Charles Croom, of Lockheed Martin will talk about "The State of Cyber Security 2011" at the UMBC Visionaries in IT Forum at 8:00am on Wednesday, February 23rd at the BWI Airport Marriott. The event is free but registration requested.

Croom joined Lockheed Martin Information Systems & Global Solutions as Vice President of Cyber Security Solutions in October of 2008. In this capacity, he shapes the corporation’s cyber security strategy with insight from his 35 years of distinguished service, leadership, and technology experience from the U.S. Air Force. He co-chaired a National Security Telecommunications Advisory Committee Task Force on “Strengthening Government and Private Sector Collaboration” which issued a May 2009 report recommending that the President direct the establishment of a Joint Coordinating Center. He currently serves on the Boards of the National Cyber Security Alliance (NCSA) and the Internet Security Alliance (ISA).

Croom retired as a U.S. Air Force Lieutenant General, Director of the Defense Information Systems Agency (DISA), and the Commander of the Joint Task Force for Global Network Operations in September 2008. While at DISA, he led a worldwide organization of more than 6,600 military and civilian personnel to serve the information technology and telecommunications needs of the President, Secretary of Defense, Joint Chiefs of Staff, combatant commanders, and other Department of Defense stakeholders.

The North American electric power system has been called the world’s largest interconnected machine and is a key part of our national infrastructure. The power grid is evolving to better exploit modern information technology and become more integrated with our cyber infrastructure. This presents unprecedented opportunities for enhanced management and efficiency but also introduces vulnerabilities for intrusions, cascading disruptions, malicious attacks, inappropriate manipulations and other threats. Similar issues are foreseen for other cyber-physical infrastructure systems including industrial control systems, transportation, water, natural gas and waste disposal.

A one-day Smart Grid Cyber Security Conference will be held at UMBC on February 15, hosted by the UMBC Computer Science and Electrical Engineering Department and Maryland Clean Energy Technology Incubator. The conference will be a comprehensive presentation by the National Institute of Standards and Technology regarding an Inter-agency Report 7628 (NISTIR 7628) named Guidelines for Smart Grid Cyber Security which is a critically important document for guiding government, regulatory organizations, industry and academia on Smart Grid cybersecurity. This regional outreach conference is valuable to any organization that is planning, integrating, executing or developing cyber technology for the Smart Grid.

The conference is free, but participants are asked to register in advance to help us organize for the correct number of participants.

A full copy of the 600 page report is available here.

The DoD-sponsored JASON study group was asked to consider the question of whether there is a ‘science’ to cyber-security or if it is fundamentally empirical. They released an 88-page report last month, Science of Cyber-Security with the following abstract:

“JASON was requested by the DoD to examine the theory and practice of cyber-security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied. Our study identified several sub-?elds of computer science that are specifically relevant and also provides some recommendations on further developing the science of cyber-security.”

The report discusses to general technical approaches to putting cyber-security on a scientific foundation. The first is based on the standard collection of frameworks and tools grounded in logic and mathematics such as cryptography, game theory, model checking and software verification. The second is grounding cyber-security on a model based on an analog to immunology in biological systems.

It concludes with some observations, recommendations and responses to nine questions that were included in their charge. One interesting observation is that cyber-security, unlike the physical sciences, involves adversaries, so its foundation will use many different tools and methods. A recommendation is that the government establish cyber-security research centers in universities and other research organizations with a “long time horizon and periodic reviews of accomplishments”.

The Tech Council of Maryland is the state’s largest technology trade association and has more than 500 members. It is sponsoring a series of meetings on cyber security:

“Understanding that the conversation about cyber security needs to continue among all stakeholders, the Tech Council of Maryland is moving its CyberMaryland Forum throughout the state. The Forum is open to anyone with an interest in the cyber security industry.”

