more popular and influential users.</p>
<p>I'm highly aware of suspicious links and attempts to spearphish me (a tactic where a specialized message with a poisoned link is sent to an individual as opposed to spammed to the masses). I don't click on links that might be malware.</p>
<h2>Caution Only Gets You So Far</h2>
<p>And yet, my caution hasn't protected me. For instance, I was not spammed or phished on Yahoo. I hardly use the account and only became aware of the hack when my Yahoo email started spamming my Google email (oh, the irony). This hack was on the Yahoo side, not the fault of an individual. Same goes for my password compromises on Evernote and Twitter.&nbsp;</p>
<p>Unless I'm completely missing something, these breaches were not my fault. I was a victim caught in a larger game of cat-and-mouse between the hackers, security companies and susceptible enterprises.&nbsp;</p>
<p>“There is no shortage of attackers with the necessary skill, motivation and financial resources to break into a given enterprise and steal data,” said Michael Sutton, VP of security research at <a href="http://www.zscaler.com/index.php" target="_blank">Zscaler</a>, a company that focuses on detecting breaches. “When companies such as Twitter, Apple and Facebook, with sophisticated security teams and more than adequate means to attract the very best talent cannot stop every attack, we must accept that the goal of building an impenetrable fortress is unachievable.”</p>
<h2>Security Starts With The Individual (Who Can Still Be A Victim)</h2>
<p>Researchers like Cluley have long advocated that security starts and ends with the individual.</p>
<p>“The takeaway from all these security stories is that each of us has a part to play in the fight against the bad guys -- whether it's on our home computers (ensuring they don't get hijacked into a botnet) or in the workplace,” Cluley said. “Report suspicious activity, think before clicking on unsolicited attachments or links, keep your OS, your PDF reader, your anti-virus up-to-date with the latest security patches.”</p>
<p>The argument is a sound one and similar to how entities like the World Health Organization have gone about fighting outbreaks of epidemic disease: educate people to take care of themselves. Sometimes though, it doesn't matter how much you know or how assiduously you take care of yourself -- you are going to get sick (or hacked) and there is nothing you can do about it.</p>
<p>So, are the hackers winning? When people still do everything right and still become victims, you tell me.</p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/14/the-hackers-are-winning</link>
                <guid>http://readwrite.com/2013/03/14/the-hackers-are-winning</guid>
                <category>Security</category>
                <pubDate>Thu, 14 Mar 2013 04:30:00 -0700</pubDate>
                <author>Dan Rowinski</author>
            </item>
                    <item>
                <title><![CDATA[12 Things You (Probably) Didn't Know About Online Security]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/ESET-cobb.JPG" />
                                        <p class="p1">At the <a href="http://www.rsaconference.com/">RSA Conference</a> in San Francisco last week, I got the chance to sit down with <a href="http://www.welivesecurity.com/author/scobb/" target="_blank">Stephen Cobb, a distinguished security researcher for the IT security company ESET</a>. We talked about a lot of things, including Android security issues and how walled gardens have their uses.</p>
<p class="p2"><strong>(See also <a href="http://readwrite.com/2013/03/04/in-the-security-world-android-is-the-new-windows">In The Security World, Android Is The New Windows</a>.)</strong></p>
<p class="p1">It was a great conversation, touching on a wide variety of fascinating aspects of online and mobile security, and I wanted to share as many of them as possible.</p>
<p class="p1">This list seemed like the best way to do that. And while not every one of the dirty-dozen points presented here may surprise you, I can pretty much guarantee that few people will already know - or agree with -&nbsp;<em>everything</em> on the list:</p>
<p class="p1"><strong>1. Big Data is not new to the anti-virus industry.</strong> Turns out the anti-virus companies have been doing traffic analysis, incident sharing and code sharing for decades, Cobb claims. They just didn't call it Big Data until the term became fashionable.</p>
<p class="p1"><strong>2. Anti-virus companies have been practicing co-opetition since the 1980s</strong>, when they realized there was no percentage in one company being able to stop one virus while you needed another company to stop a different virus. They quietly began sharing virus signatures and other information, Cobb says.</p>
<p class="p1"><strong>3. All the major Web browsers share information on malware sites and other threats</strong>. Chrome, Internet Explorer, Firefox and the others all share which URLs to flag, for example. That's why when <a href="http://money.cnn.com/2013/02/22/technology/security/nbc-com-hacked-malware/">NBC.com was hacked recently</a> and started spewing malware, everybody was able to block it almost immediately.</p>
<p class="p1"><strong>4. One of the hardest parts of securing Big Data is knowing <em>where</em> the data is actually stored.</strong> In the old days, when data was collected and stored, it didn't really move much. Now, in the cloud, Cobb says we don't really know where data is stored. Malware creators are intent on exploiting that, but what form that will take remains to be seen.</p>
<p class="p1"><strong>5. One reason more high-value targets haven't been hacked is that there is still so much low-hanging fruit</strong> for the bad guys to go after. According to Cobb, so far, there hasn't been much need to try and crack the hardest targets.</p>
<p class="p1"><strong>6. Most attacks take the form of malware or hacking.</strong> Of the hacking attacks, Cobb says, 80% go after passwords that are either non-existent, guessed or stolen.</p>
<p class="p1"><strong>7. Anti-virus hasn't been about matching virus signatures for years.</strong> Some people say the anti-virus model doesn't work because so much new malware is coming out all the time that anti-virus solutions can't possibly keep up. But Cobb protests that most anti-virus software is continually detecting previously unseen malware.</p>
<p class="p1"><strong>8. People who know what they're doing on the Internet might be able to get by with no anti-virus software.</strong> But Cobb says people are fooling themselves when they claim: "I don't run anti-virus software and I've never been hacked." "Are you really OK telling everyone you know - your mom, for instance - not to run anti-virus software?" he asks.</p>
<p class="p1"><strong>9. There's still an incredible amount of spam out there.</strong> You don't see it, but it's still there. It takes a huge amount of datacenter power to block it, but that blocking is built into the network security appliance and you don't have to deal with it.</p>
<p class="p1"><strong>10. The overall trend is for increasing levels of security to be compressed into the core</strong>, to become part of a standard install. That's happened to anti-spam, to firewalls and it's happening to anti-virus, too.</p>
<p class="p1"><strong>11. It's a lot harder to write 64-bit malware than it is to write 32-bit malware. </strong>And that could help lower the number of attacks on 64-bit systems.</p>
<p class="p1"><strong>12. In many ways, hacking behavior seems to have gotten <em>better</em> over the years</strong> - at least in the United States, Cobb says. But we are now increasingly exposed to other, more dangerous places. The globalization of the Net has caught up with us even as the value of hacking has gone way up. Today, hackers aren't just messing with us, Cobb notes, they're stealing from us. And that's a big new incentive.</p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/08/12-things-you-probably-didnt-know-about-online-security</link>
                <guid>http://readwrite.com/2013/03/08/12-things-you-probably-didnt-know-about-online-security</guid>
                <category>Security</category>
                <pubDate>Fri, 08 Mar 2013 05:01:00 -0800</pubDate>
                <author>Fredric Paul</author>
            </item>
                    <item>
                <title><![CDATA[AT&T/Verizon Challenge Tech Companies' Commitment To National Security]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_83399101.jpg" />
                                        <p class="p1">The technology industry has been excluded from the government's definition of what constitutes the nation's critical infrastructure, giving them a free pass from regulations. While this may be good for IT businesses, telecom companies like AT&amp;T and Verizon Communications are crying foul.</p>
<p>Information technology is crucial to business, and according to these telecom companies, IT is just as important in securing power plants, telecommunications and water filtration systems. Which is why they want IT companies to be listed as part of the nation's critical infrastructure, something IT vendors are resisting because they don't want to be saddled with more government regulation.</p>
