An investigation into a security slip that left the identity information for over 170,000 users of a US federal government program publicly available online has led to accusations of hacking and legal threats.…

Iain Thomson
This 127-page report was just published by the UK Defence Academy. I have not read it yet, but it looks really interesting.

Executive Summary: This report presents a systematic way of thinking about cyberpower and its use by a variety of global players. The urgency of addressing cyberpower in this way is a consequence of the very high value of the Internet and the hazards of its current militarization.
Cyberpower and cyber security are conceptualized as a 'Global Game' with a novel 'Cyber Gameboard' consisting of a nine-cell grid. The horizontal direction on the grid is divided into three columns representing aspects of information (i.e. cyber): connection, computation and cognition. The vertical direction on the grid is divided into three rows representing types of power: coercion, co-option, and cooperation. The nine cells of the grid represent all the possible combinations of power and information, that is, forms of cyberpower.
The Cyber Gameboard itself is also an abstract representation of the surface of cyberspace, or C-space as defined in this report. C-space is understood as a networked medium capable of conveying various combinations of power and information to produce effects in physical or 'flow space,' referred to as F-space in this report. Game play is understood as the projection via C-space of a cyberpower capability existing in any one cell of the gameboard to produce an effect in F-space vis-a-vis another player in any other cell of the gameboard. By default, the Cyber Game is played either actively or passively by all those using network connected computers. The players include states, businesses, NGOs, individuals, non-state political groups, and organized crime, among others. Each player is seen as having a certain level of cyberpower when its capability in each cell is summed across the whole board. In general states have the most cyberpower.
The possible future path of the game is depicted by two scenarios, N-topia and N-crash. These are the stakes for which the Cyber Game is played. N-topia represents the upside potential of the game, in which the full value of a globally connected knowledge society is realized. N-crash represents the downside potential, in which militarization and fragmentation of the Internet cause its value to be substantially destroyed. Which scenario eventuates will be determined largely by the overall pattern of play of the Cyber Game.
States have a high level of responsibility for determining the outcome. The current pattern of play is beginning to resemble traditional state-on-state geopolitical conflict. This puts the civil Internet at risk, and civilian cyber players are already getting caught in the crossfire. As long as the civil Internet remains undefended and easily permeable to cyber attack it will be hard to achieve the N-topia scenario.
Defending the civil Internet in depth, and hardening it by re-architecting will allow its full social and economic value to be realized but will restrict the potential for espionage and surveillance by states. This trade-off is net positive and in accordance with the espoused values of Western-style democracies. It does however call for leadership based on enlightened self-interest by state players.

schneier
For a while now, I have been thinking about what civil disobedience looks like in the Internet Age. Certainly DDOS attacks, and politically motivated hacking in general, are a part of that. This is one of the reasons I found Molly Sauter's recent thesis, "Distributed Denial of Service Actions and the Challenge of Civil Disobedience on the Internet," so interesting:

Abstract: This thesis examines the history, development, theory, and practice of distributed denial of service actions as a tactic of political activism. DDOS actions have been used in online political activism since the early 1990s, though the tactic has recently attracted significant public attention with the actions of Anonymous and Operation Payback in December 2010. Guiding this work is the overarching question of how civil disobedience and disruptive activism can be practiced in the current online space. The internet acts as a vital arena of communication, self expression, and interpersonal organizing. When there is a message to convey, words to get out, people to organize, many will turn to the internet as the zone of that activity. Online, people sign petitions, investigate stories and rumors, amplify links and videos, donate money, and show their support for causes in a variety of ways. But as familiar and widely accepted activist tools -- petitions, fundraisers, mass letter-writing, call-in campaigns and others -- find equivalent practices in the online space, is there also room for the tactics of disruption and civil disobedience that are equally familiar from the realm of street marches, occupations, and sit-ins? This thesis grounds activist DDOS historically, focusing on early deployments of the tactic as well as modern instances to trace its development over time, both in theory and in practice.
Through that examination, as well as tool design and development, participant identity, and state and corporate responses, this thesis presents an account of the development and current state of activist DDOS actions. It ends by presenting an analytical framework for the analysis of activist DDOS actions.
One of the problems with the legal system is that it doesn't make any differentiation between civil disobedience and "normal" criminal activity on the Internet, though it does in the real world.

