STE WILLIAMS

Russia and China are using cyber-espionage to steal the US’s tech and economic secrets, according to a government report.

COLD WAR INTELLIGENCE REPORT (click to enlarge)

The Office of the National Counterintelligence Executive (ONCIX) presented the report (PDF) to Congress on Thursday, which claimed that both “adversaries” and “partners” were sticking their nose into government and business computers.

“Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect US technological and economic information will continue at a high level and will represent a growing and persistent threat to US economic security,” the report said, eschewing any attempts at modesty.

The report, which was titled Foreign Spies Stealing US Economic Secrets in Cyberspace and covered 2009 to 2011, singled out China as a place where cyber intrusions often originated, although it didn’t specifically finger the country’s government.

“Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the intelligence community [or the IC as the report offhandedly acronyms it]* cannot confirm who was responsible,” the office said.

Russia was another country to be named and shamed by ONCIX for pervasive cyber threats.

“Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets,” the report pointed out.

However, “US allies and partners” weren’t above a bit of pottering about in US networks looking for the odd tidbit either.

“Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence [another lovely acronym – HUMINT] tactics. Some of these states have advanced cyber capabilities,” ONCIX said.

The office rather obviously pointed out that stealing secrets in cyberspace was a lot easier than attempting to sneak out of offices carting folders, and as a result the US was suffering millions of dollars in losses from thieved classified information.

And it is not predicting that things will get much better either. Cloud computing and the proliferation of devices connected to the internet are both a concern, and “the IC anticipates that China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies”.

The report said China would continue to be driven to espionage by its policy of “catching up fast and surpassing Western powers”.

It said an “emblematic” programme in this drive was Project 863, which according to China is intended to “boost innovation capacity in the high-tech sectors, particularly in strategic high-tech fields, in order to gain a foothold in the world arena”, and according to the report “provides funding and guidance for efforts to clandestinely acquire US technology and sensitive economic information”.

ONCIX also points to possible future risks from different countries “as a function of international economic and political developments” and the risks from non-state actors such as terrorist groups, hacktivists and hackers for hire.

Bootnote

* In case you’re wondering why the US might need an acronym for the intelligence community, it might be because of the dizzying array of groups that make it up. To put this report together, ONCIX gathered inputs and reports from “many US government agencies, including the Air Force Office of Special Investigations (AFOSI), Army Counterintelligence Center (ACIC), Central Intelligence Agency (CIA), Defense Intelligence Agency (DIA), Defense Security Service (DSS), Department of Energy (DoE), Department of Health and Human Services (HHS), Department of State (DoS), Federal Bureau of Investigation (FBI), National Geospatial-Intelligence Agency (NGA), National Reconnaissance Office (NRO), National Security Agency (NSA), and Naval Criminal Investigative Service (NCIS)”. And that’s just the ones it’s happy to name… ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/china_russia_cyber_spies/

Developers submitting applications to Apple’s Mac App Store will soon be required to add an extra layer of security for their wares to be accepted.

Beginning in March, all apps submitted must implement sandboxing, a protection that tightly restricts the way applications can interact with other parts of the operating system. By isolating the app from sensitive OS resources, sandboxing minimizes the damage that can be done when vulnerabilities are exploited. It was significantly improved with this year’s release of OS X Lion.

“The vast majority of Mac users have been free from malware and we’re working on technologies to help keep it that way,” a blurb on Apple’s developer news page stated. “As of March 1, 2012 all apps submitted to the Mac App Store must implement sandboxing.”

The move comes as the quality and quantity of malware targeting Macs has steadily risen over the past year. The recently discovered DevilRobber.A trojan, for instance, commandeers a Mac’s graphics card to coin the digital currency known as Bitcoin, and OSX/Revir.A can install itself even without explicit user permission, bypassing a protection that has long brought comfort to many Mac fans.

Recent changes to the Flashback trojan prevent the malware from running on virtual machines, a stealth technique adopted years ago by Windows malware developers.

The new sandboxing requirement was quickly applauded by many security researchers, but the reaction among Mac developers was decidedly more mixed. According to The Unofficial Apple Weblog, Apple’s sandboxing approach has the potential to interfere with some functions, particularly those involving AppleScript and the programming interface known as Carbon.