<p>The very political situation raises many questions, and has few answers.</p>
<h2>Obama's Executive Order</h2>
<p>Currently, IT - think companies like&nbsp;Microsoft, IBM, Apple, Oracle, Cisco and more -&nbsp;is excluded from the government's definition of critical infrastructure, as defined by President Obama in an executive order issued last month. In directing the Secretary of Homeland Security to identify critical infrastructure at the greatest risk of attack, the order says the Secretary "shall not identify any commercial information technology products or consumer information technology services under this section."</p>
<p>This exclusion, the result of heavy lobbying by the IT industry, is not sitting well with telecom companies, such as AT&amp;T and Verizon. They believe technology vendors are as important as the network operator in building adequate security to fend off cyberattacks from terrorists.</p>
<p>"The Internet ecosystem is far more interconnected and dependent on a host of players than it was even five years ago," a Verizon spokesman said.</p>
<h2>Fighting Regulations</h2>
<p>While the government battles terrorism, telecom and IT companies are trying to fend off regulations. The executive order sets the groundwork for cybersecurity legislation from Congress. So far, the IT industry has been excused, and the telecom industry wants it to share whatever regulatory burden results from current negotiations between the White House and Congress.</p>
<p>"The telecom community is concerned the tech industry is going to get a free pass here," David Kaut, a Washington analyst with Stifel Nicolaus &amp; Co. <a href="http://www.bloomberg.com/news/2013-03-05/google-exception-in-obama-s-cyber-order-questioned-as-unwise-gap.html" target="_self">told Bloomberg</a>. "You have an ecosystem and only the network guys are going to get submitted to government scrutiny."</p>
<p>Telecom companies have a point when it comes to critical infrastructure. Hackers who break into the Windows computer of a telecommunications company could wind their way into control systems and shut down wireless or landline service for hundreds of thousands of people. But is regulating IT security directly the best way to prevent such a breach? I don't believe so.</p>
<p>Instead of more regulations, the government should focus on requirements for companies directly involved with maintaining the nation's critical infrastructure. As IT customers, these companies, which include utilities, financial institutions, defense contractors and manufacturers, are in a much better position to get the security they need built into the products they agree to buy. If an IT company such as Microsoft, Oracle or IBM cannot meet the requirements, then another one will.</p>
<p>"Commercial products and services often are the weakest link, but regulating them directly means imposing costs that many users won’t be able to shoulder," Stewart Baker, a partner at law firm Steptoe &amp; Johnson and a former assistant secretary for policy at DHS, said. "So you end up imposing costs on everyone to protect a portion of the economy."</p>
<h2>Political Talks</h2>
<p>This issue is sure to come up <a href="http://news.yahoo.com/white-house-lawmakers-renew-talks-cybersecurity-bill-rogers-183653926--sector.html" target="_self">during negotiations</a> underway between the White House and congressmen supporting a cybersecurity bill introduced in the U.S. House Intelligence Committee. The bill emphasizes sharing threat information between businesses and government, while the Obama administration also wants minimum security standards set for the most critical companies.</p>
<p>For telecom companies to get what they want, they will have to convince the Republican majority in the House, which adamantly opposes more government regulation, to broaden the cybersecurity bill to include the IT industry. That's unlikely, so telecom and other critical infrastructure companies should be prepared to take full responsibility for securing their systems.</p>
<p><em>Image courtesy of <a href="http://www.shutterstock.com">Shutterstock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/07/efforts-to-list-the-it-industry-as-critical-infrastructure-misguided</link>
                <guid>http://readwrite.com/2013/03/07/efforts-to-list-the-it-industry-as-critical-infrastructure-misguided</guid>
                <category>cybersecurity</category>
                <pubDate>Thu, 07 Mar 2013 09:00:00 -0800</pubDate>
                <author>Antone Gonsalves</author>
            </item>
                    <item>
                <title><![CDATA[In The Security World, Android Is The New Windows]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/ESET-stephens.JPG" />
                                        <p class="p1">For decades, Microsoft Windows was the computer platform of choice — not just for the overwhelming majority of computer users, but also for a growing legion of malware creators. As the dominant computing platform, it offered the fattest, most lucrative target, and some of its fundamental architecture decisions made it vulnerable to many kinds of malware.</p>
<p class="p1">With the transition to the mobile era, Windows is no longer at the center of the computing universe&nbsp;—&nbsp;for users or for hackers. That role is now occupied by Android.&nbsp;According to <a style="line-height: 1.538em;" href="http://blog.eset.com/author/scobb">Stephen Cobb, a distinguished security researcher for the IT security company ESET</a>, "Android is like early Windows." It's now the locus for security attacks and prevention&nbsp;—&nbsp;even if it's not getting as much attention in this regard as Windows used to.</p>
<h2 class="p2">Flying Under The Radar?</h2>
<p class="p1">"There's so much malware on Android, you'd think it would be a huge deal," Cobb said. And the growth is "huge," he added, "both in the number of malware exploits and their increasing sophistication. The rate of growth in Android malware is impressive, and scary."</p>
<p class="p3"><strong>(See also <a href="http://readwrite.com/2012/10/24/sloppy-app-development-leaves-android-owners-at-risk">Sloppy App Development Leaves Android Owners At Risk</a>)</strong></p>
<p class="p1">At this week's RSA conference in San Francisco, ESET did a live demo on Android, downloading an infected app that roots the phone and opens it up to whatever the attacker wants to do with it&nbsp;—&nbsp;including dumping out its entire contents in a few seconds over the Internet.</p>
<p class="p1">Why aren't we hearing more about Android's security problems? "It's death by 1000 cuts," Cobb said. Instead of emptying the bank accounts of infected users, the malware is more often used for <a href="https://www.google.com/search?q=premium+rate+sms+fraud">premium-rate SMS fraud</a> against mobile carriers, "which isn't bankrupting anyone immediately. They're flying under the radar."</p>
<p class="p1">"I don't think the criminal underground is sophisticated enough that it is holding back," Cobb said. It's just that when a mobile platform is the target, "the model is many times a smaller attack&nbsp;—&nbsp;or you can look at it as <em>part</em> of a larger attack."</p>
<p class="p3"><strong>(See also <a href="http://readwrite.com/2013/02/14/where-has-all-the-mobile-malware-gone">Where Has All The Mobile Malware Gone?</a>)</strong></p>
<p class="p1">For example, if a criminal wants to insert himself into a small or medium-sized business doing $40,000 bank transfers, he'd run into the fact that many online banking systems use two-factor authentication&nbsp;— i.e., they require a code sent to a client's mobile device in addition to a password.&nbsp;But a mobile hack can help defeat that.</p>
<h2 class="p2">Your Mobile Platform <em>Does</em> Matter</h2>
<p class="p1">Just as on computers, which mobile platform you use really does make a difference on security. "The Apple model of a closed shop, from a security standpoint, is a very good thing," Cobb said. Apple's OS X and iOS are both pretty secure to start with, and with iOS and the App Store, "Apple is moving that from a physical environment to a software environment."</p>
<p class="p1">Even as Android takes the lead in global sales, it's been much less successful from a security standpoint. "We sell an anti-virus product for Android," Cobb noted. "No one sells anti-virus for iOS."</p>
<p class="p1">What will it take for Android to clean up its act? "Quite frankly, I expect to see it improve when sales start getting impacted," Cobb said. That obviously hasn't happened yet on a mass scale, as Android sales continue to outstrip its smartphone competitors.</p>
<p class="p1">But Cobb said that "In some circles it is already having an effect… I wouldn't use an Android phone for my personal stuff."</p>
<h2 class="p2">Meanwhile, Windows Is Getting Better</h2>
<p class="p1">Ironically, as Android's security issues grow, Windows is actually getting better. "Microsoft deserves kudos for making Windows more and more secure," Cobb said. And with the move to Windows 8, Microsoft is shifting toward a more closed, more secure model, specifically by not allowing apps unless they are from a legitimate developer.</p>
