Private U.S. networks vulnerable to cyber attack: Pentagon

WASHINGTON — Privately-owned U.S. computer networks remain vulnerable to cyber attacks, and many U.S. companies are not doing enough to protect them, Deputy U.S. Defense Secretary Ashton Carter said on Wednesday.
“I hope this isn’t one of those situations where we won’t do what we need to do until we get slammed,” Carter told the annual Air Force Association conference.
Attacks on American computer infrastructure by other countries and criminal gangs have soared in recent years, according to U.S. government officials. Efforts to pass legislation to strengthen U.S. cyber security have met obstacles such as privacy issues.
Carter said the Pentagon was doing all it could to protect its own networks and develop offensive cyber weapons, but shoring up the nation’s overall cyber infrastructure — much of which is privately held — was far more challenging.
“When it comes to the nation’s networks there are many other forces and considerations that make it very complicated, and therefore very slow, and I’m concerned that it’s moving too slowly,” he told Reuters after his remarks at the conference.
“We’re still vulnerable and the pace is not adequate,” Carter told the conference, noting that many private companies either did not invest or invested too little in cyber security.
Congress’ failure to pass cyber security legislation this summer was very disappointing, Carter told Reuters after the speech, noting that the proposed measure would have helped increase U.S. cybersecurity “tremendously”.
As a result, the Obama administration was trying to move ahead on its own, within existing legislative constraints, he said.
“We’re trying to do without legislation some of the things — obviously we can’t do everything — that we need to do,” he said.
White House homeland security adviser John Brennan last month said the White House was exploring whether to issue an executive order to protect the nation’s critical computer infrastructure, but gave no details on the timing or possible content of such an order.
Carter told hundreds of industry executives and military officials at the conference that protecting the country’s privately-controlled computer networks raised myriad antitrust and privacy questions that needed to be addressed more quickly.
Some of those questions center on the amount and type of data that can be shared among private companies and with the government, and to what extent the government can get involved in protecting private networks.
The Pentagon is facing mounting budget pressures, especially if Congress fails to avert an additional $500 billion in across-the-board defense cuts due to start taking effect in January.
Carter said the budget reductions would have a devastating effect on a number of Pentagon programs, but continued investment in offensive and defense cyber operations would continue, along with unmanned systems, space capabilities and electronic warfare.
Debora Plunkett, of the secretive National Security Agency, whose responsibilities include protecting U.S. government computer networks, predicted earlier this month that Congress would pass long-stalled cybersecurity legislation within the next year.
She said other nations were increasingly employing cyber attacks without “any sense of restraint,” citing “reckless” behaviors that neither the United States nor the Soviet Union would have dared at the height of Cold War tensions.
In July, General Keith Alexander, head of the NSA, said during an interview at the Aspen Security Forum in Colorado that the number of computer attacks from hackers, criminal gangs and foreign nations on American infrastructure had increased 17-fold from 2009 to 2011.
(Reporting By Andrea Shalal-Esa; editing by Andrew Hay)
(c) Copyright Thomson Reuters 2012. Check for restrictions at: http://about.reuters.com/fulllegal.asp
Privacy Threat Model for Mobile
An interesting article by Steve Roosa at FreedomtoTinker.com, where he discusses threat modeling of privacy threats for mobile phones.
Evaluating privacy vulnerabilities in the mobile space can be a difficult and ad hoc process for developers, publishers, regulators, and researchers. This is due, in significant part, to the absence of a well-developed and widely accepted privacy threat model. With 1 million UDIDs posted on the Internet this past week, there is an urgent need for such a model to identify privacy vulnerabilities, assess compliance, scope potential solutions, and drive disclosure. This is not to say that there aren’t a number of excellent resources that provide lists of normative best practices for mobile app development. Several such resources come readily to mind: the EFF’s Mobile Bill of Rights, Future of Privacy Forum’s Best Practices for Mobile App Developers, and Via Forensics’ 42 Best Practices.
