
Friday, 01 November 2013

Level 3 Communications, the NSA, and the end of the Physical-Digital Divide. What needs to be done?

The Level 3 Communications (NYSE: LVLT) blog recently published an article entitled "Say Goodbye to the Physical-Digital Divide." It's a light-hearted, upbeat corporate feel-good piece about how television shows are becoming Twitter-enabled. It's also a very disturbing piece when you realize that Level 3 is one of the Tier 1 backbone providers that has assisted the NSA in its collection efforts:
This is an exciting time!  Not only for Joe Consumer, who is being further enabled (and actively encouraged) to merge his offline and online behavior, blurring the lines of the physical-digital divide, but also for major content providers – many of whom we’re fortunate enough to call customers.  This is the new model of content consumption.  Always-on and always-available. Cross-media and cross-platform. 
Think about that from the standpoint of legal intercepts and data collection, and you'll see my point. We used to be vulnerable based upon what we read at the library, what we threw away in our trash, and what we wrote to our friends. Today, that has expanded exponentially and we've lost control of exactly how and where we are vulnerable to exposure.

Now consider that Level 3 is Google's upstream provider. Is that how the NSA was able to intercept the data traveling between Google's data centers? To be clear, Level 3 isn't doing anything illegal, nor is the NSA for that matter. And that's precisely the problem that needs addressing.

In less than 10 years, the physical-digital divide has disintegrated. In less time than it takes a human being to achieve mastery over a skill, technology has exponentially expanded how we interact with each other and, conversely, how we can harm each other.

Intelligence and law enforcement agencies, whose mission is to identify and intercept those who wish to cause us harm, have leveraged legal regimes like the Patriot Act, EO 12333, etc. to gain a foothold within the networks that are the primary supports (i.e., the backbone) of our digital environment. The gap between what those outdated laws still allow and what technology has made possible in the way of data collection and analysis is where our focus needs to be. In other words, the laws must be amended to catch up with how exposed we are in today's digital and physical world so that a better privacy/security balance can be restored.

Wasting time bashing the NSA and other intelligence services does more harm than good because it fails to address the real problem (outdated authorities that need revising) in favor of lashing out at an easy and unpopular target - the NSA and its fellow agencies, which diligently attempt to accomplish the very difficult tasks that we expect of them.

In an effort to help move this debate forward and clarify where reforms are needed, I've set aside two hours for a panel discussion at Suits and Spooks DC on how our parallel needs for security and privacy can be met through reform of the current laws authorizing data collection by the IC. It's not an easy panel to fill, so let me know if you have any suggestions for experts to participate on it. Dr. Catherine Lotrionte of Georgetown University will be the moderator. 

Tuesday, 05 June 2012

Google's Worst Security Idea Ever

Today, Google announced that it will notify a subset of its Gmail customers if they're the victim of a State-sponsored attack. The actual wording is "Warning. We believe that state-sponsored attackers may be attempting to compromise your account or computer." However as you read further down Google's blog posting, it seems like an actual attack isn't required to receive this warning. Google may send it to you if they believe that you "may" be targeted.
If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware ....
The warning then makes recommendations that you increase your security by selecting a strong password, using Google's two-step verification, updating your browser, etc.

There are so many things wrong with this new Google initiative that I hardly know where to begin.

First, it generates fear on the part of Google's customers because regardless of the fine print, such a warning will most likely send the recipient into panic mode when there's no reason to panic.

Second, it makes a claim which upon investigation is so vague that it's meaningless. You may be the victim of a state or someone working on a state's behalf? That's pretty much the case for all targeted attacks.

Third, if you are a target of interest for a foreign intelligence service (FIS), one of the first things you should do is STOP USING GMAIL or any popular cloud-based service that cannot guarantee you where in the world on its many data farms your data resides. If the Mossad, the FSB, the MSS, or the NSA is interested in you, they'll find a way to legally and covertly intercept your data without sending a spear phishing email to your Gmail account.

Spear phishing attacks are used by both financial cyber criminals as well as hacker crews who, having cracked a high value target's account, will sell that information to a FIS, a corporate competitor, or some other customer. Security advice for a high value target (which is what my firm specializes in) could range from moderately to highly restrictive depending on who you are but one thing's for sure. None of Google's recommendations will keep you safe if you're in that group.