<p class="p1">Plus, Windows' issues over the years have had the effect of training people to be more careful. "Someone who's been using Windows for the last 10 years is probably better protected than a Mac person," Cobb joked. "They've had to learn the hard way."</p>
<p class="p1">The problem is that in an ostensibly protected environment, people can get a false sense of security. They are still vulnerable to "some big hack" that overrides all the existing protections, or to "social engineering" attacks, Cobb noted. That's why many of the bad guys are changing tactics. "Instead of trying to break into the computer, they're now trying to break into the person."</p>
<p class="p1">Ultimately, that's only one reason Cobb thinks that concentrating on mobile <em>malware</em> may be the wrong angle. "What the bad guys really want," he said, "is the device out of your pocket." If they can physically get ahold of your device, they can do all sorts of bad things.</p>
<p class="p1"><em>Image of Stephen Cobb by Fredric Paul.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/04/in-the-security-world-android-is-the-new-windows</link>
                <guid>http://readwrite.com/2013/03/04/in-the-security-world-android-is-the-new-windows</guid>
                <category>Security</category>
                <pubDate>Mon, 04 Mar 2013 05:00:00 -0800</pubDate>
                <author>Fredric Paul</author>
            </item>
                    <item>
                <title><![CDATA[Evernote Is Latest Hacking Victim]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/evernote_top_0.jpg" />
                                        <p>In a <a href="http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/" target="_blank">post on Evernote's official blog</a>, the company said it has "discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service." While post author Dave Engberg said the company has "found no evidence that any of the content you store in Evernote was accessed, changed or lost," Evernote decided to require all users to reset their passwords.</p>
<p>Engberg explained that Evernote had "no evidence that any payment information" was stolen, but that usernames, email addresses and encrypted passwords were accessed. The encrypted passwords were both hashed and salted, Evernote said, so they should be very difficult to crack.</p>
<p>Nevertheless, in order to continue using their accounts, Engberg wrote, all users will have to reset their passwords. That can be a hassle, of course, as many people use Evernote apps on multiple mobile devices as well as over the Web. Engberg said the company was working on app updates to ease the process.</p>
<h2>Security Breaches Becoming More Common?</h2>
<p>Evernote - a popular app for personal and professional productivity - is only the latest in an ongoing string of high-profile security breaches. Other recent victims include Twitter, <a href="http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/" target="_blank">Microsoft</a>, NBC.com, the <a href="http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/" target="_blank">U.S. State Department</a>, <em>The New York Times</em>, <em>The Wall Street Journal</em>, Bloomberg, Burger King and many others. It's not entirely clear to what extent the various breaches are connected, but the trend has to be worrisome to everyone from corporate security managers to everyday online consumers.</p>
<p>Without some resolution, security concerns could increasingly threaten the growth of the online economy.</p>
<p><strong>(See also <a href="http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing" target="_blank">World War III Is Already Here - And We're Losing</a>.)</strong></p>
                    ]]></description>
                <link>http://readwrite.com/2013/03/03/evernote-is-latest-hacking-victim</link>
                <guid>http://readwrite.com/2013/03/03/evernote-is-latest-hacking-victim</guid>
                <category>Security</category>
                <pubDate>Sun, 03 Mar 2013 11:52:20 -0800</pubDate>
                <author>Fredric Paul</author>
            </item>
                    <item>
                <title><![CDATA[Hacked! Did The Chinese Get Their Revenge?]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/ChineseMilitary.jpg" />
                                        <p>In the past few weeks, I have written two stories about the menace the Internet represents, particularly in view of the hacking attacks almost certainly perpetrated by the Chinese Red Army. In particular, my contention that we need to develop a next generation Internet that's more secure and, preferably, walled in, drew a lot of heated commentary.</p>
<p>Here are just a few of the choicest ones:</p>
<ul>
<li>This is unmitigated isolationist idiocy.</li>
<li>Seriously... is this a spoof article?</li>
<li>This post should not appear in readwriteweb.</li>
</ul>
<p><strong>(See <a href="http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing" target="_blank">World War III Is Already Here - And We're Losing</a> and <a href="http://readwrite.com/2013/02/21/cyberwar-imperative-we-need-a-next-generation-internet" target="_blank">Cyberwar Imperative: We Need A Next-Generation Internet</a>.)</strong></p>
<h2>Hacking As Retaliation?</h2>
<p>That's great, and maybe there really isn't any problem here. But the fact is that about 10 days after the first story ran - I got hacked.</p>
<p>A coincidence? I think not.</p>
<p>Or maybe it was my own doing, astutely observed one reader: "I asked for it." Now where have I heard that blame game before?</p>
<p>So what happened? Someone hacked my email password and sent thousands of spam messages using my account. I knew something was wrong when I suddenly was inundated with "Mail delivery failed" subject lines. My Twitter account was hacked, too, but that could just be Twitter's lax security measures.</p>
<p>Of course, there's no way to tell if the dirty deed was done by the Chinese, or even whether it was in retaliation for the articles. But the timing certainly seems suspect.</p>
<p>In his State of the Union address, President Obama ranked hackers and cyber attacks among the greatest economic and national U.S. security threats. The President's response was to issue an executive order calling for more sharing of cyber-attack and threat information between private and public sectors. Naturally, civil libertarians object to this executive order due to potential invasions of privacy.</p>
<h2>Solution: Fix the Internet Itself</h2>
<p>A far more practical idea comes from the <a href="http://necsi.edu/" target="_blank">New England Complex Systems Institute</a>, which is set to publish a report next week that agrees with my stated principles. The NECSI report blames the problem on the Internet itself, and says that the only solution is to redesign it.</p>
<p>"The current design of the Internet is inherently insecure," says NECSI President and co-author Yaneer Bar-Yam in a press release. "Any node can be attacked from any other node, requiring the entire network to be fortified against all possible attacks, an unrealistic goal," adds Bar-Yam.</p>
<p>That would require redesigning the Internet's architecture itself. The report proposes substantial changes to routers in charge of switching data packets between network nodes.</p>
<p>"Collective security-preventing attacks would require that the routers of the Internet themselves would need to have protocols that allow refusal of transmission based upon content or extrinsic information such as point of origin," according to the study's authors.</p>
<p>The study, <a href="http://www.necsi.edu/research/military/cyber/" target="_blank">Principles of Security: Human, Cyber and Biological</a>, was developed at the request of a long-term military planning group, the Strategic Studies Group, which reports to the Chief of Naval Operations. The report is being released for the first time to the public next week.</p>
<p>As for me, I'm glad to see that other people are thinking about realistic solutions to make our Internet less vulnerable to attacks of all kinds.<br /><br /><em>Image of alleged Chinese hackers compound courtesy of Reuters.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/02/28/hacked-did-the-chinese-get-their-revenge</link>
                <guid>http://readwrite.com/2013/02/28/hacked-did-the-chinese-get-their-revenge</guid>
                <category>Security</category>
                <pubDate>Thu, 28 Feb 2013 10:33:00 -0800</pubDate>
                <author>Michael Tchong</author>
            </item>
                    <item>
                <title><![CDATA[The Surprising Holes The IT Security "Kill Chain" Is Neglecting]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_gaps.jpg" />
                                        <p>The conventional wisdom holds that your organization will be secure if you focus on shutting down zero-day exploits and keep out the rest of the exploits by applying multi-layer defenses from multiple vendors. That complacency is about to take a serious beating from new research coming out of <a href="https://www.nsslabs.com/" target="_blank">NSS Labs</a> this week.</p>
