Military wins small battle in war against counterfeit chips

From Ars Technica ...

The US Department of Justice announced today that a California man has pled guilty to trafficking counterfeit computer chips to the US military. Neil Fehaly agreed to cooperate with the government as part of his plea deal, and he faces up to five years in prison for passing off bogus versions of chips from Intel, VIA, STMicro, Analog Devices, and other chipmakers to the Navy. These counterfeits, some of which were outright fakes from China, and others of which were "remarked" versions of cheap chips that had been made to look like more expensive parts, have gone into countless critical military systems since the scam started, possibly endangering the lives of military personnel and civilians.

As we discussed in class the threat presented by counterfeit integrated circuits is real. Counterfeit ICs purchased by the US military are dangerous because these chips when used in military hardware, such as a fighter jet, can easily fail and cause catastrophic damage. Aside from the disabling hardware, ICs can also be altered in such a way that military systems behave in unexpected ways. An altered chip could manipulate the targeting systems in 'smart weapons' so that targets are not hit.

The Cyberwar Plan

Shane Harris from the National Journal checks in with this lengthy investigation of the United States's offensive cyber warfare capabilities. Its well worth the read given our upcoming focus on state-sponsored cyber espionage and warfare.

Highlights from this article include ...

At the request of his national intelligence director, Bush ordered an NSA cyberattack on the cellular phones and computers that insurgents in Iraq were using to plan roadside bombings. The devices allowed the fighters to coordinate their strikes and, later, post videos of the attacks on the Internet to recruit followers. According to a former senior administration official who was present at an Oval Office meeting when the president authorized the attack, the operation helped U.S. forces to commandeer the Iraqi fighters' communications system. With this capability, the Americans could deceive their adversaries with false information, including messages to lead unwitting insurgents into the fire of waiting U.S. soldiers.

China proves to be an aggressive foe in cyberspace

The Washington Post checks in with a re-hash of China's cyber espionage and cyber warfare capabilities. Theres not much new information here but for those new to the field its worth the read.

From the article ...

China is significantly boosting its capabilities in cyberspace as a way to gather intelligence and, in the event of war, hit the U.S. government in a weak spot, U.S. officials and experts say. Outgunned and outspent in terms of traditional military hardware, China apparently hopes that by concentrating on holes in the U.S. security architecture -- its communications and spy satellites and its vast computer networks -- it will collect intelligence that could help it counter the imbalance.

Four Indicted in $9.5 Million Bank Card Attack

Wired's Threat Level Blog provides an in-depth look at a recent attack on RBS WorldPay. This story provides a good case study on how sophisticated cyber criminals conduct an attack. From Threat Level ...

Initial reports painted the intrusion as a limited hack, due to the number of cards compromised. But the 16-count indictment (.pdf) charges that the four “compromised the data encryption” that RBS WorldPay used on payroll debit cards to raise the amount of funds available on the cards as well as withdrawal limits. Payroll debit cards are used by employers to pay employees instead of checks. In some cases the hackers raised the limits to $500,000.

According to the indictment, Tsurikov conducted reconnaissance of the RBS network after Covelin provided him with information about vulnerabilities in the system. Pleshchuk and Covelin then worked on exploiting the vulnerabilities to obtain access on November 4. Pleschuk allegedly developed the method for reverse-engineering the encrypted PINs.

Once the hackers raised the account limits, they provided an army of cashers with 44 cards embedded with the account details for a coordinated, simultaneous attack on ATMs around the world. On November 8, the cashers were instructed to begin siphoning money, and they hit 2,000 ATMs in less than 12 hours, netting about $9.5 million.

Errata Security Responds to 60 Minutes

Errata Security has posted an interesting piece in response to 60 Minute's investigation into threats to the US's digital critical infrastructure. I recommend you read the entire piece. Selected highlights from Errata are found below:

We know the CBS story is bogus. CBS news did not investigate the evidence. They instead cite “half a dozen sources” in the US intelligence community. However, these sources themselves did not investigate the evidence: they are simply confirming that they heard the rumor from people in the Brazilian government. Those government officials likewise did not investigate the evidence, they are likewise just passing on rumors.

CBS news didn't track this down. They didn't attempt to contact anybody in Brazil. They did not contact anybody at “Furnas Centrais Elétricas”, the company responsible maintaining those transmissions lines. They didn't even do a simple Google search, which would tell them that the company claimed at the time that the 2007 outage was caused by dust and soot from local forest fires (which, apparently, is a common problem in power transmission).

Additionally,

The CBS story is obvious government propaganda. All their sources are from the government, from people who stand to gain from increased government control over the Internet. For example, it says that the US power grid is insecure, and claims that the reason it's insecure is because it's not regulated by the government. That's not a reason. The federal government's computers are even less secure than the power grid – there is no reason to think that Congress can secure the power grid if they can't secure their own computers. Conversely, all the energy companies belong to the “National Energy Regulatory Commission” or “NERC”, which is does indeed regulate the cybersecurity of the power grid. The reason the CBS story exists is because somebody else, such as the DHS or NSA, wants to take control away from the NERC. That's why you have such a one-sided story from CBS – they never talked to anybody at NERC, or any of the power companies.

Errata comes off a bit strong with some of their opinions, but there is interesting food for thought in this piece.

60 Minutes on CyberWar

For those who missed the 60 minutes piece on CyberWar here it is ...

Watch CBS News Videos Online

We will discuss this in class tomorrow.

Cyber Attacks Caused Brazil Power Outages

The oft discussed but mysterious cyber attack that caused a power outage is the focus of a 60 Minutes piece to be aired on November 8, 2009. In early 2008 CIA Officer Tom Donohue publicly stated,

We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.

CBS News now says two of these attacks that caused blackouts occurred in Brazil. According to 60 Minutes

A series of power outages affecting millions of people in Brazil in 2005 and 2007 were the result of cyber attacks. The two-day event in Espirito Santo State affecting more than three million people in 2007 and another, smaller event in three cities north of Rio de Janeiro in January 2005 were perpetrated by hackers manipulating control systems.

I highly recommend that interested students check out the 60 Minutes episode.

Big Brother's Database

The Salt Lake Tribune reports on the NSA's construction data storage facility in Utah.

The secretive NSA on Friday made public what has for months been Utah's worst-kept military secret: It plans to build an enormous new data center at the Utah National Guard's Camp Williams. The facility could consume as much power as every home in Salt Lake City as it processes information collected in an effort to prevent attacks on the nation's cyber networks. But only a very small slice of the information stored at the center in southern Salt Lake County will ever be scanned by human eyes. And that's the reality for most of what is collected by the nation's other spy agencies as well.

James Bamford sheds further light on this facility on the challenges faced by the NSA in the 21st century in this piece in the New York Review of Books.

Where does all this leave us? Aid concludes that the biggest problem facing the agency is not the fact that it's drowning in untranslated, indecipherable, and mostly unusable data, problems that the troubled new modernization plan, Turbulence, is supposed to eventually fix. "These problems may, in fact, be the tip of the iceberg," he writes. Instead, what the agency needs most, Aid says, is more power. But the type of power to which he is referring is the kind that comes from electrical substations, not statutes. "As strange as it may sound," he writes, "one of the most urgent problems facing NSA is a severe shortage of electrical power." With supercomputers measured by the acre and estimated $70 million annual electricity bills for its headquarters, the agency has begun browning out, which is the reason for locating its new data centers in Utah and Texas. And as it pleads for more money to construct newer and bigger power generators, Aid notes, Congress is balking.

