
Archive for May, 2008

A Few Things On This Beautiful Sunday In Virginia

May 25, 2008 Steve S

Hello readers of Digital Frontier, I hope your day is going splendidly.  I just wanted to highlight a couple of things from the last few days.

First, I set up a Twitter account last night.  My Twitter name is Scubastevo so go ahead and follow me.  Twitter is a “microblogging” platform that allows you to interact with friends with short messages of 140 characters.  I’m still trying to figure out the advantages of using this social network/blogging platform but it should be interesting.  I’m assuming it will get better when I get more friends and followers.  Go ahead and sign up for an account and add me as a friend; search for Steve S or Scubastevo to find me.

Second, I saw Indiana Jones 4 yesterday afternoon.  I must say that I enjoyed it immensely.  I’m not sure I liked the ending/points of the plot, but the action kept me engaged the whole time.  Additionally, it didn’t feel slow like Indiana Jones and the Temple of Doom did, or like any of the National Treasure movies.  I must say Harrison Ford is still badass in the role and the addition of Shia LaBeouf was a smart move in order to progress the Indy Series.

Third, I’m reading a book I got as a gift called Leading By Example, by Bill Richardson.  I’m not very far into it, but the overall theme of the book is energy independence and revolution.  His main points seem to be if we develop technology for better renewable resources, then we will become independent from the sources of non-renewable energy.  This advancement of renewable energy technology will act as a panacea for many of the problems we as Americans and citizens of the world encounter.  His book thus far has proven to be very frank and without bullshit or the normal ballyhooing that usually presents itself when talking about energy and resources.  I hope to write on this topic at a later date, but for now I think I’ll just finish the book.

Happy Memorial Day everyone!

The Future of Computer Exploits: Phlashing

May 24, 2008 Steve S 1 comment

Hewlett Packard’s Systems Security Lab has detailed a new type of attack that impacts hardware rather than software.  Exploiters, who are finding it harder and harder to find loopholes in software systems, are beginning to take advantage of an attack called phlashing.  This attack, even though it has existed for a number of years, pinpoints Network Enabled Embedded Devices (NEEDS).

These NEEDS are vulnerable because of a security flaw found within the actual hardware of the computer.  Network enabled embedded devices have instructions called firmware for interfacing with other components.  Firmware is written in low-level, machine-readable code.  Exploits targeting this kind of code are not scannable by anti-virus programs since they exist at so basic a level.

The principal vector for this type of permanent denial of service (PDoS) is loading a corrupted BIOS (Basic Input/Output System) onto the computer.  The corrupted BIOS ruins the hardware when it is turned on.  Options for mitigating this attack are limited: your only option is to replace the hardware.  Recently, reports have surfaced of counterfeited routers and other hardware being sold to the U.S. government and military.  The fear is that malicious coders and criminals would load corrupted firmware onto these networked devices.  If a company or government agency were to implement these corrupted devices into their network, it could possibly bring their entire network to its knees.

A big debate is surfacing concerning the likelihood that this kind of attack would be implemented by hackers.  As my previous articles have highlighted, most hackers find it more efficient to hijack a computer to use as a part of a virtual army in a botnet, rather than render it useless with a virus.  Additionally, the risk of being caught executing this kind of attack on companies is very high.  Today, companies find it acceptable to guard against malware and phishing without too much involvement with law enforcement.  Messing with the hardware infrastructure of a company is an expensive proposition, making the attackers a prime target for investigators.  The way I figure, most criminals would prefer to stay out of reach of the long arm of the law.

Even if PDoS attacks don’t become a prevalent attack vector for exploiters and hackers, researchers at HP note that it reflects the ongoing diversification of malware.  It is possible that the evolution of attacks such as these will one day denote a shift in common attack strategies.  The researchers suggest that system engineers and administrators include protecting against this type of attack in their network topology.  Defense in depth techniques could be strengthened with this type of attack in mind.

1,000 Views!!!!

May 21, 2008 Steve S

Today, I passed the 1,000 view count!  This is very cool especially because the last blog I ran (on the Penn State blog system) was pretty lame.  I look forward to another 1,000 views which will likely come faster than the first thousand.

