Posts belonging to Category 'Cyber Security'

Disgruntled hacker remotely disables 100 vehicles

Omar Ramos-Lopez, a wanted 20-year-old ex-employee of the Texas Auto Center car dealership in Austin, remotely disabled 100 cars from the dealership after he was laid off from his job. The Texas Auto Center equipped cars with a black box under the dashboard which allows a central computer to shut down the vehicle’s ignition and/or sound the horn. The service is provided by WebTech Plus and gives the dealership the option of shutting down a car remotely instead of sending out the repo men in case of non-payment. Mr. Ramos-Lopez exploited the central computer system and affected 100 vehicles. 100 Texas Auto Center customers are probably asking the dealership a number of interesting questions today.

That’s the first we’ve heard of dealers equipping their cars with these gadgets, and the first we’ve heard of a hacker exploiting the gadget.  The difference between an exploit scenario and a real exploit is only a mouse click away.

Via Danger Room. http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/

Outlook for the Dot-Connecting Business

The skills needed to deal with abstract data points and formulate pictures are not only badly needed now, but the need is also growing with each passing month. While the economy trudges along in the doldrums, digital data growth is exploding and someone has to make sense of it.

According to the popular news, failure to connect the dots is the leading cause of nearly all intelligence failures.  The pundits point to the existence of a picture or plot outlined with a bunch of dots.  The only thing missing is to draw lines between the dots and presto, the picture becomes crystal clear.

Things aren’t so simple.  What if you’re given more dots?  Seems like your picture would become more focused with more dots on it.  But what if all those extra dots didn’t belong to that picture and instead were part of other pictures?  What if a bunch of those dots didn’t belong to any pictures at all but were just there to clutter the picture?  How do you separate them, categorize them and begin to assemble pictures?  Now that sounds more like reality.

In 2004, just five years ago, there were 285 million web servers reported online in the world. In 2009, that figure tripled to 681 million. [i] And these are just web servers and don’t include all the private servers that have been implemented since then.

On the wireless side, the International Telecommunications Union (ITU) forecasts mobile cellular subscriptions will surpass 5 Billion in 2010.  [ii]

The forecasted amount of data from these devices can be found in the Cisco® Visual Networking Index (VNI) Global Mobile Data Forecast for 2009-2014.[iii]

The research projects that annual global mobile data traffic will reach 3.6 exabytes per month or an annual run rate of 40 exabytes by 2014.  Such a figure equates to a 39-fold increase from 2009 to 2014, or a compound annual growth rate (CAGR) of 108 percent.

Two major global trends are driving this increase: the proliferation of mobile-ready devices and widespread mobile video content consumption. By 2014, there could be over 5 billion personal devices connecting to mobile networks, and billions more machine-to-machine nodes. Mobile video is projected by the study to represent 66 percent of all mobile data traffic by 2014, increasing 66-fold from 2009 to 2014, the highest growth rate of any mobile data application tracked in the Cisco VNI Global Mobile Data Forecast.

What exactly does 3.6 exabytes per month mean? How much is that?

According to the table below, 5 exabytes equals all the words ever spoken by human beings, and I assume that means all languages. [iv] That’s a lot of dots.

Information object                                       How many bytes
A binary decision                                        1 bit
A single text character                                  1 byte
A typical text word                                      10 bytes
A typewritten page                                       2 kilobytes (KB)
A low-resolution photograph                              100 kilobytes
A short novel                                            1 megabyte (MB)
The contents of a 3.5 inch floppy disk                   1.44 megabytes
A high-resolution photograph                             2 megabytes
The complete works of Shakespeare                        5 megabytes
A minute of high-fidelity sound                          10 megabytes
One meter (or close to a yard) of shelved books          100 megabytes
The contents of a CD-ROM                                 500 megabytes
A pickup truck filled with books                         1 gigabyte (GB)
The contents of a DVD                                    17 gigabytes
A collection of the works of Beethoven                   20 gigabytes
A library floor of academic journals                     100 gigabytes
50,000 trees made into paper and printed                 1 terabyte (TB)
An academic research library                             2 terabytes
The print collections of the U.S. Library of Congress    10 terabytes
The National Climatic Data Center database               400 terabytes
Three years of EOS data (2001)                           1 petabyte (PB)
All U.S. academic research libraries                     2 petabytes
All hard disk capacity developed in 1995                 20 petabytes
All printed material in the world                        200 petabytes
Total volume of information generated in 1999            2 exabytes (EB)
All words ever spoken by human beings                    5 exabytes

And remember these data numbers are only related to mobile cellular data.  Add in terrestrial network data and mix in some Mandarin, Spanish, English, Portuguese, French, Arabic, and German dots and your pictures start to get cloudy very fast.