What seems to be lacking, however, is a logical and complete picture of the privacy characteristics and vulnerabilities—i.e. a model or models—of the mobile ecosystem and, more specifically, its component platforms. The idea that privacy threat models generally—not just for mobile—haven’t received adequate attention is an observation that has also come up in the literature. In 2010, a group of researchers from the Interdisciplinary Institute for Broadband Technology (IBBT) noted that the absence of such a model contrasted vividly with the security space where such models (i.e. security threat models) are widely used. M. Deng, K. Wuyts, R. Scandariato, B. Preneel and W. Joosen, A Privacy Threat Analysis Framework: Supporting the Elicitation and Fulfillment of Privacy Requirements, IBBT: 2010 Belgium. That observation, with respect to mobile, is as true today as it was in 2010.
Microsoft Urges Customers to Install Security Tool
BOSTON – Microsoft Corp urged Windows users on Monday to install a free piece of security software to protect PCs from a newly discovered bug in the Internet Explorer browser.
The security flaw, which researchers say could allow hackers to take remote control of an infected PC, affects Internet Explorer browsers used by hundreds of millions of consumers and workers. Microsoft said it will advise customers on its website to install the security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer.
The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available on Microsoft’s website.
Eric Romang, a researcher in Luxembourg, discovered the flaw in Internet Explorer on Friday, when his PC was infected by a piece of malicious software known as Poison Ivy that hackers use to steal data or take remote control of PCs.
When he analyzed the infection, he learned that Poison Ivy had gotten on to his system by exploiting a previously unknown bug, or “zero-day” vulnerability, in Internet Explorer.
“Any time you see a zero-day like this, it is concerning,” said Liam O Murchu, a research manager with anti-virus software maker Symantec Corp. “There are no patches available. It is very difficult for people to protect themselves.”
Zero-day vulnerabilities are rare, mostly because they are hard to identify – requiring highly skilled software engineers or hackers with lots of time to scrutinize code for holes that can be exploited to launch attacks. Security experts only disclosed discovery of eight major zero-day vulnerabilities in all of 2011, according to Symantec.
Symantec and other major anti-virus software makers have already updated their products to protect customers against the newly discovered bug in Internet Explorer. Yet O Murchu said that may not be sufficient to ward off adversaries.
“The danger with these types of attacks is that they will mutate and the attackers will find a way to evade the defenses we have in place,” he said.
Some security experts said computer users should avoid Internet Explorer, even if they install the EMET security tool available from Microsoft.
“It doesn’t appear to be completely effective,” said Tod Beardsley, an engineering manager with the security firm Rapid7.
Rapid7 released software on Monday that security experts can use to simulate attacks that exploit the security flaw in Internet Explorer to see whether corporate networks are vulnerable to that particular bug.
Marc Maiffret, chief technology officer of the security firm BeyondTrust, said it may not be feasible for some businesses and consumers to install Microsoft’s EMET tool on their PCs.
He said the security software has in some cases proven to be incompatible with existing programs already running on networks.
Dave Marcus, director of advanced research and threat intelligence with Intel Corp’s McAfee security division, said it might be a daunting task for home users to locate, download and install the EMET tool.
Laptop Security Tips: How to Keep it From Getting Lost or Stolen
Thinking about taking your laptop on the road? It is a great way to work and stay in touch when you are out and about. However, you need to take some steps to keep your laptop safe and in your possession.
- Treat your laptop like cash
- Get it out of the car, don’t ever leave your laptop behind
- Keep it locked, use a security cable
- Keep it off the floor, or at least between your feet
- Keep passwords somewhere else, not near the laptop or case
- Don’t leave it “for just a sec” no matter where you are
- Pay attention in airports, especially at the security check
- If you have an alarm, turn it on
An Annotated Bibliography of Human-Computer Interaction Security (HCISec) Body of Works 3/3
An annotated bibliography is a bibliography that gives a summary of a body of work such as an article, research or thesis. The purpose of annotations is to provide the reader with a summary and an evaluation of the source. Each summary should be a concise exposition of the source’s central idea and give the reader a general idea of the source’s content.
HCISec is the study of interaction between humans and computers, or human–computer interaction, specifically as it pertains to information security. Its aim, in plain terms, is to improve the usability of security features in end user applications.
An annotated bibliography was conducted on 5 bodies of work focused on HCISec and Usability Security.
Annotated Bibliography
Sasse, M. and Flechais, I. (2005). Usable Security: Why do we need it? How do we get it?. O’Reilly Media Inc.
