U.S. Seeks to Shut Backdoors in Tech Products
As part of a comprehensive cybersecurity push, the U.S. government will focus on improving its network defense capabilities and revamping acquisition rules to protect against malicious code installed during the manufacturing process of electronic devices.
The National Cybersecurity Initiative, announced in January, will replace the government’s outdated network perimeter defense system, officials from the U.S. Department of Homeland Security (DHS) and other agencies said at the cybersecurity conference held last month by the Information Technology Association of America.
Cyberattacks have grown more sophisticated in the past year, says Melissa Hathaway, senior advisor for cybersecurity at the Office of the Director of National Intelligence (DNI).
“We are faced with a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities and very weak situational awareness at this time,” she says. “We see this as a growing economic and national security crisis.”
Government officials are increasingly concerned about hidden vulnerabilities and Trojan horses in commercial technology products, says Paul Schneider, deputy secretary at DHS. The U.S. government needs to better protect its supply chain, particularly when a growing number of tech products are produced overseas.
The U.S. government will work with private vendors to address those supply-chain concerns, he says. DHS is also looking at implementing stricter acquisition rules for tech products.
There have been examples of credit-card point-of-sale machines stealing credit card numbers and passwords, Hathaway notes. “We need to be more concerned about backdoors in the supply chain,” she says.
Another major concern is the U.S. government’s perimeter defense, officials say. The current perimeter defense scanner, nicknamed Einstein, was launched in 2004 and is a largely passive monitoring system, Schneider says.
“Simply put, [Einstein] is a flow-management system that lets us know after we’ve been attacked,” adds Neill Sciarrone, special assistant on cybersecurity in the White House.
Einstein protected a small percentage of the access points to the federal government’s networks, adds Robert Jamison, undersecretary for national protection and programs at DHS. His agency is currently testing a new version of Einstein that would protect all of the government’s networks, he says.
The long-term cybersecurity initiative will focus on several other issues, including better sharing of information about cyberattacks and sharing government defense capabilities with private companies, officials say. The government also will work on recruiting more cybersecurity experts to work for U.S. agencies and educating Internet users about vulnerabilities, they say.
– Grant Gross
Can’t Recall Your Password? Try This.
Our brains are littered with passwords from bank accounts, PINs, work e-mail, network log-ons, e-commerce and social networking sites.
How bad is the alphanumeric clutter in our heads? The average person now must remember five passwords, five PIN numbers, two number plates, three security ID numbers and three bank account numbers, according to research from Ian Robertson, professor of psychology at the Institute of Neuroscience and School of Psychology at Trinity College in Dublin, Ireland. His research found that nearly 60 percent of those studied felt they couldn’t remember all these numbers and letters. As a result, most users create weak passwords or rely on technology to create or store alphanumeric data.
Robertson says that people can remember more information if they practice visualizing it. “We could happily remember two dozen passwords using some fairly standard memory methods,” he says.
He points to one long-standing way to recall numerical-based passwords: visual imagery. First, create an easy-to-recall rhyming word for each number of your password, one through 10. “One is bun, two is shoe, three is tree, four is door, five is hive, six is sticks, seven is heaven, eight is gate, nine is wine and 10 is hen,” Robertson suggests. So if, say, your code is 6329, you would first visualize a pile of sticks (for six), spread all around a tree (three), where a shoe (two) is hanging on the tree, and a glass of wine (nine) is pouring over the tree. The same approach works for alphanumeric passwords.
“The first few times will be time consuming,” says Robertson. “But if you get into the habit, you could remember two or three dozen visual images.”
– Tom Wailgum
Most IT Teams in Need of a Culture Overhaul
If it seems like your IT team works on an island all of its own making, a recent report by Forrester Research may explain why. As many as 85 percent of those surveyed believe a firm’s IT culture differs from its overall culture.
Forrester analyst Marc Cecere estimated that IT department culture fails to jibe with overall corporate culture in about half of all businesses. A distinct IT culture may evolve due to different ways of measuring success. However, Forrester says problems can arise when the IT culture strays too far in three directions:
1) Too IT-Centric or Fearful | When IT doesn’t have a healthy relationship with the business, it’s in danger of forming an us-versus-them culture where IT hunkers down behind the technologies it manages and the problems it solves.
2) Too Heroic or Autonomous | The danger here is a tendency to firefighting and working extreme hours to solve problems. This can also lead to developing workarounds, rather than fixing the underlying issues.
3) Too Bureaucratic | IT can isolate itself if it sets up too many formal processes for customers to follow. Overly complex requirements can create unnecessary barriers between business needs and IT solutions.
So, how does a CIO go about overhauling IT culture? Cecere says to identify the cultural gaps, examining differences in decision-making styles and levels of risk. Strong leadership and clearly defined metrics will help close those gaps, as will a network of people within IT who regularly share information with the CIO.
“It’s what I call ‘institutionalizing communication,’” he says. “It’s more than just communicate, communicate, communicate. It’s actually being very disciplined and very organized about it.”
– Marissa Berenson
SSDs Are Hot, But Not Without Security Risks
Solid-state drives (SSDs) are becoming popular replacements for hard drives, especially in laptops, but experts caution that SSDs aren’t as secure as commonly thought.