On the other hand, if you aren't a HVT, read my article "Cyber Self Defense for Non Geeks" to understand what your best security options are. The bottom line as far as Google's advice is concerned is that it's FUD-inducing for the people who aren't targets and it's insufficient for those who are. I have to wonder what Google was thinking when it created this awful program.

Monday, 16 April 2012

China: Our Incompetent Master Adversary?

According to an article in today's Guardian, State Department and Pentagon officials and their Chinese counterparts have engaged in at least two cyber war games in 2011 and have another planned for next month. These war games are coordinated by two think tanks: the Center for Strategic and International Studies for the U.S. and the China Institute of Contemporary International Relations for China. The goal is to try to manage escalating hostilities between the two nations over China's perceived massive cyber espionage campaign against U.S. companies.

It's distressing to see that the tensions have risen to this point because it's based on a seriously flawed evaluation of the facts by well-known companies plus former and present U.S. government officials. For example:

U.S. information security companies like RSA, McAfee, Mandiant, and others routinely issue reports blaming China and ONLY China for intrusions that they've encountered. It's incredible to me that in spite of the 30+ countries actively engaging in acts of cyber espionage, these security giants have only caught China in the act.

Secretary of State Hillary Clinton has been quick to blame China for cyber attacks that targeted Google, but for no other reason than because Google said so. And the Secretary has never once warned other countries to cease their cyber attacks against the U.S.

The U.S. China Economic and Security Review Commission routinely puts out alarmist reports about China's military cyber buildup while deliberately refusing to hear testimony by experts who have contrary views to the commission's anti-China agenda.

Richard Clarke's sinophobic, alarmist op-eds routinely get published in the Wall Street Journal and elsewhere even though Mr. Clarke has no standing as a cyber security expert.

No wonder that the Chinese government's irritation with the U.S. has risen to the point where we need CSIS and its Chinese counterpart to conduct a mediation. Beijing is getting tired of being blamed for every attack against every company everywhere in the world, and they're right to be mad. As I've said many times before, it's not that China doesn't do it; they absolutely do, but so do many other countries and just as frequently yet we almost never hear about a major breach being blamed on any country other than China. Either China is the greatest and dumbest adversary that we've ever had, or the real dummies are those in the InfoSec industry who can't be bothered to question the obvious when doing incident response, or who choose to cater to the rising tide of Sinophobia in the U.S. in order to boost their sales; or to politicians and journalists who parrot back the faulty claims of those same companies thereby perpetuating a bad cycle that has resulted in real-world tensions that could have been handled in a more constructive way all along.

While the marketing of anti-China sentiment by some in the InfoSec industry is clearly one part of this disaster in foreign relations, the media deserves its share of the blame for opting to print stories that cater to China FUD because it results in higher readership, which means more advertising revenue. Since the American public is generally naive about cyber operations by nation states, they believe what they hear about China in the media and cast their votes for the politician who will save them from the menacing red dragon who's sopping up their brain waves and living inside their electric wires. Politicians being what they are, they cater to that fear and make pronouncements and threats accordingly in order to win votes.

The solution to this problem is simple. As a nation, we need to ask more questions. Accept nothing at face value no matter which "authority" tells it to you, including me. Good intelligence analysts use negative analysis to test their findings before sending them on to their customers. A little more negative analysis by all parties involved may be what's needed to reduce U.S.-China tensions and improve U.S. security. And it doesn't cost any money to do it.