While both these pieces raise important questions about the balance between privacy and security, they also raise important questions about the efficacy of spending so much money collecting data which is never analyzed. According to MIT defense expert Pete Rustan, who complained that "70 percent of the data we collect is falling on the floor." Bamford is right to suggest that the money spent on these collection capabilities may be better spent on other programs.

Cyberespionage Overview

An article in today's Wall Street Journal outlines evidence of a cyberespionage attack against a US technology company. According to the article,

The Chinese government is ratcheting up its cyberspying operations against the U.S., a congressional advisory panel found, citing an example of a carefully orchestrated campaign against one U.S. company that appears to have been sponsored by Beijing.The unnamed company was just one of several successfully penetrated by a campaign of cyberespionage, according to the U.S.-China Economic and Security Review Commission report to be released Thursday. Chinese espionage operations are "straining the U.S. capacity to respond," the report concludes.

The report also details the techniques, tactics, and procedures of the cyberspies.

In the months leading up to the 2007 operation, cyberspies did extensive reconnaissance, identifying which employee computer accounts they wanted to hijack and which files they wanted to steal. They obtained credentials for dozens of employee accounts, which they accessed nearly 150 times.The cyberspies then reached into the company's networks using the same type of program help-desk administrators use to remotely access computers.The hackers copied and transferred files to seven servers hosting the company's email system, which were capable of processing large amounts of data quickly. Once they moved the data to the email servers, the intruders renamed the stolen files to blend in with the other files on the system and compressed and encrypted the files for export.Before exporting the data, the collection team used employee accounts to take over four desktop computers to direct the final stage of the operation.They selected at least eight U.S. computers outside the company, including two at unidentified universities, as a drop point for the stolen data before sending it overseas. The high Internet traffic volume on university networks provides excellent cover.

We will discuss the specifics of these kind of targeted cyberespionage attacks in class in the coming weeks.

The Case Against Transparency

Larry Lessig writes an interesting piece entitled Against Transparency The New Republic.

Many of the arguments made by Lessig echo many of our in class discussions. In particular, Lessig notes that transparency does not necessarily lead to greater understanding. Rather, in some cases increased transparency can lead to misunderstanding and misperception. In a world of excessive data flows it is easy to misinterpret data when the context required to understand the data is missing.

O'Harrow made a similar argument in No Place to Hide. When he noted that even when accurate data was released it could easily be misunderstood and abused. The story of the man who lost is job because his juvenile record of vandalism was released to his employer offers a case in point.

I recommend that you peruse this article prior to next weeks class when we our guest speaker Brian Drake will discuss how the government is using cloud computing and social media to increase transparency.

From Wired Magazine's 12 Shocking Ideas that Could Change the World

Want to put your doctor's stethoscope in a twist? Ask them to hand over a complete copy of your medical records. Then watch as they nervously demur, citing state laws, cost, and fuzzy hospital policies.

Jamie Heywood wants those obstacles legislated out of existence so we can access our own health data almost as easily as ordering a pizza. And he hopes consumers will in turn share that data with one another via online communities such as PatientsLikeMe, which he cofounded in 2004.

"Privacy has been used as an excuse by those who have a vested interest in hoarding this information," Heywood says. He believes that the real reason hospitals jealously guard medical records is they don't want to open themselves up to second-guessing from patients—or patients' lawyers. And that lack of openness, Heywood argues, is making us sicker: With data scarce, there's no clear way for physicians to know what treatments are working for other practitioners.

Today's guest speaker, Joel Selzer, the founder of Ozmosis.com, will discuss this idea and others as he discusses how to best balance the need for patient privacy with the need for improved health care through information sharing.

Augmenting Aerial Earth Maps with Dynamic Information

Researchers at Georgia Tech are developing a system that uses CCTV to add dynamic data to Google Earth. According to researchers their goal

is to make Augmented Earth Maps that visualize the live broadcast of dynamic sceneries within a city. We propose different approaches to analyze videos of pedestrians and cars.

This research raises a number of privacy questions. Not only could this system perform a surveillance function but it could also be used to make surveillance data increasingly accessible. Moreover, this system would create increased privacy problems if it were integrated with identification technologies like biometrics or RFID.

New Malware Re-Writes Online Bank Statements to Cover Fraud

From Wired's Threat Level

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

More Details from the story ...

The victims’ computers are infected with the Trojan, known as URLZone, after visiting compromised legitimate web sites or rogue sites set up by the hackers.

Once a victim is infected, the malware grabs the consumer’s log in credentials to their bank account, then contacts a control center hosted on a machine in Ukraine for further instructions. The control center tells the Trojan how much money to wire transfer, and where to send it. To avoid tripping a bank’s automated anti-fraud detectors, the malware will withdraw random amounts, and check to make sure the withdrawal doesn’t exceed the victim’s balance.

The money gets transferred to the legitimate accounts of unsuspecting money mules who’ve been recruited online for work-at-home gigs, never suspecting that the money they’re allowing to flow through their account is being laundered. The mule transfers the money to the crook’s chosen account. The cyber gang Finjan tracked used each mule only twice, to avoid fraud pattern detection.

“They instruct the Trojan that the next time you log into your online banking account, they actually modify and change the statement you see there,” says Ben-Itzhak. “If you don’t know it, you won’t report it to the bank so they have more time to cash out.”

This is an example of the dangers of 'insecurity.' We'll discuss these types of attacks in more detail later in the semester.

Survey: Half of businesses don't secure personal data

From C|Net News

The personal information you give to businesses may not be as secure as you hope, according to a new survey. Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute.

Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they've been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen.

This is hardly comforting. As weve discussed business will collect data first and then figure out what to do with it later. In the interim it appears that many business do not bother to secure this data because its "too expensive."

Leaky Social Networks

From Ars Technica

According to a recent study by Worcester Polytechnic Institute researcher Craig E. Wills and AT&T Labs' Balachander Krishnamurthy. A "leakage," by the study's definition, is the opportunity for a third party to link the information they get from the social networks (either in the form of logs or browser cookies) to someone's PII—your name, phone number, and dog's favorite treat aren't passed on directly, but can easily be pieced together.

How is that possible? Not through your name, but through your profile's unique identifier, which is apparently included in the data given advertisers from most social networks. "We found that when social networking sites pass information to tracking sites about your activities, they often include this unique identifier. So now a tracking site not only has a profile of your Web browsing activities, it can link that profile to the personal information you post on the social networking site," Wills said. "Now your browsing profile is not just of somebody, it is of you."

As weve discussed in previous class personally identifiable information is a very broad term. Previous studies have shown that the combination of "anonymous" data can be combined to identify unique individuals. For example, MIT's Latanya Sweeney found that 87% of US citizens can uniquely identified by a combination of their birth date, gender, and zip code.

In this case though, the data leaked is not as abstract and leads an interested party directly to your profile.

FBI Targets Online Extremists

The recent spate of arrests of terror suspects is based in part on excellent investigative work done by the Federal Bureau of Investigation. According to media reports, the FBI is doing an excellent job of monitoring online extremists message boards and chat rooms for signs of pending terrorist attacks.

The arrest of Hosam Maher Husein Smadi, a 19-year-old Jordanian citizen who planned on bombing the 60-story Fountain Place building in Dallas, Texas. According to reports,

Smadi stood out to federal authorities in an online group for extremists because of his repeated remarks that he wanted to commit a violent jihad, or a holy war, against the United States.