SSDs offer better data security than traditional hard drives, but they do not completely erase data and are vulnerable to physical hacks. The drives are gaining in popularity, particularly for use in laptops, because they consume less power and access data more quickly.
But many SSDs use industry-standard NAND flash chips designed for cameras and MP3 players, so they have no physical security hooks that prevent them from being removed from enclosures, says Jim Handy, director of Objective Analysis, a consulting firm. A hacker could unsolder NAND chips from an SSD and read the data using a flash chip programmer. Once the data is read, the files could be reassembled using data-recovery software. “There’s really nothing sophisticated about this process,” he says.
Another hack involves using an ultraviolet laser to wipe out lock bits, or encryption locks, from fuses on chips that secure SSDs, says a chip hacker who prefers to be called Bunnie and runs the blog site Bunnie Studios. Data arrays from SSDs can be read using standard means after the lock bits are wiped.
To lessen chances of hackers stealing data, encryption keys could be integrated inside the SSD controller device to handle disk encryption at the hardware level, says Craig Rawlings, marketing director at Kilopass, a vendor of products using extra permanent memory technology that stores keys in system-on-chip devices.
– Agam Shah
U.S. Border-Crossing Database Raises Concerns
A plan by U.S. Customs and Border Protection (CBP) to collect personal information on travelers coming into the country and keep it in a database for 15 years could have huge privacy implications for U.S. residents, one privacy group says.
The Center for Democracy and Technology (CDT) says the plan raises serious privacy concerns. The proposal represents a “vast scope of data collection,” because data wasn’t formerly kept for U.S. citizens crossing into the country by land, the CDT says.
In addition, the 15-year retention period for the data is “excessive,” wrote Gregory Nojeim, senior counsel at CDT. “It cannot be justified as necessary for determining whether the record subject is admissible, or is dangerous or is the subject of an outstanding criminal warrant,” he wrote in comments filed by the CDT.
The plan allows for the agency to share the information with other government agencies for a wide variety of reasons. In the past, CBP could only share information when it became aware of a violation or potential violation of laws or regulations.
A DHS spokeswoman discounted the privacy concerns, saying the traveler database is not new. Border officials have collected information on some travelers in the past, and this is an attempt for CBP to be more transparent about its information-collection practices, says spokeswoman Amy Kudwa. “This is not something new,” she says. “We are not using the information in a new way.”
CBP has also come under fire from privacy advocates in recent months for searches of laptops at U.S. borders without having specific suspicions of criminal behavior. CBP and DHS officials have defended the practice of searching a small number of laptops by saying it helps catch terrorists and other criminals.
– Grant Gross
What the New HP-EDS Means for You (and IBM)
Hewlett-Packard recently unveiled its multiyear plan to assimilate its purchase of IT outsourcing powerhouse EDS, which involves 250 integration projects, nearly 10,000 integration milestones and the elimination of 24,600 jobs. The moves, HP Chairman and CEO Mark Hurd says, will save the combined company US$1.8 billion.
But what does it mean for customers of HP, EDS, or both?
Most layoffs will occur in EDS support positions, not customer-facing roles, the company claims. “The main concern for potential customers is whether an announcement like this will have a chilling effect on the workforce that would normally transfer from the customer to the provider,” says Edward Hansen, a partner in the business and finance practice of Morgan Lewis & Bockius.
As a result, “Many clients will be asked to accept changes to elements of their service, be it personnel or delivery location,” advises Mark Robinson, an executive director of outsourcing consultancy EquaTerra. “They should be mindful of the contractual protections they have that will allow them to remain in control.”
Only time will tell if HP can successfully sync these two distinct corporate cultures. “With some 30-plus acquisitions under its belt in the past three years, HP is treading on familiar ground,” says John Madden, research director for IT consultancy Ovum. But “it will take six to nine months for the first real signs of progress from the integration to emerge.”
If the HP-EDS marriage lives up to its on-paper promise, the new company could offer outsourcing customers their first real alternative to IBM Global Services. “IBM, for the first time, is facing a global competitor that will be able to match it for both infrastructure and service capabilities in most, if not all, categories and geographies,” says Robinson.
However, an integrated HP-EDS may be bad news for customers who used both companies as competing service providers. “Those customers will have to migrate over time to one or more other suppliers,” says Lowell Williams, EquaTerra’s head of human resources advisory services, “to ensure this new 800-pound gorilla plays nice.”
– Stephanie Overby
Web Founder Aims for Truly Global Internet
Tim Berners-Lee, the inventor of the World Wide Web, plans to launch a new foundation focused on extending the capabilities of the Web and bringing the Internet to all the world’s people.
The World Wide Web Foundation, scheduled to launch early next year, will “advance a Web which is open and free,” Berners-Lee said at a Washington, D.C., event. The foundation will promote democracy, free speech and the freedom of users to access the online content they want, he said. It will also push Web standards and interoperability.
A major focus of the foundation will be to provide Web access to the 80 percent of the world’s population that is not currently online, said Berners-Lee, now a professor at the Massachusetts Institute of Technology. He acknowledged that the goal is a “very big undertaking,” but said it’s important for the Web to benefit all of humanity.
The Knight Foundation will provide $5 million in seed money to help launch the foundation.
– Grant Gross