Wednesday, 14 March 2012

A History of Google's Government Sales

After reading Noah Shachtman's article at Danger Room, "Google Adds (Even More) Links to the Pentagon", I was curious about the scope of Google's (NASDAQ:GOOG) government sales, so I used the FFATA Search Portal and plugged Google's name into the search field. The results were surprising. The largest number of sales by far is with the Department of Defense (264), which is about two and a half times more than NASA, which is in second place with 104 sales. Here are the top ten search results:
  • Defense, Dept of (264)
  • NASA (104)
  • Justice, Dept of (75)
  • State, Dept of (68)
  • Treasury, Dept of the (44)
  • Health and Human Services, Dept of (43)
  • Interior, Dept of (42)
  • Agriculture, Dept of (41)
  • Commerce, Dept of (40)
  • Transportation, Dept of (37)
Sales within the Department of Defense are to:
  • Army (130)
  • Air Force (50)
  • Navy (44)
  • Defense Information Systems Agency (10)
  • Defense Logistics Agency (8)
  • U.S. Special Operations Command (6)
  • Defense Contract Management Agency (5)
  • Uniformed Services: University of the Health Sciences (3)
  • Defense Threat Reduction Agency (3)
  • Defense Media Center (2)
Sales with the Department of Justice are to:
  • Drug Enforcement Administration (45)
  • Federal Bureau of Investigation (8)
  • Offices, Boards, and Divisions (7)
  • Office of Justice Programs (6)
  • Federal Prison System (6)
  • U.S. Marshals Service (2)
  • ATF Acquisition and Property Management Div (1)
To be fair, every technology company sells to the government and compared to Microsoft and Apple the above numbers are pretty low, but since Google is more intimately connected with our search habits and email content (for advertising) than anyone else, these statistics still make me a little uncomfortable.

Related:
The Google-Clinton-China Martini with a Cyber War Twist


Tuesday, 29 November 2011

Dark Cloud Rising: Cloud Services are Becoming the Attackers' Preferred Target


The largest Cloud providers today are Google, Microsoft, and Amazon, each offering multiple services and platforms for their respective customers. For example, Microsoft Azure, Google Apps, and Amazon EC2 are all hosting and development platforms. Google Docs, Acrobat.com, and Microsoft Office 365 all provide basic word processing, spreadsheets and other applications for individuals to use via the Web instead of on their individual desktop. Then of course there are social networks, online gaming, video and music sharing services - all rely on a hosted environment that can accommodate millions of users interacting from anywhere on Earth yet all connected somewhere in cyberspace. While the benefits are many, both to individuals and to corporations, there are three distinct disadvantages from an individual and national security perspective:
  • The cloud provider is not responsible for securing its customers’ data
  • Attacking a cloud-based service provides an economy of scale to the attacker
  • Mining the Cloud provides a treasure trove of information for domestic and foreign intelligence services.
No Security Provisions
A Ponemon Institute [1] study on Cloud Security revealed that 69% of Cloud users surveyed said that the providers are responsible for securing customer data, and the providers seemed to agree. However, when you review the terms of service for the world’s largest cloud providers, responsibility for a breach of customer data lies exclusively with the customer. For example:
  • From Amazon [2]: “Amazon has no liability for .... (D) any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data.”
  • From Google [3]: “Customer will indemnify, defend, and hold harmless Google from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) arising out of a third party claim: (i) regarding Customer Data...”
  • From Microsoft [4]:“Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password.”
Not only do none of the three top cloud providers assume any responsibility for data security, Microsoft goes one step further and places a legal burden upon its customers that it refuses to accept for itself.
An Economy of Scale
NASDAQ’s Directors Desk is an electronic boardroom cloud service which stores critical information for over 10,000 board members of several hundred Fortune 500 corporations. In February, 2011 [5], an un-named federal official revealed to the Wall Street Journal’s Devlin Barrett that the system had been breached for more than a year. It’s unknown how much information was compromised as well as how or when it will be used. From an adversary’s perspective, this type of breach offers an economy of scale that has never been seen before. In the past, several hundred Fortune 500 companies would have to be attacked, one company at a time, which costs the adversary time and money, not to mention risk. Now one attack can yield the same amount of valuable data with a significant reduction in resources expended as well as in risk of exposure.
An Open Source Intelligence Goldmine
China’s national champion firm Huawei is moving from selling telecommunications network equipment towards developing Infrastructure-as-a-Service software (the Cloud stack) needed to provide a highly scalable public cloud like Microsoft's Azure or Amazon's EC2. If it sells IaaS with the same strategy that it uses in selling routers and switches, Amazon, Google, and Microsoft can expect to begin losing a lot of enterprise business to Huawei who will cut pricing by 15% or more against its nearest competitor. Cloud customers can expect their data to reside in giant state-of-the-art server farms located in Beijing’s “Cloud Valley”; a dedicated 7800 square meter industrial area which is home to ten companies focusing on various aspects of Cloud technology such as distributed data centers, cloud servers, thin terminals, cloud storage, cloud operating systems, intelligent knowledge bases, data mining systems, and cloud system integration.
Cloud computing has been designated a strategic technology by the People’s Republic of China’s State Council in its 12th Five Year plan and placed under the control of the Ministry of Industry and Information Technology (MIIT). MIIT will be funding research and development for SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service) models as well as virtualization technology, distributed storage technology, massive data management technology, and other unidentified core technologies. Orient Securities LLC has predicted that by 2015, cloud computing in China will be a 1 trillion yuan market.
According to the US-China Council website [6], MIIT was created in 2008 and absorbed some functions from other departments including COSTIND (Commission of Science, Technology, and Industry for National Defense):
“From COSTIND, MIIT will inherit functions relating to the management of the defense industry, with a scope that covers the national defense department, the China National Space Administration, and certain administrative responsibilities of other major defense-oriented state companies such as the China North Industries Co. and China State Shipbuilding Corp. MIIT will also control weapons research and production in both military establishments and dual-role corporations, as well as R&D and production relating to "defense conversion"--the conversion of military facilities to non-military use.”
Clearly, the PRC has made a serious commitment to Cloud Computing for the long term. This doesn't portend well for today's private cloud service providers like NetApp or public cloud providers like Amazon, Google, and Microsoft; especially if buying decisions are made on price.
In Summary
The move to the Cloud is both inevitable and filled with risk for high value government employees, corporate executives, and companies engaged in key market sectors like energy, banking, defense, nanotechnology, advanced aircraft design, and mobile wireless communications, among others. To make matters more complicated, cloud providers may move data to different server farms around the world rather than keep it in the same country as the corporation or individual which owns it. That could potentially put the customer’s data at risk for being compromised legally under foreign laws which would apply to the host company doing business there. For example, Microsoft UK’s managing director Gordon Frazier was recently asked at the Office 365 launch: “Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances - even under a request by the Patriot Act?” Frazier replied: “Microsoft cannot provide those guarantees. Neither can any other company.” 
The best advice for individuals and companies at this time is to insist that cloud providers build a measurably secure infrastructure while providing legal guarantees and without the use of foreign data farms. Until that occurs, and it's highly unlikely to happen without strong consumer pressure, there are significant and escalating risks in hosting valuable data with any cloud provider.

