T3H Blog

Just about any one involved with cyber security in this region knows that hundred of servers operated by local governments in Japan are vulnerable to cyber-attacks; and, most entities failing to take countermeasures.

According to the Japanese Local Authorities Systems Development Center report describes that servers managed by nearly 200 prefectural and municipal governments across Japan (and likely national-level ministries), and other government affiliated organizations, can easily be compromised.

About 1,400 local entities – mainly prefectural and municipal governments – belong to the center, a foundation operated under the jurisdiction of the Internal Affairs and Communications Ministry. Each year, it surveys these local entities regarding server safety and other matters. However, until now it has never publicly released information on how local governments manage their servers.

In fiscal 2008, the center investigated 3,467 servers operated by 647 local entities. The result showed that 193 entities, or 30 percent of those investigated, continue to use problematic servers.

Of these entities, 70 had so many server-related problems the center concluded they needed to urgently improve their operational environments.

The 495 servers contain residents’ personal information, but use an old cryptographic system in which defects were detected more than a decade ago.

Furthermore, 27 servers loaded with basic software are still being used without updated security measures after the support period provided by a software company expired more than five years ago.

In both cases, the center pointed out that the use of such servers was problematic.

According to a post-survey questionnaire, despite being fully aware that local residents’ personal information could be leaked, 54 entities of those with security problems, said they had no plans to improve their operational environments, with some saying they could not afford to do so, while others said the matter was of no importance (the later being my all time favorite, having heard it so often over the last 10 years).

Elsewhere, many governments are trying to establish Voluntary Breach Disclosure regulations. (Australia, Canada, New Zealand, United States) Currently there is no common way for organizations to safely and confidentially share data about attacks they suffer, nor is there necessarily much incentive to do so.

Aside from the obvious privacy concerns and worries about damage to their public images in the event of a publicly disclosed hack. Many organizations have reservations about sharing their breach information with law enforcement because it is often more of a one-way street than an information-sharing arrangement. They supply their attack information to the authorities and more often than not never hear back from them.

But that soon could change, at least in the United States. FBI director Robert Mueller last week in a keynote address at the RSA Conference 2010 said while today it’s the exception rather than the rule for organizations to report cyber-attacks to the bureau, he promised some big changes that could allay privacy concerns. “We will minimize the disruption to your business. We will safeguard your privacy and your data. Where necessary, we will seek protective orders to preserve trade secrets and business confidentiality. And we will share with you what we can, as quickly as we can, about the means and methods of attack,” Mueller told attendees.

Well that would be a definite step in the right direction and an impetus for other to follow.

Source: Voluntary Breach Disclosure Rare But Valuable by Kelly Jackson Higgins, Dark Reading

Recently I travelled to Kuala Lumpur, Singapore, and Jakarta. In KL I attended a cyber security seminar – interestingly enough the so called ‘emerging’ economies are doing somewhat better overall than the ‘advanced’ economies in respect to security; I gather it comes from less legacy baggage and the benefits of years of experimenting by old countries (in term of cyberspace).

As for Singapore, in the last year I was in SIN 14 times, but this was my first time in downtown in a long time. Given a free weekend, I walked about town and even managed to find nature among all that concrete.

In Jakarta, time was precious and rain abundant – being the rainy season. Nevertheless, some of my local colleagues took time to drive me about town on an overcast, but rain free, Sunday. I took in the sites (or was it sight) and a few pictures. The highlight of the day was being mobbed by munchkins while visiting a museum.

PS. On blogging, it is not so much as not having time as not having the discipline to blog in a consistent manner, sorry.

The UK Centre for the Protection of National Infrastructure (MI5) prepared a short ‘restricted’ report back in 2007~08 entitled “The Threat from Chinese Espionage” – that was widely distributed to UK business organizations worldwide – to little effect.

The report of bugging and burgling by agents from the People’s Liberation Army and the Ministry of Public Security. It warns also of electronic gifts given at exhibitions and seminars riddled with Trojans capable of creating a backdoor, ferreting and transmitting specific data, and remotely triggered malware.

According to CPNI “The Chinese government represents one of the most significant espionage threats to the UK because of its use of widespread electronic hacking.” UK cybersecurity experts suspect that Chinese cyberwarfare units have directed concerted hacking exercises against UK’s defence, energy, communications, and manufacturing entities.

In their great wisdom MI5 and CPNI believe that “any UK company might be at risk if it holds information which would benefit the Chinese.”

