news
In Brief

SCAM TARGETS NATWEST
Natwest has been the latest victim of a phishing scam. Natwest customers were emailed and requested to enter their debit card number on a fake site, resembling the official Natwest site.

LINUX KERNEL ATTACKED
A database containing code for the next Linux version was hacked according to reports. An intruder tried to install a Trojan horse but the intrusion was detected by an inherent security feature, known as BitKeeper. The database was shut down temporarily and the kernel was unaffected.

INTEL LAUNCH MOTHERBOARD ENCRYPTION
Intel is launching a new motherboard with a hardware-based vault called the Trusted Platform Module. The vault stores encrypted keys to protect confidential information.
...Continued from front page (top)
The Pentagon's plans envisage a capability to "detect a small, loosely organized group as they plan and execute an unconventional attack." The Pentagon plans to refocus its surveillance from nation-states to "sparse activity that was once too insignificant to notice." The cyber-surveillance programs under development will detect, correlate, and understand cyber and other anomalies. Among the Pentagon programs listed under the $437 million Asymmetric Threat program are:

Human Identification at a Distance (Human ID)
This is a program to develop automated biometric technologies to detect, recognize, and identify humans at a distance. Fusion of biometric data is also a top priority. The Pentagon document states, "this system will be capable of multi-modal fusion using different biometric techniques with a focus on body parts identification, face identification, and human kinematics . . . at a distance, at any time of day or night, during all weather conditions, with noncooperative subjects, possibly disguised and alone or in groups."

The Endstate (Effects-Based, Nonlinear Analysis and State Estimation)
A program that will permit the Defense Department to analyze the vulnerability of networks, including those involved with logistics and electrical power.

Mis-Information Detection and Generation (MIDGET)
MIDGET reduces the Pentagon's vulnerability to open source information by "detecting intentional misinformation" and "inconsistencies in open source data with regard to known facts and adversaries' goals."

Genisys Program
Genisys produces "technology for an ultra-large all source information repository to help prevent terrorist attacks on the citizens, institutions, and property of the US and its allies." The ultra-large database will contain information on all potential terrorists and possible supporters, terrorist material, training/preparation/rehearsal activities, potential targets, specific plans, and the status of American and allied defenses.

Evidence Extraction and Link Discovery (EELD)
EELD extracts evidence from vast amounts of "unstructured textual data (such as intelligence messages and news reports)" that lead to identification of unusual events, potential threats, or planned attacks. The document reveals that EELD was used to "perform surveillance during the 2001 Presidential Inaugural celebration activities" of George W. Bush and Dick Cheney. Privacy and civil liberties advocates are worried that such DARPA activities violate long-standing laws that prevent the military from conducting surveillance against US civilians.

Expert debunks regulation in cybersecurity
Richard Clarke, former Bush security advisor and chairman of the President’s Critical Infrastructure Protection (CIP) Board, announced that government regulation is not the solution for policing cybercrime even though “things are getting out of control” in cyberspace.

Speaking at the RSA conference in Amsterdam earlier this month, Clarke insisted: “The federal US Government does not have the answer. You can’t regulate cybersecurity.”

This resistance to regulation was echoed repeatedly throughout the conference. Geoff Smith, UK Department of Trade & Industry, said: “Regulation isn’t the answer because it can’t keep up with technology.” Clarke said that IT professionals have been watching the increasing deterioration of security for so long that they have failed to notice the drastic plummet over the past 12 months. Clarke points out that two years ago there were 21 000 separate viruses. So far this year there are 114 000 viruses. “This is not just more of the same. Things have become unacceptably worse in the last year.”

So if laws can’t help safeguard the Internet, then what can? Clarke believes the answer to safeguarding security lies in authentication. He advocates that ISPs should provide subnets on trusted servers where visitors are authenticated. In an ideal world visitors could surf in a safe environment using universally accepted authentication. John Fowler, CTO of Sun Microsystems, also believes multifactor authentication is the way forward. However, Fowler believes regulation can’t be given the slip so easily. “Government regulation won’t go away,” he said.
...Continued from front page (bottom)
tery for law enforcement, the Slammer worm's author is also still at large. It is proving too complicated for law enforcement to track these virus writers because of the fast-moving nature of worms, the immaturity of certain forensic techniques and the lack of jurisdiction over the Internet in some countries. Stephenson said: "Most code contains little or no evidence that can tie a virus to an author. Also a very fast moving virus or worm, by its nature, covers its own tracks simply by the rapidity with which it infects large numbers of computers," he said. "There is no single country that has jurisdiction over the Internet and the controls and laws from nation to nation can be very different or nonexistent." This makes international cooperation very difficult. Stephenson believes it is child's play for virus authors to hide their identity to avoid detection. He said: "They simply need to avoid traceable references that allow a back trace. Also, they need to infect many initial targets at the beginning and launch the infections from a computer or computers that cannot be traced to them. It's trivial to do."

Why virus authors get away:
• Forensic traceback techniques are too immature.
• The international nature of the Internet makes law enforcement difficult over national boundaries.
• Fast-moving viruses infect many computers rapidly, making it difficult to trace the alpha victim.
In Brief

FTC SAY DISABLE MS MESSENGER
The US Federal Trade Commission has recommended that Windows Messenger Service should be disabled as it is a channel for marketing pop-up ads.

WORLDPAY HIT BY DOS
Worldpay has been hit by a large denial-of-service attack. In a statement, Worldpay said: "Although we have been subject to a 'denial-of-service' attack, the integrity and security of our systems and our customers' data is in no way compromised."

AOL TURN OFF MS MESSENGER
AOL has disabled Microsoft Messenger on its customers' computers without notifying them. According to a report in the Associated Press, AOL has turned off Windows Messenger for 15 million customers.

ORBITZ SECURITY BREACHED
Orbitz, an online travel company, has suffered a security breach, which has allowed spammers to email its customers. Orbitz says a number of its customers have received spam from an authorized source.

AL JAZEERA HACKER SENTENCED
A Web designer has been sentenced to 1000 hours of community service for hacking into AlJazeera.net and redirecting traffic to a website displaying the American flag.

MICROSOFT DISCLOSE 4 VULNS. IN NOV.
A buffer overflow in the Microsoft Workstation service has been discovered. According to ISS, as the vulnerability is a stack overflow, it is easy to exploit. Windows 2000 and XP are affected. Microsoft has released another three vulnerabilities for November, including a cumulative security update for Internet Explorer, a vulnerability in Word and Excel and a buffer overrun in Microsoft FrontPage Server Extensions.

MICROSOFT OFFER SPAM BLOCKING
Microsoft is providing antispam technology as an add-on to Exchange 2003. The technology, known as Smartscreen, has already been used in Outlook, MSN 8 and Hotmail. The technology works on a classification scheme based on judgements by hundreds and thousands of Hotmail users on what constitutes spam.

EXPLOIT FOR MS NOV. VULNERABILITY
Exploit code is circulating for a vulnerability in Microsoft Workstation Service (MS03-049) affecting Windows XP and Windows 2000. Microsoft disclosed the vulnerability on 11 November.