Sunday, May 10, 2009

Wireless Security Raises Privacy Issues

May 5, 2009 (Computerworld) SAN FRANCISCO -- The wireless industry is abuzz with plans for expanding remote monitoring of just about any device over wireless networks.

Examples range from reading water and power meters remotely, to helping police see how long a car has been parked on a city street and monitoring traffic congestion via wireless cameras.

But with the growth in the technology, there's also growing concern that Big Brother will have more eyes and ears than ever before.

"That's the scariest part of this [trend] -- the potential for Big Brother," said Rich Redelfs, a general partner at Foundation Capital, a venture capital firm that invests in wireless technologies.

In an interview at the Go Mobile 2009 conference here, Redelfs said he and his partners take into account privacy concerns when reviewing an investment proposal for a new technology. "Privacy is ultimately a moral issue, and that matters to us," Redelfs said.

"The Internet as a whole has raised the issue for how much our personal information might be seen by others," Redelfs said.

"I'd say the biggest worry is the growing use of wireless video cameras in traffic," which could be used to trace where a person has been, Redelfs said.

Much of the technology enabling remote wireless monitoring has been available for several years, but now that wireless networks are faster and more widespread, the number of wireless monitoring applications has mushroomed, said analysts and attendees at Go Mobile.

In separate keynote addresses, representatives of Verizon Wireless and AT&T Mobility underscored the trend. They noted that their companies plan to be connecting with a wide range of wireless devices in coming months.

AT&T has mostly emphasized wireless connectivity for consumer electronics products, while Verizon seems to envision a wider scope that includes machine-to-machine communications via wireless, and more.

Maurice Thompson, director of business development for Verizon's open development efforts, said the carrier is working on supporting any application over any operating system via wireless networks.

He said one example of what is coming is the ability to monitor home appliances wirelessly, so that a homeowner could arrange in advance for a warranty company to know, for example, when a compressor on a refrigerator is failing. If news about a compressor's bad health were transmitted wirelessly to a warranty company, a repair technician could be dispatched to fix the refrigerator before it fails.

The concerns over privacy are mostly abstract so far. During a panel discussion at the conference, Redelfs mentioned a San Francisco-based company called Streetline Inc., which provides a wireless sensor that can be placed in a parking spot to determine whether a car is parked there.

The city of San Francisco launched a trial of the sensors on 6,000 parking spaces last fall. Streetline and the city could not be reached for an update on the project's outcome.

Redelfs said the sensors could be linked to systems used by the police, who could dispatch an officer to issue a ticket shortly after a parked car exceeded the time limit. But Gerry Purdy, an analyst at Frost & Sullivan, said it might be better if the wireless message was sent to the cell phone of the car's owner, so he could move the vehicle right away.

Purdy's comment drew laughter from the gathered audience, but Redelfs and another venture capital investor picked up on the potential for wireless monitoring to ignite concerns about police and other government groups gaining too much oversight via technology. "We're backing a company called 'Big Brother -- not!'" joked David Lane, a general partner at Onset Ventures.

Redelfs said a company he backs, Dust Networks, provides the wireless networking technology behind Streetline's sensors. Even so, he said his firm does take privacy worries into account when deciding whether to fund a new technology.

While no technology he has reviewed was actually rejected because of privacy problems, he said a current funding proposal in the health care sector that he would not identify might be turned down because of ethical concerns.

Redelfs said many factors can kill an investment, including the possibility that a particular technology will arouse public concerns about privacy and ethics. Last year, Foundation Capital interviewed makers of 118 technologies who were seeking funding, but it chose to invest in only two of them, he said. In addition, he read lengthy proposals for another 160 technologies, meaning nearly 300 came to his attention.

"That's a typical year," he said. (source)

Thursday, April 30, 2009

Learn To Screen Your IT Folks Better

April 28, 2009 (Computerworld) A systems administrator pleaded guilty in a federal court yesterday to charges that he tried to extort an undisclosed amount of money and even forcibly secure good job references from a New York-based mutual fund company that had just laid him off.

Investigators asked that the mutual fund company not be identified.

Viktor Savtyrev, of Old Bridge, N.J., pleaded guilty to cyber extortion in U.S. District Court in Newark, N.J. Under the plea agreement, Savtyrev, also known as Victor Savturev, faces a suggested sentence of up to five years in federal prison and a fine of $250,000.

His sentencing hearing is scheduled for Aug. 24, according to Assistant U.S. Attorney Seth Kosto.

Savtyrev was employed as a systems administrator at the company before he and nine fellow employees were laid off last Nov. 5. All of the laid-off workers were given a severance package, according to a criminal complaint filed with the courts.

Kosto said that with the slumping economy causing layoffs in a variety of industries, companies should be extra cautious about securing their networks.

"Certainly, companies need to be extra vigilant," he said. "We continue to encourage companies to be extra cautious and monitor carefully their procedures regarding laid-off employees. And they need to call the authorities at the first threat."

Late on the morning of Thursday, Nov. 6, Savtyrev used a Gmail account to e-mail the company's general counsel and three other employees, saying he was "not satisfied with the terms" of his severance, FBI Special Agent Gerald Cotellesse wrote in the complaint. The FBI charged that Savtyrev threatened to cause extensive damage to the company's computer servers if it didn't increase his severance pay, extend his medical coverage and provide "excellent" job references.

The sysadmin also threatened to alert the media after attacking the server.

According to the complaint, the company contacted law enforcement personnel the day of Savtyrev's first threat. That evening, at the direction of investigators, a company employee recorded a phone call in which Savtyrev repeated his demands. During the call, he also said he would get his "comrades from Belarus" to help him hack into the company's servers, the complaint said.

Savtyrev sent a second e-mail to the company on Friday, Nov. 7, and in a taped phone conversation that evening agreed to show company officials how he could exploit the systems in return for meeting his demands, the complaint said.

The criminal complaint notes that he sent a third e-mail on Saturday saying he had opened several back doors in the company's systems and it would take months to find them.

Assistant U.S. Attorney Erez Liebermann, who also worked on the case, noted in an earlier interview that with a rocky economy and increased layoffs, companies need to shore up their defenses by shutting down internal and remote access immediately upon terminating a worker, monitoring system logs for any anomalies, adding extra layers of security and having a process in place for quickly reporting any threats or breaches to law enforcement agencies.

"And it's important that they report instances like this before they go from a threat to a loss of data," he added. (source)
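The prosecutors' advice above boils down to a procedure: revoke access at the moment of termination, then watch the logs for anything that contradicts the revocation. The following script, added here as an illustration and not part of the Computerworld article or the case it describes, shows the second half of that procedure: it takes an offboarding roster (account name and the UTC time its access should have ended) and a handful of sshd-style authentication lines, and reports any attempt by a terminated account after its cut-off. The roster, hostnames, usernames, IP addresses and log lines are all constructed for the example; the log format is the common OpenSSH "Accepted/Failed ... for USER from IP" line, with the syslog year supplied by the caller because syslog timestamps omit it.

```python
"""Flag authentication by accounts that should have been disabled at offboarding.

Added example, not from the article. Roster, hosts, users and log lines are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed offboarding roster: account -> UTC instant after which no access is legitimate.
TERMINATED = {
    "jdoe": datetime(2008, 11, 5, 17, 0, tzinfo=timezone.utc),
    "rsmith": datetime(2008, 11, 5, 17, 0, tzinfo=timezone.utc),
}

# Constructed sshd-style log lines. 'alice' is a current employee and must not be flagged.
SAMPLE_LOG = """\
Nov  5 16:40:02 fileserver sshd[2211]: Accepted publickey for jdoe from 10.1.2.3 port 50222 ssh2
Nov  5 20:15:44 fileserver sshd[2290]: Accepted password for rsmith from 203.0.113.9 port 41000 ssh2
Nov  6 02:03:11 vpn-gw sshd[314]: Failed password for jdoe from 198.51.100.7 port 6022 ssh2
Nov  6 09:12:30 fileserver sshd[2410]: Accepted publickey for alice from 10.1.2.8 port 50311 ssh2
Nov  7 23:58:01 dbserver sshd[77]: Accepted publickey for rsmith from 203.0.113.9 port 41700 ssh2
"""

# Matches the OpenSSH authentication result line (assumed format for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line, year):
    """Parse one sshd auth line into a dict, or return None for lines we do not recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog has no year and pads the day with a double space; normalise before parsing.
    stamp = " ".join(m["ts"].split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": ts, "host": m["host"], "user": m["user"], "src": m["src"], "result": m["result"]}


def find_post_termination_access(log_text, roster, year):
    """Return every auth event by a terminated account that occurred after its cut-off.

    Successful logins are 'high' (access was never actually revoked); failed attempts are
    'medium' (revocation worked, but someone is still trying the credential).
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None or ev["user"] not in roster:
            continue
        if ev["time"] <= roster[ev["user"]]:
            continue  # before the cut-off: legitimate activity while still employed
        ev["severity"] = "high" if ev["result"] == "Accepted" else "medium"
        findings.append(ev)
    return findings


if __name__ == "__main__":
    for ev in find_post_termination_access(SAMPLE_LOG, TERMINATED, 2008):
        print(f"{ev['severity']:6} {ev['time'].isoformat()} {ev['user']}@{ev['host']} "
              f"from {ev['src']} ({ev['result']})")
```

On the constructed input the script flags the two successful logins by rsmith on Nov 5 and Nov 7 as high and the failed attempt by jdoe on Nov 6 as medium, while jdoe's login before the cut-off and alice's login are ignored. In practice the roster would come from HR's termination feed and the log text from the central syslog or SIEM, and a "high" finding is exactly the signal that a disable step was missed.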

Thursday, April 23, 2009

Learn From The Crooks

If security vendors are to truly help customers strengthen their infrastructure, they need to take a page from the cybercriminals, Art Coviello told the crowd at the RSA opening keynote this week. The adversaries have developed a collaborative ecosystem marked by innovation and agility, he explained, one which works as well as any interdependent system within the legal marketplace.

“This group has some unique advantages. Unlike you, they are not bound by rule of law, they are not bound by SLAs beyond a basic honor among thieves, and they are not bound by governance,” Coviello said. “They collaborate, both offline to build their attacks and online in real time. And they've found ways to create relationships to build their supply chain.”

In order to succeed against such adversaries, the security community needs to do a better job of working together to build a common security framework.

“Security technologies are still being applied piecemeal, cluttering the landscape and leaving perilous gaps,” Coviello said, explaining that this approach sprung forth from IT's ad hoc development.

“If you think about it, our core business structures evolved with no overarching design or master plan,” Coviello said. “As new technologies emerged, they were stacked one on another in what one IT executive in the audience referred to as a leaning tower of technology on the brink of collapse.”

As a result, too many security products have been designed to only protect a single element of the infrastructure.

Coviello's vision of collaboration revolves around taking the four steps of security—policy management, policy decisions, policy enforcement and policy audits—and decoupling them from the point products so that these steps are performed across the entire infrastructure in one cohesive step. As he explained it, such a decoupling shouldn't strip individual point products of function, but instead should allow them to work interdependently.

“No one wants to know if one particular point product is working; they want to know if the entire (security) infrastructure is working,” Coviello said. “In the Web 2.0 world, we've seen the power of mashups. So why not in the security world?”

As he explained, the answer is not a single cohesive product from one vendor. Instead, it requires 'inventive collaboration' from a number of partners to interweave their solution into an adaptable ecosystem as good as the bad guys'.

Coviello outlined three ways the security vendor community can breathe life into this ecosystem. First, vendors must collaborate more on security standards.

Second, they have to be better about sharing technology with one another in order to improve their firepower against the criminals.

And last, they need to enhance technology integration in order to embed security into the infrastructure.

Security practitioners out in the field also have a role in this collaborative process, Coviello said: “Vendors must take the lead, but practitioners must demand this of us.” (source)

Wednesday, April 22, 2009

Network Security At America's Utilities Companies: What Will It Take?

I remember in the spring of 2008 when a nuclear power plant caused a massive electricity outage in south Florida for an afternoon. It happened during work hours, and it provided a chance for our network of 20 different offices between Sarasota and Naples to test our APC battery backups for a few hours.

The good news is that we churned along just fine running on emergency power. The bad news is that the outage was a result of network penetration by what I discovered to be Chinese hackers. It wasn't any hardcore sleuthing I did to find this out, of course, because I wasn't even working for the utility companies involved. I found out about it from keeping up on a wide variety of news sources, such as the National Journal.

As soon as I came across the article, I sent it to the rest of the guys in my IT department. Only one wrote me back, asking for the source of the article. He was a network administrator--one of 3 we had at the time.

April 17, 2009 (Network World) As far as the headline writers at the Wall Street Journal were concerned, the battle was over and the U.S. electricity grid was under the enemy's control -- "Electricity Grid in U.S. Penetrated by Spies." There has been a bunch of speculation on the Web and in the blogosphere over just why this story came out when it did - this sort of thing is a fertile area for conspiracy theorists. But I'm more interested in the underlying issue and why it's not actually getting the attention it should.

The underlying issue is the security of the U.S. utility infrastructure -- electricity, water, gas, sewer. Observers have been warning for years that U.S. utility companies seem to have a negative understanding of security when it comes to protecting their systems from non-physical threats. Yet stories like the one in the Journal keep showing up. A quick look shows such a story each of the last three years. In June 2007 the U.S. Department of Homeland Security leaked a video of the results of a cyber attack on a power generator. A year later Forbes published a story headlined "Congress Alarmed At Cyber-Vulnerability of Power Grid." Now we get the WSJ article.

It looks like the utility folk have not been paying attention to the real world or are operating in utility-time rather than Internet time.

Why else would you only be at the requirements stage of protecting utility infrastructure? (see "Smart grid, other environmental control systems not smart about security") And why else would you get Michael Assante, the chief security officer of the electric industry's North American Electric Reliability Corporation (NERC), to say the day before the WSJ article, either as a coincidence or as a part of the conspiracy, that new thinking about security was needed from the utility companies?

Assante said NERC was requesting that utilities "take a fresh, comprehensive look at their risk-based methodology" to evaluate the potential misuse of utility systems by "intelligent threat actors."

Why is it so hard to get these people's attention? I assume it is not that they just don't care. Maybe it's that the technology of data networks is so different than that of power generators that the comprehension is just not there. I can sympathize -- to some degree. I do not have the faintest idea on how to design an overload protector for a 133 megawatt generator (the size of the generators in Hoover Dam), but I do have an idea that such a device is needed. The utility managers seem to not have any idea that data security is needed.

I heard from Advanced Metering Infrastructure Security Task Force after my last column. I was invited to come talk at their next meeting about the need to develop real-world security requirements and technology.

From the letter I received, it sounds like they do understand that the first set of requirements was not implementable enough. That is good news, but the utilities are already in trouble. They are already deploying security-free (or at least security-challenged) systems. That needs to be fixed now, whether or not they are already controlled by Russian spies.

Disclaimer: Whatever some politicians have said in the past I have seen no evidence that Harvard is controlled by Russian spies nor have I seen any opinion from the university on the (non)quality of utility security. So the above rant must be mine. (source)

Another Plea For Security Vendors from RSA '09

April 21, 2009 (Computerworld) SAN FRANCISCO -- Two years after suggesting that independent security vendors were headed for extinction, Art Coviello, president of RSA, is calling for "inventive collaboration" among vendors for dealing with the expanding range of threats facing business and government.

Delivering the opening address at the RSA Security Conference here today, Coviello said factors such as the sagging economy, the proliferation of new technologies and the growth of organized crime were driving the need for vendors to work with each other on key security practices.

Coviello's is a sentiment shared by multiple industry representatives at the conference, who said that the threat facing private and government networks called for a more unified response from all cybersecurity stakeholders.

"Our adversaries operate as a true ecosystem that thrives through interdependence and constantly adapts to ensure its growth and survival," Coviello said. "For us to succeed against such advantaged adversaries, the vendor community must take the lead," in building a similarly interdependent security ecosystem, he said.

The key to this happening is for vendors to stop viewing their technologies as "piecemeal" products aimed at addressing discrete security problems, Coviello said. Rather, the emphasis needs to be on ensuring that each vendor's products work well with others' products to provide better information risk management opportunities, Coviello said.

"Technologies are still applied piecemeal from multiple vendors -- cluttering the information landscape -- leaving perilous gaps of risk," Coviello said. "We must embrace a common development process that allows us to clean up this landscape, creating a more secure infrastructure today."

The strategy within the security industry should be to have common standards around certain core functions such as security policy management, policy enforcement and policy auditing, Coviello said. Vendors also need to be willing to share technology -- such as key management -- where appropriate so as to accelerate the "growth and productivity of the ecosystem," he said.

Enrique Salem, president and CEO of Symantec Corp., said that the record pace at which malicious activity has been growing necessitates a change from the single-vendor approach to security that has been the norm. Last year alone, Symantec created more than 1.6 million new signatures to deal with malicious code. "That's more than we've created in the last 17 years combined," Salem said.

Attackers are increasingly moving away from mass distribution of a few threats to "micro-distribution" of millions of threats aimed at specific targets, Salem said.

Companies needed to bring together handling of security, storage and systems management tasks, he said. Such collaboration means "more visibility into what is happening in the external threat environment and internally across the organization," Salem said.

Lt. General Keith Alexander, director of the National Security Administration (NSA), said in a keynote address at the conference the task of handling cybersecurity was too big for any one entity alone. Going forward, government, the private sector, and academia need to find ways to collaborate with each other to effectively dispel cyber-threats, he said.

The Internet is shared by not just the government or the military but all players, he said. Securing it effectively will require collaboration and sharing of information among all of the stakeholders, Lt. General Alexander said. (source)

RSA '09: The 'blessing' of homeland security

San Francisco - "Dude, it's a blessing."

That was the unhesitating and enthusiastic response of Dr. Hugh Thompson, chief security strategist of PeopleSecurity, the specialist in enterprise security education, when GSN asked him how he felt about the elevation of cyber-security to a fundamental pillar of homeland security.

He had just finished a spirited discussion, with an audience of approximately 150 attendees, at the RSA Conference, now underway here, about lessons IT security could draw from other industries.

Why hasn't IT security progressed further? GSN asked him. "We are so damn young," Thompson replied, adding that in some other industries "an armageddon had to happen" before changes were instituted.

Plus, "the cyber-security industry hasn't done a good job of marketing security to its users," he said. "Why is that?"

One reason may be that there is no independent third party that's "accountable," in the manner of the FAA in the airline industry.

Airlines, he observed, may lose luggage and delay flights, yet the flying public generally accepts that flying is safe. One of the reasons is that the pilot flying the plane is considered both a "trusted user" and a "motivated user," said Thompson. "We don't have that," he added.

Another possible factor is that "security really isn't taught as a foundational skill" at most universities, he observed, adding that, in fact, he himself teaches such a class at Columbia University.

Another area where security is still lacking is in its standards of training and awareness, and that means potential changes in accreditation. "Are we headed to mandated certification," with additional government regulation of the industry ahead, he asked.

One audience member suggested that, as in some other industries, IT security needs to "stress" its systems until they fail, then it needs to analyze the results and learn from them.

Thompson agreed and also noted that airline regulators and the airline industry study crashes intensively, examining black boxes and so forth, to learn from them. And in medicine, doctors and hospitals regularly convene "mortality and morbidity" reviews to understand the causes when patients die.

"That's something that's missing in our space," he said.

When one audience member suggested the arcane physics process, straight-out-of-science-fiction, called "quantum entanglement" as a way to ensure password security, Thompson looked amazed by the possibilities.

"Dude," he said, "I smell start-up." (source)

Nikon P80 Review

If you're looking for a nice point-and-shoot camera, I recommend this model: the Nikon P80. It has 10 mp, and 18x zoom. I got one for my girlfriend Pam for Christmas, and she's been diggin' it since then.
