Security Bytes: Privacy

Dec 15 2008   12:55PM GMT

Steve Bellovin’s unsparing analysis of the CSIS cyber security report



Posted by: Dennis Fisher
Privacy, Laws, Investigations and Ethics

The recent release of the “Securing Cyberspace for the 44th President” report spawned a flood of analysis and criticism, and much of it was positive and complimentary. I’ve written before about the idea behind this report and the fact that many, if not most, of the recommendations in it can also be found in the National Strategy to Secure Cyber Space, which was released nearly six years ago. That document has been largely ignored and we have all been paying the price in the interim. The federal government’s virtual abandonment of cybersecurity policy in the last eight years has left all of us more vulnerable, and will end up costing the government, and taxpayers, far more money in the long term.

In reading the various analyses of the report, I found that many people were commending the commission for suggestions that either have failed in the past, or have little chance of working now. I ran across Steve Bellovin’s blog post on the report and it came as no surprise that his analysis was right on the money. Bellovin’s as smart as they come, and it’s worth the time to read through his entire post on the report, but in the meantime, here are a few key points:

The analysis of the threat environment is, in my opinion, superb; I don’t think I’ve seen it explicated better. Briefly, the U.S. is facing threats at all levels, from individual cybercriminals to actions perpetrated by nation-states. The report pulls no punches (p. 11):

America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009. It is, like Ultra and Enigma, a battle fought mainly in the shadows. It is a battle we are losing.

That’s it exactly. In fact, it’s a battle we’re not even fighting right now.

The most important technical point in this report, in my opinion, is its realization that one cannot achieve cybersecurity solely by protecting individual components: “There is no way to determine what happens when NIAP-reviewed products are all combined into a composite IT system” (p. 58). Quite right, and too little appreciated; security is a systems property. The report also notes that “security is, in fact, part of the entire design-and-build process”.

It should be, but that hasn’t been the case in many systems for far too long. Bellovin then skewers what has been the dominant federal strategy for remedying this problem:

The discussion of using Federal market powers to “remedy the lack of demand for secure protocols” is too terse, perhaps by intent. As I read that section (p. 58), it is calling for BGP and DNS security. These are indeed important, and were called out by name in the 2002 National Strategy to Secure Cyberspace. However, I fear that simply saying that the Federal government should only buy Internet services from ISPs that support these will do too little. DNSSEC to protect .gov and .mil does not require ISP involvement; in fact, the process is already underway within the government itself. Secured BGP is another matter; that can only be done by ISPs. However, another recent Federal cybersecurity initiative — the Trusted Internet Connection program — has ironically reduced the potential for impact by limiting the government to a very small number of links to ISPs. Furthermore, given how many vital government dealings are with the consumer and private sectors, and given that secured BGP doesn’t work very well without widespread adoption, U.S. cybersecurity really needs mass adoption. This is a clear case where regulation is necessary; furthermore, it must be done in conjunction with other governments.

Bellovin also criticizes the report for calling on the Obama administration to protect online privacy without providing any guidance as to what that means or how to do it. But he leaves the best for last: the omission of any mention of software security and its cascading effect on system and network security.

The buggy software issue is also the problem with the discussion of acquisitions and regulation (p. 55). There are certainly some things that regulations can mandate, such as default secure configurations. Given how long the technical security community has called for such things, it is shameful that vendors still haven’t listened. But what else should be done to ensure that “providers of IT products and systems are accountable and … certify that they have adhered to security and configuration guidelines?” Will we end up with more meaningless checklists demanding antivirus software on machines that shouldn’t need it? Of course, I can’t propose better wording. Quite simply, we don’t know what makes a system secure unless it’s been designed for security from the start. It is quite clear to me that today’s systems are not secure and cannot be made secure.

Well said.

Oct 20 2008   10:38AM GMT

Attacks show vulnerability of keyboards to eavesdropping



Posted by: Dennis Fisher
Information Security Threats, Privacy

A pair of security researchers in Switzerland have found several new ways to eavesdrop on the keystrokes from a number of different keyboards from a distance of up to several meters. The methods are similar to other attacks in that they rely on collecting the electromagnetic emanations from the keyboards and then decoding them to reproduce the keystrokes from the remote keyboard. In a pair of videos posted on the site of the Security and Cryptography Laboratory at the École Polytechnique Fédérale de Lausanne, researchers Martin Vuagnoux and Sylvain Pasini show two separate attacks. Both attacks used a simple antenna to collect signals coming from a wired keyboard attached to a laptop, which had its power supply unplugged in order to avoid interference. One attack is done at a distance of about one meter and the other is done from an adjoining room, through a wall. In both cases, Vuagnoux and Pasini were able to accurately decode every keystroke of a short message typed on the remote keyboard.

We found 4 different ways (including the Kuhn attack) to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. We tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of our 4 attacks.

We conclude that wired computer keyboards sold in the stores generate compromising emanations (mainly because of the cost pressures in the design). Hence they are not safe to transmit sensitive information. No doubt that our attacks can be significantly improved, since we used relatively unexpensive (sic) equipments.

These kinds of attacks against displays have been common knowledge for decades, and other researchers, including Markus Kuhn and Ross Anderson, have identified keyboards as possible targets as well. Vuagnoux and Pasini plan to release a paper with their full findings later.


Apr 10 2008   2:18PM GMT

RSA 2008: Verizon, AT&T tout security at RSA (Part 2)



Posted by: Robert Westervelt
Security Vendor News, Network Security, Platform Security, Privacy

In the conclusion of this two-part video series, Information Security magazine Senior Technology Editor Neil Roiter explores security services in the U.S. telecom market. In an interview at RSA Conference 2008, Stan Quintana, vice president of AT&T Security Services, discusses the company’s strategy. He talks about what makes carriers qualified to offer security services and some of the challenges facing the industry.


Apr 4 2008   8:01AM GMT

LoJack on steroids for the laptop



Posted by: Robert Westervelt
Security Vendor News, Data Breaches and Identity Theft, Privacy

Technology blog Engadget is reporting that Intel is about to debut LoJack-like technology for laptops. Few details are available about the technology. Ars Technica had the original post on the subject. Let’s hope it does more than track down a lost notebook. It’s either got to have functionality to brick a laptop, erasing all data, or make the data completely useless to thieves. Ars said the technology would prevent the laptop from booting. Lenovo, Fujitsu, Phoenix, and McAfee are partnering with Intel on the technology.

By the way, LoJack currently licenses out technology to track down laptops in the event of theft. Dell sells the protection in a line of laptops for businesses. The software is available on some sites for about $90.


Apr 3 2008   10:36AM GMT

Hannaford and the industrial compliance complex



Posted by: Bill Brenner
Network Security, Information Security Threats, Security Management, Platform Security, Data Breaches and Identity Theft, Privacy, Identity and access management

This week’s headline may not fit perfectly with the analogy I had in mind yesterday, but I’m running with it anyway because all week I’ve been thinking of what the lessons are regarding the recent data security breach at Hannaford’s supermarkets.

The biggest lesson was eloquently explained in a column by my colleague Dennis Fisher, in which he cites the decline in emphasis on security in favor of a sometimes maniacal focus on compliance with various standards and regulations that has created a climate where passing an audit or satisfying a regulator is deemed more important than actually doing what’s necessary to protect critical assets.

There are plenty of vendors out there who link the use of their products to both compliance and security, and I’ve spoken to many a public relations flak who talks about the two as if they are the same thing. As Dennis points out, they are not the same thing. True, a lot of the work that’s required for the sake of compliance can improve enterprise security. But security is about so much more than buying a bunch of technological tools on some assessor’s checklist and plugging them in.

Being a history geek, I always find myself looking for historical references to match up with the things we’re writing about, and this case reminded me of the farewell speech President Eisenhower gave a few days before leaving office in 1961 in which he warned of the military industrial complex.

Now, I know you’re waiting for the big analogy, and in the end there isn’t much of one to make. The military industrial complex is something far different than the compliance complex I see today. But I do see a few similarities worth mentioning.

Ike warned that as the U.S. fought the Cold War, it needed to “guard against the acquisition of unwarranted influence…by the military-industrial complex,” which included members of Congress from districts dependent on military industries, the Department of Defense and privately owned military contractors like Boeing, Lockheed Martin, and Northrop Grumman. Ike feared that the military-industrial complex inspired policies that might not be in the country’s best interest and he feared that its growing influence, if left unchecked, could undermine American democracy [see the more detailed description from Encyclopedia Britannica].

I’m not trying to suggest that compliance vendors are trying to influence the course of American policy. As I admitted earlier, this is an imperfect analogy. But I do believe there’s a danger of individual businesses being influenced by a compliance complex in which execs desperate to pass the compliance test fall under the spell of vendors promising that their tools will not only help them pass the test but keep them secure. In the end, some make decisions that are not in the best interests of the company’s security program. In other cases, the technology purchased does its job well but the company fails to implement a bunch of other security measures technology alone can’t address — because the vendor or assessor assured them that investing in their product would be all that’s needed.

The Hannaford breach has sent shockwaves through the retail world because it turns out the company had achieved PCI DSS compliance. Many were stunned to see a living example of a compromised business that spent a lot of money on compliance products and thought they were secure.

The silver lining around the Hannaford breach may be that other companies are broken of the compliance complex. Dennis does a good job of mapping out what security is really about, but I leave you with some blog chatter from security experts who make similar points this week:

Burton Group analyst Randall Gamby writes in his company blog that PCI DSS and the work of complying with it has achieved a false sense of security in many corners.

“I’m not saying PCI isn’t important, after all this breach may have never been found if PCI measures weren’t put in place, but enterprises have to look beyond the task of being compliant and take whatever additional steps may be needed to secure their data against breaches,” he writes.

Security management expert Mike Rothman makes the point more bluntly in his Daily Incite blog: “If security professionals think that an audit makes them secure, they are idiots.”

Rothman goes on to say compliance does not equal security. Maybe it makes the senior folks sleep a little better, he writes, “but they’d be dumb, too.” Anyone in a position of power needs to understand about risk and containing risk, he says.

I’m probably going to get a bunch of emails telling me how stupid my analogy is, and one of them might even come from Mike. But instead I’m hoping to hear what readers have to say about the points he and others are making.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.


Mar 20 2008   10:25AM GMT

The data breach that hit home



Posted by: Bill Brenner
Network Security, Application Security, Information Security Threats, Security Management, Platform Security, Data Breaches and Identity Theft, Privacy, Laws, Investigations and Ethics, Identity and access management

Covering the security breach at Hannaford Bros. Supermarkets this week was a particularly interesting experience for me. Unlike the other breaches I’ve written about, this one really hit me where I live.

Of course, the bank did send me a new debit card after my old one was compromised in the TJX data breach, but that’s only because of one purchase I made there during the period when the data raids were in progress.

I shop at Hannaford’s every week. Even though there are several supermarkets closer to home, I’ve been making the longer trek to the store in Hampstead, N.H., because I found the prices and food quality better than the others. Despite the breach, I won’t stop shopping there. My bank was quick to issue me a new card and I think the retailer will do what’s necessary to prevent a repeat. Of course, the company will lose a lot of money to fines and lawsuits in the meantime.

Of course, after any data breach it’s important to explore how it happened and what the affected company could have done better from the outset, and Hannaford’s is no exception.

I found plenty of security bloggers doing just that. Here’s some wisdom from two blogs high on my favorites list:

Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, wrote in his blog that since the information was stolen during the authorization process and was distributed over many locations, a compromise of the central authorizations system or the credit card processor is the likely source. “It could be as simple as sniffing unencrypted communications, or a more complex compromise of a database or application,” he said. “My money is 70% on sniffing, 30% on something in the database.”

Of Hannaford’s claim that no personal data such as names, addresses or telephone numbers were divulged — just account numbers, Mogull wrote, “This can’t be true. Without names, the card numbers are unusable.”

Mogull also used Hannaford’s PCI DSS compliance as an example of how he believes “PCI is worthless” if the chain was allowed to be ruled compliant in the first place.

“The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain,” he wrote. “Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part. How to prevent this? We won’t know until more information is out, but since they shouldn’t be PCI compliant if they transmitted credit card numbers in the clear, perhaps my guess of sniffing is off. I’m still laying odds on that, and if so, encryption is the answer.”

Security blogger Martin McKeay wrote of a silver lining in the Hannaford’s breach.

“Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses,” he noted. “This in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name of your teacher in first grade. Well, maybe not the last one, but they would have every embarrassing purchase you’ve ever made.”

The downside to this lack of association between card numbers and cardholder names, he wrote, is that they have no way of knowing who should be contacted in the breach. He said he’s not sure if that will absolve Hannaford’s of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either, he said.

Good points from both. I’ll end by saying that the big reason Hannaford’s won’t lose me as a customer is because I see them as more of a victim than a villain.

Through my own reporting on PCI DSS compliance I know the company had made investments to bolster the security of its point-of-sale machinery and wireless set-up.

Some are making much of the fact that this breach happened even though Hannaford’s was PCI compliant. Surely, they say, this speaks to the weaknesses of PCI DSS itself. I actually explored that angle in the wake of the TJX breach, and most of the analysts, IT pros and vendors I talked to defended the security standard. After all, it turned out, TJX was nowhere near being where it needed to be for PCI compliance.

Regardless of what one thinks of PCI DSS, it does appear that Hannaford’s was and still is working to improve its security.

But as a police officer once told me after my house was burglarized despite the burglar alarm we had installed, if the thief wants to get in badly enough, they’ll find a way.



Feb 27 2008   4:04PM GMT

Report: 8,700-plus FTP account credentials in hackers’ hands



Posted by: Bill Brenner
Application Security, Information Security Threats, Data Breaches and Identity Theft, Privacy

Finjan released an interesting report today about a database it uncovered with more than 8,700 harvested FTP account credentials — including username, password and server address — that are apparently in the hands of the digital underground.

The vendor says these stolen credentials allow the bad guys to inject crimeware into servers and in turn infect end users. Stolen accounts include those of Fortune-level global companies in a wide range of industries such as manufacturing, telecom, media, online retail, IT and government agencies. The stolen FTP accounts include some of the world’s top 100 domains as ranked by Alexa.com.

“Software-as-a-Service has been evolving for some time, but until now, it has been applied only to legitimate applications. With this new trading application, cybercriminals have an instant ‘solution’ to their ‘problem’ of gaining access to FTP credentials and thus infecting both the legitimate websites and its unsuspecting visitors. All of this can be easily achieved with just one push of a button,” Finjan CTO Yuval Ben-Itzhak said in a press release.


Feb 15 2008   11:46AM GMT

Emotions raw over FISA bill



Posted by: Bill Brenner
Privacy, Laws, Investigations and Ethics

The fur has been flying this week over whether Congress should extend the life of a controversial surveillance law or let it expire tonight.

The firestorm surrounding the Foreign Intelligence Surveillance Amendments Act (FISA) is just the latest battleground in a debate that has raged throughout the war on terror — whether the threat of another attack on U.S. soil justifies unfettered government surveillance of most of its citizens in hopes of finding the few evil seeds that hide among us.

As my colleague Dennis Fisher wrote this week, the bill would grant retroactive immunity to telecoms that aided in President Bush’s warrantless wiretapping program. The bill’s passage would effectively prevent the public from ever discovering the details of that program, privacy experts told Dennis. In a follow-up posting in this blog, Dennis noted the increased likelihood that Congress will let the current extension expire tonight rather than try to work out a compromise between separate bills passed by the House and Senate that would extend the legislation for several years.

“Democrats in the House, who are opposed to a provision in the Senate version of the bill that would grant retroactive immunity to telecoms that aided in President Bush’s warrantless wiretapping program, apparently decided simply to not act on the legislation,” he wrote. “Bush and Republican Congressmen ripped the Democrats for their decision, saying that it places the country at greater risk of terrorist attack.”

I must admit I’m torn on the issue. On the one hand, we are in a war where a small band of radicals are hiding in the shadows, bent on unleashing more death and destruction, including the variety where nuclear and biological weapons may be used. There’s a reasonable argument to be made that wiretapping is a necessary evil to catch enemies who play by unconventional rules.

On the other hand, I have no doubt the Bush Administration has used the threat as an excuse to trample on our basic rights, stoking our fear to get public approval. It’s maddening to me when people are duped, by their fear, into giving the government carte blanche to invade any private space it wants in the name of security. That’s what the terrorists want, isn’t it?

Here’s what some bloggers have to say:

Phantom Lady, a conservative FISA bill supporter and keeper of the Frustrated Incorporated blog, ripped Sen. Hillary Clinton for not showing up to vote on the issue and Sen. Barack Obama for voting against it (though she praised him for at least showing up to vote), and she praised Sen. John McCain for voting for it. In the entry, she uses this nugget from the Rush Limbaugh website:

“Congratulations to Senator McCain. He made sure he was there while fighting off this challenge from Governor Huckabee. He voted to preserve the powers of the intelligence agency in the executive branch to defend and protect this country. Also, hats off to Senator Obama. He showed up. He voted. He voted against it. In so doing, he demonstrated he is not fit to lead this country as commander-in-chief. He has voted against every reasonable authority that has come before him in the form of legislation in terms of intelligence and protecting this country. But at least Obama showed up. At least he voted. At least he told the country he’s incompetent.”

A blogger named Scarecrow took the opposite view in the Firedoglake blog, writing that House Democrats finally said enough and called George Bush’s bluff. “The President had threatened to leave the country in an intelligence blackout if Congress did not accede to his demands for sweeping warrantless surveillance and telecom immunity,” Scarecrow wrote. “But this time, for the first time, Democrats said, ‘we don’t believe you.’ That moment of courage may well define the fall campaign.”

Errington Thompson wrote in the Where’s the Outrage blog that the House has finally stood firm and that it’s confusing as to why the Senate bowed to the White House.

“Mr. Bush’s rhetoric is simply tiresome,” Thompson wrote. “The terrorists this and the terrorist that. Are we so lame that we can’t do anything without trying to figure out what the terrorists will do? Hell, don’t we need to be more worried about our own homegrown crazies?”

I realize this week’s topic runs astray of what I usually set out to do — write about the latest IT security issues and point to blogs where IT pros can go for guidance. But this is a case where telecoms are helping the government in what many consider an invasion of privacy. The reach of the telecoms stretches to practically every enterprise, and that’s where their IT shops face a potential security quandary.

A big part of IT security is about keeping hackers from breaking into company networks and accessing sensitive information. But what do you do when it’s the government breaking in, all in the name of national security?

Please share your thoughts on this one.



Feb 7 2008   12:11PM GMT

Verizon snubs Hollywood’s request to filter pirated content



Posted by: Dennis Fisher
Privacy, Laws, Investigations and Ethics

It’s taken a while, but it seems that someone is finally making some sense in the debate on whether network owners should be trying to stop pirated content from crossing their networks. The folks at Verizon looked at the issue of filtering for copyrighted content and said, No thanks, we’re all set. A company spokesman told The New York Times this week that Verizon found a number of problems with trying to weed out copyrighted content, including infringing on the privacy of its customers and the “slippery slope” that could result in other third parties expecting the company to start filtering out pornography, offshore gambling traffic, etc. Tom Tauke, Verizon’s VP of public affairs also said this:

When you look back at the history of copyright legislation, there has been an effort by Hollywood to pin the liability for copyright violations on the network that transmits the material. It is no secret they think we have deeper pockets than others and we are easy-to-find targets.

Good for Verizon.

There are any number of reasons that Verizon, AT&T and other network operators should not be looking for copyrighted content on their networks, and Tauke is right on with his description of the hazards this misguided idea presents. It is the responsibility of the copyright holders themselves, not the network owners, ISPs or anyone else, to find people who infringe on their copyrights and enforce those rights. Demanding that network operators do this for them smacks of intimidation and laziness on the part of the Hollywood big shots. It also shows a fundamental lack of understanding of the problem.

The epidemic of illegal file-sharing is no more the fault of the network operators than it is of the PC manufacturers. Sure, both of their products are used in the process, but the ultimate responsibility lies with the individual who is downloading pirated material. The executives at the record labels and movie studios understand this, of course, but they’ve had precious little success going after individual file-sharers, and even when they do get someone to settle, it’s for a relatively small dollar amount. So they take a look around and see who in this pipeline has the most resources, and their gaze inevitably settles on the network operators. At least one operator, AT&T, has shown a willingness to filter out copyrighted content, but thankfully Verizon and the other large telecoms have so far resisted the pressure from Hollywood.

I’m not naive enough to think that Verizon is doing this solely out of some altruistic concern for its customers’ privacy. The kind of filtering it would take to look for pirated content would cost the company a lot of money and also likely would cost Verizon customers. So there’s plenty of self-interest at work here. But the company deserves credit for not lying down for the studios and record labels on this.


Jan 16 2008   8:30AM GMT

Happy Valentine’s Day from the Storm Trojan



Posted by: Bill Brenner
Microsoft Security, Network Security, Application Security, Information Security Threats, Security Management, Platform Security, Data Breaches and Identity Theft, Privacy

Valentine’s Day isn’t for another month, but that’s not stopping controllers of the Storm Trojan from using the holiday theme to trick users into downloading the malware.

A posting on the SANS Internet Storm Center Web site describes another wave of Storm emails with a subject designed to catch the recipient’s attention and an email body with a URL consisting of only an IP address. Once a user visits the Web site he is “served with a nice web page and a link to download an executable,” the ISC says — the same trick used in previous attacks. The user will see something like this:


The advice here is the same as always: Don’t click on URLs and email attachments from sources you don’t know and trust.
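One mail-side check that follows from the ISC description above (a lure subject plus a body link whose host is a bare IP address, leading to an executable) is to flag exactly that link shape before a user ever sees it. This is an added example, not code from the ISC or from the original post; the sample messages are constructed and use RFC 5737 documentation addresses, and the `.exe` suffix check is an assumption about what "executable" means here.

```python
"""Flag e-mail links whose host is a bare IP address (the Storm pattern).

Added example for illustration; not from the ISC or the original post.
"""
import ipaddress
import re
from urllib.parse import SplitResult, urlsplit

# Candidate link tokens: optional scheme, a dotted host, optional port and path.
# Constructed pattern; assumes links are whitespace-delimited in plain-text bodies.
URL_RE = re.compile(
    r"(?i)\b(?:https?://)?"          # optional http:// or https://
    r"(?:[a-z0-9-]+\.)+[a-z0-9-]+"   # host with at least one dot (IPv4 literals too)
    r"(?::\d{1,5})?"                 # optional port
    r"(?:/[^\s<>\"')]*)?"            # optional path
)

# Assumption: treat these path suffixes as "executable download" links.
EXECUTABLE_SUFFIXES = (".exe",)


def _split(token: str) -> SplitResult:
    """Parse a link token, adding a scheme so bare hosts parse with a hostname."""
    if "://" not in token:
        token = "http://" + token
    return urlsplit(token)


def is_ip_literal(host: str) -> bool:
    """True if the host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_literal_urls(body: str) -> list[str]:
    """Return every link in the body whose host is a bare IP address."""
    hits = []
    for match in URL_RE.finditer(body):
        token = match.group(0)
        if is_ip_literal(_split(token).hostname or ""):
            hits.append(token)
    return hits


def assess_message(subject: str, body: str) -> dict:
    """Summarise the IP-literal links in a message; the subject is kept for context only."""
    ip_urls = find_ip_literal_urls(body)
    exe_links = [
        u for u in ip_urls
        if (_split(u).path or "").lower().endswith(EXECUTABLE_SUFFIXES)
    ]
    return {
        "subject": subject,
        "ip_literal_urls": ip_urls,
        "executable_links": exe_links,
        "suspicious": bool(ip_urls),
    }


# Constructed sample messages (not real Storm samples).
SAMPLE_LURE = ("Sent with love", "I have something for you: http://192.0.2.10/valentine.exe")
SAMPLE_BENIGN = ("Weekly ad", "See https://www.example.com/specials for this week's deals.")

if __name__ == "__main__":
    for subject, body in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(assess_message(subject, body))
```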