Security solution for voice and digital data communication

16 08 2012

Voice calls over the telephone network are easy to tap, whether by passive eavesdropping or by an active interceptor. Ordinary public telephone traffic is not treated as confidential, but voice communications that concern defense, national security or sensitive business matters need protection of their confidentiality, integrity and availability. These channels are constantly targeted by interceptors and man-in-the-middle attackers, chiefly hostile nations, terrorists, business competitors and rivals, so tapping of the communication cable or of the wireless link has to be assumed possible.

Robust security is required for all voice and data communication, and for the devices that carry it, in defense, national-security and business organizations. The growing digital world offers solutions to these threats: in a VoIP phone the voice (or data such as an image, a map or a presentation) is digitized by digital signal processors and microcontrollers [5], and the digitized samples are carried over Ethernet using the TCP/IP protocol suite.

Digitizing the voice or data does not by itself protect it: an intruder or man-in-the-middle can decode the digital voice samples [1] and regenerate the original audio after eavesdropping on the channel by active or passive tapping. The remedy is to embed a crypto device [2] in the VoIP phone itself, using a standard encryption algorithm to scramble the voice together with a key-management scheme; the same approach applies to other communication devices such as CDMA and GSM systems and terminals.

Many vendors offer crypto devices that establish a virtual private network and give end-to-end protection between two hosts, using DES or Rijndael (AES) for encryption, the Secure Hash Algorithm for integrity, and Diffie-Hellman or similar key exchange protocols for establishing and authenticating keys. Cost, however, is always the question: an organization has a large number of machines and phones, so fitting a separate crypto device to each phone or system is hard to justify.

The solution proposed below is aimed at telephone system design engineers and manufacturers, who can embed the crypto function in the VoIP phone itself. This is a large cost saving: an IP phone already has at least one DSP and a 16- or 32-bit controller, so by selecting an industry-standard encryption algorithm and a key-management technique the crypto device becomes part of the phone. The encryption algorithm, its mode of operation and the key management must of course be identical on the calling and the called phone.

Since users connect to IP subnets through their communication terminals and must be authorized, registered users on the IP servers, the same scheme extends to computers, laptops, fax machines and CDMA or GSM terminals with a suitable interface for routing. Because the IP phone needs only an Ethernet connection, the same device can be used to encrypt, transmit and receive any digital data.

Solution: Digitize the analog voice input with a PCM codec (64 kbps) and compress the voice data on the DSP, or feed digital data directly from a computer, fax machine or laptop. Implement the Rijndael AES encryption algorithm [1] with a 256-, 192- or 128-bit key on the microcontroller, which receives both the data and the key. Note that AES always operates on 128-bit (16-byte) blocks regardless of key length, and that a continuous voice stream must be encrypted in a mode such as CTR rather than block by block (ECB): identical PCM frames, such as periods of silence, would otherwise produce identical ciphertext and reveal the structure of the call.

Figure 1: Digitized voice data Encryption using AES

AES encryption [1] first expands the key into round keys, then applies an initial Add round key followed by ‘n’ rounds (10, 12 or 14 for 128-, 192- or 256-bit keys) of Substitute bytes (replacement from a lookup table), Shift rows, Mix columns (a fixed matrix multiplication in GF(2^8)) and Add round key; the final round omits Mix columns. Decryption uses the same expanded key in reverse order with the inverse transformations Inverse shift rows, Inverse substitute bytes, Add round key and Inverse mix columns, looping the same number of rounds.

Key management can be achieved using one of the following mechanisms:

-Using a specific pre-shared key for each communication.

-Allowing the handset to select a key at random from a pool of available keys and agreeing on it with the called party’s handset through a key exchange protocol.

-Using public-key and private-key methodology.

Encryption of the digitized voice data proceeds as follows:

-Take 16 bytes of digitized voice (in hex) as a 4×4 matrix of bytes, the state, filled column by column, and process one block at a time.

-Add the round key: XOR each byte of the state with the corresponding byte of the cipher key.

-Substitute bytes: use a 16×16 lookup table (the S-box) whose rows and columns run from 0 to f; index it by the high and low hex digit of each byte and replace every byte of the state with the table entry at that position.

-Shift rows: rotate row 0 of the 4×4 state by 0 bytes, row 1 by 1 byte, row 2 by 2 bytes and row 3 by 3 bytes to the left.

-Mix columns: multiply each column of the state by the fixed 4×4 MixColumns matrix (arithmetic in GF(2^8)) to obtain the new column.

-Add the round key: XOR each column of the state with the corresponding column of this round’s key, then repeat the four steps above for the remaining rounds, omitting Mix columns in the final round.

Decryption at the called handset applies the inverse steps in reverse order to recover the digitized voice data; the codec then decodes it and the DSP reproduces the voice.
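The round structure above, as an added example that is not part of the original post: a pure-Python AES that supports all three key sizes and derives the S-box from the field arithmetic instead of hard-coding it, together with CTR mode so a continuous PCM stream can be encrypted without the ECB pattern leak. The frame bytes and the nonce are constructed for the demonstration; in a real phone the nonce would be carried in call setup and never reused under the same key.

```python
import os


def _xtime(a):
    """Multiply by x (0x02) in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    """Shift-and-add multiplication in GF(2^8)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = _xtime(a), b >> 1
    return p


def _build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the fixed affine map."""
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):            # powers of the generator 0x03
        exp[i], log[x] = x, i
        x ^= _xtime(x)
    sbox = [0] * 256
    for b in range(256):
        inv = exp[(255 - log[b]) % 255] if b else 0
        s = inv
        for _ in range(4):          # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[b] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def _expand_key(key):
    """Key schedule for a 16-, 24- or 32-byte key; returns nr+1 round keys of 16 bytes."""
    assert len(key) in (16, 24, 32)
    nk, rcon = len(key) // 4, 1
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:                   # extra SubWord for AES-256
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nk + 7)]


def _shift_rows(s, inverse=False):
    """State is 16 bytes in column-major order (index = 4*column + row)."""
    d = -1 if inverse else 1
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]


def _mix_columns(s, m):
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for row in m:
            v = 0
            for coef, byte in zip(row, col):
                v ^= _gmul(coef, byte)
            out.append(v)
    return out


def encrypt_block(key, block):
    """Initial AddRoundKey, then nr rounds; the last round has no MixColumns."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, len(rk)):
        s = _shift_rows([SBOX[b] for b in s])
        if r < len(rk) - 1:
            s = _mix_columns(s, MIX)
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)


def decrypt_block(key, block):
    """Same key schedule, inverse transforms applied in reverse order."""
    rk = _expand_key(key)
    nr = len(rk) - 1
    s = [b ^ k for b, k in zip(block, rk[nr])]
    for r in range(nr - 1, -1, -1):
        s = [INV_SBOX[b] for b in _shift_rows(s, inverse=True)]
        s = [b ^ k for b, k in zip(s, rk[r])]
        if r > 0:
            s = _mix_columns(s, INV_MIX)
    return bytes(s)


def ctr_crypt(key, nonce, data):
    """CTR mode: XOR the stream with AES(nonce || counter); one call encrypts and decrypts."""
    assert len(nonce) == 12, "12-byte nonce + 32-bit block counter"
    out = bytearray()
    for i in range(0, len(data), 16):
        keystream = encrypt_block(key, nonce + (i // 16).to_bytes(4, "big"))
        out += bytes(a ^ k for a, k in zip(data[i:i + 16], keystream))
    return bytes(out)


if __name__ == "__main__":
    key = bytes(range(16))
    # Constructed sample: two identical 16-byte PCM frames (2 ms at 64 kbit/s), the
    # repetition you get during silence. ECB would emit two identical ciphertext blocks.
    frame = bytes([0x80, 0x7F] * 8)
    nonce = os.urandom(12)
    ct = ctr_crypt(key, nonce, frame * 2)
    print(ct[:16] != ct[16:32])                    # True: CTR hides the repeat
    print(ctr_crypt(key, nonce, ct) == frame * 2)  # True: round trip
```

The block is checked against the FIPS-197 Appendix C vectors for all three key sizes; a microcontroller port would precompute the S-box and round keys once per call rather than on every block, as this demonstration does.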

With this solution a telephone manufacturer can easily enhance a VoIP phone into a crypto-capable phone, saving a great deal compared with designing a standalone crypto device, and organizations can protect business-sensitive voice and data with a small investment. A further advantage is that the same communication channel carries both voice and data.

__________

  1. Security in Computing, Fourth Edition, By Charles P. Pfleeger –  Pfleeger Consulting Group, Shari Lawrence Pfleeger –  RAND Corporation
  2. Hardware TCP/IP Encryption – http://www.copytele.com/pdf/DCS-1700%20Spec.pdf
  3. IP-KRYPTO cipher machine for military use – http://www.nit.eu/czasopisma/JTIT/2004/4/64.pdf
  4. Voice and Data Encryption Rohde & Schwarz SIT – crypto technology for mission-critical environments http://www.rohde-schwarz.co.in/file_18186/TopSec-Mobile-VoIP_bro_en.pdf http://www.rohde-schwarz.co.in/file_18187/TopSec-Mobile-VoIP_bro_de.pdf
  5. IP Telephone Design and Implementation Issues – White Paper William E. Witowsky, Senior Vice President Engineering & Chief Technical Officer http://focus.ti.com.cn/pdfs/bcg/ip_telephone.pdf

 





Cloud computing

15 08 2012

Cloud computing is taking on a larger role in the way we use technology.  In our personal and professional lives, we use iPads, iPods and other iDevices to connect to Apple’s cloud, which contains everything from our vacation photos and workout playlists to our budget spreadsheets and business presentation slideshows (we also use Android devices to do the same with Google’s cloud).  We love the convenience of being able to access our data from anywhere, at anytime, and that we don’t have to worry about purchasing or toting around storage devices with limited space.

A similar movement is taking place in the business realm as well.  According to an article at Computerworld, the “market for public cloud infrastructure, platforms and applications is large and growing much more quickly than any other type of IT spending.”  The article cites various studies which predict the market will reach anywhere from $56 billion to $100 billion by the year 2014, but all of the numbers are moving upward (it states that the market was $16 billion in 2010) [1].

However, cloud computing is not free from reservations among potential adopters.  A Forbes article recently cited a North Bridge Venture Partners survey of 785 companies which revealed that only 50% of respondents expressed “complete confidence” in this form of data management.  “Security remains the primary inhibitor to adoption in the burgeoning cloud marketplace with 55% of respondents identifying it as a concern,” the article states. [2]  With great legal, financial, and reputational stakes at risk, it is understandable why some business organizations may be shy about outsourcing the management and protection of sensitive data to outside entities.

However, new developments in data management may change this.  One notable breakthrough is “fully homomorphic encryption,” developed by Craig Gentry at IBM.  This method

uses a mathematical object called an ideal lattice, to allow people to fully interact with encrypted data in ways previously thought impossible. The implications of the technique mean that computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their client’s behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry’s technique, states a release, the analysis of encrypted information can yield the same detailed analysis as if the original data was fully visible to all. [3]
Such a technique would prove useful in many business contexts.  For example, a healthcare organization that entrusts the management of patient data to a cloud provider may wish to request a report of the number of patients presenting with a particular complaint, or the frequency with which a particular medication was administered over the past month.  With fully homomorphic encryption, the provider could generate such a report without ever viewing any sensitive patient information.
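The healthcare report above, as an added example that is not from the original post. Gentry's lattice-based scheme is far too large for a short script, so this uses the Paillier cryptosystem instead: it is only additively homomorphic (sums and multiplication by a known constant, not products of two encrypted values, which is what makes Gentry's scheme "fully" homomorphic), but that is exactly enough for a count of patients carrying a given flag. The primes, the patient flags and the function names are constructed for illustration, and the key is far too small for real use.

```python
import secrets
from math import gcd

# Constructed toy key pair: two small primes. Real deployments use primes of
# roughly 1024 bits or more; these only keep the arithmetic readable.
P, Q = 104729, 1299709
N = P * Q                                          # public modulus
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)    # lcm(p-1, q-1), private
G = N + 1                                          # standard choice of generator


def _L(u):
    return (u - 1) // N


MU = pow(_L(pow(G, LAMBDA, N2)), -1, N)            # private decryption constant


def encrypt(m):
    """Client side (public key only): E(m) = g^m * r^n mod n^2 with a fresh
    random r, so equal plaintexts (two patients with the same flag) encrypt
    to different ciphertexts and the provider cannot group records by value."""
    assert 0 <= m < N
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return (pow(G, m, N2) * pow(r, N, N2)) % N2


def decrypt(c):
    """Client side only: needs LAMBDA and MU, which the cloud never holds."""
    return (_L(pow(c, LAMBDA, N2)) * MU) % N


def add_encrypted(c1, c2):
    """Cloud side: multiplying ciphertexts adds the hidden plaintexts."""
    return (c1 * c2) % N2


def scale_encrypted(c, k):
    """Cloud side: raising a ciphertext to a known constant k multiplies the plaintext by k."""
    return pow(c, k, N2)


def encrypted_count(flag_ciphertexts):
    """Cloud side report: total of encrypted 0/1 'presented with complaint X'
    flags, computed without decrypting a single record. encrypt(0) needs only
    the public key, so the provider can produce the neutral starting value."""
    total = encrypt(0)
    for c in flag_ciphertexts:
        total = add_encrypted(total, c)
    return total


if __name__ == "__main__":
    # Constructed sample: ten patient records, flag = 1 if the complaint was present.
    flags = [1, 0, 1, 1, 0, 0, 0, 1, 0, 0]
    records = [encrypt(f) for f in flags]       # what the provider stores
    report = encrypted_count(records)            # what the provider computes
    print(decrypt(report))                       # 4, readable only by the client
```

The provider sees only `records` and `report`; the count becomes visible the moment the client decrypts it, and nothing in between requires the client to take part.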

While the ascent into the cloud is likely to continue, developments in data security will play a large factor in speeding its acceptance.

_____________

[1] http://blogs.computerworld.com/16863/cloud_computing_by_the_numbers_what_do_all_the_statistics_mean

[2] http://www.forbes.com/sites/joemckendrick/2012/06/20/cloud-computing-simply-isnt-that-scary-anymore-survey/

[3] http://www.banktech.com/risk-management/218101557





Disaster Recovery and Business Continuity Planning ~ Success Path

14 08 2012

As the name implies, disaster recovery planning is the process of developing the procedures needed to recover from a disaster and bring productive assets, businesses, properties, systems and people back to life. People tend to ignore a matter they see no benefit or value in, but it does not have to be that way: the neighbor next door may be hit by fire, and that can affect your own premises. There are many things to consider in disaster recovery planning. Many businesses have gone for years without stepping back to review and analyze their changing business processes and ask what might happen, yet it takes only a second for a disaster to strike. On the other hand, there are companies with a solid disaster recovery plan in place that is nevertheless not effective; it has flaws and limitations, and the organization needs to act to get on the path to success. Below are some of the challenges and the key steps for getting on the right path.

Challenges

  1. Inadequate planning: One issue in disaster recovery planning is the failure to plan thoroughly and comprehensively. A company that fails to plan is planning to fail. The response team must develop comprehensive actions for before, during and after a disruptive event. “A variety of concerns have prompted IT organizations to create a disaster recovery plan, with 69% citing natural disasters, 57% naming virus attacks and 31% specifying war and /or terrorism” [2]. This shows the range of risks an organization faces when it fails to plan adequately for disasters. Disasters strike often, and a well-prepared organization is no less likely to be struck than an unprepared one; the difference is that an organization with thorough, well-executed planning recovers far better than one with no plan or a poor one. Many factors have to be taken into consideration: every day brings incidents, and disaster may come from tumultuous weather, earthquakes, terrorist attacks, civil unrest, political turmoil or natural disasters such as floods. The organization needs to analyze these factors in relation to its business operational commitments.
  2. Lack of effective communication: It is not a smart idea to wait until disaster strikes to define roles and plan for communication; the earlier the better. Communication plays an integral part in any operation, whether in engineering, information technology, logistics, medicine, law or military defense. In the business world, organizations with a good communication plan in place are known to be more successful than counterparts that lack one. Snedaker (2007) stated, “Poor handling of the crisis communication piece results in an exacerbation of the existing problems and leads to further decline in sales and customer confidence” (p. 101) [3]. In other words, not knowing how to handle crisis communication within an organization can turn an incident into a disaster that cannot be controlled quickly. This is why training and practice of every operational measure are an essential part of how a business develops. There is a saying that “if you don’t use it you lose it”, and the same applies to communication skills. Compare the military environment, where each unit or command has a training plan with general-quarters drills for fire and flooding, flight and rescue operation drills and other pertinent scenarios. The members practice, and practice again, until every member of the team can perform the assigned role, because the unit can be tasked to deploy forward to a desert at any time, and communication is the key to survival since it demands attention to detail.
  3. Lack of full top management support: Management support for disaster recovery and business continuity planning is crucial. Unfortunately, not many organizations view disaster recovery as an operational subject, and in that situation the disaster recovery team finds it hard to execute the plan fully because it is not an organizational priority. Funding problems stop many organizations from pursuing what would safeguard their business operations. Many top executives take no interest in disaster recovery and business continuity planning until the first disaster strikes and almost nothing is left to continue the business. “So getting buy in at the top requires a Business Continuity professional to have better understanding of the concerns of Top Management and an ability to communicate any risk concerns in a language they are familiar with” [1]. In some cases the disaster recovery team will need to convince top management with a simple presentation and a justification that explains the benefits and how the business would move forward and recover from a disaster. Unfortunately, that is just how things work with some people in the business world.

Key Steps

  1. Gathering the recovery planning team: Perhaps the first key step in disaster recovery is identifying the members of the planning team, from the security team and the assessment team down to the damage control team. It is imperative that the members work together and communicate effectively toward a common goal. When roles are assigned, every member should also learn the others’ roles, so that if one member is unavailable a backup can fill the position and carry on the mission. As soon as the teams are set up, team management should schedule dates and times for activities, drills, rehearsals and the like. At this point the team should make sure top management is involved, with at least one executive taking a role in team management; this helps the process of funding disaster recovery training. The main focus is to carry everyone along, because safety is everyone’s business.
  2. Evaluating risk within and outside the organization: Risk assessment is one of the key steps toward disaster recovery and business continuity planning. Analyzing these risks gives management a clear idea of what to look for before, during and after a disaster. Management should review everything from rules and regulations, laws, governing bodies, business processes, incident response procedures and safety guidelines to previous disasters. In addition, all IT infrastructure should be examined to determine how business operations depend on outside parties, and management should engage those outside entities and establish effective communication with them.
  3. Establishing guidelines and policies: There is a saying that “in a town with no laws there is no sin”. Management must have control measures that all employees adhere to and follow diligently. These guidelines and policies must be thoroughly analyzed and reviewed from time to time to keep them up to date, and written so that everyone can understand them, since the purpose is to reach a common goal.
  4. Disaster recovery documentation: With the guidelines and policies in place, management must set up a defined way of documenting every key step in DR/BCP planning, with details of each incident. In addition, the organization must identify a team to manage, monitor and maintain the documentation.
  5. Incorporating DR/BCP testing and ongoing training: Disaster recovery planning requires testing to ensure that what the organization has put in place actually works and meets its needs. As mentioned earlier, training is crucial to any business operation, and top management’s ability to handle a crisis in the working environment will also help in the event of a disaster.
  6. Continuous improvement: This is the maintenance stage of disaster recovery and business continuity planning. It is crucial to maintain momentum by making sure management reassesses and re-evaluates the plan against ongoing technological change and the working environment. Change is inevitable, and management should be flexible enough to integrate any change that affects the initial planning requirements.

________________

[1] Bird, L FBCI (2012) Business continuity – getting buy-in at the top. Retrieved from Disaster Recovery Journal website: http://www.drj.com/business-continuity-getting-buy-in-at-the-top.html

[2] Symantec Corp. (2007). Companies Exposed from Inadequate Disaster Recovery Planning, Testing. Retrieved from Symantec website: http://www.symantec.com/about/news/release/article.jsp?prid=20071016_01

[3] Snedaker, S. (2007). Business Continuity & Disaster Recovery for IT Professional. Burlington, MA: Syngress Publishing Inc.





The Future of Gaming……Security

9 08 2012

When most people think of online security they don’t immediately think of online gaming through popular outlets such as Facebook (i.e. Farmville / Mafia Wars), XBOX Live, Sony PlayStation Network, or Blizzard (World of Warcraft), but the virtual world is ripe for the picking and full of vulnerabilities.  These social media outlets connect people like never before but they also expose a rich new environment for cyber criminals to exploit.  Consumers should be aware of the risks that exist in the virtual world of online gaming so that they can best protect themselves.

Online Gaming Vulnerabilities / Risks:  There are several vulnerabilities that exist in online gaming that can result in loss of confidential consumer information.  These vulnerabilities are as follows along with their associated risks and real world exploitation examples:

  • Account Hosting Vulnerabilities:  Because online gaming is typically a subscription service, users must register with the provider and establish an account, supplying personal information and a credit card.  This information is kept in the provider’s hosting environment and is used to pay for the subscription and to purchase items relevant to the game.  Many online games also use a virtual currency for in-game transactions, which the user buys with real-world money on a credit card.  Because these services have an extremely large user base, they are a desirable target for attackers who want to steal consumers’ confidential information for identity theft.  A prime example occurred on April 20, 2011, when the Sony PlayStation Network was hacked.  The attack resulted in the theft of 24.6 million PlayStation accounts and 12,700 credit card numbers (Wikipedia, 2012).  The stolen data was believed to include names, addresses, birthdates, email addresses, PlayStation Network usernames and passwords, and security questions and answers, all usable for identity theft or fraud (Schreier, 2011).  To make matters worse, Sony waited nearly a full week (6 days) before announcing to PlayStation Network users what had occurred and who was affected.  After the intrusion was detected, Sony shut down the PlayStation Network for 24 days while it tried to discover the extent of the damage and repair the vulnerabilities in the network.  The 24-day outage outraged the network’s 77 million customers and was estimated to cost the company $171 million in lost revenue, plus untold reputational damage (Wikipedia, 2012).
Sony stated that credit card information was encrypted and account passwords were stored as hash values, but the attackers may have been able to decrypt the credit card data while inside the network (Wikipedia, 2012).
  • Social Engineering Vulnerabilities:  Much like users of any other online service, online gamers are susceptible to phishing.  Phishing is popular with game-account criminals because once they have access to a user’s account they can buy items or virtual currency with the credit card stored on file.  Phishing has become a major issue for Microsoft, where users have received phishing attempts by email or in pop-ups while playing popular titles such as Modern Warfare 2 (Yin, 2011).  With the credentials in hand, a criminal can log on as the user and make purchases; in some cases the stolen account details are sold on the black market.  Microsoft has seen a large number of compromised accounts and fraud from phishing combined with a weakness discovered in the Xbox Live login.  Someone trying to log in at XBOX.com with a valid email address was returned an error message that distinguished an invalid account ID from an incorrect password (Pereira, 2012), so an attacker could first confirm which IDs exist and then brute force the password.  The attack worked because Microsoft did not lock accounts after a set number of failed logon attempts; instead it displayed a CAPTCHA after eight failures.  (A CAPTCHA shows distorted characters that only a human should be able to read and type in order to proceed.)  The CAPTCHA was defeated by scripting the brute force to make fewer than seven guesses, then click an external link, which reset the CAPTCHA counter so the attack could continue (Pereira, 2012).  The two lessons are that a login error must not reveal whether an account ID exists, and that a failure counter must be kept server-side per account and reset only by a successful login or a timed expiry, never by unrelated navigation.
  • Online Game / Software Vulnerabilities:  Much like traditional application software, online games frequently have software vulnerabilities that can be exploited by hackers for malicious purposes or to wreak havoc on a virtual community.  An example was seen in Blizzard’s popular World of Warcraft, where a group of players known as “griefers” found and exploited a flaw that let them turn a contagious in-game disease called “Corrupted Blood” against other players, killing their characters.  The disease was only meant to be experienced in one part of the game, but the developers failed to confine the curse to that area, and the griefers exploited its self-propagation to create a plague across the virtual world (Lemos, 2005).  A second example, and a predecessor to “Corrupted Blood”, was seen in The Sims 2.  The Sims developer, Will Wright, intentionally added a malicious Trojan horse to the game: players could purchase a pet guinea pig, and if a player failed to keep its cage clean and then tried to pet it, the character could be bitten.  Once bitten, the character was infected with a contagious virus and began sneezing, the virus could spread to nearby characters, and an infected character that failed to get sufficient rest would die (Markoff, 2000).  Both examples show how game vulnerabilities can be exploited to disrupt play or cause mayhem, and it is easy to see how software vulnerabilities could be exploited for more malicious purposes such as taking control of an account or finding a backdoor into the system to steal confidential information.
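A model of the two login weaknesses described above (an error message that confirms whether an account ID exists, and a CAPTCHA counter that an unrelated page request resets) beside a hardened version, as an added example that is not from the original post and is not Microsoft's code. The class names, thresholds, sample accounts and attacker loop are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 20_000   # kept low so the demo runs quickly; use a far higher cost in production


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_db(accounts):
    """accounts: {email: password}. Stores only salt + PBKDF2 hash, never the password."""
    db = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        db[email] = (salt, hash_password(password, salt))
    return db


class FlawedLogin:
    """Assumed model of the weak behaviour: distinct errors for unknown ID and bad
    password, a CAPTCHA only after 8 consecutive failures, and a single failure
    counter that any other page request resets."""
    CAPTCHA_AFTER = 8

    def __init__(self, users):
        self.users = users
        self.failures = 0

    def visit_other_page(self):
        self.failures = 0                      # the reset the attacker abuses

    def login(self, email, password):
        if self.failures >= self.CAPTCHA_AFTER:
            return "captcha-required"
        record = self.users.get(email)
        if record is None:
            return "unknown-account"           # confirms which IDs exist
        salt, stored = record
        if hmac.compare_digest(stored, hash_password(password, salt)):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "bad-password"


class HardenedLogin:
    """Per-account counter held server-side; reset only by a successful login or
    by expiry of the lockout window; one generic error for every failure."""
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock                     # injectable so tests can advance time
        self.state = {}                        # email -> (failure count, locked-until)
        self.dummy_salt = os.urandom(16)

    def login(self, email, password):
        now = self.clock()
        count, locked_until = self.state.get(email, (0, 0.0))
        if now < locked_until:
            return "invalid-credentials"       # locked: even the right password fails
        if locked_until:
            count, locked_until = 0, 0.0       # lockout window has expired
        record = self.users.get(email)
        if record is None:
            hash_password(password, self.dummy_salt)   # equal cost for unknown IDs
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(stored, hash_password(password, salt))
        if ok:
            self.state.pop(email, None)
            return "ok"
        count += 1
        if count >= self.MAX_FAILURES:
            locked_until = now + self.LOCKOUT_SECONDS
        self.state[email] = (count, locked_until)
        return "invalid-credentials"           # same text for unknown ID and bad password


def brute_force(service, email, candidates, use_reset_trick=False):
    """Attacker loop: returns (password found or None, guesses actually evaluated).
    With the trick, an unrelated page is requested after every 7 guesses."""
    evaluated = 0
    for i, guess in enumerate(candidates):
        if use_reset_trick and i and i % 7 == 0:
            service.visit_other_page()
        result = service.login(email, guess)
        if result == "captcha-required":
            break
        evaluated += 1
        if result == "ok":
            return guess, evaluated
    return None, evaluated
```

Against `FlawedLogin` the reset trick lets the whole candidate list be tried with no CAPTCHA ever shown; against `HardenedLogin` the account locks after five failures and the attacker cannot even tell whether the ID was valid.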

Online Gaming Protection:  Clearly the vulnerabilities that exist in online gaming pose a threat to consumers that can lead to fraud or identity theft.  The question remains what can one do online to protect themselves in order to help prevent these issues.  The answer to this question is to abide by the same good access control principles that are recommended for traditional cyber security.

  • Strong IDs / Passwords:  Online gamers should use unique IDs and passwords for online gaming accounts.  Additionally passwords should be strong, greater than 10 characters containing numbers and letters as well as upper and lower cases.  Passwords should also be changed on a predefined frequency (Trendmicro, 2012).
  • Virus Protection / O/S Patches:  Users gaming from a PC should always ensure that they are running up-to-date virus protection and current operating system patches (Trendmicro, 2012).
  • Never Share Credentials:  Online gaming users should never share credentials with other users or supply credentials to individuals claiming to work for the parent game hosting company (XBOX.com, 2012).
  • Avoid Suspicious Emails or Pop-ups:  Online gaming users should be suspicious of pop-ups or emails requesting confidential information.  Many of these are phishing attempts by hackers (Trendmicro, 2012).
  • Use Secured Networks:  Online gaming users should never play online using an unsecured Wi-Fi connection.  Users should utilize a Wi-Fi connection that utilizes WPA or WPA2 security.  Additionally online PC gamers should ensure that they are connected to the host site with a secure SSL connection as indicated by HTTPS in order to ensure their data in transit is encrypted (Trendmicro, 2012).
  • Credit vs. Debit:  When establishing an online gaming account, users should opt to use a credit card over a debit card in order to avoid responsibility should any fraudulent activity occur (Trendmicro, 2012).

Conclusion:  The world of online gaming is full of vulnerabilities that can be exploited by hackers and is a highly desirable target due to the exceedingly large number of users.  As shown by the Sony PlayStation Network case the consumer is at the mercy of the provider to ensure that personal information is kept confidential and vulnerabilities are reported in a timely manner.  However the consumer can still take certain precautions as outlined above in order to help protect their personal information’s confidentiality and integrity.

 _____________

Cummings, A. (2012, June). 95-752 Information Security Management. Lectures 1-4. Pittsburgh, Pennsylvania, USA.

Lemos, R. (2005, September 9). Digital plague hits online game World of Warcraft. Retrieved June 27, 2012, from SecurityFocus: http://www.securityfocus.com/news/11330

Markoff, J. (2000, April 27). Something Is Killing the Sims, and It’s No Accident. Retrieved June 27, 2012, from The New York Times: http://partners.nytimes.com/library/tech/00/04/circuits/articles/27sims.html

Pereira, C. (2012, January 1). Is Xbox.com to Blame for Frequent Xbox Live Account Hacks? Retrieved June 27, 2012, from 1up.com: http://www.1up.com/news/xbox-com-security-loophope-hacks

Pfleeger, C. P. (2009). Security in Computing. Upper Saddle River, NJ: Prentice Hall.

Schreier, J. (2011, April 26). PlayStation Network Hack Leaves Credit Card Info at Risk. Retrieved June 6, 2012, from Wired.com: http://www.wired.com/gamelife/2011/04/playstation-network-hacked/

Trendmicro. (2012, April 1). A simple guide to gaming security. Retrieved June 27, 2012, from Trendmicro.co: http://www.trendmicro.co.uk/media/br/simple-guide-to-gaming-en.pdf

Wikipedia. (2012, June 6). PlayStation Network outage. Retrieved June 6, 2012, from Wikipedia: http://en.wikipedia.org/wiki/PlayStation_Network_outage

XBOX.com. (2012, June 27). Xbox LIVE Account Security Check List. Retrieved June 27, 2012, from XBOX.com: http://www.xbox.com/en-US/Live/Account-Security/Security-Checklist

Yin, S. (2011, April 27). Microsoft Warns of ‘Modern Warfare 2’ Phishing Attacks. Retrieved June 27, 2012, from PCMag.com: http://www.pcmag.com/article2/0,2817,2384395,00.asp

 





Cloud Computing

6 08 2012

Cloud computing is taking on a larger role in the way we use technology.  In our personal and professional lives, we use iPads, iPods and other iDevices to connect to Apple’s cloud, which contains everything from our vacation photos and workout playlists to our budget spreadsheets and business presentation slideshows (we also use Android devices to do the same with Google’s cloud).  We love the convenience of being able to access our data from anywhere, at anytime, and that we don’t have to worry about purchasing or toting around storage devices with limited space.

A similar movement is taking place in the business realm, as well.  According to an article at Comupterworld, the “market for public cloud infrastructure, platforms and applications is large and growing much more quickly than any other type of IT spending.”  The article cites various studies which predict the market to reach anywhere from $56 billion to $100 billion by the year 2014, but all of the numbers are moving upward (it states that the market was $16 billion in 2010) [1].

However, cloud computing is not completely free from scruples held by potential adopters.  A Forbes article recently cited a North Bridge Venture Partners survey of 785 companies and revealed that only 50% of responders expressed “complete confidence” in this form of data management.  “Security remains the primary inhibitor to adoption in the burgeoning cloud marketplace with 55% of respondents identifying it as a concern,” the article states. [2]  With great legal, financial, and reputational stakes at risk, it is understandable why some business organizations may be shy about outsourcing the management and protection of sensitive data to outside entities.

However, new developments in data management may change this.  One notable breakthrough is “fully homomorphic encryption,” developed by IBM.  This method “uses a mathematical object called an ideal lattice, to allow people to fully interact with encrypted data in ways previously thought impossible. The implications of the technique mean that computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their client’s behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry’s technique, states a release, the analysis of encrypted information can yield the same detailed analysis as if the original data was fully visible to all.” [3]

Such a technique would prove useful in many business contexts.  For example, a healthcare organization that entrusts the management of patient data to a cloud provider may wish to request a report of the number of patients presenting with a particular complaint, or the frequency with which a particular medication was administered over the past month.  With fully homomorphic encryption, the provider could generate such a report without needing to directly view any sensitive patient information.
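To make the healthcare report concrete, here is an added example that is not from the page, from IBM, or from Gentry’s lattice scheme: it uses Paillier, an additively homomorphic cryptosystem that supports only sums, which is all a patient count needs. The primes are constructed demo values, far too small for real use, and the patient flags are a constructed sample.

```python
# Added demonstration (not the page's or IBM's code): the Paillier cryptosystem,
# an additively homomorphic scheme, lets a provider tally encrypted patient
# flags without ever decrypting them.
import math
import secrets

# Constructed demo primes, far too small for real use (real keys use ~1024-bit primes).
DEMO_P = 1000000007
DEMO_Q = 998244353


def keygen(p: int = DEMO_P, q: int = DEMO_Q) -> tuple[int, tuple[int, int]]:
    """Public key is n = p*q (generator g = n + 1); private key is (lam, mu)."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)  # needs gcd(n, phi(n)) == 1, which holds for these primes
    return n, (lam, mu)


def encrypt(n: int, m: int) -> int:
    """Client side: c = (1 + n)^m * r^n mod n^2, with a fresh random r coprime to n."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return (pow(1 + n, m, n2) * pow(r, n, n2)) % n2


def decrypt(n: int, sk: tuple[int, int], c: int) -> int:
    """Client side: m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    lam, mu = sk
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


def add_encrypted(n: int, c1: int, c2: int) -> int:
    """Provider side: multiplying two ciphertexts adds the hidden plaintexts."""
    return (c1 * c2) % (n * n)


def provider_count(n: int, encrypted_flags: list[int]) -> int:
    """Provider tallies 'presented with complaint' flags, seeing only ciphertexts."""
    total = encrypt(n, 0)  # an encryption of zero seeds the running sum
    for c in encrypted_flags:
        total = add_encrypted(n, total, c)
    return total


def count_patients_with_complaint(flags: list[int]) -> int:
    """End to end: client encrypts 0/1 flags, provider sums, client decrypts."""
    n, sk = keygen()
    encrypted = [encrypt(n, f) for f in flags]  # only ciphertexts leave the client
    return decrypt(n, sk, provider_count(n, encrypted))


if __name__ == "__main__":
    # Constructed sample: seven patients, four of whom presented with the complaint.
    print(count_patients_with_complaint([1, 0, 1, 1, 0, 0, 1]))  # 4
```

The provider never holds the private key, so it learns only the encrypted tally; a fully homomorphic scheme extends the same idea to multiplication and therefore to arbitrary computation.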

While the ascent into the cloud is likely to continue, developments in data security will play a large factor in speeding its acceptance.
______________

[1] http://blogs.computerworld.com/16863/cloud_computing_by_the_numbers_what_do_all_the_statistics_mean

[2] http://www.forbes.com/sites/joemckendrick/2012/06/20/cloud-computing-simply-isnt-that-scary-anymore-survey/

[3] http://www.banktech.com/risk-management/218101557





Who are these hackers anyway? Why not put their skill to productive use?

5 08 2012

Earlier this year, at my job, at the facility I work at, it was discovered that the site had become infected with a virus.  Later, during the incident response, other viruses were found.  In total, it took about 40 IT professionals and technicians to work for a week, around the clock,  to “clean” the site, during which time, the facility operated at significantly reduced efficiency.

This was not the first time I was involved in a virus infection remediation effort; I participated in one about a dozen years before.  I suspect I’ll be involved in another sometime.

Shortly after that incident, I began a graduate level course entitled “Information Security Management”.  During the virus incident, and in the course, I heard references to hackers being the folks creating all this havoc.   I pondered, “Who are these hackers and why are they doing this stuff?  It seems so senseless and a waste of time.  Can’t they find a better use of their time?  Can’t they make a career from their skill?”

What exactly is a hacker?

This was the first question I wanted answered.

According to Merriam-Webster Online dictionary, two definitions are:

  • “an expert at programming and solving problems with a computer” or
  • “A person who illegally gains access to and sometimes tampers with information in a computer system”[i].

However, in reading articles about hacking and interviews with hackers, and from responses I received to my own inquiries, I’ve come to the conclusion that the Merriam-Webster dictionary definitions are poor.

During my quest to answer this question (and others that also came to mind), I found, via web searches, some very interesting interviews that were recorded with infamous and not-so-infamous hackers.  I also conducted my own “interviews” by contacting a few high level security professionals I knew of for the purpose of this article and a term paper I am writing, and asked the following questions:

  1. Do you hack?
  2. Is IT security a top priority for your organization?
  3. Do you conduct vulnerability assessments that include attempting to hack your own systems?
  4. Do you have any employees/associates in your organization that were hired for their hacking skills, knowledge, and experience?
  5. Do you (or your organization) consider hacking experience when hiring?
  6. How do you verify hacking experience?
  7. Do you see growth in the next several decades in this field?

I won’t go into each of those questions here.  But the answers to these questions did provide some insight.  One of the responses I received (name withheld) included, what I believe is, a pretty good description of a hacker and what hacking is:

“Hacking is a mindset. Maybe one is born with it, maybe one can develop it; definitely I was born with it and have then continued to further develop it throughout my life. Hacking is not just accepting that something is, but questioning how and why it is. How does it work? Why does it work that way? How can I change it? How can I make it do something different? A hacker thinks outside the box, questions what others assume to be true, and then tries to either prove, or disprove, depending on your viewpoint. Computer hacking is questioning the “security” of a device, application, or enterprise, and then trying to prove, or disprove, the “assumption of security.”

This description was consistent with other descriptions I found on the web.  However, I also discovered that many hackers despise the idea of being associated with those that cause harm to systems and others.

As it turns out, there are good hackers and there are bad hackers, and others that are on/off the fence.

My interpretation from what I’ve read is that the good guys, folks typically working for a respected organization, are called “White Hat” hackers, and use their skill to access systems or code they are authorized to hack for the purpose of identifying vulnerabilities.  They then report their findings so that those vulnerabilities can be addressed.

The bad guys are the ones not working for a respected organization, and use their skills to gain access to systems that they do not have permission to enter.  They do not necessarily report their findings to the folks that can remedy the situation, and may use the vulnerability to perform covert actions that may cause harm of some type.  These are the “black hats”.

But are they the ones writing the viruses, worms, and such?  According to D.D. Shelby in his blog “The Viral Mind: Understanding the Motives of Malicious Coders”[ii], people writing viruses are either:

  • hobbyists
  • just having fun
  • experienced coders pushing the envelope
  • seeking fame and fortune
  • A lone madman trying to cause harm.

The hackers in the first three categories above are generally not seeking to cause harm, but unfortunately, indirectly still do because their code still manages to get out and be put in use.  The last two categories include the truly bad hackers because they truly intend to put their code to use.

Why do they do this stuff?

According to one of my interviewees:

“The current computer hacker is motivated by

  • Financial gain,
  • Geopolitics/Righteous cause (activism), or
  • State sponsorship

Cyber-criminal organizations are run like big business and in some cases are state-sponsored or at least protected by the state. For instance the Russian mob is heavy into cyber-crime with office buildings staffed with security experts, programmers, project managers, and operations managers all functioning to create, propagate, and operate malware to steal personal information, credit information, and any type of financial information that can be used to steal money from the individual, the business, or directly from the financial institution itself.  The security resources working for these organizations are recruited, paid well, and provided with insurance, vacation, and other benefits. These organizations also troll the hacker and security conferences looking for recruits. The skilled hacker without a conscience would be well-compensated by these organizations.

Hacktivism, hacking for a geopolitical or righteous cause, can be a single actor or team-based function.

Team-based operations such as those performed by Anonymous and LulzSec are gaining the most attention.  These operations are performed by actors who volunteer to participate and they tend to be loosely tied together rather than a tight, cohesive team. There is very little money involved and some of the purported leaders are supposedly security consultants working their day job for large corporations and firms. These may in some cases be examples of black-hat hackers working both sides.”

The FBI confirms the above assertions about the Russian mob.  In an article published by eWeek regarding Russian organized crime hacking, they quoted John Collingwood, FBI assistant director for public affairs saying, “For the foreseeable future, we are going to see an explosion in this area.”[iii]

Can’t they make a legal career from their skill?

Of course they can!  In fact, many do.  A perfect example is the professional that I referenced earlier in the section entitled “What exactly is a hacker?”, and quoted above.   That professional, in fact, works for a large Fortune 500 company and his credentials include:

  • Certified Information Systems Security Professional (CISSP),
  • Certified Ethical Hacker (CEH),
  • Sun Certified System Administrator (SCSA),
  • Information Technology Infrastructure Library – Foundation (ITIL-F),
  • The Open Group Master Certified IT Architect,
  • and Enterprise Security Architect.

Another respondent to the questions I posed is the CISO for a large building material supply company.  This CISO hacks professionally and stated (in response to the question “do you hack?”), “I do this on a regular basis to understand, for example, a product or service we invest in and baseline the overall effectiveness.”

Finding a better use of their time

It will be impossible, in my opinion, to stop hacking altogether, since it is founded on human curiosity.  In researching this topic, I’ve come to respect the free spirit mindset, the curiosity, ingenuity, creativity, the sense of adventure that is so much a part of what makes a true hacker what they are.  In fact, after learning about their traits, I found myself relating very well to their way of thinking.  I personally don’t take the time to hack with computers; I find myself being more focused on being a good parent and husband.  If I did not have that to do, I think I might have found hacking to be a very enjoyable pastime.

Regarding the truly harmful hacking such as that generated by organized crime, and hacktivist groups, I think governmental authorities and the hacking community need to work together.  In fact, that may already be occurring.  I’ve discovered that there are large conventions held on both the black hat and white hat sides of hacking.  Interestingly enough, the Black Hat convention is for the white hats.  The DefCon convention is for all hackers and is an event that protects the attendees’ anonymity[iv].  I hope that in these conventions cross-socialization is occurring and that the white hats are getting positive help from those attending DefCon. These conventions would be a great forum for that to occur.

Going further, I hope the great minds at DefCon will use their abilities to coerce their peers to use their skills in a more productive and organized fashion.

I had a thought that it would be great if some people at DefCon would establish a non-profit that would apply their efforts to help society and technology providers make the networked world less vulnerable.  For example, at the convention, they could advertise and promote their cause and seek the participants at the convention to apply their craft toward their effort.

After having these thoughts, I spent more time on DefCon’s webpages.  In doing so, I came to realize that in fact this is happening; an organization called “Hackers for Charity” promotes their cause at DefCon.[v]

Summary

When I started this assignment, my general opinion was that what hackers do is bad.  After looking into the hacker culture, I’ve changed my mind.  They are not all bad.  As is true in all cultures, there are people behaving well, and others that are not behaving properly.  The question is: are there just a few bad apples, or are there a whole lot of them in the bushel?  Can bad apples become good apples?





Cyber warfare capabilities

4 08 2012

China has largely been seen as a formidable player in the burgeoning battle for cyber supremacy. Over the past few years, Western governments have begun to stand up their own cyber warfare capability. How far have we come and how far do we have to go? The threat of cyber attacks continues to manifest itself. There is considerable debate as to the risk involved or the motivation, but one thing cannot be denied. Systems and networks are compromised every day. As a result, the United States has begun to invest resources in the realm of cyber defense and cyber attack capabilities.

Realistically, our ability to cultivate a force of network defenders seems somewhat elementary. This is a discipline which not only requires a fundamental education in the legal considerations of defending (or attacking) networks, but also a healthy education “in the trenches”. Network defense capabilities rely on the disciplines of protection, information assurance, and computer and network forensics. Network attack relies on strategy, evasion, research, subterfuge, and a little luck. There are also ethical considerations when determining how to create a force of network attackers. We have little legislation that governs offensive action over the network. While we are increasing our cyber warfare capability in the military, there is minimal published doctrine governing the deployment of this capability.

Additionally, we must be careful in how we evaluate the cyber domain when cultivating our cyber capabilities and, of course, waging cyberwar. Rand researcher Martin C. Libicki argues that our cyber capability should be largely focused on defense rather than offense because “something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace” (Libicki, 2009). In essence, it is much more difficult to uncover and reuse reliable attack vectors than with conventional warfare. The lifespan of a kinetic weapon system is measured in years, but a cyber attack vector lifespan may only be measured in days, especially if cyber enemies are aware of their own vulnerabilities and their enemy’s ability to exploit them. The monetary investment required to create an operational force of network attack specialists, that can quickly uncover and exploit vulnerabilities may be too great. It can be argued then that recruiting and growing network defense specialists is indeed a smarter strategy for cyber warfare.

There are commercial organizations that teach network defense and attack skills, under the standard of “ethical” hacking, but this is an entirely different subset of hacking that isn’t necessarily suited to actual warfare. The military may indeed be the only place that can appropriately train this skillset. Certainly, many penetration testers were curious system or network administrators that were quick learners and had a knack for hacking. For them, the challenge of accessing a system through unconventional means was a bit of a rush. Many hackers have taught themselves how to attack systems. But this type of education doesn’t seem to support the type of warfare that a mature government and civilization would prefer to wage. For instance, self-taught hackers may specialize in a particular area. A cyber defense force would require personnel with a firm grounding in multiple attack vectors and disciplines.

Dr. Mark Maybury, Chief Scientist of the United States Air Force said “without the right talent we are not going to be able to do anything” (Brownlow, 2012) in terms of defending and exploiting the cyber domain. This lack of talent is a challenge that the Air Force is heavily focused on resolving for the future. Creating a pipeline of cyber warriors seems somewhat futuristic, but the decision to do so is becoming more urgent. Many colleges are beginning to offer programs in cybersecurity (or a similarly named area of study). However, many of these programs prescribe a healthy dose of defense or incident response centric courses (criminal investigation or computer forensics), yet minimal instruction in attack methodologies or hands-on vulnerability assessment courses. For example, Utica College’s Cybersecurity program focuses heavily on cybercrime investigations. They do offer a system vulnerability assessment course, but it is an elective. The United States Air Force teaches an undergraduate network warfare training course which is starkly different from civilian collegiate offerings. A major difference is its use of mission simulators and network emulators that create an environment where targets are identified and exploited based upon strategic scenarios. This is the type of training that can adequately cultivate a force of network defenders.

In order to position ourselves as a formidable presence in the cyber domain, and to protect our national assets, we must smartly invest in the creation of a reliable cyber defense force. Fundamental cyber defense or security offerings at the collegiate level are one method, while military specific training is another. These methods rely on an appropriate evaluation of the cyber domain and the best way to defend it. An offensively focused strategy may not be the most efficient way to deter cyber attacks, and so new doctrine may be necessary to appropriately define our strategy.

_______________

Brownlow, C. (2012, July 19). Top AF scientist: ‘Airmen key to cyberspace success’. Retrieved July 22, 2012, from The Official Website of the U.S. Air Force: http://www.af.mil/news/story.asp?id=123310613

Libicki, M. C. (2009). Cyberdeterrence and Cyberwar. Arlington: Rand Corporation.