Sunday, April 22, 2012

Cyber Intelligence Sharing and Protection Act (CISPA) H.R. 3532


The Cyber Intelligence Sharing and Protection Act (CISPA) H.R. 3532 is a new bill being introduced in Congress that is gunning to blast the ongoing cyber attacks that have occurred since internet users figured out the keyboard could be an effective weapon. If passed through Congress, the bill would allow the government access to personal correspondence of any person of their choosing. Once again, we are being fucked by those nosey neighbors in our government.

You should be very mad and very afraid because CISPA is far worse than SOPA and PIPA in its effects on the internet. The wording of this bill is mumbo jumbo, vague and broad. Reading through the nonsense, basically the act would allow Congress to circumvent existing exemptions to online privacy laws, and would allow the monitoring and censorship of any user of the internet. Peeping Toms will be wetting their pants. The real kicker (in our asses) is that it will also allow the government to stop online communications which they deem critical or disruptive to them. They can even decide they don’t like what you say about other private parties and shut you down.

The Center for Democracy and Technology states that CISPA would allow Internet Service Providers (ISPs) to “funnel private communications and related information back to the government without adequate privacy protections and controls. The bill does not specify which agencies ISPs could disclose customer data to, but the structure and incentives in the bill raise a very real possibility that the National Security Agency or the DOD’s Cybercommand would be the primary recipient.” Holy Bejeezers, where are Batman and Robin when you need them?

What will happen if we don’t stop CISPA?

CISPA effectively creates an exemption to all existing internet privacy laws. Pay attention here, because this means the government will have control over the entire internet, and would be able to censor anything they deem as a “threat” to national security. And what do those ding dongs deem a threat? Well, that is up for them to decide. With the power they would have, it would enable them to interpret anything as a potential “threat” if they really wanted to. Be afraid, very, very, very afraid.

This is just another trap to have our freedom stripped away even further. It is blaringly obvious that our very own government has slowly diminished the very freedoms we were promised at the inception of this “democracy.” It is painful that it may not appear obvious that each new bill that is introduced and passed in Congress contains many clauses that most Americans aren’t even aware of. This is why it is imperative we examine each new bill and law very closely. It is a shameful fact we have to protect ourselves from the very institution we pay to work in our best interest.

It blows my mind that social networks like Facebook support CISPA. Who is paying who off? Here is what Joel Kaplan, FB Vice President said was the reason they support the bill.

“One challenge we and other companies have had is in our ability to share information with each other about cyber attacks. When one company detects an attack, sharing information about that attack promptly with other companies can help protect those other companies and their users from being victimized by the same attack,” Kaplan wrote in a blog post on Friday. “Similarly, if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems.”

Umm, what am I missing here? You need an anti-privacy law to get off your duff and let others know if you are being attacked? It is all too crazy-making, and once again we have to mobilize and put the pressure needed on our government to dump this dumb bill.

POSTED BY THN REPORTER ON 4/22/2012 10:09:00 AM
By: Patti Galle, Executive Editor

Tuesday, April 10, 2012

Richard Clarke Says Stuxnet was a U.S. Operation

By Jack Goldsmith - Thursday, March 29, 2012 at 4:36 AM

The former counterterrorism czar reaches this conclusion because the operation had lawyers’ fingerprints on it.  From an interview with Ron Rosenbaum in Smithsonian Magazine:

“I think it’s pretty clear that the United States government did the Stuxnet attack,” [Clarke] said calmly.

This is a fairly astonishing statement from someone in his position.

“Alone or with Israel?” I asked.

“I think there was some minor Israeli role in it.  Israel might have provided a test bed, for example.  But I think that the U.S. government did the attack and I think that the attack proved what I was saying in the book [which came out before the attack was known], which is that you can cause real devices—real hardware in the world, in real space, not cyberspace—to blow up.”

Isn’t Clarke coming right out and saying we committed an act of undeclared war?

“If we went in with a drone and knocked out a thousand centrifuges, that’s an act of war,” I said. “But if we go in with Stuxnet and knock out a thousand centrifuges, what’s that?”

“Well,” Clarke replied evenly, “it’s a covert action. And the U.S. government has, ever since the end of World War II, before then, engaged in covert action. If the United States government did Stuxnet, it was under a covert action, I think, issued by the president under his powers under the Intelligence Act. Now when is an act of war an act of war and when is it a covert action?

“That’s a legal issue. In U.S. law, it’s a covert action when the president says it’s a covert action. I think if you’re on the receiving end of the covert action, it’s an act of war.”

When I e-mailed the White House for comment, I received this reply: “You are probably aware that we don’t comment on classified intelligence matters.” Not a denial. But certainly not a confirmation. So what does Clarke base his conclusion on?

One reason to believe the Stuxnet attack was made in the USA, Clarke says, “was that it very much had the feel to it of having been written by or governed by a team of Washington lawyers.”

“What makes you say that?” I asked.

“Well, first of all, I’ve sat through a lot of meetings with Washington [government/Pentagon/CIA/NSA-type] lawyers going over covert action proposals. And I know what lawyers do.

“The lawyers want to make sure that they very much limit the effects of the action. So that there’s no collateral damage.” He is referring to legal concerns about the Law of Armed Conflict, an international code designed to minimize civilian casualties that U.S. government lawyers seek to follow in most cases.

Clarke illustrates by walking me through the way Stuxnet took down the Iranian centrifuges.

“What does this incredible Stuxnet thing do? As soon as it gets into the network and wakes up, it verifies it’s in the right network by saying, ‘Am I in a network that’s running a SCADA [Supervisory Control and Data Acquisition] software control system?’ ‘Yes.’ Second question: ‘Is it running Siemens [the German manufacturer of the Iranian plant controls]?’ ‘Yes.’ Third question: ‘Is it running Siemens 7 [a genre of software control package]?’ ‘Yes.’ Fourth question: ‘Is this software contacting an electrical motor made by one of two companies?’” He pauses.

“Well, if the answer to that was ‘yes,’ there was only one place it could be. Natanz.”

“There are reports that it’s gotten loose, though,” I said, reports of Stuxnet worms showing up all over the cyberworld. To which Clarke has a fascinating answer:

“It got loose because there was a mistake,” he says. “It’s clear to me that lawyers went over it and gave it what’s called, in the IT business, a TTL.”

“What’s that?”

“If you saw Blade Runner [in which artificial intelligence androids were given a limited life span—a “time to die”], it’s a ‘Time to Live.’” Do the job, commit suicide and disappear. No more damage, collateral or otherwise.

“So there was a TTL built into Stuxnet,” he says [to avoid violating international law against collateral damage, say to the Iranian electrical grid]. “And somehow it didn’t work.”

About the Author
Jack Goldsmith is the Henry L. Shattuck Professor at Harvard Law School, where he teaches and writes about national security law, presidential power, cybersecurity, international law, internet law, foreign relations law, and conflict of laws. Before coming to Harvard, Professor Goldsmith served as Assistant Attorney General, Office of Legal Counsel from 2003–2004, and Special Counsel to the Department of Defense from 2002–2003.

Friday, April 6, 2012

Cyber Intelligence Sharing and Protection Act (CISPA)

If you download and distribute copyrighted material on the Internet, or share any information that governments or corporations find inconvenient, you could soon be labeled a threat to national security in the United States. That’s the aim of a bill in Congress called the Cyber Intelligence Sharing and Protection Act (CISPA).

The good news is that SOPA and PIPA haven’t come to pass, but the bad news is that they could be followed by a bill that is even more invasive and could violate even more of your civil liberties. According to a press release issued last week, the bill already has over 100 congressional co-sponsors. Yet the bill is only now beginning to appear on the public radar.

CISPA would let companies spy on users and share private information with the federal government and other companies with near-total immunity from civil and criminal liability. It effectively creates a ‘cybersecurity’ exemption to all existing laws.

CISPA, however, is nothing like SOPA, despite its recent association in the media. While SOPA included provisions that would have essentially broken the Internet by allowing the U.S. to delete domains from a central registry system, CISPA does nothing of the sort, and aims more at “cyber threat intelligence” gathering than censorship and piracy prevention.

The bill presents itself as a simple enhancement of America’s cyber-security that would amend the National Security Act to include “cyber threat intelligence” gathering. To those ends, it would tear down the firewall between private corporate networks and the National Security Agency, enabling corporations to share data with the world’s most sophisticated spy apparatus.

While the bill is openly supported by companies like AT&T, Lockheed Martin, Microsoft, Facebook, Boeing and Intel, ACLU legislative counsel Michelle Richardson cautioned last month that it is not something to be taken up lightly.

Friday, September 9, 2011

Cybercrime claimed 431 million adult victims last year and cost $114 billion

Cybercrime claimed 431 million adult victims last year and cost $114 billion, according to a report published Wednesday.

The Norton Cybercrime Report 2011 said over 74 million people in the United States were cybercrime victims last year, suffering $32 billion in direct financial losses.

Cybercrime cost China around $25 billion, Brazil $15 billion and India $4 billion in the past 12 months, said the report from computer security firm Symantec, maker of the Norton anti-virus software.

According to the report, more than two-thirds of online adults -- 69 percent -- have been victims of cybercrime at some point in their lives, resulting in more than one million cybercrime victims a day.

Cybercrime rates were even higher in China and South Africa. Eighty-five percent of Chinese respondents to the Norton survey and 84 percent of South Africans said they have been victims of cybercrime.

The report found a growing threat from cybercrime on mobile phones.

Ten percent of adults online have experienced cybercrime on their mobile phones and the number of reported new mobile operating system vulnerabilities increased from 115 in 2009 to 163 in 2010.

"There is a serious disconnect in how people view the threat of cybercrime," said Adam Palmer, Norton lead cybersecurity advisor. "Cybercrime is much more prevalent than people realize.

"Over the past 12 months, three times as many adults surveyed have suffered from online crime versus offline crime, yet less than a third of respondents think they are more likely to become a victim of cybercrime than physical world crime in the next year," Palmer said.

For the survey, interviews were conducted with nearly 20,000 people in 24 countries, Symantec said.

Wednesday, July 6, 2011

Spear Phishing

By now most everyone has heard the term “phishing”.

Wikipedia defines phishing as an attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.

IDP recently carried out an authorized phishing attack for one of its customers and found that over 50% of the staff gave up their email passwords in response to an email that, if examined closely, was obviously bogus.

So what is spear phishing?

The difference between phishing and spear phishing is while the former floods thousands or even millions of inboxes, the latter targets a small group of previously-identified people, sometimes only a handful who work at the same company or in the same organization.

With the increased popularity of social networking sites (Facebook, Twitter, etc.), the bad guys are now able to select specific individuals (and businesses) and direct their malicious activity in a very granular fashion, just as you’d spear a fish.

"Today's spear phishing is not only more prevalent but also much more technically proficient," says Dave Jevans, chairman of the Anti-Phishing Working Group (APWG), an industry association dedicated to fighting online identity theft.

"They're not going for a password, anymore, they're getting people to install crimeware on their computers," said Jevans.

Like the more common phishing, spear phishing attacks are launched as emails that try to con the recipient into clicking a link that leads to a malicious Web site. Those sites can take almost infinite forms, from fake account log-in screens to ones that tout an upgrade to widely used software, such as Adobe Flash.

Once the malicious link is clicked, the attacker is able to install a program that infects the computer, giving criminals access to that machine -- and through it, others -- or to confidential information, like account passwords obtained by secretly monitoring the PC's keystrokes.
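The tell-tale signs described above (a sender domain dressed up to look like the victim's own, link text that names a trusted site while the href goes somewhere else, and a link that drops straight onto an executable "upgrade") can be checked mechanically on inbound mail. The following is an added example, not code from the original post or from IDP; the sample message, the trusted-domain list and the last-two-labels approximation of a registrable domain are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (assumption): the sender host embeds the victim's
# real domain as a subdomain, and the anchor text names adobe.com while the
# href goes to an executable on a different host.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-corp.com.evil-example.net>
To: alice@example-corp.com
Subject: Action required: update your Adobe Flash player
Content-Type: text/html

<html><body>
<a href="http://update.evil-example.net/flash.exe">https://get.adobe.com/flashplayer</a>
</body></html>
"""

TRUSTED_DOMAINS = {"example-corp.com"}   # constructed: the organisation's own domain
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
EXEC_SUFFIXES = (".exe", ".scr", ".js", ".vbs")

def registrable(host):
    """Approximate the registrable domain as the last two labels (assumption;
    a production filter would consult the public suffix list instead)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(raw_message):
    """Return a list of indicator strings found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    # 1. Sender host that contains a trusted name but is not that domain.
    _display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    if sender_host and registrable(sender_host) not in TRUSTED_DOMAINS:
        if any(trusted in sender_host for trusted in TRUSTED_DOMAINS):
            findings.append(f"lookalike sender domain: {sender_host}")
    # 2. Anchor text naming one site while the href leads to another,
    #    and links that point straight at an executable.
    for href, text in HREF_RE.findall(msg.get_payload()):
        parsed = urlparse(href)
        text = text.strip()
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in text_host and registrable(text_host) != registrable(parsed.hostname or ""):
            findings.append(f"link text names {text_host} but href goes to {parsed.hostname}")
        if parsed.path.lower().endswith(EXEC_SUFFIXES):
            findings.append(f"link points directly at an executable: {href}")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL)` yields three indicators for the constructed message and none for a message whose sender and links both stay on the organisation's own domain.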

According to reports by the likes of Bloomberg, the recent IMF spear-phishing attack targeted one of its workers and planted malware on a machine, which was then presumably used to scout the network for data to steal.

But the IMF incident is only the most recent in a series of specialized attacks this year aimed at targets from the Oak Ridge National Laboratory and the French foreign ministry to Google's Gmail.

All have one thing in common: They relied on spear phishing to fool users into installing malware or revealing account information.

So what can individuals do?

Well, very simply, maintain awareness, think before you click, keep your antivirus and antimalware software up to date and remember that anyone can be an unwitting target.

What about businesses?

Educating staff is first and foremost. Make sure there are policies, processes and procedures in place that everyone follows – but more importantly, that they understand.

From a technical perspective, ensure that your perimeter defenses (stateful firewalls, IDS / IPS, VPNs, blacklists, access control, etc.) are current, properly configured, monitored and regularly tested.

In summary, maintaining a defensive posture is not rocket science. Common sense, diligence and thoughtfulness are 90% of the game.