
ICG Risk Blog - [ Cybersecurity Public ]

Skype's encryption rendered transparent in China by Skype's Chinese partner TOM Online


Using the P2P VoIP client Skype has its risks, nicely catalogued by Simson Garfinkel in CSO: unproven crypto, its capacity to tunnel through and around firewalls, the Skype client's ability to relay calls between other network users without your knowledge, its ability to send worms and viruses to the unwary, and the fact that its development center is in the Baltic states. All of these pale beside the condition in which a local party applies what is effectively a man-in-the-middle filtering and blocking function. Welcome to TOM-Skype in China.

Skype "has admitted that its partner in China [TOM-Skype] has filtered text messages," invoking the Google and Yahoo defense that Skype was "complying with local law" in its partner's action, defending "this compliance with censorship laws as the only way to do business in the country." Skype’s chief executive, Niklas Zennström, stated that, "Tom had implemented a text filter, which is what everyone else in that market is doing. Those are the regulations." Mental contortions are fun to read. Zennström "insisted that the actions of Tom-Skype had not put users at risk," this in the face of Yahoo-provided information resulting in the arrest and jailing of dissidents.

But this note is less directed at the 2 million TOM-Skype users than to business users taking their Skype usage into China. The general nature of the intercept problem is cited here from an analysis of warrantless wiretaps and the Foreign Intelligence Surveillance Act (FISA):

Thirty years ago when FISA was being drafted it made sense to speak exclusively about the interception of a targeted communication, one in which there were usually two known ends and a dedicated ("circuit-based") communication channel that could be "tapped." In modern networks, however, data and increasingly voice communications are broken up into discrete packets that travel along independent routes between point of origin and destination where these fragments are then reassembled into the original whole message ("packet-based"). Not only is there no longer a dedicated circuit, but individual packets from the same communication may take completely different paths to their destination. To intercept these kinds of communications, filters ("packet-sniffers") and search strategies are deployed at various communication nodes to scan and filter all passing traffic with the hope of finding and extracting those packets of interest and reassembling them into a coherent message. Even targeting a specific message from a known sender requires intercepting (i.e., scanning and filtering) the entire communication flow…

Advances in information technology together with the borderless nature of terrorist threats and global communications have made place-of-collection and U.S. personhood an increasingly unworkable basis for controlling the collection of intelligence. Indeed, because of packet-based communication technologies like VoIP and the use of proxy servers, it may no longer even be technically possible to determine exactly when a communication is taking place "within the United States" and no practical means exists to determine if a particular participant is a U.S. person or not until after further investigation. FISA does not account for this. Automated screening can monitor data flows to uncover terrorist connections or terrorist communication channels without human beings ever looking at anybody's emails or listening in on their phone calls. Only when the computer identifies suspicious connections or information do humans get involved… Content filtering is used to search for the occurrence of particular words or language combinations that may be indicative of terrorist communications.

Skype's encrypted voice and IM text streams make that interception much more difficult. Without devoting sufficient decryption assets, the attacker/collector is reduced to traffic analysis.

TOM-Skype's insertion of filtering into SkypeChat IM messaging short-circuits the encryption step. And if TOM-Skype is filtering for "Falun Gong" on behalf of the government, they are scanning, if not filtering, for much more. If you know that the pipeline is in place, then conceivably any catchphrase that the Golden Firewall employs (See Fun on both sides of the Golden Shield: escape & evasion applicable to civil libertarians and terrorists alike and Finding Zhao Ziyang through the Golden Shield) can be extended to TOM-Skype. Were I the Chinese authorities, I would try to limit filtering, which will draw unwanted publicity, and monitor content for intel to use elsewhere.

Any business traffic to and from China via TOM-Skype should either be encrypted with a primary encryption tool before the text is inserted into SkypeChat or be carried by an independent encryption tool altogether; otherwise, consider that you are typing cleartext for any and all to read. It would be worth a test to see if TOM-Skype allows encrypted text to pass. PGP headers and footers are, after all, a standard searchable text string.

Having already recommended Phil Zimmermann's newest encryption software, Zfone, for some project team secure comm, I would suggest it here:

The open-source [Zfone] manages cryptographic handshakes invisibly, and encrypts and decrypts voice calls as the traffic leaves and enters the computer. Operation is simple, and users don't have to agree in advance on an encryption key or type out long passcodes to make it work… Zfone is designed to work with VoIP clients that use the industry standard SIP protocol, and has been tested with clients such as X-lite, Free World Dialup and Gizmo Project. Using Zfone didn't add any noticeable latency or distortion to calls made with Gizmo Project. Once it's up and running, you're simply talking on the phone.

But make no mistake: to eavesdroppers, Zfone is anything but routine. The protocol is based on SRTP, a system that uses the 256-bit AES cipher and adds to that a 3,000-bit key exchange that produces the codes callers can read off to one another. It has been submitted to IETF for approval as an internet standard, and by most accounts is strong enough to defy even the most sophisticated code-breaking technologies, from a hacker's packet sniffer to the acres of computers beneath Ft. Meade.

That makes Zfone the "most secure telephone system anyone has ever used… " The Gizmo Project ostensibly uses its own encryption for Gizmo-to-Gizmo calls, though the company won't reveal what algorithms they use. But primarily, Zfone is competing with the built-in crypto that comes with Skype, which is closed-source, uses its own proprietary protocols, and employs its own encryption scheme -- which, significantly, is not available for inspection and peer-review (though some have evaluated (.pdf) it and others purportedly cracked it anyway).
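The "codes callers can read off to one another" are a short authentication string (SAS) derived from the key exchange. The following is an added example, not Zfone's or the article's code, showing why reading the code aloud defeats a man-in-the-middle: a toy Diffie-Hellman exchange is hashed into a 4-character SAS, and when an interceptor runs a separate exchange with each caller the two spoken codes diverge. The prime, generator, 20-bit truncation and hash derivation are illustrative assumptions, not ZRTP's actual parameters.

```python
"""ZRTP-style short authentication string (SAS) demonstration.

Added example, not Zfone's code: an unauthenticated Diffie-Hellman exchange
whose result is reduced to a short code that both callers read aloud. If a
man-in-the-middle substitutes their own key exchange, the callers' codes no
longer match. Toy parameters and a simplified derivation; real ZRTP
(RFC 6189) uses standardized DH groups and a richer key schedule.
"""
import hashlib
import secrets

# Toy DH group for illustration only: a well-known 255-bit prime (the Curve25519
# field prime, used here as a plain modulus for classic modular DH) with g = 2.
P = 2**255 - 19
G = 2

# z-base-32 alphabet, as ZRTP uses to render the SAS as four letters/digits.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def sas_b32(key: bytes) -> str:
    """Render the first 20 bits of the derived key as four z-base-32 characters."""
    bits = int.from_bytes(key[:3], "big") >> 4          # top 20 of the first 24 bits
    return "".join(ZB32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


class Endpoint:
    """One caller's (or an interceptor's) side of a DH exchange."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1        # 1 <= priv <= P - 2
        self.pub = pow(G, self.priv, P)

    def derive_key(self, peer_pub: int, init_pub: int, resp_pub: int) -> bytes:
        """Shared key bound to both public values this side actually saw.
        Binding the public values is what makes a substituted key change the SAS."""
        s = pow(peer_pub, self.priv, P)
        material = b"".join(v.to_bytes(32, "big") for v in (s, init_pub, resp_pub))
        return hashlib.sha256(b"ZRTP-toy-SAS" + material).digest()


def direct_call():
    """Alice calls Bob with nobody in the path; both derive the same key and SAS."""
    alice, bob = Endpoint("Alice"), Endpoint("Bob")
    k_a = alice.derive_key(bob.pub, alice.pub, bob.pub)
    k_b = bob.derive_key(alice.pub, alice.pub, bob.pub)
    return k_a, k_b, sas_b32(k_a), sas_b32(k_b)


def intercepted_call():
    """Mallory sits between them, running one DH exchange with each side.
    Each caller derives a perfectly valid key, but with Mallory, not each other."""
    alice, bob = Endpoint("Alice"), Endpoint("Bob")
    m_to_alice, m_to_bob = Endpoint("Mallory->Alice"), Endpoint("Mallory->Bob")
    # Alice believes m_to_alice.pub is Bob's key; Bob believes m_to_bob.pub is Alice's.
    k_a = alice.derive_key(m_to_alice.pub, alice.pub, m_to_alice.pub)
    k_b = bob.derive_key(m_to_bob.pub, m_to_bob.pub, bob.pub)
    return k_a, k_b, sas_b32(k_a), sas_b32(k_b)


def callers_agree(spoken_by_alice: str, spoken_by_bob: str) -> bool:
    """The human step: each caller reads their SAS aloud and compares."""
    return spoken_by_alice == spoken_by_bob


if __name__ == "__main__":
    _, _, a, b = direct_call()
    print(f"direct call:      Alice says {a}, Bob says {b}, match={callers_agree(a, b)}")
    _, _, a, b = intercepted_call()
    print(f"intercepted call: Alice says {a}, Bob says {b}, match={callers_agree(a, b)}")
```

A 20-bit SAS means an interceptor has roughly a one-in-a-million chance of the two codes coinciding by luck, which is why the comparison is done out loud on every fresh call rather than once.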

If it must be secure, it must be "double encrypted" given that Skype's encryption has been rendered transparent in China.

ADDENDUM: As an issue of fairness, be certain to listen to the podcast associated with Can you hear me now? Big Brother is listening, as it is now manifestly clear that the US is performing a wholesale sweeping and filtering of all traffic passing through AT&T and its peer member access points. The short article carries only a fraction of the information in the podcast, which is the more interesting of the two. The difference is that the US is ostensibly pursuing counterterrorist threats.

Can you hear me now? Big Brother is listening
Posted by Richard Stiennon @ 1:50 pm
Threat Chaos
April 20, 2006
Podcast interview with "Deep Packet"

Skype says texts are censored by China
By Alison Maitland in London
Financial Times
Published: April 18 2006 22:23, Last updated: April 18 2006 23:01

Finally, the government props up ailing encryption industry
Posted by Richard Stiennon @ 1:58 pm
Threat Chaos
April 17, 2006

Pretty Good Way to Foil the NSA
By Ryan Singel
02:00 AM Apr, 03, 2006

Whispering Wires and Warrantless Wiretaps: Data Mining and Foreign Intelligence Surveillance
Center for Advanced Studies in Science and Technology Policy
NYU Review of Law & Security, No. 8, June 2006
DRAFT available in HTML
PDF available from abstract page

By K. A. Taipale
The Columbia Science and Technology Law Review
Vol 3, 2003

Can 9 Million Skype Users Be Wrong?
Skype is a great way to communicate. But CSOs should know that it also brings auditing and monitoring challenges.
By Simson Garfinkel
CSO, March 2005

Gordon Housworth

Cybersecurity Public  InfoT Public  



Threats to PDAs and smart phones will rival, even dwarf, PC infections


While there are some 150 viruses targeting cell phones today, most target smart phones in Europe and South East Asia using the Symbian operating system. That will soon change:

  • Cusp of rampant growth of smart phones and PDAs
  • Ascendance of keylogging, possibly rivaling phishing in volume
  • Multiple infection paths via multiple PDA functions of which the phone is one
  • PDAs displacing PCs for many tasks, more so in the developing world
  • Social engineering works as long as people are in the loop

Five simple rules apply for today's Bluetooth enabled smart phones (those most prone to infection):

  1. Do not answer 'yes' to an attempted message send, especially from an unknown user (just walk out of Bluetooth range)
  2. Do not swap memory cards (no matter how much you want that song)
  3. Do not download things (no matter how alluring that ring tone or game appears)
  4. Do not accept Multimedia Message Service (MMS) transmissions (even a known white list respondent could have violated rules 1,2, or 3)
  5. Disable Bluetooth or at least switch off the feature that lets your phone be detected by other Bluetooth devices

Unfortunately, users cannot disable themselves and so violations of rules 1, 2, 3, and 4 will certainly thrive amongst a growing user base. That conclusion tilts my support to Gartner's belief that the criteria for a pandemic scale worm or virus attack against mobile phones "will converge by the end of 2007" on the following:

  • Wide adoption of smart phones
  • Ubiquitous wireless messaging
  • Dominant operating system

Any mobile device that can receive, store and transmit pictures, music, games and videos can receive and transmit viruses and Trojans. One of the more insidious attacks against both PDAs and PCs will be silent keylogging:

In most cases, a keylogger or similar program, once installed, will simply wait for certain Web sites to be visited — a banking site, for instance, or a credit card account online — or for certain keywords to be entered — "SSN," for example — and then spring to life. Keystrokes are saved to a file, Web forms are copied — even snapshots of a user's screen can be silently recorded. The information is then sent back to a Web site or some waiting server where a thief, or a different piece of software, sifts through the data for useful nuggets…

Keylogging programs exploit security flaws and monitor the path that carries data from the keyboard to other parts of the computer. This is a more invasive approach than phishing, which relies on deception rather than infection, tricking people into giving their information to a fake Web site...

"These Trojans are very selective [monitoring] the Web access the victims make, and start recording information only when the user enters the sites of interest to the fraudster."

The potential for serious attacks is already cascading down from smart phones to less capable phones. A proof-of-concept Trojan now circulating in Russia, posing as an app offering the ability to use text messages to visit mobile Internet sites in lieu of a Net connection, can "infect any cell phone capable of running Java applications," not just smart phones. (Offered something too good to be true, users are lured by social engineering to download and launch it.) Another proof-of-concept virus has bridged the gap between PCs and mobile devices. Replicating each time the PC is booted, the virus waits for an ActiveSync session used to synchronize data between a PC and mobile device. The virus then copies itself to the device, deleting files.

What I find interesting in such an environment is that, unlike European cellular providers, US cellular firms are resisting antivirus agents on phones in their network:

Cell phone operators have typically focused on their network, rather than phones, as the place to try to thwart mobile virus threats. In moves invisible to users, they scan messages moving from one device to another to filter out malicious programs.

Gartner supports centralized scanning but I disagree with their contention that "installing antivirus software on cell phones would be a mistake" and that on PCs "antivirus tools became largely ineffective... when e-mail surpassed floppies as the dominant transmission mechanism for viruses." Our work takes us to grey area sites for which we depend on antiviral protection, firewalls and current patches - along with stripped down, isolated probe PCs.

"The mobile world should not repeat the mistakes of the PC world. Malware protection services should be built into the network first, and device-side protection should be the last resort."

I believe that Gartner's "last resort" case is much closer to hand, primarily because of what Bruce Schneier calls proxies (persons or organizations acting on your behalf):

Proxies are a natural outgrowth of society, an inevitable byproduct of specialization. But our proxies are not us and they have different motivations -- they simply won't make the same security decisions as we would...

Sometimes proxies act in our behalf simply because we can't do everything. But more often we have these proxies because we don't have the expertise to do the work ourselves. Most security works through proxies. We just don't have the expertise to make decisions about airline security, police coverage and military readiness, so we rely on others. We all hope our proxies make the same decisions we would have, but our only choice is to trust -- to rely on, really -- our proxies.

Here's the paradox: Even though we are forced to rely on them, we may or may not trust them. When we trust our proxies, we come to that trust in a variety of ways -- sometimes through experience, sometimes through recommendations from a source we trust. Sometimes it's third-party audit, affiliations in professional societies or a gut feeling. But when it comes to government, trust is based on transparency. The more our government is based on secrecy, the more we are forced to "just trust" it and the less we actually trust it.

I do not trust that cellular proxies will protect me, that they will understand every flaw in the hardware variations they put on their networks, that they will be capable of frequent zero-day exploit protection, or that they will anticipate the applications and uses to which users will increasingly put these "digital do-it-all" smart phones. I categorically do not expect them to think like a criminal or an attacker; they will think as defenders and thereby remain a step behind.

When the incentive for organized crime to accelerate its interest in mobile devices occurs "once people start online banking using their mobile devices or using mobile devices as debit cards or the authentication method of choice," I want access to a slimmer version of the Trusted Platform Module (TPM) security chip designed for PCs, the ability to install my specific point/perimeter protection yet not compromise the non-phone functions of the PDA.

New virus can pass from PCs to mobile devices
By Jeremy Kirk
IDG News Service
February 28, 2006

Russian phone Trojan tries to ring up charges
By Joris Evers
Staff Writer, CNET
February 28, 2006, 1:21 PM PST

Cyberthieves Silently Copy Your Passwords as You Type
By Tom Zeller Jr.
New York Times
February 27, 2006

Protecting Yourself From Keylogging Thieves
By Tom Zeller Jr.
New York Times
February 27, 2006

Is your cell phone due for an antivirus shot?
By Joris Evers
Story last modified Fri Feb 24 11:25:22 PST 2006

U.S. Ports Raise Proxy Problem
Commentary by Bruce Schneier
02:00 AM Feb, 23, 2006 EST

Invasion of the Computer Snatchers
By Brian Krebs
Washington Post
February 19, 2006

Your smart phone has a dumb virus
By Robert Vamosi
CNET Reviews
February 17, 2006

Cisco CEO to use 'holistic' security
United Press International
Feb. 17 2006

Brazilian police bust hacker gang
AP/The Age
February 15, 2006 - 4:37PM

More worries about Google Desktop 3
By Elinor Mills, CNET
ZDNet News: February 15, 2006, 1:52 PM PT

Microsoft Would Put Poor Online by Cellphone
New York Times
January 30, 2006

New security proposed for do-it-all phones
By Joris Evers
September 27, 2005, 4:00 AM PDT

It rings, it plays, it has TV
First there were TVs. Then came PCs. Now, mobile phones are becoming the 'third screen' for viewing video.
By Gregory M. Lamb
Christian Science Monitor
July 21, 2005

Battling for the palm of your hand
From The Economist print edition
Apr 29th 2004

The Disappearing Computer by Bill Gates
Reprinted from "The World in 2003," The Economist Group

How Real Is the Internet Market in Developing Nations?
By Madanmohan Rao
E-OTI (On the Internet)
March/April 2001

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  



Malicious marketplace uniting espionage, criminal groups, crackers, terrorism, vulnerable systems, commercial and government targets


The black hat community attacking commercial and military targets is as large as it is diverse and global:

1. State espionage against foreign commercial and military targets

2. Criminal enterprises focused on money over fame or ideology

3. Stateless terrorism and its associated criminal money raising campaigns (phishing for example)

4. "Outsourced" smaller criminal enterprises in low cost, permissive cultures (who can fabricate exploits too labor intensive for more established criminal groups)

5. Cracker groups selling exploits to groups 1, 2, and 3 directly or through brokers

An earlier note here, White hats and black hats will produce interacting swarms of rootkits, trojans, worms, adware and spyware, spoke in part to a deteriorating security environment in which black hat exploits will combine "unrelated white hat DRM audio, video and text implementations in concert with other secondary weak points" and will likely erase years of armoring by operating systems, ISPs and e-mail systems.

Alan Paller, Director of Research at SANS, notes that "Attackers are now targeting the whole range of applications that users are now installing on their systems… That means we're back to the Stone Age. Everything you worried about five or six years ago" is again a primary concern, and these applications lack a robust, rapid means to detect, fix and disseminate patches for their flaws. Vulnerabilities must meet four criteria to make the SANS Top 20 list:

  • They must affect a large number of users.
  • Most systems must lack patches against them.
  • They must allow remote, unauthorized users to control affected systems.
  • There must be enough information about them on the Internet for attackers to exploit them.

Worse, private and commercial users that have grown accustomed to focusing on installing updates for their operating system and a preferred browser must now attempt to locate and install fixes from a potentially large group of secondary product manufacturers - and who knows how good their patch procedures are. (Were I a funded black hat, I would acquire some of these secondary providers as sleeper sites to launch a trap-doored patch when the opportunity was right, but in the interim, operate within the security process so as to acquire an understanding of national and international defense mechanisms.)

The totality of threat and environment forms what Roger Cummings, the director of the UK's National Infrastructure Security Co-ordination Centre (NISCC), calls a "malicious marketplace." Cummings went on to say that the most significant electronic threats to England's Critical National Infrastructure (CNI), including government agencies as well as firms "in the finance, transportation and telecommunications sectors," are "content-based, targeted, Trojan horse e-mail attacks from the far east, primarily China, South Korea and India."

Noting that "Foreign states are probing the CNI for information," Cummings ranks the threats to CNI from today's malicious marketplace, from highest to lowest:

  • Foreign states targeting information ("most significant")
  • Criminal enterprises acquiring information for resale
  • Hackers of "variable capability" selling capability or exploits to other consumers
  • Terrorists currently possessing "low capability"

This tracks with our experience that 'cyber-collection' far outranks cyberterrorism. Take for example the superb Chinese hacker team Titan Rain that has been raiding US commercial and governmental sites since at least 2003. I recommend Nathan Thornburg's The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them), George Ou's How the undermining of US intelligence continues in cyberspace and Ira Winkler's appalling summary of the blowback against the volunteer US investigator and counter-hacker, Shawn Carpenter, in The case of Shawn Carpenter: A cautionary tale.

As Ou notes, the Titan Rain saga is still ongoing and frames the "alarming ineffectiveness of US cyber intelligence policy." "Titan Rain is thought to rank among the most pervasive cyberespionage threats that U.S. computer networks have ever faced." On the night of 1 November 2004, Titan Rain breached federal computer systems at the U.S. Army Information Systems Engineering Command (Fort Huachuca, AZ), Defense Information Systems Agency (Arlington, VA), the Naval Ocean Systems Center (San Diego, CA) and the U.S. Army Space and Strategic Defense (Huntsville, AL).

How such a breach was accomplished with such skill and speed is clear from Shawn Carpenter's investigations:

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes. "Most hackers, if they actually get into a government network, get excited and make mistakes," says Carpenter. "Not these guys. They never hit a wrong key."

On a voluntary basis on his own time, Carpenter counter-attacked, piercing the Titan Rain organization and placing bugs in their network. Competence and zeal, however, proved no match for bureaucracy. Working first in an unofficial liaison with US Army Intelligence, Carpenter was passed on to the FBI as federal "rules prohibit military-intelligence officers from working with U.S. civilians." For months, Carpenter worked in the same unofficial capacity with the bureau, where "his work was folded into an existing task force on the attacks."

By law it is illegal for a US national to hack into a foreign computer system, a painful reprise of the 1975 Church Committee and the subsequent 1976 Levi Guidelines which, while they addressed excesses, went further and effectively gelded our intel services in the gray and black HUMINT areas that are so essential today. Carpenter's employer, Sandia National Labs, expressly forbade him to share his work, then fired him. The bureau abandoned him to the point of launching an investigation into the legality of his activities, which had occurred with the bureau's knowledge. At some point the bureau moved to protect itself, as under current guidelines the US cannot proactively track and shut down a foreign site but must "go through a cumbersome authorization process" that involves the cooperation of the host nation. (The UK endures a similarly delicate and glacial process in China and India.)

Given that "China's State Council Information Office, speaking for the government, told TIME the charges about cyberspying and Titan Rain are 'totally groundless, irresponsible and unworthy of refute,'" one should not expect a speedy resolution, yet Carpenter's research showed that Chinese sites in Guangdong province were the source of Titan Rain attacks and not a zombie botnet controlled from elsewhere:

Titan Rain presents a severe test for the patchwork of agencies digging into the problem. Both the cybercrime and counterintelligence divisions of the FBI are investigating, the law-enforcement source tells TIME. But while the FBI has a solid track record cajoling foreign governments into cooperating in catching garden-variety hackers, the source says that China is not cooperating with the U.S. on Titan Rain. The FBI would need high-level diplomatic and Department of Justice authorization to do what Carpenter did in sneaking into foreign computers. The military would have more flexibility in hacking back against the Chinese, says a former high-ranking Administration official, under a protocol called "preparation of the battlefield." But if any U.S. agency got caught, it could spark an international incident.

The scale, skill and duration of Titan Rain point to state sponsorship, but that can be murky in China, as state sponsorship, or state tolerance, could include the PLA, a PLA dual-use subsidiary, an outsourced Chinese firm (which the PLA has increasingly used to speed up various activities), or a Triad. David Szady, Assistant Director, FBI Counterintelligence Division, has noted that "the Chinese are more aggressive" than other collectors, adding "If they can steal it and do it in five years, why [take longer] to develop it?"

Readers must not assume this to be China bashing but merely recognition of skill and achievement, better than most, of one among many examples of foreign state probing of commercial and government critical infrastructure. As Ou noted, "The Titan Rain are just doing their jobs as Chinese patriots, but we're not doing our jobs to stop them." (Ou's observations on security, networking and architecture are always recommended. I would also recommend Kabay's series on industrial espionage - links below.)

In the above context, it is easier to understand Bruce Schneier's complaint that cyberterrorism is "over-hyped" (and used in the US as a means for federal and commercial entities to plump their budgets and manpower) while cybercrime is "under-hyped." Schneier supports Cummings' concept of a malicious marketplace and its merger of criminal and hacker assets, while reserving his concern that a monomaniacal focus on cyberterrorism distracts our attention from more immediate threats.

I would broaden cybercrime to 'cyber-collection' by both state and criminal assets as the vastly under-hyped hole which our infrastructure, statutes, diplomacy and distraction leave us increasingly ill-prepared to combat.

Security experts lift lid on Chinese hack attacks
By Tom Espiner, CNET
Published on ZDNet News
November 23, 2005, 11:48 AM PT

Cyberterror 'overhyped,' security guru says
By Tom Espiner, ZDNet (UK)
Published on ZDNet News
November 23, 2005, 7:41 AM PT

Schneier on security
Tom Espiner interview with Bruce Schneier
November 23, 2005, 13:00 GMT

Foreign powers are main cyberthreat, U.K. says
By Tom Espiner, CNET
Published on ZDNet News
November 22, 2005, 12:23 PM PT

The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus
Version 6.0 November 22, 2005
SANS Institute

Guard against Titan Rain hackers
Opinion by Ira Winkler
OCTOBER 20, 2005

Industrial espionage series by M. E. Kabay, Network World:

Industrial espionage, Part 1: Methods
Methods of conducting industrial espionage
Industrial espionage, Part 2: More methods
Even more ways to conduct industrial espionage
Industrial espionage, Part 3: Survey results
Surveys showed rise in industrial espionage in 1990s
Industrial espionage, Part 4: Risk factors and losses
Industrial espionage responsible for huge losses, much of which isn’t reported
Industrial espionage, Part 5: People from many countries targeting U.S.
Reports show long list of countries involved in industrial espionage
Industrial espionage, Part 6: Cases
Cases of industrial espionage
Industrial espionage, Part 7: More cases
More cases of industrial espionage
Industrial espionage, Part 8: China and Titan Rain
‘Titan Rain’ investigation leads to China

The case of Shawn Carpenter: A cautionary tale
By Ira Winkler
22 Sep 2005

How the undermining of US intelligence continues in cyberspace
Posted by George Ou @ 8:35 am
August 29, 2005

The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)
An exclusive look at how the hackers called TITAN RAIN are stealing U.S. secrets
Posted Monday, Aug. 29, 2005
Scrolled to fee
Mirror, Mirror

Hackers Attack Via Chinese Web Sites
U.S. Agencies' Networks Are Among Targets
By Bradley Graham
Washington Post
August 25, 2005

Web of Crime, PC World 5-part series:

Enter the Professionals
Erik Larkin
August 22, 2005
Zombie PC Armies Designed to Suck Your Wallet Dry
Erik Larkin
August 23, 2005
Web of Crime: Internet Gangs Go Global
Liane Cassavoy
August 24, 2005
Internet Sieges Can Cost Businesses a Bundle
Robert McMillan
August 25, 2005
Who's Catching The Cybercrooks?
Tom Spring
August 26, 2005

Between phishers and the deep blue sea
By Dawn Kawamoto, CNET
Published on ZDNet News
July 18, 2005, 4:00 AM PT

Hacking for dollars
By Joris Evers, CNET
Published on ZDNet News
July 6, 2005, 4:00 AM PT

Asian Trojans attacking U.K., agency warns
By Dan Ilett, ZDNet (UK)
Published on ZDNet News
June 16, 2005, 8:38 AM PT

Security guru slams misuse of 'cyberterrorism'
By Dan Ilett, ZDNet (UK)
Published on ZDNet News
April 26, 2005, 3:24 PM PT

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  Terrorism Public  



White hats and black hats will produce interacting swarms of rootkits, trojans, worms, adware and spyware


While Sony's recent botched DRM rootkit implementation (timeline coverage in parts I, II, and III) brought the term rootkit into the public domain and drew a remarkably quick retraction, it is only the harbinger of a group of interacting themes that I believe will make Richard Clarke's cybersecurity admonitions seem meek:

1. DRM content silos in audio, video and the workhorse print sector

2. Ostensibly "white hat" commercial construction of flawed, exploitable DRM implementations

3. Black hat criminal penetration efforts for cracking commercial gain

4. Symbiotic and parasitic interaction between white and black hat implementations

5. Black hat exploits combining unrelated white hat DRM audio, video and text implementations in concert with other secondary weak points.

6. Post-discovery recovery of white hat implementations opens a cyclic growth of new holes

7. Antiviral protection providers will face heuristic hurdles in identifying a threat from a feature

8. Additive (and continuing) social engineering attacks in which individuals will violate personal and corporate security for pleasure or convenience

9. Long Tail legacy interaction of all the above

Suzi Turner's Rootkits galore: part I is recommended as an introductory piece and all of its links are useful. Then move to the bookends of Bruce Schneier's Sony's DRM Rootkit: The Real Story, which points out the foot-dragging of security firms in flagging, developing and distributing fixes, and Larry Seltzer's overlooked Tough Decisions: Heuristics and Threats, which points out the difficulty for security firms in trying to "acquire every version of every major commercial program to test it for malware" and yet ensure that they do not "start falsely detecting legitimate software as malicious."

The lessons learned for content producers are not as sound as one might think. While bloggers had much to do with calling attention to Sony's XCP DRM suite, it was more likely the potential liability that Sony would face by malicious exploitation of the holes of that suite that saw it pulled from the market. Sony still has a second DRM suite called MediaMax in use since 2003, "the first copy restricting technology that installed software in an attempt to block ripping and copying." MediaMax is not as dangerous as XCP but still acts as spyware.

Worse, Sony's revenues have not suffered from the revelations of its digital rights excesses, nor have many record stores reported significant backlash against Sony titles. (While Sony has reported a loss for the quarter, it is due to a sales slide in TV and Walkman purchases compounded by a lack of hit films from its film unit.) It appears that many purchasers are unaware of the fault embedded in the CD that they purchased, and so the holes in their personal PCs remain in place.

As one cannot see content providers relenting from attempts at DRM, I would expect a swarm of unannounced, even obscured, DRM tools to proliferate. Even if they are speedily found, their numbers will rise, further complicating the virus update process, while nimble crackers will rush zero-day exploits into service to exploit a transient vulnerability. The impact on commercial firms whose employees continue to bring in CDs to mount on office PCs, and who cannot quickly mount new releases across their networks, cannot be overestimated.

For now, it is recommended to disable autoload (or auto-play) on your personal PCs to prevent auto-inhalation of unannounced DRM tools. Then examine the directories on the volume (e.g., the CD) with care before you proceed. Corporate users should edit their enterprise Group Policy to "disable auto-play from every single computer in the Enterprise globally."
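As an added example (not code from the original post), a PowerShell snippet that applies and verifies the AutoRun policy the paragraph recommends on a single PC, then lists what an inserted volume's autorun.inf would have launched so it can be judged before anything is opened. It assumes the documented NoDriveTypeAutoRun policy value that the "Turn off AutoPlay" Group Policy setting writes; the drive letter is a placeholder.

```powershell
# Added example: disable AutoRun/AutoPlay on one PC and inspect a volume's
# autorun.inf before trusting it. Not from the original post. Uses the
# documented NoDriveTypeAutoRun policy mask (0xFF = no drive type autoruns),
# the same value the "Turn off AutoPlay" Group Policy setting writes.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF   # bit mask covering every drive type; CD-ROM is bit 0x20

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun mask, or $null if no policy is set.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.NoDriveTypeAutoRun) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Disable-AutoRun {
    # Machine-wide setting: run from an elevated (administrator) shell.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value $AllDrives -Type DWord
    # Verify rather than assume: the CD-ROM bit must now be set.
    $mask = Get-AutoRunPolicy
    if ($null -eq $mask -or ($mask -band 0x20) -eq 0) {
        throw "AutoRun policy not applied (mask=$mask)"
    }
    Write-Host ("AutoRun disabled for all drive types (NoDriveTypeAutoRun=0x{0:X2})" -f $mask)
}

function Show-AutorunInf {
    # Lists the launch entries of a volume's autorun.inf and any hidden
    # top-level directories, so the disc can be examined before use.
    # $Volume is a placeholder drive letter.
    param([string]$Volume = 'D:')
    $inf = Join-Path $Volume 'autorun.inf'
    if (-not (Test-Path $inf)) { Write-Host "$Volume has no autorun.inf"; return }
    Write-Host "Launch entries in autorun.inf on ${Volume}:"
    # Only the keys that start a program matter for this check (-match is case-insensitive).
    Get-Content $inf |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' } |
        ForEach-Object { Write-Host "  $_" }
    # The post recommends examining the volume's directories; hidden ones deserve a second look.
    Get-ChildItem -Path $Volume -Force -Directory -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object { Write-Host "  hidden directory: $($_.Name)" }
}

Disable-AutoRun
Show-AutorunInf -Volume 'D:'
```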


SANS: Cybercriminals targeted popular applications, network systems in 2005
BY Michael Arnone
Published on Nov. 22, 2005

The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus
Version 6.0 November 22, 2005
SANS Institute

Tough Decisions: Heuristics and Threats
By Larry Seltzer
November 21, 2005

Sony sailing past rootkit controversy
By John Borland, CNET
Published on ZDNet News
November 21, 2005, 12:42 PM PT

Rootkits galore: part I
Posted by Suzi Turner @ 9:52 pm
November 18, 2005

Sony's DRM Rootkit: The Real Story
Bruce Schneier
Schneier on Security
November 17, 2005

Sony rootkit: The untold story
Posted by David Berlind @ 11:16 am
November 18, 2005

TRUSTe to legitimize adware
Posted by Suzi Turner @ 10:34 pm
November 16, 2005

Sony's Uninstaller Is Worse than Its DRM
By Larry Loeb
Security IT HUB
November 15, 2005

Sony Secretly Installs Rootkit on Computers
Bruce Schneier
Schneier on Security
November 01, 2005

Sony, Rootkits and Digital Rights Management Gone Too Far
Mark Russinovich
Mark's Sysinternals Blog
Monday, October 31, 2005

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  Terrorism Public  


The disappearance of inertial privacy by paparazzi and terrorist alike


The piercing of personal privacy once had an inertia to it that deterred all but the dogged collector. No more. The cataloging and publishing of information directly to the web, or to a web of legitimate and grey-area intermediaries that will fetch information for a fee, have dispensed with what I call inertial privacy and, along with it, any illusion of anonymity.

A year ago Jon Udell wrote:

Many folks wouldn't want to be reminded how easy it is to convert sparse input into a detailed profile that includes a phone number, a street address, a satellite photo, and driving directions. Re-entering the basic facts each time perpetuates an illusion of privacy. Yet the reality, for many of us, is that these facts are public.

Today that information and vastly more is available to paparazzi and terrorist alike, a fact driven home by same-day articles on paparazzi photo wars in which celebrities are collateral damage and on an Animal Liberation Front (ALF) attack on a university research facility that extended to detailed, personalized threats "by axe, drill, or crowbar" to penetrate each researcher's home. In each case, the illusion of anonymity, of privacy, is dissolved.

The head of one paparazzi firm described the "quality of his information" as being heavily driven by "cash payoffs to tipsters [that] can come to $100,000 a year." Not everyone would agree with his "description of honest business practices" that include:

this week's scheduled movements of every famous passenger of a major limousine company in Los Angeles [where a limo company employee is on retainer]… the passenger manifests of every coast-to-coast flight on American Airlines [LA's largest carrier] to the point that, "If they fly any coastal flight, I know. I can also find anybody in the world within 24 hours, I guarantee it. If they don't mask the tail number on a private plane, I'll find it"… "license plate checked in an hour on weekdays, 20 minutes on weekends" [where law-enforcement officers are on payroll - I believe an illegal act]… a photocopy of what he says are the transcribed notes of a top film actress's examination by her doctor, and points to a reference to her breast implants.

Another paparazzi capitalized on his former gang and street credentials to create a "tight network of Angelenos that extends to seemingly everywhere in Hollywood" [where] "We can find just about anything," or "easily - and illegally - penetrated Universal Studios the other day to get exclusive pictures" of an actress.

After ALF members broke into a college research facility, destroying equipment and dumping acid and other corrosives on computers and documents, this single-interest terrorist group (also here) commenced "well-orchestrated harassments" containing:

the e-mailing of a communique to the media, detailing the crime and the rationale for targeting" the facility and its researchers… Each [researcher] was singled out for derision… [then threatened with statements such as] "We're watching. And by axe, drill, or crowbar -- we're coming through your door. Stop or be stopped"… [followed by a listing of] our names, our spouse's names, home addresses and phone numbers, as well as information about our students… freedom of information requests, midnight phone calls… [then a deluge of subscriptions such as] Canoe & Kayak, Guns & Ammo, Fit Pregnancy, Muscle Mustangs & Fast Fords.

Information is collected for profit by the paparazzi and for fulfillment of a sole vision by the single-interest group, but it is collected with ease nonetheless. Profit and vision may intermingle, as vision pays for the data that it cannot readily collect. Alternatively, vision may sell data in order to fund the continuance of its own particular vision. In either case, the reader should know that anonymity is a veil to be pierced for the asking.

The Animal Zealotry That Destroyed Our Lab
By Mark S. Blumberg
Washington Post
July 17, 2005

Eye vs. Eye: Inside the Photo Wars
New York Times
July 17, 2005

HailStorm was before its time
Jon Udell
Strategic Developer/InfoWorld
July 16, 2004

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  Terrorism Public  


Commercial blindness: a "twofer" attack on the Indian state and US and European outsourcing assets


Documents seized from three members of the Lashkar-e-Toiba (LeT) terrorist group killed in an encounter with the police on Saturday revealed that they planned to carry out suicide attacks on software companies in Bangalore... "The terrorists planned to hit these companies in an effort to hinder the economic development of the country."

The LeT has a history of orchestrating attacks in India and its cadres are well networked, as well as very savvy with computers, gadgets and gizmos, making them very difficult to track. Some of its bold attacks include an attempt to storm the Indian parliament on December 13, 2001, which triggered a military standoff with Pakistan and brought the neighbors close to a fourth war; India also holds the LeT responsible for the killing of 37 and injuring more than 80 Hindu devotees assembled for prayer at the Akshardham temple in September 2002 in the state of Gujarat.

One must wonder how inattentive major US outsourcers can be, and how 'missing in action' major consultancies such as Forrester can be, so as not to recognize the physical threat to core outsourcing facilities in India. Perhaps it is the mere continuation of the lesser lapse of failing to factor intellectual property (IP) theft risk into supposedly low-cost areas. (See Intellectual property theft: the unspoken unknown of offshoring.) Even more curious is the effective absence of concern by Europeans, who would normally have an attentive ear to the Near and Middle East. (The UK has a term, EMEA, for Europe, the Middle East and Africa, to describe its version of the 'Near Abroad.')

The threat to IT and outsourcing assets in Bangalore and Hyderabad should be taken seriously despite the bland denials from Indian authorities who are understandably anxious to protect what amounts to the core of Indian economic revival:

India's software and services exports totalled $17.2 billion in the fiscal year to March 31 this year, up by 34.5 percent from the previous year... [Indian] exports of software and services are expected to grow by between 30 percent and 32 percent in the fiscal year to March 31, 2006. [In the year to March 2005] exports of IT software and services grew by 30.5 percent to $12 billion, while exports of business process outsourcing (BPO), call center, and related services grew by 44.5 percent to $5.2 billion. The growth in exports came despite fierce opposition last year to offshore outsourcing from politicians and workers unions in the U.S. The U.S. accounted for about 68 percent of India's outsourcing exports, with Europe accounting for another 24 percent.

Who can blame the Indians for keeping mum, but where are the US and European firms that should have a fiduciary responsibility to their stakeholders and to their clients, whose data and business continuity are in the possession of their Indian entities and outsourcing partners?

Bangalore has a large concentration of Indian software outsourcing companies, and a number of multinational companies have software development and chip design facilities in the city. IBM, Intel, Texas Instruments (TI), and Accenture are among those with operations in Bangalore. Two of India's largest software and IT services outsourcing companies, Wipro and Infosys Technologies, have their headquarters and large facilities in Bangalore. Bangalore also has some of India's key defense research and development organizations.

The only thing that the Indians have going for them is that the great unwashed commercial consumers in the West do not know who Lashkar-e-Toiba, Army of the Pure, really is. The South Asia Terrorism Portal overseen by a retired Indian police commander, K.P.S. Gill, is a sound source of basic information, unlike many other Indian sites which are merely anti-Pakistani or nationalistic (the South Asia Analysis Group comes to mind). SATP has much to say about Lashkar-e-Toiba here but I would net it out as follows:

LeT rose as part of the Mujahideen resistance against Soviet occupation in Afghanistan as the military wing of Markaz-ud-Dawa-wal-Irshad (MDI), an Islamic fundamentalist organization rising from Pakistan, where the US has been pressuring Musharraf to curb their activities. LeT's goals go far beyond regaining Muslim control of Jammu and Kashmir to recreating Islamic governance of India in union with other predominantly Muslim states surrounding Pakistan. LeT is now active in Jammu and Kashmir, India, Chechnya, again in Afghanistan from 2002 to date, Iraq, Bosnia and other garden spots. Think of LeT cadres as educated and skilled rather than as peasants; e.g., an LeT activist, formerly an engineer with Hindustan Aeronautics Ltd (HAL), was arrested 14 May in New Delhi on a flight from Singapore:

The LeT has a history of orchestrating attacks in India and its cadres are well networked, as well as very savvy with computers, gadgets and gizmos, making them very difficult to track.

Like al-Qaeda, LeT cadres are generally not mercenaries out to make a fast buck from the cash-laden terror industry, but indoctrinated youths driven by the desire to kill in the name of a distorted jihad. The LeT derives most of its cadres from Indian Kashmir, as well as Pakistan, while mercenaries are usually renegade mujahideen from Afghanistan, with the intention of keeping the fire of terror burning in Indian-administered Jammu and Kashmir.

[The] terrorists visited Bangalore last December and surveyed the locations of many software firms. Police gathered this information from a diary seized from two captured associates of the slain terrorists. Similar evidence was gathered by the police from laptops recovered from the terrorists who attacked the Indian parliament, revealing detailed mapping of the parliament building before the attack took place. It is also worth noting that it is apparent that the LeT is trying to move beyond Delhi, the other area of its active operation apart from Kashmir, as the capital city has a very powerful intelligence network set up by government agencies to track their presence.

An LeT attack on outsourcers in India is a "twofer" in that an attack damages the Indian state and its ability for economic gain directly, and damages US and European firms indirectly -- where an attack on US soil would be prohibitive in terms of placing surveillance and strike teams on the ground:

Attacking software offices hits at one of the most international symbols of Indian success and could set off a wave of panic from potential foreign investors, as well as multinationals, that could hobble the rapid pace of India's economic progress. Such economic and cultural destabilization can only be the handiwork of international terror outfits that seek out targets that inflict maximum damage to people, as well as pass on a symbolic message.

I would support SATP's opinion that "LeT cadres [are] characterised by a level of brutality, which surpasses that of all other Pakistan-sponsored terrorist outfits active in J&K" and would rank them with the Chechens (also here) and the Algerian GIA (Groupe Islamique Armé) or Armed Islamic Group (also here).

The Jamestown Foundation, whom I respect, has this to say about the ability and likelihood of LeT to carry out attacks in India:

Notwithstanding its rhetoric and ambitions, LeT is unlikely to engage in serious terrorist operations outside the Indian subcontinent. Nevertheless, the potential for it to strike against Western targets in Pakistan and India is all too real, especially since it is under increasing pressure from all sides. Moreover the gradual improvement in India-Pakistan relations may motivate LeT to engage in spectacular operations to sabotage the tentative peace process.

FYI, the Indian home ministry has long been concerned with Muslim activities in the south Indian states of Andhra Pradesh, Karnataka, Tamil Nadu and Kerala, a concern that extends to the cities of Hyderabad (India's Silicon Valley), Warangal, Nalgonda and Mahboobnagar in the state of Andhra Pradesh; Bangalore and Gulbarga in the state of Karnataka; Malappuram and Palakkad in the state of Kerala; and Madras, Coimbatore and Ramanathapuram in Tamil Nadu.

Thoughtful outsourcers there should consider counterthreat and personnel security improvements in addition to IP theft mitigation.

Linkages between Jihadis of Singapore and India
A. S. Smiline Gini
Observer Research Foundation
14 June 2005

India's offshore outsourcing revenues grew 34.5 percent
U.S. accounted for about 68 percent of India's outsourcing exports
By John Ribeiro
IDG News Service
June 02, 2005

Delhi turns to the UN
By Siddharth Srivastava
Asia Times
Mar 12, 2005

The jihad lives on
By Amir Mir
Asia Times
Mar 11, 2005

Terrorists target India's outsourcing industry
Terrorist group planned to carry out suicide attacks on software companies in Bangalore
By John Ribeiro
IDG News Service
March 07, 2005

'LeT planned to target software cos in Bangalore'
Sify News
06 March , 2005

By Wilson John
Volume 3, Issue 4 (February 24, 2005)

Lashkar-e-Toiba, 'Army of the Pure'
South Asia Terrorism Portal

Gordon Housworth

Cybersecurity Public  InfoT Public  Intellectual Property Theft Public  Terrorism Public  


Convergence of PCs and smart mobile devices falls prey to a new generation of attacks


Watching the convergence of PCs (now that laptops consistently outsell desktops) with the sector of "mobile devices with an operating system" that comprises PDAs and smart phones, it is easy to see miniaturizing, increasingly communicative notebooks beginning to blend with the smaller devices, mimicking their characteristics and ultimately falling prey to the same threats that are predicted to afflict the PDA and smart phone market in the 2008-2009 period.

The upshot of this convergence is that the current architecture of PC antivirus protection will begin to fail this emerging 'mobile majority', and that the excellent but long overdue cooperation between Microsoft and hackers and independent security consultants will have to be accelerated at a rate that substantially exceeds current planning if robust solutions are to be found.

Consider how short a time horizon we are dealing with. The first viruses for mobile devices, Duts for Pocket PCs and Cabir for devices using the Symbian OS, were written in 2004 as a proof of function "not designed [to] propagate on a massive scale" by the 29A VX virus writing group. Users were told not to worry, that you're "more likely to have a meteorite strike your house" than see infection by these viruses. A year later, viruses on Pocket PCs are not yet a significant issue, except in pockets of Asia and Europe, to the point that skilled users I know do not carry virus protection in their base load. (But then these users are disciplined enough to limit their IM traffic to only those whom they trust.)

But the threat migration from email systems, currently buttressed by gateway and desktop antiviral tools, has begun to move to IM (Instant Messaging), IRC (Internet Relay Chat), P2P (peer-to-peer) and the CIFS (Common Internet File System) protocol for remote file-system access over the Internet. In March 2005, Symantec reported that threats "related to P2P, IM, IRC, and CIFS make up 50 percent of its top 50 threat submissions, up from" a third a year earlier.

The key to becoming a target is to have a significant mass of users and an exploitable vulnerability for propagation. (Even Macs will become a target as less skilled users adopt mini Macs.) For mobile devices, the necessary conditions required for propagation will converge about "year-end 2007 [when] smart phones account for 30 percent of all wireless telephones in use":

  • Commonplace "large-scale user-to-user sending [of] complex executables"
  • User community of a third or more of the population

I submit that increasingly miniaturized laptops will have the same characteristics and suffer similarly, yet the PC market and the major software vendors are still behaving as if perimeter/barrier tools will suffice. Gartner has already called the mobile market out:

"The mobile world should not repeat the mistakes of the PC world. Malware protection services should be built into the network first, and device-side protection should be the last resort."

Thoughtful players are already calling for tools at the network layer that detect behavioral and network traffic anomalies:

Signature-driven antivirus tools are great for hindsight, but we are at a turning point where signatures are not enough…Currently the attackers are testing their tools against the most popular antivirus products [so as to produce immunized attacks].

I find it curious that experts can say that "desktop antivirus software became largely ineffective [as proactive prevention] as soon as e-mail surpassed floppies as the dominant transmission mechanism" as a means of justifying better network layer tools for mobile devices, yet ignore the rise of laptops that will increasingly operate in much the same way.

It should be a reminder to all that attackers move to whatever point in the supply chain or the delivery chain where there is maximum opportunity at minimum risk. Just as we remind clients in Intellectual Property (IP) protection that they must think in terms of total asset protection (wherever that asset appears by tier, application, and location) instead of location solely (where the client fixes on a particular site or facility where they believe that they have exposure), so will crackers migrate to the next weakest point - targets of opportunity - in the software delivery system to the enduser.

If perimeter and desktop deterrents are not going to work as a sustaining architecture, and the antivirus vendors are going to be treated as major exploit targets equal to the applications that they protect, work on intelligent network defenses, regardless of design difficulty, should get underway immediately lest the growing 'mobile majority' find itself at grave risk.

Clock's ticking on phone virus outbreak, experts say
By Munir Kotadia
ZDNet Australia
Published on ZDNet News: June 21, 2005

Security tools face increased attack
By Joris Evers
Published on ZDNet News: June 20, 2005

Microsoft asks for help from hackers
By Ina Fried, Special to ZDNet
Published on ZDNet News: June 16, 2005

Skulls Trojan puts on antivirus mask
By Joris Evers, CNET
Published on ZDNet News: June 10, 2005

Expert: Cell phone virus threat is overblown
By Will Sturgeon,
Published on ZDNet News: May 5, 2005

Hackers reach beyond Windows, IE
By Robert Vamosi,
Published on ZDNet News: March 21, 2005

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  


Cybersecurity 'serf' edges closer to Cybersecurity 'czar'


The US cybersecurity czar has from the onset been more of a powerless serf (peasant) than a commanding czar (king). We have digested four 'czars' in far too short a time to too little effect, Richard Clarke, Howard Schmidt, Amit Yoran and Robert Liscouski. Under Clarke, the position was largely powerless and too many in industry denied the risks that Clarke predicted (and have all come true). While awareness has risen, the post remains a feckless affair. That may finally be changing as the House starts debate on a proposal for a cybersecurity head elevated to an Assistant Secretary for Cybersecurity heading a National Cybersecurity Office within the Directorate for Information Analysis and Infrastructure Protection of DHS.

It is fair to say that any elevation of cybersecurity will benefit from the appointment of Michael Chertoff as DHS Secretary. Whereas Tom Ridge has been described as an accommodating politician who favored consensus over corralling headstrong agencies, Michael Chertoff is described as a blunt and efficient manager who will bring sparring agencies to heel.

The role of an "assistant secretary for cybersecurity" is enshrined in a proposed amendment to the Homeland Security Act of 2002 titled, H. R. 285, Department of Homeland Security Cybersecurity Enhancement Act of 2005. PDF version here. Thomas online here. Note that Thomas searches time out quickly and texts get replaced. If this link does not work, go here and search Bill Text 109th Congress (2005-2006) with the phrase "assistant secretary for cybersecurity."

A definition of cybersecurity has been added:

prevention of damage to, the protection of, and the restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation

[Citations to various US Code section/titles follow to define the terms: damage, computer, electronic communications system, electronic communication service, wire communication, and electronic communication.]

Distilling the bureauspeak, I see the Assistant Secretary's role described in two parts: build/run and coordinate/consult.

Establish and manage a national cybersecurity response system:

  • Analysis of cybersecurity threat effects on critical infrastructure
  • Detection and warning of attacks on, and restoration of, cybersecurity infrastructure
  • Cybersecurity threat and vulnerability reduction program
  • Cybersecurity awareness and training program
  • Government cybersecurity program to coordinate and consult to cybersecurity programs of federal, state, and local governments
  • National security and international cybersecurity cooperation program to enhance international cybersecurity cooperation

Coordinate and consult roles with:

  • Private sector to promote cybersecurity information sharing, vulnerability assessment, and threat warning regarding critical infrastructure
  • Other directorates and offices within DHS on cybersecurity aspects of their missions
  • Under Secretary for Emergency Preparedness and Response to ensure recovery measures for the National Response Plan
  • DHS CIO to establish a secure information sharing architecture and information sharing processes
  • Private sector for sharing voluntary cybersecurity best practices, standards, and benchmarks responsive to "rapid technology changes and to the security needs of critical infrastructure"
  • Electronic Crimes Task Force (US Secret Service) on private sector outreach and information activities
  • Office for Domestic Preparedness to ensure "realistic cybersecurity scenarios" - a contradiction in terms - are incorporated in recovery exercises
  • Other Federal agencies on cybersecurity-related items
  • DHS assets and other relevant Federal agencies, on security of digital control systems, e.g. SCADA (Supervisory Control and Data Acquisition) systems

This assistant secretary will need to be strong, competent and command a slice of Chertoff's time in order to fulfill his or her brief.

Feds eye new cybersecurity post
By Declan McCullagh, CNET
Published on ZDNet News: May 16, 2005

Cybersecurity czar may get a promotion
By Declan McCullagh, CNET
Published on ZDNet News: September 20, 2004

Gordon Housworth

Cybersecurity Public  Strategic Risk Public  


Immediate self-policed, self-notification of flaws buttressed by workarounds and security recommendations


It was pleasantly startling to see Microsoft announce a program, albeit in 'pilot' status, that I have long been on record as favoring: a security advisory service that will "strive to issue an alert within one business day of [Microsoft's] becoming aware of a problem and offer ways to mitigate it."

In Vast differences in major flaw handling separate software and manufacturing firms, I noted:

How different the handling of analysis and subsequent disclosure of security flaws between software and computer makers on the one hand and hardware and industrial vendors on the other. Whereas the software industry too often seeks to muzzle "amateur and professional researchers who have found flaws in their products" to the point of imprisonment via the Digital Millennium Copyright Act (DMCA), hardware vendors tend to work with those investigators who discover faults, if not outright halt production before their customers halt deliveries.

I am equally disturbed that "all the special-interest organizations created by vendors for vendors," such as Microsoft's Organization for Internet Safety, are designed to shield said vendors from public censure. I have less patience with governmental entities, especially those from the intel community, that should know that criminal and terrorist groups are working just as quickly to build a repository of hacks and will employ them when it is financially rewarding or when a DDOS or other strike is ordered.

Such a possible about-face deserves the benefit of the doubt, and while it was clear from the talkback entries to the announcement that much ill will was sent in Microsoft's direction, it is noteworthy that Microsoft, given its visibility and market leadership position, has elected to establish a threat watch list.

In that spirit, I find it quite acceptable to "include alerts that do not necessarily relate to a flaw, but to issues that could pose a security risk," e.g., phishing. While some, myself included, could think that this is a means to dilute the focus from purely Microsoft generated issues, it is also long overdue to have a general security threat list as even the most fearsome defense can be undone by a well-socially engineered attack that entices Homo Boobus to click on a link or open a file. See Malware, phishing, cracking, and social engineering all point to increasing criminal profit.

It is also good that "advisories will notify [when] exploit code [has] been made public or 'proof of concept' code that might be related to a released update or vulnerability" is released, as the status of the attack - from discovery of the flaw, to proof-of-concept code being shared in virus IRC chat rooms, to code seen "in the wild" - gives the thoughtful user a 'timeline to realistic potential attack.' I would also add in which chat rooms the code is seen or discussed, so as to build a geographical tracking history of how fast a particular group gets code into the wild.

Also good is the appending of a "tracking number that will enable people to follow any changes in the warning" onto the patch release.

As large firms are loath to self-flagellate, the advisories "will not rank the severity of the security problem," but I do not despair, as many other firms will pick up the Microsoft list and append rankings and their rationale. Ultimately, I would expect Microsoft to harvest the best of these ranking systems for incorporation into its threat advisory series.

An open issue is when the clock starts on the advisory list and who can contribute to the advisory list beyond Microsoft. For example, a long-standing fault list for Internet Explorer contains items that have been open for some time. Having opened the advisory list, Microsoft would be well advised to acknowledge legacy faults and get on with the business of resolving them - publicly - so as to also get an advertising and trust bounce from the effort. Were I Microsoft, I would invite security firms to post their discoveries on the advisory list as well as on their own websites. Over time, I could build a center of expertise around the handling of flaws and threats.

Given the current competitive environment, I think that this is a calculated gain for Microsoft. Done well, the advisory list puts Microsoft in the same tier as open-source software vendors that provide "alerts and list potential workarounds." While a self-policed "full disclosure" advisory list allows Microsoft some control over the spin that describes a particular fault, I would think that it would ultimately pressure Microsoft to reduce the lag time between identification and patch dissemination. If software liability, heretofore excluded in almost all US software contracts, does materialize in North America, Microsoft would be better positioned to show that it is proactive in resolving faults before litigation commences.

Long overdue, yes, but a very sound step for an industry software leader.

Microsoft to sound early alert for flaws
By Dawn Kawamoto, CNET
Published on ZDNet News
May 6, 2005, 11:08 AM PT

Gordon Housworth

Cybersecurity Public  InfoT Public  


Architectures of testimony, architectures of control propelled to convergence


Architectures of testimony - systems that can testify to the actions of individuals, for or against them - and architectures of control - systems that can shape and coerce individual behavior - are being propelled to convergence by a combination of technological, economic, and political forces that are stealing (have stolen may be the better phrase) a march on society, both as political actors and as consumers.

I believe that I am the first to coin the phrase "architectures of testimony," which encompasses the subpoena power over the likes of stored automotive handling and position data, indexes of all past on-line and off-line search activity, and computer "crash" data that contains all programs running at the time of the error and the contents of all documents that were being created.

This newer sibling joins the much older architectures of control which have been with us for some time, though not recognized as such. Witness the likes of Baron Haussmann's redesign and broadening of the streets of Paris to forestall a recurrence of street fighting in a warren of medieval streets during the revolution of 1848, and Robert Moses' intentionally designed low-clearance Long Island overpasses that eliminated buses (public transit) from his parkways while leaving those owning cars free to use them at will.

Langdon Winner was writing on the capacity of "technical things" being imbued with "political qualities" (to which I would add economic qualities) in the 1980s:

[T]echnologies can [encompass] purposes far beyond their immediate use [and] be used in ways that enhance the power, authority, and privilege of some over others… In our accustomed way of thinking technologies are seen as neutral tools that can be used well or poorly, for good, evil, or something in between. But we usually do not stop to inquire whether a given device might have been designed and built in such a way that it produces a set of consequences logically and temporally prior to any of its professed uses… If our moral and political language for evaluating technology includes only categories having to do with tools and uses, if it does not include attention to the meaning of the designs and arrangements of our artifacts, then we will be blinded to much that is intellectually and practically crucial.

In parallel, Stewart Brand was writing on information in 1987:

Information Wants To Be Free. Information also wants to be expensive. Information wants to be free because it has become so cheap to distribute, copy, and recombine - too cheap to meter. It wants to be expensive because it can be immeasurably valuable to the recipient. That tension will not go away. It leads to endless wrenching debate about price, copyright, 'intellectual property', the moral rightness of casual distribution, because each round of new devices makes the tension worse, not better.

In that same text, in a section dealing with the political economy of the media, he added, "Information wants to be (politically) free." In his later revision in 1989, Brand stated, in part:

The pressure of the paradox [between free and expensive] forces information to explore incessantly. Smart marketers and inventors quietly follow - and I might add, so do smart computer security people.

Jump forward to Gartner Group's 2003 forecast on Technology Trends 2005 - 2014:

Through to 2015, the over-arching trends for humanity will be the creation of the truly connected society, smart networked objects and semantic connectivity.

Dan Farber's commentary on the Gartner forecast continues:

Wireless sensor networks based on RFID or other technologies that capture data -- such as location, movement, temperature, molecular data or auditory signatures -- will improve safety and support better decision-making and convenience.

[With] all the data come the problems of collection and analysis, as well as with privacy in a world in which information is the major form of currency... Privacy will continue to be a volatile issue in the next decade, but the die has been cast. Rather than trying to prevent data collection, the focus is on controlling access to data and creating a balance between privacy and personalization.

Farber merges the architectures of testimony and architectures of control:

What is less predictable is the social impact of embedded computing, in which the entire environment of everyday objects is invested with some form of computing power and possibly intelligence. It's also likely that in the next decade computers will get much smarter, not just faster and cheaper, and understand more about content in context.

Dan Lockton asks, "What if your computer locks up your dissertation because it detects a copyright-infringing mp3 or image?" and then goes on to cite "primarily commercial control intentions [connected] with enforcing intellectual property rights, from copy-protection on DVDs to more complex 'analogue hole' patching algorithms [that] identify copyrighted material [seen by cameras and camcorders] 'in the wild.'"

He goes on to describe "products [being] designed with features that restrict or enforce modes of behaviour or use on the part of the consumer, often in ways with parallels in software licensing techniques and digital rights management" for commercial, moral, environmental, social, or psychological purposes.

The means of economic and political shaping of individual actions at the device level are at hand and deserve thoughtful attention.

Designs on your... freedom
Dan Lockton
Gown, 2005

Microsoft to add 'black box' to Windows
By Ina Fried, CNET
ZDNet News: April 26, 2005, 4:00 AM PT

Microsoft reveals hardware security plans, concerns remain
Can trusted computing hardware deliver security without locking out competition?
By Robert Lemos, SecurityFocus Apr 26 2005 7:29AM

Google Launches Personal History Feature
20 April 2005, 9:25pm ET

Hollywood Wants to Plug the "Analog Hole"
Posted by Cory Doctorow at 03:44 PM
EFF Electronic Frontier Foundation
May 23, 2002

Langdon Winner
FROM: The Whale and The Reactor: A Search for Limits in an Age of High Technology, 1986

Gordon Housworth

Cybersecurity Public  Risk Containment and Pricing Public  Strategic Risk Public  