This article begins with a theme common to much of the HCISec and Usability Security literature: users are the weakest link in the chain of system security. The authors further explain how the famous hacker Kevin Mitnick hardly ever had to crack a password, since it was easier to trick users into telling him through social engineering. The authors also explain that as systems become more complex, they become harder to configure, manage and maintain. These errors become issues, increasing the chance of poorly configured systems and improper management and therefore reducing the security of the system.
The authors introduce the principle of psychological acceptability, which states that security controls should not make accessing a resource more difficult than it would be if the control were not present. They also provide various examples; for instance, a password adds minimal overhead for the user, provided it is easy to remember, yet for the security to be effective the password must be difficult to guess. A balance must therefore be struck: if a password is too long and hard, the user will resort to writing it down, and if it is too simple, a hacker can guess it and compromise the system. The authors also discuss the idea that patching a system should be transparent to the user, which is not always the case on systems with custom code or when a system reacts adversely to the patch.
The article concludes by stating that the lessons from the examples provided are key to implementing systems based on the principle of psychological acceptability.
Greiter, F. (2011). Situated Usability Testing for Security Systems. Pacific Northwest National Laboratory. PNNL-2-201
The article explains that usable security is a concept that has emerged to ensure the security and privacy of computer systems, while usability refers to how well a system supports the user's needs and their ability to accomplish a task. The author acknowledges that while usability testing is a common practice, the usability of security software needs more consideration.
The author examines why the common computer user may lack confidence in the security systems they use, or why they often circumvent the security mechanisms in place, and brings the concepts of primary and secondary goals into the discussion. The primary goal pertains to completing a task, for example sending an email or producing a document. The secondary goal pertains to adding the layer of security needed for the primary function. Often the user is not focused on the secondary goal, even though it may be just as important as the primary one. Recent research studies users who are forced to carry out security tasks, but the author concludes that this introduces bias. The author states that security issues must be concealed behind the primary goal, thus making the software more acceptable to the user. Differing setups between the real-world environment and the testing environment will yield conflicting data.
The author provides an example using online banking, which requires different security controls. The primary task is the completion of the transaction, but the secondary task is the authentication that must occur beforehand. In the study, the author depicted an online banking scenario where security was employed, but the primary focus was not security. In other environments, the more difficult the secondary task, the less likely it is to be carried out.
Ackerman, S. and Mainwaring, S. (2005). Privacy Issues and Human-Computer Interaction. O’Reilly and Associates.
The paper treats privacy as a key aspect of the user experience both online and on computing devices, and examines how users view computer systems in order to improve privacy through Human-Computer Interaction (HCI).
The authors explain that privacy is the process by which users effectively control their personal data and that, like security, it involves risk. To build a system that takes users' privacy into consideration, the core HCI rules must be examined: basic design considerations, how users interact with and through the system, how users differ in their capabilities and, lastly, the role of HCI in next-generation architectures.
The authors surveyed current computer-supported cooperative work (CSCW) literature related to privacy and found that, as people interested in the privacy area are aware, people have very nuanced views of their interactions with other people and find it problematic when those social interactions are constrained.
Other applications, such as shared calendars, have caused privacy concerns in CSCW. Users may access a manager's calendar to infer information about a company's hiring or layoff status. These privacy concerns are being researched to understand the balance between information awareness and information privacy; as the article states, awareness requires the release of personal information, which conflicts with privacy.
The authors conclude that there are a number of research areas in the field of HCI that can help design better privacy mechanisms, such as usability evaluations and requirements gathering.
Schultz, E. (2006). Research on Usability in Information Security.
The article states that usability engineering focuses on optimizing the interaction between humans and the tasks they perform. The author explains that even though authors in the field argue for the need to consider usability when applied to software, in actuality there are very few papers that present results supporting this.
The author examines research in the area of usability and discusses its findings. For example, Whitten and Tygar (1999) looked into the usability problems of PGP 5.0; this is one of the first studies to address the balance between usability and security. PGP is email encryption software, and in the test users were allotted 90 minutes to digitally sign and encrypt an email. A majority of the test subjects failed to do so. It was concluded that even though PGP had an attractive graphical user interface, it had a number of user design weaknesses.