At the time of the ‘restricted’ letter released by MI5’s DG it was observed in Schneier on Security (4 December 2007) that sending a confidential letter to 300 businesses and expecting it to be kept so was not such a good idea – publicity, and lots of it, should have been the order of the day. The Chinese Ministry of Public Security must have had a good laugh at the time (from reading their own copy); it sure did not slow them down any…

References:

MI5 alert on China’s cyberspace spy threat, Exclusive: director-general of MI5 sends letter to British companies warning systems are under attack from China, From The Times, published: 1 December 2007

Britain Warned Businesses of Threat of Chinese Spying, By Jonh F. Burns, published: 31 January 2010

The Internet has opened global markets and revolutionized modern business practices. Yet, while providing new opportunities, reliance on the Web has also exposed new vulnerabilities. McAfee estimates that in 2008, “companies worldwide lost more than $1 trillion” from IP and data theft. A recently released PwC report on the rising threat of e-espionage asks: “Are companies aware and ready to respond?” In general, the resounding answer is, “No.”

Surveys after reports after commissions unanimously demonstrate that the Internet (Web, cyberspace) is unsecured. Threats are multiplying and growing evermore successful in gaining access to desired data or results. Nevertheless, no one in is right mind stays away – yet, most do very little to protect their property, even themselves – Why?

One answer is ease of use – the Internet is too simple to use and yields too much benefits at a click – how can something this beneficial be this nefarious!

Until we find the right answer, we will continue to barrel down towards an unparalleled cataclysmic  catastrophe where not only IP or data will be lost, but lives…

References:

Study Finds Growing Fear of Cyberattacks, by John Markoff, Published: 28 January 2010

Unsecured Economies: Protecting Vital Information, The first global study highlighting the vulnerability of the world’s intellectual property and sensitive information, December 2009

Securing Cyberspace for the 44th Presidency, A Report of the CSIS Commission on Cybersecurity for the 44th Presidency, December 2008

The Electronic Frontier Foundation (EFF), whose lawyers brought the National Security Agency’s warrantless surveillance program case to court in 2008, unsurprisingly lost their case and plans to appeal. This means that the practice of funnelling Internet traffic by Telcos to government security agencies will continues unabated in the US.

This will also give leverage to security and law enforcement agencies to persuade ISPs (and in some case developers) to provide exploitable backdoors to access emails unimpeded and continue Internet filtering unhindered by privacy regulations. However, more damaging will be the international repercussion; countries like Australia, Canada, the EU, Germany, Russia, Sweden, the United Kingdom, and many others around the world will be embolden in advancing greater Internet surveillance and joint the ranks of the likes of China, Iran, and many others oppressive (draconian) governments.

Nothing surprising here, governments will always find at least one reason to eavesdrop on its citizens – be it to protect wayward nationals at one end of the spectrum to insecure politicians to give themselves an edge over the masses’ discontent (justified or not), or simply because they can do it under the guise of prevention or perversion.

So get over it, short of setting-up your own clean email address servers that you access via TOR sites – governments sponsored hacking and surveillance is here to stay, and they will apply the 5Ws to fit their political or personal agenda.

Note: Clean email address is where you write emails in draft form, and not send them, but allow trusted contacts to also access the account, read the draft message, and type a draft response. The Onion Router (TOR) – the general idea for TOR is that your connection goes through a server that then processes the encrypted connection through a series of proxy servers. The result is a virtual dead-end for anyone trying to analyze the path you took to get to your clean mail server.

References:

Internet censorship on the rise, by Ersu Abalk, published 27 January 2010

Top 10 technologies to beat tyranny, By Iain Thomson, published: 25 January 2010

U.S. enables Chinese hacking Google, by Bruce Schneier, Special to CNN, published 23 January 2010

Kei Eide, the UN special representative in Afghanistan, suggests that ISAF and the UN give into grievances expressed by Taliban leaders regarding the incontinence of being listed on the UN list of terrorists. Apparently, he does not believe that persuading rank-and-files Taliban fighters to leave terrorist organizations in exchange for schooling and employment, or simply payment to stay idly home, is a sustainable course of action. (I agree turncoats in that region are just that – turncoats that can never be trusted.)

Ostensibly, the reason to delist Taliban leaders is to enable reconciliation talks with people of authority instead of supporting uneducated bottom of the barrel individuals that may or may not be worth trust.

As it ever occurred to anyone at the UN that this approach has not, does not, will not work – there are plenty of examples since 1947 where attempts to mediate with criminals and terrorists have solve or change nothing (i.e., Palestine, Congo, Yugoslavia – Bosnia, Croatia, Kosovo).

