<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; International</title>
	<atom:link href="http://www.halbheer.ch/security/tag/international/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Wed, 16 May 2012 18:03:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Should the Government be able to enforce security updates?</title>
		<link>http://www.halbheer.ch/security/2010/06/13/should-the-government-be-able-to-enforce-security-updates/</link>
		<comments>http://www.halbheer.ch/security/2010/06/13/should-the-government-be-able-to-enforce-security-updates/#comments</comments>
		<pubDate>Sun, 13 Jun 2010 08:59:05 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Critical Infrastructure]]></category>
		<category><![CDATA[International]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1552</guid>
		<description><![CDATA[<p>This is actually an interesting question. A lot of governments enforce rules and regulations on how you have to run your car, how often you have to check it, in which condition you have to keep your tires etc. The same is true for a lot of other devices we are using.</p> <p>Now, it seems <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/06/13/should-the-government-be-able-to-enforce-security-updates/">Should the Government be able to enforce security updates?</a></span>]]></description>
			<content:encoded><![CDATA[<p>This is actually an interesting question. A lot of governments enforce rules and regulations on how you have to run your car, how often you have to check it, in which condition you have to keep your tires etc. The same is true for a lot of other devices we are using.</p>
<p>Now, it seems that the US just passed <a href="http://www.nextgov.com/nextgov/ng_20100610_9392.php?oref=topstory" target="_blank">a bill to give the president the power to order companies to deploy security updates or block a certain type of traffic</a>. I understand where this is coming from: You need some level of authority if your critical infrastructure is under attack. Here, a lot of governments rely on the collaboration of the different players. The US seems to go one step further. Honestly, I am not completely sure whether I like it or not. It has a lot of pros and cons.</p>
<p>What is your view?</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/06/13/should-the-government-be-able-to-enforce-security-updates/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Detailed Analysis of an Attack &#8211; Do We Need an International Incident Sharing Database?</title>
		<link>http://www.halbheer.ch/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database/</link>
		<comments>http://www.halbheer.ch/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database/#comments</comments>
		<pubDate>Wed, 21 Apr 2010 12:46:34 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Associations]]></category>
		<category><![CDATA[Crime]]></category>
		<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Incidents]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Incident Sharing]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database</guid>
		<description><![CDATA[<p>I recently came across a paper called Shadows in the Cloud, which is actually a follow-up report of Tracking GhostNet: Investigating a Cyber Espionage Network, an investigation of the attacks on the office of the Dalai Lama and some governmental bodies. The report is written by two bodies who had the privilege to investigate those <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database/">A Detailed Analysis of an Attack &#8211; Do We Need an International Incident Sharing Database?</a></span>]]></description>
			<content:encoded><![CDATA[<p>I recently came across a paper called <a href="http://www.shadows-in-the-cloud.net" target="_blank">Shadows in the Cloud</a>, which is actually a follow-up report of <a href="http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network" target="_blank">Tracking GhostNet: Investigating a Cyber Espionage Network</a>, an investigation of the attacks on the office of the Dalai Lama and some governmental bodies. The report is written by two bodies who had the privilege to investigate those attacks: the Information Warfare Monitor and the Shadowserver Foundation.</p>
<p>Even though the report has been out for quite some weeks, I think it makes sense to dig into it here, as there are a few fairly remarkable conclusions and statements in it. One of the key things we should think about globally is an <strong>International Incident Sharing Database</strong> (see the end of the post).</p>
<p><strong>Sharing and Collaboration</strong></p>
<p>If you are a regular reader of my blog posts, you know that I am a big supporter of international collaboration, and I am clear about the need for a common set of rules to establish this collaboration. If you read through the paper, you see in different areas that they were challenged during the investigation. On page 8 they state that <em>On our side, we felt unsure about the protocol around information sharing, and were in an awkward position to be able to give information over to governments and affected parties directly without being entirely clear about whom would be responsible and whether or not our interlocutors were appropriate authorities. The notification problems around Ghostnet informed our approach to the Shadows in the Cloud investigation, including being more conscious from the outset of documenting our notification procedures.</em> Think about that for a second. You investigate a security incident, e.g. in your company. During the investigation you realize that you are not the only victim but that there are others, be they companies or governments. What do you do with this information? Whom do you contact? How can you be sure that this information gets into the right hands? A fairly hard question to answer, and finally, what kind of information are you allowed to pass on? Additionally, <em>Information sharing, generally speaking, is immature and underdeveloped, often hampered by proprietary concerns surrounding the commercial market for cyber security services (page 10)</em> and <em>Information sharing among victims of network intrusions and espionage is rare (page 10).</em> Well, what I see fairly often is that incidents do not happen, as they are not supposed to happen. Rarely does somebody talk openly about what happened to them.</p>
