Breach of the Drones

When it was discovered that video feeds from U.S. Predator and Reaper unmanned drones were being hacked by insurgents in Iraq, it became evident that cybersecurity has a long way to go to become more secure. The natural reaction is to point the finger at software producers, the government, and the push for functionality over security. But it may be that a different model is needed for the software itself.

When you think of military security, if you are like me, you think of planes, tanks, guns, and bombs. If you look at a tank, you have a weapon that can withstand direct attack against some serious ammunition. It is designed to be attacked and still fulfill its mission.

Software is not designed to be attacked. It is designed to provide features and functionality, but it is seldom designed specifically to be attacked. Instead, software is designed to minimize vulnerabilities.

What would happen if software were developed as if it were a military tank? If you were to develop a design pattern for software that resembled a tank, it would obviously require a very tough exterior interface to protect the crew and equipment inside. It would require very strong encapsulation to ensure that all interfaces to the outside world are well-defined and secure.

If all software were created using such a Tank design pattern there may be a variety of predefined, standardized system utility interfaces that allow secure communication with other systems and other subsystem components. This would allow the developer to implement the Tank pattern and simply select secure interface services without having to worry about coding each one.

Do you think it is possible for a one-size-fits-all design pattern or perhaps even a framework that toughens the exterior of software so it can better withstand attacks?

Read More...

Implementing Trust Between Systems

When designing or reviewing a system, it is common to ensure that trust is established between end-users and the applications. Trust in this context means that the users are trusted because they have proven their identity, and their authority to access the application has been verified. Many times, trust between system components is overlooked. This can be a deadly sin for software design that can lead to security vulnerabilities.

When trust is not established between system components, it means that any application that has access to the network can connect to the subsystem's exposed ports. For example, consider an application that exposes port 443 for receiving XML using HTTP over SSL. You might think that this is secure, since it uses encryption; however, encryption does not guarantee trust. Any web browser or system that supports HTTP over SSL can connect to that application and send malicious XML payloads.

You may say, "But my application uses a proprietary protocol that people would not understand." Unfortunately, security by obscurity is not security at all. With enough time or inside information, an application that does not require trust of the systems that connect to it may be easily compromised.

Trust generally comes with a certain amount of overhead. Here are two ways you can establish system trust in your application. First, you can require that all clients that connect to an open port present a user name and password or a shared secret key. This approach has the lowest overhead. When using web services, this can be accomplished using WS-Security. Second, you can use asymmetric encryption for non-repudiation to ensure that only the client could have connected because only it has a public key that can decrypt the message. This approach has high overhead, since encryption requires time and system resources, but it also ensures that the credentials are not exposed in clear text.

Many companies allow so many other companies into their networks, and insiders are frequently as much of a threat as external attackers. With this in mind, firewalls have limited value and are not very good at establishing trust. They are good for building a layer of security around your applications, but this does not compensate for a listening port that does not require trust.

How are your applications doing at establishing trust?

Read More...

Cybersecurity in 2010: Bubble or Blip?

Take a look at Google trends for the word "cybersecurity", and see what you find. In the third quarter of 2008, there were two small blips on the radar for this search term. In 2009 there was a sharp rise throughout the year. What will 2010 look like for cybersecurity, and are we at the beginning of a cybersecurity bubble?

The Internet bubble was driven primarily by new web technologies and the potential for rapid profit. Cybersecurity, at present, is driven by regulatory compliance and government initiatives. It is unrealistic that this will be a bubble of the magnitude of the Internet bubble, but here are a few interesting parallels.

First, there are currently plans to hire up to 1,000 cyber security professionals by the Department of Homeland Security. This is in addition to the hiring of contractors that serve the government. During the Internet bubble, it was very difficult to obtain quality technical personnel. They were snatched up quickly, and the rates skyrocketed.

Second, there is the potential for the development of new security technologies. Research universities, working with Northrop Grumman, will be exploring new technologies to provide better security. This may trigger the development of new products from existing and new vendors. This also parallels the Internet bubble.

Third, regulatory requirements related to security continue to increase, putting more pressure on companies to improve their information security operations. This gives rise not only to personnel who implement the compliance programs, but also to consultants and auditors.

What will 2010 look like? My prediction is that cybersecurity professionals will be in high demand, making staffing them especially challenging. As boards and CEOs take an increasing interest in security, new companies will enter the security technology market, and this will create even more strain on the talent pool.

What should you do? If you are a cybersecurity professional, keep your skills honed, certifications up-to-date, and finish your degree. There is great opportunity ahead. If you are not experienced in cybersecurity, keep an eye on companies that rise to the challenges of the new year and consider investing in those that have the most potential.

What do you think? Will the rise in cybersecurity be a bubble or a blip?

Read More...

Cybersecurity Government Job Fair

With the increasing attention to cybersecurity in the government sector and in critical infrastructure protection, the Department of Homeland Security announced in October that it would be hiring for as many as 1,000 cybersecurity jobs. DHS is moving forward on that promise with a virtual job fair.

The job fair can be accessed at http://www.dhs.gov/xabout/careers/cyberjobfair, and it works like a typical job board. There are currently 12 jobs posted, but it appears as though these are job titles, and that there are many positions to fill for each.

There are three different job titles, but each is available in four different pay grades, ranging from GS 12 through GS 15. This translate to salary ranges from $73K - $153K. The four titles are: Information Technology Specialist (Cyber Security); Intelligence Research Specialist (Cyber Security); and Security Specialist.

This comes at a time when the US and Russia are actively talking about limiting military use of cyberspace and strengthening Internet security (NY Times).

This is good news for the career outlook for security professionals. Will this become a security bubble?

Read More...

On-the-fly Encryption with TrueCrypt

How sensitive is your data? You may use highly confidential data at work or at home. If you are concerned about the potential exposure of that data, encryption may be a good solution for ensuring that your data remains protected. One tool that you can use to encrypt your data is TrueCrypt. It is a free, open source program that works on Windows 7/Vista/XP, Mac OS X, and Linux.

TrueCrypt is a very easy-to-use tool. I installed it today on my Ubuntu laptop, and within about five minutes, I created an encrypted drive and put sample data in that drive. You can download the software at http://www.truecrypt.org/.

When you create an encrypted drive with TrueCrypt, you are creating a file on your file system that contains all of the encrypted data you will be protecting. Creating the encrypted drive is the trickiest part, but the on-line tutorial for beginners makes it very easy to use. If you are more experienced with encryption technologies, you may like that it offers a variety of algorithms, including my favorites - AES and SHA-256.

After you create your encrypted drive, the next step is to mount it. To do this, you select a drive letter (Windows) or a slot (Linux) to which to mount the drive. Next you select the encryption file you just created and mount it. You will be prompted for the password for the encrypted drive that you entered when you created it. If you enter the correct password, the drive mounts, and you can use it like any other drive or file system.

In Ubuntu, from the Settings / Preferences window, I chose to use automatically open the mounted drive in Explorer once it was mounted, so a normal file system window popped up and allowed me to use it like any other mounted partition. I was also able to find the mounted partition in /media/truecrypt1, which allowed me to use it from the command line as well.

From what I have seen, the Windows version has some added functionality for encrypting system partitions and even creating a hidden encrypted partition that can be used for creating a hidden operating system. This may be good if you are trying to cover your tracks, but from a security professional's view, this may be hard to detect in a forensic investigation. Perhaps in a future post, I will try to find a hidden TrueCrypt system partition using FTK or Encase.

Have you used TrueCrypt? What do you think of it?

Read More...