Saturday, April 11, 2009

CIA agent: Beware mixing votes and electrons

An interesting story by Greg Gordon of McClatchy Newspapers on testimony by CIA agent Steven Stigall to the US Election Assistance Commission.

Basically what I'm saying, you heard the old adage, follow the money. Here I follow the vote. And wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to get into the system and tamper with the vote count or make bad things happen...

One thing I was continuously reminded of in looking at this, if you look at that very bottom bullet there, I'm not so much looking at shenanigans on election day as I am all of the things that foreign actors try to do to try to affect the outcome of the election long before election day...

Any computer hooked up to the Internet either through a wire or through a wireless connection is a porthole for hackers. You heard that. I'm here to confirm it very simply...

Bottom line is all the countries I've looked at, yeah, about 36, 37 countries, all the scenarios by which they use electronic voting, they produce a paper ballot receipt, and it's part of the social contract that they have...

Now, again, what I said, traditionally in a traditional voting scheme, the greatest opportunity for fraud that we've seen in other countries is at the local level. When you introduce computers into the equation, you're moving that fraud upstream, and you're allowing a single point, electronic single-point failure. Meaning the potential for mischief can occur higher up the food chain electronically, much faster, and affect a lot more people in terms of the vote count than would be the case if fraud occurred at an individual level, where, again, you're talking about the classic scenario where ballot boxes get thrown in the river or fraudulent ballots get produced. Here it's electronic...

See also Michael Richardson's story for Boston Progressive Examiner


Wednesday, August 27, 2008

(Computer) Virus to Outer Space

Interesting BBC story.
It is thought that the virus might have travelled via a flash or USB drive owned by an astronaut and taken into space.

The space agency also plans to put in place security systems to stop such incidents happening in the future.


Tuesday, July 15, 2008

Putting too much trust in one person

The San Francisco Chronicle has a story by Jaxon Van Derbeken about how a disgruntled programmer has managed to lock San Francisco officials out of major parts of the city's computer system. Apparently he was able to put a non-escrowed password, known only to himself, on the system--as job insurance.
Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the city's new FiberWAN (Wide Area Network), where records such as officials' e-mails, city payroll files, confidential law enforcement documents and jail inmates' bookings are stored.

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.

He was taken into custody Sunday. City officials said late Monday that they had made some headway into cracking his pass codes and regaining access to the system.
It's actually somewhat surprising that this sort of thing doesn't happen more often, given the level of trust that organizations place in sysadmins. A testament to the honesty of the vast majority, I guess.


Thursday, June 12, 2008

Paying for secrets: national security vs. tech innovation

Excellent post by Jon Stokes on Ars Technica. Stuff readers here will be familiar with, but nicely collected and summarized.


Thursday, June 05, 2008

The ID Divide

Bruce Schneier has a nice post on the Center for American Progress paper on identification and identification technologies: "The ID Divide: Addressing the Challenges of Identification and Authentication in American Society."

Among other things, the paper identifies six principles for identification systems:

  • Achieve real security or other goals
  • Accuracy
  • Inclusion
  • Fairness and equality
  • Effective redress mechanisms
  • Equitable financing for systems
From the Executive Summary:

How can these principles be honored in practice? That’s where the "due diligence" process comes into play when considering and implementing identification systems. Due diligence in the financial world of mergers and acquisitions and other important corporate transactions is conducted before a company makes a major investment. Proponents of, say, a merger (or in our case, a new identification program) can err on the side of optimism, concluding too readily that the merger (or new ID program) is clearly the way to go. Thorough due diligence protects against such over-optimism.


Tuesday, June 03, 2008

Data breach tied to identity theft

A common response to reports of data breaches is that "that's just the number of people whose data was exposed--there's no reason to believe that the data will be used fraudulently."

ComputerWorld has an article by Robert McMillan reporting on one case where there definitely is reason to suspect fraudulent use.
A data breach at United Healthcare Services Inc. has led to a rash of identity-theft crimes at the University of California, Irvine.

To date, 155 graduate and medical students at the school have been hit by the scam, in which criminals file false tax returns in the victim's name and then collect their tax refunds. The breach affects 1,132 graduate students who were enrolled with the university's graduate student health insurance program in the 2006-07 school year, said Cathy Lawhon, the university's media relations director...

