Laws, Investigations And Ethics archives - Security Bytes

Security Bytes:

Laws, Investigations and Ethics

Dec 15 2008   12:55PM GMT

Steve Bellovin’s unsparing analysis of the CSIS cyber security report



Posted by: Dennis Fisher
Privacy, Laws, Investigations and Ethics

The recent release of the “Securing Cyberspace for the 44th President” report spawned a flood of analysis and criticism, and much of it was positive and complimentary. I’ve written before about the idea behind this report and the fact that many, if not most, of the recommendations in it can also be found in the National Strategy to Secure Cyber Space, which was released nearly six years ago. That document has been largely ignored and we have all been paying the price in the interim. The federal government’s virtual abandonment of cybersecurity policy in the last eight years has left all of us more vulnerable, and will end up costing the government, and taxpayers, far more money in the long term.

In reading the various analyses of the report, I found that many people were commending the commission for suggestions that either have failed in the past, or have little chance of working now. I ran across Steve Bellovin’s blog post on the report and it came as no surprise that his analysis was right on the money. Bellovin’s as smart as they come, and it’s worth the time to read through his entire post on the report, but in the meanwhile, here are a few key points:

The analysis of the threat environment is, in my opinion, superb; I don’t think I’ve seen it explicated better. Briefly, the U.S. is facing threats at all levels, from individual cybercriminals to actions perpetrated by nation-states. The report pulls no punches (p. 11):

America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. It is, like Ultra and Enigma, a battle fought mainly in the shadows. It is a battle we are losing.

That’s it exactly. In fact, it’s a battle we’re not even fighting right now.

The most important technical point in this report, in my opinion, is its realization that one cannot achieve cybersecurity solely by protecting individual components: “There is no way to determine what happens when NIAP-reviewed products are all combined into a composite IT system” (p. 58). Quite right, and too little appreciated; security is a systems property. The report also notes that “security is, in fact, part of the entire design-and-build process”.

It should be, but that hasn’t been the case in many systems for far too long. Bellovin then skewers what has been the dominant federal strategy for remedying this problem:

The discussion of using Federal market powers to “remedy the lack of demand for secure protocols” is too terse, perhaps by intent. As I read that section (p. 58), it is calling for BGP and DNS security. These are indeed important, and were called out by name in the 2002 National Strategy to Secure Cyberspace. However, I fear that simply saying that the Federal government should only buy Internet services from ISPs that support these will do too little. DNSSEC to protect .gov and .mil does not require ISP involvement; in fact, the process is already underway within the government itself. Secured BGP is another matter; that can only be done by ISPs. However, another recent Federal cybersecurity initiative — the Trusted Internet Connection program — has ironically reduced the potential for impact by limiting the government to a very small number of links to ISPs. Furthermore, given how many vital government dealings are with the consumer and private sectors, and given that secured BGP doesn’t work very well without widespread adoption, U.S. cybersecurity really needs mass adoption. This is a clear case where regulation is necessary; furthermore, it must be done in conjunction with other governments.

Bellovin also criticizes the report for calling on the Obama administration to protect online privacy without providing any guidance as to what that means or how to do it. But he leaves the best for last: the omission of any mention of software security and its cascading effect on system and network security.

The buggy software issue is also the problem with the discussion of acquisitions and regulation (p. 55). There are certainly some things that regulations can mandate, such as default secure configurations. Given how long the technical security community has called for such things, it is shameful that vendors still haven’t listened. But what else should be done to ensure that “providers of IT products and systems are accountable and … certify that they have adhered to security and configuration guidelines?” Will we end up with more meaningless checklists demanding antivirus software on machines that shouldn’t need it? Of course, I can’t propose better wording. Quite simply, we don’t know what makes a system secure unless it’s been designed for security from the start. It is quite clear to me that today’s systems are not secure and cannot be made secure.

Well said.

Dec 1 2008   5:08PM GMT

ICANN transfers EstDomains customers to Directi



Posted by: Dennis Fisher
Network Security, Laws, Investigations and Ethics

After a few delays, ICANN has officially transferred all of the domains that formerly belonged to registrar EstDomains to another registrar in response to EstDomains’ president being convicted of several crimes earlier this year. ICANN, which governs the use of top-level domains and accredits domain registrars, said it is transferring the domains that had belonged to EstDomains over to Directi Internet Solutions. The action comes more than a month after ICANN originally notified EstDomains of its decision to de-accredit the registrar, which is based in Estonia. The company has been linked to a number of malware distributors and has been a target of security researchers and antispam activists for years.

EstDomains was informed on 28 October 2008 that ICANN was terminating the company’s accreditation due to its president’s conviction for credit card fraud, money laundering and document forgery. ICANN stayed that termination following correspondence with EstDomains. However, after further investigation, ICANN decided to go ahead with the termination, effective yesterday, 24 November 2008.