Federal officials began speaking with Smadi in March after finding him on an online group for extremist.

Posing as al-Qaida members and speaking Arabic, undercover agents began to probe Smadi for more details of his plans. Slowly, he began to provide them details and ideas to carry out his plan.

We will discuss this case and others later in the semester as we analyze how terrorist groups or using the Internet to communicate and coordinate their activities to like minded extremists. We will also discuss how to conduct online investigations of terrorist suspects.

MyLifeBits

I just picked up a new book entitled Total Recall: How the e-Memory Revolution Will Change Everything!. The book chronicles Gordon Bell and Jim Gemmell's work on the MyLifeBits project Microsoft Research. The premise of this project is to develop technology that will allow people to digitally record every event in their lives including video streams, audio streams, texts, images, etc.

As we've discussed in class ,a series of technological developments including Moore's Law dictates that computing devices will shrink in size, speed up in processing time, decrease in price, and increase in function. This trend will allow people to carry "sensors" that will record their conversations and grab video of their daily interactions.

The MyLifeBits project is the logical extension of these technological trends. It seems inevitable that people will embrace "life logging." Even those who opt-out will be forced to contend with this type of technology as their conversations and interactions can easily be captured by other life loggers.

What types of privacy harms would occur if this type of life logging technology became widely available?

Newly Declassified Files Detail Massive FBI Data-Mining Project

From Wired Magazine ...

A fast-growing FBI data-mining system billed as a tool for hunting terrorists is being used in hacker and domestic criminal investigations, and now contains tens of thousands of records from private corporate databases, including car-rental companies, large hotel chains and at least one national department store, declassified documents obtained by Wired.com show.

Headquartered in Crystal City, Virginia, just outside Washington, the FBI’s National Security Branch Analysis Center (NSAC) maintains a hodgepodge of data sets packed with more than 1.5 billion government and private-sector records about citizens and foreigners, the documents show, bringing the government closer than ever to implementing the “Total Information Awareness” system first dreamed up by the Pentagon in the days following the Sept. 11 attacks

Does this type of data mining harm privacy? If so, how? If not, why not?

Digital Safe Havens

Georgetown Professor Paul Pillar writes in today's Washington Post

How important to terrorist groups is any physical haven? More to the point: How much does a haven affect the danger of terrorist attacks against U.S. interests, especially the U.S. homeland? The answer to the second question is: not nearly as much as unstated assumptions underlying the current debate seem to suppose. When a group has a haven, it will use it for such purposes as basic training of recruits. But the operations most important to future terrorist attacks do not need such a home, and few recruits are required for even very deadly terrorism. Consider: The preparations most important to the Sept. 11, 2001, attacks took place not in training camps in Afghanistan but, rather, in apartments in Germany, hotel rooms in Spain and flight schools in the United States.

In the past couple of decades, international terrorist groups have thrived by exploiting globalization and information technology, which has lessened their dependence on physical havens.

The central question asked by Professor Pillar is whether the Obama administration's assumption that abandoning Afghanistan will create a needed safe haven for al-Qaeda is correct? Many policy makers believe that should we pull out of Afghanistan the Karzai government will fall and the Taliban will take over or the country will disintegrate into a failed state. According to this argument, either condition will provide al-Qaeda with a safe have to re-group and plan additional attacks against US interest at home and abroad.

Professor Pillar questions this assumption by pointing out that al-Qaeda and other al-Qaeda inspired groups have used the Internet to communicate, coordinate, recruit, and train and therefore do not rely on a physical safe haven for success.

What are your thoughts? Can a terrorist cell rely solely on the Internet to plan, coordinate and successfully execute an attack? We will discuss this question in more detail later in the semester.

How to short-circuit the US power grid

On September 11, 2009, Paul Marks from the New Scientists published an article entitled How to short-circuit the US power grid. The article discusses work conducted by researchers from China's Dalian University of Technology. These researchers studied vulnerabilities in US's West Coast power grid. The researchers found that the best way to attack the power grid was to attack the least loaded nodes on the grid. Attacking these lightly loaded nodes was the best way to cause cascading failures throughout the grid.

According to the research, "an attack on the nodes with the lowest loads can be a more effective way to destroy the electrical power grid of the western US due to cascading failures."

Although cyber vulnerabilities in the power grid have been found via other research, it should be noted that this article does not point to any specific "cyber" vulnerabilities in the power grid. Instead the vulnerabilities discussed in this article are within on the structural design of the power grid and the vulnerabilities found in the grid's design could presumably be exploited more easily through a physical attack - i.e. blowing up a generator.

We'll discuss this article later in the semester when we focus on information warfare and cyber attacks but I wanted to pass it along sooner rather than later.

Google Knows All

The Washington Post's Cecilia Kang wrote a very interesting article on Saturday September 12. The article entitled Google Economist Sees Good Signs in Searches details Google's Chief Economist Hal Varian belief that the recession is waning and the US economy is in recovery. Varian comes to this conclusion through his analysis of what people are searching on Google. The article states,

In March, the number of Google users searching for information about unemployment benefits or employment centers began to drop, Varian said. Overall unemployment has continued to climb, of course, but new jobless claims have declined since peaking earlier this year.

Varian's analysis of search history to measure economic trends is similar to how Google mined search histories to monitor flu outbreaks. Google launched Google Flu Trends in November 2008 after its researchers noticed a relationship between how many people searched for flu related terms and how many people have flu symptoms. More importantly, Google noticed that its search history data could predict flu outbreaks up to two weeks earlier than the Center for Disease Control because people are likely to search the Internet about health concerns before they visit a doctor.

The Database of Intentions

On the surface our search histories do not appear to be particularly sensitive information and they are unlikely to reveal our identity. However, recent history demonstrates the flaws in this logic and show that our search histories can easily reveal our identity. In August 2006 AOL released 20 million "anonymized" search queries from approximately 650,000 users to the research community.

AOL anonymized these search histories by obfuscating or removing 'personally identifiable information' such as usernames and IP addresses. AOL replaced usernames with randomized unique identifiers.

Reporters from the New York Times analyzed these search histories and were able to identify user #4417749. The reporters noted that user #4417749 searched for

• landscapers in Lilburn, Ga
• 60 single men
• homes sold in shadow lake subdivision gwinnett county georgia
• several people with the last name Arnold

A quick reference of other outside sources lead the Times reporters to Thelma Arnold, a now 65-year widow living in Lilburn, Georgia.

This example reveals the false promise of anonymization. In particular, it is difficult for a database administrator to anonymize one data source when the administrator does not know what other data sources an investigator is able to access. In this case, the Times reporters were able to use the phone book or perhaps property records from Lilburn, Georgia. The combination of these data sources allowed the reporters to identify Thelma Arnold.

Privacy and Anonymization

Professor Paul Ohm of the University of Colorado Law School recently published an important article entitled Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization. The article discusses the perils in relying on anonymization as a means to protect privacy. In today's data rich environment when individuals are constantly emitting data trails and leaving their digital fingerprints throughout cyberspace Professor Ohm argues that it is virtually impossible to anonymize data.

Professor Ohm points to recent research which found that 87% of the US population could be uniquely identified through the combination of zip code, birth data, and sex. Said in another way, 87% of US citizens do not share the same zip code, birth date, and sex with anyone else.

