Next Step: NASA Office of Inspector General

November 19th, 2009


Though posting has been spotty as I approach the end of my first semester at JHUISI, I’m excited to say that I’ve been offered a position as an intern with the NASA Office of Inspector General, Office of Investigations, Computer Crimes Division (affectionately known as NASA OIG CCD; the OI is silent). The Office of Investigations:

…investigates allegations of crime, cyber-crime, fraud, abuse or misconduct having an impact on NASA programs, operations, and resources. OI refers its findings to either the Department of Justice for prosecution or to NASA management for action. Through its investigations, OI identifies crime indicators and recommends effective measures for NASA management that are designed to reduce NASA’s vulnerability to criminal activity.

…and the Computer Crimes Division:

… is responsible for conducting criminal investigations in which NASA is a victim and connected primarily to computers and information technology.

Needless to say, I’m humbled and excited to be a part of such an awesome (and, among the general public, little-known) federal law enforcement agency. NASA OIG does some great work in computer forensics and intrusion analysis, in particular. It’s going to be a great learning experience, and I hope that I have something to contribute as well. One more step on the path of a career civil servant.

And this would never be possible if it wasn’t for the Federal Cyber Service – Scholarship for Service. I highly recommend it to US citizens interested in education in the information security field, and government work thereafter.

- David Oxley

SANS GIAC Security Essentials (GSEC)!

November 3rd, 2009

I’m happy to say that I passed the SANS GIAC Security Essentials (GSEC) exam today with a score just shy of 94%. Not only was the training course I attended in Baltimore a big help, but a lot of what I’ve learned in my Security Informatics Masters program at Johns Hopkins came in handy as well.

Thinking about potentially going for a Gold certification, in the eventual pursuit of a GIAC Security Expert (GSE) certification. We’ll see!

- David Oxley


Lay off the FUD

October 29th, 2009


I love reading Byron Acohido’s excellent blog, “The Last Watchdog.” However, some of his recent titles are really getting to me:

“Unstoppable new phishing attacks blanket Facebook, Twitter, Hotmail”

…as in, spammers and phishers are targeting social media sites. Surprise, surprise.

“Windows 7’s security ‘time bomb’”

…that is, why its default UAC settings could be the target of a very complex, difficult attack.

And so on. I already had a bit of a rant against his previous article in USA Today, “Cyberthieves find workplace networks are easy pickings,” entitled “Are We Really So Vulnerable?”, here.

I understand the need for catchy titles to get readership. Heck, I try to do the same! However, there’s a fine line between educating the public and scaring them with fear, uncertainty, and doubt, especially when the situation is nowhere near as dire as it’s been advertised. There is no Windows 7 “time bomb” — there’s a questionable choice in default security stances. These phishing attacks are no more “unstoppable” than they’ve been when spammers have focused on them in the past.

I feel especially strongly about this with regard to cyber security. Most people are either totally unaware of current happenings in cybercrime, or they have a very simplified understanding of the situation. Scaring them with such titles just drives them deeper into the clutches of security vendors who promise a panacea with signature-based scanning (heh). Sure, if they read the article, they may see things differently. But titles have a big impact on those who know nothing more about the subject.

Do you think I’m being too harsh? Thoughts?

- David Oxley

My New Favorite Information Security Quote

October 29th, 2009

As mentioned by Dr. Avi Rubin in his “Security and Privacy” course, originally by Dr. Eugene Spafford at Purdue:

“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.”

Don’t believe it? Look up the latest consumer information breaches on news sites, then tell me the ratio of database compromises to successful attacks on communication encryption. You know, SQL injection vs. breaking AES, 3DES, etc.

Yeah, that’s what I thought.

- David Oxley

Did RIPE NCC and Russian Police Aid the Russian Business Network?

October 23rd, 2009

(In Russia, luxury cars and cybercrime seem to go hand-in-hand)

Did RIPE NCC and Russian police aid the Russian Business Network? In short, yes and no.

But first, the back story. If you weren’t already aware, the Russian Business Network was (and is – more on that later) a massive criminal enterprise operating out of St. Petersburg, Russia. They have been implicated in activities ranging from malware distribution to money laundering all the way to child pornography. In the past, they’ve been associated with installs of the infamous MPack exploit kit, C&C operations of the Storm Worm botnet, and, more recently, the ubiquitous ZeuS crimeware package. These are the kind of folks that give “organized cyber crime” its name.

As you can probably guess, there have been some substantial efforts undertaken to have these guys brought down. The Russian Business Network (Exploit) Blog has kept up the pressure on the RBN throughout its lengthy history, as have Spamhaus, Brian Krebs with SecurityFix, and many other researchers and vendors. Likewise, law enforcement officials in both the US and Russia have been working to track down the group’s members, known for driving around St. Petersburg in a bulletproof, black Audi R8.

Or have they?

Comments made by members of the FBI and SOCA (UK’s Serious Organised Crime Agency) at this week’s RSA Europe Conference (FBI Supervisory Special Agent Keith Mularski and Andy Auld of the SOCA, to be more exact) have had a mixed reception among news agencies and the blogosphere. Some have portrayed them as pointing fingers at Internet registrar RIPE NCC and the Russian police as being complicit to the crimes of the RBN. Others have put a more positive spin on things, detailing the plans made for greater cooperation between US and UK authorities.

So what’s the real situation?
