Deloitte CyberCrime Report

CIO magazine has posted the latest Deloitte paper “Cyber crime: a clear and present danger”.

They look at the latest trends and recommend three security practices:

  1. Recognize that the threat from cyber crime to data is real
  2. Use a risk-based approach to get the most benefit/return from security spending
  3. Use centralized management to get a high-level view

Clearly this is not rocket science. Could there ever be a survey that does not produce these three recommendations? What has changed with “cyber crime” versus any other attack name/vector/title? They are sound practices, but do not seem linked to any specific trend or development that is distinct from past threats. In fact, they also conclude with “We do not suggest that cyber security professionals consider a change in focus and additional duties lightly.” Sound advice, and I really do not see much change here.

I will be presenting next Tuesday at the RSA conference on the Top Ten Breaches. I will give a high-level view, analysis of trends and then specific steps to mitigate the current threats. The objective is to give information that is not just general advice but actionable and targeted.

Hope to see you there.

GPS Spoofing

The old attack vector was just to block GPS signals, but the BBC News says Sat-nav systems are under increasing threat from more sophisticated attacks.

“You can now buy a low-cost simulator and link it to Google Earth, put on a route and it will simulate that route to the timing that you specify,” said Professor Last.

“A GPS receiver overcome by it will behave as if you’re travelling along that route.”

We have relied for too long on open communication. This is yet another case for authentication between devices.

Of course I must say that even with 100% assurance my GPS device is connected to an authentic signal I would still be concerned about bogus directions. Just the other day Google maps tried to send me to a city center when I asked for an airport, and my GPS suggested I turn left in the middle of a bridge. Aside from all that, however, authentication definitely needs to be factored into the future of navigation systems.

School Surveillance Brings Suit

ComputerWorld reports that a Federal judge orders Pa. schools to stop laptop spying:

Last week, Michael and Holly Robbins of Penn Valley, Pa., on behalf of their son Blake, sued Lower Merion, accusing it of spying on students and students’ families using the iSight webcams in the MacBook laptops issued to each high school student in the district.

According to the original complaint, Blake Robbins was accused by a Harriton High School assistant principal of “improper behavior in his home” and shown a photograph taken by his laptop as evidence. In an appearance on network television last Saturday, Robbins said he was accused by the assistant principal of selling drugs and taking pills, but he claimed the pictures taken by his computer’s camera showed him eating candy.

I am genuinely surprised an American school official would think there is any justification in this kind of home spying. Are they familiar with the Constitution? This seems to be an example of a government official using technology to enter a child’s bedroom without invitation/warrant, as mentioned by the ACLU legal director in the article. Then again there might be a clue to this mentality in the story regarding Apple’s purge of “objectionable” applications from their store.

“I’m now worried the eco-system is run by puritans and is not fair to all players,” developer Jon Atherton said on its website.

Issues have come up before with regard to webcams, usually related to office environments and instant messenger software. The simple and obvious solution in those situations from a product perspective was for a manufacturer to include a manual shutter, similar to a lens cap. A user can slide the cover down to ensure a webcam view is disabled. The after-market alternative is a piece of paper taped over the lens, or something fancier, but you get the idea. The more complicated answer is to educate the educators on constitutional rights and freedom from unlawful surveillance that are still in effect no matter what the technology.

Cyber ShockWave Day

Today a simulated cyber attack response exercise is being held in Washington D.C. The Bipartisan Policy Center is hosting:

The participants, whose mission is to advise the president and mount a response to the attack, will not know the scenario in advance. They will react to the threat in real time, as intelligence and news reports drive the simulation, shedding light on how the difficult split-second decisions must be made to respond to an unfolding and often unseen threat.

The Bipartisan Policy Center press release is peppered with traditional terms like “unprecedented” and “real-world”, “often unseen threat” and “real dangers”. There is no mention of the Chinese or international collaboration but that has to be one of the main issues on everyone’s mind. I wonder, for example, if anyone bothered to invite international participants. Why? James Fallows in the Atlantic Monthly did a nice job explaining how national security models are facing a transition from typical “bipartisan” efforts to one that is open and collaborative:

While trying to build bridges to the military, McConnell and others recommend that the U.S. work with China on international efforts to secure data networks, comparable to the Chinese role in dealing with the world financial crisis. “You could have the model of the International Civil Aviation Organization,” James Lewis said, “a body that can reduce risks for everyone by imposing common standards. It’s moving from the Wild West to the rule of law.” Why would the Chinese government want to join such an effort? McConnell’s answer was that an ever-richer China will soon have as clear a stake in secure data networks as it did in safe air travel.

An alternative to this kind of closer cooperation could be to improve the quality of education dramatically in the US including teaching computer skills and Mandarin to a high percentage of graduates, as well as the language of every other threat. The British have tried this latter model, which I am told is why the School of Oriental and African Studies (SOAS) came to exist. Perhaps compared to solving the problem of quality education, cooperation on information security seems far simpler.

Fallows warns in his article that America might have a tough time with the concept of “cooperation” given the cultural view of how to deal with “tough-guy, real-world problems”. However, the interconnected nature of Internet risk makes it almost impossible to use a bi-lateral attack/defense paradigm. This has been known since at least the first “Smurf” attacks. Multi-lateral and shared approaches have become the norm in hi-tech response centers but it will take time for established leaders in government to warm up to the idea of greater openness as a strategic advantage in national security.