The take away from this article is that policy makers can no longer simply rely on labeling certain data as 'personally identifiable.' In today's digital age, all data must be treated as personally identifiable. As a result, we can no longer rely on anonymizing certain data elements to protect privacy. A new privacy protection regime must be developed because banning information sharing is not realistic.

I highly recommend this article for those students interested in learning more about anonymization and privacy.

Privacy Fail

This weekend while perusing books at Barnes and Noble in Georgetown I noticed the book The Road to Big Brother. The book is advertised as an

entertaining and highly revealing account of his attempt to dodge Britain's 4.2 million CCTV cameras and other forms of surveillance, Ross Clark lays bare the astonishing amount of personal data which is hoarded by the state and by commercial organizations, and asks whom should we fear most: the government agencies who are spying on us - or the criminals who seem to prosper in the swirling fog of excessive data-collection.

While scanning through the book I noticed an insert from the publisher Encounter books. The insert was an offer to join their mailing list and a request for the readers personal information.

Clearly no one at Encounter Books understands privacy or irony!

Unreasonable Search?

School administrators have long declared an interest and intent to search student for drugs, weapons, and other contraband in the name of security. Some administrators have even gone so far as 'strip searching' students.

As more students carry cell phones and other PDAs on school grounds, administrators have increasingly targeted these devices for search or seizure. The ACLU recently filed a lawsuit on behalf of a Mississippi middle-school student.

Jacqui Cheng from Ars Technica provides good coverage of the story. According to Ms. Cheng,

Southaven Middle School in Southaven, Mississippi has a policy against cell phone use during school hours, as many schools do nowadays. In August of 2008, 12-year-old Richard Wade was discovered to be in violation of that policy after he received a text message from his father (who was traveling out of state) during "football class." That's when his cell phone was confiscated by his football coaches and then searched by the principal, as well as the Southaven Police Department. At that time, authorities found what they considered to be extremely scandalous, "gang-related activity"—that is, photos of Wade and a friend dancing in the bathroom at Wade's home. The friend held a BB gun across his chest while he danced.

Wade was suspended and then eventually expelled for having "gang signs" stored on his phone. That's when the ACLU got involved—the organization says that the football coaches, principal, and police violated Wade's constitutional rights and even acted outside of the school's policy of merely confiscating phones during school hours.

On the surface this case appears to not only be in violation of the school's own policy but an assault on the students privacy. However, one must also considers the school's interest in this case. Does the school have a legitimate interest in protecting the general student population from potential threats? If so, how should school administrators balance their interest in providing a secure environment for students against the students right to privacy?

Insights via The Onion

With two posts from the Onion within the last week I can only conclude that 1) I still believe its summer vacation 2) humor is an effective tool to discuss complex policy questions.



Facebook, Twitter Revolutionizing How Parents Stalk Their College-Aged Kids

Text, Text, Text: Parental Nagging Evolves Electronically

The Washington Post checks in with an interesting story on how parents are increasingly using technology to communicate with their children as well as monitor their behavior. From the article,

Parents know more about flubbed tests and skipped homework because of online grading systems. They know more about social lives because of Facebook and MySpace pages.

The Post brings up some interesting issues that are relevant to our examination of privacy. Does our increasingly willingness to share details about ourselves negate our right to privacy? If we share information on Facebook, even if we only share it with our network of friends, can we reasonably expect that information to remain private? We will discuss many of these issues in class.

Check out the full article here.

Opting Out

Here is a little humor to get you through the first day of class.

hat tip: The Onion

Video Surveillance - Enhanced Security or Privacy Invasion?

According to a London Metropolitan Police Department internal report only "one crime was solved by each 1,000 CCTV cameras in London last year."

David Davis MP, the former shadow home secretary, said: "It should provoke a long overdue rethink on where the crime prevention budget is being spent. CCTV leads to massive expense and minimum effectiveness. It creates a huge intrusion on privacy, yet provides little or no improvement in security."

Detective Michael Michael McNally, who commissioned the report, agreed that more work needed to be done to realize the potential of video surveillance cameras.

McNally said, "CCTV, we recognise, is a really important part of investigation and prevention of crime, so how we retrieve that from the individual CCTV pods is really quite important. There are some concerns, and that's why we have a number of projects on-going at the moment."

A Metropolitan police department spokesman added, "We estimate more than 70% of murder investigations have been solved with the help of CCTV retrievals and most serious crime investigations have a CCTV investigation strategy."

Do you think video cameras deter crime and enhance security? If they do not deter crime do they enable police to more quickly catch the criminals responsible? Do they deter terrorists?

Finally, could the dollars required to install and monitor video surveillance cameras be reallocated to other technologies or investigative techniques that are more effective and less invasive?

source: BBC

Job Interviews and Facebook

With the start of classes just two short days away, its time for me to start blogging again. I've previously used this blog as a means to communicate with my students outside of the classroom and to comment on current information privacy and security news. The media is replete with stories on these topics. There are also a number of blogs that focus specifically on these topics - many of which are listed in my blogroll.

As I scanned the headlines today I noticed a number of items of interests. In particular, I noticed a story in the New York Times entitled More Employers Use Social Networks to Check Out Applicants. According to the article,

45 percent of employers questioned are using social networks to screen job candidates — more than double from a year earlier, when a similar survey found that just 22 percent of supervisors were researching potential hires on social networking sites like Facebook, MySpace, Twitter and LinkedIn.

The study also found that "35 percent of employers decided not to offer a job to a candidate based on the content uncovered on a social networking site."

The study stated that

More than half of the employers who participated in the survey said that provocative photos were the biggest factor contributing to a decision not to hire a potential employee, while 44 percent of employers pinpointed references to drinking and drug use as red flags. Other warning signs included bad-mouthing of previous employers and colleagues and poor online communication skills.

Im sure many students, especially seniors looking for jobs, already regularly clean up their facebook profiles and remove potentially incriminating material. This is certainly a good practice, but the broader questions remain.

Should employers be allowed to scan facebook profiles of potential employees? Are employers treading on shaky legal ground by denying jobs to qualified individuals based on information discovered in their facebook profiles? Is it fair to judge a candidate on material found within their facebook profile?

Syllabus Available

Ive activated our class Blackboard site and posted the syllabus. I know most of you are pre-occupied with moving-in, getting settled, and catching up with friends but if you have time to check out the syllabus please do. If you have any questions drop me a note.

Have a great move-in weekend, do not anything too stupid and I see you next week for our first class.

Summers Over

As summer draws to a close I can no longer put off the inevitable. Its time to review the COSC-011 syllabus and make the changes necessary to ensure this semster's class is a great one. The general focus and format of the class will remain the same. We will still examine the tension between privacy and security in the digital age. However, I plan on tweaking some of the readings and adding more interactive exercises to the course.

If any former or future students are following this blog please let me know if you have any suggestions for the pending semester. I'm looking forward to another exciting semester. Enjoy your last week of freedom and ill see you on campus September 2.

The Cyber Maginot Line

On Tuesday May 12, 2009, Bill Gertz of the Washington Times reported on China's defensive cyber warfare capabilities. Gertz writes,

China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing's networks impenetrable to U.S. military and intelligence agencies. The secure operating system, known as Kylin, was disclosed to Congress during recent hearings that provided new details on how China's government is preparing to wage cyberwarfare with the United States.

