Cyberwarfare

Cyberwarfare raises issues of growing national interest and concern.

Cyberwarfare can be used to describe various aspects of defending and attacking information and computer networks in cyberspace, as well as denying an adversary’s ability to do the same. Some major problems encountered with cyber attacks, in particular, are the difficulty in determining the origin and nature of the attack and in assessing the damage incurred.

A number of nations are incorporating cyberwarfare as a new part of their military doctrine. Some that have discussed the subject more openly include the United Kingdom, France, Germany, Russia, and China. Many of these are developing views toward the use of cyberwarfare that differ from those of the United States, and in some cases might represent national security threats.

Cyberterrorism is also an issue of growing national interest. Many believe terrorists plan to disrupt the Internet or critical infrastructures such as transportation, communications, or banking and finance. It does seem clear that terrorists use the Internet to conduct the business of terrorism, but on closer inspection it is not clear how or whether terrorists could use violence through the Internet to achieve political objectives.

Although the U.S. government is striving to consolidate responsibility for and focus more attention on cyberwarfare issues, it is not clear how successful those efforts will be. Congress may choose to examine critically the policies, organization, and legal framework that guide executive branch decisionmaking on issues of cyberwarfare.

Wednesday, January 20, 2010

F.U.D (fear, uncertainty, and doubt)

In the above “60 Minutes” video, correspondent Steve Kroft spoke with former and current US government officials and private-sector security experts about the nation’s vulnerability to cyber attack.

“If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker,” Retired Admiral Mike McConnell told Kroft.

To most IT professionals, this revelation isn’t, or at least shouldn’t be, news. Before joining TechRepublic 10 years ago, I worked for a regulated utility–a power company. Even then, before anyone was seriously pushing a “smart grid,” we were keenly aware of digital threats to our organization. But just because IT is aware of a threat doesn’t mean the business is dedicated to addressing it. Corporate management is usually most focused on maximizing profit. (I am not referring to my former employer, but making a general statement about the disconnect that often occurs between IT staff and corporate leadership.)

In fact, this disconnect isn’t confined to IT or even the corporate world. Whenever you have individuals or groups with different and/or competing interests, disconnects are common. Yet it is IT’s job to help protect the organization from cyber threats, and in many cases the stakes are too high to allow a communication gap, lack of understanding, or just pure apathy to prevent good security.

Part of IT’s security mission must therefore be to educate the greater community about relevant security threats and convince them to take or approve the necessary countermeasures. It’s the second goal that’s often the most difficult. Even your best descriptions of DoS attacks, rootkits, SQL injection attacks, social engineering, and all the other threats we face can fall on deaf ears unless you impress upon your audience the consequences of inaction. This is when fear can help.

Fear does not equal F.U.D (fear, uncertainty, and doubt)

Whether you’re trying to convince senior management to ban USB drives or your three-year old not to touch the stove, fear is a powerful motivator. Yet, fear is a double-edged sword. If used inappropriately fear will win you more enemies than supporters and can undermine your ultimate goal of improved security. Therefore, I recommend the following guidelines:

1. Avoid the hype. Be truthful and realistic. Don’t make outlandish or unsubstantiated claims of IT destruction and massive financial loss, if the threats you’re discussing aren’t likely to cause such outcomes. Present the threat as you understand it, explain the likelihood of occurrence, and describe your organization’s level of exposure.
2. Temper fear with solutions. Once you’ve explained a threat, follow up with your best recommendations on how to mitigate it. Your goal is to motivate the audience into changing their behavior or giving their approval for an action, not merely to scare them. And don’t come in with an all-or-nothing plan. Be prepared to offer a range of mitigation options, which vary in scope and cost.
3. Don’t overuse fear. Remember the tale of the boy who cried wolf? If you constantly predict IT catastrophes that never materialize, your audience will eventually stop listening to you.
4. Focus on an audience who can act. Narrowly target your message to those who can address the threat or have significant influence over those who can. Inducing fear in those who can’t benefit from point 2 is counterproductive.

Is fear effective?

Yet, not everyone agrees that fear is an effective motivator. In April 2009, I published a ZDNet video on the possibility of a digital Pearl Harbor event. On the video, Bruce Schneier, noted cryptographer and Chief Security Technology Officer of BT Counterpane, suggests IT is better off avoiding fear as a motivator. “We’re better as an industry, if we don’t stoke fear, if we don’t talk about the digital Pearl Harbor. People turn off from that,” Schneier said.

I agree with Schneier’s statement that IT shouldn’t “stoke” people’s fears unnecessarily–see all my above points. But I still think a little fear can be a powerful motivator. And remember, all fear isn’t created equal. Rationally explaining the negative consequences of not upgrading your network’s intrusion detection system is a far cry from yelling fire in a crowded theater. What do you think?

War Against Computer

Companies Fight Endless War Against Computer Attacks

Published: January 17, 2010

The recent computer attacks on the mighty Google left every corporate network in the world looking a little less safe.

"Fighting computer crime is a balance of technology and behavioral science,” said Edward M. Stroz, a former agent with the F.B.I.

Google’s confrontation with China — over government censorship in general and specific attacks on its systems — is an exceptional case, of course, extending to human rights and international politics as well as high-tech spying. But the intrusion into Google’s computers and related attacks from within China on some 30 other companies point to the rising sophistication of such assaults and the vulnerability of even the best defenses, security experts say.

“The Google case shines a bright light on what can be done in terms of spying and getting into corporate networks,” said Edward M. Stroz, a former high-tech crime agent with the F.B.I. who now heads a computer security investigation firm in New York.

Computer security is an ever-escalating competition between so-called black-hat attackers and white-hat defenders. One of the attackers’ main tools is malicious software, known as malware, which has steadily evolved in recent years. Malware was once mainly viruses and worms, digital pests that gummed up and sometimes damaged personal computers and networks.

Malware today, however, is likely to be more subtle and selective, nesting inside corporate networks. And it can be a tool for industrial espionage, transmitting digital copies of trade secrets, customer lists, future plans and contracts.

Corporations and government agencies spend billions of dollars a year on specialized security software to detect and combat malware. Still, the black hats seem to be gaining the upper hand.

In a survey of 443 companies and government agencies published last month, the Computer Security Institute found that 64 percent reported malware infections, up from 50 percent the previous year. The financial loss from security breaches was $234,000 on average for each organization.

“Malware is a huge problem, and becoming a bigger one,” said Robert Richardson, director of the institute, a research and training organization. “And now the game is much more about getting a foothold in the network, for spying.”

Security experts say employee awareness and training are a crucial defense. Often, malware infections are a result of high-tech twists on old-fashioned cons. One scam, for example, involves small U.S.B. flash drives, left in a company parking lot, adorned with the company logo. Curious employees pick them up, put them in their computers and open what looks like an innocuous document. In fact, once run, it is software that collects passwords and other confidential information on a user’s computer and sends it to the attackers. More advanced malware can allow an outsider to completely take over the PC and, from there, explore a company’s network.

With this approach, the hackers do not need to break through a company’s network defenses because a worker has unknowingly invited them inside.

Another approach, one used in the Google attacks, is a variation on so-called phishing schemes, in which an e-mail message purporting to be from the recipient’s bank or another institution tricks the person into giving up passwords. Scammers send such messages to thousands of people in hopes of ensnaring a few. But with so-called spear-phishing, the bogus e-mail is sent to a specific person and appears to come from a friend or colleague inside that person’s company, making it far more believable. Again, an attached file, once opened, unleashes the spy software.

Other techniques for going inside companies involve exploiting weaknesses in Web-site or network-routing software, using those openings as gateways for malware.

To combat leaks of confidential information, network security software looks for anomalies in network traffic — large files and rapid rates of data transmission, especially coming from corporate locations where confidential information is housed.
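The anomaly rules the article describes (large outbound transfers, fast transfer rates, extra weight for hosts in the network segment that holds confidential data) are easy to state but worth seeing over actual records. The following is an added example, not code from the article or from any product it mentions: it runs those rules over a constructed set of NetFlow-style records. The sensitive subnet, the internal address ranges, the thresholds and the sample flows are all assumptions chosen for the demonstration.

```python
"""Flag possible exfiltration in outbound flow records (added example).

Three rules, all assumptions for this demo:
  * a single outbound flow carrying an unusually large number of bytes,
  * a single outbound flow with an unusually high sustained byte rate,
  * one internal host whose outbound total over the window is unusually large.
A flow whose source sits in the "sensitive" subnet gets an extra tag.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MiB = 1024 * 1024

# Assumed internal ranges (RFC 1918). Explicit list rather than
# ip_address().is_private, because Python also treats the documentation
# ranges used below as "private".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Assumption: the file-server subnet that houses confidential data.
SENSITIVE_NET = ip_network("10.20.0.0/24")
# Assumed thresholds.
LARGE_FLOW_BYTES = 50 * MiB      # one flow this big is suspicious
FAST_RATE_BPS = 5 * MiB          # bytes/second sustained over the flow
HOST_TOTAL_BYTES = 200 * MiB     # per-host outbound total for the window


@dataclass
class Flow:
    src: str
    dst: str
    out_bytes: int
    duration_s: float


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_flow(flow: Flow) -> list:
    """Return the rule names a single outbound flow trips (empty if none)."""
    if is_internal(flow.dst):
        return []                      # internal-to-internal traffic is out of scope here
    reasons = []
    if flow.out_bytes >= LARGE_FLOW_BYTES:
        reasons.append("large_transfer")
    rate = flow.out_bytes / max(flow.duration_s, 0.001)
    if rate >= FAST_RATE_BPS:
        reasons.append("fast_rate")
    if reasons and ip_address(flow.src) in SENSITIVE_NET:
        reasons.append("sensitive_source")
    return reasons


def find_anomalies(flows: list) -> list:
    """Per-flow alerts first, then per-host volume alerts: (src, dst, reasons)."""
    alerts = []
    per_host = defaultdict(int)
    for flow in flows:
        if not is_internal(flow.dst):
            per_host[flow.src] += flow.out_bytes
        reasons = score_flow(flow)
        if reasons:
            alerts.append((flow.src, flow.dst, reasons))
    for host, total in per_host.items():
        if total >= HOST_TOTAL_BYTES:
            alerts.append((host, "*", ["host_volume"]))
    return alerts


# Constructed sample records; external destinations use documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "203.0.113.7", 120 * MiB, 10.0),   # big, fast, from sensitive subnet
    Flow("10.30.1.4", "198.51.100.9", 2 * MiB, 60.0),      # ordinary browsing
    Flow("10.30.1.4", "10.20.0.15", 500 * MiB, 100.0),     # internal copy, ignored
    Flow("10.30.1.4", "192.0.2.10", 60 * MiB, 120.0),      # large but slow
] + [Flow("10.30.1.9", "203.0.113.50", 45 * MiB, 100.0)    # many mid-size flows
     for _ in range(5)]                                    # that add up per host

if __name__ == "__main__":
    for src, dst, reasons in find_anomalies(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

The per-host rule is the one that catches a slow leak split into many flows that individually stay under the single-flow thresholds; in practice the thresholds would be set from a baseline of that host's normal traffic rather than fixed constants.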

“Fighting computer crime is a balance of technology and behavioral science, understanding the human dimension of the threat,” said Mr. Stroz, the former F.B.I. agent and security investigator. “There is no law in the books that will ever throw a computer in prison.”

As cellphones become more powerful, they offer new terrain for malware to exploit in new ways. Recently, security experts have started seeing malware that surreptitiously switches on a cellphone’s microphone and camera. “It turns a smartphone into a surveillance device,” said Mark D. Rasch, a computer security consultant in Bethesda, Md., who formerly prosecuted computer crime for the Justice Department.

Hacked cellphones, Mr. Rasch said, can also provide vital corporate intelligence because they can disclose their location. The whereabouts of a cellphone belonging to an investment banker who is representing a company in merger talks, he said, could provide telling clues to rival bidders, for example.

Security experts say the ideal approach is to carefully identify a corporation’s most valuable intellectual property and data, and place it on a separate computer network not linked to the Internet, leaving a so-called air gap.

“Sometimes the cheapest and best security solution is to lock the door and don’t connect,” said James P. Litchko, a former government security official who is a manager at Cyber Security Professionals, a consulting firm.

Some companies go further, building “Faraday cages” to house their most critical computers and data. These cages typically have a metal grid structure built into the walls, so no electromagnetic or cellphone transmissions can come in or out. Defense contractors, aerospace companies and some automakers have built Faraday cages, named for the 19th-century English scientist Michael Faraday, who designed them to shield electrical devices from lightning and other shocks.

But in the Internet era, isolationism is often an impractical approach for many companies. Sharing information and knowledge with industry partners and customers is seen as the path to greater flexibility and efficiency. Work is routinely done by far-flung project teams. Mobile professionals want vital company data to be accessible wherever they are.

Most of that collaboration and communication is done over the Internet, increasing the risk of outside attacks. And the ubiquity of Internet access inside companies has its own risks. In a case of alleged industrial theft that became public recently, a software engineer at Goldman Sachs was accused last year of stealing proprietary software used in high-speed trading, just before he left for another firm. The engineer, who pleaded not guilty, had uploaded the software to a server computer in Germany, prosecutors say.

The complexity of software code from different suppliers, as it intermingles in corporate networks and across the Internet, also opens the door to security weaknesses that malware writers exploit. One quip among computer security experts is: “The sum of the parts is a hole.”

But, security experts say, the problem goes well beyond different kinds of software not playing well together. The software products themselves, they say, are riddled with vulnerabilities — thousands of such flaws are detected each year across the industry. Several weaknesses, it seems, including one in the Microsoft Internet Explorer browser, were exploited in the recent attacks on Google that were aimed at Chinese dissidents.

The long-term answer, some experts assert, lies in setting the software business on a path to becoming a mature industry, with standards, defined responsibilities and liability for security gaps, guided by forceful self-regulation or by the government.

Just as the government eventually stepped in to mandate seat belts in cars and safety standards for aircraft, says James A. Lewis, a computer security expert at the Center for Strategic and International Studies, the time has come for software.

Mr. Lewis, who advised the Obama administration about online security last spring, recalled that he served on a White House advisory group on secure public networks in 1996. At the time, he recommended a hands-off approach, assuming that market incentives for the participants would deliver Internet security.

Today, Mr. Lewis says he was mistaken. “It’s a classic market failure — the market hasn’t delivered security,” he said. “Our economy has become so dependent on this fabulous technology — the Internet — but it’s not safe. And that’s an issue we’ll have to wrestle with.”

Crown jewels of Google, Cisco Systems or any other technology company

Fearing Hackers Who Leave No Trace
By JOHN MARKOFF and ASHLEE VANCE

MOUNTAIN VIEW, Calif. — The crown jewels of Google, Cisco Systems or any other technology company are the millions of lines of programming instructions, known as source code, that make its products run.

If hackers could steal those key instructions and copy them, they could easily dull the company’s competitive edge in the marketplace. More insidiously, if attackers were able to make subtle, undetected changes to that code, they could essentially give themselves secret access to everything the company and its customers did with the software.

The fear of someone building such a back door, known as a Trojan horse, and using it to conduct continual spying is why companies and security experts were so alarmed by Google’s disclosure last week that hackers based in China had stolen some of its intellectual property and had conducted similar assaults on more than two dozen other companies.

“Originally we were saying, ‘Well, whoever got it has the secret sauce to Google and some 30 other California companies, and they can replicate it,’ ” said Rick Howard, director of security intelligence at VeriSign iDefense, which helped Google investigate the Chinese attacks. “But some of the more devious folks in our outfit were saying, ‘Well, they could also insert their own code — and they probably have.’ ”

For example, a foreign intelligence agency might find it extremely useful to know who was asking particular questions of Google’s search engine.

Security researchers took particular interest in the fact that the Silicon Valley company Adobe Systems was one of the companies hit by the recent wave of attacks.

Computer users around the globe have Adobe’s Acrobat or Reader software sitting on their machines to create or read documents, and Adobe’s Flash technology is widely used to present multimedia content on the Web and mobile phones.

“Acrobat is installed on about 95 percent of the machines in the world, and there have been a lot of vulnerabilities found in Flash,” said Jeff Moss, a security expert who sits on the Homeland Security Advisory Council. “If you can find a vulnerability in one of these products, you’re golden.”

Products from Microsoft, including Windows, Office and Internet Explorer, have long been favored targets for hackers because so many people use them. But McAfee, a leading software security firm, predicts that Adobe’s software will become the top target this year, as Microsoft has improved its products after years of attacks and Adobe’s software has become ubiquitous.

Adobe said it was still investigating the attacks but so far had no evidence that any sensitive information had been compromised.

Brad Arkin, the director of product security at Adobe, said the company generally expected to face increasing attention from hackers given the growing popularity of its products. But he added that the company employed industry-leading practices to respond to threats. “The security of our customers will always be a critical priority for Adobe,” he said.

Given the complexity of today’s software programs, which are typically written by teams of hundreds or thousands of engineers, it is virtually impossible to be perfectly confident in the security of any program, and tampering could very well go undetected.

Companies are understandably reluctant to discuss their security failures. But one notable episode shows just how damaging the secret tampering with source code can be.

Before the 2004 Summer Olympics in Athens, an unidentified hacker inserted secret programs into four telephone switching computers operated by the Vodafone Group, the world’s largest cellphone carrier. The programs created a clandestine tapping system that allowed unknown snoops to eavesdrop on cellphone calls and track the location of about 100 prominent Greek citizens, including then-Prime Minister Kostas Karamanlis, military officials, the mayor of Athens, activists and journalists.

The infiltration was uncovered in a government investigation after a Vodafone engineer was found dead in 2005 under suspicious circumstances.

Although the recent round of attacks against Google and other companies appears to have come from China, the threat is not limited to that country, according to computer security researchers. A host of nations, private corporations and even bands of rogue programmers are capable of covertly tunneling into information systems.

“Our conventional military dominance drives our adversaries to cheat, lie and steal,” said James Gosler, a fellow at Sandia National Laboratories and a visiting scientist at the National Security Agency, in a speech last year to Pentagon employees. “The offensive technical capability to play this game is well within the reach of the principal adversaries of the United States. In fact, one could argue that some of our adversaries are better at this game than we are.” Over the years, Chinese attackers have shown the most interest in military and technology-related assets, leaving assaults on financial systems to hackers in Russia and Eastern European countries.

A look at the source code of software at a company like Adobe or Cisco can help attackers find new ways to burrow into products before the companies can fix errors in their software. In addition, the hackers can gain insights into how to insert their own code into the software so that they can have ready access to machines down the road. “One of the U.S. government’s biggest worries is that the attackers will place that source code back into products,” said George Kurtz, the chief technology officer at McAfee.

For example, the widespread appearance of counterfeit Cisco routers, which direct traffic on computer networks, has become a major concern in recent years.

Cisco is required by law to include technology in its networking products that allows investigators to tap the hardware for information. The fear is that a country like China could sell counterfeit routers containing slightly modified software that would allow hackers to dial into the systems. “That could provide the perfect over-the-shoulder view of everything coming out of a network,” Mr. Moss said.

A Cisco spokesman, Terry Alberstein, said that the company had extensively tested counterfeit Cisco routers. “We have not found a single instance of software or hardware that was modified to make them more vulnerable to security threats,” he said.

Alan Paller, director of research at the SANS Institute, a security education organization, said American technology companies had gotten better about protecting their most prized intellectual property by creating more complex systems for viewing and changing source code. Such systems can keep a detailed account of what tweaks have been made to a software product.

But such security can be undermined by employees who open malicious files sent to them in e-mail, said Mr. Kurtz. “One of the greatest vulnerabilities remains the people element,” he added.

Popular account password Hack Me Please

If Your Password Is 123456, Just Make It HackMe

Published: January 20, 2010

Back at the dawn of the Web, the most popular account password was “12345.”


Today, it’s one digit longer but hardly safer: “123456.”

Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)

The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.

“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”

Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to trick the system, by making guesses at an acceptable rate, for instance.

To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.
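The two controls mentioned above, refusing the most common passwords at sign-up and throttling failed logins, are small pieces of code, and the article's own point about attackers pacing their guesses shows why a per-account lockout alone is not enough. The following is an added example and not code from the article, Twitter, Imperva or RockYou: a password policy check against a constructed stand-in for a common-password list, plus a sliding-window throttle that counts failures both per account and per source address, so a client that spreads a few guesses across many accounts is still limited. The blocklist entries, minimum length and limits are assumptions.

```python
"""Common-password rejection and login throttling (added example)."""
import time
from collections import defaultdict, deque

# Constructed stand-in for a "most common passwords" list, seeded with the
# entries the article names; a real deployment loads thousands of entries.
COMMON_PASSWORDS = {"123456", "12345", "password", "abc123", "iloveyou",
                    "qwerty", "princess"}
MIN_LENGTH = 8                       # assumption
TRAILING_JUNK = "0123456789!@#$%^&*."  # suffixes people add to a common word


def check_password(password: str) -> list:
    """Return the policy violations for a candidate password (empty = accepted)."""
    problems = []
    norm = password.strip().lower()
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if norm in COMMON_PASSWORDS:
        problems.append("common_password")
    else:
        # "password1!" is still "password" with decoration on the end.
        stripped = norm.rstrip(TRAILING_JUNK)
        if stripped != norm and stripped in COMMON_PASSWORDS:
            problems.append("common_password_variant")
    return problems


class LoginThrottle:
    """Sliding-window failure counters keyed per account and per source.

    The per-account limit stops repeated guessing against one account; the
    per-source limit catches one client making a few guesses each against
    many accounts, which a per-account counter alone never sees.
    """

    def __init__(self, per_account=5, per_source=20, window_s=900,
                 clock=time.monotonic):
        self.per_account = per_account
        self.per_source = per_source
        self.window_s = window_s
        self.clock = clock               # injectable for deterministic tests
        self.account_fail = defaultdict(deque)
        self.source_fail = defaultdict(deque)

    def _prune(self, timestamps: deque, now: float) -> None:
        while timestamps and now - timestamps[0] > self.window_s:
            timestamps.popleft()

    def allowed(self, account: str, source: str) -> bool:
        """Should this login attempt be processed at all?"""
        now = self.clock()
        acct, src = self.account_fail[account], self.source_fail[source]
        self._prune(acct, now)
        self._prune(src, now)
        return len(acct) < self.per_account and len(src) < self.per_source

    def record_failure(self, account: str, source: str) -> None:
        now = self.clock()
        self.account_fail[account].append(now)
        self.source_fail[source].append(now)

    def record_success(self, account: str) -> None:
        # A correct login clears the account's counter, never the source's.
        self.account_fail.pop(account, None)


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "correct horse battery"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Only the outcome of `allowed()` should differ for a throttled attempt; the response text and timing should look the same as an ordinary wrong-password reply, so the throttle itself does not reveal which accounts exist.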

Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place.

Even commercial sites like eBay must weigh the consequences of freezing accounts, since a hacker could, say, try to win an auction by freezing the accounts of other bidders.

Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123” and “password.”

Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?

Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”

Google's Secret Struggles With Chinese

Inside Google's Secret Struggles With Chinese Cyber Power

U.S. intelligence officials have concluded that December's mass cyber attack against 33 American companies was most likely the result of a coordinated espionage campaign endorsed by the Chinese government.

Google's revelation that they'd been hit was deemed a "watershed" moment by security industry analysts, but the other 32 companies who were hit have not followed suit and have begged the government to keep their identities a secret. The government has no choice but to protect their identities -- even as U.S. policy encourages greater transparency about the scope of such attacks.

The attackers exploited security vulnerabilities in at least two widely used software programs to gain information about dissidents as well as proprietary information. Reports suggest that the penetration of Google allowed the hackers to get a good look at how the FBI and the National Security Agency sift through information gleaned from warrants served to Google.

"The recent cyber intrusion that Google attributes to China is troubling and the U.S. government is looking into it," said Nicholas Shapiro, a White House spokesperson. "We read Google's statement and are strongly opposed to the practices it describes, particularly the illicit targeting of private email accounts for political reasons. We welcome Google's decision to discontinue censorship of search results on google.cn. The United States has frequently made clear to the Chinese our views on the importance of unrestricted Internet use, as well as cyber-security. We look to the Chinese for an explanation of what happened," he said.

On Thursday, Secretary of State Hillary Clinton will speak on cyber power and she is expected to address, in some fashion, the attack. Administration officials have said that a variety of responses are on the table, including the lodging of a formal protest to a request to the World Trade Organization to investigate. Behind the scenes, there is panic in the cyber world.

"Some people hint by saying these attacks are from China, that they are very sophisticated, and that the attackers are looking for information from Chinese human rights advocates," a U.S. official said. "What is left unsaid is that the attacks are likely sponsored by the Chinese government."

Officially, Google has no contact with Chinese authorities about censorship. Unofficially, it has engaged in a war of attrition with the government. In March of 2009, China blocked YouTube from being accessed in the country and never acknowledged its action. The reasons for its decision were spurious. Traffic dropped off dramatically. And then, half a way later, YouTube access in China was suddenly restored. In September, YouTube was taken away again -- and the presence of pornography was cited as the reason. Google could not find the pornography. Porn -- and national security information -- seem to be the de facto public excuses that China provides for its capricious and unpredictable censorship.

James Fallows has provided us with an extensive examination of how China censors the net. Google's experience brings to light some new details, and reveals the banality of the entire enterprise. According to sources with knowledge of the process, the State Council Information Office sends lists of censored sites and words to companies operating search engines. The companies passively accept the lists. If there are small updates, Chinese officials will communicate via instant messenger to companies to keep them up to date on the latest banned sites. In China, this process itself is considered a state secret. Any active role that China plays in banning IP addresses directly is denied -- the world's worst kept secret is the existence of the Great Firewall.

Prove it to yourself. Go to this Web site. It allows you to experience what search is like for the Chinese. I tried it out -- and about half of the websites I was browsing are suddenly no longer available.

Google-dot-com is available in China and is not filtered on the back end. Google's China site, Google.CN, is subject to the laws of the local authority. On Google.com, the Chinese government cannot prevent Google from returning search results. But clicking on those results often leads to content that is not available. As Fallows has explained, the government employs "packet sniffing" after the Google search results come back through the firewall to weed out objectionable content. China has variously blocked Google's basic search engine, Gmail, a proprietary music search and other Google apps -- often for hours, sometimes for days, without explanation or comment. In July, China publicly accused Google of providing links to pornography; Google responded by voluntarily disabling several of its high-profile search features.

There are at least seven different agencies responsible for Internet policing in China. They often fight with one another for bureaucratic territory. Companies like Google are left to their own devices to figure out how to comply with the law--and whatever specific emanations the law requires. Google employees in China really never know what they can and cannot do. Violating the law means, potentially, prison.

Soon after Google's announcement last week, reports circulated that Google had stopped filtering its Google.CN site; that would directly violate Chinese law. Not true. The truth is more insidious. Enterprising consumers decided to see if results that were previously blocked had suddenly become unblocked. Somehow, pictures of the Tiananmen Square massacre were able to be accessed. Google unblocked! But no -- in this case, Google hadn't done anything. There were no changes to the filter and no updates that day. The truth is that, in this instance, the Chinese users of the Google.CN domain were censoring themselves; it had not occurred to them to search for such pictures before. To be clear, Google.CN is censored (by Google, "voluntarily,") but the lack of transparency in the process can grind down the will of even the world's largest Internet company, if not the intellectual interests of millions of Chinese.

Given this context, it's easy to see why Google's had enough.

Then there are the U.S. network security rules of engagement. Defend, don't attack -- unless there's a secret presidential finding, and, to the best of my knowledge, there isn't one on China.

For example, if a U.S. site comes under attack from a Chinese site, the site -- assume it's an intelligence agency -- can defend itself by trying to block the attacks, and it can offensively attempt to figure out who's behind them -- but once that threshold is crossed, it cannot attack the sites. The Chinese have no such rules. In fact, the Chinese government teaches attack techniques to a large group of state-sponsored hackers, and part of the classroom work is for them to conduct actual attacks on sites around the world, including the U.S.

The question is natural: if China is so intent on stealing stuff from us, why haven't we responded?

One, we may well have responded, in ways that are classified. But the U.S. has an extraordinarily complex and vital economic relationship with China - one that China would never compromise. There is no fear among U.S. officials that China would ever mount a crippling cyber attack against U.S. infrastructure, even though they have mapped our electrical grid and probably left behind some malware that could be triggerable at a later date. (For what it's worth, the U.S. has also mapped China's electrical grid.)

China, in fact, needs a secure and stable U.S. infrastructure to do business. (As James Lewis of the Center for Strategic and International Studies puts it, "Since they own Wall Street, the last thing they want to do is crash it.") But China also wants to control the information flowing in and out of its country. In the absence of an international treaty defining what cyber sovereignty consists of, it is hard to figure out the boundaries, much less police them effectively. Third, the U.S. is aware of a debate within the Chinese government about whether it should pursue a globalist or nationalist technology policy; should China depend on the rest of the world for its cyber needs; should it become a part of the grid; should it pursue its activities independently? This is linked to a central organizing question of modern Chinese society: will it be open, modern, forward-looking? Or forever consigned to a second-rate status?

The geopolitics of cyber power suggests that centrally directed government espionage is...tolerated by U.S. officials. A 2007 intrusion, where Chinese hackers broke into classified Department of Defense computer databases, alarmed officials -- but the response, largely, was defensive. There is a reason; ambiguity provides more policy options for the U.S., and the lack of an offensive reaction -- aside from Clinton's comment -- prevents the situation from escalating.

Over the next few weeks, Google will determine whether to suspend its business operations entirely. Very quietly, through intermediaries, it has engaged the Chinese government. The U.S. government is informally advising the company and is being kept in the loop.

Tuesday, January 12, 2010

USB security flaw triggers first FUD laced news cycle of 2010

by Steve Ragan - Jan 12 2010

Now that the cat is out of the bag, and it is known that the authentication method used on certain secure USB devices is broken, there has been a ton of hype and confusion in the news. So much so, that the NIST is now looking into the matter after being dragged into the hype by the press.

Last week, The Tech Herald published a small article on the Kingston announcement that three of their secure USB drives were being recalled after security researchers from SySS discovered a weakness in the method used to authenticate access to the drive. The Kingston drives in question are DataTraveler BlackBox, DataTraveler Secure - Privacy Edition, and the DataTraveler Elite - Privacy Edition.

Soon after Kingston’s announcement, SanDisk and Verbatim announced problems with some of their secure USB drives, each of them impacted by the authentication flaw.

SanDisk says that their Cruzer Enterprise USB drives are impacted, which include the 1GB, 2GB, 4GB, and 8GB versions of the Cruzer Enterprise CZ22, CZ32, CZ38, and CZ46. Verbatim reports that their Corporate Secure USB and Corporate Secure FIPS Edition drives are vulnerable, and both companies are offering fixes to the problem. Kingston is offering technical support as well, but you will need to call them to work out the details.

Once the Kingston story broke, the news slanted towards the fact that secure USB drives were busted, and that “hackers” could access the data contained on them at will. This simply isn’t the case, and despite the blogosphere’s and technical trade’s opinions on the matter, this is not an issue of broken encryption. This is an issue of how authentication is implemented, and why trusting a computer is a bad idea.

For those curious, the flaw discovered by SySS centers on how the listed USB drives access the encrypted data. When you go to decrypt the data you enter a password, which must be checked, before you can do anything with the drives. The process of checking the authentication is the heart of the problem.

Each device vulnerable to the methods detailed in the SySS research has software that will reside on the host computer to verify the password used to decrypt the drive. This software will send an unlock code if the password is correct. The problem is that the unlock code is essentially the same, no matter the vendor or device. SySS developed an application that will skip the process used by the host software to check passwords, and simply send an unlock code. As you can tell by the number of USB drives listed, they had a decent amount of success with their work.
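To make the distinction the article draws concrete, here is a toy model of the two unlock designs, written for this post and not taken from SySS, Kingston, SanDisk or Verbatim. The first class mirrors the pattern described above: the host-side software checks the password and then sends the device a fixed unlock token, so the device cannot tell a genuine check from a skipped one. The second class moves the check into the device, which derives the key from the password itself and has no token path at all. The token value, the PBKDF2 parameters and all class and function names are assumptions made for the illustration.

```python
"""Toy model of two secure-USB unlock designs (added illustration, not vendor or SySS code)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder. The article says the real unlock code was effectively the
# same across vendors, but the actual value is not on the page and is not used here.
STATIC_UNLOCK_TOKEN = b"example-static-unlock-token"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HostVerifiedDrive:
    """The design the article describes: host software checks the password,
    the device merely trusts a fixed token."""

    def __init__(self, password: str) -> None:
        # Password hash lives where the host tool can read it; the device itself never checks it.
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self.unlocked = False

    def host_tool_unlock(self, password: str) -> bool:
        """What the vendor's host software does: check, then send the same token every time."""
        if not hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._pw_hash):
            return False
        return self.device_receive(STATIC_UNLOCK_TOKEN)

    def device_receive(self, token: bytes) -> bool:
        """What the device firmware actually verifies: only that the token matches.
        Nothing here depends on the password, which is the whole problem."""
        self.unlocked = hmac.compare_digest(token, STATIC_UNLOCK_TOKEN)
        return self.unlocked


class DeviceVerifiedDrive:
    """Hardened design: the device derives the key from the password and
    never accepts a bare unlock token from the host."""

    PBKDF2_ROUNDS = 100_000  # assumption; in firmware this is bounded by the device CPU

    def __init__(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        data_key = secrets.token_bytes(32)           # the real data-encryption key
        kek = self._derive_kek(password)
        self._wrapped_key = _xor(data_key, kek)      # stored on the device; useless without the password
        self._check = self._check_tag(kek)           # lets the device reject a wrong password cleanly
        self.unlocked = False

    def _derive_kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.PBKDF2_ROUNDS)

    @staticmethod
    def _check_tag(kek: bytes) -> bytes:
        return hmac.new(kek, b"unlock-check", hashlib.sha256).digest()

    def device_unlock(self, password: str) -> Optional[bytes]:
        """Runs inside the device: yields the data key only for the right password.
        There is no token path, so a host tool that skips its own check has nothing to send."""
        kek = self._derive_kek(password)
        if not hmac.compare_digest(self._check_tag(kek), self._check):
            self.unlocked = False
            return None
        self.unlocked = True
        return _xor(self._wrapped_key, kek)


def compare_designs(password: str = "correct horse") -> dict:
    """Exercise both designs and report which paths end with the drive unlocked."""
    weak = HostVerifiedDrive(password)
    strong = DeviceVerifiedDrive(password)
    results = {
        "host_verified_wrong_password_via_tool": weak.host_tool_unlock("wrong"),
        # The article's point: the token alone unlocks the drive, no password check involved.
        "host_verified_token_without_any_check": weak.device_receive(STATIC_UNLOCK_TOKEN),
        "device_verified_wrong_password": strong.device_unlock("wrong") is not None,
        "device_verified_right_password": strong.device_unlock(password) is not None,
    }
    # The key wrap must round-trip: the same password always recovers the same data key.
    results["device_verified_key_stable"] = strong.device_unlock(password) == strong.device_unlock(password)
    return results


if __name__ == "__main__":
    for name, unlocked in compare_designs().items():
        print(f"{name:42s} unlocked={unlocked}")
```

The lesson is the one the article states: no amount of encryption strength helps if the decision to unlock is made on a host the device cannot trust. In the hardened model the password (or a key derived from it) must reach the device on every unlock, and the device holds nothing that a host could replay in its place.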

This is a design flaw, not a failure in encryption. So when news started to spread that the National Institute of Standards and Technology (NIST) was looking into the matter, more FUD appeared across the wires.

No one thought to ask why NIST is involved, choosing instead to focus on a statement from them that said they are looking into their certification criteria. Most of the recent media reports hinge on the fact that the vendors and products impacted by SySS’s work tout Federal Information Processing Standard (FIPS) 140-2 certification.

Essentially, FIPS is an accreditation standard used to certify encryption algorithms. FIPS 140-2 consists of four levels, most of which deal with the usage of at least one approved encryption algorithm or security function and various degrees of tamper resistance. It is great for a company’s marketing to have a product FIPS certified. At the same time, FIPS is a security guideline, and like other guidelines, such as PCI, FIPS does not mean secure, nor does it promise actual data security.

At no time will FIPS certify that the method used to authenticate the owner of the device is secure. This is up to the manufacturer of the device, and because of that a lot of trust is placed into their hands.

However, scanning the headlines, the larger picture is missing and the focal point of many of the stories online is that three of the larger vendors in the secure USB sector are vulnerable to attack, and as a result, so are their customers. While that is true in a sense, it only skims the surface. Not all of the customers using SanDisk, Verbatim, or Kingston are vulnerable.

Each of the vendors impacted by the SySS research offers other products that can be used for data security. There are other vendors, such as IronKey or SPYRUS, which do not use the vulnerable method of authentication. IronKey for example, never once uses the host system for authentication checks. There is biometric protection as well if you wanted it.

Still, you are better off using TrueCrypt and a regular USB drive if you have to encrypt data. The only problem is, because USB drives are easily lost, stolen, or broken, Enterprise or Government operations ban the use of USB media. Another point missing is that in several of the larger Government agencies, even Enterprise on some levels, they disable USB access completely on the network.

If you have to encrypt something, spend $20.00 on a normal USB drive and use TrueCrypt. If you have to purchase a secure drive, remember that FIPS 140-2 is a great certification for a product to have, but it does not mean proof of data security.

The problems in the authentication processes discovered by SySS are the result of solid research. SySS did a great job, both in how they went about the work and reported it to the public. However, the coverage related to their work is quickly becoming the first FUD-based news cycle for 2010.

SySS Report on Kingston

SySS Report on SanDisk

Read more: http://www.thetechherald.com/article.php/201002/5068/USB-security-flaw-triggers-first-FUD-laced-news-cycle-of-2010