<p>The news really could not have come at a worse time. Last week's revelations that China may be participating in state-sponsored cyberattacks against Western nations, coupled with Anonymous' full-on declaration of war against various corporate and government agencies following the death of Aaron Swartz, mean that security is very much on the minds of IT leaders these days. Finding out your bulletproof vest is made out of cardboard instead of Kevlar just as the firefight is heating up does not make for happy security executives.&nbsp;</p>
<h2>Bypassing The Kill Chain</h2>
<p>Good news or not, Frank Artes, Research Director at NSS Labs, is spreading the word about the research he and colleague Stefan Frei have done.</p>
<p>After analyzing the massive amount of data NSS Labs collects as it analyzes security products up and down an organization's security stack (known as the kill chain), the team discovered that the usual practice of using heterogeneous, layered tools to filter out exploits is not as effective as one would think.</p>
<p>The idea of this layered approach, Artes explained, is based on the premise that even if an exploit can get through one vendor's defenses, another vendor's tool can catch that exploit and kill it. Hence, "kill chain."</p>
<p>But in reality, "huge numbers of exploits are getting through," Artes said. The NSS Labs researchers mapped those exploits and identified them based on criticality and availability (is the exploit hard to get or part of a crimeware package that a script kiddie can buy with a credit card?). Using a visual model, the team was able to create graphic results that demonstrate just how many serious exploits can get through.</p>
<p><span class="embedded-Media-image img-caption-c">
				<img src="http://readwrite.com/files/nss.png" style="" />
			</span>
</p>
<h2><span style="line-height: 1.538em;">Exploits Don't Have Expiration Dates</span></h2>
<p>NSS Labs, which acts as a <a href="http://www.consumerreports.org/cro/index.htm" target="_blank">Consumer Reports</a>-like organization in the security sector, is not singling out any one vendor as a problem. Instead, Artes emphasized, <em>all</em> vendors' products, be they browsers, Intrusion Prevention Systems (IPS) or firewalls, have exploits that can let malware through, and a surprisingly high number of these holes are shared among various products.</p>
<p>Part of the problem is that many vendors are focused on security in the present: protecting customers from zero-day exploits and advanced persistent threats (APTs), such as state-sponsored attacks.</p>
<p>"We're always looking forward, watching out for the next <a href="http://en.wikipedia.org/wiki/Duqu" target="_blank">Duqu</a> or <a href="http://en.wikipedia.org/wiki/ILOVEYOU" target="_blank">ILoveYou</a> for 2013," Artes said. What should also be done is to keep an eye on what's happened in the past, because it can come back to haunt you.</p>
<p>Exploits don't have expiration dates and there are a lot of older methods and tools that can bust through security because the security software may never have been properly patched or (in some cases) the exploit may have been deprecated from the security tool's database to make room for newer exploits. Databases for security software can't afford to get too big, Artes explained, or their tool's performance would be hindered.</p>
<p>End users' patch-management policies can also affect how many exploits get through. Because many applications can touch parts of a security stack, you can't just automatically update every single piece of security software to the latest and greatest - without extensive testing, business applications could break and die when confronted with freshly patched security code.</p>
<p>Revisiting your company's patch-management procedures is a good way to help ensure systems are locked down as much as possible. Devoting more resources to these procedures is your best bet, Artes explained, but many companies don't have the time or the money to beef up patch management.</p>
<p>Instead, they may have to work smarter, not harder. Tools like the visual analysis Artes and Frei's team have developed should help focus efforts, even on a fixed budget.</p>
<p><em>Lead image courtesy of <a href="http://www.shutterstock.com">Shutterstock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/02/27/the-surprising-holes-the-it-security-kill-chain-is-neglecting</link>
                <guid>http://readwrite.com/2013/02/27/the-surprising-holes-the-it-security-kill-chain-is-neglecting</guid>
                <category>cybersecurity</category>
                <pubDate>Wed, 27 Feb 2013 03:00:00 -0800</pubDate>
                <author>Brian Proffitt</author>
            </item>
                    <item>
                <title><![CDATA[BYOD Security: Yes, It IS Possible To Have A Secure Bring Your Own Device Program]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_126605534.jpg" />
                                        <p><a href="http://intel.ly/XoL2jP" target="_blank"><img style="display: block; margin-left: auto; margin-right: auto;" src="http://readwrite.com/files/Intel_contributed_300x60.jpg" alt="" /></a></p>
<p class="p1"><span style="line-height: 1.538em;"><span style="line-height: 1.538em;">Securing a Bring Your Own Device (BYOD) program means more than hoping endpoint authentication will keep out the bad guys.</span><span style="line-height: 1.538em;">&nbsp;</span></span></p>
<p class="p1">BYOD security is a big deal.&nbsp;In 2012, Intel&nbsp;<a style="line-height: 1.538em;" href="http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/consumerization-enterprise-byod-peer-research-paper.pdf" target="_self">surveyed 3,000 IT decision makers and 1,300 end users</a>&nbsp;from Australia, Germany, South Korea and the United States to better understand their BYOD challenges. In three of the four countries, IT Managers considered a lack of security features the most important factor inhibiting device adoption. German IT managers ranked it second, after only government compliance.</p>
<p class="p1"><span class="embedded-Media-image img-caption-c">
				<img src="http://readwrite.com/files/byod_barriers.png" style="" />
			</span>
</p>
<p class="p1">BYOD may be inevitable, but the security concerns around it are well-founded.&nbsp;Some of IT's top BYOD security issues are beyond the ability of software-management tools to handle alone. These include:</p>
<ul>
<li><strong>Unlicensed Software</strong>: Owner-installed applications on personal devices can violate enterprise license agreements, and others could compromise the integrity of your network.</li>
<li><strong>Unsecured Third-Party Connections</strong>: All smartphones and most tablets can connect to unsecured wireless networks, offering an unmonitored back channel.</li>
<li><strong>Malware</strong>: Devices can become infected outside the firewall through non-work usage.</li>
<li><strong>Rooted Devices</strong>: By gaining root access to mobile devices, users can bypass security restrictions and, in some cases, install rogue apps.</li>
<li><strong>Lost, Stolen, Or Damaged Devices</strong>: When devices disappear or go out of service unexpectedly, businesses can lose access to critical data. Furthermore, in addition to compromising local data, stolen devices can expose the entire network.</li>
</ul>
<p class="p1">Each device class and user type brings unique security challenges. To address them all, IT needs to leverage software&nbsp;<em style="line-height: 1.538em;">and</em> hardware solutions to lock down and manage devices while simultaneously securing the data itself. Here are three steps to help make the BYOD environment as secure as it can be.</p>
<h2 class="p1"><span class="embedded-Media-image img-caption-c">
				<img src="http://readwrite.com/files/BYOD.png" style="" />
			</span>
</h2>
<h2 class="p1">1. Educate Employees</h2>
<p class="p1">Curbing dangerous behavior is the first step toward reducing risk. Personal device management policies and procedures help reduce your company's risk with very low cost and complexity.&nbsp;In a review of <a style="line-height: 1.538em;" href="http://www.intel.com/content/dam/www/public/us/en/documents/best-practices/improving-security-and-mobility-for-personally-owned-devices-paper.pdf">its own, internal BYOD program</a>, Intel noted three types of employee education necessary to minimize risk:</p>
<ul>
<li><strong>User Training:</strong> Training end users about the content and ramifications of the employee service agreement and sharing best practices for data protection inside and&nbsp;outside&nbsp;of the office.</li>
<li><strong>Security-Desk Training</strong>: Training the Help Desk to answer questions quickly, efficiently, and within the allowable legal scope created by the program.</li>
<li><strong>Developer Training</strong>: Training developers to build secure data access and storage into their application code.</li>
</ul>
<p>With its favorable cost-benefit ratio, education is low-hanging fruit. In the IT manager survey referenced earlier, managers from all four participating countries that had begun securing their BYOD systems had most commonly implemented device management rules and an employee code of conduct. Employee education is a rewarding place to start, but – based on the fact that security concerns persist – it is obviously not a standalone solution.</p>
<h2 class="p1">2. Secure Your Data</h2>
