Fordham Notes: Cyber Security
Showing posts with label Cyber Security. Show all posts

Thursday, June 6, 2013

Fordham Law's Karen Greenberg on CNN



Karen Greenberg, director of the Center on National Security at Fordham School of Law, appeared on CNN's Newsroom with Ashleigh Banfield to discuss a top-secret Foreign Intelligence Surveillance Act court order, which requires Verizon to turn over records on a daily basis.

The four-page order, published by the UK-based Guardian on its website Wednesday, requires the communications giant to hand over "originating and terminating" telephone numbers as well as the location, time and duration of the calls -- and demands absolute secrecy.

Check out video of Karen Greenberg's appearance on CNN here.

Monday, January 3, 2011

Forum to Discuss Online Threats

The hazards that threaten private citizens online also present challenges for government agencies, corporations and academic institutions. On Wednesday, a panel of experts will discuss the strategies and technology they’ve employed behind the scenes over the years to protect data.

What: Dangers Lurking on the Cyber Highway: Threats in Academia, Business and Crime

When: Wednesday, Jan. 5 at 6:30 p.m.

Where: The Princeton Club of New York, 15 West 43rd St.

Who:
Anthony Ferrante (FCRH ’01, GSAS ’04), Special Agent, Cyber Division, FBI, New York

Frank Hsu, Ph.D., Clavius Distinguished Professor of Science, Fordham University

John Pignataro, director of SIRT Investigations, CITI Group

Cost: $10 (Includes one drink)

Reservations: (212) 596-1255 or humanresources@princetonclub.com
—Patrick Verel

Tuesday, August 10, 2010

Consultant: Stupidity Threatens Cyber Security

A cyber-security consultant speaking on Aug. 5 at Fordham pointed out how easy it is to gain access to sensitive business and government information.

John Verry, principal enterprise consultant of Pivot Point Security, and his “Tiger Team” attempted to access data possessed by the government and several Fortune 500 companies. Their methods included entering physical structures as well as using the Internet.

This research allowed Verry to suggest precautions to reduce information security risks. He found it possible to enter secure facilities without authorization in the following ways:

“Smokers are the friendliest people,” Verry said. By smoking (or pretending to smoke) outside the door of a building and striking up a conversation with other smokers, it is easy to gain access. “[The smokers] will hold the door open for you.”

Another easy way to enter secured buildings is through loading docks.

Government officials want their water, so just carry a large amount of Deer Park water bottles, he said. Or better yet, hang around the loading dock while the actual Deer Park delivery person delivers the water.

Verry pointed out that the person delivering the water probably just wants to get his or her job done. As such, he or she will not be paying attention to anyone lurking in the loading dock.

Getting data online is also quite simple.

First, gather information on someone using a site such as Pipl.com, he said. Then, call the person and pretend to be from the payroll department at his or her workplace. Next, accuse the person of logging onto the payroll department’s online information site without proper authorization.

When the person says he or she did not, ask them to verify their e-mail address (which can easily be found online).

“After the individual confirms, say, ‘And your password is 123, right?’ The individual will say, ‘No, it’s XYZ,’” Verry explained.

He told the audience that many security lapses are due to people not realizing the gravity of the situation in which they find themselves.

“People act stupidly,” he said. “They give out passwords when accused or reset passwords without verifying who is trying to gain access. They let smokers and delivery people in without checking identification.”

Eliminating stupid mistakes would reduce cyber information risks. But as Verry pointed out, “You can’t fix stupid. You can only try to make people more aware.”

Verry spoke as part of the second International Conference on Cyber Security, which was co-sponsored by Fordham and the FBI.


—Jenny Hirsch

Thursday, January 8, 2009

Cyber Attacks: Don’t Blink

In his ICCS conference presentation Thursday on “Defending Cyberspace: A Practitioner’s Enduring Journey,” Simon Y. Liu, Ph.D., said that back in 2001, a computer network had up to 338 days to patch its system before it suffered fatal file information losses. By the year 2005, however, the window of opportunity had shrunk. Today, the “window of remediation” to recover files can be minutes or even seconds. In fact, Liu, who is the director of the office of computer and communications systems for the U.S. National Library of Medicine, said that a human response to an e-mail virus is still possible, but e-mail worms and blended threats can no longer be stopped by human intervention; only pro-active software can defend against such attacks.

