Senate Bill 2105: Cybersecurity Act of 2012


On Valentine’s Day, four Senators introduced Senate Bill 2105, which is also known as the Cybersecurity Act of 2012.  If you would like to read the bill as it was introduced, it is available in full as presented.   If passed, this law would authorize the Federal government to regulate the security of privately owned critical infrastructure, much of which is controlled by Internet-connected systems and susceptible to being hacked.  This includes electrical power grids, telecommunications networks, air traffic control systems, dams, and nuclear power plants.  Said differently, this would allow the Federal government to have security standards, to assess a company’s compliance, and to levy fines if the security is not sufficiently high.

Last week, the Wall Street Journal reported that a group of Senators have weakened the bipartisan legislation.   They responded to business lobbyists who claimed that such “regulations would create a costly and cumbersome process.”  Rather than requiring the companies to meet these regulations, they should be encouraged to do so.  According to Senator John McCain, “Instead, we must leverage the ingenuity and innovation of the private sector in partnership with the most effective elements of the federal government to address this emerging threat.”

I am perplexed as to why Senator McCain, who has a strong record on National Security, would take this stand … unless he does not really understand the real and present threat of such an attack.  Consider the number of companies in the last few months that have reported a security breach.  Sometimes the breach provides thieves with passwords, which can be problematic enough, but sometimes instead it is social security numbers, bank accounts and more personal information.  The people whose identities are stolen have a never-ending hassle to fix the problem.  Many companies do not take security as seriously as they should.  Even when security is a priority, the companies have a significant task keeping a step ahead of the hackers.

Now, take that up to a regional or national level.  Suppose the U.S. had no access to electricity or telecommunications equipment.  Suppose this is not for a couple of hours as you might get in a thunderstorm, but rather for an extended period of time.   What would that do to the company’s productivity?  What if it happened during peak holiday shopping and no one could buy gifts or food?  What if it happened on election day and half the people were not able to vote?  What if …. there are many horrible examples.

We have already proven this can happen.  Well, it is unclear whether “we” proved it or someone else proved it by the introduction of the Stuxnet virus into Iran’s nuclear reactor.  Not only did it stop operations, but it did it in a way to damage the plant and roll back their development.  Other similar viruses, aimed at the “Internet of Things” (such as a power plant) have also been identified.

People release viruses all the time — sometimes without even knowing the impact of what they have done.   Why do we believe it won’t happen here?  Personally I think it is because people just do not understand technology and what security breaches can do.   They understand bombs or people shooting guns and know how to respond.  But electrons?  It is easy to listen to those claiming to be experts and follow their advice.

I hope we get the legislation.  I hope that it is flexible enough to be able to adapt to the rapid changes in technology.  I hope we can find a way to protect ourselves before it is too late.  If you agree, please share your concern with your Senators and Representatives.


A postnote:  Even weakened, the bill failed.  Too many people thought telling infrastructure companies that they need to be secure was a problem.  Sigh.

Malware — DNS Change


You may have heard the reports that something called DNSChanger is expected to hit on July 9, but not have known what it was or what to do.

First, what is a “DNS” and why do you care if it gets changed?  DNS stands for Domain Name System, and it is the directory system that allows computers to locate one another.  Your computer has no understanding of a web address such as  So, after you type that into your web browser, the computer goes to the DNS and asks for the URL to be translated into something it understands.  That something is called an IP address.  Like your home address, an IP address is made up of multiple parts.  Your home address has a street number, a street, a city, state, country (perhaps) and some code, such as a zipcode.  Similarly, the IP address has a series of components that identify a specific computer uniquely.  These addresses are of the form, where the first number indicates your domain and the last number identifies a specific computer in the domain;  the intermediary numbers are further demarcations of the location.

Without a DNS server, we would all need to type in the specific IP address.  Clearly that is not practical. So, if the malware has infected your computer, then on Monday you will no longer be able to type in a URL and have your computer understand how to direct the browser.

How did that malware get put on people’s machines?  Like most malware, it infected people’s machines when they clicked on some advertising link that downloaded software to computers without the user knowing about it.  Since the software was not causing any problems, people do not know that it is on their machine — until July 9.  (Of course, with regular malware checks, this would probably have been detected.)

To avoid a problem, check your system now.  Some services, such as Comcast, have notified the users whose machines seem to be infected.  Similarly, Google and Facebook may be posting a warning if they detect your computer is infected.  To check, go to and follow the directions for checking and repairing your machine if necessary.  Do it today so you don’t have a problem on Monday!
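The check described above comes down to comparing the DNS servers a machine is configured to use against the address ranges the malware points it to. The Python sketch below is an added example, not part of the original post; it assumes resolv.conf-style input, and the ranges are placeholder documentation addresses because the post lists no real ones.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space), NOT real
# DNSChanger indicators; substitute the ranges from an authoritative advisory.
ROGUE_RANGES = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample input, not taken from a real host.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.0.2.53      # inside a placeholder rogue range
nameserver 198.51.100.200  # outside 198.51.100.0/25
nameserver 2001:db8::1
nameserver not-an-ip
"""


def parse_nameservers(resolv_conf_text):
    """Return resolver IPs from resolv.conf-style text, skipping comments."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # malformed address: skip it rather than crash
    return servers


def find_rogue_resolvers(servers, rogue_ranges=ROGUE_RANGES):
    """Return (resolver, range) pairs for resolvers inside a listed range."""
    hits = []
    for ip in servers:
        for net in rogue_ranges:
            # Compare only like with like (IPv4 vs IPv4, IPv6 vs IPv6).
            if ip.version == net.version and ip in net:
                hits.append((ip, net))
                break
    return hits


def check(text):
    """Return the flagged resolver addresses as strings."""
    return [str(ip) for ip, _ in find_rogue_resolvers(parse_nameservers(text))]


if __name__ == "__main__":
    for ip in check(SAMPLE_RESOLV_CONF):
        print(f"WARNING: resolver {ip} is in a listed rogue range")
```

On a Linux machine the input would be the contents of `/etc/resolv.conf`; on other systems the same comparison applies to whatever resolver list the operating system reports.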

Flashback Trojan


I’m sorry I have been gone for a while, but I got caught up in conferences and final projects/exams, and I lost control of my schedule.

Something important happened while I was gone, though: the Flashback Trojan!  We have discussed trojans before.   They are similar to viruses in that they disrupt the operation of a computer or make your computer vulnerable to data theft or keystroke logging, or other things.  They are different from viruses in that they cannot infect another computer.   What makes this particular trojan interesting is not its structure or action, but rather that it was directed to a Macintosh.  My friends and colleagues who use Macintosh computers have smugly reminded me for years that they do not run virus protection software on their computers because they do not need it;  Macs don’t get malware.   Yet on April 5, it was reported that over 600,000 Macs were infected with this trojan.  This malware was initially found in September 2011 masquerading as a fake Adobe Flash Player plug-in installer, but it has also exploited Java vulnerabilities to infect Macs.

Do you wonder if you have it?  Check the security company F-Secure, which has published instructions on how to determine whether a Mac is infected with Flashback.  If your computer is infected with the trojan, you can learn how to remove it from CNet.

This is not the first malware product lately to infect the Mac, but it was the most widespread. The question you may be asking right now is WHY????  As I said, most Mac users do not bother with malware protection because to this date they have not needed it.  Yes, it is true that the Mac operating system has fewer holes in it to exploit when compared with Windows.  Yet, I believe there is more to the story.  Historically there have been many more Windows machines than Macs, and they tended to be more pervasive in industry.  If your goal was to cause significant disruption or to steal data and identities, you would get a bigger bang associated with Windows machines than Macs.   I believe that is exactly what malware writers have been doing.  However, the Mac isn’t just for schools and artists anymore; it is being used in more businesses and by more people.   It stands to reason that more malware will be written for these machines, especially since there are fewer people protecting the Macs and few companies that are actively involved in research into the attacks.

So, what does it mean for you?   I would recommend that you purchase anti-virus software and use it.  That is, you not only need to install the software, but you must update the virus patterns weekly (if not more often).  Second, you need to be careful what attachments you open.  If you are suspicious, do not open it.  That holds for updates too.  Research what is being updated and whether that popup is legitimate.  Be careful — even with solid doors with locks, you must be vigilant to ensure the burglar does not steal your possessions.  The same is true with the protection of your computer.