“For 99.44% of the applications out there, sandboxing is a workable technology, whose adoption curve is relatively flat and low-friction, and whose users won’t notice any functional difference,” Rich Siegel, founder and CEO of the Mac development house Bare Bones Software, said in an email. “Applications whose functional scope is in that last 0.56% will require solutions that take into account the notion of ‘implicit user intent,’ which to date hasn’t been adequately addressed by the sandboxing model as currently presented.”

Siegel’s percentages are figurative and not intended to be taken literally.

The contrasting reactions highlights the longstanding conflict between the security and functionality of software. More often than not, when one is increased, the other suffers.

Ultimately, the new Apple mandate is a good thing. An analysis from last year showed that some of the most popular Windows applications, including Java, Apple Quicktime, and OpenOffice.org, failed to implement security protections that had been available for years in the Microsoft OS. What’s more, the report found that the Mozilla Firefox, Chrome, and Opera browsers applied the mitigations inconsistently.

Clearly, the build-it-and-they-will-come approach doesn’t always work when OS developers bake important protections into their systems. Apple’s mandate may be painful for some developers, but if it protects end users, it will be worth the hardship. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/mac_app_store_sandbox/

LCC Any British response to a foreign state’s cyberattack would be proportionate, a Foreign Office official told The Register yesterday.

On Monday, UK Prime Minister David Cameron told the London Conference on Cyberspace (LCC) that threats of electronic attacks were “a real and pressing concern” for the country.

“This summer a significant attempt on the Foreign Office system was foiled. These are attacks on our national interest. They are unacceptable. And we will respond to them as robustly as we do any other national security threat,” Dave said.

John Duncan, the FCO’s special representative for the conference, told El Reg that the nation’s response, military or otherwise, to cyberattacks was under constant review.

“The UK has just revised its nuclear declaratory policy, that is a reflection of the way the world is changing,” he said.

“As we look at the response to an attack through cyberspace, you can be quite sure that the government will keep this very closely under review to ensure that we respect the obligation to act proportionately – which is the fundamental principle of armed force. That’s a really key point in understanding what the Prime Minister is saying,” he added.

Duncan said that a major problem in dealing with international hacking attempts was working out where attacks are coming from.

“If one country launches an attack on another country using proxies – be they proxies in the original sense, meaning agents of that country, or proxy servers in the cyberspace world – we have to judge whether that is actually coming from a country,” he said. “And the first step is the diplomatic means and then the military means, as it has always been. We have to stand ready to respond in kind, because we’re very vulnerable, we’re all very vulnerable.”

Rise of the gangster-hacker

In other cases the attack may be coming from within a country, but enacted by criminal gangs or groups of terrorists, another possibility the government has to investigate.

“We no longer have the certainties of the Cold War,” Duncan said. “It’s very difficult to identify what the threat is and therefore it’s very difficult to train against the threat and to budget for the threat.

“It’s the non-state actor and the proxy actor that is the more dangerous threat to us today and it’s more difficult to prepare for because you don’t know where it’s coming from,” he added, acknowledging that it was the same in the real world.

Some would suggest that a weapon governments would like to have in their arsenal to deal with online issues is the ability to constrict social networks, something that has come up during the conference while both the Foreign Secretary William Hague and the Prime Minister have insisted that the UK supports an open and free internet.

After the summer riots, the government considered a move against the websites and services used by looters to communicate and organise raids.

“If you see something that’s a threat on one side of the cyberspace architecture, you have to be really careful in understanding that if you take action against it, it doesn’t damage the other parts of the architecture that you are trying to promote,” Duncan said. “And the British government did understand that.”

“There was a reaction of ‘What’s happening here, we need to have a look at it’, and the conclusion was we should not do anything to constrain Facebook and BlackBerry and all those things because it would damage other things we are trying to do,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/uk_cyberattack_response/

LCC The London Conference on Cyberspace wasn’t a forum for outing the states that had launched cyberattacks in the UK, the Foreign Secretary said yesterday.

One of William Hague’s “messages” from the conference, outlined in his closing remarks, was that “state-sponsored attacks are not in the interests of any country long-term, and those governments that perpetrate them need to bring them under control”.

The statement was rather weak when compared with the Prime Minister’s promise in his speech on Monday that the UK would respond “robustly” to any cyberattack.

When challenged on why Britain hasn’t done more about the state-sponsored attacks that have already happened, Hague told reporters that they were going about this issue in a diplomatic way.