Based in Minnetonka, Minn., UnitedHealthcare is one of the largest health care service providers in the U.S. A company spokeswoman confirmed that some university students' personal information "may have been accessed without authorization," but she could not comment on the source of the breach.
I have frequently posted on this topic. Let's hope there aren't many more such stories to come. The next victim could be you! (Or, even worse, me. :-)


Monday, June 02, 2008

More on protecting the bulk power system

Following up on "The power grid? Why would hackers want to mess with that?":

House Homeland Security Committee Chairman Bennie Thompson and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James Langevin sent a letter late Thursday to Energy and Commerce Chairman John Dingell detailing their recent efforts to review the United States' bulk power systems operators' efforts to secure their information networks.
The BPS [bulk power system] of the United States and Canada has more than $1 trillion in asset value, more than 200,000 miles of transmission lines, and more than 800,000 megawatts of generating capability, serving over 300 million people. The effective functioning of this infrastructure is highly dependent on computer-based control systems that are used to monitor and manage sensitive processes and physical functions... According to the United States Computer Emergency Readiness Team ("US-CERT"), "this transition towards widely used technologies and open connectivity exposes control systems to the ever-present cyber risks that exist in the information technology world in addition to control system specific risks." ...

The risk to these systems is steadily increasing. Ten years ago, the President's commission on Critical Infrastructure Protection ("PCCIP") released a report on the risks associated with interconnected computer systems on the BPS, stating that "the widespread and increasing use of supervisory control and data acquisition systems for control of energy systems provides increasing ability to cause serious damage and disruption by cyber means." Since the release of that study, numerous unintentional cyber incidents -- the Davis-Besse power plant incident in 2003, the Northeast blackout in 2003, and the Browns Ferry nuclear power plant failure in 2006 -- suggest that the concerns raised by the PCCIP were warranted. Malicious actors also pose a significant risk to this infrastructure. The Federal Bureau of Investigation has identified multiple sources of threats, including foreign nation states, domestic criminals and hackers, and disgruntled employees working within an organization.

Clearly, intentional and unintentional control systems failures on the BPS can have a significant and potentially devastating impact on the economy, public health, and national security of the United States. For a society that runs on power, the short term or long term disruption of electricity to chemical plants, banks, refineries, hospitals, water systems, and military installations presents a terrifying scenario. Economists recently suggested that the loss of power to a third of the country for three months would result in losses of over $700 billion...

While the NRC [Nuclear Regulatory Commission] could issue specific requirements for its owners and operators, the Electric Sector was unable to make similar demands... Though NERC [North American Electric Reliability Corporation] testified during the hearing that it sent a survey to industry members to determine compliance with the advisory and received a response from approximately 75 percent of the transmission grid that mitigations had been implemented or were in the process of being implemented, the Committee later learned that the survey was not sent until October 19, 2007 -- two days after the hearing...

In fact, all of the utilities interviewed requested additional information to help understand the technical implications of the attack and the specific strategies to mitigate the identified vulnerabilities...

In the interest of national security, a statutory mechanism is necessary to protect the grid against cyber security threats...

We look forward to working with you and your Committee to pass this critical legislation.
With this degree of urgency, perhaps we can hope for a suitable new law within 10 years, at which point the NERC can start drafting regulations with teeth in them...


Friday, May 30, 2008

Secrecy vs. Homeland Security

Interesting blog post from the Federation of American Scientists, taking off from testimony by Stephen Flynn at a May 15 hearing of a House Homeland Security subcommittee.

The basic thesis is that often secrecy undermines, rather than supports, security, particularly in situations where the public itself constitutes the bulk of “first responders.”
On September 11, 2001, Mr. Flynn recalled, the only hijacked aircraft that was prevented from reaching its target was stopped not by security professionals with Top Secret clearances but “by one thing alone: an alert and heroic citizenry.”

Yet “overwhelmingly, the national defense and federal law enforcement community have chosen secrecy over openness when it comes to providing the general public with details about the nature of the terrorist threat and the actions required to mitigate and respond to that risk.”

“The discounting of the public can be traced to a culture of secrecy and paternalism” that is rooted in the Cold War, when the Soviet threat dictated adoption of a highly compartmented security regime. “Despite the passage of nearly two decades since the fall of the Berlin Wall, this secretive system remains almost entirely intact.”


Tuesday, May 27, 2008

The power grid? Why would hackers want to mess with that?

Interesting story by Andy Greenberg at Forbes.com on a few folks who are uncomfortable that the US power grid is hackable, and that neither DHS nor the power industry seems to be working very hard to improve its security.
Last June, the Department of Homeland Security leaked a video documenting a disturbing experiment. Using only digital means, researchers hacked into a power plant's generator and caused it to cough and shake before shutting down in a cloud of black smoke.

That clip, demonstrating what has since become known as the Aurora vulnerability, served as a wake-up call for regulators, highlighting the need to guard against cyber-security threats to critical infrastructure like power plants and the telecom system. But at a hearing Wednesday, members of the House Committee on Homeland Security warned that those regulatory bodies aren't moving fast enough.