<p>Tomorrow's devices could be completely different, future applications may handle data in entirely new ways and users will always find ways to use devices inappropriately. Future-proofing your network against the unknown requires a shift from protecting <em>devices</em> to protecting the <em>data</em> they use. Encrypting and backing up data is essential, but IT should also consider other, complementary methods of making sensitive information less accessible.</p>
<p>One popular software-based security method gaining steam in BYOD environments is the <em style="line-height: 1.538em;">Virtual Hosted Desktop</em>&nbsp;(VHD). VHD (sometimes&nbsp;known as Virtual Desktop Infrastructure, or VDI) creates a&nbsp;complete&nbsp;desktop image that includes an operating system, all applications and settings. The hosted desktop can be accessed from any compatible machine, and processing and storage take place on a central server.&nbsp;With enough network bandwidth and powerful hardware, this type of virtualized environment can combine acceptable performance with high levels of security.</p>
<p>For high-security environments in which manageability and recovery trump everything else, it is often the default computing paradigm. But for most BYOD workers, VHD's drawbacks usually outweigh its advantages. VHD cannot take full advantage of all the features of local hardware, and it performs poorly on marginal networks – a major issue for remote workers. Furthermore, the desktop paradigm may break down on non-PC devices, limiting the available audience.</p>
<p class="p3"><em><span class="embedded-Media-image img-caption-r">
				<img src="http://readwrite.com/files/cotainerization.png" style="" />
				<span class="embedded-Media-image-caption">Example showing multiple containers on a single device.</span>
		</span>
Containerization</em>&nbsp;is a way to address VHD's issues by placing native applications inside a safe zone on a device. A virtual machine manager (VMM) abstracts the container from the client hardware, boosting performance and reducing server strain by allowing client-side execution - while still improving security by isolating the container from certain functions, such as wireless network connections, USB ports or device cameras. Some virtual containers contain an entire operating system and productivity application suite, while others are purpose-built, single-function virtual devices that provide services like compliance monitoring or highly secure applications.</p>
<p class="p3">IT can create or purchase containerized applications for every platform, including smartphones, providing a much broader client base than VHD. Containerized applications also run at or close to the speed of fully native applications, and caching lets users continue working through network disruptions. However, containerization can compound development and administrative burdens, and since containerized apps require client-side storage, they are inherently less secure than fully virtualized solutions.</p>
<h2 class="p1">3. Use <em>Your</em> Hardware&nbsp;</h2>
<p class="p1">Selecting the right subset of hardware to support will bolster software-based security measures while lowering management costs. For example, if a company chooses to&nbsp;support&nbsp;a variety of Intel-based devices, IT could implement a 100% Windows-based environment. This would reduce the cost of developing and securing applications for different platforms while allowing IT to leverage Windows' existing security infrastructure, virtualization tools and anti-malware. And it would still allow employees a wide choice of devices to meet their individual needs.</p>
<p class="p1">On an application level, properly chosen hardware can augment your management tools. Mobile Device Management (MDM) software can identify devices that are out of compliance, but it has limited reach into rooted, broken, hacked or otherwise compromised systems.</p>
<p class="p1">Chipset-level security technologies like <a style="line-height: 1.538em;" href="http://www.intel.com/content/www/us/en/architecture-and-technology/vpro/vpro-technology-general.html">Intel VPro</a>&nbsp;(found in 3rd-generation Intel Core processors) allow MDM to reach underneath a managed device's operating system, performing remote wipes and pre-boot virus scans, regardless of the device's status.&nbsp;By providing access below the operating system, VPro allows&nbsp;administrators&nbsp;to correct problems by loading software patches and virus definitions, and its integrated support for <a href="http://en.wikipedia.org/wiki/Public-key_infrastructure" target="_blank">Public Key Infrastructure (PKI)</a> allows IT to use the devices themselves to authenticate users, removing the need for third-party software tokens or hardware-based authentication devices.&nbsp;<a style="line-height: 1.538em;" href="http://www.intel.com/content/www/us/en/architecture-and-technology/anti-theft/anti-theft-business-technology.html">Intel Anti-Theft</a>&nbsp;technology extends security features such as remote, OS-independent device locking and unlocking to earlier processors, as well as newer, VPro-compatible chipsets.</p>
<p class="p1">Finally, selecting the right hardware can make other software options more viable. For example, VHD's biggest drawback is performance. <a href="http://www.intel.com/content/www/us/en/virtualization/intel-virtualization-transforms-it.html">Hardware that accelerates common virtualization tasks</a> can mitigate that sluggishness, making the security of VHD more acceptable to users.</p>
<p class="p1">Securing BYOD will always be a challenge, but with the right planning and proper device selection, IT can make users' hardware work <em>for</em> the cause, rather than against it.</p>
<p class="p1"><em>Lead image courtesy of <a href="http://www.shutterstock.com" target="_blank">Shutterstock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/02/26/security-basics-of-byod</link>
                <guid>http://readwrite.com/2013/02/26/security-basics-of-byod</guid>
                <category>BYOD Grows Up</category>
                <pubDate>Tue, 26 Feb 2013 10:01:00 -0800</pubDate>
                <author></author>
            </item>
                    <item>
                <title><![CDATA[Microsoft's Rotten Friday: Hack Revealed As Azure, Halo Go Down]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/rsz_screenshot_2013-02-22_at_40830_pm.png" />
                                        <p>Microsoft ended the week with a pair of black eyes: a failure to secure a security certificate brought its Azure cloud service tumbling down, and the company also confessed to being the latest corporate victim of a high-profile hacking attempt.</p>
<p>The Azure failure also affected Microsoft's Xbox game, Halo 4, Microsoft <a href="https://twitter.com/HaloWaypoint/status/305170808358174721" target="_blank">confirmed</a>.</p>
<p>The highest-profile incident may have had the least effect: "a small number" of Microsoft PCs were penetrated by an unknown intruder. No user data was compromised, Microsoft <a href="http://blogs.technet.com/b/msrc/archive/2013/02/22/recent-cyberattacks.aspx" target="_blank">said in a blog post</a>.&nbsp;</p>
<p>"Consistent with our security response practices, we chose not to make a statement during the initial information gathering process," Matt Thomlinson, general manager of Microsoft's Trustworthy Computing Security unit, wrote. "During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing."</p>
<p>The attacks were consistent with other efforts to penetrate <a href="http://www.reuters.com/article/2013/02/19/us-apple-hackers-idUSBRE91I10920130219" target="_blank">computers within Apple</a> and Facebook, Microsoft said. <a href="http://readwrite.com/2013/02/15/and-facebook-was-hacked-too" target="_self">Facebook discovered its attack</a>&nbsp;last week, which followed attacks on the <em>Wall Street Journal</em> and <em>The New York Times</em>&nbsp;via an unpatched exploit within Java, exploited, experts believe, by the <a href="http://readwrite.com/2013/02/21/cyberwar-imperative-we-need-a-next-generation-internet" target="_self">Chinese military</a>.</p>
<p>Separately, <a href="http://readwrite.com/2013/02/22/zendesk-hack-compromises-user-data-of-twitter-tumblr-pinterest" target="_self">ZenDesk reported Friday that it, too, was hacked</a>, exposing emails that clients Tumblr, Twitter and Pinterest used to communicate with it for service-related requests.&nbsp;</p>
<h2>Lack Of SSL Certificate Brings Azure Down</h2>
<p>At press time Friday night, Microsoft still had not implemented a fix for the Azure issue, caused by a failure to obtain a new SSL certificate. That brought its Azure storage services down across all of its worldwide regions, as well as services that were dependent upon them.</p>
<p>At 9:30 PM UTC (4:30 PM ET), Microsoft discovered that "HTTPS operations (SSL transactions) on Storage accounts worldwide are impacted," the company said. By 9:45 PM UTC, the management portal, WindowsAzure.com, and the service bus, plus the websites that Azure serves were also down. By 10:15 PM, the company had begun validating steps to repair the problem, but hadn't formally announced a fix. After users began circulating screenshots of what appeared to be an expired SSL certificate, the company acknowledged its error.</p>
