Bio

  • David Rice is an internationally recognized information security professional and an accomplished educator and visionary. For a decade he has advised, counseled, and defended global IT networks for government and private industry.

    David has been awarded by the U.S. Department of Defense for “significant contributions” advancing security of critical national infrastructure and global networks. Additionally, David has authored numerous IT security courses and publications, teaches for the prestigious SANS Institute, and has served as adjunct faculty at James Madison University. He is a frequent speaker at information security conferences and currently Director of The Monterey Group.

April 15, 2008

Byzantine Foothold: Before Our Regrets Exceed Our Ability to React

BusinessWeek has learned the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. The full article from BusinessWeek is here.

The article goes on to state the U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years. "It's espionage on a massive scale," says Paul Kurtz, a former high-ranking national security official.

Now, of course, my question is: how did such widespread intrusions become possible? BusinessWeek has this to say (note my emphasis below):

The government has yet to disclose the breaches related to Byzantine Foothold. BusinessWeek has learned that intruders managed to worm into the State Dept.'s highly sensitive Bureau of Intelligence & Research, a key channel between the work of intelligence agencies and the rest of the government. The breach posed a risk to CIA operatives in embassies around the globe, say several network security specialists familiar with the effort to cope with what became seen as an internal crisis. Teams worked around-the-clock in search of malware, they say, calling the White House regularly with updates.

The attack began in May, 2006, when an unwitting employee in the State Dept.'s East Asia Pacific region clicked on an attachment in a seemingly authentic e-mail. Malicious code was embedded in the Word document, a congressional speech, and opened a Trojan "back door" for the code's creators to peer inside the State Dept.'s innermost networks. Soon, cyber security engineers began spotting more intrusions in State Dept. computers across the globe.

The malware took advantage of previously unknown vulnerabilities in the Microsoft operating system. Unable to develop a patch quickly enough, engineers watched helplessly as streams of State Dept. data slipped through the back door and into the Internet ether. [my emphasis]

Although they were unable to fix the vulnerability, specialists came up with a temporary scheme to block further infections. They also yanked connections to the Internet.

The malware used by the attackers took advantage of previously unknown vulnerabilities (important: this word is plural) for which patches were not yet available. So the world's one and only superpower is potentially laid bare because of a defect that went undetected by the manufacturer before its product was released into the global stream of commerce?!?

The world's one and only super-power also just happens to be the world's one and only super-crash test dummy (a reference to Geekonomics, which states that software buyers are crash test dummies for software manufacturers: we "crash" so the manufacturer knows what to fix).

More from BusinessWeek:

Adding to Washington's anxiety, current and former U.S. government officials say many of the new attackers are trained professionals backed by foreign governments. "The new breed of threat that has evolved is nation-state-sponsored stuff," says Amit Yoran, a former director of Homeland Security's National Cyber Security Div. Adds one of the nation's most senior military officers: "We've got to figure out how to get at it before our regrets exceed our ability to react."

I would suggest this: reduce the supply of vulnerabilities. Software exploits do not exist in a vacuum. A software exploit requires a corresponding software vulnerability. Attackers do not "break" software. The software comes already broken from the manufacturer. As such, attackers merely discover the defect, not create it. The attacker's "sophistication" derives from the direct incentive to do what the manufacturer had no (or very little) incentive to do: find the defect first.

Remove, or drastically disincentivize, the production of insecure software by software manufacturers, and our ability to react might just foreclose our regrets.

April 14, 2008

Epilepsy Site Hacked with Flashing Lights

In a remarkably tasteless move, hackers broke into the Epilepsy Foundation's web site in April 2008. Emily Bishop from Iowa State Daily writes:

Sometimes computer hackers hack into a Web site as a joke - but the recent hacking of the Epilepsy Foundation's Web site was no laughing matter.

Rapidly flashing images, which can trigger seizures in people with photosensitive epilepsy, were put on the Web site, according to the site itself.
...
Doug Jacobson, professor of electrical and computer engineering, said what happened to the Epilepsy Foundation's Web site is "unique in that, usually, a computer by itself can't cause harm." [my emphasis]

"It's getting press because of the uniqueness of what [the hackers] did," Jacobson said. "[Hackers] look for vulnerable software and take advantage of it."

