May 2009 Archives

There has been a lot of discussion about the internal struggle within the Indian intelligence community over implementing Huawei's telecom products throughout India's core infrastructure, and about the views of India's DOT and government-owned BSNL on the matter.
According to the Economic Times and Gulf Base.com, "The Indian communication ministry has warned state-owned telco BSNL that telecom networks supplied by Chinese equipment major Huawei must be tested for trapdoors, blackboxes, malwares, and also, if it is susceptible to remote hacking before they can be allowed to be operational." "In fact, Huawei was also the sole company that was shortlisted for BSNL's 25 million lines in Western India, but the PSU now plans to award this contract, worth $1.5 billion, to French-Indian combine Alcatel-ITI. BSNL has identified this as an alternate solution as the telco cannot award this contract to Chinese equipment major Huawei on security grounds as the West zone shares sensitive boundaries with Pakistan."

India is very competitive in the design of telecom components, but China remains the leader in the bulk manufacture of telecom equipment. While Huawei is fast becoming one of the world's largest telecom providers to China, India, Africa, and Europe, there still remains the concern that the company is linked to Chinese-supported cyber war initiatives funded by the Chinese military. ZTE, China's second largest telecom provider and the world's 6th largest cell phone provider, is trying to grow its market in the EU. ZTE is now ready to provide China with its approved 3G network. This year China is also coming up with its own 586 billion dollar stimulus package to help its economy.

While Huawei is accused of being linked to cyber warfare or cyber intelligence gathering, ZTE has had its share of accusations. In 2007, ZTE was accused of being involved in or linked to the hacking of some German Government files, and there was trouble with a deal with the Philippine Government. It's an interesting contrast: are these two of the world's fastest growing telecom providers implementing ADSL, WiMAX and LTE networks and 4G phones, or is this an embedded portal for the Chinese military for cyber intelligence gathering?
I believe at one time Microsoft was accused of providing cryptology plugins for the NSA, or involved with the development of Vista, and maybe ZTE, Huawei, or anyone else does not have any choice in the matter when it comes to the concerns of its government's national security issues. Perhaps it is a 'Cyber Arms Race'; having back doors into some of the world's largest networks is probably too tempting for any intelligence security agency. These are some of the risks that nations have to be concerned about when it comes to their own interests of national security and sovereignty when purchasing software or networking infrastructure. Who is your business partner and what risks are you willing to take? The reality is just like our economies - all the networks and software are interconnected.
Today Canada's Public Safety Minister Peter Van Loan said cyber security is like the new arms race. He said there is not one minute of the day that someone somewhere is trying to break in to our information systems. Everyone knows information security and information services in this global economy

Peter Van Loan's comments go along to point out that executive governance on information security practices and procedures is not just coming in the government sector but in the private and public sectors as well. In the U.S. we have seen mandates from states on the protection of privacy information and new bills introduced for the forthcoming legislation on information security, PCI Security Standards for the way that your information security architecture needs to be structured for payment card applications, and the new Red Flag Law for identity theft.

At the same time the U.S. and Canada met to discuss a new partnership to protect against trans-border threats (UPI.com). They discussed:
-- Developing joint threat and risk assessments.
-- Advancing initiatives that manage risk while facilitating movement of legitimate goods and people.
-- Working to ensure that separate systems prevent entry of dangerous goods or people to either country when national laws bar sharing managed risk initiatives.
-- Expanding integrated law enforcement operations along the border and waterways to prevent criminals and terrorists from evading enforcement or harming the two countries.
ZDNet's May 12th report on D-Link adding CAPTCHA to home routers, and Hack-A-Day: D-Link-adds-Captcha-to-Routers.

According to SourceSec Security Research, the attack works like this:
1. Malware loads the router's index page and gleans the salt generated by the router.

Additionally, this vulnerability could be triggered by a simple JavaScript snippet using anti-DNS pinning, which removes the requirement for the attacker to have installed malware onto a machine inside the target network; the victim could be exploited by simply browsing to an infected Web page.

See these additional articles: How DNS Pinning Works and why my router was not effective; DNS Pinning Death by 1000 Cutts
May 21st 2009: ICANN published its 2009-2012 Strategic Plan. "Security, stability and resiliency will remain a top priority and ICANN will work

ICANN is moving forward with its commitment to enhance DNS security through DNSSEC, working with Verisign and the NTIA, implementing root level resource public key infrastructure practices in the Top Level Domain (TLD) community. ICANN has been working with the Internet registries using DNSSEC to sign the reverse parts of the Internet tree in an effort to authenticate IP addressing and border gateway routes through RPKI. ICANN is investigating implications for the root server system as a whole, with regard to a series of potential changes within the DNS including the implementation of new gTLDs and IDNs, along with possible implementation of DNSSEC signing of the root zone over the following 18 months. Their report on this study is expected September 2009. ICANN staff plans to work with the Software Engineering Institute (SEI) at Carnegie Mellon University to leverage the SEI Resiliency Engineering Framework (REF) to ensure its security, continuity and risk management programs incorporate best practices, and to measure improvements to maturity over time. For the complete Plan Draft view: Security, Stability and Resiliency Program