<p>"Windows Azure Storage has been affected by an expired certificate," a spokesman said in an emailed statement. "We are working to complete the restoration as quickly as possible. We apologize for any inconvenience this has caused our customers. For more information please go to <a href="http://www.windowsazure.com/en-us/support/service-dashboard/">http://www.windowsazure.com/en-us/support/service-dashboard/</a>."&nbsp;Microsoft also apologized to customers via Twitter.</p>
<p>Microsoft also reported problems with its Compute services, preventing users from creating new virtual machines. That left users who needed to create those virtual machines to host new apps scratching their heads. "Most of our apps are screwed up now!" pinvoke.in, one commenter, <a href="http://social.msdn.microsoft.com/Forums/en-US/windowsazuredata/thread/751c85c5-b3b5-43ba-9d5b-770472ad79e1" target="_blank">complained</a>. "WHATS NEXT? All compute instances die because someone at the data center switched them off?"</p>
<p>Unfortunately for Microsoft, this sort of thing has happened before. At the end of February 2012, Microsoft failed to account for the leap day at the end of the month, Feb. 29. As a result, the Azure service was down for more than 12 hours before Microsoft could issue a fix. Microsoft hasn't said whether or not the recent outage was a result of an oversight, or a more serious technical error.</p>
<p>Oddly enough, Netflix began <a href="https://twitter.com/Netflixhelps/status/305103157942435842">reporting problems</a>&nbsp;of its own on Friday night, leading to the intriguing possibility that two cloud services may have been failing at the same time. But although Netflix has gone down before when Amazon's AWS service failed, <a href="http://status.aws.amazon.com/" target="_blank">Amazon's own AWS service dashboard</a> didn't indicate any problems.</p>
                    ]]></description>
                <link>http://readwrite.com/2013/02/22/microsofts-rotten-friday-hack-revealed-as-azure-halo-go-down</link>
                <guid>http://readwrite.com/2013/02/22/microsofts-rotten-friday-hack-revealed-as-azure-halo-go-down</guid>
                <category>Microsoft</category>
                <pubDate>Fri, 22 Feb 2013 23:48:15 -0800</pubDate>
                <author>Mark Hachman</author>
            </item>
                    <item>
                <title><![CDATA[Cyberwar Imperative: We Need A Next-Generation Internet]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_128336945-missile.jpg" />
                                        <p class="p1">So Burger King's Twitter account got hacked on Monday. Apple and Facebook got attacked too. And so it goes. Within a few years, the Internet will be engulfed by "nuclear" warfare, but the bombs will be entirely created in plain ASCII text. What can be done?</p>
<p class="p1">We need a new Internet, that’s all. One designed from the ground up to be far more secure than what we have today. A few weeks ago, I wrote <a href="http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing">an article about the Chinese hacking into <em>The New York Times</em>, <em>The Wall Street Journal</em> and Bloomberg</a>. All because they delved too deeply into the affairs of some Chinese government officials.</p>
<p class="p1">On Tuesday, Mandiant released <a href="http://intelreport.mandiant.com/">two reports</a> that not only provided more evidence to support its allegations that many hacking attacks originate in China, but also pinpointed the exact location, a 12-story building on the outskirts of Shanghai. As <em>The New York Times</em> put it, that building is the “People’s Liberation Army base for China’s growing corps of cyberwarriors.”</p>
<p class="p1">The hacking underground is teeming with activity, as witnessed by the Apple and Facebook attacks. In Apple’s case, a worm was unleashed when employees <a href="http://thenextweb.com/apple/2013/02/19/facebook-apple-employees-visited-iphonedevsdk-where-their-computers-were-compromised-by-java-exploit/">visited a site</a> called iPhoneDevSDK.</p>
<h2 class="p2">No Evidence?</h2>
<p class="p1">I shuddered at the foregone conclusion of some media outlets: “there was no evidence that any data left Apple.”</p>
<p class="p1">Really?</p>
<p class="p1">They can break in at will but they have to leave <em>evidence</em> that they took stuff? Then there was the <a href="http://readwrite.com/2013/02/18/burger-king-twitter-account-hacked-hilarity-ensues">wholesale hacking of the Burger King Twitter account</a>, which resulted in a string of profane tweets.</p>
<p class="p1">Like I wrote in <a href="http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing">World War III Is Already Here - And We're Losing</a>, we’re smiling the enemy in the face. In that article, I proposed that America ramp up its investment spending in cyber security and robotics dramatically, by boosting cyber-security investment to $5 billion and robotics to $20 billion, annually.</p>
<p class="p1">As Steve Blank <a href="http://venturebeat.com/2013/02/16/steve-blank-on-continuous-innovation-tech-companies-arent-solving-21st-century-problems/#AEi0zuC3bWUDfpGO.99">observes</a>, “We are getting our asses handed to us by the Chinese. Almost irrationally we have decided not to have a National Industrial policy — leaving that to private capital.”</p>
<h2 class="p2">Who Will Lead The Charge?</h2>
<p class="p1">So it’s up to us pundits in the media to lead the charge for disruptive change. And one thing that clearly has to go, in its current form, is the Internet. I propose the U.S. create a next-generation Internet, a superset, or <em>n</em>-th layer if you will, that makes our critical Internet infrastructure, which is now largely powering the U.S. economy, less massively vulnerable to hacking attacks.</p>
<p class="p1">We have already seen what Russia did to <a href="http://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia">Estonia in 2007</a> and to <a href="http://en.wikipedia.org/wiki/Cyberattacks_during_the_2008_South_Ossetia_war">Georgia in 2008</a>. Now imagine what a full-blown war would look like today - or in 2015?</p>
<p class="p1">Way back in August 2006, <em>Bloomberg BusinessWeek</em> cited a <a href="http://www.businessweek.com/print/bwdaily/dnflash/content/apr2008/db20080414_422082.htm">counterintelligence report that found at least 108 countries engaged in “collection efforts against sensitive and protected U.S. technologies</a>,” up from 37 a decade ago. Now that’s a trend. Among the few countries specifically mentioned, China and Russia were among “the most aggressive” in targeting the U.S.</p>
<p class="p1">The Fiscal Times, a publication funded by Peter Peterson, agrees with my bleak assessment: <a href="http://www.thefiscaltimes.com/Articles/2013/02/19/Chinese-Attacks-Reveals-an-Undeclared-Global-Cyber-War.aspx#wiJJP3aJl3Z2zpWD.99">Chinese Attacks Reveal an Undeclared Global Cyber War</a>.</p>
<h2 class="p2">Next-Generation Internet: Wants &amp; Needs</h2>
<p class="p1">So how should this Next-Generation Internet be architected?</p>
<p class="p1">I will give you my wish list and you, tech wizards, can write the spec:</p>
<ul>
<li><strong style="line-height: 1.538em;">Secure:</strong><span style="line-height: 1.538em;"> It should be extremely secure, from day one. I know some will say that anything can be hacked, but let’s put the fence up high enough so that climbing it becomes a relatively esoteric art.</span></li>
<li><strong style="line-height: 1.538em;">Real ID:</strong> Everyone using it in an official U.S. capacity should be readily identifiable. I propose some type of next-generation eye-recognition technology using a computer or mobile camera. This will help sites like LinkedIn and Facebook in their endless battle against identity fraud. It will also help deter spamming because each business will need to use its “eyeD” to launch a marketing campaign.</li>
<li><strong style="line-height: 1.538em;">America Only:</strong><span style="line-height: 1.538em;" data-mce-mark="1"> It should be accessible by Americans only, for obvious reasons. Americans are free to leave the Next Gen Internet, but they do so at their own discretion.</span></li>
</ul>
<p class="p1">I’m sure many people can’t believe I would even propose such a thing. I know that things are going to have to get a lot worse before anyone takes my proposals seriously.</p>
<p class="p1">That's OK. I've already called this World War III, and it's only beginning to escalate. To win, we'll need to innovate. And that means staying ahead of the pack.</p>
<p class="p1"><em>Image courtesy of <a href="http://www.shutterstock.com" target="_blank">Shutterstock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/02/21/cyberwar-imperative-we-need-a-next-generation-internet</link>
                <guid>http://readwrite.com/2013/02/21/cyberwar-imperative-we-need-a-next-generation-internet</guid>
                <category>cybersecurity</category>
                <pubDate>Thu, 21 Feb 2013 09:27:00 -0800</pubDate>
                <author>Michael Tchong</author>
            </item>
                    <item>
                <title><![CDATA[Warning! Top 10 Valentine's Day Scams [Infographic]]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/Top%2010%20Valentine%27s%20Day%20Scams%20header%20final%202.jpg" />