The next CyberMaryland Form meeting will be held this coming Wednesday morning at UMBC:

“The next meeting of the CyberMaryland Forum will be held on Wednesday December 8, 2010 from 8:30 to 11:30 am at the University of Maryland, Baltimore County. Our content will cover the latest developments in the state’s initiative to be the “Epicenter for Information Security and Innovation”, the development of the UMBC/Northrop Grumman Cyber Incubator program to help grow fledgling cyber security companies and other hot topics in the cyber security industry. To learn more about the CyberMaryland Forum, contact Mark Glazer at 240-243-4045 or mglazer@techcouncilmd.com.

The Tech council encourages UMBC faculty, staff and students to participate and is waiving the registration fee for the UMBC community. The meeting will be held in the main conference room at UMBC’s South Campus Technology Center at 1450 South Rolling Road.

I always think of things I should have added in the hour after making a post. Sigh. Here goes…

The situation is perhaps not so different from mailing lists, Google groups or any number of similar systems. I can set up one of those and add people to them without their consent — even people who are are not my friends. Even people whom I don’t know and who don’t know me. Such email-oriented lists can also have public membership lists. The only check on this is that most mailing lists frameworks send a notice to people being added informing them of the action. But many frameworks allow the list owner to suppress such notifications.

But still, Facebook seems different, based on the how the rest of it is configured and on how people use it. I believe that a common expectation would be that if you are listed as a member of an open or private group, that you are a willing member.

When you get a notification that you are now a member of the Facebook group Crazy people who smell bad, you can leave the group immediately. llBut we have Facebook friends, many of them in fact, who only check in once a month or even less frequently. Notifications of their being added to a group will probably be missed.

Facebook should fix this by requiring that anyone added to a group confirm that they want to be in the group before they become members. After fixing it, there’s lots more that can be done to make Facebook groups a powerful way for assured information sharing.

Facebook has rolled out a new version of groups announced on the Facebook blog.

“Until now, Facebook has made it easy to share with all of your friends or with everyone, but there hasn’t been a simple way to create and maintain a space for sharing with the small communities of people in your life, like your roommates, classmates, co-workers and family.
…
Today we’re announcing a completely overhauled, brand new version of Groups. It’s a simple way to stay up to date with small groups of your friends and to share things with only them in a private space. The default setting is Closed, which means only members see what’s going on in a group.”

There are three kinds of groups: open, closed and secret. Open groups have public membership listings and public content. Private ones have public membership but public but private content. For secret groups, both the membership and content are private.

A key part of the idea is that the group members collectively define who is in the group, spreading the work of setting up and maintaining the group over many people.

But a serious issue with the new Facebook group framework is that a member can unilaterally add any of their friends to a group. No confirmation is required by the person being added. This was raised as an issue by Jason Calacanis.

The constraint that one can only add Facebook friend to a group he belongs to does offer some protection against ending up in unwanted groups (e.g., by spammers). But it could still lead to problems. I could, for example, create a closed group named Crazy people who smell bad and add all of my friends without their consent. Since the group is not secret like this one, anyone can see who is in the group. Worse yet, I could then leave the group. (By the way, let me know if you want to join any of these groups).

While this might just be an annoying prank, it could spin out of control — what might happen if one of your so called friends adds you to the new, closed “Al-Queda lovers” group?

The good news is that this should be easy to fix. After all, Facebook does require confirmation for the friend relation and has a mechanism for recommending that friends like pages or try apps. Either mechanism would work for inviting others to join groups.

We have started working with a new group-centric secure information sharing model being developed by Ravi Sandhu and others as a foundation for better access and privacy contols in social media systems. It seems like a great match.

See update.

University of Michigan professor J. Alex Halderman explains how his research group compromised the Washington DC online voting pilot in his blog post, Hacking the D.C. Internet Voting Pilot.

“The District of Columbia is conducting a pilot project to allow overseas and military voters to download and return absentee ballots over the Internet. Before opening the system to real voters, D.C. has been holding a test period in which they’ve invited the public to evaluate the system’s security and usability. … Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots. In this post, I’ll describe what we did, how we did it, and what it means for Internet voting.”