In accordance with the De-Accredited Registrar Transition Procedure, ICANN put out a request for statements of interest from registrars interested in receiving a bulk transfer of the names formerly managed by EstDomains.

As part of that procedure, EstDomains is permitted to designate a gaining registrar. It chose to use that option and identified ICANN-accredited registrar Directi. ICANN reviewed that request and approved it.

Earlier this year, Directi was implicated as helping to control EstDomains, but that report was later dismissed and Directi and the group that put out the report, HostExploit, have been collaborating on actions to try and stop domain registry abuse.


Oct 29 2008   3:34PM GMT

ICANN terminates alleged malware hosting provider EstDomains



Posted by: Dennis Fisher
Laws, Investigations and Ethics

ICANN, the organization that controls the top-level domains, has pulled the accreditation of EstDomains, a hosting provider that has been under fire for months from the security community for allegedly providing a safe haven for spammers, malware authors and other undesirables. This is a major and rare move on ICANN’s part, and perhaps signals a new willingness to play a bit of hardball with hosting providers who don’t police themselves. Antispam activists and security experts for months have been telling anyone who would listen that EstDomains was closely linked to Intercage/Atrivo, a hosting provider that is now out of business, but had been listed as one of the more active hosters of spam and malware operations.

The loss of accreditation is the result of EstDomains’ president, Vladimir Tsastsin, being convicted of several crimes in Estonia in February, including credit card fraud and money laundering, according to a letter ICANN sent to Tsastsin Tuesday.

Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains Inc. (Customer No. 919, IANA No. 832) is terminated. Consistent with subsection 5.3.3 of the RAA, this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction.

ICANN is now looking for another registrar or registrars to take over the hundreds of thousands of domains that EstDomains managed.

As the result of the de-accreditation of EstDomains, Inc. (IANA ID 832), ICANN is seeking Statements of Interest from ICANN-accredited registrars that are interested in assuming sponsorship of the gTLD names that had been managed by EstDomains.

EstDomains managed approximately 280,000 gTLD registrations, including registrations in the biz, com, info, mobi, net, and org registries, including approximately 7 second-level internationalized domain names.

The EstDomains termination is set to go into effect on Nov. 12.


Oct 17 2008   10:41AM GMT

FBI takes down DarkMarket cybercrime ring



Posted by: Dennis Fisher
Information Security Threats, Laws, Investigations and Ethics

The FBI says it has taken down a popular site used by carders and other criminals to exchange stolen information and credit card data, the result of a two-year-long investigation by the bureau and other international police agencies. The site, known as DarkMarket, served as a kind of hub and meeting place for low-level online criminals, the Internet equivalent of pickpockets working the local mall. The key difference being, of course, that our wonderful system of tubes allows these guys to work on a massive scale and do unprecedented damage with minimal effort. The FBI says the investigation, which involved extensive undercover work and is still ongoing in some places, resulted in 56 arrests.

The bureau also estimated that the operation prevented $70 million in economic losses. Now, I’m certainly happy to see the FBI and other agencies around the world making a dent in the cybercrime problem. It’s a global scorpion’s nest that’s gone unaddressed for way too long. But I’m always skeptical when I see this kind of estimate thrown around with no data to back it up. I’m sure the bureau based its statement on something, but we’ll never know what it is. But, the reality is that whether the number is accurate is basically irrelevant. It could be off by an order of magnitude, and it’s still just a grain of sand on the giant cybercrime playground. Online crime is such a low-risk, high-reward activity that criminals who as little as five years ago would have been selling drugs or running kidnapping rings are now setting up dozens of loosely organized online crime cells around the world, and raking in millions in virtually risk-free profits. Not good times.

The FBI knows this very well, but it also knows the psychological value of making even a small dent in the global cybercrime infrastructure. It’s a method that has served the bureau well in its decades-long fight against traditional organized crime: take down the lower-level guys and then use them as leverage to work your way up the ladder. Cybercrime is obviously a different animal, with its worldwide scope and loose, fluid structure. But progress is progress, no matter how small.

UPDATE: Kevin Poulsen on Wired’s Threat Level blog has an excellent post about this investigation, which lays out the evidence that the FBI’s cybercrime group itself was running DarkMarket for the last two years.