                                        <p class="p1">Nothing says "I love you" like falling for a fake diamond ring sale and getting your identity stolen in the process. <a href="http://www.bitdefender.com" target="_blank">Bitdefender</a>, an antivirus solutions provider, has sent out an alert to online Valentine's Day gift buyers, warning of rampant scams aimed at extortion, phishing for personal information and luring unsuspecting lovebirds to malware-infected sites.</p>
<p class="p1">Bitdefender's Top 10 infographic (below) stresses that <em>men</em> are the top target of V-Day scams because they spend 75% more on gifts than women, according to <a href="http://www.creditdonkey.com" target="_blank">CreditDonkey.com</a>.</p>
<p class="p1">Among the scams to watch out for are malicious Valentine's Day cards that use blackhat SEO techniques to redirect buyers to search results that may install viruses, Valentine's Day wallpaper downloads that contain malware, and 'love calculator' and other relationship-themed apps from unofficial Android app stores that infect your devices and steal personal info.</p>
<p class="p1">With the astronomical number of <a href="http://www.cnn.com/2012/08/02/tech/social-media/facebook-fake-accounts">fake profiles floating around social media</a>, Bitdefender stressed the dangers of giveaways and information soliciting through phony social media profiles promising love.</p>
<p class="p1">Some of the more blatant cons can be easy to spot, such as phony flower sales and cheap limousine offers. But the last scam on Bitdefender's list should be a dead giveaway: "heart experts." Specializing in healing one's relationship wounds, these online offers sound like antivirus ads from a decade ago, but resurface every February alongside an array of these other scams.</p>
<p class="p1">The number one rule leading up to this Thursday? Stay smart and trust your spam filter.</p>
<p class="p1"><span class="embedded-Media-image img-caption-c">
				<img src="http://readwrite.com/files/bitdefender_valentines_800.jpg" style="" />
			</span>
</p>
<p class="p1">&nbsp;</p>
<p class="p1"><em>Image courtesy of <a href="http://www.shutterstock.com" target="_blank">Shutterstock</a>.&nbsp;</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/02/12/warning-top-10-valentines-day-scams-infographic</link>
                <guid>http://readwrite.com/2013/02/12/warning-top-10-valentines-day-scams-infographic</guid>
                <category>Security</category>
                <pubDate>Tue, 12 Feb 2013 11:17:00 -0800</pubDate>
                <author>Nick Statt</author>
            </item>
                    <item>
                <title><![CDATA[Who's Afraid Of The Big, Bad Hacker? Enterprises Should Be]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_103173644.jpg" />
                                        <p class="p1"><em>Guest author Marcus Austin is a technical writer at computer security training firm </em><a href="http://www.firebrandtraining.ae/"><em>Firebrand Training</em></a><em>.</em></p>
<p class="p1">Among the more popular products to debut at last month's <a href="http://readwrite.com/tag/CES+2013/" target="_blank">Consumer Electronics Show</a> (CES) in Las Vegas were cross-over machines, tablets and PCs designed for double-duty - to be used at home and in the office.</p>
<p class="p1">The shift towards BYOD (Bring Your Own Device) into the enterprise is unstoppable. Employees are happier - and more productive - when they're able to use their own computers. Unfortunately, computers that travel from location to location (often left in places where they can be stolen) can be an easy vehicle for hackers to get into corporate networks.</p>
<h2 class="p1">Only The Paranoid Survive</h2>
<p class="p1">Like many industry innovations, BYOD offers as much opportunity for wily cyber-thieves as it does for corporate efficiency.&nbsp;Unless enterprises ratchet up their level of vigilance, 2013 is poised to become the most destructive year on record. That will play out in four main areas:</p>
<p class="p1"><strong style="line-height: 1.538em;">1.&nbsp;Mobile.&nbsp;</strong>Experts warn 2013 will be a banner year for mobile malware. Smartphones and tablets running <a href="http://www.google.com" target="_blank">Google</a>'s&nbsp;<a href="http://www.android.com" target="_blank">Android</a> operating system will be hardest hit because of both its openness and the relative ease of adding apps. Historically, Windows machines presented the one target too big for hackers to ignore, and attacks on Windows PCs increased three-fold last year. But this year the action will expand to Windows 8 tablets. Out-of-the-box security features in&nbsp;<a href="http://windows.microsoft.com/en-US/windows-8/meet" target="_blank">Windows 8</a> make hacking harder. So many hackers are shifting their tactics to old-school methods like phishing and other techniques that rely on social-engineering of users instead of hacking the code itself.</p>
<p class="p1"><strong style="line-height: 1.538em;">2. Political. </strong>Most hackers are simply greedy. But an increasing number are motivated by politics. They want to bring down organizations or businesses they deem offensive. Some of these politically motivated attacks have aims that can be more subtle than just destroying data or interrupting service. <em><a href="http://www.nytimes" target="_blank">The New York Times</a></em> recently discovered that <a href="http://www.cnn.com/2013/01/31/tech/china-nyt-hacking/index.html" target="_blank">Chinese hackers had penetrated their computer systems</a> for four months, seeking information on an investigation into the wealth of a top Chinese leader and his family. The hackers eventually obtained the passwords of all <em>Times</em> employees, and used them to break into the PCs of 53 employees. A day later, <a href="http://www.wsj.com" target="_blank"><em>The Wall Street Journal</em></a>&nbsp;reported <a href="http://www.cnn.com/2013/01/31/tech/china-nyt-hacking/index.html" target="_blank">a similar attack.</a></p>
<p class="p1"><strong style="line-height: 1.538em;">3. New Gateways. </strong>HTML 5, the latest version of the&nbsp;<a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/#devices" target="_blank">HTML</a> standard, allows users to personalize their browsing experience, and lets businesses build browser-based applications. But reducing the layers of technology between the browser and internal systems removes obstacles for would-be hackers. As businesses make greater use of popular social networking sites like <a href="http://www.facebook.com" target="_blank">Facebook</a> and <a href="http://www.twitter.com" target="_blank">Twitter</a>, hackers can gain access to personal data that can be used for phishing or other "social engineering" attacks. And there's also the potential for corporate networks to be infected by malware from social networking sites.</p>
<p class="p1"><strong style="line-height: 1.538em;">4. Hacking-as-a-Service? </strong>Believe it or not, hackers are providing suites of sophisticated tools so that even casual criminals can mount credible cyber-attacks. The availability of user-friendly hacking tools has the potential to expand the hacking universe by an order of magnitude.</p>
<h2 class="p1"><strong style="line-height: 1.538em;">Forewarned Is Forearmed</strong></h2>
<p class="p1">Remedies are available. Greater password security, network access restriction, firewalls, and abundant redundancies are some of the steps that can help prevent attacks. These are fixes for gaps in the system's&nbsp;hardware and software created by the businesses themselves because they were poorly designed or were not thoroughly tested.</p>
<p class="p1">The&nbsp;best way to thwart a would-be criminal hacker is often to hire an "ethical hacker" to design new applications and test them as well as the system as whole. It turns out that the most effective way to counter a hacker’s attacks is to provide him or her with a worthy - and human - opponent.</p>
<p class="p2">&nbsp;<em>Image courtesy of <a href="http://www.shutterstock.com" target="_blank">Shutterstock</a>.</em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/02/05/whos-afraid-of-the-big-bad-hacker-enterprises-should-be</link>
                <guid>http://readwrite.com/2013/02/05/whos-afraid-of-the-big-bad-hacker-enterprises-should-be</guid>
                <category>Security</category>
                <pubDate>Tue, 05 Feb 2013 06:00:00 -0800</pubDate>
                <author>Marcus Austin</author>
            </item>
                    <item>
                <title><![CDATA[World War III Is Already Here - And We're Losing]]></title>
                <description><![CDATA[
                                        <img src="http://readwrite.com/files/styles/800_450sc/public/fields/shutterstock_3279082.jpg" />
                                        <p class="p1">Every day the Pentagon is attacked 3 million times. They’ve infiltrated our banks. They’ve ransacked our technology industry. They’ve breached the networks of the Chamber of Commerce. They’ve read our email by taking down one of America’s pre-eminent technology companies, Google. It’s already World War III, people. And all we do is smile at the enemy.</p>