The international community is calling for more international control of ICANN. I don't know what will be the international response to ICANN's design plans for 2009-2012. There are a lot of outreach programs listed in this document to international country code top level domain operators and registries, but I don't know if this design will be enough to satisfy the international community's request for more control.
Saumil Shah's presentation "Pwnage 2.0 - How to Own the World" at the Hack In the Box Conference in Dubai was certainly a prelude to this week's Gumblar explosion. One born every minute: • IE XML Mass SQL Injection Remote control utilities

Hack in the Box Conference Materials

Bruce Schneier's book Secrets and Lies clearly points out the complexities with the browser framework.

Unmaskedparasites Blog Space about Gumblar
Unmasked Parasites Blog space posts 12 facts about the Gumblar injection scripts
The Chinese military attempted to hack into computers at the South Korean Embassy in the United States last year, a South Korean Air Force publication said Wednesday, according to Yonhap News. According to the annual publication that details the defense capabilities of global powers, China operates a "Red Hacker" unit of about a million hackers mainly attacking the U.S., Japan and Taiwan. The hackers, including those recruited from U.S. institutes such as MIT, attempted to hack systems at the South Korean Embassy in March last year, the publication said, citing military intelligence. "It was concluded based on the tracing of the Internet Protocol address that the attempt came from a Chinese military hacking unit," it said. The case marks the first time South Korea has made it public knowledge that it believes the Chinese military has tried to hack into its diplomatic office abroad.
This year's Gartner Risk Management and Compliance Summit track on IT Security stresses the importance of Information Security's ability to relate information security risks to business risk. How does the risk impact the business? The track covers aligning your information security management program to provide information about the risks to the Lines of Business, targeting IT processes that are critical to business success. Understanding the roles and responsibilities in each process is critical for success. You need to keep the awareness and expression of risk and compliance to executive management, line of business managers, and end users consistent and simple.

Jay Heiser's session on "Ending the Culture Wars" calls for the "Criticality" scale to be High, Medium or Low. "Enable the business to understand its own risk, and to accept its own risk." According to ISACA the Final Acceptance of Residual Risk takes into account the following: 1. Organizational Policy (appetite for risk)

Understanding the trust relationships and business processes between business units will help determine whether the residual risk accepted by one organization would have a business impact on another organization.

Paul Proctor's session, "Five Practical Tips to Link IT Risk Management and Compliance to Corporate Performance", outlines how to relate your operational risk to executive management, aligning your goals to corporate initiatives. The advice is not to use operational language such as "MS08-67 Vulnerability in Server Service Could Allow Remote Code Execution (958644)", but to use maturity model scale levels 1 - 5 to display the status of the Current State, Planned State, Desired State, and Developing Project Plans.

Mark Nicolett's session on Applying Monitoring, Assessment and Operations Technologies to Reduce Risk and Improve Compliance discusses the integration of SOC (Security Operation Center) and NOC (Network Operation Center) work flows.
This allows IT Operations to support 24/7 monitoring with security specialists providing 2nd level support. There are some issues, though, as Mark points out, on Privileged User Monitoring and Security Incident Management. Mark outlines the broad scope of SIEM: user access monitoring, real time event aggregation, correlation, alerts, reporting and historical analysis: 1. To Monitor external threats

The items above cover only a fraction of the sessions available at the IT Risk Summit. Information Security Risk is just one of the Summit's tracks, and I covered a small section of that. Next year's Risk and Compliance Summit will be held in Washington D.C. I recommend reading "IT RISK turning business threats into competitive advantage"
nFX SIM One version 4.1 introduces CMDB integration into its SIEM Business Topology Framework. Assets can be imported by their CMDB domain with their associated asset attributes, including quantitative or qualitative asset valuation. CMDB is a fundamental component of the ITIL framework's Configuration Management process. nFX SIM One assets are grouped by Customers, Business Units and Asset groups. This allows the SIM One information security management framework to match the business organizational structure or Mission Area Types, providing a consistent view of the organization to ITIL Operations, as well as to SOC and NOC Operations.