"I think we could search far and wide and not find a more disorganized response to a national security issue of this import," said Rep. James Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology...

The subcommittee hearing also highlighted a new example: a report by the Government Accounting Office released Wednesday reveals a litany of cyber-security vulnerabilities in the systems of Tennessee Valley Authority, the nation's largest public power company. The GAO report said that TVA had failed to implement simple security measures like updated firewall and anti-virus software. Many access points to the company's network lacked password protection, and some insecure systems connected to TVA's systems for controlling power generation, GAO director of information security Greg Wilshusen told the subcommittee.
Meanwhile, the states are chafing under pressure from the federal government to do more to protect their roads from improvised explosive devices (IEDs)...

Updated to add: Meanwhile, in Russia...


Wednesday, May 14, 2008

ISIPS 2008 Notes

As I previously noted, the Rutgers University program on Interdisciplinary Studies in Information Privacy and Security sponsors an annual workshop on the topic. This year's workshop was last Monday. The conference proceedings will be published in the series Lecture Notes in Computer Science (LNCS) published by Springer.

The caliber of the participants was high; they were interesting people with interesting things to say. For me, much of the benefit came from the fact that at least half of them were people that I would probably not otherwise have met, representing viewpoints that I don't generally encounter. (I plan to say more about this in future posts.)

Given the diverse backgrounds and interests of the participants, the discussions were remarkably amicable and constructive. The atmosphere was that everyone had good reasons for what they were trying to do, and that it was worthwhile for the rest of us to understand the reasons, the approach, the results, and the limitations.

I probably learned the most from the presentations by Joan McNamara of the Los Angeles Police Department on "Suspicious Activity Reporting," and by Timothy Edgar of the Office of the Director of National Intelligence on "Protecting Civil Liberties & Privacy in the Use of Advanced Analytic Tools."

Joan's talk was a lesson in the power of even simple taxonomies (event codes) when applied broadly and consistently.

Timothy's talk provided me with a lot of new information about the policies and processes within "the IC" (the US national intelligence community) intended to ensure that information about "US persons" (citizens and legally resident aliens) is collected and disseminated only as allowed by US law and regulations (e.g., EO 12333). One of the surprises was the extent to which he said that the policies and processes are matters of public record--even though information about their application to particular cases is closely held (because "you don't want a potential terrorist to be able to discover whether or not he is on the watch list"). In fact, Timothy expressed some frustration at ODNI's inability to interest the national press in reporting on these policies and processes--"We'd have much better success if we stamped them SECRET and 'leaked' them to the Washington Post than we have had with putting them on our website.") I plan a further post on this topic after I gather more information.

I gave a short talk focusing on the various meanings of the words "privacy" and "security," and the confusions that can result from using the words without ensuring that your audience knows which meanings you intend (e.g., despite the similarities in the titles, there was very little overlap between the subjects discussed at ISIPS 2008 and those that are discussed at the annual IEEE Symposium on Security and Privacy and in the journal IEEE Security and Privacy). The talk seemed to be well-received and drew some good questions. Only time will tell whether I persuaded my audience to use these words more carefully in the future.


Wednesday, April 23, 2008

They don't add up!

Ed Felten has a new post on the discrepancies observed in vote totals from some of New Jersey's electronic voting machines in the 2008 presidential primary. See also this post.

Every time Ed (with the assistance of troubled voting officials) documents a new inconsistency in the machine reports, the vendor (Sequoia) and the New Jersey Secretary of State come up with a new explanation of how a harmless error could have crept in. Then he comes up with another clear error, and the explanation has to be made more elaborate to cover it, too.

It's not obvious how long this charade will have to continue until someone in authority insists on an independent investigation. Of course, it's "just votes," it's not like money was involved...

My past posts on evoting.


Wednesday, April 16, 2008

Spear phishing for CEOs

No matter how often people are reminded that they shouldn't click on links in unexpected emails, and that they shouldn't download software from an unknown source, there are still victims. Even highly-placed, affluent victims. The kind phishers really like.

A ComputerWorld story by Robert McMillan details a recent example.
Panos Anastassiadis didn't click on the fake subpoena that popped into his in-box on Monday morning, but he runs a computer security company. Others were not so lucky.

In fact, security researchers said that thousands have fallen victim to an e-mail scam in which senior managers such as Anastassiadis are told that they have been sued in federal court and must click on a Web link to download court documents. Victims of the crime are taken to a phony Web site where they are told they need to install browser plug-in software to view the documents. That software gives the criminals access to the victim's computer.