“We have not been having a judgemental conference. I don’t think you can simultaneously hold a conference of this kind, drawing governments into the discussion and then doing the equivalent of pointing the finger at them all saying ‘You are guilty men’,” he said.

He also said that people made a lot of assumptions about who was behind state attacks and they weren’t always right.

However he added that he expected the government would have “vigorous and private discussions about these things” in the future.

The conference has also come under some criticism for apparently stirring the brewing trouble between Western countries and China and Russia over the issue of internet regulations.

William Hague acknowledged that the UK and US message from the conference that the internet shouldn’t be subject to strong state control was in some conflict with China and Russia’s call for a code of conduct online, but said he hadn’t expected to solve that conflict in the last two days.

“There’s a difference between Britain, the US and European societies on the one hand and China and Russia, of course. There’s different attitudes to freedom of expression, offline as well as online,” he told reporters, adding that he didn’t expect to “square” those differences right now.

However, he reiterated the British government’s stance that there should be freedom of expression and openness online and said states that hoped to curb their citizens on the web were likely to be disappointed.

“In the long term, efforts to resist the free flow of information, the tide that’s going towards greater transparency and accountability, will fail,” he said.

A statement on the findings of the conference can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/cyber_attack_states/

A UK government minister has reassured Parliament that upcoming deployments of smart meters will be secure.

The assurances by junior energy minister Charles Hendry follow admissions by a senior civil servant at a House of Commons Public Accounts committee on Monday that the government’s £12bn plan to roll out smart energy meters in the UK by 2019 might yet be shelved, depending on the outcome of a review next year. The review will focus on the business case for the deployment of smart meters but security concerns also exist.

Last year Ross Anderson, professor in security engineering at the University of Cambridge Computer Laboratory, warned that smart metering would introduce a “strategic vulnerability” that might be exploited by hackers to remotely switch off elements on the gas or electricity supply grid. Software errors introduced during an update also pose a risk.

Security researchers at IOActive previously highlighted (PDF) flaws in poor authentication, lack of encryption and inadequate authorisation in smart meter rollouts during a research project that looked at rollouts in the US and Europe.

Asked about these security concerns, and in particular fears that smart meter systems may not have been properly secured against hacking by third parties, Charles Hendry, minister of State for the Department of Energy and Climate Change, told Parliament on Wednesday that a comprehensive risk assessment programme would accompany the deployment of the technology.

The government are putting robust arrangements in place for the security of the smart metering system, which have been informed by a rigorous risk assessment. DECC has a dedicated team of security experts within the Smart Metering Implementation Programme, who perform ongoing risk assessments in order to identify the nature of possible threats, including hacking by third parties.

Security requirements are being developed to minimise: (i) the likelihood of such an event taking place, and (ii) the impact should it occur. The development of these requirements has involved extensive consultation with other government departments and relevant agencies, as well as with industry.

We have a comprehensive risk assessment and we are developing a plan for implementation, which will specify the enduring security governance roles and responsibilities to ensure risks are appropriately managed.

Smart meters introduce two-way communication between a meter and the central system of a utility absent from older analogue meters. The devices feature sensors, so they can monitor and report on the quality of gas and electricity supply, as well as how many units are consumed for billing purposes.

Utilities want to deploy smart meters because the technology will simplify the process of collecting meter reading and controlling supply at times of high demand. The kit also makes it easier to switch subscribers to higher tariffs in cases where they fail to pay their bill on time.

But for consumers the rollout of an estimated 47 million smart meters to the UK’s 26 million homes is likely to cost £6 per annum per household at a time when energy prices are already rising at record rates, a trend that shows no signs of turning around anytime soon. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/smart_meter_security/

Security appliance firms are using the big industry push towards cloud services, and the trend of allowing staff to bring their own devices into work, to sell technology that attempts to fix the resulting security mess.

ForeScout Technologies launched a scheme to sell its CounterACT Network Access Control (NAC) technology as a cloud platform to hosted and managed service providers (MSPs) on Tuesday. The firm already plays in hosted but MSPs will be a new string in its bow.

The move coincides with the release by Bradford Networks, a competitor to ForeScout, of an app that enables secure network access for trusted iPads, iPhones and other Apple devices. The app is a feature of the latest version of Bradford’s Network Sentry, version 5.3, which will be generally available this month.