Oct 15 2008   1:49PM GMT

Alleged operators of HerbalKing spam gang indicted



Posted by: Dennis Fisher
Information Security Threats, Laws, Investigations and Ethics

The FTC on Tuesday dropped the hammer on a group of alleged spammers who are notorious in the antispam community for their persistence and prolificness. The commission was successful in getting a U.S. District Court to indict two members of the HerbalKing spam gang, and also got the court to issue an injunction freezing the men’s assets. The FTC alleges that the two defendants, Lance Atkinson and Jody Smith, were responsible for sending billions of spam messages advertising the usual array of herbal remedies, male enhancement products and prescription drugs. From the commission’s announcement of the indictment:

The Federal Trade Commission has received more than three million complaints about spam messages connected to this operation, and estimates that it may be responsible for sending billions of illegal spam messages. At the request of the FTC, the court has issued a temporary injunction prohibiting defendants from spamming and making false product claims, and has frozen the defendants’ assets to preserve them for consumer redress pending trial. Authorities in New Zealand also have taken legal action, working in tandem with the FTC.

According to papers filed with the court, the defendants deceptively marketed a variety of products through spam messages, including a male-enhancement pill, prescription drugs and a weight-loss pill.

Spamhaus, the organization that tracks spammers and keeps a list of all the known spammers online, said that the HerbalKing group had been the most prolific spammers in the world for most of 2007 and 2008 and had been working since 2005. The group also said that despite the indictments and asset seizures on Tuesday, the gang’s spam activities have continued unabated in the last 24 hours, most likely because much of the operation is automated through the use of botnets. And, Spamhaus officials said, “Spammers such as this gang and the Russians, Indians and others they work with care little about the law. Spamhaus notes that most will not quit spamming until they are behind bars.”


Sep 15 2008   4:09PM GMT

House committee to hear recommendations on cybersecurity for next president



Posted by: Dennis Fisher
Laws, Investigations and Ethics

As the country continues to focus more and more attention on the November election, some security industry insiders are beginning to agitate for more attention to be paid to information security, regardless of who’s in the White House next year. The House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology will hold a hearing Tuesday afternoon to hear recommendations from several witnesses on what the next president should do to bring the country’s critical infrastructure up to par.

The list of witnesses includes Paul Kurtz, a security consultant and former security adviser to President Bush, as well as David Powner, director of information management issues for the Government Accountability Office, and others. Kurtz is a member of the Commission on Cyber Security for the 44th Presidency, an organization that includes dozens of industry heavyweights as well as Reps. Jim Langevin and Michael McCaul. The commission has been developing a plan to help the next president address cybersecurity issues, and don’t be surprised if the recommendations that are aired tomorrow are sweeping.

There’s a feeling in the industry that the federal government can do much more not only to secure its own networks but to help and encourage private enterprises to do the same. On the government side of things, that could mean something as drastic as revamping the entire federal information security apparatus, or simply implementing some of the dozens of recommendations that various government and private-sector organizations have made over the last eight years.

Hearings are nice and I applaud the committee for calling some much-needed attention to this issue. But it’s still going to come down to whether Barack Obama or John McCain considers cybersecurity a priority and is willing to spend some money and political capital on it.


Aug 19 2008   4:00PM GMT

Judge tosses gag order against MIT students



Posted by: Dennis Fisher
Laws, Investigations and Ethics

Every once in a while things work the way they should. Not often, but sometimes. Tuesday was one of those times, when a federal judge in Boston threw out the gag order that had prevented three MIT students from talking about research they’d done on security vulnerabilities in the Boston subway system. The order, which was imposed nearly two weeks ago, was the result of a lawsuit by the MBTA, which feared publication of the students’ work at Defcon would result in a spike in rider fraud on the system. The agency contended that even allowing the students to talk about their presentation was a violation of the Computer Fraud and Abuse Act, but Judge George O’Toole disagreed. From a blog post by the Electronic Frontier Foundation, which is representing the students:

The Court found that the MBTA was not likely to prevail on the merits of its claim under the federal Computer Fraud and Abuse Act. MBTA had argued that the CFAA, which prohibits the transmission of a program that causes damage to a computer, also covers “verbal transmission,” such as talking to people at conferences. Judge O’Toole, however, looked closely at the statute, and held that the CFAA does not apply to security researchers like the students talking to people.

This is a nice victory for the students, but there never should have been a restraining order, let alone a lawsuit, to begin with, especially considering that all of the material that the students were planning to present is already online. So, the lawsuit is still hanging over their heads, but this move by Judge O’Toole is a step in the right direction and may be an indicator of things to come in the suit, as well.


Aug 11 2008   9:09AM GMT

Exploiting Web business logic: I can’t hack it, but can I steal it?



Posted by: Neil Roiter
Laws, Investigations and Ethics

At last, I thought, cybercrime for the rest of us. After seven years of infosec journalism I have just enough knowledge to ask reasonably intelligent questions, most of the time. But I’m no closer to having the technical chops for even the most idiot-proof Web attack.