This type of targeted e-mail attack, called "spear phishing," is a variation on the more common "phishing" attack. Both attacks use fake e-mail messages to try to lure victims to malicious Web sites, but with spear phishing, the attackers try to make their messages more believable by including information tailored to the victim.
The troubling thing is that so many reputable sites legitimize phishers by asking people to do the same things: Click on this link to log in to your account. Download this plugin to view your bill.

If you're used to getting such messages from your bank, the phone company, and your health insurer (not to mention your professional society), you will likely not be so wary when you get a message that is only pretending to be from one of them, or that is pretending to be from some important organization that you deal with less frequently, like the Federal courts or the IRS. I must get a dozen such messages a week.

Shame on ACM! Shame on Verizon Wireless! Shame on Blue Shield of California! And the list goes on... But kudos to Wells Fargo!


Wednesday, April 09, 2008

HSBC's turn to lose customer data

Michael Krigsman has a very good post on ZDNet about how the UK's largest bank sent unencrypted data on 370,000 customers through the mail, and lost it. It's amazing who shows up prominently on the list of those who don't have a clue about data security... They should have read this.


Sensible risk analysis

ComputerWorld has a nice article by Charlie Martin on "Assessing the risks and cost of encryption." It not only gives a reasoned justification for encryption of personal data on a laptop's disk, it explains a general method for doing a back of the envelope calculation (BOTEC) for any similar security/risk question.

This technique of risk analysis can be applied to almost any decision about any security measure: It's worthwhile only if it costs less than the reduction in your expected loss per year. For example, there are a number of special disks available now that have specialized on-disk encryption hardware. How much of a premium is it worth to buy one of these disks, compared to using encryption software? Simply extend the reasoning: If the special hardware makes it 100 times harder to get data off the disk, the expected loss per year is around $1. If the special hardware costs significantly more than $199, it doesn't actually pay off.

So the next time the CEO asks you one of these questions, you can make a back-of-the-envelope estimate in just a few seconds' thought. Won't that make you look good?


Wednesday, March 26, 2008

Loss of personal data still on the rise

An article by Mark Boslet in the San Jose Mercury News reports that 2007 was 40% worse than 2006 in terms of the number of reported personal data breaches in the US; however, the number of records compromised grew sixfold, to 128 million.

There's a good chance that at least one of those compromised records was yours.

"We think people are going to learn from their mistakes, but they aren't," said Mary Monahan, senior analyst at Javelin Strategy & Research, a Pleasanton research firm.

This is a clear example of market failure; more government intervention will apparently be needed to counter widespread organizational complacency. We would hardly know anything about it at all if California had not enacted its notification law.


Security, Economics, and the Internal Market

Ross Anderson, Rainer Böhme, Richard Clayton, and Tyler Moore have just published a 114-page study commissioned by the European Network and Information Security Agency (ENISA). The executive summary contains 15 recommendations for the European Union, most of which are just as appropriate for the United States.
We recommend that the EU introduce a comprehensive security-breach notification law.

We recommend that the Commission (or the European Central Bank) regulate to ensure the publication of robust loss statistics for electronic crime.

We recommend that ENISA collect and publish data about the quantity of spam and other bad traffic emitted by European ISPs.

We recommend that the European Union introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines, coupled with a right for users to have disconnected machines reconnected if they assume full liability.

We recommend that the EU develop and enforce standards for network-connected equipment to be secure by default.

We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.

We recommend security patches be offered for free, and that patches be kept separate from feature updates.

The European Union should harmonise procedures for the resolution of disputes between customers and payment service providers over electronic transactions.

We recommend that the European Commission prepare a proposal for a Directive establishing a coherent regime of proportionate and effective sanctions against abusive online marketers.

ENISA should conduct research, coordinated with other affected stakeholders and the European Commission, to study what changes are needed to consumer-protection law as commerce moves online.

We recommend that ENISA should advise the competition authorities whenever diversity has security implications.

We recommend that ENISA sponsor research to better understand the effects of Internet exchange point (IXP) failures. We also recommend they work with telecomms regulators to insist on best practice in IXP peering resilience.

We recommend that the European Commission put immediate pressure on the 15 EU Member States that have yet to ratify the Council of Europe Convention on Cybercrime.

We recommend the establishment of an EU-wide body charged with facilitating international co-operation on cyber crime, using NATO as a model.

We recommend that ENISA champion the interests of the information security sector within the European Commission to ensure that regulations introduced for other purposes do not inadvertently harm security researchers and firms.
Thanks to Bruce Schneier for the pointer.