schneier
OWASP Connector May 21, 2013
MAY FEATURED OWASP PROJECT
OWASP Mobile Security Project
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. The primary goal of this project is to classify mobile security risks and provide development controls to reduce their impact or likelihood of exploitation.
The primary focus is at the application layer. While the inherent risks of the underlying mobile platform and carrier are taken into consideration when threat modeling and building controls, we are targeting the areas where the average developer can make a difference. Additionally, focus is placed not only on the mobile applications deployed to end user devices, but also on the broader server-side infrastructure with which the mobile apps communicate. Focus is heavily aimed towards the integration between the mobile application, remote authentication services, and cloud platform-specific features.
NEW OWASP PROJECTS
OWASP Good Component Practices Project
Project Leader: Mark Miller
Good Component Practice is one of the most overlooked silver bullets in the Open Source arsenal. Due to business pressure, we have found that companies are willing to risk using unverified open source components, trading off security for enhanced speed in development.
This project will use community input to document an industry acceptable process for the creation, maintenance, and use of open source components.
OWASP Bywaf Project
Project Leader: Rafael Gil Larios
The aim of this project is to develop an application that makes the work of an auditor much easier when conducting a Pen Test. The application's principal functions are to detect, evade, and report vulnerability results using known SQL injection techniques and other methods developed by professionals within the industry.
2013 Mobile Top 10 Call For Data
We are pleased to announce the 2013 call for data to help refresh the Mobile Top 10 Risks for 2013 and publish a more formal document. We are encouraging everyone to get involved. Right now we are looking for data that represents the current state of mobile application security. We are soliciting not just vulnerability data, but also incident and attack data that reflects the real-world prevalence and significance of these issues. The goal in requiring both is to rank risks accordingly based on data as opposed to making assumptions. We will use this data to flesh out and re-evaluate the currently incomplete Mobile Top Ten Project.
If you would like to get involved, please visit the OWASP Mobile Security Project wiki page. Please direct any questions or concerns to the Top 10 Refresh leaders, Jason Haddix, Jack Mannino, and Mike Zusman.
Do you want to host an event or propose OWASP involvement in an outreach event? Submit your event through the OWASP Conference Management System (OCMS)
Thank you to MStar Semiconductor, Inc, our newest Corporate Member
Thank you to AsTech Consulting for their Corporate Membership Renewal
GET READY FOR THE 2013 SUMMER
New Membership Levels
Become a LIFETIME Member
Click the icon for all the details
Apply for an Honorary Membership
Get the Details and the Link to the form
AppSec Research 2013
4th COUNTDOWN CHALLENGE RELEASED

There will be a challenge posted on the conference wiki page every month up until the event in August. The winner of each challenge will get FREE entrance to the conference (a €420 value). Be sure to sign up for the conference mailing list to get a monthly reminder.
CLICK HERE to access this challenge
Complete instructions on this challenge
OWASP is pleased to announce our upcoming Partner Events:
ICCS 2013

James R. Clapper, the Director of National Intelligence, will be the opening keynote speaker for the conference.
Blackhat 2013 (15% discount promo code for OWASP members is: KobrLQ44 - case sensitive)
EC Council - Use discount code TDCSTLOWASP for $99 conference passes
Do you have some news? Submit your item to appear in the next connector HERE
MAY 23 GLOBAL WEBINARS SCHEDULED
TOPIC: Unraveling the mysteries of the OWASP WIKI
Have you ever wondered how to find something on the wiki? Where are the projects? How do I volunteer? How, and more importantly why, do I become a Member? Join us for this webinar where the Ops team will walk through some of the mysterious links on the OWASP.org website.
May 23, 2013 at 10am EDT
May 23, 2013 at 9pm EDT
Links to the recordings of previous meetings can be found on the Initiatives Page
OWASP Global Board Elections
The call for candidates is OPEN!
2013 WASPY (Web Application Security People of the Year) Awards
It's time to submit your nominations for the 2013 WASPY (Web Application Security People of the Year) Awards!
This year's awards will recognize our community's best in 5 different OWASP related categories:
- Best Chapter Leader
- Best Project Leader
- Best community supporter - contributor to chapter, project or initiative
- Best Mission Outreach - grow the OWASP community
- Best Innovator - willingness to try new ideas
CLICK HERE TO ACCESS THE FORM!
OWASP would like to thank
for stepping up to be a Platinum Sponsor for these awards in 2013! Additional sponsorship opportunities are available Here
The true root causes of software security failures
When you focus only on building functionality and not preventing unspecified functionality, you don't anticipate potential attacks, and you end up with the OWASP Top-10 and other lists like it. This is my message: Building functionality is ...
The one day conference is being held in central London on Monday 3rd of June 2013 at the Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY. The nearest tube station is Holborn. It is free to attend and is open to all, but registration is required as numbers are limited to 100.
The agenda is still being finalised, but OWASP Ireland chapter leader Fabio Cerullo is presenting PCIDSS for developers, OWASP Cambridge chapter leader Steven van der Baan will be talking about simple steps for secure coding, and OWASP London chapter leader Justin Clarke will be speaking about securing development with PMD, the popular Java code scanning tool. I will be introducing and demonstrating OWASP Cornucopia. A very developer-orientated agenda so far.
The EU Tour continues to OWASP chapters in Barcelona, Bucharest, Belgium, Denmark, Dublin, Lisbon, Netherlands and Rome. Other locations will be added in due course.