Network Access Control (NAC) technology can be compared to nightclub bouncers. Instead of saying that you can’t get in a club with jeans, NAC tech stops laptops accessing a network unless they are fully patched and running up to date anti-virus, for example, an approach that guards against cross-contamination of computer worms. NAC tech can also restrict what areas of a network a guest device (smartphones, mobile, tablet etc) can access, much like bouncers who block access to the VIP area of a club (for VIP area read customer database, accounts etc.)

ForeScout and Bradford Networks compete in the network access control (NAC) and policy compliance market with products and services from the likes of Cisco, Juniper and McAfee.

NAC technology attempts to solve various problems including policy enforcement and access management that other bits of security tech also attempt to tackle. Perhaps because of this confusion the technology, first talked about seven or eight years ago, is still in the early adopter phase. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/nac/

Facebook has once again been forced to defend its use of cookies after a German watchdog said it was “suspicious” that the dominant social network was creating tracking profiles of its users without seeking their consent to do so.

The company denied it was slurping such data from its stalkerbase as claimed by the Hamburg data protection authority (DPA).

“Facebook does not track users across the web,” it said in a statement. “Instead, we use cookies on social plugins to personalise content (e.g. Show you what your friends liked), to help maintain and improve what we do (e.g. Measure click-through rate), or for safety and security (e.g. Keeping underage kids from trying to signup with a different age).

“No information we receive when you see a social plugins is used to target ads, we delete or anonymise this information within 90 days, and we never sell your information.”

On the thorny topic of logged-out cookies, Facebook said it deleted the files when a user signed out of the site.

“We do not receive personally identifiable cookie information when logged-out users browse the web,” the firm said.

The Hamburg DPA has previously warned Facebook that it would be fined by the watchdog if the company failed to delete the “biometric data” it harvested from its facial recognition tech.

The Register understands that Facebook has offered to provide the DPA with a technical explanation of how it uses cookies. For its part, the company considers any conclusion reached by the Hamburg watchdog before proper consultation with Facebook to be “incomplete”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/facebook_cookies_data/

Google is among 26 companies that have signed up to the government’s latest effort to create a British business sector out of the handling of private data and an individual’s online identity.

The logo depicts the comforting eye of

Sauron midata…

UK.gov prefers to cast this agenda as part of its push to make the government and private companies more transparent about the information they hold on taxpayers and consumers.

The Business, Innovation and Skills department launched “midata”, which is based on a voluntary partnership, today and said that consumers in Blighty would soon be able to access information held by the likes of British Gas, MasterCard and Google via online “personal data inventories” (PDIs).

According to BIS, companies that sign up to midata would benefit from more information being shared by consumers.

“As customers get used to updating and managing preferences and permissions, they are more likely to opt in rather than out of marketing communications,” said the department in a document outlining the “potential benefits” to business.

BIS claimed that consumers would be “empowered” by such data sharing online.

But the agenda also feeds heavily into the Cabinet Office’s plan to offload identity-handling onto the private sector.

“Under the government’s proposed ID assurance scheme, a market for providers of identity services will be created. Individuals will be able to take these ‘tokens of identity’ with them from organisation to organisation,” said BIS.

“The same approach can be extended to other tokens of verification, for example that this person ‘has this credit score’, or ‘is entitled to these benefits’. These tokens can reduce risk and streamline sales processes.”

Unsurprisingly, the government – anxious not to see a backlash from privacy advocates accusing it of mounting its own infant ID card system, sans the card – reasserted that it won’t have a huge data repository in Whitehall that holds all of this information.

“Midata will not create any central databases or data portals,” said BIS.

“Any data that companies pass back to customers will passed to individuals and no one else. The government won’t see or have access to any of the data that is released. Releasing data back to individuals is a matter for companies and their customers alone.”

It will make the first PDIs available in 2012.

“Consumer data is an incredibly valuable commodity and the amount of data kept and used is set to grow as people increasingly use online and digital services,” said watchdog Consumer Focus.

“This data should not just benefit the businesses and services who collect it. Midata is an important initiative that could help people retrieve and reuse their own personal data for their own benefit.

‘”But there is also the risk of serious consumer detriment if data is lost, leaked, misused or stolen. Protecting consumer data will be the pass or fail criteria for this initiative.”

Meanwhile, Information Commissioner Christopher Graham said he hoped the new scheme would operate within the current law.