Is it that easy for the UN to forget that those listed are responsible for the mass murders, rapes, destruction of homes, near ethnic (tribe) cleansing, and unbelievable discrimination against women – all reasons for the last eight years of war (security assistance).

There is no political solution to Afghanistan, especially if presided over by politicians of any ilk. The solution is hard work towards relative prosperity for all through sustained relevant education and honest labour – rendering Taliban rhetoric meaningless. First near self-sufficiency sustained with the manufacture of tradable products onto the world markets.

A house is build from the bottom up, the same applies to a country… very hard work for all concerned, something real versus likely meaningless talks from UN bureaucrats and politicians. Case in point (and that is only the now list):

War in Somalia

Insurgency in the North Caucasus

Sudanese nomadic conflicts

Cambodian-Thai standoff

Civil war in Ingushetia

Civil war in Chad

South Thailand insurgency

Conflict in the Niger Delta

Sa’dah insurgency

War in North-West Pakistan

Baluchistan conflict

Iraq War

Reference:

U.N. Seeks to Drop Some Taliban From Terror List, by Dexter Filkins, published:  24 January 2010

In a recent NY Times article Amichai Shulman, the chief technology officer at Imperva examined a list of 32 million accounts that an unknown hacker stole last month from RockYou – they found that the 32 million accounts shared about 5000 passwords.

I have been maintaining for almost 20 years that the safest user/password access combo, and now the easiest now, is the ten passwords at your fingertips and the one user ID in your face – a simple choice now that almost all laptops have built-in fingerprint reader and camera, or can be added via the USB port.

If the sign-in provider is too lazy to add the few lines of code needed to take advantage of biometrics, let someone come up with a elegant face recognition to user ID and fingerprint to password conversion application that generates unique user ID and password based on an individual’s biometrics (contact me if you want to know how it works).

We have the technology people, let’s get with the program…

References:

If Your Password Is 123456, Just Make It HackMe by Ashlee Vance, Published: January 20, 2010

Facial Recognition Door Lock and Time Clock for Less than $500 by Aaron Saenz, Published: December 29, 2009

RockYou Hack: From Bad To Worse by Nik Cubrilovic Published: December 14, 2009

Biometrics Turns Your Ear Into Your Password by Drew Halley, Published: May 6, 2009

Computer security researchers found strong evidence of the digital fingerprints of the authors, suspected to by Chinese, in the software programs used in attacks against Google. It apparently attacked Google’s source code – akin to the modifications of Cisco Systems source code found in Cisco routers knockoffs that have appeared on the market.

However, I think that experts are giving Chinese hackers too much credit by assuming, in general, that the attacker gain access externally, unaided, to Google’s jewels. I would make a small wager that it was (a) an insider’s job or (b) a combo job (most probable) where malfeasants have an insider drop keyholes (Trojan horse) among the Hollerith cards or modify some code (backdoor)…

The theft of intellectual property through modified software (application) and co-opted hardware (knockoff or compromised) is about to become a standard cost-of-doing business, not only in China, but worldwide, in just about every industry.

At first governments will mostly support it as an extension of their Intelligence Services, like China, which is committed to make great techno-economic strides to keep the masses busy – too many idle hands only create problems – e.g., look at the Middle East. Their Cyber-Intelligence units will pass on the gathered tidbits from their info-warfare (IW) endeavors to their industries.

(Several countries have well defined C⁴ISTAR units capable of waging cyber-warfare – has seen recently during the cyber attacks on Estonia (2007) during the Bronze Soldier of Tallinn incident and Georgia (2008) during the South Ossetia war. These cyber-warriors are the evolution of the Cold War’s tactical and strategic SigInt operators gifted with patience and blessed with luck that intercepted, decoded, and analyzed signals and/or data to gain some sort of advantage on their targets.)

Eventually, since all things digital reign supreme in the commercial world, organizations will draft individuals to penetrate the competition as workers to drop malware in the cogs to gleam a perceived advantage. Malware to spy and reveal business secrets; or, to erode slowly an opponent’s business model; or, simply siphoned off intellectual property for later nefarious use.

Cybersecurity technologists capable of certifying and fingerprint applications as secure (given certain environments) and able to recognize any modifications, especially unauthorized one, will be worth their weight in platinum. They will have to be digital detectives of the caliber of Sir Arthur Conan Doyle’s Sherlock Holmes, the imaginary sleuth famous for his clever use of incisive observation, deductive reasoning, and forensic skills to defeat malfeasants.

Let the bon temps role!