So, I had a more-than-professional interest in sitting in on “Get Rich or Die Trying: Making Money on the Web the Black Hat Way” at Black Hat. With one kid starting college and another trailing an ain’t-that-just-too-perfect four years later — and the epiphany that the $5 blackjack tables were not the answer — here was Web crime even I could grasp, except for some aching ethical considerations.

There’s a lot of business logic out on the Web, said WhiteHat Security Inc.’s Jeremiah Grossman and Trey Ford, that can be exploited for big bucks with nary a cross-site scripting attack nor a SQL injection. All that’s required is the will, maybe some working capital, a grayish ethical worldview, and some good old-fashioned name-your-nationality know-how.

Information leakage, insufficient authentication and authorization, and abuse of the website’s functionality are prime money-makers, along with the technical hacks we all know and love.

The money-making schemes run from low-yield CAPTCHA solving, to trading on information obtained by picking unpublished press releases off business sites, to disturbingly easy harvesting of Web mail passwords off e-commerce sites, to bending the rules to apply hundreds of e-coupons for extremely cheap large purchases.

Or, taking advantage of a flaw in functionality to get merchandise for nothing. This one was near and dear to my heart. Something you get even though you don’t order it — say, you shut down an order while it’s still processing, but UPS shows up with the goods 3-5 business days later nevertheless.

When I was a kid, I collected stamps. I ordered five Egyptian mint stamps on approval, which means I send them back if I don’t buy. They sent me more than a hundred assorted stamps on approval and I kept them all.

The U.S. Securities and Exchange Commission (SEC) says unsolicited merchandise is yours to keep, but it’s one thing to profit by a mistake — though things get murkier if you repeat the process to exploit the glitch for profit.

That’s the extent of how far I’ll bend my ethics though, so the e-tailer world is safe from me still, and the college bills are still coming.

But the message here is there are many ways to rip off online businesses, some very technical, some not so much, some clearly illegal, some sort of, maybe. In any case, your company’s money is good as gone.


Jul 31 2008   5:13PM GMT

California elections official wins over techies



Posted by: Marcia Savage
Information Security Threats, Platform Security, Laws, Investigations and Ethics

California Secretary of State Debra Bowen spoke to an appreciative crowd at the USENIX Security Symposium this week in San Jose. The state’s top elections official earned a long round of applause from the techie crowd after her opening keynote, “Dr. Strangelove or: How I Learned to Stop Worrying and Love the Paper Ballot.” A couple of attendees praised Bowen for ordering a top-to-bottom review of electronic voting systems used in California. The review, conducted last year by a team of computer security experts, uncovered a number of flaws in systems from Hart InterCivic Inc., Sequoia Voting Systems Inc. and Diebold Elections Systems ULC (now Premier Election Solutions Inc.).

In her keynote, Bowen compared those who “continue to deny the insecurities with electronic voting machines” to those who deny the evidence about global warming. “We’re always going to be chasing the latest exploits,” she said. “That’s why we’re looking at layered security.” While she doesn’t think a perfect voting system exists or could be created, Bowen promoted a system using paper ballots backed up with optical scanning to record the votes. The state can verify vote counts through random sample hand tallies. “Hand tallies mean never having to say ‘I trust you’ to thousands of lines of code,” Bowen said.


Jul 24 2008   8:03PM GMT

HIPAA violations cost Seattle health care provider



Posted by: Marcia Savage
Compliance, Data Breaches and Identity Theft, Laws, Investigations and Ethics

Interesting news on the HIPAA front. Seattle-based Providence Health & Services has agreed to a settlement over HIPAA security and privacy violations, the U.S. Department of Health and Human Services (HHS) announced last week. In what HHS called the first of its kind “resolution agreement,” Providence will pay $100,000 and implement a corrective plan after losing backup media and laptops containing personal health information in 2005 and 2006.

Previously, HHS’ Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS), which enforce HIPAA’s privacy and security rules, settled complaints by requiring organizations to make changes to their security and privacy practices. A CMS spokesman said last fall that the agency preferred resolving problems rather than punishing mistakes, but this agreement with Providence may indicate that the government is stepping up HIPAA enforcement. A statement by Winston Wilkinson, OCR director, certainly seems to signal a change: “We are committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the privacy and security rules may face similar action.”

In the Providence case, backup tapes, optical disks and laptops containing unencrypted personally identifiable health information were taken out of two Providence home health care operations and later lost or stolen. More than 360,000 patients were affected. In addition to the fine, Providence agreed to revise its policies and procedures regarding safeguards for off-site transport and storage of electronic media containing patient information. It also must train employees on the safeguards, conduct audits and site visits of facilities, and submit compliance reports to HHS for three years.