So what’s hot in the career forecast for dot-connecting?

Intelligence analysts and investigators.  The ability to make sense and find meaning and context in large amounts of noise.

Translation services.   More data in multiple languages means someone has to decipher the meaning.

Cyber Security.  In 2009, the malware signature counter surpassed 5 Million.  Many of those malware files are designed to steal your data. [v] You will need to increase your security, like it or not.

Cyber Criminal.  Really.  It can be lucrative.  Lots of targets.   Writing malware, stealing credit cards, corporate espionage, or hacking for profit.   It’s a growing business–illicit, but it is a business.

Cyber Law Enforcement.   Didn’t think cyber criminals could operate freely did you?  DHS, FBI, Secret Service, State and local are all ramping up Cyber and forensic capabilities.

Cyber Lawyers.  It’s a wild frontier.  Case Law is still being written in this domain.  If you can charge by the hour, that’s good for you.

A lot has been written already on the Christmas Day panty bomber Abdulmutallab and the lack of dot-connecting that preceded the event. Some of the databases that could have and should have been checked were in the form of microfiche not too long ago. Now they are digital dots. That should make searching through them easier, and it does. But with exabytes of data coming at us from the land and from the air, and even more coming in multiple languages, finding the right pictures among the noise is going to get a lot harder.


[i] “Internet host count history | Internet Systems Consortium,” https://www.isc.org/solutions/survey/history

[ii] “Press Release: ITU sees 5 billion mobile subscriptions globally in 2010,” http://www.itu.int/newsroom/press_releases/2010/06.html

[iii] “Cisco Visual Networking Index Forecast Predicts Continued Mobile Data Traffic Surge -> Cisco News,” http://newsroom.cisco.com/dlls/2010/prod_020910b.html

[iv] “What is How many bytes for…? – Definition from Whatis.com,” http://searchstorage.techtarget.com/sDefinition/0,,sid5_gci944596,00.html

[v] “Triumfant Worldwide Malware Signature Counter Reaches 5 Million In Less Than One Year – DarkReading,” http://www.darkreading.com/vulnerability_management/security/antivirus/showArticle.jhtml?articleID=220600888

Critical Infrastructure Vulnerabilities

Jeff Carr at GreyLogic has recently released an investigative Open Source report on Critical Infrastructure cyber threat vulnerabilities.    The focus primarily is on the electric grid.

As a side note, Eagle was one of many participants conducting research into the report.

Hop over to the link below to review the report.

Project Grey Goose report on Critical Infrastructure: Attacks, Actors, and Emerging Threats

Calling Intel Volunteers

Jeff Carr, a Cyber Security Guru and author of “Inside Cyber Warfare,” has put out a call for Intelligence professionals willing to volunteer portions of their time to support the US Intel Community. I have reposted Jeff’s message below. I have worked with Jeff and he is legitimate. I recommend you check it out. You can follow his Twitter or email him if interested.

Links are below.

—————————————————————————————————————————————-

What if DARPA’s Red Balloons Were Dots That Needed Connecting?

Written by Jeffreycarr, Sunday, 10 January 2010 11:04. Last updated on Wednesday, 13 January 2010 05:53.

“Our goal in entering this (DARPA) challenge is to understand how to mobilize the vast resources of the human network to face challenges and explore the opportunities that come with living in such a connected world.”

- Riley Crane, Post-doctorate Fellow, MIT Media Lab team

In sum, the U.S. government had the information — scattered throughout the system — to potentially uncover this plot and disrupt the attack.  Rather than a failure to collect or share intelligence, this was a failure to connect and understand the intelligence that we already had.

- Barack H. Obama, President, United States of America

I know that a lot of you feel the same way I do. You’re thinking how can I help fix this problem? And, let’s face it, it’s a pretty big friggin’ problem; not only in terms of what’s at stake but also in its longevity as a thorn in the side of intelligence analysts since…, well, forever. I’ve been thinking about this off and on ever since the President’s remarks and today, on my way home from seeing a movie with my wife, I thought about those red balloons and what might be possible if we leveraged Twitter to harness some of the best creative minds in the country to volunteer their particular skill set to help solve this problem on an as-needed basis.

Just from my work with Project Grey Goose, I’ve come to know lots of talented individuals in varying disciplines who I’m sure would be happy to join an on-call list to volunteer at least some of their work week if their specialty was needed. Perhaps their employers would even agree to pay them for the effort, similar to what Microsoft does for its annual Day of Caring.