References:

Fearing Hackers Who Leave No Trace, by John Markoff and Ashlee Vance, published: January 19, 2010

Evidence Found for Chinese Attack on Google, by John Markoff, published: January 19, 2010

China: Cyber warfare, weapon of mass destruction? Published by Heike August 8, 2008

The recent hacking of Google left corporate networks, worldwide, questioning their cyber security, justifiably so. How malware find their way into networks is not as important as taking measures to make everyone aware of the possibility and implementing strict countermeasures automatically, back by strict penalties for not following security rules that reflect realities.

One improvement is to abandon the user/password methods and replace it with biometrics. Regardless of what the industry says the deployment of the technology is not difficult at all, just slightly troublesome for people. Although not the perfect deterrent, biometrics can reduce greatly email accounts highjacking, corporate networks penetrations, and even credit cards cloning.

Simple enrolment procedures of employees’ several biometrics measurement can take less than one (1) minute. A computer connected to a USB device such as a fingerprint reader or a camera biometrics can harvest and verify one’s ID faster than typing in a user/password combo. (Currently, 99% of all computers in used worldwide have at least one USB port.)

As for credit/debit cards, the chip on most of them can store enough information to enable solid biometrics ID at most point-of-sale interfaces.

However, no system connected to the Internet (cyberspace) will ever be 100% secured against a determine malfeasant! Additional organization-wide measures such as establishing sustainable Information Security Management Systems and reliable corporate governance are needed. Further, these measures must be backed by frequent independent audits conducted by trusted third party using such standard as ISOs 20000 (Information Technology Infrastructure Library), 24762 (Disaster Recovery), 27001 (Information Security Management System), 28000 (Supply Chain Management Security), 38500 (Governance of Enterprise IT), and BS 25999 (Business Continuity Management or ISO 22399).

One problem solved, now to the next generation of cybercrimes – the one committed by robots and AIs in the ever-growing virtual world… stay tuned!

References:

In Rebuke of China, Focus Falls on Cybersecurity by Miguel Helft and John Markoff Published: January 13, 2010

Companies Fight Endless War Against Computer Attacks by Steve Lohr Published: January 17, 2010

Hackers Said to Breach Gmail Accounts in China by Edward Wong Published: January 18, 2010

Like warring on each other for no other apparent reason than political gain was not bad enough, slavery goes on without abating. According to Time Magazine’s article “South Africa’s New Slave Trade and the Campaign to Stop It” by By E. Benjamin Skinner (Monday, Jan. 18, 2010) there are more slaves today worldwide than at any point in human history despite dozen international conventions banning slavery.

In addition, please purchase and read “A Crime So Monstrous: Face-to-Face with Modern-Day Slavery” by E. Benjamin Skinner – a shockingly revealing and powerful book that goes far to point out our governments ineffectual rhetorics and the UNHCR impotence.

It is available in bookstore, as well as:

• Amazon
• Barnes & Noble
• Books-A-Million
• Borders
• Overstock
• Powell’s
• Waldenbooks

Note: 25% of U.S. royalties go to Free The Slaves, a group that uses holistic, locally-based strategies through global partners to fight slavery, rehabilitate slaves and eradicate bondage. 25% of U.K. royalties go to the group’s British sister, Anti-Slavery International, the world’s oldest human rights organization.

Benjamin Skinner discusses the challenges of writing about the slave trade on NPR’s Day to Day – http://j.mp/2Uis0 – unbelievable, and yet not surprising.

A UNICEF program that spend US$27 million to decrease child deaths from disease in West Africa has failed, according to a new study that found a higher survival rate in some regions that were not included in the program.

The UN childcare’s agency pursued strategies like vaccinating children, giving them vitamin A pills, and distributing mosquito nets to protect them against malaria form 2001 to 2005 in parts of 11 countries. The aim was to reduce the death rate by at least 25 % by the end of 2006.

An analysis of the program in Benin, Ghana, and Mali found children in areas where it was not in effect had a better chance of surviving past age 5 than children who were covered by it. The study was published online Tuesday in the British medical journal Lancet – see here http://j.mp/5PLrLp.

Why am I not surprised…

On the Huffington Post website, founder Arianna Huffington introduces what she calls the “move your money” campaign. The idea is to get all Americans to close their accounts at big banks and transplant their personal finances to smaller banks. The budding cause has its own web site, moveyourmoney.info, including a link where you can plug in your zip code and find a list of smaller banks.

Huffington singles out the Big Four banks (that would be Bank of America, Citi, JP Morgan Chase and Wells Fargo) for particular ire, pointing out that they’ve curbed business lending even since receiving TARP money. She urges Americans to bank their money at community banks instead of these TARP-receiving behemoths.