—Janet Sassi

Done In by Love

When someone began hacking into the TeraGrid - a network of 11 supercomputing sites across the United States - in 2004, a team at the National Center for Supercomputing Applications (NCSA) began a manual traceback to find the culprit.

In a session on Thursday afternoon, James J. Barlow, director of security operations and incident response at NCSA, explained how the hacker was caught.

After following the path of compromised machines to several sites in the United States, then to computers in France and Croatia, the NCSA team discovered the hacker was a Swedish 16-year-old. The NCSA began monitoring his IP address while the FBI worked with Swedish authorities to set up an arrest.

While monitoring the hacker, the NCSA noticed that he had posted images of his computer screen online because his girlfriend had designed the desktop patterns. A closer look at these desktop images showed open windows that proved the hacker was accessing an unauthorized computer when the images were made.

That evidence directly led to his conviction in Swedish court.

—Joseph W. McLaughlin

Eastern European Organized Cyber Crime on the Rise

Because of the vastness of the Internet, cyber crimes such as credit card fraud and identity theft can be committed from anywhere in the world. For quite some time, the FBI has seen an increase in these activities in Eastern Europe.

Though the hackers are young, they seldom work alone. In fact, Eastern European cyber crime rings are organized crime hierarchies, and the FBI is trying to tackle them, said Darren J. Mott, supervisory special agent with the bureau’s Cyber Division in Washington, D.C.

“Imagine the Cosa Nostra, with the big guys at the top and a bunch of little guys working under them; it’s just like that,” Mott said.

The FBI is taking a holistic approach to try and dismantle this burgeoning world, Mott said at a panel on Eastern European Organized Cyber Crime.

With special agents working in legal attaché offices in Russia, Romania and Estonia, Mott said the agency has established, and continues to strengthen, a working relationship with many Eastern European entities.

“We’re trying to get that cop-to-cop communication because with all cyber crimes, the information is time sensitive,” he said. “We can’t just expect to call and get or share information at a moment’s notice unless a relationship is established.”

—Gina Vergel

Wednesday, January 7, 2009

Cyber Boot Camp, and Beyond

Each year, Col. Joe Adams, Ph.D., trains a group of select incoming cadets in the basic military attack principles—in cyberspace.

Adams, an assistant professor and research scientist in West Point’s Department of Electrical Engineering and Computer Science, gave an overview of his training at Fordham’s ICCS 2009 conference on Wednesday. His computer science curriculum culminates each spring with a final cyber defense exercise (CDX), a contest among five U.S. service academies—the U.S. Military Academy at West Point (USMA), the U.S. Naval Academy, the U.S. Air Force Academy, the U.S. Merchant Marine Academy, and the U.S. Coast Guard Academy.

At West Point, cadets don fatigues and sit at a computer terminal surrounded by camouflage netting for the grueling four-day-long final exam. There, they battle repeated enemy penetrations—unexpected pop-ups, new users that persistently reappear, and system software shutdowns. In the crawl-walk-run method of military training, Adams says, “this is the run part.”

The next cyber battle is scheduled for April 21, and Adams claims bragging rights, legitimately. The USMA has beaten out all of the other participants in four of the eight years since the cyber-battles began in 2000.
“These cadets like to win,” he said.

—Janet Sassi

Old Phish, New Phish

News and Media Relations staff covering the International Conference on Cyber Security (ICCS 2009) are filing conference updates in addition to their regular stories:

Phishing—the practice of tricking computer users into voluntarily giving up sensitive information such as account passwords or social security numbers—has been around longer than many people realize.

In his keynote address on Wednesday, renowned cyber security expert Howard A. Schmidt detailed its history.