The problem was a shell-injection vulnerability that involved the procedure used to upload absentee ballots. Halderman concludes

“The specific vulnerability that we exploited is simple to fix, but it will be vastly more difficult to make the system secure. We’ve found a number of other problems in the system, and everything we’ve seen suggests that the design is brittle: one small mistake can completely compromise its security. I described above how a small error in file-extension handling left the system open to exploitation. If this particular problem had not existed, I’m confident that we would have found another way to attack the system.”

If you are interested in the Stuxnet worm, take a look at this blog post from F-secure Labs, Stuxnet Questions and Answers. It’s relatively free of over ventilation and speculation. F-secure is a Finnish company specializing in anti-virus and computer security software. Here’s an intriguing example from the post that does speculate a bit.

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value “19790509″ as an infection marker.

Q: What’s the significance of “19790509″?
A: It’s a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it’s the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused to be spying for Israel.

Hat tip HN.

update: Another good resource is SYmantec’s W32.Stuxnet Dossier.

“While the bulk of analysis is complete, Stuxnet is an incredibly large and complex threat. The authors expect to make revisions to this document shortly after release as new information is uncovered or may be publicly disclosed. This paper is the work of numerous individuals on the Symantec Security Response team over the last three months well beyond the cited authors. Without their assistance, this paper would not be possible.”

Ars Technica has an an article on bad Android apps, Some Android apps caught covertly sending GPS data to advertisers.

“The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.

They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user’s location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy.”

TaintDroid is an experimental system that “analyses how private information is obtained and released by applications ‘downloaded’ to consumer phones”. A paper on the system will be presented at the 2010 USENIX Symposium on Operating Systems Design and Implementation later this month.

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, William Enck, Peter Gilbert, Byung-gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth, OSDI, October 2010.

The project, Realtime Privacy Monitoring on Smartphones has a good overview site with a FAQ and demo.

This is just one example of a rich and complex area full of trade-offs. We want our systems and devices to be smarter and to really understand us — our preferences, context, activities, interests, intentions, and pretty much everything short of our hopes and dreams. We then want them to use this knowledge to better serve us — selecting music, turing the ringer on and off, alerting us to relevant news, etc. Developing this technology is neither easy nor cheap and the developers have to profit from creating it. Extracting personal information that can be used or sold is one model — just as Google and others do to provide better ad placement on the Web.

Here’s a quote from the Ars Technical article that resonated with me.

“As Google says in its list of best practices that developers should adopt for data collection, providing users with easy access to a clear and unambiguous privacy policy is really important.”

We, and many others, are trying to prepare for the next step — when users can define their own privacy policies and these will be understood and enforced by their devices.

There have been reports over the past weeks about Stuxnet, a new malware system that experts say is designed to seek out and damage certain kinds kind of industrial sites. Some argue that it has already hit and damaged its target.

The Christian Science Monitor published a good overview earlier this week.

“Cyber security experts say they have identified the world’s first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.

The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran’s Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.”

The computer security company Symantec has been tracking it for a while and reported back in August that Stuxnet differs from typical Windows oriented in that it is designed to infect the Programmable Logic Controllers used in industrial control systems.

“As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.”

Symantec’s analysis of where Stuxnet has been found supports the theory that it was intended for targets in Iran, as the following map illustrates.

Security expert Frank Rieger writes that Stuxnet is exceptionally well designed and written and starts out on infected USB sticks.

“stuxnet is a so far not seen publicly class of nation-state weapons-grade attack software. It is using four different zero-day exploits, two stolen certificates to get proper insertion into the operating system and a really clever multi-stage propagation mechanism, starting with infected USB-sticks, ending with code insertion into Siemens S7 SPS industrial control systems. One of the Zero-Days is a USB-stick exploit named LNK that works seamlessly to infect the computer the stick is put into, regardless of the Windows operating system version – from the fossil Windows 2000 to the most modern and supposedly secure Windows 7.”

Rieger further argues that evidence suggests that Stuxnet is targeted not at Iran’s Bushehr reactor but at the uranium enrichment plant in Natanz and has already achieved success. To support the last conclusion, he sites a note on Wikileaks about a “a serious, recent, nuclear accident at Natanz” in July 2010.