TV [untitled], January 27, 2012, 8:00pm-8:30pm EST

8:00 pm
Our home desktops and the internet got more sophisticated. But nothing too serious at that time. It wasn't until a little over ten years ago, when corporations and businesses started taking advantage of the internet and this global connectivity, what we're doing here at the OVF, providing access to the portals and information, that cybercrime became very serious. The first targets, actually around the year 2000, were the most profitable businesses online: pornography and online gambling sites. Online gambling came under attack from Eastern criminals, organized crime syndicates who realized they could extort money from people who are used to extorting themselves. And most of these online gambling sites were off site, offshore, in places where they're allowed
8:01 pm
to operate and not be reached by the arm of the law. And what these gangs did is they took over tens of thousands of computers on the internet, and they would barrage these sites in the week before a Super Bowl or a week before a big boxing match, and they'd bring those sites to a halt. And they'd send an e-mail to the CEO of that business and say, if you want us to stop this before the Super Bowl, wire a $50,000 check to this account. These guys were getting paid because the owners of these businesses were used to extorting themselves and felt it was part of doing business, until one organization called BetCRIS in Costa Rica was writing $50,000 checks weekly, and then they fought back. That led to the cyber criminals saying, we have all the machines under our control, let's now turn and look at what's on those machines, and that led to the advent of identity theft.
8:02 pm
Fast forward: starting in 2005, nation states learned about these capabilities and these organizations and started using the same techniques for nation-state-sponsored attacks. And that is the world we have today. And it's a very sophisticated, sophisticated world. If you remember, back in the '80s there was a movie called "War Games." That movie was well ahead of its time then. Today, we far surpass the capabilities of that movie "War Games," if some of you remember that, those kids hacking into government computer systems and whatnot. Today, there are actually four types of cybercrime. I thought I'd step through some of the stories so you can understand how this all works. The first and most prevalent, we read a lot about, is cyber theft of identity and information. So it's identity theft, but done in bulk amounts. The reason it's done in bulk is our identities are
8:03 pm
worth anywhere from 30 cents to $100 on the black market. There are organizations who specialize in stealing large amounts of data. A recent example was Amazon; if you bought from Zappos online, you probably got an e-mail that your account was compromised. It's probably in the millions. Now, what do you do with millions of records? You actually sell them in groups of 10,000, and you make 30 cents each, sometimes up to $2 each depending on the quality of the record. The most famous was Albert Gonzalez in Florida. He started hacking at the age of 9. He was caught by the FBI after having stolen cards and selling them online. So he was caught. The FBI was fascinated with him and actually started to work with him to learn about this industry. So while he was being paid by the FBI, he actually continued
8:04 pm
his practices, and he was sitting in a Marshalls parking lot. Marshalls had just gone to wireless transactions in their store. From his laptop, he actually was able to listen to these unsecured credit card transactions, and over the course of 18 months, from the parent company, TJ Maxx, he stole 40 million credit cards. He threw himself a $75,000 birthday party. Counted all that money by hand because his bill counter broke. He lived a lavish lifestyle. So you can use these identities to commit fraud. RBS Bank, or Royal Bank of Scotland, fell victim to eight cyber criminals out of Eastern Europe who actually took ATM cards; they had the numbers, they produced what are called white cards, fake cards, they recruited an army across 280 cities, and within a 24-hour
8:05 pm
period, actually it was a two-hour period, they attacked 2,100 ATMs in the cities and took out $10 million. You saw that stat. The way they did it? 11:30 at night, you went and you withdrew the max amount you could out of a card, and these guys went and they each hit about ten ATMs between 11:30 and midnight. At midnight, it rolled over to the day, so they could take out the max again. Cyber espionage, the third type of crime. Cyber espionage is really accessing classified information, intellectual property, and it goes across both the public sector and the private sector. You might think of a Private First Class Manning in the Army who downloaded all the files that WikiLeaks exposes. He was listening to music, what
8:06 pm
when in reality that was downloading all the documents. The granddaddy, the fourth one, is cyber warfare. Cyber warfare is nation-state-sponsored attacks on critical infrastructure. Think of critical infrastructure as our power grid, telecommunications systems, transportation, water supply, flow of oil and gas. And so those are the four threats of today. So again, I'm sorry about that movie, but it's my job to educate everyone about how ugly and how sophisticated things are getting. It is getting very ugly out there. And today it is no longer the Steve Jobses and the Steve Wozniaks. It's well-funded nation states that are sponsoring a lot of these activities. I also typically show a screenshot of an organization called Anonymous. That's a loosely affiliated global organization of cyber hackers who will attack organizations on a whim, based
8:07 pm
on a press release or based on news or some political agenda that they don't like. It's those organizations in concert with enemy nation states that are working together, because enemy nation states can contract these organizations and have an arm's-length relationship from a lot of the cyber criminal activity that's happening. The most sophisticated attack last year involved a thing called tokens. And many of you probably use them. I carry one in my pocket. When you want access to a network, a private network, when you're remote, you use one of these devices. What it does: you have a password in your head, and you push that button and it generates a random six-digit number. You enter into your computer that six-digit number, and then never shall the two meet, and this number is randomly generated; that gives you access. Very, very secure.
8:08 pm
There's a very sophisticated breach against this, and I'll go into it in a moment. The fact of the matter is, to breach a system is actually quite easy, and it's almost scary how easy it is. So there's three steps to the modern cyber hack. Three simple steps to the modern cyber attack. The first is to breach the perimeter. And the way you breach your perimeter, there's two primary ways: human vulnerabilities, so you're trying to look at humans who are at the perimeter and trying to trick them into doing something and compromising your operation; and the other is application vulnerabilities. We have wonderful developers here who have well and great intentions of writing an application, but they can't anticipate how bad guys might mess with their logic to get in. Much like that very first hack
8:09 pm
that John Draper, or Cap'n Crunch, did of using a whistle to get administrative access. Who would have thought of that? So these application flaws are also being used. So you get into the enterprise you want to target, and then there's methods of jumping off and covering your tracks. The next thing you do is, you're now inside the organization and you're trying to get access to sensitive data or sensitive systems. And you do what's called privileged access. You become an internal user on that system. You're no longer an external user. You have compromised someone's internal accounts. You infiltrate that information. You can cover your tracks, and you want to go uncovered for a long period of time. Get in, get access, exfiltrate. Let's look at the most sophisticated attack that
8:10 pm
happened last year. The most sophisticated attack. Mind you, this attack went against the company that produces the algorithms and generates that random number. If you could get access to the generator of random numbers, and you can figure out, for customers of this company, some of their key members' four-digit additional password, you could marry those. So that was the sophisticated attack. It was a human vulnerability. This organization out of Asia targeted this security company, and was targeting a finance department. They sent an e-mail to a mid-level finance manager. Microsoft Outlook handled that e-mail appropriately. It actually put it in the junk mailbox. It recognized it as potential spam. The problem was, this business user's curiosity got the best of him. He opened up the junk e-mail.
8:11 pm
Mistake number one. What he found was this e-mail, redacted a bit. When he found this e-mail, this is actually what was in there. Look what the message says: "I forward this file to you for review. Please open and view it." And there's an attachment that says "2011 Recruitment Plan." Security professionals will look at that and say, mysterious. It comes from a webmaster at a jobs board. The grammar of the sentence is a little direct. But curiosity got the best of him and he opened that attachment. And he was very disappointed that this is what he found. Okay, this is an Excel spreadsheet with no content in it. He goes, darn, nothing there. He shut it off and went on to do his job as a finance manager. The company's been breached. If you look in cell A1, that's how Excel represents an embedded
8:12 pm
object in a cell. That embedded object was malicious code that took advantage of a vulnerability in Adobe Flash. A vulnerability much like that phone system 30 years ago. This presentation is using Adobe Flash. Almost every computer has Adobe Flash on it. That vulnerability allowed these guys to install what's called a remote administrative tool. It puts software on that person's machine that gave them remote access to control that machine as if they were sitting at the keyboard. And this software went undetected. From there, it communicated back to a website which is a known command and control site called good-mincesur.com. This is the command and the control of that software. This was a known bad site, unfortunately, for about ten months, but they didn't catch it. I won't get too technical, but from there you can scan the
8:13 pm
network. They scanned the network. They found two servers on this company's network that had open ports, mistakes that were made, and they jumped on to those two servers, using a tool called nmap, which corporations use all the time. So they're using now the company's own tools. They got on that server, they found their targeted files, these algorithms. Many of you use zip files. They found internally what's called a zip file, where they can package up the sensitive data, and they sent it out over to mincesur over a period of time. Several defense contractors were hacked because of this breach at this security company. And those defense contractors lost quite a bit of sensitive data. So one, two, three, that's how it happens.
8:14 pm
It's not that complex when you think of it. So security intelligence: what do we do in this world when traditional tools don't work? When the attacks are so sophisticated? I'm going to skip to a couple slides so we -- let me step forward. Are we frozen? Yeah. I've been hacked. We'll see if that comes up. But let me just draw kind of an analogy in our world here of voting. So when voting is going on, to prevent -- let's step back just a bit. Okay. So to prevent voter fraud, what do we do? We actually monitor elections. Right, we have monitors on board, they look at the controls and the policies and, you know, we're tracking and making sure.
8:15 pm
We go overseas and monitor elections to make sure they're fair and following the rules. That's one of the things we need to do in the online world. We need to monitor these systems and look at when controls are being breached. I'll show you how it worked to stop that most sophisticated crime of last year, and it wasn't too hard. You have to have context of what's happening, where users are coming from, what are they doing and what are they trying to do, and surface nefarious activity. The first thing, when you're monitoring: no corporation should ever connect to a command and control center on the internet. That was a clear connection that should have been caught in this situation. Simple monitoring. Very, very basic. The next thing is, that would have caught it. The next scenario is, nmap is used by IT organizations all
8:16 pm
the time. I have never met a finance manager that knows how to use an nmap tool. It was a finance manager's machine that launched this. Secondly, once they jumped off that machine, they got on to two servers, they actually listened and they got the passwords of IT administrators and started to use those passwords to get access to the sensitive data. But they were doing this at hours when these IT administrators weren't even at work or logged on to the network. Could have been caught. Then finally, sending out a multipart file that's encrypted should set off large alarms. That monitoring could have helped address this type of environment. And now, when it comes to voting systems, and Susan talked about we want everyone to have an online voter's account, and you start thinking of these
8:17 pm
sophisticated attacks, you think, wow, the integrity of voting can be very compromised. I'm a big believer that technology can bring great benefits to the overall voter registration process. I'm so impressed with what the OVF has already done around reaching out and educating overseas voters, giving them registered databases, access to ballots, to be able to print those off. The question becomes, when are we safe enough to do the voting online? I don't think we're there yet, because the integrity of voting can't be compromised. What's happening in the industry is we're moving to, as Susan said, mobile devices or cloud computing. We are opening up to a whole new set of cyber attacks. What's exciting about the companies today, like HP, rather
8:18 pm
than saying how are we being hacked, we're spending a lot of time saying how do we design security into these mobile applications? How do we design security into these shared services? And start with security in the design and not after the fact. It is actually a very different approach than how we have been going about this. I do think this is a crawl before we run, and we need to focus on building the infrastructure and the services around voting and the processes that we can help automate. But when you think of actually placing a vote online, the challenge is you look across our country and all the municipalities and the different infrastructures and the different tools and, in many cases, the immaturities of the infrastructures. We need to elevate and build that up before I believe we can go the final mile. But the final work goes into the design and enables us to get to the point where I think we have wonderful online voting
8:19 pm
capabilities. So that completes my remarks. We have time for some questions, or comments. Or I probably have another dark video or two I could show you. Yes? Or I can repeat your question.
>> You're saying we're not ready for that. How would you feel if we offered the opportunity to place your ballot on your computer?
>> Yes, so the question is, how would I feel about placing my personal vote online from my own machine? Right, that's the question. I would love to. I would -- I mean, I would love to. I think it's tremendous.
8:20 pm
I think the -- yeah, but I think the concern isn't about me, from my machine, and someone seeing my vote. My concern is about the centralized system that's collecting and tallying and registering all these votes, that is operated very differently in every municipality, every voting location. So unless we can move to much more of a centralized and shared and consistent business that we built the security into, to protect that -- and really you're protecting the integrity of the election, I think, is so critical, versus protecting the integrity of my vote, which is less concerning. It's the integrity of the overall election that we need to really focus on. I think that comes down to, you know, very well thought out security built into these back-end systems. And I do believe that we need to do it in a shared way, so that we're not trying to put these
8:21 pm
systems into hundreds of different types of environments that have multiple different types of infrastructures and levels of security. And if we can do it in a shared way, then I think, you know, we're putting more resources around those shared services and securing them to work consistently. One of the drivers that I'm responsible for at HP: so there's a thing called cloud computing. You see the billboards. It is about shared services, and using IT much more as a service instead of installing and operating it yourself. When you ask CIOs what's the biggest concern about adopting shared services, security is the number one concern. So HP has challenged me; my job is to turn security into the number one advantage of why you would go to shared services. That's what I'm spending this year working on: taking these shared infrastructures and investing more in the security and the configuration of that
8:22 pm
environment and understanding the potential vulnerabilities and putting in place defenses, better in that environment than multiple corporations, than anyone, could do themselves. That's the journey we're on. I think it's not too far off. But that needs to be done before I think we compromise the integrity of the voting. Yes, sir?
>> So in the U.S., the concerns about security have led to returns in many cases to paper ballots and a move away from electronic voting, even at the polling place. So my question is, now at the same time, technology folks will say, well, what you don't want to do is create a standard or a requirement that freezes the technology. So my question is, how do you compromise those two with respect to voting? How do you reach the right mix? It's a concern also on the cyber security legislation being developed on the Hill now.
>> Yeah. So first off, I believe it's my
8:23 pm
job to solve every problem with technology, right? So, you know, it kind of pains me to say, wait, we have to be cautious here. So one of the things that we need to do in the cyber security world: for 20 years we have been striving for what we call 100% security. We need to lock down everything. We need to control everything. Be 100% secure. Yet no system, no operation ever is 100% secure. Even the companies that spend the most money -- take a look at Google. The most modern data center with the smartest people, hacked. So we need to move -- you said the key word -- risk. We need to look at this from a risk standpoint, and measure the amount of risk that a system or application is presenting and make sure we're operating within an acceptable
8:24 pm
level of risk. We have to move to this risk discussion, but, you know, so you move to now -- I believe we have to move to online voting. I can't wait for the day when I'm sitting at my desk and I can place my vote and not be figuring out how to go to the local church or get away from work or worry about the absentee ballot. I have this; I should be able to vote with this. We just need to make sure this is me. Right? We need to make sure this is me. We need to make sure that when I submit my vote, the integrity of it is well protected. And I think there's risk in all those steps along the way, but there are things we can do to mitigate it. Then what we're doing, we have tools that say, how do we look at the risk at all the touch points in this process? And how do we collate or collect them together and score a risk score over an overall business? One of the things we're
8:25 pm
advocating: online businesses will have to present to you a risk score before you actually conduct business with them. Because today we go to sites, we have no idea what their security is. But we'd like to see a risk score. I think the same will happen in this sector. Yes, sir?
>> So I hear people promote open source, open code, that that's the key to security. But does that improve security, or does that just tell the bad guys how to get in?
>> Good question. Not a good answer to that. So the notion of open source is basically, instead of, you know, vendors creating code and then selling it to, you know, IT organizations that then build things, there's a lot of open source, or think of it as freeware code, that's out there, that the community develops and puts in place. And open source is being used in lots of areas of security.
8:26 pm
But you also are working with a community of developers that you don't necessarily know. So I think there's a balance. The great thing about open source code is it improves the productivity of IT development shops to get access to this code and not recreate a lot of things. You actually produce applications a lot quicker. What we do is we sponsor an organization called the Zero Day Initiative. And what the Zero Day Initiative does is, there's 1,650 independent researchers around the world who take code, and a lot is open source code, a lot is commercial off-the-shelf code. They look for vulnerabilities in that code. And if they discover a new vulnerability, it's called a zero-day vulnerability. They actually submit that to this organization called the
8:27 pm
ZDI. We test it. We validate it, and if it is a true first-time discovery, we write that individual a check, typically $3,000 to $5,000. This is how they make their living. Then we notify the organization that this needs to be closed. They have six months to close it out. Why is it so important? You remember reading about Stuxnet, the cyber attack on the Iranian nuclear facility? That took care of four zero-day vulnerabilities in the Windows operating system, and that code, which is tremendous how that whole attack happened -- love to take you through it. But the four vulnerabilities didn't need to be all used or taken advantage of. Any one of them allowed them to get their attack and find their way to basically the centrifuge within this air-gapped nuclear facility in Iran. So I think, you know, testing open source code and putting protections in place is something we need to do.
8:28 pm
A question there? No. Yes, please. There's a mic right to your left.
>> Hi, it's an older technology, but what about voter registration by fax? How's the security with that?
>> Anything by fax is not very secure. Yeah. Anything by fax is not very secure. And this, you know, this goes into privacy, right? As we collect voter information, we're collecting privacy data about them, whether it's addresses or whatnot. We do need to secure that. Fax transmissions are just not very secure. Yes? Yes, sir?
8:29 pm
>> In regards to -- [inaudible].
>> Yeah, so the question is, as we go towards the holy grail of electronic voting and remote voting, what are the greatest challenges? Is it technology, is it process? Is it politics? Right? So what do I see as the greatest challenges? In -- it doesn't just come to voting, but it comes to every single type of process that you're trying to automate that has an element of risk with it. We believe it goes people, process and then technology. The technology is actually pretty strong, the security technology that's out there. It is actually a lit -- a lot of great technology. We don't need more security techno.