“Phishing as a way to steal things began in the early days of the Internet, when we were still paying $6 an hour for online time to America Online and Compuserve,” he said. “Users would pretend to be from AOL and ask someone else for his or her password; that way they would avoid paying the $6 charge for the service.”

—Joseph W. McLaughlin

Tuesday, January 6, 2009

Think Cyber Crime is Victimless? Think Again.

People generally consider cyber crime and other white-collar crimes as the younger, more innocuous siblings of violent felonies.

As FBI Special Agent J. Keith Mularski warned, that is simply not the case.

Mularski is responsible for combating credit thieves who operate online. In his presentation Tuesday at the International Conference on Cyber Security, Mularski said that terrorists fund much of their activities through the shadowy world of stolen credit.

In fact, he cited a 2005 case in which a three-man Al-Qaeda cell in London was arrested after they raised $2.2 million through stealing and selling stolen credit card information.

—Joseph W. McLaughlin

ICCS 2009: Notes from the Floor

Tuesday’s keynote session of Fordham’s International Conference on Cyber Security featured a brief appearance by Michael Balboni, deputy secretary for public safety for the State of New York. While other speakers emphasized the need for cooperation among organizations and professionals in fighting cybercrime, Balboni added a side note to individuals: secure your own personal systems. Those who spread malicious software, or botnets, won’t have as much success if each system maintains basic, up-to-date security. He also emphasized the point that a network is often only as strong as its weakest link.

“We are all connected,” Balboni said. “That means whoever utilizes your system, if they’re not secure, you’re not secure.”

Balboni also mentioned that New York State has a 24/7 cyber security system that offers intrusion detection, prevention, mitigation and recovery service. Why are municipal systems important? Balboni said that most of our nation’s operating systems (dams, electrical grids, telecommunications) are done through local municipalities.

—Janet Sassi

Monday, December 1, 2008

ICCS 2009: Standing Room Only

Registrations for the International Conference on Cyber Security (ICCS 2009) are officially sold out, and more than a dozen cyber professionals have asked to be placed on the waiting list.

The conference, a joint effort between the Federal Bureau of Investigation and Fordham University, will bring together global leaders in emerging cyber threat analysis and enforcement at the University's Lincoln Center campus from January 6 through 8, 2009.

Among the many sessions, ICCS will feature Anatomy of a Modern Homegrown Terror Cell: Aabid Khan et al., by Evan F. Kohlmann, senior investigator and private consultant, Global Terror Alert; Child Pornography: Investigations, Trends, and Legal Issues, by Denzil S. Fearon, senior investigator, computer crimes unit, New York State Police; The Hacker Factor, by the AT&T Ethical Hacking Team; and Penetrating Mind of Mayhem: Inside the Mind of an Islamic Extremist, by the Honorable Shannen L. Rossmiller (Ret.), cyber operative and co-founder, AC-CIO.

See the ICCS newsroom for more details. For media queries, please contact Bob Howe, director of communications at Fordham University.

Saturday, October 4, 2008

Fordham, FBI Team Up on Cyber Security

ICCS 2009

www.iccs.fordham.edu

A MEETING OF LAW ENFORCEMENT, INDUSTRY AND ACADEMIC EXPERTS

The Federal Bureau of Investigation has teamed with Fordham University's Department of Computer and Information Sciences to bring together global leaders in emerging cyber threat analysis and enforcement. In January 2009, the two institutions will launch the first International Conference on Cyber Security (ICCS 2009) in New York City, the information center of the world.

With the number of cyber threats escalating worldwide, the need for comprehensive security analysis and solutions has reached a critical juncture. Join us at ICCS 2009 for a first-hand opportunity to discover and share critical intelligence on issues shaping the future of cyber security.

ICCS 2009 will feature distinguished speakers, presentations and vendor exhibits. This gathering of international cyber security experts will host more than 300 delegates from around the world. The world's foremost experts in cyber threat analysis and enforcement will engage in a dialog and develop strategies for combating cyber threats across the globe. With shared expertise and insight into a myriad of cyber security trends, tools and techniques, this conference will create an unparalleled opportunity for the international advancement of cyber threat analysis and enforcement.