Categories: General

The Daily Scoop

May 19, 2008 Steve S

For the fourth installment of my Daily Scoop series, I have a bunch of great links for you to check out.

First up is a Q & A with the Commanding Officer of AFCYBER, Major General William Lord.  The questions were posed from a Slashdot forum and answered very honestly and objectively by General Lord.

This article continues coverage on AFCYBER and related projects.  The article’s title is Mutually Assured DDoS, which caught my eye.

Here is something that also piqued my interest.  The Wired article basically explains that buying a used car is more energy efficient than buying a hybrid car.  As a consumer that is soon going to be thrust into the used car market, it is nice to have this kind of detailed comparison.

Release Candidate 1 for Firefox Beta 3 has been released.  I have been using the beta of the much anticipated third installment of Firefox for a few months.  It is chock full of new features, most of which I will detail in a review upon its final release.

I thought it was interesting to find out that Google (Search Engine Master) has started a Beta Version of a Public Health Record Storage System.  Their aim is to provide a central location for people to share their medical records with medical professionals.

NSA Website Unresponsive- Web Attack Possible?

May 18, 2008 Steve S

As I was doing some research for my summer internship this past Thursday, my travels on the internet led me to explore more about the NSA security guides.  As I tried to navigate my browser to the main NSA page, it proved unresponsive.  I thought to myself, well this is quite odd, how come one of the agencies that is charged with cyber security is down?

As it turns out, the DNS servers used to turn web addresses into computer and network readable IP addresses for NSA.gov were unavailable.  A spokesperson for the NSA said that their two DNS servers had become unreachable Thursday morning.  As for the reason behind this error, McPherson (an industry analyst) had this to say:

“It’s either an internal routing problem of some sort on their side or they’ve messed up some firewall or [access control list] policy,” he said. “Or they’ve taken their servers offline because something happened.”  That “something else” could be a technical glitch or a hacking incident, McPherson said.

McPherson also offered recommendations for avoiding this type of problem, saying that the NSA should have hosted the two DNS servers on different machines for redundancy.  Additionally, the server that the DNS resides on is also home to the NCSC (National Computer Security Center), which means, if exploited, hackers would have access to truly valuable information.

I also had trouble accessing the website sporadically on Friday, but the reason for that may have been that some internet service providers cache information from websites.  This feature would have saved the unavailable websites and prevented access to them.  I suppose the moral of this story is that even the industry pros experience catastrophic malfunctions sometimes.

Categories: Security

New Ubuntu Page

May 18, 2008 Steve S

It seems as though I’m on a blogging spree tonight!  I have just added a separate page on this blog that is all about Ubuntu.  I have copied my few entries on Ubuntu over to that page mostly to see if traffic shifts.  I was getting a ton of hits from my two Ubuntu stories especially dual monitor configuration and TV tuner setup.  Here is the link in case you are too lazy to put your mouse to the upper right hand part of the screen.   :-)

Categories: General

Cool Story Roundup

May 18, 2008 Steve S

As you probably know, I fell a little behind on my blog posts in the past three weeks.  In order to help me catch up, I’m going to do a (or a few) blog posts that contain shorter accounts of events that I have found interesting during my time off.

Word has come in from Russia in the past month that the government agency in charge of regulating the mass media and communications is going to start requiring that citizens register every single Wi-Fi enabled device.  Not only does the citizenry have to register the devices, but they also have to receive special permission in order to operate the hardware that they bought.  Processing such a registration could take up to 10 days for laptops and handheld devices and even longer for access points.

Paypal has issued a press release saying that they are implementing yet another security feature to prevent phishing, spamming and identity fraud.  They plan on requiring users of the e-commerce site to only use current and up-to-date web browsers in order to reduce the risk from outdated, breached software.  Their plan goes like this: if you use “first tier browsers” like Firefox 2 (and soon to be 3), Internet Explorer 7, and Opera 9 and up, you will be able to use Paypal the same way you have done in the past.  Next, if you are a user of a so-called “second tier browser” such as any first tier browser that is a version behind, you will be warned at the point of login that you are at risk.  And last (as you probably guessed) are the “third tier browsers” which probably reflect browser versions that are ancient by software update standards.

