Tuesday, February 19, 2013
Today marks the 700th Edition of GCFlash, a milestone we never envisioned when this eNewsletter launched in August 1999. Issues dating back to August 2010 remain on our website for your reading pleasure. Simply type the subject matter of your interest into the search box at the top of any page on our site to refer back to a previous article. If it predates our online archive, drop an email to firstname.lastname@example.org and I'll be happy to send you a copy of whatever you're seeking. Thank you for being loyal GCFlash readers.
Our Current Rates:
For a listing of our current deposit and loan rates, click here.
Are You Any Safer?
President Obama announced he had signed a cybersecurity executive order in last week's State of the Union Address. Are you now any safer online than you were last week?
Yes. And no.
This executive order simply structures a framework to protect our country's critical infrastructure from cyber attacks. It allows intelligence to be collected on attacks and cyberthreats to "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
The intelligence collected would be used to allow these entities, such as the defense sector, utilities, and the banking industry, to better protect themselves. The general U.S. population, the economy, and other nations that rely on us for support would benefit as well.
For now, the order excludes commercial and consumer technology products and services from designation as critical infrastructure. Microsoft, Google, Facebook and Twitter are exempt. The order is aimed at the operators of critical infrastructure that use such services, not at the providers.
In a nutshell, this executive order directs our federal government to share cyberthreat information with those entities where a breach of their systems would create a catastrophic impact on public health or safety, economic or national security. Secretary of Homeland Security Janet Napolitano is charged with identifying which companies fall under this umbrella, using a risk-based approach, within 150 days of the order's signing.
The National Institute of Standards and Technology will collaborate with industry to develop a cybersecurity best practices framework to reduce risk of companies identified as critical. Companies are not compelled to adopt the framework.
Information will be shared only one way: from government to business. Antitrust laws limit how much information competing businesses can share with each other. As well, companies may not want to share information that could prompt a lawsuit or reflect negatively on them with shareholders, competitors or customers.
The government's role in protecting its own critical networks isn't addressed. And an executive order cannot impose binding requirements on private companies, so the standards it produces are voluntary rather than mandatory. President Obama is calling on Congress to pass cybersecurity legislation.
Information sharing is the cornerstone of this executive order. It's also the most controversial aspect.
This executive order was necessary because the Cyber Intelligence Sharing and Protection Act (CISPA) stalled in the Senate one year ago after being passed in the House. The bill faced a White House veto threat, citing privacy concerns, had it been approved.
CISPA would allow two-way sharing of information: private companies would share details about cyber attacks with the government, not just receive threat information from it as the executive order provides. This concerned privacy advocates, who feared customers' private information or even private communications could be handed over, depending on what entity had been breached.
Consumers wouldn't know what information is being shared. And CISPA provides legal immunity to companies that share such information "in good faith." The shared information is shielded from transparency mechanisms such as the Freedom of Information Act, so customers would have no recourse if their private information became public.
Despite claims that CISPA would be revised before being reintroduced, it was returned to Congress for discussion in its original form last week. Protests began immediately.
Yet some form of cybersecurity protection is essential. Wars are moving from the physical battlefield to the virtual arena. Expect a much higher death toll if vital infrastructure is attacked.
The U.S. is widely credited with the first overt blow in cyber warfare: unnamed U.S. officials were reported to have acknowledged that the Stuxnet worm, which damaged the uranium-enrichment centrifuges of Iran's nuclear program, was a U.S. operation. If you missed our original coverage, you can read about it here.
The worm targeted the programmable logic controllers driving a specific piece of equipment crucial to nuclear enrichment. The same class of industrial controllers runs electrical grids, water supplies, oil pipelines, air traffic control and communication networks, so the same technique could be turned against any of them.
Read on to learn why you should be worried.
Speared By China
We first discussed spearphishing in our June 14, 2011 issue. It's still online here. The article revealed the nature of this type of cyber attack and gave a couple of instances where it had been used to compromise the security of U.S. companies.
Including security vendor RSA.
We're now learning the source of these attacks. And they go much deeper than we initially feared.
A report released today by security company Mandiant Corp. ties these attacks to a network of hacker groups under the direction of Unit 61398 of the People's Liberation Army based in Shanghai, a Chinese military unit. The Chinese government naturally denies involvement.
Information was stolen from military contractors, energy companies and other key industries. Chinese attackers have also been blamed for intrusions at the White House, the U.S. Chamber of Commerce, the New York Times, the Wall Street Journal, the Washington Post, and Bloomberg News.
Facebook, Twitter and Apple have been hacked. The 2011 RSA breach has likewise been attributed to Chinese state-sponsored attackers.
The New York Times hired Mandiant to investigate the attack on its news operations. An advance copy of the report was given to the Times today.
The report found that hundreds of terabytes of data had been stolen from at least 141 organizations. They state that the unit has been in operation since at least 2006.
Coca-Cola was one of the earliest U.S. firms attacked. It was in negotiations to buy the China Huiyuan Juice Group. Had it succeeded, the deal would have been the largest foreign purchase of a Chinese company.
It began when a Coca-Cola executive received an innocent looking email that was really a spearphishing attack. The executive clicked the malicious link and the attackers were inside the company's computer network where they sent confidential company files back to their Shanghai base on a weekly basis. These files revealed Coca-Cola's negotiation strategy.
Two years later, RSA was victim to a similar attack. By infiltrating RSA's internal network, the cyberthieves gained access to information underpinning the SecurID tokens used by U.S. intelligence agencies, military contractors and several major companies. RSA replaced its customers' SecurID tokens and added extra layers of security to its products.
But it was too late for Lockheed Martin. Information stolen from RSA helped the attackers breach its network.
Companies are wising up to spearphishing attacks. But what's frightening are the attempts to compromise our critical infrastructure. The Mandiant report detailed thwarted attempts at companies that control our power grids and other utilities.
Digital Bond is a security firm specializing in the same type of industrial controllers Stuxnet attacked. A part-time employee there received a spearphishing email that appeared to come from his boss. He recognized it as a scam and shared it with researchers, who traced the malicious link to a remote-access tool that would have given the attackers a foothold on the company's computer system. With that foothold would have come confidential information about Digital Bond's clients, which include a major water project, a power plant and a mining company.
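The Coca-Cola and Digital Bond incidents share two tells that can be checked mechanically before anyone clicks: a sender whose display name matches a colleague but whose address is not on the company's domain, and a link whose visible text names one site while its href points somewhere else. The Python below is an added illustration of those two checks, not code from GCFlash, Mandiant or Digital Bond; the company domain (example-ics.test), the staff directory, and the sample message are all constructed for the example.

```python
"""Flag two spear-phishing tells in a raw email message (added example).

  1. Display-name impersonation: the From header carries the name of a
     known colleague, but the address is not on the company domain.
  2. Deceptive links: an HTML anchor's visible text names one host while
     its href points at another.

COMPANY_DOMAIN, STAFF and SAMPLE_EMAIL are constructed for this example.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-ics.test"                      # constructed
STAFF = {"pat manager": "pat.manager@example-ics.test"}  # constructed: lower-cased name -> mailbox

# Constructed message: the boss's name on a webmail address, plus a link whose
# text shows the company portal while the href points at a bare IP address.
SAMPLE_EMAIL = b"""From: Pat Manager <pat.manager.work@webmail.test>
To: analyst@example-ics.test
Subject: Updated client report - please review today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the report before the 3pm call:</p>
<p><a href="http://198.51.100.7/report.exe">https://portal.example-ics.test/reports/q1</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Return the lower-cased host named by a URL or bare hostname, or None.

    Plain words such as "click here" contain no dot and are not treated as hosts.
    """
    candidate = text if "://" in text else "//" + text
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host.lower() if host and "." in host else None


def check_sender(msg, staff=STAFF, company_domain=COMPANY_DOMAIN):
    """Return a finding if the display name is a colleague's but the address is external."""
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    known = staff.get(name.strip().lower())
    if known and domain != company_domain:
        return f"display name '{name}' is a colleague ({known}) but sender is {addr}"
    return None


def check_links(msg):
    """Return findings for anchors whose visible host differs from the href host."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = AnchorCollector()
    collector.feed(body.get_content())
    for text, href in collector.anchors:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings


def analyse(raw):
    """Parse a raw RFC 5322 message and return the list of indicators found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    sender = check_sender(msg)
    if sender:
        findings.append(sender)
    findings.extend(check_links(msg))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

Neither check depends on knowing the attacker's infrastructure, which is why they survive a new campaign: the staff directory is something the mail gateway already has, and the link comparison only needs the message itself. A message that passes both checks is not thereby safe, but one that fails either deserves the treatment the Digital Bond employee gave his.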
Other prevented attacks targeted a contractor for the National Geospatial-Intelligence Agency and a lobbying group that represents companies that make components for power grids.
But it only takes one weak link to wreak catastrophic consequences. The attack on the Canadian arm of Telvent was successful. Telvent, now owned by Schneider Electric, designs software that lets oil and gas pipeline companies and power grid operators control valves, switches and security systems remotely, and it kept detailed blueprints on more than half of all the oil and gas pipelines in North and South America. Project files were stolen.
This is where I would normally conclude an article. But I'll let each of you draw your own conclusion on this one.
GCFlash is a weekly e-mail sent only to its listed customers and associates free of charge. GCFlash informs customers of special product offerings which may be of interest, current interest rates on both deposit and loan products, selected financial news and other financial tidbits. GCFlash is intended to supplement the more comprehensive information listed on the GCF Web site at http://www.gcfbank.com.
GCFLASH PRIVACY STATEMENT
GCF maintains your e-mail address in a confidential and secure database along with much of your other account information, such as mailing address and telephone number, etc. Before aggregating our e-mailing list each week, we filter out any duplicates. In most cases, this inhibits the unintended e-mailing of multiple copies of GCFlash to a single e-mail address. However, because these account records are kept by both individual and account, there is a chance members of the same household could each receive a copy of GCFlash or any other transmission at the same e-mail address, resulting in multiple copies. For example, a husband and wife that both have accounts with GCF may both receive a copy because the names are different but listed at the same e-mail address. This is similar to the manner in which each individual may share a common telephone number. To handle this situation, GCF recommends you simply delete any extra copies of GCFlash, as this will ensure that ALL individuals receive any future promotional mailings, which might only be targeted or offered to specific accountholders meeting certain criteria. GCF has the capability to suppress customer e-mail addresses so they are omitted from our transmission list. If you would rather have a specific household member's e-mail address suppressed in our electronic database, simply send us a reply, as stated below, and indicate the accountholder for which you would like to have e-mail suppressed. Please keep in mind that this suppression will mean that NO future e-mails are sent, including special promotional offers. If you have any questions about this process or need additional information, please contact us at email@example.com.
If you would like to be removed from this electronic mailing list, click this link to send us an email to unsubscribe. Please note, removing your name from our electronic mailing list means GCF will send NO FUTURE NEWS or SPECIAL OFFERS.