Computers


Cyber “Hype” or Not?

Wired carried a story by Ryan Singel titled “Cyberwar Hype Intended to Destroy the Open Internet”. While I respect his opinion, I do not share it. While I agree that we must be careful of more and more government involvement in governing how the internet works, I do not agree that the government is “hyping” the cyberthreat. In response to an interview with Mike McConnell where Mike recommends changing the underlying structure of the internet to support tracking down cyberthreats, Ryan states:

He’s talking about changing the internet to make everything anyone does on the net traceable and geo-located so the National Security Agency can pinpoint users and their computers for retaliation if the U.S. government doesn’t like what’s written in an e-mail, what search terms were used, what movies were downloaded. Or the tech could be useful if a computer got hijacked without your knowledge and used as part of a botnet.

First of all, Ryan is correct in that the Government could abuse that capability and hunt me down for sending an email they don’t like.  I don’t think that anyone in the Government really cares about my email.  Maybe someone does, but I would like to hope that they have better things to do than hunt me down.  I think one thing that is often overlooked in this area is that the NSA as well as all of our intelligence agencies are filled with people.  As they develop capabilities to be used within our borders, they must have in mind that these capabilities could be used against them or their families.  I would doubt that they would like to be spied on either, and I will give them enough credit to call foul if it looks like we are going to spy on everyone within our borders.  Some may think that it is the greatest idea ever, but I don’t think it would be shared by the majority within the intelligence community.

Chinese Cyber Attacks: Aurora Tactics

iSec has published a .pdf file on “Aurora Response Recommendations”. It is a good read, and does a great job of outlining how the cyber attacks that went after Google and others were conducted. They don’t go into a huge amount of technical detail, so it is written such that even non-forensics folks can understand it.

According to the report, here are the basic Chinese tactics behind the attacks:

  1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.
  2. This website uses a browser vulnerability to load custom malware on the initial victim’s machine.
  3. The malware calls out to a control server, likely identified by a dynamic DNS address.
  4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.
  5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.
  6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.
  7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.

Pretty straightforward, and effective. It is a blended attack which would be nearly impossible for the average user to stop. If your boss sends you a link to go to, you go to it. How can a person know that it wasn’t your boss that sent the link? Unless you are willing to ignore everything sent to you via email, social engineering attacks will remain effective. As soon as you click on that link, the rest is done with existing or zero-day browser exploits.
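As an added example (mine, not code from the iSEC report or anything the victims ran), here is a small Python triage script that checks two of the steps above against log data: DNS queries to dynamic-DNS providers that repeat at a regular beacon interval (step 3), and account-creation events on the VPN server (step 6). The log formats, hostnames, IP addresses and the list of dynamic-DNS provider suffixes are all constructed for the example and would be swapped for a real resolver log, the real Windows Security event feed, and whatever provider list the responder trusts.

```python
"""Aurora-style triage: dynamic-DNS beaconing and new accounts on the VPN server.

Added example; every log line and host name below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: dynamic-DNS provider suffixes worth flagging in this environment.
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.org", "no-ip.com", "3322.org")

# Constructed resolver log: "<iso-timestamp> <client-ip> <query-name>"
DNS_LOG = """\
2010-01-12T09:00:00 10.1.4.22 mail.example.com
2010-01-12T09:05:00 10.1.4.22 update-svc.3322.org
2010-01-12T09:10:00 10.1.4.22 update-svc.3322.org
2010-01-12T09:15:00 10.1.4.22 update-svc.3322.org
2010-01-12T09:20:00 10.1.4.22 update-svc.3322.org
2010-01-12T09:21:13 10.1.4.37 www.example.org
"""

# Constructed Windows Security events: "<iso-timestamp> <host> <EventID> <subject> <target>"
# 4720 = user account created, 4624 = successful logon.
WIN_LOG = """\
2010-01-12T22:14:05 VPN-GW 4720 CORP\\svc_backup CORP\\jsmith2
2010-01-12T08:30:00 DC01 4624 - CORP\\alice
"""


def parse_dns(text):
    """Yield (timestamp, client, qname) tuples from the constructed resolver log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def is_dyndns(qname):
    """True when qname is a flagged provider domain or a host under one."""
    return any(qname == s or qname.endswith("." + s) for s in DYNDNS_SUFFIXES)


def flag_dyndns(text):
    """Distinct (client, qname) pairs that resolved a dynamic-DNS name."""
    return sorted({(c, q) for _, c, q in parse_dns(text) if is_dyndns(q)})


def find_beacons(text, min_hits=4, tolerance_s=30):
    """(client, qname, mean_gap_seconds) for names queried at a near-constant interval.

    A C2 implant re-resolving its controller on a timer shows up as evenly spaced
    queries; a human browsing does not.
    """
    seen = defaultdict(list)
    for ts, client, qname in parse_dns(text):
        seen[(client, qname)].append(ts)
    beacons = []
    for (client, qname), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            beacons.append((client, qname, round(sum(gaps) / len(gaps))))
    return sorted(beacons)


WIN_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+)$")


def flag_account_creation(text, watched_hosts=("VPN-GW",)):
    """(host, creator, new_account) for event 4720 on hosts where new users are rare."""
    hits = []
    for line in text.splitlines():
        m = WIN_RE.match(line)
        if m and m.group(3) == "4720" and m.group(2) in watched_hosts:
            hits.append((m.group(2), m.group(4), m.group(5)))
    return hits


def triage(dns_text=DNS_LOG, win_text=WIN_LOG):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "dyndns": flag_dyndns(dns_text),
        "beacons": find_beacons(dns_text),
        "new_accounts": flag_account_creation(win_text),
    }


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, findings)
```

The beacon check is the one that survives an attacker switching providers: it keys on timing rather than on the domain list, so it still fires when the controller lives under a domain nobody has blacklisted. The 4720 check is deliberately narrow; on a domain controller that event is routine, on a VPN gateway it should be rare enough to page on.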

The majority of the report goes into recommended countermeasures to take.  Overall, I think they did a good job of highlighting what should be considered best practices in securing a corporate network.  I wanted to highlight one of their items that I think is often overlooked:

Classify and catalog sensitive data. Victims of these types of attacks who do not understand the disposition of their critical data and systems start at a disadvantage. Having this list in hand at the start of an incident response can guide the responders to the systems of greatest import to the victim and attacker.

How often do we try to protect everything on the network? Having an idea as to what really is the crown jewels is necessary to protect them. The Government classifies things from UNCLASSIFIED to TOP SECRET, and corporations should do the same… and if necessary, place the crown jewels on a stand-alone, isolated network without any connectivity to anything else. Not realistic for most companies, true, but that may become the standard in the future.

Facebook vs. Military Operations

Recently, the US Military loosened its draconian rules about military personnel accessing Facebook or other social networking sites. At the same time, Israel had to cancel a military operation because one of its soldiers put details of the operation on Facebook.

No government has been successful in revoking their military personnel’s right of free speech. Sometimes the speaking comes through family members, and sometimes from the military members themselves. Social networking has brought a new dimension to this. In WWII, soldiers had their mail read and censored. While that works for mail, that doesn’t work for anything internet related. Unless you are willing to put thousands of people behind a human firewall similar to the estimated 30,000 involved in the Chinese effort at internet censorship, it won’t work. Even China with that level of effort fails routinely. This is even harder when you have a volunteer force. If you treat the military as criminals, you won’t get many volunteers. The military gives up a lot of their rights when they enter the service, but they can only be pushed so far.

So, what is the solution? The only obvious one is training. There must be extensive training within the military as to what is appropriate and inappropriate to post on the internet. I bet Israel had such training for the stupid one that posted the operational details on his Facebook account. You know that training is never a perfect solution, but the military should go further than it currently does. Any possible stupid mistake that is avoided is a victory. BTW, same goes for your kids on the internet.

I know that when I am writing a post, I must be careful in what I say for legal reasons. The last thing I need is some company getting offended and filing a libel or slander suit against me. This is a hobby for me and I couldn’t survive a lawsuit. At the same time, I like to write about stuff I know something (sometimes a little something) about, and so I do so. I think that everyone needs to understand that anything posted on the internet is inherently public, even if it was never intended to be public. Do not trust Facebook’s or any other social network’s privacy settings. They are only as good as their implementation, and all companies will release your private data in response to a legal subpoena for the information. Use common sense, and don’t put something on the internet that will get your buddies killed. Think first, type second.

Is Open Source the Enemy?

Networkworld.com had an article on the International Intellectual Property Alliance’s (IIPA) efforts to paint nations that endorse open source software as an enemy to intellectual property.  They produce an annual “Special 301 watchlist”.

The Special 301 watchlist is drawn up annually by the IIPA in conjunction with the U.S.T.R. and other federal agencies, a list of nations whose acts, policies or practices “deny adequate and effective protection of intellectual property rights or fair and equitable market access for U.S. persons relying on intellectual property protection.”

Several nations on the watchlist have been targeted because they support the adoption of open source software because it “weakens the software industry and undermines its long-term competitiveness.” What a crock. Many countries are moving towards open source (have you seen whitehouse.gov lately?), and this is a good move. I can understand why businesses that make a profit by selling proprietary software fear open source, but welcome to the world of the competitive market. Make a better product that adds sufficient value to justify the extra expense. If someone can’t afford to run your proprietary software, either accept that they will be using an illegal copy of your software, or welcome their move to open source. You are never going to be able to make people pay for software that they can’t afford.

I looked at some of the .pdf’s associated with the 301 report, and these are some of the more interesting quotes:

On the Philippines: IIPA was concerned regarding reports of consideration of a Free Open Source Software bill which would require government offices to use open source software. Passage of that bill would deny technology choice regarding software usage and ultimately would stunt the growth of the IT industry in the Philippines.

On Indonesia: For example, in March 2009, the Ministry of Administrative Reform (MenPAN) issued Circular Letter No. 1 of 2009 to all central and provincial government offices including State-owned enterprises, endorsing the use and adoption of open source software within government organizations. While the government issued this circular in part with the stated goal to “reduc[e] software copyright violation[s],” in fact, by denying technology choice, the measure will create additional trade barriers and deny fair and equitable market access to software companies.

On Thailand: Conversely, IIPA is concerned by the proposed preference policy of the Prime Minister mandating government agencies to buy open source software, which is inconsistent with APEC policy guidance on technology choice.

If you are a poor nation, what “technology choice” do you have? You can steal, or use open source. Open source software is not always the best software out there, but in many cases it is “good enough”. Even open source software has viable business models surrounding it, as RedHat has proven. It isn’t easy, and you have to prove your worth and compete on what your customers may feel that they should get for free. I don’t see how breaking the law and having a “technology choice” is better than using open source. And for that matter, there are often plenty of choices within the open source community.

Perhaps someday the IIPA will understand that open source is not their enemy, and that putting a gun to the head of nations that support open source isn’t going to win them friends. Better yet, maybe the US Government will learn to not support such stupid accusations against countries. The U.S.T.R. should not be involved with this. If a lobbyist wants to make themselves look like fools, I can’t stop them… but I’m ashamed that anyone in our government took part in this.

NetTalk vs. MagicJack

One commenter recommended that I look at NetTalk in response to my MagicJack experience. I went over to NetTalk and took a quick look around. In all, it is very similar to MagicJack, and based on browsing their forum, they are having many of the same problems as MagicJack. I do have to give them kudos for at least having a forum, where you can even find negative reviews. You don’t find anything similar to that on MagicJack’s site. NetTalk seems to actually be listening to customers, whereas there is no easy way to judge how MagicJack is working with customers.

NetTalk and MagicJack use the same type of technology, although the implementation is different. NetTalk probably took a look at some of the criticisms of MagicJack, such as requiring being plugged into a computer, and addressed them. As for the quality, I can’t say. I’m not really interested in buying one to try out, and I really don’t make enough phone calls to justify anything beyond my current cell phone plan. If I had to choose between the two on functionality, I’d go with NetTalk.

Their billing structure is different. Unlike MagicJack, NetTalk costs more upfront, but you get “lifetime” free calls after that. Really, that is one business model that will allow NetTalk to bring in more income, and if it fails, they made more money than they would have if they charged a yearly fee like MagicJack. It is a way for them to milk the customer on an unproven product, and if anyone really thinks that this will be used for a lifetime beyond a couple of years, you have to be kidding. If they are lucky they will survive this business and will be around for a long time. The odds are against them, but who knows. If you intend on going out of business in the near term (not saying that they are), then any business model that maximizes income in the near term is good. I almost feel like I am being set up for failure… but maybe that is just me.

Well, whichever you choose, there are risks and benefits. I prefer MagicJack’s business model, but I give a nod to NetTalk’s functionality and their much more open communication model.

MagicJack suit thrown out of court

MagicJack sued Boing Boing, and their suit was thrown out of court. Boing Boing reported in 2008 that the MagicJack EULA states that the customer must give up their right to sue the company and that they may analyze your phone calls to target ads. The EULA still states this today. What was most bothersome was that the EULA was not accessible from the MagicJack webpage in 2008 (it is now, if you search on the term “EULA”).

I bought and used a MagicJack a couple of years ago.  I was underwhelmed with its performance and it was nearly impossible to find any useful information on the webpage.  As Boing Boing stated, there is no way to uninstall the software (maybe there is now), and I had to rebuild my computer to uninstall the software.  I like the concept but I was bothered by the customer experience, especially if you needed help.  I think their website is designed to dissuade users from draining any of their support personnel time.  Given the cost they sell this device for, I’d be surprised if they have many, if any, support staff.  I finally gave up on using the device and stuck with using my cell phone instead.

Can the US survive a Cyber War?

Net-Security.org had a story on a recent exercise regarding the US’s ability to detect and defend against a cyber attack.  The article starts with:

The inability to deflect even a simulated cyber attack or mitigate its effects shown in the exercise that took place some six days ago at Washington’s Mandarin Oriental Hotel doesn’t bode well for the US.

It raises the question: does the US Government have an obligation to defend the US from cyber attack? I don’t think… maybe I’m wrong, but I don’t think there is anything in the Constitution stating that the Government has an obligation to defend against cyber attack. If the US Government took the necessary steps to detect and defeat a cyber attack, then the Government would be accused of interfering in business and spying on its own people. To detect a cyber attack, you must have a way to monitor internet traffic. The Government would have to instrument the internet, including the servers at your ISP. If they did so, there would be a public outcry that it is an invasion of privacy to monitor everyone’s internet traffic. As a nation we will have to choose either privacy or cyber security; you technically can’t have both. And I’m not sure if it is even the role of the Government to protect individual citizens or corporate networks. I agree that they should protect government networks, but beyond that it gets very difficult to justify that the benefit outweighs the risks. It should be a corporate or individual obligation to protect your own computer.

So the exercise demonstrated that we can’t survive a cyber attack. Not really a surprise, now is it? It is a real threat that we should not ignore, and it makes sense that private businesses should combine their efforts to defend the corporate networks of the US. I suspect that much of this is actually happening behind the scenes. Let’s hope that they do, and we can sleep soundly… on a mattress stuffed with money (just in case).

DoD Welcomes Back USB Drives

Wired is reporting that USSTRATCOM has lifted the ban on the use of USB drives in the DoD. The ban was enacted after malicious code managed to bypass the DoD’s anti-virus scans by launching directly from the USB drive. The funny thing is that the lifting of the ban doesn’t really lift the ban, but restricts the use of USB drives to Government-issued approved devices. So, the vast majority of folks will still look at the USB drives used widely by DoD contractors with envy, and will continue to carry laptops around instead of simply moving the data.

I agree with the Wired article in that this is unlikely to reduce the chance of malicious code being introduced on military networks. The only way I can think of this working is if the USB profile used by the military is updated to only allow these approved drives. I don’t know if that is even possible, nor do I think that it would stop someone from using the USB drive at home, getting it infected, and then putting it on a military network. My money is on the ban being back in full force in a couple of months.
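As an added example (mine, not anything from the Wired article or DoD policy), here is one way a host can be made to accept only approved drives on Linux: a short Python script that holds an allowlist of vendor ID, product ID and serial number, a matcher for device records, and a generator for a udev rules file that uses the kernel’s USB interface authorization attribute to deauthorize every mass-storage interface unless its parent device is on the list. The device IDs are constructed. The udev attribute names and semantics used in the generated rules (`authorized` on `usb_interface` devices, `bInterfaceClass` 08 for mass storage, `ATTRS{serial}` walking up to the parent device) are assumptions about the target kernel and udev that should be confirmed with `udevadm info -a` on the host before deploying.

```python
"""USB mass-storage allowlist: VID/PID/serial matcher plus udev rule generator.

Added example; the approved device list is constructed, and the udev
attribute semantics are assumptions to verify on the target host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbDevice:
    id_vendor: str   # 4 hex digits, as read from /sys/bus/usb/devices/*/idVendor
    id_product: str  # 4 hex digits, as read from .../idProduct
    serial: str      # iSerial string, as read from .../serial


# Constructed allowlist of "approved" drives.  Matching on serial too means a
# drive that merely clones an approved vendor/product pair is still rejected.
APPROVED = frozenset({
    UsbDevice("0781", "5567", "4C530001230204113315"),
    UsbDevice("0951", "1666", "60A44C4145AEB121C9BD0E15"),
})


def is_approved(dev, approved=APPROVED):
    """Exact match on vendor, product and serial; case-normalised for the hex IDs."""
    key = UsbDevice(dev.id_vendor.lower(), dev.id_product.lower(), dev.serial.strip())
    return key in approved


def udev_rules(approved=APPROVED):
    """Render a rules file: deny all mass-storage interfaces, then re-allow approved ones.

    udev evaluates rules in file order, so the deny line must come first.
    Both lines act on the interface's `authorized` attribute (assumed to exist).
    """
    rules = [
        "# Generated USB mass-storage allowlist (assumed interface-authorization semantics).",
        "# 1. Deauthorize every USB mass-storage interface (bInterfaceClass 08) as it appears.",
        'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", '
        'ATTR{bInterfaceClass}=="08", ATTR{authorized}="0"',
        "# 2. Re-authorize only interfaces whose parent device matches an approved VID/PID/serial.",
    ]
    for d in sorted(approved, key=lambda d: (d.id_vendor, d.id_product, d.serial)):
        rules.append(
            'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", '
            'ATTR{bInterfaceClass}=="08", '
            f'ATTRS{{idVendor}}=="{d.id_vendor}", ATTRS{{idProduct}}=="{d.id_product}", '
            f'ATTRS{{serial}}=="{d.serial}", ATTR{{authorized}}="1"'
        )
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    # Constructed device records as they might be read from sysfs.
    plugged = [
        UsbDevice("0781", "5567", "4C530001230204113315"),  # approved drive
        UsbDevice("0781", "5567", "0000000000000000000"),   # same VID/PID, wrong serial
    ]
    for dev in plugged:
        print(dev, "ALLOW" if is_approved(dev) else "DENY")
    print(udev_rules(), end="")
```

The generated text would be written to a file under /etc/udev/rules.d/ and loaded with `udevadm control --reload`. Two caveats match the post’s own scepticism: an approved drive that was plugged into an infected home machine still passes this check, so the allowlist controls which hardware is accepted, not whether its contents are clean; and a device whose firmware lies about its serial also passes, so the list is only as strong as the drives’ own identity reporting.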