Gertz continues,

The deployment of Kylin is significant, Mr. Coleman said, because the system has "hardened" key Chinese servers. U.S. offensive cyberwar capabilities have been focused on getting into Chinese government and military computers outfitted with less secure operating systems like those made by Microsoft Corp.

This reporting demonstrates a stunning ignorance of cyber warfare and cyber security strategies and tactics. First, there is no such thing as a "secure" operating system and any claims of such should be treated with skepticism. Security must be balanced with usability. For example, a truly secure operating system should not be connected to the public Internet but obviously this type of system would be of little use to the average user.

Second, an operating system is only as secure as the users who install, configure, and use it. If administrators do not configure the Kylin system properly and users do not follow good security practices, then security breaches are likely to follow. All it takes is one user willing to click on a link in a phishing email or download an infected attachment to compromise a system.

Third, just because an operating system is secure does not mean the entire system is secure. Vulnerabilities may still exist up the stack specifically in applications installed on the system.

In addition, a closer examination of the Kylin reveals it is based almost entirely on FreeBSD. This fact debunks Gertz's claim that China "has developed more secure operating software for its tens of millions of computers." Dancho Danchev at ZDNet reports that a Chinese security researcher operating under the handle of Dancefire first noted the similarities between Kylin and FreeBSD. Dancefire wrote, "the Kylin operating system - which is funded by the National 863 High-Tech Program - was found to have plagiarized from the FreeBSD5.3." The similarities between the two systems "reached 99.45 percent." FreeBSD "is derived from BSD, the version of UNIX developed at the University of California, Berkeley." It is currently maintained by the FreeBSD Foundation in Boulder, Colorado.

In conclusion, this Mr. Gertz's story is another in a long line of hype surrounding the important issue of cyber security.

Projecting Borders into Cyberspace

My Grey Goose colleague Jeffrey Carr makes a compelling argument about the need for nation-states to patrol their own territory in cyberspace. Specifically, Jeffrey writes,

One way to improve our ability to attribute attacks is to require that ISPs and nations exercise greater control. A recent breakfast conversation with a colleague on this topic resulted in what I think is a great way to assign attribution: Structure cyberspace like airspace or territorial waters with designated areas of state responsibility. In other words, each nation controls and is responsible for its own cyberspace.

In the case of airspace and territorial waters, enforcement is by international treaty. Perhaps one solution is to add cyberspace to this body of law as a fourth environment after air, land, and sea. There are penalties for violating a nation’s airspace. It seems logical to apply those penalties to cyberspace as well.

If enacted, this would put the onus on hosting companies licensed to do business in their respective countries to more vigorously enforce anti-piracy software laws, require registrars operating within their borders to make a better effort at validating WHOIS data, and require hosting companies to be more attentive to gross violations by their customers or be subject to civil and criminal penalties.

Ive expressed similar beliefs in previous blog posts on how to develop a cyber deterrence strategy. While there are certainly civil liberty, privacy, and other issues to resolve before we can implement international standards and norms regarding the use of cyberspace, the mounting losses from rampant cyber crime and espionage demonstrate the alternative of an ungoverned Internet is proving itself to be an unsustainable model.

Secrecy and Cyber Deterrence

On Monday, April 27, 2009, the New York Times published the first article in a series on the "growing use of computing power as a weapon." While I applaud the Times for reporting on this important issue, I was disturbed by the backwards thinking of policy makers revealed by the article.

Specifically, the article the touches on the problem of defining a cyber deterrence strategy. This is a topic in which I am extremely interested in and have previously written about here and here. The article states,

But Mr. Obama is expected to say little or nothing about the nation’s offensive capabilities, on which the military and the nation’s intelligence agencies have been spending billions. In interviews over the past several months, a range of military and intelligence officials, as well as outside experts, have described a huge increase in the sophistication of American cyberwarfare capabilities.

Because so many aspects of the American effort to develop cyberweapons and define their proper use remain classified, many of those officials declined to speak on the record. The White House declined several requests for interviews or to say whether Mr. Obama as a matter of policy supports or opposes the use of American cyberweapons.

While I understand the need for secrecy in matters of national security, I am deeply troubled that the culture of secrecy surrounding cyber warfare will negatively impact the United State's ability to create a credible cyber deterrent.

Deterrence involves convincing an adversary not to initiate a particular action or actions due to the credible prospect that he will not succeed in achieving his objectives and/or he will be subjected to a punishing response such that the costs incurred will far outweigh the benefits that might be gained.

It will be very difficult for the US to convince an adversary that it faces a credible prospect of punishment if our adversaries do not understand our offensive cyber power. I do not believe we need to publicly inventory our cyber weapons arsenal, but it would behoove us to publicly demonstrate our offensive capabilities. Public demonstrations like the Aurora Generator Test are good examples of how we can demonstrate our offensive capabilities to our adversaries.

A policy of publicly demonstrating offensive capabilities is nothing new. During the Cold War, the US military repeatedly tested nuclear weapons and conducted large-scale conventional military exercises. The US used these tests and exercises in part to demonstrate its offensive prowess so that its adversaries, including the Soviet Union, would understand the United State's ability to cause harm. Cyber is just a new domain of warfare and I see no reason to treat it any differently than we have previously treated warfare in the past. As such, it makes sense to publicly demonstrate our offensive capabilities. This will increase our deterrent capacity and help stave off future cyber wars. Excessive secrecy only makes cyber deterrence harder to achieve.

Comparing the Strategic Defense Initiative and the Comprehensive National Cybersecurity Initiative

This past week, during a panel discussion I moderated at RSA on how lessons from the Cold War could be applied to cyber conflict, an interesting line of discussion emerged. A member of the audience compared the use of cyber warfare strategies and tactics to the Strategic Defense Initiative (SDI).

While I am typicall skeptical of embracing historical analogies due to their frailties and tendency to lead policy makers astray, the similarities between cyber warfare and SDI are appealing enough to warrant further investigation. Our panel discussion and further in-depth discussions with colleagues revealed the followed parallels:

• During the Cold War, the Soviet Union felt compelled to invest increased amounts of resources into its nuclear weapons delivery systems in an effort to counter the purported defensive capabilities of SDI.

• In response to the threat of cyber warfare, the United States feels compelled to invest increased amounts of resources into cyber defenses designed to protect critical infrastructure targets. The Bush administration's Comprehensive National Cyber Security Initiative reportedly allocated close to $30 billion over the life of the program.

• In both cases, the efficacy of the strategies and tactics were unproven. SDI was never fully deployed, but the mere idea of a space based ballistic missile defense system spooked the Russians into allocating extra resources to countering its purported capabilities. Similarly, advanced cyber warfare strategies are at this moment theoretical. Yes, Estonia and Georgia have been attacked by crippling DDoS attacks, but large-scale coordinated attacks against critical infrastructure targets like the power grid have not yet been proven possible. While it is unclear whether or not the grid could be taken down by remote attackers, we are frantically spending money to counter this threat.

• In each case, the Soviet Union and the United States response appears to have been based on fear and not inspiration.

Do not get me wrong, I am not claiming we should ignore cyber security. Nor am I stating that cyber attacks against critical infrastructure are to be dismissed as fantasy. Rather, it is my feeling that our cyber security programs should be based on more than desperation and fear. For example, rather than respond with frantic patching and other point defensive measures, it would make more sense to use the threat to critical infrastructure as a tool to sponsor and encourage more secure coding initiatives. As my friend Ed Skoudis points out, software engineers in the United States are not required to study secure programming in order to earn a computer science degree. It would seem that the Federal Government would be smart to invest more of its $30 billion allocated to CNCI towards sponsoring education programs designed to foster secure software design.