I hope this campaign makes enough of an impact for the big banks to notice. At the end of the day, even if this campaign doesn’t succeed in making the Big Four don’t change their ways, if more Americans wind up at banks that make them feel like valued customers, that’s a good thing. In addition, it would serve has a revenge for the rest of us in the world that cannot participate, but paid just the same – here is a change of Americans to do something for the rest of the world that does not involve propping up a war machine in support of decrepit unappreciative corrupted governments.

If you can please make that resolution for 2010 – Move Your Money!

PS. I love the reference to the 1946 classic Frank Capra film It’s a Wonderful Life – just brilliant.

The Open Web Application Security Project (OWASP) has released a new Top 10 most critical Web application security risk. Top Ten 2010 version provides a powerful awareness document to mitigate Web application security risk.

Further, this time around the Top 10 are presented from a risk-base approach, thus playing to a wider audience.

You can download the Release Candidate version here — http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf

Really worth the time.

Security Now! Steve Gibson and Leo Laporte this week plow into a recently discovered serious vulnerability in the fundamental SSL protocol that provides virtually all of the Internet’s communications security: SSL – the Secure Sockets Layer. Steve explains exactly how an attacker can inject his or her own data into a new SSL connection and have that data authenticated under an innocent client’s credentials.

This is an excellent podcast that should be listen too by all involved with SSL and/or TLS.

High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-223.mp3

Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-223-lq.mp3

The transcript can be found here: http://www.grc.com/sn/sn-223.htm

SSL and TLS protocols renegotiation vulnerability

Vulnerability exists in SSL and TLS protocols that may allow attackers to execute an arbitrary HTTP transaction. This issue affects SSL version 3.0 and newer and TLS version 1.2, and older versions.

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, and LDAP. Vulnerability in the way SSL and TLS protocols allow renegotiation requests may allow an attacker to inject plaintext into an application protocol stream. This could result in a situation where the attacker may be able to issue commands to the server that appear to be coming from a legitimate source.

According to the PhoneFactor’s Marsh Ray and Steve Dispensa, and Nasko Oskov of Microsoft :

SSL and TLS renegotiation are vulnerable to an attack in which the attacker forms a TLS connection with the target server, injects content of his choice, and then splices in a new TLS connection from a client. The server treats the client’s initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker is from the same entity as the subsequent client data.

TLS[RFC5246]allows either the client or the server to initiate renegotiation – a new handshake which establishes new cryptographic parameters. Unfortunately, although the new handshake is carried out over the protected channel established by the original handshake, there is no cryptographic connection between the two. This creates the opportunity for an attack in which the attacker who can intercept a client’s transport layer connection can inject traffic of his own as a prefix to the client’s interaction with the server.

To start the attack, the attacker forms a TLS connection to the server (perhaps in response to an initial intercepted connection from the client). He then sends any traffic of his choice to the server. This may involve multiple requests and responses at the application layer, or may simply be a partial application layer request intended to prefix the client’s data. He then allows the client’s TLS handshake to proceed with the server. The handshake is in the clear to the attacker but encrypted over the attacker’s channel to the server.

Once the handshake has completed, the client communicates with the server over the new channel. The attacker cannot read this traffic, but the server believes that the initial traffic to and from the attacker is the same as that to and from the client.

If certificate-based client authentication is used, the server will believe that the initial traffic corresponds to the authenticated client identity. Even without certificate-based authentication, a variety of attacks may be possible in which the attacker convinces the server to accept data from it as data from the client. For instance, if HTTPS [RFC2818] is in use with HTTP cookies [REF], the attacker may be able to generate a request of his choice validated by the client’s cookie.

This attack can be prevented by cryptographically binding renegotiation handshakes to the enclosing TLS channel, thus allowing the server to differentiate renegotiation from initial negotiation, as well as preventing renegotiations from being spliced in between connections. An attempt by an attacker to inject himself as described above will result in a mismatch of the extension and can thus be detected.

For a list of systems affected systems visit CERT-US

References

http://extendedsubset.com/?p=8
http://www.links.org/?p=780
http://www.links.org/?p=786
http://www.links.org/?p=789
http://blogs.iss.net/archive/sslmitmiscsrf.html
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
https://bugzilla.redhat.com/show_bug.cgi?id=533125
http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00014.html
http://cvs.openssl.org/chngview?cn=18790
http://www.links.org/files/no-renegotiation-2.patch
http://blog.zoller.lu/2009/11/new-sslv3-tls-vulnerability-mitm.html
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt