Morning Keynote Address, April 4, 2012.

Summary by Keith Watson

In the introduction, Professor Spafford mentioned many of the roles that Howard Schmidt has had over his many years in the field. He specifically highlighted Mr. Schmidt’s service to the nation.

He also indicated that things in information security are not necessarily better since Howard last attended the CERIAS Symposium in 2004, but that was not Howard’s fault.

Howard Schmidt began his keynote address by thanking the staff and faculty associated with CERIAS for their efforts. Mr. Schmidt disagreed with Spafford regarding his opening comment about things not being better since his last visit. “The system works,” he said. It is fraught with issues with which we have to manage. Mr. Schmidt indicated that there are many things that we can do online that we were not able to do twenty years ago. We can make it work better though. We have bigger threats and more vulnerabilities due to increased accessibility, but it works. We have to make it work better.

In 2008 when then Senator Obama visited Purdue, he talked about emerging technologies and cybersecurity. He stated, “Every American depends — directly or indirectly — on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being.” We take technology infrastructure for granted, and we must ensure that it continues to be available.

One of the issues discussed in the government today, is reducing the likelihood that new generations of victims are created. We need cybercrime prevention. Then law enforcement agencies have a better opportunity at scaling up to deal with the issue. Currently, law enforcement can only focus on the most egregious crimes. The FBI is moving cyber crime moving up on their priority list. They are looking at cyber crime internationally.

An estimated $8 trillion were exchanged over wired and wireless networks last year. Online shopping increased even in a down economy.

The President has promised to make cyber infrastructure a strategic national asset. He has called on all of us to look ahead and design and build a stronger infrastructure.

Howard related a story about about writing code for a TI-99/A for aiming his antenna to conduct Earth-Moon-Earth (EME) communications for his ham radio hobby. He sat down with expert developers to talk about buffer overrun issues. The question that the developers had was, “Why would anyone do that?” Because they can.

The President created the Office of the Cybersecurity Coordinator in a unique way. The Office is part of the National Security Counsel and the National Economic Counsel. Mr. Schmidt has two roles in addressing security issues and ensuring that the system remains open. If specific expertise is needed from other government agencies, those experts can be brought in to assist. Setting strategy and policy is a major effort of the Office. It is also responsible for execution.

The FBI Director has identified the primary and high-level actors in the cyber world:

1. Foreign intelligence services. They are no longer breaking into buildings and doing surveillance. We have to protect our cyber infrastructure from them.

2. Terrorist groups. They are interested in critical infrastructure and how to attack it.

3. Organized crime. They see cyberspace as a business opportunity. Some hacker groups are loosely organized but working together to disrupt the infrastructure.

Mr. Schmidt outlined several programs and initiatives of his office:

• International Strategy for Cyberspace

• A Policy Framework for the 21st Century Grid

• Electric Sector Cybersecurity Risk Maturity Model Pilot

• Consumer Privacy Bill of Rights

• National Strategy for IDs in Cyberspace (NSTIC)

• National Initiative for Cybersecurity Education (NICE)

Questions/Answers:

Question: What is your vision for Continuous Monitoring?

Answer: It is possible to be FISMA-compliant and still unsecure. The creation of the reports required by the law take away time and effort from actually protecting the infrastructure. The goal now is to use continuous monitoring to deal with issues in real-time.

Question: What are the challenges in getting service providers to allow third-party identifiers?

Answer: We hope that there are multiple drivers for federated IDs. One is a market driver for business. They can reduce costs and lower risks by accepting trusted identifiers. We hope that innovators address some of the technical challenges. Finally as consumers, we have to demand better IDs.

Question: Are we at the point where we need to create a new agency responsible for cybersecurity?

Answer: No. It is not necessary. What we need is coordination, not another branch of government. The Office of Cyber Coordinator is the right model to coordinate activities across government.

The fireside chat was an open discussion among several important persons with very interesting positions in the security world. The conversation covered a broad range of topics, as each participant contributed their unique insight and perspective. The summary below will collect just the main points for easy review.

Present were (in seating order):

Dr. J.R. Rao of IBM Research Manager of the Internet Security Group at IBM Research (abbreviated below as IBM)

Howard A. Schmidt, Office of the U.S. President Cyber-Security Coordinator of the Obama Administration (abbreviated below as GOV)

Dr. Eugene Spafford, Purdue Executive Director of Purdue CERIAS (abbreviated below as SPAF)

Sam Curry, RSA Chief Technology Officer, Identity and Data Protection business unit and Chief Technologist for RSA, The Security Division of EMC (abbreviated below as RSA)

The first question addressed was: Why do commercial products still fail to adopt basic security practices, (such as separation of privilege, limited connectivity and minimization of function) even though their importance and efficacy has been well-understood for decades?

RSA: Product designers aren’t security experts; security is usually added as an afterthought and considered an interruption to progress. Although there’s some market pressure for more secure products, there is incredible pressure to be the first to release a new product. The long term outlook gets forgotten. Possibly if contracts included penalties for developers who made obviously vulnerable products or did not properly integrate basic security measures into their products, the balance might be better.

IBM: Security is definitely an afterthought in most product design. On the other end of the scale, though, high assurance ‘ivory tower’ systems exist, but are incredibly expensive to build. One aspect of convincing commercial interests to integrate security policies into their development is finding a good balance among what is effective, efficient, and economically feasible. Currently companies with web-facing applications who are concerned about security often use off-the-shelf products to perform source-code scans. Unfortunately, these aren’t as helpful as they might be, even as after-thoughts. They often produce a flood of output, with little to indicate which faults are actually important, and as a result much of their advice may be disregarded.

SPAF: Some fixes are obvious and simple, like languages which prevent buffer overflows. Why aren’t they in use? The vast majority of people don’t make use of the explosion of features in their gadgets: why don’t product developers practice minimization of features? The problem is that there is basically no liability for security flaws. Potentially, we need to consider penalties for software companies whose security performance is extremely negligent.

GOV: Companies aren’t completely unaware of security concerns; delegation of privileges is much more widespread than it used to be. The difficulty may be that companies don’t understand which security policies are applicable to their products (“it’s secure, it has a password!”). Customers need to demand secure products, or else there’s no market pressure for companies to improve their records. A concern about government regulations, managing security from the top down, is that introducing lawyers limits innovation, and we can’t afford to have an economic disadvantage in the global economy. However, the “Power of Procurement” is a very valuable tool. The government penalizes its contractors/suppliers for obvious security flaws in the products they provide, and this forces higher standards to be adopted within those companies, which helps the standards spread out into the technology ecosystem. There has been visible progress in the past decade.

Next, Spafford asked about the possible worst-case consequences of our slow adoption of good security practices: Is a catastrophic event, a “cyber-security pearl harbor”, possible?

RSA: Every new technology brings concerns like this, and generally we prepare and the threat doesn’t come to pass. Of more concern are less glamorous, slower threats, which we are not defending against: like the involvement of organized crime in technical spheres.

GOV: We actually have been developing tools for a long time, within the DOD, to protect against catastrophic attacks, and we’re working on making those tools available for law enforcement and civilians now as well. What’s more difficult is protecting against these more long-term, subtle threats. Law enforcement has been trained to do computer forensics on localized, physical computers. How do they adapt when an intrusion investigation can easily become a global affair?

IBM: One of these subtle threats is intellectual property loss. It doesn’t take much to remove a company’s competitive edge, and that loss can eventually destroy the company. The FBI has been helpful in tracking IP threats throughout the world, but there are clearly still problems. Commercial tech developers are extremely worried about the security measures which protect their IP, and this may be a good vector for encouraging them to adopt better security practices generally.

This was followed by a slightly more personal question from Dr. Spafford, “What keeps Dr. Rao (IBM) up at night?”

IBM: Intellectual property loss; existing products aren’t sufficient protection. How quickly can an effective approach be developed and adopted?

GOV: A similar issue: The government was able to greatly reduce global issues with money-laundering, by diplomacy with other countries who were blindly enabling it for their own personal, or national benefit. We’re hoping to form a similar global coalition to reduce IP theft: an agreement such that if someone steals your product which you’ve invested deeply in developing, and pushes their version out the door before you, there will be sanctions. There won’t be a market for the pirated product. Also, note that although CEO’s of companies may be concerned about IP protection, the structure of companies often leaves no one actually in charge of managing it: auditors are concerned about financial books rather than security.

RSA: In fact, the CFO’s and audit committees have their own language, and aren’t likely to learn a separate language for security. For example, the word “risk” means very different things to the two groups. If security professionals want to be successful, they need to learn to speak business language; they can’t allow themselves to be separated into a pool of technology talent and kept away from the overall workings of the company.

This prompted the general question: How does a company or a government manage security concerns in a multi-national environment?

GOV: We work diplomatically with other countries on our common cyber-security issues, and our common desire to be able to safely support multi-national companies who have concerns IP protection.

IBM: We sell defensive products in 176 countries, never products to be used for offensive purposes. We never align with any government against any other.

RSA We’re in an interesting situation as a multi-national company: we actually work with many, many different governments and thus have personnel with security clearances in a variety of countries. We use a pools of trust system to make certain sensitive information stays segregated within the company.

The speakers then responded to three questions which had been previously submitted by audience members:

How do we deal with the fact that the critical infrastructure we need to protect is often owned by a variety of small regional businesses?

GOV: Again, the power of procurement allows the government to help encourage high standards of security for the products which these smaller companies use.

IBM: The national labs and IBM have worked together with regional utilities to roll out an extremely secure, well-designed smart grid system. This is another way in which private-public partnerships can improve security generally.

SPAF: However, the government can’t cover every small utility. Really effective new security is often prohibitively expensive for these small businesses. We need to find ways for them to break needed improvements into a sequence of small, gradual changes and amortize the costs over time.

RSA: Even large utilities have very small IT departments, and often a large age and cultural gap between the old staff and the new tech experts. The two groups don’t communicate well, and incredibly valuable knowledge is being lost as people retire. This endangers the security of the entire system. Is there any way we can change the model/organization of these institutions to prevent this?

Will users, rather than the corporations they deal with, ever have direct control over their own privacy?

GOV: This is very important, and it needs to happen sooner rather than later. Unfortunately, we’ve already gone a long way down the wrong path, and it may be very difficult to get back.

Nine years ago, Dr. Spafford collaborated on a list of the [Grand Challenges for Cyber-security] (https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/01264859.pdf). What progress has been made?

SPAF: Progress has been made against epidemic attacks, such as flash worms. Now we’re dealing with slower penetration by bot-nets, and we’re getting better at fighting those as well. There is considerable work left to be done, in general, though.

IBM: There is industry inertia, but active work is being done on these.

RSA: These are very useful rallying points, things we should continue to work on. He once got a question from a German reporter at an RSA conference, “When will we solve this security thing?” This was his favorite question ever. It’s all, always, a work in progress. Right now, it’s very important that existing security is made effortless for users, so it’s commonly adopted.

GOV: We actually have a hard time comparing the costs and prosecution rates of these cyber-attacks to the costs of physical attacks, such as burglaries. Only 3% of cyber-attacks were prosecuted (in a recent year), but what percentage of burglaries are prosecuted? What’s the relative cost? In general, we need to educate people about simple ways of defending themselves.

In conclusion:

SPAF: To achieve widespread adoption, security needs to be made effortless and economic. We can’t hope to succeed by telling people what “not” to do. We need to build security into products, so there’s no choice necessary: so users aren’t even aware it’s there.

Panel Members:

• Saurabh Bagchi, Purdue
• David Keppler, MITRE
• Jeremy Rasmussen, CACI

Panel summary by Robert Winkworth.

The panel was moderated by Keith Watson, CERIAS, Purdue University.

In light of its unprecedented growth, wireless mobile communications remains a major focus of security research. The stated purpose of this panel was to address the challenges in securing data and processing, limiting communication to designated parties, protecting sensitive data from loss of device, and handling new classes of malware.

Professor Bagchi opens the discussion with these key points and predictions:

• 3G routing often circumvents institutional barriers and filters.
• Information is leaking from one application to another within the device.
• More anti-malware software packages are sold now. This will increase.
• Virulent code will spread by near-field technologies, such as Bluetooth.
• It is becoming more lucrative to commit unauthorized remote monitoring.
• Encryption for mobile services will improve in the future.
• Behavior-based detection will become more popular.
• New features are often rushed to market before being functionally secure.

MITRE’s David Keppler joins the discussion with these thoughts:

• Mobile devices are single-user devices, and are highly personalized.
• On the device, we are separating apps rather than users.
• Contacts, social network data, banking info, etc. are stored in mobiles.
• Locking down devices can reduce productivity.
• Users like to have one device for many different actions.
• A single compromised device can enable a threat against many network users.
• Mobiles are “always connected”, and that brings security implications.

CACI’s Jeremy Rasmussen contributes:

• DoD facilities are still trying to prevent mobile activity on premises.
• New proposals would extend popular connectedness to government workers.
• Policy is lagging behind what technology provides.
• Everything needed, even for NSA standards, is available as free software.
• Vouching for a unit is vouching for every combination of apps it can run.
• The US government struggles greatly to keep pace with technology.

The audience submits questions:

Attendant: “What will it take to make mobiles as secure as desktops?”

David: “I would argue that the vulnerabilities of a handheld are actually no worse than those of a laptop. A proper risk assessment should be done for each. Expect that exploits will always be possible, but invest for them accordingly.”

Saurabh: “Protocols and architecture need to be standardized. This will be helpful to developers. And we need openness in standards.”

Attendant: “Does it seem inevitable that Android will allow lower-level access to the hardware in the future?”

Jeremy: “Yes, and that can benefit the user, who really should unlock the device and install a personalized solution. We must have root access to the phone to get better security. An app cannot protect the user from system abuses that occur at a lower level than app.”

David: “I agree. What we must do is break the current security in order to rebuild it in a more robust way. There are also some underling market issues at work here. Commercial products are unfortunately vendor-specific, but need to be standardized. How can this happen where there is DRM?”

Attendant: “What are the key differences in user experience between desktop and mobile?”

Saurabh: “Energy consumption, bandwidth, and limitations in the user interface.”

David: “Users trust mobiles MORE rather than less than their desktops. They have not grasped the magnitude of the mobile threat.”

Keith: “What advice would you have for CSO/CIO as they face these threats?”

Saurabh: “CSOs and CIOs don’t ask me for advice! [laughter] What I would recommend, though is strong isolation between applications, and a means to certify them before loading.”

David: “There are some utilities available that employers can have users run if they’re going to be on a private network. Some risk is inevitable, though. There is no perfect solution.”

Jeremy: “Yes—NAC (Network Access Control) used to be required for user devices if they’d be allowed on a corporate network. We need that for mobiles, but I don’t see how it’s possible; we can be circumvented so easily.”

Panel Members:

• William S. Cleveland, Purdue University
• Marc Brooks, MITRE Corporation
• Jamie Van Randwyk, Sandia National Laboratories
• Alok R. Chaturvedi, Professor, Purdue University

Panel Summary by Nabeel Mohamed

The panel was moderated by Joel Rasmus, CERIAS, Purdue University.

A quick review on Big Data:

Big Data represents a new era in data analysis where the volume of the data to analyze is so big that it does not work with current traditional database technologies and algorithms. The size of the data set needs to be collected, stored, shared, analyzed and/or visualized continue to grow as the information has been produced at an unprecedented rate from ubiquitous mobile devices, RFID technologies, sensor networks, web logs, surveillance records, search queries, social networks and so on. Increasing volume of the data is only one challenge of big data, and there are other challenges. In fact, Gartner analyst, Doug Laney, defined big data challenges/ opportunities as 3V’s:

1. Volume - it refers to the increasing volume of data as mentioned above.

2. Velocity - it refers to the time constraints in collecting, processing and using the data. A traditional algorithm which can process a small set of data quickly may take days to process a large set and give the results. However, if there is a real-time need such as national security, surveillance, and health care, taking days is not good enough any more.

3. Variety - it refers to the increasing array of data types that need to be handled. It includes all kinds of structured and unstructured data including audio, video, image data, transaction logs, web logs, web pages, emails, text messages and so on.

Panel discussion:

First, each of the panelists gave their perspective and their experience with big data analytics.

William S. Cleveland, Shanti S. Gupta Professor of Statistics, Purdue University, mentioning the challenges and experience in handling large volume of data in their research group, described their divide and recombine (D&R) approach to parallelize the processing by dividing the data into small subsets and applying traditional numeric and visualization algorithms on such subsets. They exploit the parallelization exhibits by the data itself. Cleveland described their tool called RHIPE built based on this concept. It is available to the public at www.rhipe.org. RHIPE is a merger of R, a free statistical analysis software and Apache Hadoop, an open source MapReduce framework.

Marc Brooks, Lead Information Security Researcher, MITRE Corporation, mainly focused on anomaly detection in large data sets. He raised the question of how one can detect an anomaly without sufficient test data sets. Further, in his opinion, it is expensive to create such data sets. Brooks sees the trend of moving from supervised learning to unsupervised learning such as clustering due to the above reason. Most of the big data sources provide large amount of unstructured data. We know well to handle structured data as we already have a schema of it. He raised the question of what are the effective ways of handling unstructured data and thinks that there should be a fundamental change in the way we model such data. He also touched on the subject of what it takes to be a data scientist which is becoming an attractive career path these days. He thinks that the skill set is a mixture of software engineering, statistics and distributed systems.

Jamie Van Randwyk, Technical R&D Manager, Sandia National Laboratories, started off with the idea of relativity behind the term “big data”. In his opinion, for different organizations big data means different sizes and complexities. Specially the volume of the data which can be called as big data. Randwyk mentioned that while most commercial entities such as Amazon, Microsoft, Rackspace and so on, handle the big data needs of the industry, Sandia mainly focus on US government agencies. He raised the question that we use Hadoop and other technologies to perform analytics and visualizations on large volume of data, however, we still don’t know how to secure such data in these big data environments. Randwyk and his team deal mainly with cyber data which is mostly unstructured. He pointed out the challenge of analyzing large volumes of unstructured data due to the lack of schema.

Alok R. Chaturvedi, Professor, Krannert Graduate School of Management, Purdue University, started his perspective with the idea that one has to collect as much information possible from multiple sources and make actual information stand out. Chaturvedi briefly explained their big data analytics work involving real time monitoring of multiple markets and multiple assets. A challenge in doing so in the real world is that data is often inconsistent and fragmented. They build behavioral models based on the data feeds from sensors, news feeds, surveys, political, economical and social channels. Based on such models they perform macro market assessment by regions in order to spot opportunities to invest. Chaturvedi thinks that big data analytics is continue to going to play a key role in doing such analysis.

After the initial perspective short talks by each panelist, the floor was open to the questions from the audience.

Q: Is behavioral modelling effective? What are the challenges involved?

A: Panelists identified two ways in which the behavior would change: adversarial activities and perturbation of data or the business itself. It is important to understand these two aspects and build behavioral model accordingly. Also, if the behavioral model does not keep up with the changes, it is going to be less effective in identifying behaviors that one wants to look for. Some of the challenges involved are deciding what matrices to use, defining such matrices, understanding the context (data perturbation vs. malicious activities) and keeping updating the model. It is also important to put the correct causality to the event. For example, 9/11 is due to a security failure not anything else.

Q: Do you need to have some expertise in the field in order to better utilize big data technologies to identify anomalies?

A: Yes, big data analytics will point to some red flags, you need be knowledgeable in the subject matter in order to dig deep and get more information.

Q: Is it practical to do host based modeling using big data technologies?

A: Yes, you have to restrict your domain of monitoring. For example, it may not be practical to do host based monitoring for the whole Purdue network.

Q: How do you do packet level monitoring if the data is encrypted?

A: Cleveland is of the view that one cannot do effective packet level monitoring if the data is encrypted. In their work, they assume that the packets are transmitted in cleartext.

Q: To what extent intelligence response being worked out? Can you do it without the intervention of humans?

A: Even with big data analytics, there will be false positives. Therefore, we still need human in the loop in order to pinpoint the incident accurately. These people should have background in computer security, algorithms, analysis, etc.

A challenge in current big data technologies like Hadoop is that it is difficult to do near real time analysis yet.

Q: (panel to audience) What are your big data problems?

A: (An audience) Our problem is scalability. There is nothing off the shelf that we can buy to meet our need. We have to put a lot of effort to build these system by putting various component together. Instead of spending time on defending attacks, we have to spend a lot of time on operational tasks.

Q: Is it better to have a new framework for big data for scientific data?

A: It is not the science per se that you have to look at; you have to look at the complexity and size of the data in order to decide. From an operational perspective, a definition/framework may not be important, but from a marketing perspective, it may be important. For example, defining the size of the data set could be potentially useful.

Q: We want to manage EHRs (electronic health records) for 60m people. Can these people be re-identified using big data technologies?

A: Even EHR data confirming to safe harbor rules where 18-19 elements are not there may be re-identified. Safe harbor rules are not sufficient, neither they are necessary. They will protect most people, but not all. You can protect even without safe harbor. This is a very challenging problem and CERIAS has an ongoing research project.

Q: Have you seen adversaries intentionally trying to manipulate big data so that they go undetected? Specifically have you seen adversaries that damage the system slowly to stay below the threshold level of detection and that damage very fast to overwhelm the system?

A: We have seen that adversaries understand your protocols, whether your packets are encrypted or not, etc., so that they can behave like legitimate users. I have heard anecdotal stories of manipulating data in bank and other financial institutions, but can’t point to any specific incident.

Q: Often times, we have to reduce the scope, when many parameters are to be analyzed due to the sheer volume of data. How do you ensure that you still detect an anomaly (no false negatives)?

A: You have to analyze all the data otherwise it may result in false negatives.

Panel Members:

• Hal Aldridge - Sypris Electronics
• William Atkins – Sandia National Laboratories
• Jason Holcomb – Lockheed Martin - Energy and Cyber Services
• Steven Parker – Energy Sector Security Consortium
• Lefteri Tsoukalas – Purdue University

Panel Summary by Matt Levendoski

The panel was moderated by Charles Killien, Computer Science, Purdue University.

Dr. Hal Aldridge, the Director of Engineering at Sypris Electronics, opened today’s first panel on the currently popular topic of SCADA security. Dr. Aldridge initially presented his current research interests, which involves the defining of who takes true ownership and responsibility for the security of our nation’s backbone infrastructure, our SCADA and control systems. An interesting opposition he presented was, what if the responsible party doesn’t have a well-defined background in the security realm?

Dr. Aldridge further delved into the aspects of smart grids and the fact that they are everywhere. Hal discussed how it is a scary thought of how much code is being utilized to run the control system of an automobile. In some aspects cars have more code then a variety of our current fighter jets. He further teased about the concept of an Internet based coffee maker. All concepts aside, these systems have their cons, which are present in the form of security problems. Dr. Aldridge closed with the statement that he greatly appreciates the interdisciplinary stance of CERIAS and how this allows for great innovation in the industry and current academic research.

William Atkins, a Senior member of Technical Staff in Sandia National Laboratories, followed up with his stance and the difference between SCADA and control systems. He specifically focuses on general computing systems security. More precisely, he introduced the term ‘cyber physical systems’. He presented the recent trend that calls for these systems to have inter-compatibility because customers don’t want to be locked into a single vendor for their solutions. He further stressed that this topic is vague and largely unknown which has created a lot of media attention, more specifically topics like the stuxnet worm.

William further addressed the current trends of security as they relate to control systems. These systems are changing from a less manual or analog approach to a more automated and digital methodology. We want our systems to do more yet require less. This trend tends to bring about unforeseen consequences, especially when these systems hit an unknown state of inoperability. Additionally, all the hypothetical attacks being posed to the public are actually becoming a reality. Attackers now have the capability to purchase or acquire the hardware online via surplus sales, eBay, or the like.

William closed with his perspective on SCADA security and how the odds are asymmetrically stacked in favor of the offense verses the defense. Essentially, security tends to get in the way of security. The stuxnet worm is a great example in that it utilized vulnerabilities within the access level of anti-virus software that allowed for a lower level approach to the attack.

Jason Holcomb is a Senior Security Consultant at Lockheed Martin in Energy and Cyber Services. He opened his panel discussion with an interesting spin on how he got involved with SCADA security. Jason indirectly introduced a denial of service conflict within the SCADA system he was working on in which he had to, in turn, remediate.

Jason presented Lockheed’s current approach to the security threads within SCADA systems. Their current research and solutions look to bring some of the advantage back to the defense. This was a great contrast to the perceptions that William Atkins previously presented. Jason then further introduced the following Cyber Kill Chain:

• Reconnaissance – Gather information. Names, emails, employee info, etc
• Weaponization – Create malware, malicious document, webpage etc
• Delivery – Deliver the malware. Email hyperlink *Exploitation – Exploit vulnerability to gain access to assets *Installation – Install on assets
• Command and Control – Create channel of communication back to attacker
• Actions on Objectives – Adversary performing their objectives

Steven Parker is the Vice President of Technology Research and Projects with the Energy Sector Security Consortium. Steven stated that when it comes to control systems and SCADA, we don’t need to necessarily solve the hard problems but focus more on easy solutions. Steven then continued to compare the security industry with that of the diet industry. A few of his comparisons included how the diet industry has Dietitians and we have CISSPs, they have nutritional labeling and we have software assurance, everyone wants a no effort weight loss program while security wants an easy solution for everything, and lastly the diet industry has a surgical procedure called gastric bypass where the security industry has something called regulations and compliance. He then closed with the notion that a lot of challenges aren’t all necessarily technical. These challenges include economic strategies, human interactions, public policy, and legal issues.

Lefteri Tsoukalas is a Professor of Nuclear Engineering at Purdue University. Prof. Tsoukalas jumped right into making the statement that the energy markets are currently undergoing a phase transition. Demand isn’t affected by high prices as the resources have changed state from abundance to resource scarcity. This is why energy allocation is key. We need to utilize our resources when energy prices are lower rather then during peak cost timeframes. Prof. Tsoukalas also suggested that we take the same perspective as Europe and look into alternative resources. At this point in time we aren’t sitting as comfortably on our current supply of energy resources as we were, say, 100 years ago.

Q&A Session

Question 1: There is a lot of research in SCADA/Control Systems. How do we adapt our research to be more applicable to Control Systems?

Answers/Discussion:

• Turn problem away from keeping attackers out and focus on other aspects.
• Looking at domain specific research.
• Don’t limit research to a very specific area but rather apply it across all platforms.
• It’s not an issue that systems are attached to Internet but the fact that we need better control of these systems in both physical and cyber worlds.
• Looking from the console perspective things may be fine, but sometimes they aren’t. We can’t always rely on the digital tools.
• Understanding the business is critical for research.
• Developing methods for evolved systems.
• Resilience is key, protect privacy and confidentiality.

Question 2: How do we get a handle on global regulations?

Answers/Discussion:

• A lot can be shared that doesn’t involve personal or corporate data.
• Here is where the offense has the advantage over defense. The Offense doesn’t care about regulations where defense has to.
• Discussion was diverted to a more local level and the differences and difficulties with sharing data across large and small companies and how smaller companies tend to be more agile from this perspective.

Question 3: What skills do students and staff need, to be affective in this area?

Answers/Discussion:

• Good communication, understand business requirements, wide range of experience skills.
• The industry needs more security experts then there are job openings.
• Technical experience, also good social engineer.
• Core fundamental concepts, you will be able to be trained to flourish in this domain.
• May want to visit and acquire physics skillsets to operating in Control/SCADA systems

Question 4: What type of attacks have you actually experienced?

Answers/Discussion:

• This question was diverted for confidential and security reasons.

Further discussion was taken from the following perspective:

• Be careful with internal use of thumb drives etc. Attackers don’t always know what they are looking for but rather just collect data until they find something of interest.

Keynote summary by Gaspar Modelo-Howard

The State of Security

Arthur W. Coviello, Jr., Chairman, RSA, The Security Division of EMC

Mr. Coviello opened his keynote with a quote from Nicholas Negroponte: “Internet is the most overhyped, yet underestimated phenomenon in history”. This statement, Mr. Coviello argues, it is still true today. And to determine the state of security, one does not have to look beyond the state of the Internet.

The growth of the Internet has driven the evolution of computing in the last few decades. Computing has gone through radical transformations: from its early days with mainframes, to computers, moving later to networks in the 80s and then to the rise of the Internet and the World Wide Web in the mid 90s. We are currently experiencing a confluence of technologies and trends (cloud computing, big data, social media, mobile, consumerization of IT) that make clear that the next transformation of computing is well underway and creating new challenges to security. Coviello contended the past evolution of IT infrastructure gives clear signals to the fast and deep changes security should continue to experience in the future. As an example and in just a couple of years, the IT industry has moved from 1 exabyte of data to 1.8 zettabytes, from the iPod to the iPad, from 513M to over 2B Internet users, from speeds of 100kbps to 100Mbps, and from AOL to Facebook (which would be the 3rd largest country in the world, by considering its number of users as population).

Coviello then used an interesting analogy to explain the impact in security of the continuous growth of the Internet, and therefore the need to better empower security. Imagine that the Internet is a highway system that is experiencing an exponential growth in the number of cars that use it. The highway system then needs to increase the number of lanes of existing roads, add new roads, and provide better ways for cars to access the system. But all this growth also increases the number and complexity of accidents on the roads. Then, security needs to grow accordingly to better manage (prevent, detect, and respond) the new scenario of potential accidents.

Looking at the security world, things have also changed dramatically over the years. Not long ago there were tens of thousands of viruses and their corresponding signatures, where as now there are tens of millions. Organized crime and spying online is a very real threat today that was not really happening in 2001. The scenario is then more difficult today for security practitioners to protect their networks. Stuxnet opened a new threat era for security. We have long moved away from the times of script kiddies. The new breed of attackers include: (1) non-state actors, like terrorists and anti-establishment vigilantes; (2) criminals, that act like a technology company by expanding their market around the world to distribute their products and services, and have sophisticated supply chains; and (3) nation-state actors, which are stealth and sophisticated, difficult to detect, well-resourced, and efficient.

Coviello briefly explained the high profiled breach experienced by RSA in 2011. They were attacked by two advanced persistent threat (APT) groups. From the steps taken, it is very clear that a lot of research on the company was made before the attacks. Phishing email was used to get inside their networks, sending the messages to a carefully selected group of RSA employees. The messages included an Excel attachment that contained a zero-day exploit (Adobe Flash vulnerability), which installed a backdoor when triggered. The attackers knew what they wanted, and went low and slow. The attack went on for 2 weeks, with RSA staying two to three hours behind the attackers’ moves. The attackers were able to ex-filtrate information from the networks, but RSA ultimately determined that no loss was produced to the company from the attack. As for the experience, Coviello acknowledged that is still not a good idea for a security company to get breached.

We are past the tipping point, were physical and virtual worlds could be separated. Additionally, the confluence of technologies and trends is creating more ‘open’ systems. The security industry is challenged as the open systems are more difficult to secure (than close systems, each under a single domain). We need to secure what in a way can’t be controlled. It is then not difficult to explain what has happened recently, in terms of breaches. In 2011, many high-profiled attacks occurred (in what others have labeled as the ‘Year of the Security Breach’) to big organizations like Google, Sony, RSA, PBS, BAH (Booz, Allen, Hamilton), Diginotar, and governmental entities such as the Japanese Parliament and the Australian Prime Minister.

Coviello argued that vendors and manufacturers must stop the linear approach used in the security industry to keep adding layer after layer of security control mechanisms. Security products should not be silos. We need to educate computer users, but keeping in mind that people make mistakes. After all we are humans. Our mindset must change from playing defense, as protection from perimeter does not work alone. Also, security practitioners and technologists must show an ability for big picture thinking and having people skills.

We need to get leverage from all security products, therefore the need to move away from the security silos architecture. Fortunately, the age of big data is arriving to the security world. Coviello provided a definition to big data: collecting datasets from numerous sources, at a large scale, and to produce actionable information from analyzing the datasets. The security objective is then to reduce the window of vulnerabilities for all attacks. The age of big data should also promote the sharing of information, which unfortunately is currently a synonym for failure. Organizations do not work together to defend against attacks.

Mr. Coviello calls for the creation of multi-source intelligence products. They must be risk-based, as there are different types of risks and should consider the different vulnerabilities, threats, and impacts affecting each organization. The intelligence products should be agile, having deep visibility of the protected system. They should detect anomalies in real time and the corresponding responses should be automated in order to scale and be deployed pervasively. Unfortunately today, systems are a patchwork of security products, focusing only on compliance. Finally, the intelligence products should have contextual capabilities. The ability to succeed against attacks depends on having the best available information, not only security logs. Such information should come from numerous sources, not only internals.

The Q&A session included several interesting questions, after the stimulating talk. The first one asked about the possible impediments to achieve the goals outlined in the talk. Coviello pointed out three potential roadblocks. First, the lack of awareness regarding the impact of a security situation by the top board of the organization. Top management should understand that security problems are the responsibility of the whole company, not just the IT department. Second, ignoring the requirement to follow a risk based approach when making security decisions and developing strategies. Third, is important that security programs grow as organizations increasingly rely on their IT systems.

A question was made regarding the asymmetric threat that security practitioners face and what can be done about it. Coviello pointed out the need to work around risk analysis in order to reduce the potential risks faced by organizations. It should be understood that the digital risk cannot be reduced any more than the physical risk. So organizations should get more sophisticated on the analytics, following a risk-based approach.

A member of the audience pointed out that several federal cybersecurity policies are based on the concept of defense in depth. Such concept is not driven by risks, which ultimately might raise costs to organizations required to comply with policies and regulations. Coviello agreed that if a risk-based approach is not followed, security programs might not achieve cost effectiveness. He also mentioned that defense in depth is sometimes misunderstood as it is not a layering mechanism to implement cybersecurity. It should encompass information sharing among organizations and even countries. He offered an example, calling for ISPs to play a more aggressive role and work with organizations to stop the threat from botnets.

A final question was made regarding the push by elected officials to use electronic voting, especially in small counties that might lack the resources to protect those systems. How to make elected officials understand the risk faced when using electronic voting, when such authorities usually do not have the capability to secure the voting system? Coviello sounded less than enthusiastic about electronic voting. But more importantly, he said there is a need to aggregate the security expertise and services so it can be outsourced to small and medium-sized organizations. The security industry should follow on the steps of the software and hardware industries, offering outsourcing services and products.

One aspect of our efforts is an on-going need to attract and retain the very best faculty members possible to provide leadership in all aspects of what we do.

Universities have a mechanism for attracting and retaining the best people: endowed chairs for faculty. These are special designations for positions for leading faculty. The associated endowment provides discretionary funds for travel, research, staff and a salary supplement to support the position. Only a small number of these positions exist in any computing field at universities nationally…and almost none in information/cyber security and privacy. Having one of the oldest and largest programs in this field, Purdue University really should have a few of these positions available to attract and keep the best faculty we can find.

Normally, the endowments for these chairs are provided by generous individuals or foundations who support the university and/or the research area. As a small token of appreciation, the university allows the benefactor(s) to name the chaired position (within reason), thus resulting in something such as the Homer J. Simpson Distinguished Professor of Cyber Security or the Yoyodyne Propulsion Systems Professor of Information Security and Privacy. This name is kept in perpetuity, and is on all stationery and publications of that professor henceforth.

Purdue has just announced a new program to match donations 1:1 for chaired positions with no restrictions. It is thus possible for someone (or a group, company, club or foundation) to endow a distinguished chair at ½ of the usual amount. Further, that amount may be pledged over a three-year period, and the donor(s) still retain full naming rights!

Note that Purdue University is a 503(c) organization and thus donations to support this have potential tax advantages for the donor(s).

We really would like to have CERIAS continue to be the leader in the field of information security. Obtaining at least one (and preferably, several) named chairs in the field, most likely with homes in the CS department, would help us keep that lead, and keep our program strong.

If you are interested in taking part in this great opportunity to help fund one of the first few endowed professorships globally in this important area, please contact me. And if you know of others who might be interested, please pass this along to them. Fields including computer games and graphics have dozens of endowed professorships around the country. Isn't it about time we showed that information security is taken seriously, too?

What follows is a more formal obituary, based on material provided by his family and others. That is followed by some personal reflections.

Personal Details

Gene was born September 10, 1946, in Chicago to E. Eugene Sr. and Elizabeth Schultz. They moved to California in 1948, and Gene’s sister, Nancy, was born in 1955. The family lived in Lafayette, California. Gene graduated from UCLA, and earned his MS and PhD (in Cognitive Science, 1977) at Purdue University in Indiana.

While at Purdue University, Gene met and married Cathy Brown. They were married for 36 years, and raised three daughters: Sarah, Rachel and Leah.

Gene was an active member of Cornerstone Fellowship, and belonged to a men’s Bible study. His many interests included family, going to his mountain home in Twain Harte, model trains, music, travelling, the outdoors, history, reading and sports.

Gene is survived by his wife of 36 years, Cathy Brown Schultz; father, Gene Schultz, Sr.; sister, Nancy Baker; daughters and their spouses, Sarah and Tim Vanier, Rachel and Duc Nguyen, Leah and Nathan Martin; and two grandchildren, Nola and Drake Nguyen.

You should also take a few moments to visit this page and learn about the symptoms and response to stroke.

Professional Life

Gene was one of the more notable and accomplished figures in computing security over the last few decades. During the course of his career, Gene was professor of computer science at several universities, including the University of California at Davis and Purdue University, and retired from the University of California at Berkeley. He consulted for a wide range of clients, including U.S. and foreign governments and the banking, petroleum, and pharmaceutical industries. He also managed several information security practices and served as chief technology officer for two companies.

Gene formed and managed the Computer Incident Advisory Capability (CIAC) — an incident response team for the U.S. Department of Energy — from 1986–1992. This was the first formal incident response team, predating the CERT/CC by several years. He also was instrumental in the founding of FIRST — the Forum of Incident Response & Security Teams.

During his 30 years of work in security, Gene authored or co-authored over 120 papers, and five books. He was manager of the I4 program at SRI from 1994–1998. From 2002–2007, he was the Editor-in-Chief of Computers and Security — the oldest journal in computing security — and continued to serve on its editorial board. Gene was also an associate editor of Network Security. He was a member of the accreditation board of the Institute of Information Security Professionals (IISP).

Gene testified as an expert several times before both Senate and House Congressional committees. He also served as an expert advisor to a number of companies and agencies. Gene was a certified SANS instructor, instructor for ISACA, senior SANS analyst, member of the SANS NewsBites editorial board, and co-author of the 2005 and 2006 Certified Information Security Manager preparation materials.

Dr. Schultz was honored numerous times for his research, service, and teaching. Among his many notable awards, Gene received the NASA Technical Excellence Award, Department of Energy Excellence Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman's Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award and the National Information Systems Security Conference Best Paper Award. One of only a few Distinguished Fellows of the Information Systems Security Association (ISSA), he was also named to the ISSA Hall of Fame and received ISSA's Professional Achievement and Honor Roll Awards.

At the time of his death, Dr. Schultz was the CTO of Emagined Security, an information security consultancy based in San Carlos, California. He held certifications as a CISM, CISSP, and GSLC.

Personal Reflections

As I recall, I first “met” Gene almost 25 years ago, when he was involved with the CIAC and I was involved with network security. We exchanged email about security issues and his time at Purdue. I may have even met him earlier — I can’t recall, exactly. It seems we have been friends forever. We also crossed paths once or twice at conferences, but it was only incidental.

In 1998, I started CERIAS at Purdue. I had contacted personnel at the (now defunct) company Global Integrity while at the National Computer Security Conference that year about supporting the effort at CERIAS. What followed was a wonderful collaboration: Gene was the Director of Research for Global Integrity, and as part of their support for CERIAS they “loaned” Gene to us for several years. Gene, Cathy and Leah moved to West Lafayette, a few houses away from where I lived, and Gene proceeded to help us in research and teaching courses over the next three years while he worked remotely for GI.

The students at Purdue loved Gene, but that seems to have been the case for everywhere he taught. Gene had a gift for conveying complex concepts to students, and had incredible patience when dealing with them one-on-one. He came up with great assignments, sprinkled his lectures with interesting stories from his experience, and encouraged the students to try things to see what they might discover. He was inspirational. He was inspirational as a colleague; too, although we both traveled so much that we didn’t get to see each other too often.

In 2001 he parted ways with Global Integrity, and moved his family back to California. This was no doubt influenced by the winters they had experienced in Indiana — too much of a reminder of grad student days for Gene and Cathy! I remember one time that we all got together to watch a New Year’s Purdue football bowl appearance, and the snow was so high as to make the roads impassable for a few days. Luckily, we lived near each other and it was only a short walk to warmth, hors d’oeuvres, and wine.

In the following years, Gene and I kept in close touch. We served on a few committees and editorial boards together, regularly saw each other at conferences, and kept the email flowing back and forth. He returned to Purdue and CERIAS several times to conduct seminars and joint research. He was generous with his time to the students and faculty who met with him.

Earlier this year, several of us put together a proposal to a funding agency. In it, we listed Gene as an outside expert to review and advise us on our work. We had room in the budget to pay him almost any fee he requested. But, when I spoke with him on the phone, he indicated he didn’t care if we paid more than his expenses — “I want to help CERIAS students and advance the field” was his rationale.

Since I learned of the news of his accident, and subsequent passing, I have provided some updates and notes to friends, colleagues, former students, and others via social media and email. So many people who knew Gene have responded with stories. There are three elements that are frequently repeated, and from my experience they help to define the man:

• Equity. Gene treated everyone the same when he met them. It didn’t matter if someone was a CEO, Senator, freshman, or custodian — he treated them with respect and listened to what they might have to say.
• Humor. Gene loved to laugh, and loved to make others laugh. He shared funny stories and odd things found on the WWW, and had wonderful stories that helped make others smile. And he smiled, a lot, and shared his joy.
• Consideration. Gene was compassionate, thoughtful, and gentle. He would often inconvenience himself for others, without complaint. He loved his family and let his friends know they were special.   

Gene Schultz was a wonderful role model, mentor and friend for a huge number of people, including being a husband to a delightful wife for 36 years and father to three wonderful daughters. Our world is a little less bright with him gone, but so very much better that he was with us for the time he was here.

E. Eugene Schultz, Jr., 9/10/46–10/2/11. Requiescat in pace.

Back in the late 1980s and early 1990s, I quietly built some counterhacking and beaconing tools that I installed in a "fake front" machine on our local network. People who tried to break into it might get surprises and leave me log info about what they were up to, and things they downloaded would not do what they thought or might beacon me to indicate where the code went. This was long before honeypots were formalized, and before firewalls were in common use. Some of my experiences contributed to me writing the first few papers on software forensics (now called digital forensics), development of Tripwire, and several of my Ph.D. students's theses topics.

I didn't talk about that work much at the time for a variety of reasons, but I did present some of the ideas to students in classes over the years, and in some closed workshops. Tsutomu Shimomura, Dan Farmer and I traded some of our ideas on occasion, along with a few others; a DOD service branch contracted with a few companies to actually built some tools from my ideas, a few of which made it into commercial products. (And no, I never got any royalties or credit for them, either, or for my early work on firewalls, or security scanning, or.... I didn't apply for patents or start companies, unfortunately. It's interesting to see how much of the commercial industry is based around things I pioneered.)

I now regret not having actually written about my ideas at the time, but I was asked by several groups (including a few government agencies) not to do so because it might give away clues to attackers. A few of those groups were funding my grad students, so I complied. You can find a few hints of the ideas in the various editions of Practical Unix & Internet Security because I shared several of the ideas with my co-author, Simson Garfinkel, who had a lot of clever ideas of his own. He went on to found a company, Sandstorm Enterprises, to build and market some professional tools in roughly this space; I was a minor partner in that company. (Simson has continued to have lots of other great ideas, and is now doing wonderful things with disk forensics as a faculty member at the Naval Postgraduate School.)

Some of the ideas we all had back then continue to be reinvented, along with many new and improved approaches. Back in the 1980s, all my tools were in Unix (SunOS, mostly), but now there are possible options in many other systems, with Windows and Linux being the main problems. Of course, back in the 1980s the Internet wasn't used for commerce, Linux hadn't been developed, and Windows was not the widespread issue it it now. There also wasn't a WWW with its problems of cross-site scripting and SQL injection. Nonetheless, there were plenty of attackers, and more than enough unfound bugs in the software to enable attacks.

For the sake of history, I thought I'd document a few of the things I remember as working well, so the memories aren't lost forever. These are all circa 1989-1993:

• Everything was built on a decoy system. I had control over my own Sun workstation. I configured it to have 2 separate accounts, with one (named spaf) exported via NFS to the CS department Sun, Pyramid and Sequent machines. My students and fellow faculty could access this directory, and I populated it with contents to make it look real. If I wanted to share something with my classes, I'd copy it to this account. A second account (rspaf) was on a separate partition, not exported, and locked down. It was my real account and where I got email. No system had rsh access in, nor any other indication that it existed — the support staff knew it was there, but almost no one else. (For real paranoia, I kept copies of sensitive files and source code on a Mac running OS 7, and it was off the network.)
• My original idea for Tripwire came several years before Gene Kim arrived as a student and we built the actual Tripwire tool. I built a watcher program for bogus, "bait" mail files and attractively-named source files that would never be touched in normal operation. When accessed, their file times changed. The watcher "noticed" and would start taking repeated snapshots of active network connections and running processes. When lsof was written (at Purdue), I included it in the logging process. After a few minutes, my watcher would freeze the active network connections.
• As a matter of good security practice, I disabled most of the network services spawned at startup or by inetd. In their places, I put programs that mimicked their output behavior, but logged everything sent to them. Thus, if someone tried to rsh into my system, they'd get output claiming incorrect password for most accounts. For spaf and root it would randomly act like it was connecting but very slow or an error would be printed. At the same time, this would send me email and (later) a page. This would allow me to run other monitoring tools. The tcp wrappers system was later independently developed by Wietse Venema, and the twist option provided the same kind of functionality (still useful).
• Some attackers would try to "slurp" up interesting sounding directories without looking at all the contents. For instance, a common tactic was to take any directory labeled "security" and the mail spool. For a while, attackers were particularly interested in getting my copy of the Morris Internet Worm, so any directory with "worm" in it would be copied out in its entirety. I built a small utility that would take any file (such as a mail file or binary) and make it HUGE using the Unix sparse file structure. On disk the files might only be a few thousand bytes long, and you could read it normally, but any copy program thought they were gigabytes in length. Thus, any attempt to copy them offsite would result in very long, uncompleted copies (which left network connections open to trace) and sometimes filled up the attackers' disks.
• The previous idea was partially inspired by one of Tsutomu's tricks. The authd daemon, implementing the ident protocol (RFC 1413), was somewhat popular. It could be useful in a LAN, but in the Internet at large it was not trustworthy; to make this point, several admins had it always return some made-up names when queried. Tsutomu took this a step further and when a remote system connected to the ident port on his machine, it would get an unending string of random bits. Most authd clients would simply accept whatever they were given to write to the local log file. Connecting to Tsutomu's machine was therefore going to lead to a disk full problem. If the client ran as root, it would not be stopped by any limits or quotas — and it usually logged to the main system partition. Crash. As Tsutomu put it, "Be careful what you ask for or you may get more of it than you counted on."
• I sprinkled altered program source on my fake account, including many that looked like hacking tools. The source code was always subtly altered to neuter the tool. For example, some Unix password cracking tools had permuted S-boxes so that, when presented with a password hash to attack, the program would either run a long time without a result, or would give a result that would not work on any target machine. I also had a partial copy of the Morris Worm there, with subtle permutations made to prevent it from spreading if compiled, and the beacon changed to ping me instead of Berkeley. (See my analysis paper if you don't get the reference.)
• I also had some booby-trapped binaries with obfuscated content. One was named "God" and had embedded text strings for the usage message that implied that there were options to become root, take over the network, and other tasty actions. However, if run, it would disable all signals, and prompt the user with the name of every file in her home directory, one at a time. Any response to the prompt would result in "Deleted!" followed by the next prompt. Any attempt to stop the program would cause it to print "Entering automatic mode" where every half-second it would state that it was deleting the next file. Meanwhile, it would be sending me logging information about who was running it and where. If run on a Purdue machine, it didn't actually delete anything — I simply used it to see who was poking in my account and running things they didn't know anything about (usually, my students). It also gave them a good scare. If taken and run on a non-Purdue machine, well, it was not so benign.

There were many other tools and tripwires in place, of course, but the above were some of the most successful.

What does successful mean? Well, they helped me to identify several penetrations in progress, and get info on the attackers. I also identified a few new attacks, including the very subtle library substitution that was documented in @Large: The Strange Case of the World's Biggest Internet Invasion. The substitute with backdoor in place had the identical size, dates and simple checksum as the original so as to evade tools such as COPS and rdist. Most victims never knew they had been compromised. My system caught the attack in progress. I was able to share details with the Sun response team — and thereafter they started using MD5 checksums on their patch releases. That incident also inspired some of my design of Tripwire.

In another case, I collected data on some people who had broken into my system to steal the Morris Worm source code. The attacks were documented in the book Underground . The author, Suelette Dreyfus, assisted by Julian Assange (yes, the Wikileaks one), never bothered to contact me to verify what she wrote. The book suggests that my real account was compromised, and source code taken. However, it was the fake account, my security monitors froze the connection after a few minutes, and the software that was accessed was truncated and neutered. Furthermore, the flaws that were exploited to get in were not on my machine — they were on a machine operated by the CS staff.   (Dreyfuss got several other things wrong, but I'm not going to do a full critique.)

There were a half-dozen other incidents where I was able to identify new attacks (now known as zero-day exploits) and get the details to vendors. But after a while, interest dropped off in attacking my machine as new, more exciting opportunities for the kiddies came into play, such as botnets and DDOS attacks. And maybe the word spread that I didn't keep anything useful or interesting on my system. (I still don't.) It's also the case that I got much more interested in issues that don't involve the hands-on, bits & bytes parts of security — I'm now much more interested in fundamental science and policy aspects. I leave the hands-on aspects to the next generation. So, I'm not really a challenge now — especially as I do not administer my system anymore — it's done by staff.

I was reminded of all this when someone on Twitter posted the URL of a video taken at Notacon 2011 (Funnypots and Skiddy Baiting: Screwing with those that screw with you by Adrian "Iron Geek" Crenshaw). It is amusing and reminded me of the stories, above. It also showed that some of the same techniques we used 20 years ago are still applicable today.

Of course, that is also depressing. Now, nearly 20 years later, lots of things have changed but unfortunately, security is a bigger problem, and law enforcement is still struggling to keep up. Too many intrusions occur without being noticed, and too little information is available to track the perps.

There are a few takeaways from all the above that the reader is invited to consider:

• Assume your systems will be penetrated if they are on the network. Things you don't control are likely to be broken. Therefore, plan ahead and keep the really sensitive items on a platform that is off the net. (If the RSA folks had done this, the SecurID breach might not have resulted in anything.)
• Install localized tripwires and honeypots that can be monitored for evidence of intrusion. Don't depend on packaged solutions alone — they are known quantities that attackers can avoid or defeat.
• Don't believe everything you read unless you know the story has been verified with original sources.
• Consider encrypting or altering critical files so they aren't usable "as is" if taken.
• Be sure you are proactively logging information that will be useful once you discover a compromise.

Also, you might watch Iron Geek's video to inspire some other ideas if you are interested in this general area — it's a good starting point. (And another, related and funny post on this general topic is here, but is possibly NSFW.)

In conclusion, I'll close with my 3 rules for successful security:

1. Preparation in advance is always easier than clean up afterwards.
2. Don't tell everything you know.

First, if a largely uncoordinated group could penetrate the systems and expose all this information, then so could a much more focused, well-financed, and malevolent group — and it would not likely result in postings picked up by the media. Attacks by narcotics cartels, organized crime, terrorists and intelligence agencies are obvious threats; we can only assume that some have already succeeded but not been recognized or publicized. And, as others are noting, this poses a real threat to the physical safety of innocent people. Yes, in any large law enforcement organization there are likely to be some who are corrupt (the claimed reason behind the attack), but that is not reason to attack them all. Some of the people they are arrayed against are far worse.

For example, there are thousands (perhaps tens of thousands) of kidnappings in Mexico for ransom, with many of the hostages killed rather than freed after payment. Take away effective law enforcement in Arizona, and those gangs would expand into the U.S. where they could demand bigger ransoms. The hackers, sitting behind a keyboard removed from gang and street violence, safe from forcible rape, and with enough education to be able to avoid most fraud, find it easy to cherry-pick some excesses to complain about. But the majority of people in the world do not have the education or means to enjoy that level of privileged safety. Compared to police in many third-world countries where extortion and bribes are always required for any protection at all, U.S. law enforcement is pretty good. (As is the UK, which has also recently been attacked.)

Ask yourself what the real agenda is of a group that has so far only attacked law enforcement in some of the more moderate countries, companies without political or criminal agendas, and showing a total disregard for collateral damage. Ask why these "heroes" aren't seeking to expose some of the data and names of the worst drug cartels, or working to end human trafficking and systematic rape in war zones, or exposing the corruption in some African, South American & Asian governments, or seeking to damage the governments of truly despotic regimes (e.g., North Korea, Myanmar), or interfering with China's online attacks against the Dalai Lama, or leaking memos about willful environmental damage and fraud by some large companies, or seeking to destroy extremist groups (such as al Qaida) that oppress woman and minorities and are seeking weapons of mass destruction.

Have you seen one report yet about anything like the above? None of those actions would necessarily be legal, but any one of them would certainly be a better match for the claimed motives. Instead, it is obvious that  these individuals and groups are displaying a significant political and moral bias — or blindness — they are ignoring the worst human rights offenders and criminals on the planet. It seems they are after the ego-boosting publicity, and concerned only with themselves. The claims of exposing evil is intended to fool the naive.

In particular, this most recent act of exposing the names and addresses of family members of law enforcement, most of whom are undoubtedly honest people trying to make the world a safer place, is not a matter of "Lulz" — it is potentially enabling extortion, kidnapping, and murder. The worst criminals, to whom money is more important than human life, are always seeking an opportunity to neutralize the police. Attacking family members of law enforcement is common in many countries, including Mexico, and this kind of exposure further enables it now in Arizona. The data breach is attacking some of the very people and organizations trying to counter the worst criminal and moral abuses that may occur, and worse, their families.

Claiming that, for instance, that the "War on Drugs" created the cartels and is morally equivalent (e.g., response #13 in this) is specious. Laws passed by elected representatives in the U.S. did not cause criminals in Mexico to kidnap poor people, force them to fight to the death for the criminals' amusement, and then force the survivors to act as expendable drug mules. The moral choices by criminals are exactly that — moral choices. The choice to kidnap, rape, or kill someone who objects to your criminal behavior is a choice with clear moral dimensions. So are the choices of various hackers who expose data and deface systems.

When I was growing up, I was the chubby kid with glasses. I didn't do well in sports, and I didn't fit in with the groups that were the "cool kids." I wasn't into drinking myself into a stupor, or taking drugs, or the random vandalism that seemed to be the pasttimes of those very same "cool kids." Instead, I was one of the ones who got harassed, threatened, my homework stolen, and laughed at. The ones who did it claimed that it was all in fun — this being long before the word "lulz" was invented. But it was clear they were being bullies, and they enjoyed being bullies. It didn't matter if anyone got hurt, it was purely for their selfish enjoyment. Most were cowards, too, because they would not do anything that might endanger them, and when they could, they did things anonymously. The only ones who thought it was funny were the other dysfunctional jerks. Does that sound familiar?

Twenty years ago, I was objecting to the press holding up virus authors as unappreciated geniuses. They were portrayed as heroes, performing experiments and striking blows against the evil computer companies then prominent in the field. Many in the public and press (and even in the computing industry) had a sort of romantic view of them — as modern, swashbuckling, electronic pirates, of the sorts seen in movies. Now we can see the billions of dollars in damage wrought by those "geniuses" and their successors with Zeus and Conficker and the rest. The only difference is of time and degree — the underlying damage and amoral concern for others is simply visible to more people now. (And, by the way, the pirates off Somalia and in the Caribbean, some of whom simply kill their victims to steal their property, are real pirates, not the fictional, romantic versions in film.)

The next time you see a news article about some group, by whatever name, exposing data from a gaming company or law enforcement agency, think about the real evil left untouched. Think about who might actually be hurt or suffer loss. Think about the perpetrators hiding their identities, attacking the poorly defended, and bragging about how wonderful and noble and clever they are. Then ask if you are someone cheering on the bully or concerned about who is really getting hurt. And ask how others, including the press, are reporting it. All are choices with moral components. What are yours?

Update: June 26

I have received several feedback comments to this (along with the hundreds of spam responses). Several were by people using anonymous addresses. We don't publish comments made anonymously or containing links to commercial sites. For this post, I am probably not going to pass through any rants, at least based on what I have seen. Furthermore, I don't have the time (or patience) to do a point-by-point commentary on the same things, again and again. However, I will make a few short comments on what I have received so far.

Several responses appear to be based on the assumption that I don't have knowledge or background to back up some of my statements. I'm not going to rebut those with a list of specifics. However, people who know what I've been doing over the few decades (or bothered to do a little research) — including work with companies, law enforcement, community groups, and government agencies — would hardly accuse me of being an observer with only an academic perspective.

A second common rant is that the government has done some bad things, or the police have done something corrupt, or corporations are greedy, and those facts somehow justify the behavior I described. Does the fact that a bully was knocked around by someone else and thus became a bully mean that if you are the victim, it's okay? If so, then the fact that the U.S. and U.K. have had terrorist attacks that have resulted in overly intrusive laws should make it all okay for you. After all, they had bad things happen to them, so their bad behavior is justified, correct? Wrong. That you became an abuser of others because you were harmed does not make it right. Furthermore, attacks such as the ones I discussed do nothing to fix those problems, but do have the potential to harm innocent parties as well as give ammunition to those who would pass greater restrictions on freedom. Based on statistics (for the US), a significant number of the people whining about government excess have not voted or bothered to make their opinions known to their elected representatives. The more people remain uninvolved, the more it looks like the population doesn't care or approves of those excesses, including sweetheart deals for corporations and invasions of privacy. Change is possible, but it is not going to occur by posting account details of people subscribed to Sony services, or giving out addresses and names of families of law enforcement officers, or defacing the NPR website. One deals with bullies by confronting them directly.

The third most common rant so far is to claim that it doesn't make any difference, for one reason or another: all the personal information is already out there on the net or will be soon, that the government (or government of another country) or criminals have already captured all that information, that it doesn't cost anything, security is illusory, et al. Again, this misses the point. Being a bully or vandal because you think it won't make any difference doesn't excuse the behavior. Because you believe that the effects of your behavior will happen anyhow is no reason to hasten those effects. If you believe otherwise, then consider: you are going to die someday, so it doesn't make a difference if you kill yourself, so you might as well do it now. Still there? Then I guess you agree that each act has implications that matter even if the end state is inevitable.

Fourth, some people claim that these attacks are a "favor" to the victims by showing them their vulnerabilities, or that the victims somehow deserved this because their defenses were weak. I addressed these claims in an article published in 2003. In short, blaming the victim is inappropriate. Yes, some may deserve some criticism for not having better defenses, but that does not justify an attack nor serve as a defense for the attackers. It is no favor either. If you are walking down a street at night and are assaulted by thugs who beat you with 2x4s and steal your money, you aren't likely to lie bleeding in the street saying to yourself "Gee, they did me a huge favor by showing I wasn't protected against a brutal assault. I guess I deserved that." Blaming the victim is done by the predators and their supporters to try to justify their behavior. And an intrusion or breach, committed without invitation or consent, is not a favor — it is a crime.

Fifth, if you support anarchy, then that is part of your moral choices. It does not invalidate what I wrote. I believe that doing things simply because they amuse you is a very selfish form of choice, and is the sort of reasoning many murderers, rapists, pedophiles and arsonists use to justify their actions. In an anarchy, they'd be able to indulge to their hearts content. Lotsa lulz. But don't complain if I and others don't share that view.

I am going to leave it here. As I said, I'm not interested in spending the next few weeks arguing on-line with people who are trying to justify behavior as bullies and vandals based on faulty assumptions.

Of course, our whole definition of "war" is itself a little muddled. We have the World Wars, certainly. But from a strictly U.S. perspective, consider the Korean and Vietnam conflicts — were those wars? Or the Gulf War, Bosnia and Herzegovina, Iraq, Afghanistan — was the U.S. at war? And is that what is going on with Libya? In one sense, yes, because in each we employed military forces against a defined enemy. But how many of those had a formal declaration of war? And none were really existential threats that required the entire U.S. to be involved. War, historically, has usually been an issue of whether a state continued to exist under its current rule or not, and sometimes whether a significant percentage of the current population continued to live or not; some wars resulted in all the adult males being killed or enslaved, or whole populations slaughtered.

Then there is the War on Drugs, the War on Poverty, and most recently, our War on Terror (among others). In these conflicts we don't actually have a nation-state as an enemy, but we do have some defined objective requiring concerted, forceful action. (Of course we also have silly, demeaning uses of the term, such as the inane "War on Christmas.")

This can all lead to a certain confusion of definitions and roles. Prior to 9/11/2001, terrorists on U.S. soil were criminals. Whether it was Timothy McVeigh, Ramzi Yousef, Eric Rudolph, Ali Abu Kamal, or the ELF, civilian law enforcement, civilian courts, and civilian prisons were the mechanisms involved. Since 9/11, we have a strong contingent claiming that terrorism is now solely a military matter, that military courts must be used, and civilian prisons are somehow insufficient (although supermax prisons have held worse mass murders and gang members for years). Why? Because we are in a "war on terror." Further, administrative rules and laws were passed to classify a particular class of terrorists as belonging under military jurisdiction as enemy combatants and heated political debate occurs around any aspect of how to deal with these individuals.

This essay is not an attempt to sort out all those issues: I'm going after something else, but I needed to illustrate these few points, first. Above, I noted that "war" is a somewhat fuzzy term, as are the definitions of who might wage it. Next, let's consider how we have been preparing to react to cyber incidents.

With the fuzziness about defining "war," and the shifting boundaries of whether it is something confronted by law enforcement or the military, it is not surprising that "cyber war" has not really been well-defined. What has happened over the last decade is that stories of potential "Cyber Pearl Harbors" have been presented to legislators, coupled with demonstrations of vulnerabilities, to justify a massive investment in the military cyber arena — but not so much our civilian law enforcement. It is simple to scare policy makers with tales that the country might be destroyed by evil hackers working for another country's military; cyber crime does not make for as compelling a picture. The result has been massive buildup in offensive military tools, intelligence support, and personnel training to support military missions.

But that buildup does little to help civilian companies under attack within U.S. borders by unknown parties. So, we now have civilian companies turning to DHS for help rather than the FBI or another law enforcement agency. But the responsibility of DHS is to secure the .gov systems, so they are now turning to the military (NSA) because they don't have the infrastructure or expertise they need for even that. We are thus well down a path to turn over the bulk of our law enforcement in cyber to the military, with the specter of terrorists and cyber war held out by those who benefit from this situation continuing to push us in that direction. Soon we will have so much infrastructure built up we will not be able to afford to go back. The Posse Comitatus Act of 1878 was intended to keep the military from becoming a national police force, but this will further erode what is left of that law. Many people reading this will say "So what?" because we're now safer against a cyberwar attack as a result of this buildup — aren't we?

But here comes the problem, and the main point of this essay. We have a history of our military and leaders preparing to fight the last war. They are preparing for an offense that is unlikely to come at us the way they have portrayed. They are building a Maginot Line for a frontal attack that any intelligent adversary will never attempt.

In fact, we're under attack NOW. And we're losing. We're losing billions of $$ worth of intellectual property per year to foreign intelligence services, foreign competitors, and criminals, and we have been for years. U.S. companies and taxpayers are effectively paying for the R&D that is supporting huge amounts of foreign development. And we are also seeing billions of $$ of value being bled from the economy in credit card fraud, bank fraud and other kinds of fraud, including counterfeit pharma and counterfeit electronics sales, with all that money going to buy houses, cars, and consumer goods for people in Eastern Europe, China, Russia, and so on — in non-US economies. (And not only victims in the U.S., but Canada, the UK and a number of other countries.) It is a war of economic attrition and it is one that the DOD is never going to be in a position to fight because it has no kinetic component, no uniformed foe, no base of operations, and no centralized command. Once again, we have been preparing for the last war, so we are losing the current one. Most of our leaders don't even seem to recognize that we are in one. If we fall, it will not be by the swift stroke of the sword, but by the death of a thousand cuts.

If we are to have any hope of surviving, we have to completely change the way we look at this situation. Every intrusion, theft, or fraud should be reported, investigated and prosecuted (when possible). It should be tallied and brought to public attention, at least in aggregate so we understand the magnitude of what is going on. Right now, too much is hushed up or written off because each incident is too small to follow up, but the combined weight is staggering; for years I've been calling it "being pecked to death by ducks" because no single duck is lethal, but millions are. By letting so many incidents go, we encourage more and fund the development of yet new crime We need to refocus ourselves with a massive law enforcement effort, with a weighting towards local response, filtering up to Federal, not a Federal response directing local response. All those billions being dumped into the Federal contractors for cyber weapons should be directed to cyber law enforcement and investigation, to development of forensic tools, and to raising awareness at the local level. Your average business and consumer is going to be much more likely to install patches to protect against criminal behavior if encouraged by local authorities than told by someone in DC to install patches against some robotic threat from overseas. And we should adopt a get-tough policy at the diplomatic level to start demanding that countries that harbor criminals see some pushback from us; the new Federal international strategy on cyberspace is a good start on this.

I have described it to some people this way: our traditional DOD is structured to protect our borders and keep enemies from crossing those borders, or even getting near them. They are very, very good at that. In fact, they're so good, they may even stop an enemy from crossing their own borders to get here! However, the enemy we're engaged with is already here — is installed on millions of our computers and has thus subverted millions of citizens throughout the country without their knowing it....including some of the military. It is like the movie "The Puppet Masters." This can't be fought by the DOD — they aren't equipped to train their weapons inward. It requires an entirely different approach, but unfortunately, our leadership doesn't understand this, and the loudest voices right now are those of the lobbyists and members of the military who stand to benefit most in the short term by continuing the status quo, and by those who don't understand the magnitude of the situation.

Concomitant with this, within the next decade I fear that we will start seeing more of our best and brightest students from the US going to universities in India, China and other countries the way those countries' students have been coming to the US for years; I'm not the only one predicting this. Why? In the US we are shuttering university programs, decreasing funding, and shrinking campuses across the country, and politicians are vilifying K-12 teachers as if they are somehow part of the problem instead of being part of the cure. Meanwhile, in India, Russia, China, Korea, Taiwan and the Middle East they are opening major new universities and hiring away faculty from the US, Australia, the UK and elsewhere to staff their research labs, paying them extraordinary salaries and benefits and giving them access to modern resources. Major corporations have already located labs near those places because of cheap labor and are helping to subsidize the growth of the universities as are the national governments so as to obtain trained help. Our national policy of booting new PhDs & MS graduates who aren't citizens, and restricting so many high-tech jobs to US nationals only means that we train the world's best, then send them back to their own countries...to compete with us. The Rising Above the Gathering Storm and Rising Above the Gathering Storm, Revisited: Rapidly Approaching Category 5 reports nailed this, but were largely ignored by policymakers and certainly by the general public. Not only are we indirectly funding other countries' ascendency via their largely unhindered theft of our intellectual property and fraud, we are accelerating it by strangling our own intellectual capital and increasing theirs.

Everyone in IT and beyond should understand — fundamentally — that this is a new form of competition, of warfare (if we are to use that term). It is competition of the mind. It is information warfare in a much more fundamental sense than using information in support of kinetic weapons. It is employing information resources in a vast strategic way, across industries and generations to shape the future of nations. We do not have enough people who are able to think strategically, with that long a view and an understanding of the issues to see the threats, to see the trends, and to see the hard choices necessary to take a safer path. We, as a people, do not have the patience. Unfortunately, some of our enemies do.

What inspired the above, in part, is that this is Memorial Day Weekend. Many people will celebrate it as a holiday with picnics or trips, watch the Indy 500, and break out the summer clothes.

But Monday is a special day in the U.S. to remember the many men and women who sacrificed their lives in the service of the country, while serving in uniform. Whether in declared war or standing guard, whether grizzled veteran or new recruit, whether defending the bridge at Concord in 1775, or on patrol in Kandahar in 2011, those who did not return home deserve special thought from those who are here to enjoy this weekend. They had husbands, wives, children, siblings, parents and friends who treasured them. On Memorial Day, we should all treasure their memories as well.

And perhaps that is the one good thing about "Cyber War" — by nature, it is unlikely to add to the list of those we should remember on Memorial Day who are not here with us.

One of the best ways to honor their memory is to remain vigilant, and that is why I wrote the above.

As a researcher and educator, I regularly follow many newsletters, blogs and newsfeeds on a near daily basis. Some items I bookmark for my classes and research, but most I simply read, note, and discard. I read many dozen such items per day -- sometimes as many as 100 when there is a lot happening and I have a backlog.

After news of the Sony incident broke on April 20th, I saw items about how some people knew about vulnerabilities in parts of the Sony network, and servers running old versions of the Apache webservers. Those postings had material similar to what was published in Wired on April 28th. To the best of my memory, at least one of those postings mentioned that some of these vulnerabilities were exposed to Sony in a mailing list or blog prior to the compromise. It may be that the reference was to the PSN webserver vulnerabilities, it may have been about the earlier flaw with the PS3 connecting to the PSN, or it may have been some other vulnerabilities...but I am pretty certain it was about the webservers. There was no discussion about how the breach occurred or whether the old software played a part in those breaches.

After reading these stories, I moved on to other issues. I was not a customer of Sony or the Playstation Network (PSN), and they have never had a relationship with our research group, so I had no reason to pay close attention to the story. Furthermore, we were approaching the end of the semester, I was teaching a graduate class and also preparing for two trips to workshops. Thus, I had several other things to occupy my time and attention, and this story was definitely not one of them.

Hearing

On May 1st, in my capacity as chair of USACM, I received an invitation to appear at a House subcommittee meeting on the morning of May 4 on the issue of data breaches and privacy. This is a topic that has been one of USACM's main thrust areas, and is in my main areas of interest, so even though it was extremely short notice, I said yes. I spent the next 48 hours frantically trying to rearrange my teaching and administrative schedule at the university while also producing a formal written testimony to deliver to Congressional offices by a Tuesday noon deadline. This occurred, but with very little sleep over that two day period. Tuesday afternoon I had to drive to Indianapolis to fly to Washington for the Wednesday morning hearing.

Wednesday morning at 9:30am. the House Subcommittee on Commerce, Manufacturing and Trade of the House Energy and Commerce Committee held its hearing on “The Threat Of Data Theft To American Consumers.” I was the 4th witness in the panel (our written statements are available online). Three days of little sleep and too much coffee, plus the TV lights, combined to give me quite a headache, but that may not be evident if you watch the C-SPAN recording of the hearing.

In my written testimony I indicated that "...some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk." During questioning, I stated that I had read this on security lists that I normally read.

The fun begins

My comment that I had seen accounts about the server software being out of date and no firewalls was reported accurately by a few media outlets. However, a few others widely misquoted as me stating, authoritatively, that Sony was running outdated, unpatched software and implied that this was somehow the cause of the breach. Other news sources, blogs, and aggregators then picked up this version of the story and repeated it as their own, often with some other embellishment.

In only a few cases did a responsible journalist contact me to fact-check the story and determine what I had actually said, and what I actually knew.

I tried to correct one or two of the incorrect reports, but most occurred in places where there was no contact address for corrections, and they soon were spreading faster than I could possibly respond. I gave up.

Soon after the stories started circulating, I received email from Eugene Alvarado (he has given me permission to name him), who indicated that in early February he reported to Sony that there was widespread hacking of the network going on that was interfering with use of the network. He never got a response. So, at least one other person observed problems and reported them to Sony in advance of the breach in April. If the problem was significant, there may well have been others.

More recently, at least one "commentator" who "thinks" he is "clever" because he can put quotes around words like "security expert" to imply something meaningful about my expertise has posted a critique pointing out that some of Sony's servers were, in fact, up-to-date. However, at least one follow-up by someone else observes that other Sony servers (with interesting names such as "Login" and "Auth") were running software dated 2008. Thus, it may well be the case that some of the systems were current and some not. As we well know, it only takes one system out of rev or with a missing patch to serve as an entry point to a whole network.

Bottom Line

To this day, I have never heard from nor spoken with anyone at Sony. I have never bothered to probe or investigate their systems, because frankly, I don't care. Those issues are for others to determine and settle. What I think were the bigger issues to the story at the hearing were about having standard breach notifications and the 24 USACM privacy principles that were in my testimony. There are hundreds of other breaches occurring every year in the U.S. resulting in fraud, identity theft, and other crimes. Those are smaller than this incident with the PSN, but the victims are no less damaged. We need for the FTC and law enforcement to have more resources to help fight these problems, and we could definitely use some appropriate Federal legislation on minimum privacy protections and breach notifications. Read the 4 written testimonies from the hearing to get a sense of what is involved.

As to the spurious story, I tried to be clear in my testimony (written and oral) that I was simply repeating what I had read in some online newsgroups. I am really quite appalled at the number of places that have twisted that into a claim that Sony was somehow, definitely, running substandard software or systems. It is possible they were, but it is also possible they were running very well-maintained systems that fell prey to a clever attacker. That has happened to other high profile victims.

I certainly bear the good folks at Sony no ill will, and I hope they resolve the situation with the Playstation Network soon.

In the meantime, perhaps this can serve as an abject lesson about dealing with the media and bloggers — some of them want a sensational story, whether the facts support it or not, and you had better not get in the way!

It seems a client of Amazon was not able to contact support, and posted in a support forum under the heading "Life of our patients is at stake - I am desperately asking you to contact." The body of the message was that "We are a monitoring company and are monitoring hundreds of cardiac patients at home. We were unable to see their ECG signals"

What ensued was a back-and-forth with others incredulous that such a service would not have a defined disaster plan and alternate servers defined, with the original poster trying to defend his/her position. At the end, as the Amazon service slowly came back, the original poster seemed to back off from the original claim, which implies either an attempt to evade further scolding (and investigation), or that the original posting was a huge exaggeration to get attention. Either way, the prospect of a mission critical system depending on the service was certainly disconcerting.

Personnel from Amazon apparently never contacted the original poster, despite that company having a Premium service contract.

25 or so years ago, Brian Reid defined a distributed system as "...one where I can't get my work done because a computer I never heard of is down." (Since then I've seen this attributed to Leslie Lamport, but at the time heard it attributed to Reid.) It appears that "The Cloud" is simply today's buzzword for a distributed system. There have been some changes to hardware and software, but the general idea is the same — with many of the limitations and cautions attendant thereto, plus some new ones unique to it. Those who extol its benefits (viz., cost) without understanding the many risks involved (security, privacy, continuity, legal, etc.) may find themselves someday making similar postings to support fora — as well as "position wanted" sites.

The full thread is available here.

Panel Members:

• Gerhard Eschelbeck, Webroot
• Lorraine Kisselburgh, Purdue
• Ryan Olson, Verisign
• Tim Roddy, McAfee
• Mihaela Vorvoreanu, Purdue

Panel Summary by Preeti Rao

The panel was moderated by Keith Watson, Research Engineer, CERIAS, Purdue University

Keith kick-started the panel with an interesting introduction to the term Web 2.0. He talked about how he framed its definition, gathering facts from Wikipedia, Google searches, comments and likes from Facebook, tweets from Twitter while playing Farmville, Poker on the Android phone!

All the panelists gave short presentations on Web 2.0 security challenges and solutions. These presentations introduced the panel topic from different perspectives - marketing, customer demands, industry/market analysis, technological solutions, academic research and user education.

Mihaela Vorvoreanu from Purdue University, who gave the first presentation, chose to use Andrew McAfee’s definition of Enterprise 2.0: a set of emerging social software collaborative platforms. She noted that the emphasis is on the word “platform” as opposed to “communication channels” because platforms are public and they support one-to-one communication which is public to all others, thus making it many-to-many communication.

She talked about the global study on Web 2.0 use in organizations which was commissioned by McAfee Inc, and reported by faculty at Purdue University. This study defined Web 2.0 to include consumer social media tools like Facebook, Twitter, YouTube and Enterprise 2.0 platforms. The study was based on a survey of over 1000 CIOs and CEOs in 17 countries, sample balanced by country, organization size, industry sector. The survey results were complimented with in-depth interviews with industry experts, analysts, academicians to get a comprehensive view of Web 2.0 adoption in organizations globally, its benefits and security concerns. While overall organizations reported great benefits and importance to using Web 2.0 in several business operations, the major concern was security - reported by almost 50% of the respondents. In terms of security vulnerabilities, social networking tools were reported to be the top threat followed by Webmail, content sharing sites, streaming media sites and collaborative platforms. Specific threats that organizations perceive from employee use of Web 2.0 included malware, virus, information over-exposure, spyware, data leaks. 70% of the respondents had security incidents in the past year and about 2 million USD were lost due to security incidents. The security measures reported by organizations included firewall protection, web filtering, gateway filtering, authentication and social media policies.

She presented a broad, global view of organizational uses, benefits and security concerns of Web 2.0.

Lorraine Kisselburgh from Purdue University continued to present the results from McAfee’s report. She discussed an interesting paradox that the study found.

Overall, there is a positive trend with significant adoption rate (75%) of Web 2.0 tools world-wide. There are also significant concerns among those who haven’t adopted the technology. 50% of non adopters report security concerns, followed by productivity, brand and reputation concerns. Not all tools have the same perceived value or even same concerns/risks/threats. Social networking tools and streaming media sites are considered most risky. Nearly half of the organizations banned Facebook. 42% banned IM, 38% banned YouTube. Collaborative platforms and content sharing tools are considered as less risky and their perceived value/usefulness is high when compared to social tools. But survey of those organizations who have adopted report the real value of social tools to be quite high - helpful in increasing communication, improving brand marketing etc. In fact social tools realized greater value than webmail etc.

So, the paradox is: social tools (social networking and streaming media sites) are mostly considered highly risky from a security standpoint, perceived least valuable to organizations, but yet they realize great value among adopters.

This reflects the continuing tensions between how the value of social media tools is perceived vs realized by organizations. This is also in-line with some historical trends in adopting new/unknown, emerging technologies. Example: email. The tensions are also because of where the technology is located and where to address risk: internal tools vs external on the cloud. It also has to do with recognizing organizational tools vs people tools.

Tim Roddy from McAfee addressed his comments on Web 2.0 security from a buying organization standpoint, giving it a product marketing perspective, about selling web security solutions. He commented that initially people were concerned about malware coming in to the organizations through email. Now the model and dynamics have changed and it has an influence on how we investigate our products and how we see our customers using security solutions from a business standpoint. His comments focussed on two areas: 1) stopping malicious software from coming in 2) having customizable controls for people using social media tools.

He pointed out that about 3 years ago, his customers were using their products to block access to sites like Twitter, Facebook because they saw no value in using them in businesses. But periodic McAfee surveys show a dramatic change in this trend. Organizations are allowing access to these tools; this trend is also driven by the younger generation of employees in the organizations demanding access. While it was a URL filtering solution that was used 3 years back to just block for eg, social networking sites category, now it is changed because they allow access to those websites.

So, how do we allow safe productive access?

There is a dramatic increase/acceleration in malware; they are automated, targeted and smarter now. Therefore web security efforts need to be proactive. By proactive security, it means not only to stop malware with signature analysis but include effective behavioral analysis to break the chains/patterns of attacks. McAfee’s Gateway Anti-Malware strategies focus on these.

Secondly, organizations allow access to social media tools now; but no one filters the apps in those tools to make sure they are legitimate. For eg: are the game apps on Facebook legitimate and secure? Such apps are one of the most common ways of attacks. The solution is to customize controls. Industries, especially finance and healthcare, are worried about leakage of data. Say, an employee sends his SSN through a LinkedIn message. Can it be blocked/filtered? Security solution efforts are now bi-directional – to proactively monitor and filter what is coming in as malware and what is going out as data leakage.

Lastly, the security concerns for use of mobile/handheld devices are growing. There is a great need to secure these devices, especially if corporately owned. It needs to have the same level of regulations and be compliant to corporate network standards.

Gerhard Eschelbeck from Webroot talked about why securing Web 2.0 a big deal and how we got there.

First gen of web apps were designed for static content to be displayed by browser. All execution processing was on server side and mostly trusted content. There were no issues about client/side browser side execution so the number of attacks happening was significantly less. The only worry then was to protect the servers. Now, the security concerns are mainly because of interactive content in Web 2.0. Fundamentally the model changes from 1-way-data from server to client to 2-way interactive model. Browser has become part of this execution environment. Billions of users’ browsers that are a part of this big ecosystem are exposed to attacks.

There is a major shift from code execution purely on server-side to distributed model of code execution using ajax and interactive, dynamic client side web page executions. While useful in many ways, it introduces new vulnerabilitie and this is the root cause for Web 2.0 security concerns.

He highlighted four areas of concerns:

1. User created, user defined content which is not trusted content
2. To bring desktop look and feel to the Web 2.0 applications, interactive features like mouse rollovers, popups have caused significant amount of interaction between server and client and this causes more vulnerabilities
3. Syndication of content and mashups of various sites
4. Offline capabilities of some applications now lead to storage of information on one of those billions of desktops

All these have led to increased security exposure points in turn leading to vulnerabilities.

Ryan Olson from Verisign talked about malware issues with Web 2.0.People are sharing a lot of their personal information online which they weren’t doing earlier. Access to personal information of people has become easy now, and is available to friends on social networks, or even anyone who has access to that friend’s account. A lot of organizations now have started using a security question/answer as a form of authentication after login/password. Answers to questions like user’s mother’s maiden name or high school name can be easily found on social networking sites. Most of such questions can be answered by looking at the user’s personal data that is available online, often without much authentication. This way Web 2.0 offers more vectors for malware. It offers many ways of communicating with people hence opening up to a lot of new entry points that we now need to monitor. Earlier it was mostly email and IM but now each of these social networks allow an attacker to send message, befriend and build trust. There are additional avenues provided by these tools to social-engineer the user into revealing some information about self, by exploiting the trust between user and his friends. A lot of malware are successful purely through social engineering attacks, by befriending them or enticing them and then extracting information. Primary solution to this problem is to educate people about the consequences of revealing personal information and the value of trust.

Questions from audience and discussions with the panel:

Keith Watson: How much responsibility should be held with the Web 2.0 providers (organizations like Facebook, Twitter) in providing secure applications? How much responsibility should be held with the users and educating them about safe usage? Is there a balance between user education and application provider responsibility?

Discussions:

TR: Just like any application provider, the companies do have a lot of responsibility; but educating the users is also equally important. Users are putting so much information out on the Web (for eg: Oh, I am in the airport). People should be made to realize how much and what to share.

RO: It should be a shared responsibility. It is the market that drives Web 2.0 to become more secure. For example, the competition between social network providers to provide a malware-free, secure application drives everything. If one social network is not as secure then users will just migrate to the next one. This way market will help and continue to put pressure on people in turn the providers to make secure applications.

LK: While it has to be a shared responsibility, it also has to do with recognizing the value of social media tools and encouraging its participation in businesses. Regarding user education, what we have found in some privacy research is that understanding the audience of these tools - who has access, what are they accessing, to whom are you disclosing, and being able to visualize who is listening helps the users in deciding what and how much information to disclose. Framing this through technology, system design would be helpful from an educational standpoint.

MV noted that there could be unintended, secondary audience always listening. She took a cultural approach to explain/understand social media tools. Each tool may be viewed as a different country – Facebook is a country, Twitter is another country. Just like how people from one country aren’t familiar with another country’s culture, and they may use travel guidebooks, travel information for help, users of social media tools need to be educated about the different social media tools and their inherent cultures.

GE: While the tourism and travel industry comparison is good, it doesn’t quite work always in the cyberworld because it is different. There is no differentiation anymore between dark and bright corners; even a site which “looks” safe might be a target of an awful attack Educational element is important but the technological safety belt is much needed. Securing is also hard for the fact that server-side component is usually from provider but client-side/browsers are with the people. It is important how we provide browser protection to users and reduce Web 2.0 attacks.

Brent Roth: What are your thoughts on organizations adopting mechanisms/models like the “no script add- on in Firefox”?

Discussions:

RO: This model would work really well for people who have some security knowledge/background, but doesn’t work for a common man. We need to look at smarter models for general public that make decisions about good and bad by putting the user in the safety belt.

TR: Websites get feeds and ads. While some may be malicious, they also drive the revenue. McAfee’s solutions block parts of the sites/pages which could be malicious. Behavioral analysis techniques help. It has to be a granular design solution.

RO: If all scripts are blocked then what about the advertisers? If we block all advertisers, the Internet falls because they drive the revenue. Yes, a lot of malware comes from ads and scripts but you cannot just completely block everything.

Malicious script analytics, risk profiling need to be done. The last line of defense is always at the browser end. User education is as important as having a technology safety belt to secure Web 2.0.

Panel Members:

• Paul Ratazzi, Air Force Research Laboratories
• Saurabh Bagchi, Purdue
• Hal Aldridge, Sypris Electronics
• Sanjai Narain, Telcordia
• Cristina Nita-Rotaru, Purdue
• Vipin Swarup, MITRE

Panel Summary by Christine Task

In Panel #3: “Fighting Through: Mission Continuity Under Attack”, each of the six panelists began by describing their own perspective on the problem of organizing real-time responses and maintaining mission continuity during an attack. They then addressed three questions from the audience.

Paul Ratazzi offered his unique insight as the technical advisor for the Cyber Defense and Cyber Science Branches at the Air Force Research Laboratory in Rome, NY. He noted that military organizations are necessarily already experienced at “guaranteeing mission essential functions in contested environments” and suggested that the cyber-security world could learn from their general approach. He divided this approach into four stages: Avoid threats (including hardening systems, working on information assurance, and minimizing vulnerabilities in critical systems), survive attacks (develop new, adaptive, real-time responses to active attacks), understand attacks (forensics), and recover from attacks (build immunity against similar future attacks). Necessary developments to meet these guidelines are improved understanding of requirements for critical functions (systems engineering) and real-time responses that go beyond our current monitor/detect/respond pattern. As a motivation for the latter, he gave the example of a fifth generation fighter, nicknamed a ‘flying network’. When its technological systems are under attack, looking through the log file afterwards is “too little, too late”.

Dr. Saurabh Bagchi of CERIAS and the Purdue School of Electrical and Computer Engineering described an innovative NSF-funded research project which offered real-time responses to attacks on large-scale, heterogeneous distributed systems. These systems involve a diverse array of third-party software and often offer a wide variety of vulnerabilities to an attacker. Additionally, attacks across these systems can spread incredibly quickly using trust relationships and privilege escalation, eventually compromising important internal resources. Any practical reaction must occur in machine-time. Dr. Bagchi’s research chose the following strategies: Use bayesian-inference to guess which components are currently compromised at a given time, and from that information estimate which are most likely to be attacked next. Focus monitoring efforts on those components precieved as at risk. Use knowledge of the distributed system to estimate the severity of the attack in progress, and respond appropriately with real-time containment steps such as randomizing configurations or restricting access to resources. Finally, he emphasized the importance of learning from each attack. Long-term responses should abstract the main characteristics of the attack and prepare defenses suited to any similar attacks in the future.

Dr. Sanjai Narain, a Senior Research Scientist in Information Assurance and Security at Telcordia Research, described his own work on distributed systems defense—a novel, concrete solution for the type of immediate containment suggested by Dr. Bagchi. Although the high-level abstraction of a network as a graph is relatively straightforward, the actual configuration space can be incredibly complex with very many variables to set at each node. ConfigAssure is an application which eliminates configuration errors by using SAT constraint solvers to find configurations which satisfy network specifications. For any given specification, there are likely many correct configurations. In order to successfully attack a network, an attacker must gain some knowledge of its layout (such as the location of gateway routers). By randomizing the network configuration between different correct solutions to the specification, an attacker can be prevented from learning anything useful about the network while the users themselves remain unaware of any changes.

Dr. Cristina Nita-Rotaru, an Assistant Director of CERIAS and an Associate Professor in the Department of Computer Science at Purdue, introduced an additional concern with maintaining mission continuity: maintaining continuity of communication. She offered the recent personal example of having her credit cards compromised while traveling. She was very quickly informed of this problem by her credit card companies and was thus able to make a risk-assessment of the situation and form a reasonable response (disabling one card while continuing to use the less vulnerable one until she could return home). When an attack compromises channels of communication, for example by taking out the network which would be used to communicate—as in jamming wireless networks, the information necessary to make a risk-assessment and form containment strategies is not available. Thus when considering real-time reactions to attacks, it’s important to make sure the communication network is redundant and resilient.

Dr. Hal Aldridge, the Director of Engineering at Sypris Electronics and a previous developer of unmanned systems for space and security applications at Northrop Grumman and NASA, discussed the utility of improving key-management systems to respond to real-time attacks. Key management systems which are agile and dynamic can help large organizations react immediately to threats. In a classic system with one or few secrets which are statically set, the loss of a key can be catastrophic. However, a much more robust solution is a centralized cryptographic key management system which uses a large, accurate model of the system to enable quickly changing potentially compromised keys, or using key changes to isolate potentially compromised resources. He briefly described his work on such a system.

Dr. Vipin Swarup, Chief Scientist for Mission Assurance Research in MITRE’s Information Security Division, emphasized one final very important point about real-time system defense: high-end threats are likely to exist inside the perimeter of the system. Our ability to prevent predictable low-end threats from entering the perimeter of our systems is reasonably good. However, we must also be able to defend against strategic, targeted, adaptive attacks which are able to launch from inside our security system. In this case, as the panel has discussed, the key problem is resiliency; we must be able to launch our real-time response from within a compromised network. Dr. Swarup summarized three main guidelines for approaching this problem: reduce threats (by deterring and disrupting attackers), reduce vulnerabilities (as Ratazzi described, understand system needs and protect critical resources), and reduce consequences (have a reliable response). Any real-time response strategy must take into account that the attacker will also be monitoring and responding to the defender, must be able to build working functionality on top of untrusted components, and must have a more agile response-set than simply removing compromised components.

After these introductions, there was time to address three questions to the panel [responses paraphrased].

“What time-scale should we consider when reconfiguring and reacting to an attack?”

Swarup: Currently we’re looking at attacks that flood a network in a day, and require a month to clean up [improvement is needed]. However, some attacks are multi-stage and take considerable time to execute [stuxnet]—these can be responded to on a human time scale.

Aldridge: It can take a lot of time to access all of the components in the network which need reconfiguring after an attack [some will be located in the ‘boonies’ of the network].

Bagchi: It can take seconds for a sensor to rest, while milliseconds are what’s needed.

“What are some specific attacks which require real-time responses?”

Aldridge: If you lose control of a key in the field, the system needs to eliminate the key easily and immediately.

Nita-Rotaru: When you are sending data on an overlay network, you need to be able to reroute automatically if a node becomes non-functional.

Narain: If you detect a sniffing attack, you can reroute or change the network-architecture to defend against it.

Ratazzi: Genetic algorithms can be used to identify problems at runtime and identify a working solution.

“What design principles might you add to the classic 8 to account for real-time responses/resiliency?”

Swarup & Nita-Rotaru: Assume all off-the-shelf mobile devices are compromised, focus on using them while protecting the rest of the system using partitioning and trust relationships, and by attempting to get trusted performance of small tasks over small periods of time in potentially compromised environment. Complete isolation [from/of compromised components] is probably impossible.

Ratazzi & Bagchi: minimize non-essential functionality of critical systems, focus on composing small systems to form larger ones, using segmentation-separate tools and accesses for separate functions-where possible to reduce impact of attack.