Tony Blair closes RSA 2012, denounces WikiLeaks

Saturday, March 3, 2012

RSA 2012 Former British Prime Minister Anthony Charles Lynton Blair was RSA's pick to close out their annual security conference in San Francisco, and he took the opportunity to bash WikiLeaks as "disgraceful."

Blair took time out from his busy official role of bringing peace to the Middle East to pad his pockets speak for an unspecified sum at the conference's closing keynote, where he told his audience that he had very little knowledge of technology, claiming he never even owned a mobile phone until he left political office. This was an advantage, as it turned out, given the News International hacking scandal, he joked.

Privacy is for politicians Blair claims

That said, he has some trenchant views on privacy and the activities of organizations such as WikiLeaks. Individuals need to have private communications, he said, but at the same time there are people who threaten our way of life that have to be stopped. Politicians, however, need privacy to function, and he denounced WikiLeaks for breaking that by publishing State Department cables.

"The thing with the WikiLeaks is that it was, in my view, a very bad and disgraceful thing to do," he said. "I was in Washington for meetings yesterday, and I have to be able to speak frankly. You can't have a situation where you're dealing with issues of extraordinary sensitivity and say there has to be complete openness."

Blair did say that, when it came to IT security legislation, politicians need to talk to people on the front lines to formulate laws that make sense and would work in the real world, a remark that brought warm applause from the audience.

He also admitted to getting social media wrong. When social media first emerged, he said that politicians saw it as something which would act as a brake on the conventional media. In fact, he said it was having a multiplier effect, and now it was up to the mainstream media to provide clear facts. Social media is also having a revolutionary effect in cutting the influence of government censorship, he said.

He also described explaining technology to his 11-year old son. While the younger generation was adopting technology faster than their parents, Blair asserted that you needed "the wisdom of the oldies" to put the technology itself in context.

Blair said that, despite massive changes in geopolitics, democracy was the future for the world, and cited the creation of the internet as an example of how free thinking is superior in driving innovation. Ultimately the economies of China and others will move towards a democratic model, in his opinion.

One can't help but wonder at RSA's recent choices for keynote closers. Past alumni have included Simon Singh, author of "The Code Book", and serial (but reformed) fraudster Frank Abagnale, people with knowledge of, and an interest in, security. But in the last few years RSA's choices have strayed from this path in favor of politicians giving stump speeches.

Last year Bill Clinton gave the closing address (from which press were barred, possibly to disguise the fact that Bubba gave almost exactly the same speech as he had at several other tech conferences that year), and this time we got another technology know-nothing.

While booking washed-up politicians might look good, one suspects delegates would rather have something on-topic.

Cable-Modem Hacker Convicted in Boston

Ryan Harris and his defense attorney Charles Mcginty leave the federal courthouse in Boston after the second day of Harris' trial. Photo: Quinn Norton

Cable-modem hacker Ryan Harris has been convicted of helping users steal internet access that authorities say involved a $1 million scheme to defraud cable companies of business.

Harris, 26, was convicted in federal court in Boston on seven counts of wire fraud in connection with selling hacked cable modems and software that allowed users to bypass restrictions that providers placed on cable modems to filter content and cap usage. Each count comes with a maximum sentence of 20 years in jail and a $250,000 fine.

Harris, who used the online handle DerEngel, had published a book titled Hacking the Cable Modem: What Cable Companies Don’t Want You to Know and sold “rooted” cable modems that could be used to get free internet service or bypass subscriber limits. He sold preflashed cable modems through his company, TCNiSO, for up to $100, and also provided other tools and information to help users modify their cable modems.

The feds argue the business was set up to help users masquerade as paying subscribers in order to obtain internet service for free or increase their access. Harris argued that rooted modems allow for many tweaks that are perfectly legal and that he should not be responsible for what users did with the modems.

Uncapping a cable modem allows the user to remove bandwidth filters imposed by the cable ISP, which can increase the speed of the modem and defeat any throttling or content filtering an ISP may try to do.

One product Harris provided, a packet sniffer that he dubbed Coax Thief, intercepted internet traffic to snag the media access control (MAC) addresses and configuration files of modems from neighbors. TCNISO and Harris provided customer support through forums hosted on the TCNISO website.

The government asserted that by providing hacked firmware, tutorials and support to people who used the cable modems to steal internet service or upgrade their existing service in violation of their ISP’s terms of service, Harris participated in a conspiracy and aided their fraud.

The case could have larger implications for other technology tools that can be used for criminal purposes, such as software mods for mobile phones or even anonymizing software.

Harris is scheduled for sentencing May 23.


Secunia bets on open information for security growth

RSA 2012 Danish vulnerability specialist developer Secunia has released the latest beta of its Personal Software Inspector (PSI), and says it is betting on an open approach to security information to grow the company.

Founder Niels Henrik Rasmussen told The Register that his company will continue to work on open information sharing with the security industry, rather than trying to lock down data for its own advantage. The benefits were clear, he said: Secunia has grown 182 per cent in the last three years, at a time when less-open competition was performing less well.

"The security community provides us with a lot of intelligence, which we can assess and then give back, instead of 'if you want my offering you have to pay for it'," he said. "People like the fact that we provide open solutions, the fact that we push solutions to security community."

