Cyber Security Draft Law Tightens Grip on China’s Network Security

China is taking a no-holds-barred approach to cyber security, especially with respect to the acquisition of foreign cyber security technologies. Its new draft cyber security law tightens the Chinese government's grip on the country's network security:

Ensuring the security of network products and services is fundamental to cyber security. The Chinese government intends to implement a strict policy on network products and services to improve China’s cyber security. The Draft sets up a system where key IT hardware and equipment must meet mandatory security qualifications, and acquire government certification, before being sold and implemented.

Article 19 of the Draft states that key network facilities and special network safety products may only be sold after being certified or after passing a test established by the relevant authority. The catalog of key network facilities and special network safety products will be published by the national network and information authority and relevant departments under the State Council separately.

However, this approach may not be novel—it may be a reflection on, and consequence of, recent events. Specifically, foreign IT suppliers may face greater challenges when attempting to provide any of the aforementioned products or services.

Until recently, Chinese companies and administrative authorities widely used foreign software and hardware in their IT systems. However, when the PRISM project was uncovered in 2013, the Chinese government was alerted to the inherent dangers of foreign IT products; products from American IT tycoons like IBM, Oracle, and EMC (IOE) were ubiquitous. Since these foreign IT products create the potential risk that foreign governments could be provided with critical and confidential information, more and more Chinese companies and administrative authorities stopped using foreign IT products (including, but not limited to, IOE). Instead, Chinese entities have turned to domestically developed products and services, or have started developing their own technologies.

In response to these concerns, the Guidelines on Banks Using Secure and Controllable Information Technology (2014-2015) (《银行应用安全可控信息技术推进指南(2014-2015)》) (Guidelines) were promulgated by the Ministry of Industry and Information Technology and the China Banking Regulatory Commission (CBRC) on 26 December 2014. While the Guidelines do not explicitly prohibit foreign suppliers from selling IT software and hardware to the Chinese banking industry, they do set a very high bar for foreign supplier entry into the market. For example, source code of the software attached to certain network equipment (e.g. backbone routers) and storage equipment (e.g. storage FC switches) must be filed with the Technology and Information Department of CBRC for recording purposes; the monitoring and administering interface of certain network equipment (e.g. firewalls) must be tested and certified by the Technology and Information Department of CBRC; suppliers of certain kinds of network equipment (e.g. core switches) and storage equipment (e.g. tape library) are required to establish R&D centers in China.

It is going to be exceptionally tough for American cyber defense technology vendors to (pun intended) penetrate China as a result of this law.

Disclosure: I work for Intel Security, a cyber security product and services vendor.

Former Homeland Security Secretary Michael Chertoff Publicly Discloses His Disagreement With FBI Director James Comey on the Government Desire to Backdoor Encryption

In what most cyber security experts would call a surprising change of heart, former Homeland Security Secretary Michael Chertoff has publicly disclosed his disagreement with FBI Director James Comey on the government's desire to backdoor encryption (emphasis added):

I think that it’s a mistake to require companies that are making hardware and software to build a duplicate key or a back door even if you hedge it with the notion that there’s going to be a court order. And I say that for a number of reasons and I’ve given it quite a bit of thought and I’m working with some companies in this area too.

First of all, there is, when you do require a duplicate key or some other form of back door, there is an increased risk and increased vulnerability. You can manage that to some extent. But it does prevent you from certain kinds of encryption. So you’re basically making things less secure for ordinary people.

The second thing is that the really bad people are going to find apps and tools that are going to allow them to encrypt everything without a back door. These apps are multiplying all the time. The idea that you’re going to be able to stop this, particularly given the global environment, I think is a pipe dream. So what would wind up happening is people who are legitimate actors will be taking somewhat less secure communications and the bad guys will still not be able to be decrypted.

The third thing is that what are we going to tell other countries? When other countries say great, we want to have a duplicate key too, with Beijing or in Moscow or someplace else? The companies are not going to have a principled basis to refuse to do that. So that’s going to be a strategic problem for us.

Finally, I guess I have a couple of overarching comments. One is we do not historically organize our society to make it maximally easy for law enforcement, even with court orders, to get information. We often make trade-offs and we make it more difficult. If that were not the case then why wouldn’t the government simply say all of these [takes out phone] have to be configured so they’re constantly recording everything that we say and do and then when you get a court order it gets turned over and we wind up convicting ourselves. So I don’t think socially we do that.

And I also think that experience shows we’re not quite as dark, sometimes, as we fear we are. In the 90s there was a deb — when encryption first became a big deal — debate about a Clipper Chip that would be embedded in devices or whatever your communications equipment was to allow court ordered interception. Congress ultimately and the President did not agree to that. And, from talking to people in the community afterwards, you know what? We collected more than ever. We found ways to deal with that issue.

These are all the exact same arguments security experts have been making in opposition to the idea of some kind of unicorn-dust magic key that will unlock every form of encryption available on the planet. It is very curious to see Chertoff have this change of heart considering his background, and especially since he used to have to toe the government line on law enforcement capabilities.

That he hits the nail directly on the head with respect to why the FBI’s notion of a backdoor is such a bad idea is quite noteworthy. Chertoff is quite possibly the first former federal law enforcement senior leader to publicly disagree with Comey and the Obama administration on its ardent desire to make it easy for the FBI and other federal agencies to spy on Americans.

Hopefully Chertoff’s influence extends beyond his own nose and others in his sphere come to the realization that this idea of the government holding a magic backdoor key is nothing but a pure pipe dream.

US Will Face a Paralyzing Cyber Attack Against the Power Grid

Cyber security experts agree on many things, and one of the more recent points of agreement is that the US will face a paralyzing cyber attack against the power grid:

The attack scenario described by Business Blackout illustrates the effects of a malware-based attack on systems that control the national power grid. The attack causes an electrical blackout that plunges 15 US states and principal cities, including New York City and Washington DC, into darkness. Nearly 93 million people will remain without power in the scenario hypothesized by the study.

The attackers spread the ‘Erebos’ Trojan through the network with the effect of compromising the electricity generation control rooms in several locations in the Northeastern United States.

According to the researchers, the attack will cause health and safety systems to fail, disrupting water supplies as electric pumps fail. Chaos will reign, causing the failure of main services, including transportation. The malware is able to infect the Internet and search and compromise 50 generators that it will destroy, causing prolonged outages in the region.

The total of claims paid by the insurance industry has been estimated to fall between $21.4b and $71.1b, depending on the evolution of the scenarios designed by the researchers.

The researchers involved in the simulation have calculated the economic losses could range from $243 million to $1 trillion, depending on the number of components in the power grid compromised by the attack.

Harvard Business Review Tackles Why Cybersecurity Is So Difficult to Get Right

It seems like every day we read about a new breach or data leak, especially one involving the US government. Because of this, a lot of people are asking why cyber security is so difficult to get right. The Harvard Business Review attempts to tackle this question:

The reality today is that no matter how careful we are, no matter how well we design our strategies or how thoroughly we educate and engage employees, we’re never 100% safe against a cyber-attack. Our best defense is to revamp how we’ve been approaching security, and to move from constantly bombarded, isolated defensive positions to a united, intelligence-driven collaborative front against cybercrime.

We need to begin thinking like the hackers that are so successfully penetrating companies. Hackers use the Dark Web underground network to share data, expertise, and resources. Using collaboration, they’ve formed complex and highly efficient cybercrime rings, from which 80% of malicious campaigns start. The private sector is still largely working in silos, with no visibility as to what attacks are on the horizon until they hit.

To truly fight back as best as we can, we need to collaborate on the same level as hackers, sharing information across industries and organizations to see attacks in real time. Just like a disease epidemic, if we’re able to put the right infrastructure, warnings, and precautions in place before a malicious attack comes to us, chances are that we’ll be much better equipped to spot it and shut it down if it does get into our systems.

Five Lessons Learned on the “Security of Things” From the Jeep Cherokee Hack Aftermath

Five lessons learned on the “Security Of Things” from the Jeep Cherokee hack aftermath (emphasis added):

This is the one of the most dramatic demonstrations to date of the cybersecurity challenges that will accompany the growth of the Internet of Things (IoT). And, it offers an opportunity to make some broader observations about the changing landscape of cybersecurity as systems become increasingly connected and decentralized.

Here are five takeaways on the Security of Things (SoT) that designers—as well as companies building products for the cybersecurity market—should keep in mind as they build increasingly complex and connected systems:

1. Connectivity has outpaced security

In the rush to increase connectivity, manufacturers—and not just vehicle manufacturers—are often giving insufficient attention to the additional security exposures created when complex systems become increasingly linked. More connections mean more pathways and back doors that could be exploited by a hacker—especially when a system’s own designers may not be aware that those pathways and back doors even exist. To address this, designers need better tools to enable them to fully understand all of the ways that information will be able to move around a complex, dynamic, distributed system.

This is just one of the five, all of which are well thought out. Internet of Things vendors need to consider a great deal to keep the world safe in the coming era, where device connectivity will be a requirement rather than a feature. As IoT overtakes traditional computing, the attack surface is going to expand enormously, with every device (your refrigerator, toaster, washing machine, etc.) becoming a potential point of compromise waiting to be exploited by malicious actors.
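The first takeaway's point about pathways the designers do not know exist is, in practice, a reachability question over the system's component graph. The following added example (mine, not code from the article, from the researchers, or from any vehicle vendor) enumerates every route from an externally reachable interface to a safety-critical controller over a small, constructed component graph, and identifies the choke points a gateway filter would have to cover. The topology and component names are assumptions for illustration, not the actual Cherokee architecture.

```python
"""Attack-path enumeration over a connected-vehicle component graph.

Added illustration, not code from the article or from any vehicle vendor.
The component names and links below are a constructed, simplified model
(an assumption), not the real Jeep Cherokee architecture.
"""

# Directed edges: a component on the left can send data to the ones on the right.
LINKS = {
    "cellular_modem": ["head_unit"],
    "wifi_hotspot": ["head_unit"],
    "bluetooth": ["head_unit"],
    "usb_port": ["head_unit"],
    "head_unit": ["infotainment_can_gateway"],
    "infotainment_can_gateway": ["body_can", "powertrain_can"],
    "body_can": ["door_locks", "lighting"],
    "powertrain_can": ["engine_ecu", "brake_ecu", "steering_ecu"],
    "obd_port": ["powertrain_can"],
}

# Interfaces reachable from outside the vehicle, and assets that must not be.
EXTERNAL_ENTRY_POINTS = {"cellular_modem", "wifi_hotspot", "bluetooth"}
SAFETY_CRITICAL = {"engine_ecu", "brake_ecu", "steering_ecu"}


def all_paths(graph, src, dst, max_depth=10):
    """Enumerate every simple path from src to dst (depth-limited DFS)."""
    paths = []
    stack = [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        if len(path) >= max_depth:
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:  # simple paths only, no revisiting
                stack.append((nxt, path + [nxt]))
    return paths


def exposure_report(graph, entry_points, critical):
    """Map each critical asset to every external path that reaches it.

    Assets with no external path are absent from the result."""
    report = {}
    for asset in sorted(critical):
        for entry in sorted(entry_points):
            for p in all_paths(graph, entry, asset):
                report.setdefault(asset, []).append(p)
    return report


def choke_points(graph, entry_points, critical):
    """Intermediate nodes that lie on every external path into a critical asset.

    Filtering at such a node cuts all remote routes to the asset, which is
    where a gateway rule buys the most."""
    result = {}
    for asset, paths in exposure_report(graph, entry_points, critical).items():
        common = set(paths[0][1:-1])
        for p in paths[1:]:
            common &= set(p[1:-1])
        result[asset] = sorted(common)
    return result


if __name__ == "__main__":
    for asset, paths in exposure_report(LINKS, EXTERNAL_ENTRY_POINTS, SAFETY_CRITICAL).items():
        print(asset)
        for p in paths:
            print("   ", " -> ".join(p))
    print("choke points:", choke_points(LINKS, EXTERNAL_ENTRY_POINTS, SAFETY_CRITICAL))
```

Running it on the constructed model shows every remote route into the powertrain controllers passing through the head unit and the infotainment-to-CAN gateway, which is exactly the kind of path a designer should either not have, or should filter with an allow-list of messages.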

Phishing Attacks Remain the Most Popular Attack Vector and Are Driving a Spike in DNS Abuse

Phishing attacks remain the most popular attack vector and are driving a spike in DNS abuse:

No one attack campaign is behind the spike in malicious domains, but popular and pervasive exploit kits such as Angler are a big piece of the puzzle, he says. “The backend stuff is being done by domains,” he says.

DNS, which converts domain names into machine-readable IP addresses, has become a popular vehicle for the bad guys to use in the distribution of their malware, the theft of information, and distributed denial-of-service attacks.

The DNS Threat Index has been on the rise for three quarters straight. “This could indicate cybercriminals are expanding the infrastructure to leverage targeted attacks for spreading malware and/or exfiltrating data,” the Infoblox report said.

Internet pioneer and DNS expert Paul Vixie says there are ways to slow and possibly trip up DNS abuse. He has proposed a “cooling-off period” for DNS providers to activate new domains, an approach that would help minimize domain abuse. A new generation of inexpensive and quick startup domain names has made it easier for bad guys to set up shop in the DNS infrastructure, according to Vixie.
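As an added illustration (not code from the article, from Infoblox, or from Vixie), here is what the detection side of a cooling-off period looks like: a resolver-log check that flags queries whose registrable domain was registered less than N days ago. The registration-date table, the log lines and the as-of date are all constructed stand-ins; a real deployment would pull creation dates from WHOIS/RDAP or a domain-age feed and use the Public Suffix List to find the registrable domain.

```python
"""Flag DNS lookups for newly registered domains.

Added illustration of the "cooling-off period" idea applied on the
detection side; not code from the article or from Infoblox. The
registration dates, log lines and as-of date are constructed.
"""
from datetime import date

# Constructed stand-in for a domain registration-date feed (assumption).
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "fresh-update-account.xyz": date(2015, 7, 26),
    "cdn-static-assets.top": date(2015, 7, 29),
}

# Constructed resolver log lines: timestamp, client, queried name, qtype.
LOG_LINES = """\
2015-07-30T09:12:01 10.0.0.21 www.example.com A
2015-07-30T09:12:03 10.0.0.21 login.fresh-update-account.xyz A
2015-07-30T09:12:04 10.0.0.33 js.cdn-static-assets.top A
2015-07-30T09:12:05 10.0.0.33 mail.example.com MX
""".splitlines()

TODAY = date(2015, 7, 30)      # constructed as-of date for the demo
COOLING_OFF_DAYS = 7           # domains younger than this are suspect

# Tiny constructed suffix set; real code should use the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "xyz", "top", "net", "org"}


def registrable_domain(name):
    """Collapse a hostname to its registrable (second-level) domain.

    Handles only single-label suffixes from PUBLIC_SUFFIXES; returns None
    for names it cannot classify."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] not in PUBLIC_SUFFIXES:
        return None
    return ".".join(labels[-2:])


def parse_log_line(line):
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def domain_age_days(domain, today, registry=REGISTRATION_DATES):
    reg = registry.get(domain)
    return None if reg is None else (today - reg).days


def flag_young_domains(lines, today, cooling_off=COOLING_OFF_DAYS,
                       registry=REGISTRATION_DATES):
    """Return (flagged, unknown).

    flagged: records whose registrable domain is younger than cooling_off
    days, annotated with the domain and its age.
    unknown: records with no registration data; a resolver policy should
    treat these as suspect rather than silently allow them."""
    flagged, unknown = [], []
    for line in lines:
        rec = parse_log_line(line)
        dom = registrable_domain(rec["qname"])
        age = domain_age_days(dom, today, registry) if dom else None
        if age is None:
            unknown.append(rec)
        elif age < cooling_off:
            rec["domain"], rec["age_days"] = dom, age
            flagged.append(rec)
    return flagged, unknown


if __name__ == "__main__":
    flagged, unknown = flag_young_domains(LOG_LINES, TODAY)
    for r in flagged:
        print(f"{r['ts']} {r['client']} {r['qname']} -> {r['domain']} "
              f"registered {r['age_days']} days ago")
    for r in unknown:
        print("no registration data:", r["qname"])
```

The same age test can be enforced at the resolver (refuse or sinkhole the answer) rather than only logged; the threshold is a policy choice, and unknown domains are reported separately so that a gap in the registration feed does not turn into a silent allow.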

CIA Considers Preventing American Spies From Working Overseas Ever Again Thanks to OPM Breach

As a result of the recent OPM breach, the CIA is considering preventing a large number of its American spies from ever working overseas again because of the potential danger they now face (emphasis added):

The C.I.A. and other agencies with undercover officers would be cautious about immediately withdrawing spies from China because that would raise suspicions among Chinese counterintelligence operatives. A C.I.A. spokesman declined to comment.

The C.I.A. and other agencies typically post their spies in American embassies, where the officers pose as diplomats working on political affairs, agricultural policy or other issues. The American Embassy in Beijing has long housed one of the largest C.I.A. stations in the world, with intelligence officers gathering information on China’s political maneuvering, economic development and military modernization.

Several current and former officials said that even if the identities of the agency officers were not in the personnel office’s database, Chinese intelligence operatives could run searches through the database on everyone granted visas to work at American diplomatic outposts in China. If any of the names are not found in the stolen files, those individuals could be suspected as spies by a process of elimination.

The director of the National Security Agency, Adm. Michael S. Rogers, alluded to that problem Thursday night during an interview at the Aspen Security Forum in Colorado.

“From an intelligence perspective, it gives you great insight potentially used for counterintelligence purposes,” Admiral Rogers said. “If I’m interested in trying to identify U.S. persons who may be in my country — and I am trying to figure out why they are there: Are they just tourists? Are they there for some other alternative purpose? — there are interesting insights from the data you take from O.P.M.”

As I keep saying, the OPM breach is one of the worst in the history of the US government and will have unintended consequences for years to come.

NSA Has Publicly Disclosed It Will Finally Cease Using Bulk US Telephone Metadata in November

The NSA has publicly disclosed it will finally cease using bulk US telephone metadata in November in compliance with the recently passed USA Freedom Act:

The office of the Director of National Intelligence said in a statement that the bulk telephony data — the subject of leaks by former intelligence contractor Edward Snowden which shocked many in the US and abroad — would be destroyed “as soon as possible” to comply with a law passed by Congress in early June.

The statement said that during the 180-day transition period required under the USA Freedom Act, “analytic access to that historical metadata… will cease on November 29, 2015.”

But it added that “for data integrity purposes,” NSA will allow technical personnel to continue to have access to the metadata for an additional three months.

Additionally, the statement said NSA must preserve bulk telephony metadata collection “until civil litigation regarding the program is resolved, or the relevant courts relieve NSA of such obligations.”

The data kept for litigation “will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.”

Surely there are other authorities the NSA will leverage so they can continue to access either this metadata or other forms of collected data. This is definitely not the end of NSA bulk phone record collection.

Web Sites Need to Wake Up and Stop Blocking Password Managers Because, You Know, It's 2015!

Any web site that disables pasting a password from the clipboard does not deserve anyone's patronage: it shows the site's operators lack even the most basic cyber security knowledge, not to mention how customer-unfriendly such an act is:

You know that. But what’s crazy is that, in 2015, some websites are intentionally disabling a feature that would allow you to use stronger passwords more easily—and many are doing so because they wrongly argue it makes you safer.

Here’s the problem: Some sites won’t let you paste passwords into login screens, forcing you, instead, to type the passwords out. This makes it impossible to use certain kinds of password managers that are one of the best lines of defense for keeping accounts locked down.

Typically, a password manager will generate a long, complex, and—most importantly—unique password, and then store it in an encrypted fashion on either your computer or a remote service. All you have to do is remember one password to enter all of your others. In essence, the task of remembering dozens of passwords is relegated to the manager, meaning that you don’t have to deploy that same, easy to remember password on multiple sites.
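An added example, not from the article: a small audit that parses a login page and reports password fields that block pasting, the anti-pattern described above. The sample pages are constructed, and the patterns checked (an onpaste attribute that returns false or calls preventDefault, a script that cancels the paste event on the field, and autocomplete=off on the password input) cover the common implementations rather than every possible one.

```python
"""Audit an HTML login page for password fields that block pasting.

Added example, not code from the article. The sample pages are constructed
and the matched patterns are the common paste-blocking idioms, not an
exhaustive list.
"""
import re
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Collect password inputs and the page's inline scripts."""

    def __init__(self):
        super().__init__()
        self.password_fields = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            onpaste = (a.get("onpaste") or "").lower()
            self.password_fields.append({
                "name": a.get("name") or a.get("id") or "<unnamed>",
                "inline_block": "return false" in onpaste or "preventdefault" in onpaste,
                "autocomplete_off": (a.get("autocomplete") or "").lower() == "off",
            })
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


# A script-level blocker: addEventListener('paste', ...) or .onpaste = ...
# whose handler calls preventDefault() or returns false.
SCRIPT_BLOCK_RE = re.compile(
    r"""(addEventListener\s*\(\s*['"]paste['"]|\.onpaste\s*=)[^;]*?(preventDefault|return\s+false)""",
    re.IGNORECASE | re.DOTALL,
)


def audit_login_page(html):
    """Return a list of finding strings; an empty list means no paste blocking found."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    findings = []
    for f in parser.password_fields:
        if f["inline_block"]:
            findings.append(f"{f['name']}: inline onpaste handler blocks paste")
        if f["autocomplete_off"]:
            findings.append(f"{f['name']}: autocomplete=off discourages password-manager autofill")
    if parser.password_fields and any(SCRIPT_BLOCK_RE.search(s) for s in parser.scripts):
        findings.append("script attaches a paste handler that cancels the event")
    return findings


# Constructed sample pages: one with paste blocking, one without.
BAD_PAGE = """<form><input type="text" name="user">
<input type="password" name="pass" onpaste="return false;" autocomplete="off">
<script>document.querySelector('[name=pass]').addEventListener('paste', function (e) { e.preventDefault(); });</script>
</form>"""

GOOD_PAGE = """<form><input type="text" name="user" autocomplete="username">
<input type="password" name="pass" autocomplete="current-password"></form>"""


if __name__ == "__main__":
    for label, page in (("bad", BAD_PAGE), ("good", GOOD_PAGE)):
        print(label, audit_login_page(page) or ["no findings"])
```

The clean form in GOOD_PAGE is what a site should ship: no paste interception, and autocomplete hints that let a password manager fill the field.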

Forget About the Ashley Madison and Sony Hacks, a Crippling Cyber Attack Against the United States Is Imminent

Forget about the Ashley Madison and Sony hacks: a crippling cyber attack against the United States is imminent, and it is something the entire nation, especially average people, needs to start taking seriously (emphasis added):

By 2020 the US will be hit with an earthquake of a cyber-attack that will cripple banks, stock exchanges, power plants and communications, an executive from Hewlett-Packard predicted. Companies are nowhere near prepared for it. Neither are the Feds. And yet, instead of mobilising a national defence, we want a toaster that communicates with the washing machine over the internet.

In many ways the Target event and the dinner demonstrate a kind of collective cognitive dissonance about technology. We’ll eagerly pursue innovations like the internet of things and electronic health records even as we’re increasingly aware of how vulnerable such technology makes us to terrorists and criminals. In fact, the reference to earthquakes was fitting. Scientists have long predicted the “Big One” – a massive earthquake in Seattle or San Francisco that will kill lots of people and cause trillions of dollars of damage. Yet people still build houses and buildings on what is essentially the most dangerous land in the country.

What struck me about the dinner, attended by executives from Hewlett-Packard, software company Cloudera and PayPal, along with academics and investors, was the naked pessimism in the room. Nobody even tried to put a happy face on the situation. “A slow-moving train wreck,” one executive said. Forget about coordinating with each other or the Feds: companies don’t even know how to deal with their own hacks, never mind worry about someone else’s. A whopping 57% of chief executives have not been trained on what to do after a data breach, according to a report by HP. And more than 70% of executives think their companies only partially understand the risks. Buying antivirus software is one thing; deploying an effective strategy is quite another. However, companies don’t even want to admit they were hacked in the first place.

The entire article succinctly captures what many of us in the cyber security field deal with each and every day.