As my colleague Dave Sulek likes to say, policy responses based solely on desperation without any hope or inspiration are destined to fail. In order to properly address the cyber security problem, we must seek to adopt policy prescriptions that are equal part inspiration and desperation.

Achieving Cyber Deterrence

Many cyber security experts and national security policy makers assume that it is impossible to achieve a comprehensive cyber deterrence strategy. Deterrence involves convincing an adversary not to initiate a particular action or actions due to the credible prospect that he will not succeed in achieving his objectives and/or he will be subjected to a punishing response such that the costs incurred will far outweigh the benefits that might be gained.

One reason that cyber deterrence is viewed as impossible because unlike the Cold War there is not one monolithic adversary to deter. During the Cold War the United States only had to worry about deterring nation-states and primarily achieved this goal via the threat of a nuclear retaliation. In today's cyber threat environment there are a number of adversaries including:

• nation-states;
• terrorists;
• patriotic hackers and;
• cyber criminals.
  

Each of these adversaries have different interests and objectives. Further, some of these adversaries, like terrorists, believe they have nothing to lose and therefore are not threatened by the use of force - digital or physical.

Accordingly, cyber security experts and policy makers believe it is difficult to develop a deterrent strategy to address all of these adversaries. While it is certainly more difficult to develop individual deterrence strategies for the above adversaries rather than the one deterrent strategy needed to counter the Soviet Union during the Cold War, it is by no means impossible. A closer examination of the various adversaries capabilities and intentions reveals the United States can easily develop a credible cyber deterrent strategy for its adversary.

Deterring nation-states is relatively straight forward. The United States still possesses its nuclear deterrent used to counter the Soviet Union during the Cold War. This deterrent capability can still be used to deter nation-state adversaries from launching devastating cyber attacks on critical infrastructure targets.

Deterring terrorists, patriotic hackers, and cyber criminals is a more difficult challenge. Currently, terrorist groups have demonstrated intent but not the capability to launch crippling cyber attacks against critical infrastructure targets. Therefore, in order to successfully deter terrorist from pursuing cyber warfare the United States should focus on improving its cyber security and resiliency. Improved defense may convince terrorist groups that the execution of a successful cyber attack is well beyond its capabilities. Additionally, improved resiliency may convince terrorist groups that even if successful a cyber attack may not have the desired crippling effect. Improved resiliency, via the use of redundant systems, can be designed to prevent devastating and cascading failures in critical systems. A terrorist group may be less likely to waste precious resources attacking a target they perceive to be invulnerable to attack.

Patriotic hackers have demonstrated the capability and intent to launch successful cyber attacks against critical infrastructure targets. For example, Chinese patriotic hackers are believed to be responsible for an ongoing series of cyber espionage attacks against various targets within the Defense Industrial Base sector. According to media reports, untold amounts of valuable intellectual property and military logistics data were lost in these attacks. Given the patriotic hackers de facto connection to a nation-state it is reasonable to treat this adversary as an extension of its patron nation-state. The United States should carefully articulate its belief that attacks carried out by patriotic hackers will be treated as attacks sponsored by the hacker's patron nation-state. As such, the United States should threaten the patron nation-state with retaliation in an effort to deter attacks launched by patriotic hackers. Ideally, nation-states will find this threat credible and seek to control and limit attacks emanating from patriotic hackers within their borders.

Cyber criminals have also demonstrated the capability and intent to launch cyber attacks against critical infrastructure targets. Cyber criminals have launched successful attacks against various targets in the financial sector. Additionally, CIA analyst Tom Donohoe publicly stated that presumed cyber criminals caused blackouts overseas. Donohoe said, "we have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet." Cyber criminals appear to be the most difficult adversary to deter due to their perceived capability to overcome advanced defenses as well as the inability to tie them directly to a patron nation-state. While difficult, the United States can deter cyber criminals by improving its attribution capabilities. Improved technical attribution coupled with effective intelligence gathering and increased information sharing by international law enforcement partners will enable the United States to more accurately identify the sources of a cyber attack. Once identified the United States should use traditional law enforcement strategies to pursue and arrest cyber criminals. Improved attribution and an effective response from law enforcement will likely discourage cyber criminals from launching high profile attacks on critical infrastructure targets like the power grid.

Developing a comprehensive cyber deterrence will by no means be easy to achieve and will take lots of patient work. Just because our Cold War deterrent strategy is no longer applicable and a replacement is not immediately obvious it does not mean we should conclude that cyber deterrence is impossible. After World War II and the introduction of nuclear weapons, policy makers took time to develop the sustainable framework of mutually assured destruction. This strategy was not immediately obviously at the dawn of the Cold War and we should therefore not expect that a cyber deterrent strategy will also be immediately obviously.

Hacking with iPwn

I'm kicking myself for missing the Hacking Exposed session with Stuart McClure and George Kurtz at RSA. These guys were able to pwn a Windows Primary Domain Controlled from an iPhone. Wow! Thats some pretty amazing stuff.

For those interested in getting in the weeds with computer security I highly recommend you read Stuart and George's book Hacking Exposed. Its considered by many to be the bible for penetration testing.

The Cold War Reloaded?

In its 2007 Virtual Criminology Report McAfee stated that "cyber crime has expanded from isolated attacks initiated by individuals or small rings to well-funded, well-organized operations using sophisticated technology and social engineering." Further, the report noted that an estimated 120 countries are developing or utilizing cyber espionage or warfare capabilities. The report speculated that we are now entering a "cyber Cold War." 

This past week at the RSA Conference in San Francisco I had the pleasure of moderating two panels that discussed this cyber Cold War analogy. The specific purpose of these panels was to more thoroughly analyze the Cold War analogy and tease out those similarities that could aid policy makers in better understanding the current threat environment and discarding those differences that would lead decision makers astray.

The conclusion of both panels was that we are indeed facing an exacerbated cyber threat. Some panelists concluded that we were indeed engaged in a cyber cold war with various adversaries, while other attendees were hesitant to label the currently threat environment as a "war". Further, the panelists found some useful similarities and distracting differences between the Cold War and the current cyber threat environment. Its my intention to blog about some of these similarities and differences that we discovered in future blog posts. Stay tuned!

A Cyber Cold War?

Next week, i'm headed out to the RSA Conference in San Fracisco to moderate a panel that will discuss whether or not the United States is currently engaged in a "cyber cold war". The panel abstract gives a overview of the planned discussion:

It is widely believed that the world is in the midst of a "cyber cold war". China's alleged cyber espionage against the U.S. and Russia's flexing of its cyber muscles on its neighbors are purportedly examples of this new cold war. It is clear that nation-states use cyber warfare to achieve political goals, but is there a new "cyber cold war"?

The other panelists and I will closely examine the comparison of Cyber War to the Cold War. Specifically, we will analyze the similarities and differences between the geopolitical structure of the Cold War world and today's world order. Further, we will study the specific weapons technologies of the Cold War and of Cyber War and debate if the differences between these technologies negates any comparisons between the eras.

It should make for an interesting discussion and I am very excited to share the stage with renowned cyber security experts including Ed Giorgio, Thomas Fuhrman, Dmitri Alperovitch, and one of my mentors Ed Skoudis.

I'll be sure to post updates from San Francisco about the conference.