In another interesting story, AFCYBER plans to create a military botnet in order to combat future enemies.  The Air Force’s cyber defense command admits that attacks via a DDoS (Distributed Denial of Service) are a huge problem that we, as a country, have done nothing to protect ourselves against.  Concern over where the computing resources to create such a botnet will come from is great, as there is talk about using civilian infrastructure to supplement Air Force resources.  I plan to write more on this topic as more news starts trickling in.

The World Congress of IT will attempt to start a co-op of companies and countries to make an International Multilateral Partnership Against Cyber-Terrorism (IMPACT).  The board is said to be made up of security all-stars from companies like Google and Symantec.  It is the hope of the World Congress of IT that IMPACT becomes a Centers for Disease Control (CDC) type of organization for cyber security.  Its main function will be to provide a place for communication when cyber attacks occur.  This coordination system will help organize international response to these attacks, particularly on civilian targets.

President Bush’s National Cyber Security Initiative- A 21st Century Manhattan Project

May 17, 2008 Steve S 2 comments

The Bush Administration’s new Cyber Security initiative has already received $150 million this year and is expected to receive an astounding increase next year for a total of $192 million.  The mission of this new initiative is to improve on tools that currently exist to protect classified networks on federal networks in order to reduce the likelihood of major damage to all government networks.  According to a blog post at Wired Magazine, the government also would like to reduce the connections to the internet from 2,000 to 50 in order to make patrolling the cyber perimeter more manageable.

Likely to drain up to $17 billion from the federal budget, the Cyber Security Initiative is cloaked in secrecy.  Apart from what you just read in the first paragraph, the public knows little more about the new initiative.  Analysts believe that the secret parts of this plan would spend billions of dollars on “unproven, embryonic technology, and possibly illegal or ill-advised projects.”

Just as with the Patriot Act, many things are hidden in it that normal citizens just wouldn’t be comfortable with.  A study by the Armed Services Committee reports that a great deal of spying will happen under the name of cyber security.  For example, many of the projects purportedly included in this umbrella initiative also look to expand foreign intelligence gathering.  Additionally, it may give agencies like the NSA free rein to examine emails, information transfers and search engine requests without a warrant.

Because the Bush Administration has marked the initiative with the “For Official Use Only” mark, normal citizens cannot get access to the documents, even though they are not technically classified.  This mark prevents widespread public knowledge of this new program, which in itself presents a problem of civil liberties.  Beyond the reduction of civil liberties in not being able to learn about the initiative, citizens are also at risk of having their liberties attacked based on the actual content of the document.

Department of Homeland Security Secretary Michael Chertoff explained at April’s annual RSA conference that he hopes that this 21st century Manhattan Project will lead to tech breakthroughs that will transfer over to the private sector.  Chertoff’s stance on better cyber security is that improvement will lead to fewer intellectual property and identity thefts.  He went on to explain that security and privacy are complementary to each other, rather than feuding ideas.

Despite early reports of hidden programs and the lack of more specific information in the new Cyber Security Initiative, I believe that it is a step in the right direction.  For years, analysts and security professionals have warned that the United States’ cyber security strategy was incredibly lackluster.  In the past six months, the Bush Administration has pushed for the hardening of government networks.  Large advances in the development of cyber security in the U.S. have appeared in many forms.  The U.S. Air Force is in the process of creating a cyber security element (see my article on AFCYBER for more information).  Additionally, President Bush has recently signed a new Executive Order to beef up the jurisdiction of the Department of Homeland Security and the NSA to monitor and patrol domestic networks.

Many private industry professionals moffed Secretary Chertoff and President Bush’s plans for increasing security.  Ray Kaplan, a founder of the RSA Conference, believes that government has a large role to play in increasing cyber security and protection, particularly in grants for research.  Kaplan also details the fact that the U.S. government must release real threat metrics so the individual industries know how susceptible they are to attacks.  Presently, the information isn’t shared and there isn’t a common language that everyone agrees on.  It sounds like standardization of metrics and dissemination of critical information is something that needs to be a priority for the government.