<p class="p1">Last Wednesday, <em>The New York Times</em> <a href="http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html">announced</a> that its computers had been hacked. That passwords had been stolen. That its private networks had been traversed with impunity by a bunch of brazen hackers. We’re not talking Anonymous here nor a bunch of <a href="http://en.wikipedia.org/wiki/Certified_Ethical_Hacker">ethical hackers</a>. No, we’re at war with China.</p>
<p class="p1">To paraphrase an old newspaper joke, “what’s black and white and red all over?” The Chinese Red Army, that’s who.</p>
<p class="p1">How do we know that? As William Gibson might bark, “<a href="http://en.wikipedia.org/wiki/Pattern_Recognition_(novel">Pattern Recognition</a>!” Computer security experts consulting with <em>The New York Times</em> identified the malware “as a specific strain associated with computer attacks originating in China.”</p>
<p class="p1">There are other telltale signs. Like the fact the hackers broke into <em>The Times</em>’ computers starting on Sept. 13, as the newspaper was putting its final touches on a report that the relatives of China’s Prime Minister Wen Jiabao had accumulated a fortune worth several billion dollars through business dealings.</p>
<h2 class="p2">The Definition Of War</h2>
<p class="p1">In May 2011, the Pentagon promised it would announce <a href="http://www.nytimes.com/2011/06/01/us/politics/01cyber.html">a formal strategy to deter cyberattacks</a> by declaring foreign computer hacks an act of war. But despite mounting evidence that Chinese attacks continue relentlessly, there has been no further action. In view of all the recent happenings, that’s tantamount to raising the white flag.</p>
<p class="p1"><em>The New York Times</em> was not the only company hacked. That same day, <em>The Wall Street Journal</em> admitted it too had been <a href="http://www.cbsnews.com/8301-205_162-57567010/wall-street-journal-chinese-hacked-us-too/">infiltrated by Chinese hackers</a> who apparently were trying to monitor its China coverage. And Bloomberg computers were infected by Chinese hackers after the company published an article on June 29, 2012 about the wealth accumulated by relatives of Xi Jinping, China’s vice president at the time.</p>
<p class="p1">But media companies are not the only ones being breached. An Air Force Cyber Command Recruiting video on YouTube urgently proclaims, “This building will be <a href="http://www.youtube.com/watch?v=t849CYRd2Ak&amp;NR=1">attacked 3 million times today</a>,” while hovering over the Pentagon. Those are blatant acts of war, people, and the daily siege of the Pentagon is just part of today’s cyber-warfare landscape.</p>
<p class="p1">Cyberattacks are exploding. In Jan. 2010, <a href="http://www.pcworld.com/article/186783/google_hack_raises_serious_concerns_us_says.html">Google, Intel, Adobe and more than 30 other companies</a> were attacked in a coordinated terrorist campaign. Google said the attacks originated in China, which led the company to abandon the Chinese market. If Google leaves the world’s largest market, what does that say about the enemy?</p>
<p class="p1">In January 2011, <a href="http://www.bloomberg.com/news/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.html">Morgan Stanley admitted</a> it too had been hit by the same China-based hackers who attacked Google’s computers, an operation dubbed “Aurora” by cyber-security firm McAfee. Terremark Worldwide estimates that the number of companies known to be hacked in Operation Aurora <a href="http://www.bloomberg.com/news/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.html">now exceeds 200</a>.</p>
<p class="p1">While government organizations and companies spend vast amounts of money on security precautions, the situation is so dire that the Defense Department, whose Advanced Research Projects Agency (DARPA) developed the Internet in the 1960s, “<a href="http://www.businessweek.com/stories/2008-04-09/the-new-e-spionage-threat">is beginning to think it created a monster</a>,” reports <em>Bloomberg BusinessWeek</em>.</p>
<h2 class="p2">What Should We Do?</h2>
<p class="p1">Let me repeat that again, the inventors of the Internet you like and use so much think they’ve created a <em>monster</em>! So what should we do?</p>
<p class="p1">I believe we need a serious dose of innovation and reinvention to stem this monster tidal wave.</p>
<p class="p1">America today spends about <a href="http://www.washingtonpost.com/blogs/wonkblog/wp/2013/01/07/everything-chuck-hagel-needs-to-know-about-the-defense-budget-in-charts/">$718 billion</a> on defense and security. Most of that money is spent on resources and equipment designed for old-fashioned warfare.</p>
<p class="p1">The reality is that World War III is being fought in cyberspace and most real-life interaction will be handled by robots. And in both sectors our public and private capital spending priorities are completely misaligned.</p>
<p class="p1">The global cyber security market was valued at <a href="http://www.prweb.com/releases/cyber-security/market/prweb10114919.htm">$64 billion in 2011</a>, or less than 10% of what the U.S. spends on defense and security. Major U.S. players include CA Technologies, Cisco Systems, Fortinet, IBM, McAfee and Symantec. International security firms include Check Point Software (Israel) and Kaspersky (Russia).</p>
<p class="p1">Our venture capital scenario is not much better. In 2011, VCs collectively invested <a href="http://www.nytimes.com/2012/08/06/technology/computer-security-start-ups-catch-venture-capitalists-eyes.html">$935 million</a> in tech security companies, nearly double the $498 million they invested in 2010, according to a MoneyTree report compiled by PricewaterhouseCoopers, the National Venture Capital Association and Thomson Reuters.</p>
<p class="p1">Clearly, the U.S. cyber security market is woefully underfunded. As Delaware Senator Thomas Carper puts it, “The issue of Cyber Warfare is <a href="http://www.thenewnewinternet.com/2010/03/16/cybersecurity-technologies-a-government-priority/">not science fiction any more</a>. It’s reality.” Here’s what I believe we should do:</p>
<p class="p1"><strong>* U.S. Defense Budget –</strong> America should reshape its defense budget to reflect the reality that World War III is already here and it’s being fought in the cyber trenches. This means the Pentagon should officially declare Chinese cyber attacks as foreign warfare and treat the matter with the utmost urgency.</p>
<p class="p1"><strong>* Robotics -</strong> The worldwide robotics industry today is a <a href="http://www.nytimes.com/2013/01/24/technology/robot-makers-spread-global-gospel-of-automation.html?_r=1&amp;">$25 billion global industry</a>, with most R&amp;D activity taking place in South Korea and Japan. How can America allow its next-generation cyber-soldier technology to be based on foreign know-how? My recommendation: put the U.S. on a robotics fast-track with a combined government-private sector investment budget of $20 billion <em>annually</em>.</p>
<p class="p1"><strong>* Cyber Security –</strong> Like the robotics industry, cyber security is in dire need of more attention, but it’s not very sexy. VCs are falling all over themselves to fund the next Facebook or Snapchat, but what if those services could no longer function because the Chinese brought the Internet to its knees with relentless denial-of-service attacks? That $1 billion VCs invested in 2011 in cyber security is a drop in the bucket compared to the Pentagon’s $718 billion budget. We need to ratchet this up to $5 billion, preferably $10 billion, by next year.</p>
<p class="p1"><strong>* Internet 2 –</strong> As the pronouncements of DARPA suggest, the Internet was not designed for what it’s doing today. Please take some time to read this <a href="http://www.businessweek.com/stories/2008-04-09/the-new-e-spionage-threat">Bloomberg Businessweek story</a>, it’s downright scary. We need to insulate this country from the enemy, and that means designing an all-new Internet, one created from the ground up for secure operations, and preferably one that insulates the U.S. from the rest of the world.</p>
<p class="p1">I’m sure this last bit of advice will have free-thinkers around the world cringing. But when the Chinese decide that you’ve had enough freedom, it might be too late to come to your senses. I fully expect to be hacked by the Chinese this week.</p>
<p class="p1">I’ve added <a href="http://www.mandiant.com/">Mandiant</a> to my address book. I’d rather be safe than sorry. And please do contribute to my <a href="https://www.socialrevolution.spigit.com/Page/Home">crowdsourced ideation engine</a> to suggest more ideas on how we can protect ourselves in this brave new world.</p>
<p><em>Image courtesy of&nbsp;<a href="http://www.shutterstock.com/gallery-65752p1.html?cr=00&amp;pl=edit-00">Larry Ye</a> / <a href="http://www.shutterstock.com/?cr=00&amp;pl=edit-00">Shutterstock.</a></em></p>
                    ]]></description>
                <link>http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing</link>
                <guid>http://readwrite.com/2013/02/05/world-war-iii-is-already-here-and-were-losing</guid>
                <category>cybersecurity</category>
                <pubDate>Tue, 05 Feb 2013 05:00:00 -0800</pubDate>
                <author>Michael Tchong</author>
            </item>
            </channel>
</rss>