Scanning the Grid

Last week's WSJ article has stirred controversy within the cyber security community. Many, including myself, recognize the vulnerabilities in the power grid but nonetheless feel this specific story was was hype. Others believe the real threat to the grid is from insiders, not external hackers.

The fundamental problem with the WSJ article is that it provided no specific information to support its claims. Sure, its logical to assume that rival nation-states, like Russia and China, are interested in developing offensive cyber warfare strategies and tactics - including the capability to take out a power grid. However, without solid attribution data it is difficult to state with certainty that China and Russia have indeed penetrated our grid.

As we've discussed attribution is difficult, but not impossible. Thankfully, independent cybersecurity researchers have stepped into the void and attempted to provide more reliable attribution data. Team Cymru recently published a study documenting the origination point of probes for SCADA systems. As we've discussed in class, SCADA systems are used to monitor and control power plants and the power grid. If a hacker were able to locate and gain control of a SCADA system responsible for power generation or distribution, the hacker could presumably crash the SCADA system and disrupt the grid.

According to Team Cymru's research,

scans of our Darknet for 2008 for udp/20000, tcp/502, udp/2222, tcp/44818 and udp/44818. These ports encompass protocols that are believed to control a large section of currently deployed SCADA systems. The IPs scanning for these ports seem to be grouped into four geographic regions:

USA: The two main hotspots for scanning appear to emanate from IPs located in Houston, Texas and Miami, Florida.

Western Europe: There are hotspots in London, United Kingdom, Seville, Spain, and apparently in locations in Scandinavia and Southern France.

Eastern Europe: Hotspots in this region include St Petersburg and Moscow as well as a location in the Ukraine and Bucharest, Romania.

Far East: By far the most concentrated grouping of hotspots, the Far East contains concentrations of SCADA scanning IPs in Thailand, Hong Kong, Taiwan, Korea, Japan and several locations in China.

On the surface, this data appears to indicate that hackers in China and Russia are actively scanning the Internet in search connected SCADA systems. I appluad Team Cymru's efforts to bring analytical clarity to the question of whether rivals are penetrating our power grid. However, I do feel compelled to point out a couple of limitations of their studies.

First, just because a scan originates from China does not mean the hacker executing the scan is based in China or Russia. A hacker from another country could easily connect to a bot in China or Russia to carry out a scan.

Second, its important to note next to China and Taiwan, the United States was the third most popular origination point for scans for SCADA systems. Does this mean that hackers in the United States are also probing for SCADA systems? Or does it mean that hackers are using bots based in the US to carry out thier scans?

My point is that more data and analysis is required in order to accurately identify the source of a probe or a cyber attack. Again, attribution is difficult but impossible and it is absolutely necessary.

Privacy vs. Security - An Example

As you may recall during our social engineering exercise, one of the attack vectors we discussed used a URL shortening service and Twitter. The implicit trust between users on social networking sites like Twitter, increases the chances that a user will click on links from someone they "follow". The use of URL shortening services to save precious character space makes it more difficult for a user to vet the site they are clicking through to and therefore leaves many users in jeopardy of visiting a malicious site.

Some URL shortening services, like TinyURL, have responded to this problem by creating a preview function that allows users to view the full URL of the destination website prior to visit the site. For those interested in utilizing this service visit http://tinyurl.com/preview.php.

I bring this service to your attention for two reasons. First, I strongly encourage those users of Twitter or TinyURL to make use of this feature for security purposes. Second, this service demonstrates a tension between privacy and security.

TinyURL is interested in protecting the security of its users and therefore created this URL preview service so that users could defend themselves against social engineering attacks. However, this URL preview feature is enabled via the use of cookies. A cookie is a persistent file written to your hard drive that allows TinyURL to uniquely identify you (or more precisely your computer). As a result, TinyURL is able to log all the links you (or someone using your computer) visit. As we discussed in class, this type of data collection represents a threat to privacy as users may not fully understand that a portion of their surfing history is being tracked by TinyURL. As a result of this data collection a host of other privacy concerns are raised including the possiblity of secondary use.

I am in no way seeking to condemn TinyURL. I believe it is doing the right thing by creating this preview functionality to protect its users from social engineering attacks. Further, using a cookie is far less intrusive then requiring users to register for an account and provide personal information. That being said, I believe TinyURL can do a much better job explaining to its users what its data rention policy is and how it protects the surfing history of its users from abuse.

Cyber Security Hype Reloaded

Following up on our original discussion about the hype surrounding the threat to the power grid, Nart Villeneuve shreds the myths surrounding the WSJ story and shines a light on the more pressing threat to critical infrastructure.

Nart writes,

Now, the point here is not to diminish the threat of attack against critical infrastructure but to point out that the hype-based approach ends up bringing focus on the wrong kinds of threats. By focusing on external Internet-based threats (that may or not really exist) the focus on the insider threat is lost.

In many cases the insider threat is of more importance than an external, Internet-based threat (especially when such systems are *not* connected to the Internet).

As a point of reference, Nart helped lead the Ghostnet investigation and is widely respected throughout the Information Security community. His opinions should be taken very seriously. You can find him online here.

Use Sandboxie

If you're interested in enhancing the security of your online interactions and protecting your personal data you should make use of Sandboxie.

During our brief discussion about the Pwn2Own contest we noted that Chrome was the only browser not to be hacked. Chrome survived the onslaught in large part due to its use of sanbox technology.

Sandboxie operates on a similiar principal. You can run your web browser or your email application through Sandboxie. This will protect your computer by running these programs in a virtualized environment and prevent malware, such as keyloggers, from being installed on your computer.

Deconstructing Attribution

Conventional wisdom dictates that it is nearly impossible to assign attribution of a cyber attacker. According to this school of thought the open nature of the Internet allows an attacker to spoof their IP address and obfuscate their identity by routing through a series of proxy servers or utilizing a botnet. Further, it is believed that even with the technical capacity to accurately trace the origin of an attack, it is impossible with current technology to know who is at the keyboard executing the attack.

As the attribution problem is central to a number of vexing cyber security predicaments, it is important to study and validate the assumption that attribution is nearly impossible. While it is technically difficult to trace the origin of attack through a confusing maze of proxy servers or infected bots, attribution is not solely dependent on the technology needed to identify an accurate IP address.

A number of others technical and non-technical data points can help identify the source of an attack. For example, if the source of an attack is a bot investigators can attempt to identify who wrote the bot code and who currently controls the bot. In the summer of 2008 a large botnet was used to launch DDoS attacks against targets in Georgia. While the use of a botnet appeared to complicate the task of identifying those responsible for the attack, a closer examination revealed that the botnet used during the attack was known as "Machbot". According to Arbor Network's Danny McPherson, "Machbot is primarily a Web-based Russian DDOS botnet written in Russian, used by several different groups, but not widely available." While the identification of the botnet used for the attacks on Georgia does not provide irrefutable proof of Russia's responsibility for the attacks, it certainly does provide compelling evidence that Russian nationalist hackers and possibly the Russian government were involved in these attacks.

Additionally, analyzing the attacker's target may help reveal his or her identity. The target of the attack reveals information about the intentions of the attacker and can therefore aid in attribution. Returning to the example of the cyber attacks against Georgia, the corresponding phsyical conflict between Russian and Georgian troops in South Ossetia led many analyst to suspect that Russian nationalist hackers, possibly at the direction of the Russian Government, were responsible for the DDoS against Georgian websites.

Finally, patient and clever cyber intelligence gathering can reveal a tremendous amount of information the individuals or entities responsible for an attack. After the presence of the Ghostnet cyber espionage network was revealed, Heike and Jumper from the Dark Visitor blog demonstrated that patient cyber intelligence gathering can aid in attribution. Specifically, via clever analysis of whois registration data and patient trolling of chinese hacker forums, Heike and Jumper were able to identify at least one individual believed to be responsible for the Ghostnet cyber espionage network.

In short, it vitally important to understand that attribution is difficult, but not impossible. There may not be fancy technology that can discover the origination point of an attack and identify the individual at the keyboard. However, through patience and old school detective work it is possible to identify the hackers, criminals, spies, or terrorists responsible for a cyber attack.

What is a Cyber Attack?

I came across an interesting argument raised by Kent Anderson at the Politically Motivated Computer Crime and Hacktivism Blog. Mr. Anderson notes some interesting inconsistencies in the recent Wall Street Journal report that claimed Chinese and Russian hackers had infiltrated the U.S. power grid. Specifically, the article stated,

The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

However, the article also claims,

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on.

Mr. Anderson astutely notes that the contention that the "intruders haven't sought to damage the power grid" is fundamentally flawed. According to our discussion of information security theory, specifically the concepts of confidentiality, integrity, and availability, the act of installing malicious code into the power grid is a cyber attack. Although the hackers haven't attacked the availability of the grid, the installation of this code does attack the integrity of the power grid.

Recall that according to the National Institutes of Standards and Technology, "a loss of integrity is the unauthorized modification or destruction of information." According to the WSJ, "software tools" were installed within the power grid "that could be used to destroy infrastructure components." This represents a clear attack on integrity.

The WSJ article appears to have raised the threshold for what defines a cyber attack. By this new definition, an attack must involve physical damage or economic damage. Some advice to the WSJ, when reporting on complex cyber security stories please do your homework and do not rely on "anonymous sources".

Hacking for Dummies

From the San Jose Mercury News,

Santa Clara County officials have declared a local emergency after they said someone intentionally cut an underground fiber optic cable in south San Jose, causing a widespread phone service outage in southern Santa Clara and Santa Cruz counties today that included disruption to 911 emergency phone service.

John Britton, a spokesman for AT&T, said it appears somebody opened a manhole in South San Jose, climbed down eight to 10 feet and cut four or five fiber-optic cables.Britton also said there was a report of underground cables being cut in San Carlos.

Barrett Lyon of BitGravity states that the damage from these cuts included,

many people in Silicon Valley woke up without 911 service, Internet, cellular phones, and in some cases TV. Web sites were impacted and Internet traffic between a few major datacenters stopped flowing.

If cables were cut at a number strategic locations the impacts can be significant. In December 2006 a massive earthquake off the coast of Taiwan damaged multiple underseas fiber optic cables and disrupted traffic throughout Asia for days.

The apparent intentional cable cuts in San Francisco demonstrate that attacks on the cyberspace can have the same impact as the attacks in cyberspace.

Extremist Web Sites Are Using U.S. Hosts

Today's Washington Post reports on the Taliban's use of U.S. Internet Service Providers (ISP). The article states,

On March 25, a Taliban Web site claiming to be the voice of the "Islamic Emirate of Afghanistan" boasted of a deadly new attack on coalition forces in that country. Four soldiers were killed in an ambush, the site claimed, and the "mujahideen took the weapons and ammunition as booty."

Most remarkable about the message was how it was delivered. The words were the Taliban's, but they were flashed around the globe by an American-owned firm located in a leafy corner of downtown Houston.

For those writing their final paper on how terrorist groups use the Internet, I recommend that you read it in full. Despite the articles implication that the use of U.S. ISPs is a "new" trend, it is important to understand that terrorist groups, specifically al-Qaeda, have long made use of U.S. ISPs to deliver their message. Ive seen groups use U.S. ISPs for the last five years. Ive also seen terrorist ulilize other American online services such as YouTube!, the US Government funded Internet Archive, and WordPress to name a few.

Cyber Security Hype

From the Wall Street Journal,

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

This isnt really news. As we've discussed in class, similar reports have surfaced in the past few years.  As there is not much new in this WSJ story, my cynicism of politics on Capitol Hill leads me to believe that this story was planted by people interested in pushing the Cybersecurity Act of 2009. 

To be clear, I do believe that there are vulnerabilities in the power grid and other critical infrastructures.  Further, I believe that hostile nation-states and non-state actors currently have the capability and intention to penetrate our critical infrastructure.  However, I am not convinced that federalizing cyber security is the answer.

UPDATE: This piece in Forbes validates my suspicion that this story was planted in order to pressure the private sector into accepting more stringent regulations.

UPDATE: Richard Stiennon from the ThreatChaos blog is in total agreement that this story is hype.

Skimming Identities

From the Consumerists blog,

This past weekend I went to use the local WaMu ATM to get some cash money. When I walked up to the ATM something struck me as funny…I couldn't quite put my finger on it but the card reader didn't look right, like it wasn't completely attached. I grabbed and pulled at the card reader and, lo and behold, it came off! It was actually a card skimmer attached to the ATM over that actual card reader. On the back there is a battery, flash memory card, and a mini USB port – it was set up so that ATM cards would first go through the skimmer and then into the ATM itself so you'd never know the difference.

While this type of attack is different then the type of phishing and other targeted cyber attacks then we've discussed this semester, it is important to note the varied technical means criminals employ to achieve their goals.

The Profile Police

From the Washington Post,

As high school students flock to social networking sites, campus police are scanning their Facebook and MySpace pages for tips to help break up fights, monitor gangs and thwart crime in what amounts to a new cyberbeat ...

An expedition into a thicket of blinking MySpace profiles found high school students discussing drugs, sex and fights. It was all publicly available (although in language that caused a reporter to blush).

"It's crazy, the things they put on there," Loudoun County Sheriff Stephen O. Simpson said. "They seem to think they're invisible."

Some students object, 

"It's not really [their] business to be looking at students' profiles," said Eleni Gibson, 15, a freshman at Robinson. "Because they might see something that students didn't want them to see." But she acknowledged that the practice might be worthwhile for safety."

Others acknowledge the presence of police on social networking sites,

"I think that we all know that [they] can look at our Facebooks, and they do," said LeighAnne Baxter, 17, a senior at Robinson. "If you do put up incriminating pictures, you have to be prepared for the consequences."

Hunting the GhostNet Hacker

Heike and Jumper from the Dark Visitor blog recount their search for the hacker behind the Ghostnet cyber spying network. Its a fascinating read and it provides an excellent case study of cyber intelligence tradecraft.

For those interested in writing on Chinese cyber espionage or cyber intelligence gathering tradecraft for their final paper I highly recommend you read this specific post as well as the entire Dark Visitor blog. Heike and Jumper do great work.

Weekly Roundup

• China pwns Britain?
• Britain's Snooper Charter to monitor social networking sites
• US Senate wants to regulate cyberspace
• Internet Fraud complaints up 33% in 2008
• PowerPoint zero-day in the wild
• Senator Nelson pwned (by China?)
  
• Multiple DNS providers under DDOS attack
• China pwns Australian Prime Minister (notice a pattern here?)
  

Conficker World Maps

Shadowserver and Conficker Working Group have produce these maps that illustrate the distribution of hosts infected with the Conficker worm.