The complete article is here.

March 24, 2008

Espionage, Olympics, and the Internet

There are two recent articles that seemed rather uncomfortably related.

The first article is from Yahoo! News:

US Olympic tourists warned about monitoring in hotels

An excerpt from the article:

WASHINGTON (AFP) - Americans traveling to China for the Olympic Games in August can expect their hotel rooms there to be monitored, the State Department warned on its website.

"All visitors should be aware that they have no reasonable expectation of privacy in public or private locations," according to the State Department site.

"All hotel rooms and offices are considered to be subject to on-site or remote technical monitoring at all times. Hotel rooms, residences and offices may be accessed at any time without the occupant's consent or knowledge," it said.

The second article is from Steinnon on Security from Network World:

China takes off cyber gloves

An excerpt from the article:

Are you a manufacturer? Are you responsible for IT Security at a government agency or research lab? Are you an athlete? Do you represent the cause of freedom in Tibet or peace in Darfur? If so, you have a new enemy. The government of the largest country in the world [China] is after your data. They have resources you cannot even dream of. They are organized. They know what they are doing.

Now, imagine the two articles juxtaposed. The following might give you a taste of how pervasive and devastating espionage, cyber or otherwise, can be. My additions are in square brackets.

Americans traveling [the Internet]...can expect their [actions] to be monitored, the State Department warned on its website. "All visitors should be aware that they have no reasonable expectation of privacy in public or private locations [on the Internet]," according to the State Department site. "All hotel rooms and offices[, computers, blackberries, iPhones, gaming systems] are considered to be subject to on-site or remote technical monitoring at all times. [These] may be accessed at any time without the [owner's] occupant's consent or knowledge," it said.

There are no small targets on the Internet. Once you connect, you and your software are part of the whole whether you like it or not.

March 19, 2008

Insanity: 75% of Security Breaches Due to Flaws in Software

CSO Magazine ran this article on March 8, 2008:

Insanity - Doing the Same Thing Over and Over Again Expecting a Different Result

To quote:

A Gartner study indicates that 75% of security breaches are due to flaws in software...Do you think we would see a significant decrease in the number of data breaches and records stolen if we shifted our spend to actually writing proper code and protecting data at the source instead of at the edge? I think it is time we gained a few IQ percentage points and stopped the insanity.

I would tend to argue, unequivocally, yes. Absolutely yes. Our perverse and dysfunctional relationship with software, particularly insecure software, is not only insane, but outright madness. Those who have read my blog and Geekonomics know my mantra:

Insecure software sends an unmistakable message of disorder into the environment of cyber space. Small elements of disorder (like software vulnerabilities) invite greater elements of disorder, even cyber crime.

Cyber crime, in part, preys on the weaknesses software manufacturers themselves fail to detect before releasing/publishing the application into the global stream of commerce. To change the story of software, and thus the story of cyber crime, software manufacturers need different incentives to improve the quality and security of software.

Stop the rising trend of vulnerabilities, and thus the insanity, at its source. To do so is painful, difficult, complicated, and troublesome. Human endeavors of any significance are like this. I would argue history has taught us that much, at least.

January 29, 2008

Book Review: Dorothy Denning

I had a great discussion with Dorothy Denning after she read Geekonomics. For the benefit of those readers outside the information security profession, Dorothy is one of the world's most respected computer-security experts, having published four books and over 120 articles. She was a professor at Georgetown University and is now a professor at the Naval Postgraduate School. I am truly delighted to post the following review by Dorothy:

"I loved this book. It is probably the most engaging and important book relating to security that I've read. Geekonomics tackles head on the growing security and safety problems brought on by faulty software, and what needs to be done. If you read only one book this year, Geekonomics should be it."

Thanks so much for the wonderful review, Dorothy.

January 24, 2008

Book Review: Raj Samani

Raj Samani wrote the following review on Amazon.co.uk:

A Call to Action?

I really enjoyed this book, but not solely because of the message the author delivers - in terms of the poor quality of software we the consumer are forced to accept, but more in terms of the manner in which his argument is made.

The software industry is unlike any other industry, with no true comparables. It would therefore ordinarily be impossible to say look at industry x, they did solution y - so we should replicate that in its entirety. Rather, what the author did was to break down the many intricacies of the industry and found comparables there. For example, the early example regarding the manner in which Portland cement was created would ordinarily have one assuming it has no correlation whatsoever with software. Any attempt to link this back would ordinarily have proved clumsy, yet the author does link it back efficiently and with consummate ease. This achieves two things: firstly it breaks the problem down without overburdening the reader with convoluted descriptions, but also I particularly enjoyed a tour through history, and learning something new.

Such examples are littered throughout the book, including but not limited to the fight for standardisation - in screws!!!

Although the description of the legal framework did leave the mind to wander elsewhere, it is incredibly harsh to fault the author for this area to be, shall we say 'a little dry'.

I did find myself disagreeing on some minor points, but this was not related to facts merely a difference of opinion. Subsequently I would strongly urge one and all to not only read this, but more importantly make an attempt to demand better quality code from the software companies.

Make sure you read this so you can fully appreciate the magnitude of the problem. Thereafter treat this as a vital tool in your arsenal, in the call to action - in the demand for better software.

Thank you for the wonderful review, Raj.

January 21, 2008

Book Review: Ben Rothke on Slashdot

Ben Rothke gave a very complimentary review of Geekonomics on Slashdot:

Geekonomics

Excerpts from the review:

"First the good news — in a fascinating and timely new book Geekonomics: The Real Cost of Insecure Software, David Rice clearly and systematically shows how insecure software is a problem of epic proportions, both from an economic and safety perspective. Currently, software buyers have very little protection against insecure software and often the only recourse they have is the replacement cost of the media. For too long, software manufacturers have hidden behind a virtual shield that protects them from any sort of liability, accountability or responsibility. Geekonomics attempts to stop them and can be deemed the software equivalent of Unsafe at Any Speed. That tome [warned] us against driving unsafe automobiles; Geekonomics does the same for insecure software."

Now the bad news — we live in a society that tolerates 20,000 annual alcohol-related fatalities (40% of total traffic fatalities) and cares more about Britney Spears' antics than the national diabetes epidemic. Expecting the general public or politicians to somehow get concerned about abstract software concepts such as command injection, path manipulation, race conditions, coding errors, and myriad other software security errors, is somewhat of a pipe dream.

Geekonomics is about the lack of consumer protection in the software market and how this impacts economic and national security. Author Dave Rice considers software consumers to be akin to the proverbial crash test dummy. This combined with how little recourse consumers have for software related errors, and lack of significant financial and legal liability for the vendors, creates a scenario where computer security is failing.

Most books about software security tend to be about actual coding practices. Geekonomics focuses not on the code, but rather how insecurely written software is an infrastructure problem and an economic issue.

...

Overall, Geekonomics is an excellent book that broaches a subject left uncharted for too long. The book though does have its flaws; its analogies to physical security (bridges, cars, highways, etc.) and safety events don't always coalesce with perfect logic [My edit: please read my response to a similar critique from Richard Bejtlich here]. Also, the trite title may diminish the seriousness of the topic. As the book illustrates, insecure software kills people, and I am not sure a corny book title conveys the importance of the topic. But the book does bring to light significant topics about the state of software, from legal liability, licensing of computer programmers, consumers' rights, and more, that are imperatives.

It is clear the regulations around the software industry are inevitable and it is doubtful that Congress will do it right, whenever they eventually get around to it. Geekonomics shows the effects that such lack of oversight has caused, and how beneficial it would have been had such oversight been there in the first place.

To someone reading this review, they may get the impression that Geekonomics is a polemic against the software industry. To a degree it is, but the reality is that it is a two-way street. Software is built for people who buy certain features. To date, security has not been one of those top features. Geekonomics notes that software manufacturers have little to no incentive to build security into their products. Post Geekonomics, let's hope that will change.