<p>In order to combat such attacks, the legal collaboration is key (again <img src='http://www.halbheer.ch/security/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> ). As otherwise,<em> it points to the possibility of a perfect storm that may result from a lack of international consensus, ill-developed and implemented security practices, a paucity of notification mechanisms, and the growing confluence of cyber crime, traditional espionage, and the militarization of cyberspace (page 10).</em> This simply tells us that we will lose the fight without international legal collaboration and harmonization as well as the willingness of the public and the private sector to share information.</p>
<p><strong>Technology</strong></p>
<p>From a technical perspective, they started to use Internet-based services. For example, they used Twitter to control the botnet, as well as free mail services like Gmail and free blog services like Baidu. This is to enhance the command and control infrastructure of a botnet, something I was never aware of but which is actually a logical enhancement of what we know already. The next point, when it comes to technology, is the software they seem to have exploited: <em>We observed the group using PDF, PPT, and DOC file formats to exploit Adobe Acrobat and Acrobat Reader, Microsoft Word 2003 and Microsoft PowerPoint 2003 </em>– old software, software which was designed to cope with completely different threats than the ones existing today! And even if they decided to stay on the previous versions: <em>The Microsoft Word 2003 and PowerPoint 2003 files were mostly older exploits, which have been circulating in the underground hacker community for some time. </em>In other words: it is about patch management again… But to be fair, they fell victim to some vulnerabilities in PDF which were not patched at the time of the attack.</p>
<p><strong>Source</strong></p>
<p>Finally, let’s think about the people behind the attacks. It is a joint understanding that the attacks originated from China. The Chinese government was accused of being the source behind it, but they denied it and it has never been proven otherwise. Generally – not only in China – it can be expected that there is a close collaboration between governments and the hacking community, or, as the report states: <em>The degrees of the reported relationship vary between “authorize” to “tacit consent” to “tolerate” (Henderson 2007b).</em></p>
<p><strong>Conclusions</strong></p>
<p>What can we learn from the report? Actually nothing new; it just reinforces my view of the world:</p>
<ul>
<li>We have to be better at <strong>sharing incident information</strong>. This has two sides: one is between victims. There has to be a way (and, honestly, I do not have a solution yet) to find the right contact within a government or an organization to help them understand that they were attacked. </li>
<li>We need smooth and fast <strong>international legal collaboration</strong>. This has to be based on solid, harmonized legislation. </li>
<li>There are two calls to action when it comes to your software maintenance: make sure you are on the latest version of your software and make sure you are patched. <strong>Patch Management</strong> is one of the fundamental processes in your organization! </li>
</ul>
<p>And now to the final point, which I have been thinking about for quite a while. The airline industry initially suffered from quite some technical incidents. The way the industry finally dealt with it was to establish the sharing of incident information (as well as near misses) and a global body taking care of airline safety (and the willingness of the governments to collaborate and share). The same has now started in the healthcare sector in certain countries. </p>
<p>When it comes to Information Security, we all deny incidents unless they become public – because we fear an impact on our reputation. We have to start thinking differently. We need a place where we are able to (anonymously?) file incidents which happened, or ways somebody was attacked, to be shared between security professionals. That’s the only way we can learn collectively, increase the pace at which products become better at defending, and help security professionals improve their skills in protecting critical information. The critical question is who can own such a database? It has to be an organization which is trusted internationally and therefore cannot be state-owned. It could be an international association or an inter-governmental organization. Ideas are very welcome, as I am convinced that there is a huge need for an <strong><u>International Incident Sharing Database</u></strong>.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/04/21/a-detailed-analysis-of-an-attack-do-we-need-an-international-incident-sharing-database/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Legal Challenges of International Business and the Cloud</title>
		<link>http://www.halbheer.ch/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud/</link>
		<comments>http://www.halbheer.ch/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 07:10:41 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Process]]></category>
		<category><![CDATA[Processes]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Strategy]]></category>
		<category><![CDATA[Behavior]]></category>
		<category><![CDATA[Citizens]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Collaboration]]></category>
		<category><![CDATA[International]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Jurisdiction]]></category>
		<category><![CDATA[MLAT]]></category>
		<category><![CDATA[Policy Makers]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/08/legal-challenges-of-international-business-and-the-cloud</guid>
		<description><![CDATA[<p>To start with: I am an engineer not a lawyer – and this might be part of the problem…</p> <p>When I started to think about the Cloud and security and thought about all the work I do with Law Enforcement and the challenges they face. Additionally, I started to think about the legal challenges we <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud/">Legal Challenges of International Business and the Cloud</a></span>]]></description>
			<content:encoded><![CDATA[<p>To start with: I am an engineer not a lawyer – and this might be part of the problem…</p>
<p>When I started to think about the Cloud and security, I thought about all the work I do with Law Enforcement and the challenges they face. Additionally, I started to think about the legal challenges we – as an industry – already had. Or better, the legal challenges I knew about. Our <a href="http://www.halbheer.info/security/2010/01/30/cloud-security-paper-looking-for-feedback" target="_blank">Cloud Security Challenges</a> paper just touches a little bit on this, but to me it is a big challenge (too big for an engineer <img src='http://www.halbheer.ch/security/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> ?)</p>
<p>Let me give you an example: a case which happens often is that Law Enforcement approaches a mail provider with the request to access the content of a mailbox because they have a case where the suspect is expected to have mails which can be used as evidence. This is actually fairly standard and, within the legal boundaries of a country, straightforward if the law enforcement officer has a court decision. Now, with international providers it gets more complicated, as a case in Belgium showed: the Belgian police asked Yahoo! to give them access to the mailbox of a person living in Belgium, based on a Belgian court decision. However, this data is hosted in the United States. Pretty normal: the police should then ask the FBI for help, they issue the corresponding papers (together with the court) and Yahoo! would hand over the data – this process is called <a href="http://en.wikipedia.org/wiki/Mutual_Legal_Assistance_Treaty" target="_blank">MLAT (mutual legal assistance treaty)</a>. Belgium refused to do that, as it was their position that a Belgian decision is good enough because the suspect lives in Belgium. Yahoo! now had two choices: violate US law by handing over the data, or violate the Belgian court decision by not handing over the data – a lose-lose position they were in <img src='http://www.halbheer.ch/security/wp-includes/images/smilies/icon_sad.gif' alt=':-(' class='wp-smiley' /> . </p>
<p>And the worst thing to me is that we all have just one goal: <strong>We want to get the criminals arrested – this is a battle where law enforcement, policy makers and the industry are on the same side!</strong> If you want to read more: <a href="http://techcrunch.com/2009/03/02/yahoo-fined-by-belgian-court-for-refusing-to-give-up-e-mail-account-info/">Yahoo Fined By Belgian Court For Refusing To Give Up E-Mail Account Info</a></p>
<p>And there are a lot of cases like this. Cases where the data retention policy in one country requires you to keep data for up to 12 months and another country tells you that you are not allowed to keep data for longer than 8 months because of the Data Protection law – if you operate in both, what do you do?</p>
<p>The longer I work in this space, the more complicated it gets for me and the more of such challenges pop up. This morning I read the following article: <a href="http://blog.uncommonsensesecurity.com/2010/03/step-in-right-direction.html">A step in the right direction</a>. Basically, this blog post covers a privacy law put in place in Massachusetts which has broad impact, as it is valid not only if you are located in Massachusetts but also if the company <em>owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment</em>. In other words – if you “run the risk” of selling to somebody in Massachusetts, you are subject to this law! </p>
<p>As I said, the situation gets incredibly complex.</p>
<p>Where does this lead us? To me there are a few things which should be done:</p>
<ul>
<li>Governments and the industry have to work much closer together. The industry has to have the ability to show the stumbling blocks for the businesses, and together &#8211; the government and the industry &#8211; have to find solutions which protect the citizens’ rights, help to grow the economy and help to go after the criminals. </li>
<li>Governments have to think globally and act locally. Today’s cybercrime environment does not allow anymore for “local only” solutions. There needs to be a certain level of harmonization of laws across the countries and the willingness to collaborate fast. As there is no global jurisdiction on that level, the willingness to have harmonized legislation will be key. The challenge, however, is that governments are re-elected locally – not globally… </li>
<li>The industry has to behave responsibly. In order to make this happen, the industry has to be seen as a partner for the government. The only way to get there – in my opinion – is to act responsibly. If I look at certain behaviors I see in the industry, it is sometimes too focused on the short-term revenue, rather than on responsible behavior. </li>
</ul>
<p>This will definitely be the basis for a better collaboration and an environment where the legal challenges (see the Yahoo! case above) do not have to be solved on the shoulders of the businesses “just because” of legal deficiencies between countries. As I said above, we all want to fight crime, as it is necessary and as it is the only way to grow the Internet in the future. And this all helps us, I think.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/03/09/legal-challenges-of-international-business-and-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

