Saturday, May 30, 2009

Hacking for the U.S. Government: Plum Job?

Here's an interesting article from The New York Times about the growth of contract work for the U.S. government in cybersecurity, something the Pentagon wants to enter with "religious intensity."

Government work, which conjures up bureaucracy and red tape in the minds of most freewheeling geeks, is something most self-respecting nerds would avoid at all costs. But the combination of the recession, a weak labor market in Silicon Valley, increased government interest in cybersecurity and the growth of defense contracts in cybersecurity has swelled the ranks of bright young computer engineers looking for a classified thrill.

The players include household names in the military and defense business such as Lockheed Martin, Northrop Grumman, General Dynamics and Raytheon. Some companies, like the 100-person unit at Raytheon, have built their cyberdefense businesses through acquisition.

The geeks with clearances, as they like to call themselves, use honeypots and other tools to track the hacking activity of their counterparts in places like China and Russia, and develop both defensive and offensive tools against cyberattacks.

Besides the contractors, there are an estimated 3,000 to 5,000 information operations specialists in the military itself. These initiatives are expected to help the U.S. catch up to its Chinese and Russian rivals, who have literally had free rein of American computer networks, both government and private.

Thursday, May 28, 2009

U.S. Military Developing Cyberattack Technologies

There's been a lot of talk both here and in the trade press about cyberdefenses, but now the military is also looking at cyberattack technologies, according to a fascinating article last week in Aviation Week.

The idea is to have cyberattack tools that are sophisticated enough to do the trick, yet easy enough to use in the field even by non-technical military people on the ground, SC Magazine reported.

The Aviation Week report said the military was impressed with how the Russians coordinated their traditional on-the-ground combat with a cyberattack during their war in Georgia last year. The U.S. military is looking to duplicate that effort with this project.

One of the tools is a device for tapping into satellite communications, VoIP, proprietary SCADA networks and any wireless network. Another tool, unclassified partly because it's built from open-source software, is Aircrack, which is used to crack wireless encryption keys.

The three elements of the cyberattack system are a toolbox, a planning capability and an execution capability. The toolbox holds hardware and software for specific missions, while the planning piece consists of a database of available capabilities. And the execution side, of course, is the actual conduct of the attack.

Wednesday, May 27, 2009

National Cybersecurity Coordination Center

The National Security Telecommunications Advisory Committee (NSTAC), after meeting with President Barack Obama last week, has approved a proposal to set up a 24-hour facility for monitoring cybersecurity.

The center would build on initiatives already in place by the NSTAC and the Department of Homeland Security's US Computer Emergency Readiness Team.

The project is part of the ongoing 60-day review of federal cybersecurity commissioned by the president, whose conclusions -- or at least some of them -- are due to be publicly announced soon.

ITU Releases Global Cyberlaw Kit

The International Telecommunication Union (ITU) recently released what it calls a "Cybersecurity Toolkit" with a list of best practices for drafting cybersecurity legislation.

The idea behind the toolkit, as reported in The H, is two-fold: first to help globally harmonize cybersecurity legislation and, second, to assist countries new to the cyberlegislation game in putting their own laws in place.

What's really interesting in the toolkit is a matrix of existing cybersecurity legislation by country, so that initiatives can be cross-referenced. All of the countries listed are key players in cybersecurity -- the US, the EU, Germany, Japan, Singapore, India and China, among others -- and have established laws on the books.

While attempting to harmonize anything globally, especially security, is dicey at best, this is still a handy reference for the different approaches and philosophies on cybersecurity by country and region of the world.

Tuesday, May 26, 2009

Obama Likely to Appoint Powerful Cyberczar

The president is expected to be days away from announcing the creation of a powerful cyberczar for overseeing the security of both government and private computer networks. The move by President Barack Obama comes as part of the release of a 40-page report on the status of federal cybersecurity he commissioned 60 days ago.

The new cyber chief is expected to be part of the National Security Council but will also report to the national security adviser and the White House senior economic adviser. Officials are mum, as negotiations and political jockeying are still in progress as we speak.

The focus on cybersecurity by Obama should definitely be applauded. But the report's conclusions, many of which won't be available to the public, and the turf battles between government agencies overseeing cybersecurity, have yet to be resolved.

The federal cybersecurity saga continues.

Self-Destructing Botnets: But Why?

Here's an interesting brief analysis about self-destructing botnets from Michael Kassner on TechRepublic's IT Security blog. While kill switches are nothing new in botnets, Kassner argues, it's not exactly clear what they do, or why they're there, in the first place.

Botmasters have total -- as in life-and-death -- control over their bots, and built-in self-destruct code is just one of those control mechanisms. Why merely control a machine when you can blue-screen its operating system altogether, if necessary? The concept was mentioned in a 2007 report by the ITU that nicely summarizes the whole subject of botnets.

Kassner cited three well-known botnets, in particular -- InfoStealer, ZeuS and Nethell -- all of which have built-in self-destruct mechanisms. But he focused on ZeuS in his article.

Basically, botnet kill switches can hide the botmaster's tracks when the heat is on, buy time for a phisher while transferring -- or stealing -- money from a bank account, or even be a way for a criminal gang to keep its botnet from falling into the hands of a rival cybergang. These are only a few possibilities.

Sunday, May 24, 2009

Apologies for Lack of Posts

I was rushed to the hospital last week with acute appendicitis. Apparently, it was worse than I had expected, since I woke up 24 hours later in intensive care, where I ended up for a total of two days. They discovered during surgery that my appendix had already perforated and my abdomen needed to be drained of all kinds of pus and other nasty stuff. But I'll be back posting news and tidbits from the exciting world of IT security within two to three weeks.

Friday, May 08, 2009

Massive Data Breach at UC Berkeley

Hackers have allegedly broken into a health care database at the University of California at Berkeley. Supposedly sensitive personal information, including Social Security Numbers, for 160,000 students and alumni was stolen.

The intruders started probing around the system last September, finally broke in on October 9 and were discovered on April 9, exactly a month before the university disclosed the breach to those potentially affected.

Authorities are tight-lipped about possible causes of the breach, but CBS News reported that the attackers might be from China.

Two things are known: the database was accessed via a public web portal used by the university, and the database and web servers were on the same server.

Hmm. That's interesting. Maybe a little SQL injection going on here? Database and web servers together. That's just a lack of plain IT security common sense.

Monday, May 04, 2009

A Penny for Your Corporate Secrets?

These are two unrelated stories about easily giving up secrets. The first is about how 37% of Londoners would reveal their company's secret information at the right price. Of that number, 63% would give up information if paid at least a million British pounds, and 10% would do it if their mortgage was paid off.

“It’s quite staggering that a third of people are open to bribery," Tamar Beck of Infosecurity Europe told the CBR Security web site.

In Nigeria, a television report noted that the market for used BlackBerries is based not on the model but on the value of data it might hold, as reported in The Register.

None of this should be shocking. Other reports had people exchanging secrets for chocolate and candy, and still others picking up loose USB sticks in parking lots. The USB sticks contained malware that stole data.

ChicagoCon Conference Starts Today in Chicago

ChicagoCon, the Ethical Hacking and Security Conference in Chicago, kicked off today and runs until Saturday, May 9. Program organizer Don Donzal also runs the Ethical Hacker Network.

The program promises to be useful both for those working toward security certifications and for those looking to sharpen their skills through educational seminars with noted speakers.

Sunday, May 03, 2009

Proposed Cyber Law Requires Security Licensing

The Cybersecurity Act of 2009, known formally as Senate Bill 773, is best known for its radical recommendation to give the president authority to shut down parts of the Internet under cyberattack.

While well-meaning, and a positive sign that the Obama administration is taking cybersecurity more seriously than its predecessor did, some critics say it would activate not just an Internet kill-switch, but also a business kill-switch, with burdensome licensing requirements for IT security professionals.

The issue is that businesses already struggling with resources to meet the current tangle of regulations -- SOX, HIPAA and PCI -- would have to add another to their project plans.

Section 7.a of the bill is short on details about the licensing requirement for the public sector, other than to say it would be administered by the Secretary of Commerce. It also isn't clear on whether it would be mandatory for cybersecurity professionals other than those working for the federal government.

Would a CISSP be enough for an IT security professional at a private company? That remains to be seen.

Locking Out Users? Good Security or DoS Enabler?

The idea of locking out users after a specified number of failed login attempts isn't new. It's been touted for a long time as a way to prevent unauthorized access to computer systems, such as by brute-force guessing of weak passwords.

And, in its recently released Special Publication 800-118, the National Institute of Standards and Technology (NIST) calls for just that approach, among others. It's also something I advocated on page 54 of my book, The Little Black Book of Computer Security, Second Edition.

But, in his recent weekly column in Network World, Mich Kabay, commenting on the new NIST password standard, says a better approach is outlined on page 3-5 of the standard. He also questioned my recommendation of lockouts in a column last year.

"Have a fixed or exponentially increasing delay after each failed authentication attempt. After the first failure, for example, there could be a five-second delay; after the second failure, a 10-second delay; after the third failure, a 20-second delay, and so on."

Kabay also commented on other password wisdom from the NIST draft document in another recent column.
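To make the difference between the two policies concrete, here is an added Python example (not code from the column, the NIST document or my book) that implements the doubling delay Kabay quotes, starting at five seconds, next to a classic hard lockout; the delay cap and the lockout threshold are my assumptions, and time is passed in explicitly so the behaviour can be checked without sleeping.

```python
from dataclasses import dataclass, field

BASE_DELAY = 5.0    # first failure: 5 s, as in the quoted recommendation
MAX_DELAY = 300.0   # cap so the delay cannot grow forever (assumption)


@dataclass
class ExponentialDelay:
    """Per-account delay that doubles after each failed attempt."""
    # account -> (consecutive failures, earliest time another attempt is allowed)
    state: dict = field(default_factory=dict)

    @staticmethod
    def delay_for(failures: int) -> float:
        # 5, 10, 20, ... seconds, capped at MAX_DELAY
        if failures <= 0:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def attempt(self, account: str, password_ok: bool, now: float):
        """Return (outcome, seconds_to_wait). The password is not even
        checked while the account is throttled, so guessing gains nothing."""
        failures, next_allowed = self.state.get(account, (0, 0.0))
        if now < next_allowed:
            return "throttled", next_allowed - now
        if password_ok:
            self.state.pop(account, None)   # success resets the counter
            return "ok", 0.0
        failures += 1
        wait = self.delay_for(failures)
        self.state[account] = (failures, now + wait)
        return "failed", wait


@dataclass
class HardLockout:
    """Classic lockout: after `threshold` failures the account stays locked,
    even for the right password, until cleared (the DoS concern)."""
    threshold: int = 5
    failures: dict = field(default_factory=dict)

    def attempt(self, account: str, password_ok: bool) -> str:
        count = self.failures.get(account, 0)
        if count >= self.threshold:
            return "locked"
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = count + 1
        return "failed"
```

With the delay policy the legitimate owner is only slowed down by a few seconds while an attacker's guess rate collapses; with the lockout, anyone who knows a username can shut its owner out with a handful of wrong passwords.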