Archive for the ‘Information Security’ Category

Barriers to Entry

August 27th, 2010 jmolini No comments

The Chinese are at it again.  Canadian Business Online reports that the Chinese government has now required Chinese banks to stop using foreign information security technology.  You’ll find another good review of the regulation here at SiliconValley.com. The program is called Multi-Level Protection System (MLPS).  From these early reports, it’s hard to tell whether the Chinese government is genuinely concerned with foreign government spying or if this is just another effort to protect their own technology sector.  The articles did mention Cisco a lot, but I assumed that it’s because Huawei (a Chinese competitor) is getting deeply into the firewall business.  I expect that we will know more as the full story is reported in the media.

Before anyone gets too worked up about this, let’s remember that this type of thing happens all the time and in every major nation on the planet.  I personally remember conversations with several security pros in the U.S. government who described a quiet effort by a U.S. Security agency in the 1990s to curtail government use of a firewall technology built overseas.  We all know that the French required that encryption technology sold in France include keys so that government agencies could decrypt all traffic.  For a long time it was against the law to sell encryption technology in South Korea.  It is also very similar to the dispute between RIM and the governments of Saudi Arabia, Dubai, and India, don’t you think?

In this country, we often require that companies providing technology to the government make that technology inside the USA.  Our government also requires that U.S. banks use approved U.S. algorithms for encryption and data protection.  Finally, we have the International Trafficking in Arms Regulation (ITAR), which restricts technology that can be exported to other nations.  That’s been in place since 1976 and China was embargoed for a long time under ITAR.

And if we go back even earlier in the history of information security we could talk about the debate that raged around the crypto key length of the original Data Encryption Standard.  At the time it was rumored that the key length had been shortened from 64 bits to 56 bits, simply because the NSA did not have the computing power to effectively decrypt messages with a 64 bit key.  This is purely rumor, but I’m sure someone inside the People’s Republic is well acquainted with these restrictions on the use of security technology.

As they say: “What goes around, comes around.”  So it’s reasonable to expect that the Chinese would also try some form of prohibition on the importation of security technology.  I only hope that their leaders will look back on all of these prior efforts and realize that these kinds of trade barriers hurt competitiveness and technology adoption.  I hope they will realize that general prohibitions are generally unproductive.  Otherwise they may spend several years and several billion dollars, while their own suppliers make the mistakes and learn the lessons of this industry.

Jim Molini, CISSP, CSSLP

Categories: Information Security

Human Capital Discussion – Part 2.

August 11th, 2010 jmolini 2 comments

I’m doing part 2 of my review of the CSIS paper on the human capital crisis in IT security.  I think anyone who’s ever participated in development of a certification program has dreamed of the kind of certification they describe in this report.  Wouldn’t it be great if we could build it and develop a group of world class security gurus?  This is the kind of “build it and they will come” scenario that makes me think of cornfields and Kevin Costner. 

However, I was surprised that the authors of this report could look at all of the certification work done over the past 20 years in the security profession and declare it “dangerous.”  In response, the commission would create a brand new organization that could start from scratch and come up with a technical certification program that would meet the needs of a diverse federal workforce.  As someone who was deeply involved in the design of the CSSLP certification, I can assure them that the devil is in the details.  Any one of the listed organizations could have built a certification program like the one described, but they didn’t.  There’s a reason for that.

Having worked on both the CISSP and the CSSLP I have also yearned for a more technical exam, possibly with code analysis.   I didn’t get what I wanted when we developed the CSSLP, but I’m now willing to admit that I could have been wrong in my initial assessment.  Although most technical security people will tell you that they’re happy to test their skills against a standard, it’s extraordinarily difficult to put a standard test onto paper (or into bits).  Then, how do you build equivalent tests using both Windows and Linux, or C++ and Java?  When you pair the subject matter experts up with the psychometricians, the discussions get messy.

IMO, the closest anyone has ever come in the federal government to this kind of program is the ISSEP concentration, started in 2004.  The ISSEP is a coordinated security concentration between the (ISC)2 and the US National Security Agency.  It is a very tough concentration that tests candidates across a range of security engineering functions.  Incidentally, it also requires the CISSP as a base certification before a candidate can request the concentration.  It’s a very difficult technical program to complete and I wish the authors of this report had spent some time studying the lessons from the ISSEP.

So, in order to get this out onto the blog, I’m going to stop by asking 3 questions:

  1. Did the committee perform an evaluation of the legal ramifications of this type of certification in the federal workforce?  If so, we should hear more about this in the report.
  2. Did the committee look at lessons from the existing ISSEP program?  There was no mention of this program in the document, so it would help to hear about direct experience with a program that most closely matches the one they describe.
  3. At least 10,000 highly skilled intrusion analysts have passed through the SOCs of the federal government in the past 15 years.  If we have fewer than 1000 today, why did so many of them fall behind the technology curve?  If there is a half-life on deep security expertise, we should consider addressing that issue before training another 10,000, shouldn’t we?

That’s my take on the issue – in two installments.  I hope that the authors will take some time to take a closer look at the problem.  If you think I’ve missed something, please add a comment and we can talk.

Best,

Jim Molini, CISSP, CSSLP

Categories: Information Security

Right to Privacy? Not if u txt…

June 24th, 2010 jmolini 1 comment

In a 9 – 0 ruling, the U.S. Supreme Court decided that employees do not have a right to privacy when using company phones to text each other.  The court’s ruling sent a clear message to privacy advocates worldwide, by saying that a supervisor’s search through employee text messages was in fact a search, but was not an “unreasonable” search, in their opinion last Friday.  I read about it in the Los Angeles Times here.

A couple of things are interesting in this case.  First, the court apparently considered text messaging to be similar to any other public paging system.  So, in effect, it looks like sending a text message could be legally as open as calling someone through the Airport public address system.  I’m sure we will hear more about this in the future.

Second, the court rejected a broad interpretation of an individual’s right to privacy by the US 9th Circuit Court.  Normally, I wouldn’t be surprised if the 9th Circuit Court supported privacy rights for pigeons on the San Francisco Bay Bridge.  However, many people, including me, wondered if the Supreme Court would broaden privacy protection, somehow.  In this ruling, it didn’t happen.

Under this ruling, it looks like your employer can have a closer look at text messages.  It might also extend to email messages in some future decision.  Certainly, a broader interpretation of privacy would have opened up the possibility of lawsuits for those of us who monitor corporate networks.  The threat of lawsuits would have prevented many legal searches, simply because it would be too much trouble to defend.

Some people will say that the US is losing a right to individual privacy.  I’d have to disagree.  This ruling is putting privacy into perspective.  It’s also going to help protect information security professionals from baseless lawsuits as they perform legitimate monitoring for employers. 

Jim Molini, CISSP, CSSLP

Categories: Information Security

Eating Crow – Google Goes For Broke in China

March 23rd, 2010 jmolini 1 comment

Let me start by saying that I was wrong.  Yep.  That’s the best way to begin this post.  This morning I read on Wired.com that Google had officially stopped censoring search results inside the People’s Republic of China.  They ignored the naysayers and have stopped doing searches inside mainland China, instead asking users to go to their Hong Kong site for searches.  Of course, it’s not likely that people inside mainland China will be able to get unfiltered search results from Hong Kong, but that’s beside the issue.

Most importantly, Google is risking their China business to meet their stated goal of unfiltered search.  The g-men stood on principle and took action in favor of Internet freedom.  Bravo.

Just as the issue itself had strong cultural overtones, (see my earlier post) anyone reading the post from outside the USA may wonder about the title. We have a euphemism inside the US for anyone who has to retract a statement or admit that they were wrong.  It is called “having to eat crow.”  A crow is a particularly obnoxious bird that tastes like a rat.  It’s hard to catch and very hard to stomach.  So it’s an appropriate comparison for having to admit that you’re wrong.  In this case, I’m contrite and happy to see that my original skepticism has been upended.

Right or wrong, the leadership team at Google made a particularly tough decision.  It’s nice to see that they stood on principle in the face of opposition.  And to CEO Eric Schmidt and everyone in the company, please accept my heartfelt apology for doubting your ability to execute on the plan.

Jim Molini, CISSP, CSSLP

Categories: Information Security, Life

Thanks, Howard.

December 24th, 2009 jmolini 2 comments

Two days ago, President Obama announced that Howard Schmidt would be the new White House Cybersecurity Coordinator.  Howard deserves our thanks for taking the job.  It’s arguably the biggest information security job in the world, although it’s neither the most lucrative, nor the most rewarding job in our business.  His responsibility will far outweigh his authority, so it will be a miracle if he’s thanked for the job he’s done in 3 years, after the next presidential election.  He’s not a cabinet member or a secretary or even a director – he’s a coordinator.  He will be tasked with developing a national security plan that also respects individual privacy; something akin to building a perpetual motion machine.  Personally, I wondered if I should send him congratulations or condolences for this move.

So why would he do it?  Why would anyone do it?  

Personally, I would guess that he wanted to serve his country again.  Imagine that.  After a prestigious 40 year career, spanning government and industry, when he should be settling down, this guy volunteers to go into the political viper’s den (the beltway, not the Whitehouse) and do an impossible job that has no promotion potential.  He knows how bad it can be, because he’s been there before, but he signs up anyway.  As they say in Philadelphia – go figure.

In these difficult times, there is no shortage of heroes.  The spectacular feats of heroism by people fighting against the narco-traffickers in Mexico or those bringing peace and security to other parts of the world might make it hard for people in the technical community to feel like they’re making a difference.  In fact, I don’t know of anyone who would compare themselves to these protectors of the free world.  But we should also talk about the other people who have shown courage, dedication, and a sense of duty that would bring tears to your eyes.

The next time I think of courage, dedication, and service, I’ll be looking in the direction of Washington, D.C. and remembering a guy named Schmidt, who took on a massive national security problem just because the President called. 

Thanks, Howard.

Categories: Information Security, Life

Can You Afford to Lose Customer Data?

October 26th, 2009 jmolini 2 comments

I noticed a recent article talking about additional fines for ChoicePoint.  They were fined for a second breach of security that occurred 4 years after the original intrusion.  This may be an extreme case, but it’s a tragic reminder of the importance of proactive security.

As you may recall, ChoicePoint became a poster child for data loss when a 2004 breach was discovered. They struggled for years as the fines piled up and subsequently sold themselves off piecemeal, with Reed Elsevier retaining the ChoicePoint name.  However, the story is not as important to me as the company they keep.

Nowadays, whenever someone writes about data breaches, they inevitably mention three names: ChoicePoint, TJX, and Heartland Systems.  This continual rehashing of past mistakes is doing massive harm to the brands that the companies have developed.  And in that, there are lessons here for every company that must make a claim about security.

If you are talking to your leadership team about spending for security, be sure to let them know that the cost of a positive brand image is many times the amount you will spend on computer security this year.  If your organization makes a spectacular blunder in the security space, you could be one of those names that gets bandied about any time someone needs a cheap joke about cyber crime.  No matter how much work you do after the breach, it probably won’t matter. 

Your job as a security professional is to translate these problems into business terms.  Start by estimating the annual value of your corporate brand. Then model a catastrophic security scenario and cost out the 10 year effort it could take to rebuild the brand, after the incident occurred.  Once you’ve done all that, the real value of good security might be more interesting to Management.

Jim Molini, CISSP, CSSLP

Categories: Information Security

The Internet at 40

September 10th, 2009 jmolini No comments

The Internet turned 40 years old this month. Back on Sept. 2nd, 1969 several people at UCLA began the first test of a networking protocol for the US Department of Defense that would later become ARPANET and then the Internet. You can read more about it: (less technical and more technical). The big surprise in this announcement is the fact that most people reading this post can remember a time when long distance communication meant picking up a telephone handset and paying a lot of money. More impressive is the thought that most of us can hardly remember how we managed to live without “the net.”

With the Internet came Internet crime. The first wakeup call for most of us came with the Morris Worm in 1988. In my experience, that worm came closest to shutting down the net – the entire net. At the time I was doing computer security at a government research facility and our best estimate came in at 4000 infected machines, all running SunOS. It took 4 days and a lot of work to correct the problem, but the world moved on and Robert Morris, Jr. honorably paid his debt to society. Oh, those were the good old days.

Today, my own back of the envelope estimate shows that we spend more than $54 billion annually on protecting ourselves from Internet-borne threats. The cost in time and aggravation is many times that amount.

So the next time some hacker claims that he is doing something good for the little man by raging against the machine, writing malware, or building rootkits, you can tell him for me that he is also costing the world more than 100 million hours every year that could be used for better things. If the criminals would stop building software to harm the rest of us, I would happily donate 3 hours every year and the money I spend on security software to help make the world a better place. Wouldn’t you?

Jim Molini, CSSLP

Categories: Information Security

Enough Already – Stop misusing the word “Assurance”

August 22nd, 2009 jmolini 2 comments

Back in 2007, I heard a speaker talk about planned updates to an ISO standard.  In his presentation, he indicated that one of his colleagues had asked him to update the ISO standard to include language on “Information Assurance.”  To make a long story short, the ISO standards couldn’t accommodate an update if assurance meant “Security.”  However, too often, we find that entire federal departments say the word “Assurance” when they mean “Security.”  The Defense Department is the worst offender.

Dictionary.com says this:

  1. Assurance – a positive declaration intended to give confidence.
  2. Security – freedom from danger, risk, etc. 

This problem is almost as old as the Unix operating system.  Back then, some bright people in the intelligence community began using the term “assurance” because a purist engineer told them that no computer could truly be labeled “secure.”  Obviously, this happened in the days before “portable computers” or “Service Oriented Architecture,” but I digress.

Instead of saying “secure systems,” they said “assured systems” (which was a condensation of “security assured systems”) to please the theoreticians and an entire industry grew up to support this thing they call “assurance.”  It was further shortened to “information assurance” at some point in the 1990’s.

Fast forward to the 21st Century and we find that many aspects of computing must be assured.  Safety assurance is important, as is reliability assurance.  If we travel from “The Beltway” to “The City,” we must stop saying “assurance” and start saying “security.”  If you’re starting to feel like an edge router, you’re not alone.

All of this might be entertaining, if there wasn’t a real underlying problem with the misuse of this term.  It turns out that saying security when we mean security helps us to balance risks.  If assurance only means security assurance, how can we do tradeoffs between security and safety?  Can we ever have safety assurance if every one of our software developers is looking over his or her shoulder at the security group?  Even if we could, could we teach a computer to understand the nuance?

For example, how would you interpret the following business requirement?  “The system must provide high assurance for all valve management safety processes.”  If you read ISO 15226, it means that the safety systems have to work.  If you read the SOAR report or any of the major DoD Assurance directives, it means that your safety systems should not have read up or write down.  These are two fundamentally different things.

So let’s begin reclaiming the language that our global audience understands.  When you want security – say security.

Jim Molini, CISSP, CSSLP

Getting Personal with IP Addresses

July 22nd, 2009 jmolini 5 comments

In words that may go down in history, on July 6, 2009, U.S. District Court Judge Richard Jones wrote: “In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”  An overview of the ruling is here.

This ruling dismissed a case by certain people against Microsoft, claiming that Microsoft’s recording of their IP addresses constituted a violation of Microsoft’s End User License Agreement or EULA.  The plaintiffs claimed that a user’s IP is personally identifiable.  Microsoft claimed otherwise.  In this case, the judge agreed that an IP is not PII.  That’s a good thing for all of us in the security business, but it’s also the right logical conclusion at this time in history.  Here’s why.

  1. IP addresses are assigned by ISPs.  They are not assigned by end users.  Most computers only obtain a lease on an IP address for days or hours.  As such, the IP address is often just a temporary association between a computer and the Internet.  It’s not the same as the relationship between a user and the user’s computer.
  2. You can’t buy an IP address, you can only lease one.  In this regard, it is not “property” as would be defined in many legal circles.
  3. IP addresses are easily computed and many attack programs generate IP addresses randomly and attempt to connect to those addresses.  If you look up a specific IP address via reverse DNS, you can associate it with a domain, but users can also mask their personal information in the domain record – if they work through an ISP or other representative.  If IP addresses are considered PII, it will destroy the long term viability of DNS.
  4. Finally, the Internet is not a government owned or regulated entity, as are the phone companies in many parts of the world.  Although certain governments may choose to limit use of the Internet as a matter of national policy, those regulations would not and should not apply across national borders.  In short, they can’t tell the Internet what to do.  The Internet is flat and those who would unflatten it are swimming upstream. Just ask people who want to tax Internet sales.

There are other issues, but I think you get the idea. 

Of course, this means that I think the EU made a mistake when they required ISPs to restrict access to IP information.  It is harming the competitiveness of IT companies over there.  If you disagree, let me know why.  I’m interested in your opinion.

Jim Molini, CISSP, CSSLP

Categories: Information Security

Goldman Sachs – Pilloried for Doing Things Right

July 11th, 2009 jmolini 1 comment

File this one under the heading “No Good Security Deed Goes Unpunished.”  This week, the Wall Street Journal reported on a former Vice President at Goldman Sachs who was arrested by the FBI for allegedly stealing source code from his former employer.  You’ll find a detailed description of the circumstances and possible impacts by Tyler Durden on the Zero Hedge web site.

If all the allegations are true, Sergey, who managed a software development group in the program trading business for Goldman Sachs, apparently decided to steal some of the software that makes it work.  Whether this is Goldman’s “magic sauce” for trading or not, is beside the point right now.  Here’s what I can see from the recent media reports:

Sergey worked for Goldman as their VP of Equity Strategy, according to information uncovered by Zero Hedge.  According to the affidavit sworn out against him, Sergey downloaded 32 MB of source code from his company, within 5 days of leaving for another firm.  BTW, the other firm was apparently willing to triple his salary for making the move.  About a month later, he was arrested while returning from Europe and charged with stealing the software.

To a computer security guy, this would say that Goldman Sachs had a program in place to detect and report unauthorized transfers of certain software components.  This is a good thing, right?  Moreover, the response team was good enough to identify a potential theft and run it through channels until an arrest warrant had been prepared and served by the FBI.  All of this happened in less than a month.  That’s great security work.  How many other firms would have been able to find and track this kind of event at all?

Unfortunately, other reports have focused on many of the possible negatives for Goldman.  That’s too bad.  This was a classic bit of investigative and response work at a major financial institution and it may have prevented important software from falling into the wrong hands.  If nothing else, it has sent a great message to everyone who develops software at the firm.  The message is, “We will protect your intellectual investment in our success.”  My advice is to gut it out while the world gets used to a company that will protect all assets.  So my hat’s off to Goldman Sachs.  Hopefully, after all the legal wrangling is over, they can tell us how they did it.

Jim Molini, CISSP, CSSLP

Categories: Information Security

Obama Pushes Privacy

June 19th, 2009 jmolini No comments

President Obama touted the new U.S. plan for Cybersecurity.  (Cybersecurity is the US government’s term for computer and information security these days.)  The new proposal is based on a Policy Review conducted by the administration and has several important changes for anyone who thinks about security from a global perspective.  In some ways, the bland “bureaucratese” hides a major change in U.S. policy toward the Internet.  Be prepared.

First, this document changes the game in privacy.  The new approach offered by the Obama administration places privacy as a distinct element of the new universal policy.  Notice how the document discussed privacy and tried to reframe the discussion of network monitoring.  It might not be a huge change for many of the federal agencies that deal with information today, but this will begin a major shift in American industry.  My three-word analysis for the IT community in the U.S. is:  “Expect More Offshoring.”

Most U.S. companies have enjoyed a competitive legal advantage over European firms when operating in a privacy-sensitive environment.  Our current laws are not tuned to fully protect the private data of individuals, so US companies had more flexibility in defining the protections for individual privacy.  That will change, if not through legislation, probably through the courts.  This will mean that many companies could end up radically changing the way they handle customer or visitor data.  It is not necessary, but many business people may opt to take the easy way out.

Second, we are finding that the world really is flat.  That could make offshoring a kind of protection against civil suits.  If companies find that offshore firms provide insulation from civil suits, you will see an avalanche in offshore data processing and outsourced jobs.  Add in the new taxes being proposed by the administration and it could make a perfect storm for IT offshoring.

If you’re a US software developer, there are a few things you might do to keep your work closer to home.  First, learn how to develop for a privacy-focused service.  Find an expert to help with the basic policy and tune it to the needs of your organization.  Think about whether you want to be aggressive or conservative in your privacy protection for site visitors.  Privacy is not a switch.  You have many options.

Eliminate unnecessary data and reduce the amount of information you collect from users.  A good way to start is to use federated authentication, like Windows Live ID, or OpenID.  These offerings give you only what you need and reduce your need to protect authentication data.  If you inventory the PII stored by your site, you may find that much of it is required just for authentication purposes.  Why take that risk?

Think about your monitoring options.  If you have a promiscuous network intrusion detection system (NIDS) on your site, you may be collecting too much personal data.  Tune down what you keep and “anonymize” the rest.

Next, consider how you will protect any Personally Identifiable Information (PII) that you do collect.  If you are out to create a community, it’s not necessary to know everything about every member.  Finally, start working on the design changes necessary to reflect an adequate privacy policy.  You will improve your image and your sessions per unique visitor if you have a respectable privacy policy.  It’s not easy, but it is likely to be important in the next two to three years.
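The monitoring advice above (keep less of what the NIDS sees, and “anonymize” the rest) can be applied at the point where alerts are written to long-term storage.  The Python below is an added example, not code from the original post or from any NIDS product.  The alert line format, the field names, the sample addresses and the key are all constructed for illustration.  It drops the user and free-text fields entirely, replaces the visitor’s source address with a keyed pseudonym (so analysts can still see that several alerts came from one host while the key is in use), and keeps only the network prefix as a coarse location hint.

```python
"""Minimize and pseudonymize NIDS alert lines before they are stored.

Added example; the log format below is an assumption for this example,
not the format of any particular intrusion detection product.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import List, Optional

# Constructed sample alert lines (not captured traffic).  The "user=" and
# "note=" fields stand in for the personal data a promiscuous sensor tends
# to pick up and that this filter deliberately throws away.
SAMPLE_LOG = """\
2009-06-19T10:01:07Z alert src=198.51.100.23 dst=192.0.2.10 sig=SCAN user=alice@example.org note="login from home"
2009-06-19T10:01:09Z alert src=198.51.100.23 dst=192.0.2.11 sig=SCAN user=alice@example.org note="second host"
2009-06-19T10:02:44Z alert src=2001:db8:85a3::8a2e:370:7334 dst=192.0.2.10 sig=EXPLOIT user=bob@example.org note="suspicious"
"""

# Only these named groups survive; everything after "sig=" is discarded.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) alert src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+)"
    r"(?P<rest>.*)$"
)


def truncate_ip(ip_text: str) -> str:
    """Coarsen an address to its network prefix (/24 for IPv4, /48 for IPv6).

    The result no longer identifies a single host, which is what makes it
    reasonable to keep for years.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_ip(ip_text: str, key: bytes) -> str:
    """Keyed, one-way token for an address.

    The same address maps to the same token while one key is in use, so
    repeated alerts from one host can still be correlated; without the key
    the token cannot be turned back into the address, and rotating the key
    (e.g. monthly) breaks correlation across retention periods.
    """
    canonical = str(ipaddress.ip_address(ip_text)).encode()
    digest = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def minimize_line(line: str, key: bytes) -> Optional[dict]:
    """Return the reduced record for one alert line, or None if it does not parse.

    An unparsed line is dropped rather than stored verbatim, so a format
    change cannot silently start retaining raw personal data.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": pseudonymize_ip(m.group("src"), key),  # visitor: pseudonymized
        "src_net": truncate_ip(m.group("src")),        # coarse prefix only
        "dst": m.group("dst"),                         # our own host; kept as-is
        "sig": m.group("sig"),
        # user= and note= are intentionally not carried over.
    }


def minimize_log(text: str, key: bytes) -> List[dict]:
    """Apply minimize_line to every non-empty line, skipping unparseable ones."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = minimize_line(line, key)
        if rec is not None:
            records.append(rec)
    return records


if __name__ == "__main__":
    # Constructed key for the demo; in practice this comes from a key store
    # and is rotated on a schedule.
    demo_key = b"constructed-demo-key-rotate-me"
    for rec in minimize_log(SAMPLE_LOG, demo_key):
        print(rec)
```

The split into a pseudonym plus a truncated prefix is a deliberate trade-off: the pseudonym supports short-term correlation and can be discarded with the key, while the prefix is the only part that makes sense to keep once the investigation is over.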

Jim Molini, CISSP, CSSLP

Categories: Information Security