I don’t think there’s a larger pool of intellectual talent anywhere in the world than in the United States. Let’s follow MIT’s lead and mobilize via the Social Web, organize it via a wiki, sketch out possibilities on a virtual white board, bring in talent as-needed, and come up with some solutions for the ODNI to apply. Let’s make it a permanent revolving resource so support is always available. And best of all, there are no budgetary issues, no bureaucratic obstacles, no BAAs that take two years to go from white paper to Phase II trials, etc. Just the work, and the best people in the country to do it – now, and for free.

Follow @greyballoons on Twitter to show your willingness to participate, and spread the word. If the idea catches on (let’s say a minimum of 1000 follows), then perhaps DNI Blair will give his endorsement and a new resource will become available to the hard-working individuals inside the IC that are tasked with the day-to-day challenge of meeting the President’s order to fix what has contributed to this intelligence failure.

Update: 11 Jan 2010 - As of 1026 Pacific time, over 50 exceptionally talented individuals have signed on via Twitter and e-mail. If you aren’t on Twitter but want to offer your services to the @greyballoons project, feel free to use email instead.

Update: 12 Jan 2010; 0400 Pacific: 101 participants and counting. 86 from Twitter and 15 via email. Thanks everybody. Please keep spreading the word.

Update: 13 Jan 2010; 0452 Pacific: 146 participants and counting. 103 from Twitter and 43 via email.

Trust and Reputation Risks

Cisco released its annual security report this week. The report covers a range of cyber security trends ranging from spam, to bots, to malware. They also devote a few pages to the criminal business models that generate profits from illicit activity. Worth a read.

The link is here.

Not surprisingly, as computer use grows around the world, the trends are all upward for more malware, more spam, more fraud.

One of the solutions highlighted in the Cisco report is user education.

“Previous Cisco security reports have emphasized that “user education” is an essential component to security. Users should be expected to take measures to protect their online identity and to be aware of the risks that accompany their use of technology.”

While true, it’s simply not enough. Businesses need to raise security higher on their own priority lists in order to provide their customers with “as secure as possible” environments.

I had an account at a regional bank that highlighted their focus on security (secure access to accounts, privacy, etc.). They even charged extra for it. One day I received an email allegedly from the bank that led me to their web page. It had the account login script on the page. Upon further inspection, the web page was coming from a server and location that didn’t belong to the bank. Looked like a phishing site to me.

So I called the bank and asked for their security department. “We don’t have a security department,” he said. I asked who I should talk to if I did have a security problem. He said, “You need to talk to Jim, our IT guy.” I was feeling much less comfortable by now.

Jim (not his real name) called me back and, after discussing the situation with him, told me the site was legitimate. They had outsourced all their marketing efforts to a third-party company and allowed their main website to be routed from an untrusted source. I asked him why, in the age of so much internet crime, they would choose to create a vulnerable point for their customers, particularly their elderly customers. He was a nice guy. Very polite. But I’m not sure if he understood the risks. Clearly marketing hadn’t.

My account is now closed.

The two pillars of trust and reputation are hard to build. Securing the “client’s visit” (physical and virtual) is required if you want those pillars to stay up.

Dear Bank CEO: Jim’s a good guy. Jim needs help. This isn’t an IT problem, it’s your responsibility.

Is your Small Business the weak link?

Thanks to the Internet and global telecommunications networks, small businesses can participate in supply chains that span the globe. But with the rapid increase in online fraud and exploits, supply chains can also be exploited. Where’s the weak link? Is it you?

In October, the National Cyber Security Alliance published a survey of 1500 small businesses on Cyber Security practices and attitudes.

Here are some highlights:

  • 75% of small businesses use the Internet to communicate with customers
  • 38% use the Internet for Procurement
  • 34% use the Internet to manage their database
  • 92% think they are generally safe from hackers, viruses, malware, or cyber breaches.  Yes 92%!
  • 62% have a wireless router at the office
  • 23% do not have a password on their router

So using rough figures, (62% × 23% × 1500 SB) = 214 small businesses with open routers accessible to anyone driving by and peeking in. Assuming the survey represents the total population, then roughly 14% of small businesses admit to having no security on their routers. I hope my personal data isn’t in your database!

Exploits are increasing. If you’re part of a supply chain now and you’re the weak link, not only do you risk liability for compliance related issues but you also risk being replaced in the supply chain. The easiest thing to do is to replace you with another.

On a somewhat bright note, 58% of respondents said Cyber Security is a cost of doing business.  I believe this number will go much higher as small businesses realize the consequences of operating with no security—or false security.

Summary survey and full survey are attached.

NCSA SB Study Factsheet

FullSMBStudy2009 FINAL