“It goes without saying that privacy and data security principles must continue to be upheld and I’m pleased that consumer data security has been a key strand from the outset,” he said.

“I look forward to continuing to work with the government and businesses to ensure the scheme complies with the Data Protection Act.”

As we revealed yesterday, the government’s £10m-and-counting ID assurance scheme will almost certainly be subjected to primary legislation. But it remains to be seen whether such a new law, if passed in Parliament, would include provisions for the Midata marketplace now in play. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/bis_midata_id_assurance/

Interview As information and privacy commissioner of Ontario, Ann Cavoukian’s jurisdiction is limited to the Canadian province. But that doesn’t mean the effects of her post don’t extend into territories across the globe.

“What I always say is privacy transcends jurisdiction,” she says. “It knows no boundaries. So if I’m going to protect the privacy of people in my jurisdiction, I’m going to protect privacy everywhere. Everyone is using Google, Facebook. How do you ensure that the information you give to these people or collect from them is safe anywhere? So to me, privacy is a global issue.”

Indeed, the Privacy by Design initiative she spearheaded has become an internationally recognized recipe for embedding privacy protections into the very fabric of a website or product.

Ontario Information and Privacy Commissioner Ann Cavoukian

She put those design principles to the test a few years ago when the Ontario Lottery and Gaming Corporation began using facial recognition technology in casinos to spot people who identified themselves as gambling addicts. To prevent police, Casino employees, or others from accessing the database and using the contents for unauthorized purposes, the system adopted what’s known as biometric encryption.

Developed by researchers from the University of Toronto, biometric encryption binds a random key with the biometric data to create a private template that’s unique and can’t be cross-matched with other databases. The key can be retrieved only when a fresh biometric sample from one of the problem gamblers is presented, making it hard for the data to be tapped for other purposes.

El Reg recently caught up with Commissioner Cavoukian at the Web 2.0 Summit in San Francisco.

The Register:Tell us more about Privacy by Design.

Cavoukian: My message through Privacy by Design is try to prevent the harm from arising to begin with. It’s a preventative approach. It’s proactive, it’s holistic. Don’t wait for the privacy harm to arise and then you, the business, have to assume the regulatory burden of compliance with the legislation and the ramifications of that breach in terms of loss to your business, to your brand, and the cost of lawsuits.

So that’s what Privacy by Design is. It’s coming before the privacy harm has arisen. And if you can do that as a business, and we’ll tell you how to do it, then you can gain a sustainable competitive advantage. There’s a significant payoff to be had by protecting privacy.

Do you find by mandating that certain protections or practices are followed in your province, it ultimately means those practices are going to be followed universally?

It’s not a definite, but this one I can say absolutely. I put forth a resolution on Privacy by Design to make it an international standard, and it was unanimously passed [at the International Data Protection and Privacy Commissioners Conference last year in Jerusalem]. What that means is Privacy by Design, this proactive framework, is now being adopted globally, in all jurisdictions, including here in the United States.

[The US Federal Trade Commission adopted Privacy by Design in December.]

So it is an international framework now for privacy protection, and people, regulators, everyone is saying if you can do this Privacy by Design thing you’re way better because you prevent so much of the burden that arises after a privacy harm takes place.

Next page: ‘Positive sum model’

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/privacy_commissioner_speaks/

Over the next five years Beijing will get 480,000 free Wi-Fi hotspots, but using them will require a mobile number and an agreement to have your activities tracked and monitored.

The network is being put together by China Mobile, China Unicom and China Telecom, and will be free to use for least the next three years. However, access will require one to hand over your mobe’s number, which can be used to “trace those whose online activity might endanger social security”, China.org was told.

The Beijing network could well be the largest municipal Wi-Fi network in the world, with 90,000 hotpots to be live by the end of 2011 and another 390,000 being connected over the next five years. But by the time it’s finished time users might be expected to pay for access as well as being tracked at every turn, as free access is only being offered until the tail end of 2014.

Not that locals seems worried about government snooping: internet usage is already notoriously restricted in China. The real concern is that creating a link between a mobile phone number and a web browsing history (plus a physical location) will open the door to even more mobile spam.

The Chinese are bombarded with advertising pushed to their handsets, and some argue that a few more ads won’t make a significant difference. The state’s officials are saying the data won’t be sold off to private companies, but Beijing residents don’t seem to be as trusting as the wonks might hope. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/china_free_wifi/