References:
1 The Ponemon Institute, “Security of Cloud Computing Providers Study” April 2011 
2 The Amazon Web Services (AWS) agreement available on Amazon.com 
3 Google Apps for Business Online Agreement 
4 Microsoft Information on Terms of Use, “Member Account, Passwords, and Security”, Microsoft.com
5 The Wall Street Journal, “Hackers Penetrate Nasdaq Computers” February 5, 2011 (online edition)
6 The US-China Business Council website, “12. Ministry of Industry and Information Technology (MIIT)”

Sunday, 24 July 2011

If Your Data Lives In Moscow, Are You At Risk In The U.S.?

Google's new data center - Finland
Even though I'm a U.S. citizen residing in the U.S., my Gmail messages, attached files, Google documents, and Google chat logs may reside in one of 17 different nation states, and may be accessed through differing legal standards in each. Those states are the U.S., Canada, Brazil, Germany, Switzerland, The Netherlands, Belgium, France, U.K., Ireland, Italy, Russian Federation, Japan, People's Republic of China, Malaysia, Austria, and Finland. If the foreign government of a state where Google does business issues an order for Google to provide information on parties of interest who represent a threat, have committed a crime, or whatever is required under that state's security laws, then Google is frequently obligated to comply. This also applies in states where Google has established a sales office but not a data center.

2008 Wayfaring map of Google data centers
Google provides partial information on the user data requests that it receives from governments here, and information about its Transparency program can be found here. It's interesting that neither Russia nor China is on the user data list, but Hong Kong is (with 90 requests in the 2H 2010). That's probably due to the very low use of Google services by Russian and Chinese mainland citizens.

The question that's puzzling me is whether or not a U.S. citizen's data which is hosted on a foreign server can be accessed via a request from that state's security agency? And an even more basic question is shouldn't I as the owner of my own data know where in the world that data resides and have a say in the matter? Google's Privacy Policy specifies that your data may be moved around:
Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information outside your own country.
In a different twist on the same problem, Gordon Frazer of Microsoft U.K. was recently asked a very pointed question:
Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?
Frazer's answer was "Microsoft cannot provide those guarantees. Neither can any other country." Most folks won't be affected by this layer of extended vulnerability, but for those individuals who are of interest to foreign states, including the U.S. government if you're from another country, it should serve as a warning to avoid cloud-based services as much as possible. Speaking personally, I've cut way back on my use of Gmail and I'm having second thoughts about my use of Google+. The same would apply to Microsoft, Amazon or any other cloud provider that refuses to guarantee that my personal data will stay in the same country that I live in.