Friday, March 21, 2008

U.S. unprepared for ongoing cyberwar

This story by Bob Brewin in GovExec.com says that we're already engaged in cyberwar, but aren't anywhere close to prepared.
"Cyberwarfare is already here.... It's one of our major challenges," said Defense Deputy Secretary Gordon England on Monday at the annual National Community Service and Legislative Conference of the Veterans of Foreign Wars.

"I think cyberattacks are probably analogous to the first time, way back when people had bows and arrows and spears," he said. "And somebody showed up with gunpowder and everybody said, 'Wow. What was that?'"

England made his comments the same day that the Pentagon released a report saying that the 2007 cyberattacks against its networks and those operated by other governments around the world "appear" to come from China.

During a Senate Armed Services Committee hearing last week, Sen. John Thune, D-S.D., asked National Intelligence Director Michael McConnell if the United States was prepared to deal with threats against military and civil networks and information systems. "We're not prepared to deal with it," said McConnell, identifying both China and Russia as adversaries who are attempting to penetrate U.S. information systems.

Army Lt. Gen. Michael Maples, director of the Defense Intelligence Agency, agreed with McConnell and told the panel that a key threat facing this country is the "sophisticated ability of select nations and nonstate groups to exploit and perhaps target for attack our computer networks."


NJ election officials call for evoting investigation

A ComputerWorld article by Robert McMillan reports that a group representing county clerks in New Jersey has asked the state's attorney general to step in and investigate voting discrepancies observed in e-voting machines used in last month's presidential primary election.
"We want to know what the problems were and how do we fix them," Michael Dressler, the group's president, told IDG News Service.

Clerks from a half-dozen New Jersey counties reported discrepancies in the voting tallies generated by approximately 60 of the state's Sequoia Voting Systems AVC Advantage e-voting machines during last month's election. In most cases the discrepancy involved a one- or two-vote difference between the paper tape logged by the machine and the number of votes stored in the computer's memory cartridges.

Sequoia blamed the discrepancy on pollworker error and said the problem could be fixed with a software update, but state clerks wanted a third-party investigation.

Last Tuesday, Dressler's group asked Princeton computer science professor Edward Felten, a respected critic of e-voting systems, to examine the Sequoia machines. That plan was abandoned, however, after Sequoia threatened legal action against Felten and the county that offered to provide the systems, saying that such a review would violate the company's licensing agreement...


According to Joanne Rajoppi, the clerk with Union County New Jersey that had offered Felten the systems, Sequoia's explanation is not good enough. Her county has been using the Sequoia machines for about a decade, without incident. "We never had this problem in 10 years," she said. "Why did this problem never occur in another primary?"

Because only five or six counties double-checked their e-voting results, it's unclear how widespread the voting issues really were in New Jersey, Rajoppi said.
Updated to add: Ed Felten gives a very clear explanation of the nature and seriousness of the problem.


Tuesday, March 18, 2008

Supermarket chain exposed 4 million card numbers.

According to this story in the New York Times, the Hannaford Brothers supermarket chain has reported a security breach that potentially exposed 4.2 million credit and debit card numbers. However, only 1,800 cases of resulting fraud have been identified so far.

Stay tuned.

This is a problem that won't go away until all companies processing financial information are put on the hook for all resulting losses, and are made to realize that they are on the hook. (Sarbanes-Oxley for the shopping and working public.) As with so many other things, public outrage is losing its force from sheer repetition of the offence.


Thursday, February 28, 2008

Cybersecurity is the new FEMA trailer.

Interesting story by Dennis Fisher about a hearing by the House Committee on Homeland Security on the Bush Administration's Cyber Initiative.
Congressional leaders on Thursday questioned the Department of Homeland Security's past and present efforts to secure the government's networks and dismissed its new plan to improve security as inadequate and behind the times.

"It's hard to believe that this administration believes it has the answers to securing our networks and critical infrastructure," said Rep. Bennie Thompson (D-Miss.) during an often contentious hearing on President Bush's so-called Cyber Initiative before the House Committee on Homeland Security Thursday morning. "I have enormous questions about this initiative. Thus far, I have been extremely disappointed in this administration's efforts in cybersecurity."
...

Several committee members, including Thompson, Rep. Jane Harman (D-Calif.) and Rep. Bob Etheridge (D-N.C.), were surprised by how little information DHS and other agencies involved in cybersecurity share with each other about current threats, past attacks and other critical issues.

"I have been sitting here with my mouth open. This hearing reminds me of the FEMA trailers. The fact that you don't have threat information is shocking," Harman said. "We are not being serious about our response to threats. How is that we're going to have in real time a response to a significant threat? I just don't see it."
2/29/08 update: See also this article by Andy Greenberg in Forbes.