Geekonomics will create different feelings amongst different readers. The consumer may be angry and frustrated. The software vendors will know that their vacation from security is over. It's finally time for them to get to work on fixing the problem that Geekonomics has so eloquently written about.

January 15, 2008

SilentBanker - A Trojan of Extraordinary Angst

From Network World:

Another new Trojan intercepts online banking information.

The Trojan, dubbed Trojan.Silentbanker by security software company Symantec, can intercept online banking transactions that normally are well guarded by two-factor authentication procedures. During a banking transaction, Silentbanker will change the user's bank account details over to the attacker's account, all the while mimicking what the user would expect to see from a typical banking transaction. Because users have no idea their account data has been changed, they then unknowingly send money to the attacker's account after entering their second authentication password.

Although the Trojan.Silentbanker is listed by Symantec as having a low level of distribution and being easy to remove from infected machines, Symantec security response team member Liam O'Murchu says it still poses a danger because of its ability to work without users detecting it.

"The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis," writes O'Murchu on Symantec's security response blog. "This Trojan downloads a configuration file that contains the domain names of over 400 banks. Not only are the usual large American banks targeted but banks in many other countries are also targeted, including France, Spain, Ireland, the UK, Finland, Turkey -- the list goes on."

The Trojan can be "downloaded or delivered silently through Web exploits," according to Symantec. Once it has been loaded to a machine, it can hook onto various APIs in both Internet Explorer and Firefox. As soon as the program is in place on a Web browser, it is free to cause all kinds of mischief, including redirecting legitimate banking requests to attacker-controlled computers; altering the HTML of pages shown to the user; and recording user names and passwords, as well as capturing screenshots of any Web pages the user visits.

Additionally, says O'Murchu, the Trojan can constantly update itself, as it relays URLs and HTML from banking Web sites to the attackers on a daily basis. "Using these submissions they can target banks for which they do not have bank accounts already," he says. "We are currently monitoring all of the updates to this Trojan."

January 13, 2008

Hacking a Train Network

From the Register:

Polish teen derails tram after hacking train network

An excerpt:

A Polish teenager allegedly turned the tram system in the city of Lodz into his own personal train set, triggering chaos and derailing four vehicles in the process. Twelve people were injured in one of the incidents.

The 14-year-old modified a TV remote control so that it could be used to change track points, The Telegraph reports. Local police said the youngster trespassed in tram depots to gather information needed to build the device. The teenager told police that he modified track setting for a prank.

"He studied the trams and the tracks for a long time and then built a device that looked like a TV remote control and used it to manoeuvre the trams and the tracks," said Miroslaw Micor, a spokesman for Lodz police.

"He had converted the television control into a device capable of controlling all the junctions on the line and wrote in the pages of a school exercise book where the best junctions were to move trams around and what signals to change.

"He treated it like any other schoolboy might a giant train set, but it was lucky nobody was killed. Four trams were derailed, and others had to make emergency stops that left passengers hurt. He clearly did not think about the consequences of his actions," Micor added.

Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit. The apparent ease with which Lodz's tram network was hacked, even by these low standards, is still a bit of an eye opener.

Hacking a 787 Dreamliner

From Wired Magazine:

FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack

A short excerpt:

The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals.

The revelation is causing concern in security circles because the physical connection of the networks makes the plane's control systems vulnerable to hackers. A more secure design would physically separate the two computer networks. Boeing said it's aware of the issue and has designed a solution it will test shortly.

"This is serious," said Mark Loveless, a network security analyst with Autonomic Networks, a company in stealth mode, who presented a conference talk last year on Hacking the Friendly Skies (PowerPoint). "This isn’t a desktop computer. It's controlling the systems that are keeping people from plunging to their deaths. So I hope they are really thinking about how to get this right."

...

The design "allows new kinds of passenger connectivity to previously isolated data networks connected to systems that perform functions required for the safe operation of the airplane," says the FAA document. "Because of this new passenger connectivity, the proposed data-network design and integration may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane."