Wednesday, March 27, 2013

Anonymous and society, supposedly anarchy incarnate but is the cake a lie?


Recently Anonymous has been trying to prove to society, and by extension to each individual, that it is more than just a force of anarchy. Its members have started investigating the cyber mysteries that seem to elude authorities. The first instance of this is the following.


"Evidence of a gang rape committed by members of an Ohio high school football team, including video, was, in the way of digital native teenagers today, put online on various social media sites — and was quickly taken down as students began realizing the magnitude of the situation. The activist group Anonymous has been able to find archived and cached versions of the damning content, which may help prosecutors make their case."

Obviously, helping find rapists is a lofty goal, but does this really help erase the sins of their past? The damage Anonymous has done by hacking banks, other businesses and even government records has been astounding. Well, maybe if they pitched in a bit more.

From: http://www.huffingtonpost.com/2013/02/19/anonymous-hackers-chinese-army_n_2717352.html?utm_hp_ref=cybersecurity

An American computer security company released an explosive report Tuesday linking a Chinese military unit to a growing number of cyber attacks against American companies, organizations and government agencies.

But some of those connections -- including profiles of the individual hackers in China -- could not have been made without the work of the hacker group Anonymous, according to the report by the security firm Mandiant.

Security researchers and government officials have long claimed that China is behind a growing number of cyber attacks against American computer networks, a charge that China has repeatedly denied. But Mandiant's 73-page report was unusual in its level of detail, going so far as to profile the identities of three hackers who are believed to be working for the Chinese military. Mandiant said it was able to find connections between two of those hackers and China's People’s Liberation Army by relying on public data first revealed by the hacker group Anonymous.

Their ability to assist with national security will make it interesting to see how and when they are prosecuted for their other offenses. The real question becomes: will groups of online hackers be a force for good or evil in the future?

The Stuxnet attack and legality

Were we in the right?




The Stuxnet attack is one of the first large-scale attacks on critical systems to date. The Stuxnet worm might have gone unnoticed, but unfortunately an employee took the bug home on his laptop. The result was that Stuxnet was unleashed on the world. But why was it developed in the first place?

From: http://www.wired.com/threatlevel/2013/03/stuxnet-act-of-force/

Stuxnet was launched in 2009 and 2010, and possibly 2008 as well, and targeted cascades and centrifuges at the Natanz uranium enrichment plant in Iran. The cyberweapon was reportedly designed by Israel and the U.S. in an effort to set back Iran’s ability to produce a nuclear weapon, though the U.S. has not officially acknowledged its role in the attack. Until the attacks occurred, intelligence agencies speculated that Iran would be able to produce a nuclear weapon by 2010. The attacks by Stuxnet are believed to have set back the program by an estimated three years.

The 300-page legal manual was produced by 20 researchers, including legal scholars and senior military lawyers from NATO countries, with assistance from cybersecurity analysts.


It was thought out, but the question, as always, becomes... were we right? Morality aside, diplomacy functions within a strong worldwide legal framework. Were we legally right? Unfortunately, there just isn't enough data or law yet to establish legality.

James A. Lewis, a researcher at the Center for Strategic and International Studies, said the researchers were getting ahead of themselves and there had not been enough incidents of cyberconflict yet to develop a sound interpretation of the law in that regard.

“A cyberattack is generally not going to be an act of force. That is why Estonia did not trigger Article 5 in 2007,” he said, referring to the coordinated DDoS attacks that took down the computer networks of banks, government agencies and media outlets in Estonia that were blamed on Russia, or hackers sympathetic to the Russian government.

Unfortunately, not only is the legality of cyber warfare not declining, it's getting better:


From: http://www.nextgov.com/cybersecurity/2013/03/yes-cyberattacks-are-perfectly-legal-under-laws-war/62015/

This makes a recent study from a group of NATO experts very, very welcome. Called the Tallinn Manual, it seeks to adapt the existing laws of war to cyberspace, laying down 95 new ideas over 282 pages. Many of them are just common-sense extensions of current international principles: According to one rule, cyberwarriors must take care not to hit the same targets that are off-limits to conventional forces.

...These include civilians, albeit with a crucial caveat: If you’re a civilian who’s decided to join the fight, you become a legitimate target even if you aren’t affiliated with a government or a military.

Unfortunately, this not only makes cyber attacks legal, it means any entity can join in, even civilians. The interesting part is that the Geneva Convention is setting the stage for this instead of preventing it. Hopefully, advances will be made to prevent these kinds of attacks from being legal in the future.

Sometimes a wrench is just a wrench... until it's a bomb

TeamViewer, a great tool for fixing things...

till it's a hacking tool

The TeamViewer application is an awesome tool that allows network administrators to fix problems remotely. Since the inception of it and similar tools, individuals have been able to use remote diagnostic and repair tools to address problems without having to leave their desks. This has led to the IT field having remote centers that can even remove rootkit viruses from computers remotely. However, recently there has been a new application for TeamViewer.

From: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240151544/how-teamspy-turned-legitimate-teamviewer-app-into-cyberespionage-tool.html

TeamSpy is a cyberespionage operation targeting government agencies, businesses, and activists that may stretch back as far as roughly a decade. Many of its victims appear to be from Europe. The crew took advantage of the functionality of the TeamViewer application, which is used for remote control, Web conferencing, desktop sharing, online meetings, and transferring files between computers. The malware installs a version of TeamViewer on infected systems. The attackers then extend TeamViewer's functionality to provide additional stealth, dynamically patching it in memory to remove indications of its presence.

This attack allows complete remote access to and control of individuals' computers. The computer can then be used to remotely access other computers on the network and infect them. This attack was extremely successful in Eastern Europe. Since then, many organizations have asked, "What can I do about this?"

From: http://www.securelist.com/en/blog/208194185/The_TeamSpy_Crew_Attacks_Abusing_TeamViewer_for_Cyberespionage

1. Scan for the presence of the “teamviewer.exe” application.
2. Block access to the known command-and-control domains and IP addresses. (see our full technical paper)
3. Implement a rigid patch-management plan throughout the organization. This operation includes the use of popular exploit kits that targets known desktop software security vulnerabilities.


But this doesn't solve the problem for agencies that actually USE the TeamViewer software currently. What do these organizations do? This tool is a crucial part of their infrastructure. Unfortunately, I don't see a solution coming soon, until TeamViewer patches their software.

iPhones and Smartphones: A Growing Threat to Network Security


With the recent rise of iPods, tablets and smartphones, network security specialists face a whole new way their networks can be compromised. The threat of someone taking data off the network using these storage and mobile computing devices is more obvious than the newer threat of viruses that can spread to iPhones and other smart devices:


The hacker, who calls himself "pod2g" and is best known for jailbreaking iPhones, said Friday that the vulnerability could let an attacker send a message pretending to be from a bank, credit card company or other trusted source.

Because the flaw does not involve code execution, an attacker does not need to get malware past Apple, which approves all mobile apps before they are sold on the App Store, the only legitimate site for downloading software for Apple mobile devices.

Pod2g, a self-professed iPhone security researcher, said the flaw is "severe" and affects all current versions of iOS and iOS 6 beta 4. IOS is the iPhone and iPad operating system.

This is a serious threat to network security. If a virus can be spread by SMS to smartphones, what if it can be spread to computers as well? Then any time a computer had this iPhone plugged into it, even just to download a song, that computer would be infected. How do you manage computer access when these devices are just a USB port away from compromising the security of the whole network?


At the most basic level, companies can monitor the devices that connect to their network. Companies can track which devices connect to their internal systems, which means treating a phone no differently than a laptop, desktop, or server, says Tyler Lessard, chief marketing officer at Fixmo, a mobile-device security firm.

"You can allow any user to access the network, but then say, 'I'm going to watch what devices are coming in, and if any of them look like they are potentially malicious or bad, then I might go out and react to it,'" Lessard says.

This most basic level of monitoring has the benefit of being inexpensive. The necessary data could be culled from firewall logs, but companies would benefit from more tailored systems designed to alert in real time.

Unfortunately, as stated above, firewalls aren't the most reliable form of security. So network admins are looking for new tools to deal with this.  

Traveling further up the security food chain, companies can focus on both the users and the devices. Companies that do not allow their users to access sensitive data on their devices--limiting access, say, to ActiveSync's e-mail and calendar services--could potentially just register each device with a mobile-device management (MDM) system and assign each user a certificate to access the network.

Companies that want to control the devices, but not necessarily the applications on the devices, should require that each user register their device with the MDM software. While turning off access for all unregistered devices may work in theory, IT departments will be more successful using a carrot-and-stick approach: Giving each user, say, 30 days to register their devices before cutting them off, and granting additional benefits--such as VPN access or to users that finish the enrollment process, says Ahmed Datoo, vice product of product marketing at Citrix.

"So there is no way for them to get e-mail unless they enroll their device--that is the stick approach," Datoo says. "You give them a warning, and there is an amnesty period."

Combined with the ability to restrict users to certain data under certain user accounts, restrict ports, and prevent users from using unauthorized devices on the network, this is a very strong solution. The only problem is that this solution isn't cheap. It should come down in cost as Moore's law progresses.
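The device-tracking and 30-day amnesty approach quoted above can be sketched as follows. This is an added example, not code from the quoted articles or any MDM product; the firewall log format, the MAC-address identifier, the enrolled-device set and the function names are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

AMNESTY = timedelta(days=30)   # grace period taken from the quoted guidance
TODAY = date(2013, 3, 10)      # constructed "current date" for the sample run

# Constructed firewall log (assumed format): date, action, source MAC, source IP.
FIREWALL_LOG = """\
2013-02-01 ALLOW mac=00:11:22:33:44:55 src=10.0.5.20
2013-02-03 ALLOW mac=66:77:88:99:aa:bb src=10.0.5.31
2013-03-01 ALLOW mac=00:11:22:33:44:55 src=10.0.5.20
2013-03-10 ALLOW mac=66:77:88:99:AA:BB src=10.0.5.31
2013-03-10 ALLOW mac=de:ad:be:ef:00:01 src=10.0.5.44
"""

# Constructed MDM export: identifiers of devices that finished enrollment.
ENROLLED = {"00:11:22:33:44:55"}


def sightings(log_text):
    """Yield (day, mac) for every log line that carries a MAC address."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if "mac" in fields:
            yield date.fromisoformat(parts[0]), fields["mac"].lower()


def first_seen(log_text):
    """Map each device to the earliest day it appeared on the network."""
    seen = {}
    for day, mac in sightings(log_text):
        if mac not in seen or day < seen[mac]:
            seen[mac] = day
    return seen


def decide(mac, today, seen, enrolled):
    """allow = enrolled, warn = unenrolled but inside amnesty, block = amnesty over."""
    if mac in enrolled:
        return "allow"
    if today - seen.get(mac, today) <= AMNESTY:
        return "warn"
    return "block"


def policy(log_text, enrolled, today):
    """Return the decision for every device observed in the log."""
    seen = first_seen(log_text)
    enrolled = {m.lower() for m in enrolled}
    return {mac: decide(mac, today, seen, enrolled) for mac in sorted(seen)}


if __name__ == "__main__":
    for mac, action in policy(FIREWALL_LOG, ENROLLED, TODAY).items():
        print(mac, action)
```
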

Thursday, March 14, 2013

Visa and credit card theft... oh my!

The relatively recent policy by Visa of fining shops that are compromised is going to court next week. Genesco, a sports and shoe retailer, will be taking Visa to court over the hack of its credit card database that went undetected from 2009 to 2010. More information on this from http://www.computerworld.com/s/article/9237588/Retailer_hauls_Visa_to_court_over_13.3M_fine_for_payment_card_data_breach?taxonomyId=17

After the intrusion was discovered, Visa issued an alert to affected card issuers, informing them that every Visa card that was processed by Genesco over a one-year period between Dec. 2009 and Dec. 2010 had been compromised. Visa later collected a total of $13.29 million in fines from Wells Fargo Bank and Fifth Third Bank, the two "acquiring banks" that had authorized Genesco's participation in the Visa payment system.

Visa insists that the fines are a necessary way of dealing with shops that have lax security, and has built them into its contracts. However, Genesco stated:

None of these situations applied with the 2010 intrusion, Genesco said in its complaint. The company noted that it was fully compliant with PCI requirements at the time of the breach. As required under PCI, no card data was ever stored on Genesco's systems at any time during the intrusion.

But why are all of these rules necessary? Well, unfortunately, credit card theft is way up. From http://krebsonsecurity.com/

Sadly, Social Security numbers and even credit reports are not difficult to find using inexpensive services advertised openly in several cybercrime forums. In most cases, these services are open to all comers; the only limitation is knowing the site’s current Web address (such sites tend to move frequently) and being able to fund an account with a virtual currency, such as WebMoney or Liberty Reserve.

Case in point: ssndob.ru, a Web site that sells access to consumer credit reports for $15 per report. The site also sells access to drivers license records ($4) and background reports ($12), as well as straight SSN and date of birth lookups. Random “fulls” records — which include first, middle and last names, plus the target’s address, phone number, SSN and DOB — sell for 50 cents each. Fulls located by DOB cost $1, and $1.50 if searched by ZIP Code.


These attacks demonstrate that online breaches of databases are not only realistic, they're on the rise and cheap. Should Visa be fining people for this? Maybe; most people do think with their wallets. No matter what, though, this needs to be addressed.

Thursday, March 7, 2013




Social Speaing, I mean Phishing


The idea of social engineering is not unique to computers, and is certainly not new to the world. Con men have been squeezing information out of people with a courteous smile and a willing ear for hundreds of years, and now the internet is starting to see the mixture of con art and coding. This technique is known as phishing. Phishing is defined as a party misrepresenting itself as a reputable third-party site to garner information that compromises one or both parties. If that was too wordy: it's when someone (a con artist) pretends to be someone else (say, your bank) to get information they shouldn't have (your account name, password and routing number). A study by Gartner found that about 1/5 of users had clicked on a phishing link at some point.

Even worse, phishers are getting smarter.  Some are using public records to discern commonly used security questions. As per: http://threatsim.com/2013/01/29/call-it-2013-year-spear-phishing/


We all know that Facebook, LinkedIn, and the Internet in general make it really easy to find personal info that can be used to spear phish your end users. If an attacker is that motivated to get someone at your company, then it’s only a matter of time before they are successful.

Especially with Facebook and MySpace making information so available, the ability to find especially personal information is at an all-time high (thanks, picture of ... Fluffy, that's right, Fluffy was my old dog's name!). A study conducted by Indiana University showed that people who had a lot of information posted on social networking pages were MUCH more vulnerable than other potential victims. They also found that gender had an effect on whether a user would fall for this type of attack, with women typically being more trusting than men.

Basic spoofing combined with this social phishing has led to an alarming rate of compromised users. The victims of these attacks are often incredibly upset once they find out, but often for the wrong reasons. After being contacted by the university that ran the previously referenced study, some victims believed their email had been hacked (how else could we spoof? oh wait, it's really easy), which in fact had not been the case, but they did not have the technical knowledge to understand this. Some went into denial and would not acknowledge that they had been hacked. This is dangerous, as such a user will not correct their behavior to fix the issue. The last reaction is understandable anger at having their privacy violated.


Sadly, these attacks can often be prevented, and the largest part of that is education. With the rise of computers, an ethical or safe computer use class should probably be mandatory in high school, or at the very least in college. Even telling users to check that the URL is correct, and to check for HTTPS, would be a huge step in the right direction. Education beyond this would help users be aware of threats to them and their online identity.

As per: http://newswatch.nationalgeographic.com/2013/03/06/hacking-the-mind-social-engineering/


Earlier today I was listening to one of my favorite podcasts, The Drill Down, and Dwayne D. mentioned how frustrating it is for many people to juggle multiple passwords, especially those that need to change frequently.
One of the other co-hosts suggested using a two-pronged security system, which requires a code to be sent to a device for access. Another suggested using a virtual vault to store passwords behind encryption. Dwayne was skeptical, arguing that access needs to be as simple as possible for users, while still being secure.

The other way to prevent these attacks is to require digitally signed email, so that we can actually tell who is sending what. Another way is to develop software that detects websites that are likely phishing, or even emails that are likely spoofed. This software would not be hard to develop; it could, for example, tell the difference between www.Iightscribe.com and www.lightscribe.com (iightscribe and Lightscribe, if you couldn't tell). Amazon has had a number of attacks conducted against it and its users. I’m sure they’d be all about solving this.
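One way such look-alike detection could work, as an added example that is not code from this post or from any product it mentions. The trusted-domain list, the folding table, the distance threshold and all function names are assumptions, and the sample hostnames are constructed. It goes slightly beyond the capital-I trick by also catching digit swaps, "rn" for "m", and dropped letters.

```python
# Assumed allow-list; a real deployment would load the organization's own domains.
TRUSTED_DOMAINS = ("lightscribe.com", "amazon.com")

# A capital "I" renders like a lowercase "l" in many fonts, so it has to be
# folded before the hostname is lowercased.
CASE_SENSITIVE = {"I": "l"}
# Folded after lowercasing; two-character look-alikes come first.
FOLDS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
MAX_DISTANCE = 2  # assumed tolerance for dropped or swapped letters


def strip_www(host):
    host = host.strip().rstrip(".")
    return host[4:] if host.lower().startswith("www.") else host


def skeleton(host):
    """Reduce a hostname to roughly what a reader sees on screen."""
    text = "".join(CASE_SENSITIVE.get(ch, ch) for ch in strip_www(host)).lower()
    for seen, meant in FOLDS:
        text = text.replace(seen, meant)
    return text


def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]


def classify(host):
    """Return (verdict, trusted_domain_or_None) for one hostname."""
    plain = strip_www(host).lower()
    if plain in TRUSTED_DOMAINS:
        return ("trusted", plain)
    seen = skeleton(host)
    best = None
    for domain in TRUSTED_DOMAINS:
        target = skeleton(domain)
        if seen == target:
            return ("confusable", domain)   # looks identical after folding
        dist = edit_distance(seen, target)
        if dist <= MAX_DISTANCE and (best is None or dist < best[0]):
            best = (dist, domain)
    return ("near-miss", best[1]) if best else ("unknown", None)


def suspicious(hosts):
    """Keep only the hostnames that imitate a trusted domain."""
    return [(h, classify(h)) for h in hosts
            if classify(h)[0] in ("confusable", "near-miss")]


if __name__ == "__main__":
    # Constructed sample hostnames.
    for name in ("www.lightscribe.com", "www.Iightscribe.com",
                 "iightscribe.com", "arnazon.com", "example.org"):
        print(name, classify(name))
```

Hostnames arrive lowercased in DNS and proxy logs, which is why the capital-I case falls back to the edit-distance check there instead of the exact visual match.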

In addition, the industry really does need to be less lazy, per: http://www.infosecurity-magazine.com/view/24356/successful-bank-phishing-attacks-target-compromised-infrastructure/

Agari found that system administrators aid phishing attacks by deploying unprotected infrastructure. Systems administrators could have prevented one-quarter of successful phishing attacks against banks by patching known vulnerabilities, the company judged.

In addition, Agari found that botnets no longer pose a significant phishing threat, with only 0.5% of successful bank phishing attacks sent by botnets.

Realistically, without education, further study and people actually caring, there is no way this problem is going to get solved. As a society, we need to start giving a damn and start educating our end users. Phishing is such a profitable scheme that it sure isn’t going away.


Thursday, February 21, 2013

DDoS attack against small bank

What do you mean the website's down? Oh noes...

The number of companies that have been hit by DDoS attacks is simply astounding.  Now cyber criminals are using a new technique to take advantage of this old way of doing business.  The "Bank of the West" and contracting firm "Ascent Builders" found out the hard way that DDoS attacks are now being used to cover up actual financial fraud and theft.  The way it works is simple:

1)  Hack an account through either social engineering or a software exploit
2)  Access that account and give a fund transfer authorization
3)  Initiate a DDoS attack against the institution, thus making the website unusable for the victim and the bank
4)  Transfer the funds from the original account to another, then another, then another to prevent tracking
5) ???
6) Profit

Well, obviously that ??? isn't necessary, but who doesn't like a good joke? Unfortunately for Ascent Builders, this is not really a funny joke. From the article "DDoS Attack on Bank Hid $900,000 Cyberheist":

But a law enforcement source working the case and speaking on condition of anonymity confirmed that the bank was subjected to a DDoS attack at the time of the robbery. The law enforcement official added that Ascent may not have been the only victim that day at Bank of the West, and that several other businesses and banks in the local area had been similarly robbed on or around Christmas Eve.
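From the bank's side, the pattern described above suggests holding transfers that are authorized while the site is under attack. The following is an added example, not code from the cited article or from any bank; the log format, the 30-minute lead time, the amount threshold, the account and payee names and the function names are assumptions, and all data is constructed.

```python
from datetime import datetime, timedelta

LEAD = timedelta(minutes=30)   # assumed: authorizations just before the flood count too
LARGE = 10000.00               # assumed amount that always gets a second look

# Constructed data: periods when monitoring reported the banking site under DDoS.
DDOS_WINDOWS = [(datetime(2013, 1, 10, 13, 0), datetime(2013, 1, 10, 17, 30))]

# Constructed data: payees each account has paid before.
KNOWN_PAYEES = {"1001": {"PAYROLL-01", "VENDOR-17"}, "2002": {"VENDOR-03"}}

# Constructed transfer log; the line format is an assumption of this example.
TRANSFER_LOG = """\
2013-01-10T09:15:00 acct=1001 payee=VENDOR-17 amount=4200.00
2013-01-10T12:48:00 acct=1001 payee=NEW-9931 amount=95000.00
2013-01-10T13:20:00 acct=1001 payee=NEW-9932 amount=98000.00
2013-01-10T14:05:00 acct=2002 payee=VENDOR-03 amount=1800.00
2013-01-10T18:45:00 acct=2002 payee=NEW-4410 amount=500.00
"""


def parse_transfer(line):
    """Turn one log line into a dict with typed fields."""
    stamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "time": datetime.fromisoformat(stamp),
        "account": fields["acct"],
        "payee": fields["payee"],
        "amount": float(fields["amount"]),
    }


def covering_window(when, windows, lead=LEAD):
    """Return the DDoS window (widened by the lead time) that contains `when`."""
    for start, end in windows:
        if start - lead <= when <= end:
            return (start, end)
    return None


def transfers_to_hold(log_text, windows, known_payees):
    """List transfers made under cover of an outage that look out of pattern."""
    held = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t = parse_transfer(line)
        if covering_window(t["time"], windows) is None:
            continue  # site was reachable; normal controls apply
        reasons = []
        if t["payee"] not in known_payees.get(t["account"], set()):
            reasons.append("new payee")
        if t["amount"] >= LARGE:
            reasons.append("large amount")
        if reasons:
            held.append((t["account"], t["payee"], reasons))
    return held


if __name__ == "__main__":
    for item in transfers_to_hold(TRANSFER_LOG, DDOS_WINDOWS, KNOWN_PAYEES):
        print("HOLD for out-of-band confirmation:", item)
```

Held transfers would be confirmed with the customer over a channel that does not depend on the website, since the flood keeps the victim from seeing the account.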


Unfortunately for these victims, the DDoS attack makes it incredibly hard for the FBI to sort out the traffic on the bank's website and identify the perpetrators. Sadly, these DDoS attacks can be mitigated, and you'd think that a financial institution would try to secure its website. From "DDoS attack methods and how to prevent or mitigate them":

The easiest, although a costly way to defend yourself, is to buy more bandwidth. A denial of service is a game of capacity. If you have 10,000 systems sending 1 Mbps your way that means you’re getting 10 Gb of data hitting your server every second. That’s a lot of traffic. In this case, the same rules apply as for normal redundancy.


In addition, from: http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml

Behind a [corrupt] Client is a person that orchestrate an attack. A Handler is a compromised host with a special program running on it. Each handler is capable of controlling multiple agents. An Agent is a compromised host that runs a special program. Each agent is responsible for generating a stream of packets that is directed toward the intended victim.

Attackers have been known to use these four programs to launch DDoS attacks:
Trinoo
TFN
TFN2K
Stacheldraht

In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts. The hosts are usually Linux and SUN computers; but, the tools can be ported to other platforms as well.

It goes on to say that there are ways to tell if a computer is infected with these viruses, and to deny traffic based on that. These attacks can also be mitigated in other ways, such as:

1) Limiting the number of failed queries allowed by an ISP
2) Getting multiple DNS servers to help handle the increased load
3) Using caching servers, which spare your servers from having to "exchange" even more information for every request
4) Setting up traffic management

Google, as always, is a great resource, and googling "DDoS" or "how to prevent a DDoS" can get you valuable information. In addition, security websites like Dark Reading, or local security professionals, can help get you up to speed. These are just a few ways to educate yourself; obviously, people or businesses really serious about security should contact a professional to help mitigate these attacks immediately.

The Rising Red Threat

China and the Rising Red Cyber Army

Recently we Americans saw the president sign a new executive order authorizing our security personnel to counterattack or preemptively attack threats to American cyber security. While we can definitely see wanting to protect our interests, why has this become a big enough issue that we've needed an executive order to protect us? Didn't the internet start out as a way to securely exchange information for the US military? Unfortunately, we're long past that. Attacks are no longer about money and trade secrets; now it's much more serious:

This is no longer a business issue. For years, victimized American companies preferred to keep quiet, lest they expose their vulnerabilities. But now the government is less comfortable with that silence because the hackers are targeting firms responsible for the American power grid, water supply, and other pieces of critical infrastructure. In one case, “one target was a company with remote access to more than 60 percent of oil and gas pipelines in North America.”

From: http://www.newyorker.com/online/blogs/evanosnos/2013/02/china-hacking-and-north-korea.html#ixzz2LOBjbL3N

The fact that an attack from the internet could deny an area water or electricity, often a life or death matter, is simply unacceptable. This is why action is being taken. Most recently the Chinese have attacked the New York Times and other big American businesses. It used to be that firms wouldn't disclose an attack because they believed it would make them look weak, and typically it was only firms with trade secrets the Chinese wanted. Now, however, it is obviously far worse. It's gotten bad enough that the cyber attacks have spilled over into the media, with the Chinese making a press statement with the following:

A Chinese ministry spokesperson said claims are "unfounded accusations based on preliminary results," and that "China resolutely opposes hacking actions and has established relevant laws and regulations, and taken strict law enforcement measures to defend against online hacking activities.''


Many people don't believe this denial... for logical reasons. To have thousands of attacks come from the same area as a unit of P.L.A. cyber soldiers is a pretty big coincidence, especially in a country known for its "great firewall". A top security firm, the one that discovered where all the attacks came from, responded with:

Mandia even said, "China has a controlled Internet access, everything people do on the Internet is monitored there... So it's hard to believe ... that the Chinese government does not notice thousands of attacks coming from a neighborhood that happens to be co-located with units 61398, it's hard to believe they don't notice."

Long story short: if China has laws that disallow these types of attacks, why hasn't it cracked down on cyber terrorists in the SAME AREA as its own cyber army?

The next few weeks should give us more and more clarity in terms of how the cyber war is going to shape up. I for one am hopeful that it's going to turn into a cold war... rather than computer world war I.

Friday, February 15, 2013

Adobe drops the ball, again...

Feb. 15th 2013


The recent zero-day attacks on Adobe Reader and Acrobat have left many wondering, especially after the recent Flash Player exploit: is Adobe capable of making a secure product? FireEye, a private security firm, reported the malicious attack after observing it on multiple deployments of Adobe: 9.5.3, 10.1.5, 11.0.1. This attack bypasses a built-in sandbox, a mechanism developed to contain and limit the privileges of the Adobe program.

The sandbox is being bypassed with a .pdf that loads two .dll files onto the target computer. The first opens Adobe Reader and displays a false error message; the second opens the malicious .pdf file in the background. At this point, the remote user has access to remotely control some processes on the computer. The company is working quickly to address this, but it is not sure when a fix is going to be finished.

However, the Adobe representative notes that they are still investigating the breach, and there is no official way to deal with it at the moment. Security experts warn not to open any unknown PDF files at this time (not that it's EVER a good idea to open an unknown PDF). The part that shocked this author was the response to this hack even occurring:

Botezatu believes that bypassing the Adobe Reader sandbox is a difficult task, but he expected this to happen at some point because the large number of Adobe Reader installations makes the product an attractive target for cybercriminals. "No matter how much companies invest in testing, they still can't ensure that their applications are bug free when deployed on production machines,"

From: http://www.computerworld.com/s/article/9236751/Zero_day_PDF_exploit_affects_Adobe_Reader_11_and_earlier_versions_researchers_say?taxonomyId=17&pageNumber=2

The fact that this is just normal everyday business for an exploit that allows remote control of a system is shocking, and honestly, I'll be using Foxit Reader, Sumatra reader, or another alternative, since Adobe has been so slow in responding. Even now that they've responded to the hack with the following:

Adobe late yesterday confirmed that two "critical" newly discovered flaws -- CVE-2013-0640, CVE-2013-0641 -- in Adobe Reader and Acrobat XI (11.0.01 and earlier), Acrobat X (10.1.5 and earlier), and Acrobat 9.5.3 and earlier for both Windows and Macintosh could let an attacker wrest control of the victim's machine after crashing the application. The attacks send users an email with a rigged PDF file, bypass the sandbox feature in Adobe Reader 10, and bypass the Protected Mode sandbox in Reader XI.

The software vendor is working on an emergency fix; in the meantime, it recommends that users enable the Protected View setting in Adobe Reader XI and Acrobat XI for Windows.

Telling users to use Protected View is a good idea; however, the fact that it took this long for even a partial workaround is shocking. Another article, "Thanks, Adobe. Protection for critical zero-day exploit not on by default", details how irresponsible this is:

Sadly, as sophisticated as the exploit is, Adobe engineers could have prevented it from succeeding against default configurations of Reader XI had they enabled protected view. Instead, they chose to turn that feature off by default, so the only way users can avail themselves of its benefits is to delve deep into the application settings and manually enable it.

I can't help comparing the move to a car manufacturer that installs airbags in one of its models, but then requires customers to flip a switch before the bags actually inflate during a high-impact crash. Security mitigations are great, but only if they're easily used by the masses.

I especially enjoy that second quote, because essentially it's true. Let's hope Ford doesn't do the same thing with its cars... and let's hope Adobe gives us a reason to have faith, because as is I'm just about out of it.

Thursday, February 14, 2013

President Obama's Cyber Soldiers

Legal Review of President's Cyber Authority: Can he protect us?

02/14/2013

The future of American security could rest on the president's shoulders, or at least so a recent review of Obama's authority over cyber weapons would have us believe. However, while this may allow us to stave off large-scale attacks, similar to DDoS, how does a cyber attack stave off a virus that does not need a coordinated network of computers to function? Can it? This quote is from the article "Broad Powers Seen for Obama in Cyberstrikes" from the New York Times.

The rules will be highly classified, just as those governing drone strikes have been closely held. John O. Brennan, Mr. Obama’s chief counterterrorism adviser and his nominee to run the Central Intelligence Agency, played a central role in developing the administration’s policies regarding both drones and cyberwarfare, the two newest and most politically sensitive weapons in the American arsenal.

As you can see from the quote above, many details of the president's authority, and by extension his ability to protect the public from attacks, are not public information. While secrecy does help in terms of not allowing our enemies to prepare, it cripples at least my confidence and, I would imagine, the public's. The fact that the military is looking out for the public interest is touching, but how much can it do about rogue skilled hackers? The public needs to know, especially in terms of an open source resource like the internet, what the president is doing or planning on doing, so it can give its approval over a shared resource's treatment. Having the non-specific details given to the public, or at least to something like the American IEEE, for feedback would be extremely comforting to the public in my opinion. Unfortunately, given the current state of affairs, there is no way for the public to educate themselves on American cyber-military protocols, because there isn't any real information on them. A quote from the Google News article "US military review backs pre-emptive cyber strikes":

The military and top civilian officials examined scenarios for offensive cyber ops while updating "rules of engagement" for the armed forces, adding the digital realm to the standard battle areas of air, land, sea and space.

"They're trying to normalize cyber as a domain," the official added.


Even the military does not know how it's going to handle all of this at the moment; it's still finalizing its policies. While it is comforting that the military wants to protect us, having a public resource suddenly policed is going to be quite a shock. For example, what if we released a targeted virus on Chinese server clusters, and the virus didn't stay targeted? If a nasty virus created by the US got into the wild, what would be done about the damage? Would there be reparations? What if the US caused a large section of the internet to crash and fail? What if your small business was linked through that portion of the net? What would happen? Again from the New York Times:

While many potential targets are military, a country’s power grids, financial systems and communications networks can also be crippled. Even more complex, nonstate actors, like terrorists or criminal groups, can mount attacks, and it is often difficult to tell who is responsible. Some critics have said the cyberthreat is being exaggerated by contractors and consultants who see billions in potential earnings.

This type of attack could EASILY have collateral damage, so the question isn't really a what if so much as a when. It's a question that we should all be concerned with, and that none of us can really afford to ignore. The better question here is not just what we can do to attack our enemies online, but how to protect ourselves from said attacks. I urge you to read up on modern issues, even if it is something as simple as reading Google technology news. Contact your senators or congressmen and let them know what you think. An informed country is a better country.