Vulnerability Assessment Scans of corresponding assets are automatically linked to CMDB-defined assets. CMDB integration and Vulnerability Scan Assessment integration can be defined as automated processes or manual processes. nFX SIM One reports on synchronization differences between the last and current CMDB state of its asset information, and also reports on assets that are defined in nFX SIM One but not seen in CMDB. Assets can be automatically created and assigned value from Vulnerability Assessment Scans, so it could be that assets were detected by Assessment Scanners that are not defined in CMDB. HP UCMDB asset valuation modifications and other attribute changes are sent to HP OVO as an alarm that the asset valuation has changed for this particular asset. This allows information security to view what controls are protecting critical business processes and allows information security to view the effectiveness and efficiency

nFX SIM One's Vulnerability Correlation Engine correlates the threat criticality with the vulnerability criticality and the asset criticality to the business in real time, and offers the ability to notify ITIL operations, NOC and SOC when the attack matched a specific vulnerability.
nFX SIM One's Rules Based Correlation Engine allows information security to build custom rules that will help identify trust relationship issues between service providers, business partners, business units, asset groups, assets, applications or users, identifying when threats are getting closer through layered controls to critical business assets and that have a severe business impact. nFX SIM One provides integration with Network and IT Operations Center monitoring systems: selected events or incidents can be sent to end users for notification and analysis, and it provides helpdesk ticket integration with major help desk vendors.

To provide segregation and integrity of incident management, nFX SIM One provides its own built-in Incident Management Resolution application, where security analysts can work on various investigations without other operational users being able to access that information. nFX SIM One also has the ability to allow its incident management system to have two-way integration with OVO, letting the operations staff and IT management know what state an incident is in and to whom it is assigned, at the request of the analyst or incident manager working on the incident status at the time. nFX SIM One allows the CIO, Risk Management, and the CISO the ability to jumpstart their information security program, reduce risks, and improve compliance.
Theft at Berkeley

Mercury News reports that 160,000 UC-Berkeley students' records have been compromised and about 97,000 of them had links between their health records and their social security accounts. "Patient privacy and quality care are cornerstones of our services," said Steve Lustig, associate vice chancellor for health and human services. "We are deeply troubled that this breach will concern our current and former clients and want to reassure them that the medical records systems were not touched in this incident."
The technology journalist John C. Dvorak is generally worth reading, whether or not you agree with his frequent, sweeping pronouncements and hyperbole. He wrote a recent column on "Why Tech Today is Boring." He makes a pretty good, if overstated, point about one of the rarely considered side-effects of the knee-jerk Sarbanes-Oxley Act of 2002 - that it killed the technology IPO, and with it, innovation: "The law killed the IPO market that innovative small companies used to get funding for continued growth. The only thing a small company could hope for was to be bought by Google or Microsoft."

While I agree with his primary points about SOX being the death-knell of dotcom era IPOs, that it has done little to protect us from anything, and it has done more harm overall than good, I doubt SOX is truly responsible for "everything bad that has happened in the technology world." One point we often make around here is that compliance should follow from security, but security does not automatically follow from compliance. In light of that, the one good thing I have seen from companies considering SIM and other security technology to achieve compliance (SOX, PCI, HIPAA, FISMA or any other acronym) is that some of the more forward-thinking ones use these systems to actually improve their security posture. It isn't innovative, and it isn't exciting, but it is a proper step for companies entrusted with our private data.
ICANN is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet's unique identifiers. ICANN also operates IANA, the Internet Assigned Numbers Authority, which is the global authority for the DNS root, IP addressing, and other Internet protocol resources.

Yesterday the EU Commissioner for Information Society and Media said that this fall, when the current contractual relationship between ICANN and the US Dept. of Commerce ends, ICANN should report to a new G-12 Internet Governance group composed of representatives from all the major continents. There has been speculation that ICANN will end up under the authority of the United Nations, although the commissioner feels that decisions on Internet governance should be more expedient and have a less formal international forum. See EU Commissioner for Information Society and Media Viviane Reding's view on ICANN.

Read public comments on the NTIA website (the NTIA is under the authority of the US Dept. of Commerce) about ICANN privatization from Feb. 2008 and the Midterm Review of the Joint Project between the NTIA and ICANN. Recently there are those who believe that the Rockefeller-Snowe Cybersecurity Act would provide for authoritarian control over Internet connectivity.

Notice of Inquiry - Assessment of the Transition of Technical Coordination and Management of the Internet Domain Name and Addressing System. NTIA seeks comment regarding the upcoming expiration of the Joint Project Agreement (JPA) with the Internet Corporation for Assigned Names and Numbers (ICANN). This agreement has been in existence since November 25, 1998, and is scheduled to expire on September 30, 2009. Comments may be submitted electronically to: DNSTransition@ntia.doc.gov

Why is DNS broken, in Plain Language.
ICANN explains why Domain Name System (DNS) is vulnerable to attack, and why that is important, without needing a computer science degree to understand it.
According to Israeli-based Ynetnews, Ehud Tenenbaum, an Israeli citizen and alleged mastermind behind a 1990s U.S. Pentagon cyber break-in, is to be transferred from Canada to the United States. Since 2008, Ehud Tenenbaum was being held in custody for an attempt to steal 1.8 million CDN dollars from a Canadian-based company, 'Direct Cash.'