Update:  Upon further research I found Secretary Chertoff’s outline of the new initiative:

  • Reducing and consolidating the thousands of federal network Internet connections under the Trusted Internet Connections initiative. Reducing the number of connections to fewer than 100 could enable better control and monitoring of activities.
  • Using the certification and accreditation authority of the Office of Management and Budget under the Federal Information Security Management Act to ensure that agencies establish watch-and-warning capabilities on their networks on a 24/7 basis, to improve cyber incident detection and response capabilities.
  • Developing a faster process for detecting and responding to anomalous behavior on global networks, so that attacks can be spotted in a matter of minutes, not hours.
  • Fully developing the potential of Einstein, the system used by US-CERT to spot problems on global networks.
  • Ensuring the trust and assurance of information technology components acquired for critical systems in a global marketplace.
  • Better internal security and baking security into the culture of critical infrastructure organizations.
  • Improving methods and technology for using security to improve online privacy, because the Internet has become an essential part of the nation’s economy.

Updates and Housekeeping

May 14, 2008 Steve S

I just wanted to update my readers on a few things.  If it has seemed like I have not posted anything in a long time, I apologize.  I’ve been busy with finals for school, packing, going home and starting my summer internship which have prevented me from writing about interesting things.  The good news is that my internship at Applied Information Sciences is going to be a great opportunity for me and for my career.  I hope to bring some general experience that I obtain from the internship into the classroom and on this blog.

Next, I wanted to bring readers’ attention to two of my friends from Penn State who are attending (with other SRA students) the SARMA Conference in Arlington, Virginia.  The second annual event plays host for a terrific speaker series and a huge turnout of security and risk management/analysis companies.  Unfortunately, due to my internship hours, I am not able to attend.  Hopefully later in the summer I will be able to attend some other interesting security conferences hosted in the D.C. area where I live.  Please take a look at both Russ Beck’s and Matt Maisel’s blogs for a summary of interesting speeches and interactions with SARMA members.

Lastly, I would like to get some input on what you like about this blog both content and design.  If there are things you want me to discover and write about or have questions about other topics, please leave a comment in the form below.  I get a great deal of page hits for my two Ubuntu articles, but I would like to drive traffic to other parts and topics of this blog.  Any input and interaction about this blog is definitely appreciated.

A Note About The New Nationals Stadium

May 11, 2008 Steve S 1 comment

It has been a while since I have posted anything mostly due to finals and projects.  I finally got a chance to relax after unpacking and go to a baseball game with my family.  A few years ago, the Montreal Expos moved to Washington D.C. and became the Nationals.  They played up until this season in RFK stadium which is the former home of the Redskins and present home of the D.C. United.  The new baseball arena is built by the Washington Naval Yard, very close to the Marine Barracks where John Philip Sousa led the Marine Band.  The brand new stadium is beautiful in every aspect.  It is very open and allows for a fantastic view of the field from any seat.  Even from my nosebleed $5.00 seats I was able to enjoy the game immensely.  It was designed by the same person who built the Pirates’ stadium in Pittsburgh.

A quick word on technology (since this blog is centered on that topic).  In the past, my brother explained to me, ushers carried a green sign and a red sign.  This was the indicator to let stadium security know if someone was hurt after catching/getting hit by a foul ball.  In the Nationals’ new stadium, they all carry radio transmitters that do the very same job.  This update to a system that has worked in ballparks for years allows stadium safety officials to be far more accurate and get information fast if there is a problem.

The LED scoreboard is the biggest in baseball, measuring an astounding 4,532 square feet.  It is even rumored to be high definition, though I couldn’t tell from so far away.

The new stadium is also LEED certified, which means it meets energy saving standards that rival normal buildings.  I first encountered LEED certified buildings during the Future Forum, and it is nice to see a new, multi-million dollar sporting complex to be a part of this building technology.  Also noticeable from my nosebleed seats (besides major D.C. landmarks like the Capitol Building, Georgetown University and other monuments) were several examples of green roofs that are planted with apparently 1,200 plants that promote better drainage and keep buildings cooler in the warm summers in D.C.

For more information about the new ballpark, click here.

Update: I should also note that the Nationals lost to the Marlins at the game I attended.