
Cyber Briefings 'Scare The Bejeezus' Out Of CEOs - iProject
http://www.npr.org/2012/05/09/152296621/cyber-briefings-scare-the-bejeezus-out-of-ceos
======
talmand
I'm about to reveal the most mind-blowing secret of internet security. If you
have data that must not be compromised in any way, don't plug the computer
into the network and heavily screen all storage media to be placed into said
computer.

Plus, Gibbs from NCIS taught me that if a hacker is getting into your computer
and you can't stop them, unplug the computer from the power outlet.

~~~
diminish
Indeed, in some military organizations, I witnessed that computers have no
connection to any network.

------
marcusf
Does anybody else get chills from the implication of the final sentence in the
article? Makes the whole article read like CISPA propaganda.

Further, and this is preaching to the choir, if the security researchers of
the respective companies could get the same unfettered access to their CEOs
as the government, I'm sure they could 'scare the bejeezus' out of them, just
as well.

------
gpcz
The article and the linked NIST page were not specific about the BIOS flaw,
but based on Google searches for "bios security flaw," it seems that even the
worst ones (the CompuTrace Lojack flaw and Joanna Rutkowska's Intel flaw)
require the attacker to have already compromised the operating system. If an
attacker can compromise your computers' OSes, then disabling the hardware is
probably the least of your worries.

By default, the major PC operating systems follow Ideas 1-3 of the "Six
Dumbest Ideas in Computer Security" (
http://www.ranum.com/security/computer_security/editorials/dumb/
) in terms of executables. While you can reconfigure most common OSes not to
follow these ideas, most home and business computers will follow the default
configuration out of convenience.

~~~
pgeorgi
Disabling the hardware is probably the least of your worries (depends on the
job the hardware performs).

Installing a permanent backdoor (that you only get rid of with external
flashing hardware - OS reinstall won't help, new disks won't help, reflashing
firmware won't help) is not.

------
pferde
The overuse of the prefix "cyber" makes the whole article sound like something
from a 70s B-class scifi flick. Hard to take seriously.

~~~
adolph
I listened to it this morning and found the article frustratingly devoid of
specifics or any countering view. There was a reference to an attack on
firmware, but otherwise sounded like a DARE session for biz execs.

Addendum: Some of the comments to the article are interesting. One ties the
article to the lobbying effort for CISPA.

------
cryptolect
I'm aware of similar "briefings" happening in Australia. I think it's
important for no other reason than security awareness. Often there are
internal security staff in organisations who know just how vulnerable their
organisation is to targeted attack, but it's hard to get that message through
to the C-level staff. This approach does get through.

~~~
angdis
It sure does, but this kind of stuff also hints at a future possibility of
government involvement at a level that makes many people very uncomfortable.

~~~
cryptolect
For certain industries, government is already heavily involved as a matter of
national security. Energy, telecommunications, research, finance etc.

------
angdis
I wonder how many of them left the briefing thinking that the US Cyber Command
could literally turn a computer into a "brick".

~~~
rdtsc
Still kind of wish computer science had ended up being called
"Cybernetics"; it is a much cooler word.

~~~
arethuza
Isn't Cybernetics really more about systems and control theory than CS
subjects?

<http://en.wikipedia.org/wiki/Cybernetics>

~~~
gaius
Indeed, former Ukrainian PM Yulia Tymoshenko was a Cyberneticist-Economist in
the oil industry before going into politics. I suppose we in the West would
call that Operations Research.

~~~
rdtsc
Informatics is another name used in Eastern Europe. Kind of interesting
because the emphasis is on manipulation of information in general.

------
snowwrestler
I have personally known several corporate security teams who only found out
that their networks had been penetrated because a federal agent called them
and told them their networks were talking to known malware control IPs in
Asia.

This happens because of a mismatch in the levels of sophistication of the
corporate security defense team vs. the security threat team. The defense team
is simply not aware of what the threat teams are capable of, or the extent to
which attacks are being specially and carefully crafted to target individual
companies.

It's important to understand how common this is. For years most companies have
not had to worry much about security because they were not previously targets.
Now they are the targets of attacks that are carefully researched and crafted
to target their particular vulnerabilities, and in many cases actual specific
employees or users.

So most companies are playing catch up. First, they are having to learn much
more about the details of the full stack of their technology, from the
hardware firmware through the OS, applications, local networking, and
internetworking. It's no longer enough to trust vendors, which for years was
the corporate way.

Second, to speed this up, they are trying to figure out how they can learn
from each other, from security experts, and from the government without
triggering all sorts of legal consequences like shareholder lawsuits,
antitrust investigations, privacy lawsuits, etc.

This is where the desire for bills like CISPA comes from--to simplify what
appears to them to be a legal minefield. The feeling is that the bad guys can
all freely share threat info with one another, but corporate security teams
are legally limited in how they can share info about vulnerabilities and
defense.

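As an added example (not part of the comment above, the article, or any vendor tool): the check the commenter describes a federal agent doing on a company's behalf, i.e. matching outbound flow records against a list of known command-and-control addresses, is cheap to run in-house on egress logs. The log format, the internal address ranges, and the indicator addresses (RFC 5737 documentation ranges, not real C2 infrastructure) are all constructed assumptions for illustration.

```python
"""Match outbound flow records against known C2 indicators.

Added example, not code from the thread or the article. The record format
('timestamp src_ip dst_ip dst_port'), the indicator list and the internal
networks below are constructed for illustration.
"""
import ipaddress

# Constructed indicator list: single hosts and a CIDR block. These are
# RFC 5737 documentation addresses, not real malware infrastructure.
KNOWN_C2 = [
    "203.0.113.7",
    "198.51.100.0/24",
]

# Assumed internal address space, so that only outbound flows
# (internal -> external) are considered.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def compile_indicators(indicators):
    """Turn a mixed list of host addresses and CIDRs into ip_network objects."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one 'timestamp src_ip dst_ip dst_port' record.

    Returns None for malformed lines instead of raising, so one bad line
    does not abort a sweep over a large log.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, port = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    except ValueError:
        return None


def find_c2_beacons(lines, indicators=KNOWN_C2):
    """Return the outbound flows whose destination matches an indicator.

    Inbound and internal-to-internal flows are skipped: a connection *from*
    an indicator address to an internal host is a different signal (scanning
    or inbound exploitation) and is not what this check is looking for.
    """
    nets = compile_indicators(indicators)
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        if not is_internal(src) or is_internal(dst):
            continue
        for net in nets:
            if dst in net:
                hits.append({
                    "time": ts,
                    "src": str(src),
                    "dst": str(dst),
                    "port": port,
                    "indicator": str(net),
                })
                break
    return hits


# Constructed sample log: one benign flow, two matches, one inbound flow from
# an indicator address, one unparseable line, one internal-only flow.
SAMPLE_LOG = """\
2012-05-09T08:00:01Z 10.1.2.3 93.184.216.34 443
2012-05-09T08:00:05Z 10.1.2.3 203.0.113.7 443
2012-05-09T08:00:09Z 10.1.2.9 198.51.100.42 8080
2012-05-09T08:00:11Z 198.51.100.42 10.1.2.9 8080
garbage line
2012-05-09T08:00:15Z 192.168.5.5 10.0.0.7 445
""".splitlines()

if __name__ == "__main__":
    for hit in find_c2_beacons(SAMPLE_LOG):
        print(hit)
```

The point of the direction check is that an indicator list answers two different questions: an internal host initiating connections to a listed address is a likely beacon, while a listed address connecting inward is reconnaissance or an inbound attack and belongs in a different alert. Running the sweep continuously over egress flow records is what turns "a federal agent called us" into something the in-house team sees first.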
------
ktizo
_The 2010 revelation that U.S. cyberwarriors could turn a computer into a
"brick" stemmed from research into a design flaw in U.S. computers, according
to several sources. It was determined that an adversary could conceivably
update computer firmware — the low-level software that dictates how the
hardware works — to make the machine useless._

And this is considered a revelation? In 2010?

In that case, the standard of what constitutes a revelation has definitely
slipped over the years.

I love the _design flaw in U.S. computers_ bit as well, because U.S. computers
are obviously so very different from the other foreign kinds of computer. You
know, the ones without updatable firmware, or something.