UPDATE (9 AUG 11): Google acknowledges the same legal requirements that Microsoft did regarding its E.U. customers and its obligations under the U.S. Patriot Act in this German article (Google Translate).


Monday, 06 June 2011

The Chinese IP Address Fallacy In Cyber Attribution

Google recently announced a spear phishing campaign that had been going on for over a year and "which appears to originate from Jinan, China" that targeted the personal Gmail accounts of hundreds of various persons of interest, presumably to the Chinese government. The proof to support the headline was that Chinese IP addresses were involved. What both Google and Siobhan Gorman, who reported on the story for the Wall Street Journal, failed to disclose was that other countries' IP addresses were used as well, including South Korea and the United States. Copies of the spoofed emails along with the originating IPs were disclosed back in February on the Contagio blog. Of the six IP addresses used in the military and government employee phishing scheme, 2 were from Hong Kong, 2 were from Beijing, 1 was from Seoul, and 1 was from New York:
  • 113.28.117.4: Hong Kong (PCCW Business Internet Access)
  • 115.160.146.16: Hong Kong (Wharf TT Ltd)
  • 218.56.241.32:  Beijing (China Unicom)
  • 218.56.239.206: Beijing (China Unicom)
  • 61.106.26.226: Seoul (Korea NIC)
  • 69.147.251.108: New York (Nobis Technology Group LLC)


In 2010, TeleGeography rated China Telecom (55 million customers) and China Unicom (40 million customers) as the two largest ISPs in the world, serving 20% of all broadband customers on earth. And neither company restricts its customer base to residents of the People's Republic of China. Anyone can buy server time on any of these mainstream Chinese ISPs:
  • China Telecom
  • China Mobile
  • China Unicom
  • HiChina Zhicheng Technology Ltd
  • Beijing Xinnet Digital Information Technology Co. Ltd
Payment per year ranges from 5,000 yuan to 25,000 yuan, and can be made via bank online transfer, domestic and international wire, Alipay (China's Paypal), and even cash in certain cities such as Beijing and Guangzhou. In other words, no matter where in the world you live, you can lease server time and set up an email account that will resolve to the PRC. And if you use it to phish the Gmail accounts of your targets, you've hit the gold standard of mis-direction because there's almost no alternative analysis done anymore when it comes to attacks that geolocate to an IP address in China.

Google probably chose to focus on the two IP addresses that resolved to Jinan, the capital of Shandong province, because it's home to Lanxiang Vocational School, which was associated with the Google attacks of December 2009 - January 2010, and because it has a PLA regional command center. The problem with this argument is that Jinan is a high tech industrial zone with over 6 million people and more than a dozen universities. Sourcing an email to Jinan is like sourcing a fruit shipment to California's Central Valley. It wasn't good evidence back in January, 2010 and it's no better now. There are at least a dozen foreign governments that I can think of who have a vested interest in reading the personal email accounts of U.S. China policy makers, military leaders, government officials, etc., and all of them are standing up Cyber Commands and enjoy the benefit of their own nationalistic hacker crews from time to time.

None of this rules China out as the responsible party, of course. I'm simply arguing for a higher bar of evidence before making the leap that China did it. One alternative method, for example, is to try to answer "why" the spear phishing attack was done. Once you have a clear grasp as to why, you can move on to creating a list of those who would benefit and then look for reasons that might exclude each member of that list. The discipline of alternative analysis has been a difficult one to adopt even among those who do it for a living within the intelligence community because our individual perceptions are highly biased in favor of something called mirror-imaging; i.e., we imagine that everyone sees things as we do. Another obstacle to alternative analysis is fear: the fear of being wrong; of looking silly; of taking an unpopular stand and suffering the consequences; and so on. Now that the Pentagon has determined that a cyber attack may be sufficient to justify a kinetic response, it is even more imperative that corporate leaders like Google, government leaders like the U.S. Secretary of State, and influential media like the Wall Street Journal exercise more due diligence before leaping to conclusions that may have harmful, possibly irreversible international repercussions.