The author also examines the usability problems of firewalls. Configuring a firewall is often a resource-intensive task; the rules in the firewall determine how the various systems and networks in an organization interact with the outside world. Using a graphical user interface can ease the process and provide a more usable implementation.
The author concludes that the work he reviewed is but a subset of the total research conducted in the usable security space, but notes that the total amount of research is still not enough. All of the above reviews point to the need for attention to human factors in information security related tasks.
An Annotated Bibliography of Human-Computer Interaction Security (HCISec) Body of Works 2/3
Annotated Bibliography
Kluever, K. (2008). Evaluating the Usability and Security of a Video CAPTCHA. Rochester Institute of Technology. Master of Science Thesis
The thesis discusses the security and usability of a Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA), a variation of the Turing test used to distinguish humans from computers. The author proposes a new approach in which users provide three words that describe a video. The author states that many users find the traditional form frustrating and that it carries a break rate of approximately 60 percent.
The author explains that in order to evaluate the success of a CAPTCHA, a list of desirable properties must first be established. The first property is automation, meaning the machine can generate and grade challenges on its own. The second property is "open", meaning the algorithm is publicly available. "Usable" is the third property, meaning challenges should be easily and quickly solved by humans, and lastly the CAPTCHA should be secure. The author performed an experiment in which 184 participants were tested on over 20 videos, and was able to increase the human pass rate of the video CAPTCHA from 69.7% to 90.2%.
The author does state the limitations and assumptions of the experiment. For example, it is language dependent, with English tags needed to evaluate the human subjects. In addition, the video from the online database exposes the ID of the video, and lastly, the usability and security analyses are preliminary.
The author concludes that only 20% of the participants preferred text-based CAPTCHAs while 58% preferred the video-based alternative. The author also shows how extending the ground-truth tags allows for different usability and security trade-offs.
Patrick, A., Long, A. and Flinn, S. (2003). HCI and Security Systems. CHI 2003, April 5-10. ACM 1-58113-630-7/03/0004
The authors explain that the human factor is often the weakest part of a security system and that users are often thought of as the weakest link in the security chain. The goal is to provide other researchers and software developers with an understanding of the roles and demands placed on users, as well as design solutions to assist with the creation of secure and usable systems.
The authors state that three areas are of interest: authentication, security operations and developing secure systems. Authentication, the most common form of security, consisting of a username and password, is the weakest link due to the human factor: users tend to choose guessable passwords, write them down or even forget them. In security operations, the human factor is not limited to the end user; system operators can also implement solutions improperly and open security flaws. Lastly, developing secure systems is critical. If developers do not create user-friendly systems, the systems will not sell; however, if developers create a secure system, users may try to circumvent it to increase usability. The authors state that usability and security are often thought to be contrary to each other, but recent research by Yee (2002) shows this is not the case. Yee (2002) provides ten HCI design principles that can be used to improve the usability of security.
The authors conclude that the goal is to build a cohesive HCISec community and to activate its researchers and practitioners. They further state that security is a large topic, so there are many areas where HCISec is important.
Flechais, I. (2005). Designing Secure and Usable Systems. PhD Dissertation. University of London
The thesis aims to investigate the process of designing secure systems and how developers can ensure security controls are effective and usable at the same time. It reiterates the common notion that users are the weakest link in information security and that an unusable user interface will result in ineffective security. The author explains that while HCISec has identified the need to improve usability in computer systems, most of the research in this area addresses the issue by improving the user interfaces of security tools. The thesis provides an interesting insight into the causes of data breaches by suggesting that research efforts to address human factors in security have concluded that security mechanisms are too difficult to use, and that most users do not maliciously break security policies but do so as a result of bad design.
The author states that the thesis does not seek to evaluate security system design in general; instead it evaluates Appropriate and Effective Guidance for Information Security (AEGIS), a secure system design technique that adopts a socio-technical approach to assist developers in designing secure systems. The author notes that any research that seeks to affect design methods is difficult to carry out empirically. The research was conducted in two parts: first, identifying the issues in the development process of secure systems, and second, presenting and evaluating a socio-technical design method for secure systems.
The results of the research identify important factors for usable security; the model provides insight into real-world issues and will be useful for improving current and future secure system design methodologies.