So far, the strategy is working very well indeed, he said. The company now gets nearly a third of its revenue from US customers, despite only having opened US operations in 2009. If Secunia's high-profile booth at the RSA expo is any indication, business is good: the first time this El Reg hack met Rasmussen, the company had a tiny booth at the back of the hall held together with duct tape.

During the show the company released the beta of PSI 3.0, which scans host computers for unpatched code, back-checks against Secunia's list of released and stable patches, and then automatically updates the system.

The software is installed on over four million endpoints, Rasmussen says, and the final build of the code will be out in June.

Linode hackers escape with $70K in daring bitcoin heist

Popular web host Linode has been hacked by cyber-thieves who made off with a stash of bitcoins worth $71,000 (£44,736) in real money.

The crooks pulled off the heist after obtaining admin passwords for Linode's network gear. Having infiltrated its systems, the thieves proceeded to target several Bitcoin-related servers, stealing $15k (£9.45k) from one merchant and more than 10,000 bitcoins ($56k, £35k) from Bitcoinica, a trading exchange for the digital currency. Bitcoinica has promised to reimburse customers for any losses. It said in a statement:

Many of you have heard that several bitcoin services were victims of a recent Linode security breach today. Unfortunately, Bitcoinica is also among the services affected.

On 2012-03-01 at 6:30 UTC, our "hot wallet" hosted at Linode and containing over 10,000 BTC was emptied. The unauthorized access is consistent with that experienced by other bitcoin services, described by Linode as unauthorized access from Linode's "customer support interface".

Punters should avoid using any bitcoin addresses previously used to fund their Bitcoinica accounts, Bitcoinica advises:

We must assume that the thief has retained private keys associated with old bitcoin deposit addresses. This would allow them to access any new bitcoins sent to old deposit addresses. As of now, our website will only display new deposit addresses which are not affected by this. However any old bitcoin addresses which you may have recorded for convenience should never be used ever again. This is the most important thing.

Linode admitted it had been compromised and issued a statement to say the digital safety deposit boxes of eight customers had been ransacked. It promised to review and improve its security procedures in the wake of the hack:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted. All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin". The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins. Those customers affected have been notified. If you have not received a notification then your account is unaffected. Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords. Only those eight accounts were viewed or manipulated - no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.

Bitcoins are a form of electronic currency that can be exchanged for real cash. The system relies on public-key cryptography and peer-to-peer networking to transfer the coins between users' wallets. Isolated incidents of cyber-crooks using number-crunching botnets to generate bitcoins were detected last year.

Some miscreants appeared to have moved over to stealing bitcoins directly but it's unclear whether the smash-and-grab raid against Linode is a one-off, or the start of a new tactic in cybercrime.

Manchester biz raided in text message spam clampdown

Friday, March 2, 2012

A clampdown on text spam has led to a police raid on offices in east Manchester and the seizure of equipment by the Information Commissioner's Office.

The UK data privacy watchdog was given enhanced powers last year to tackle the growing problem of junk SMS messages, including the authority to ask mobile operators for information and numbers. The ICO was also allowed to obtain warrants to search premises.

The latest use of these powers targeted an unnamed firm touting an ambulance-chasing injury claims service. The watchdog, which is poring over evidence collected from the raided biz, said in a statement:

As part of the ICO's ongoing investigations aimed at tackling the scourge of unwanted spam texts linked to the Claims Management Industry and the companies profiting from this unlawful activity, the ICO executed a search warrant on a premises situated in the Urmston area of Manchester on Tuesday 28 February.

The property was believed to be connected to individuals associated with a company that is suspected of sending out thousands of unsolicited electronic marketing messages.

We will take action where it is clear that individuals or companies are profiteering from unlawful activity. This includes issuing a monetary penalty of up to £500,000 to the worst offenders.

David Clancy, an investigations manager at the ICO, explained the business model behind the mobile phone spam texts to the BBC.

"Once they [spammers] have trapped your number they will then sell it into the [claims] industry," he said. "First users will pay £1, £1.50 for that phone number. A month later it will be distributed to lots of organisations for 50p, 20p, 10p a time."

A previous raid last December led to the deactivation of 20,000 SIM cards. An ICO spokeswoman said the cards "had been used to send spam text messages".

Spam texts are usually sent using unregistered pay-as-you-go SIM cards. Under regulations introduced last year mobile operators are obliged to assist the ICO in pinpointing the locations from which clusters of junk messages have been sent. This cleared the way for the ICO to obtain a search warrant, authorising a raid by ICO investigators and local police.

The ICO advises punters to avoid responding to spam text messages.

£30m gov ID scheme to be steered by dole office

Identity assurance remains a hot topic at the Cabinet Office. And, despite a false start late last year, Whitehall is pushing ahead with its plans to offload ID-handling onto the private sector.

The department's digital boss Mike Bracken confirmed yesterday that, as expected, the Department for Work and Pensions had been tasked with overseeing procurement of identity services across government.

It published a notice in the Official Journal of the European Union (Ojeu) that signalled the Cabinet Office's intention to create a private sector market for the handling of taxpayers' ID.

As The Register exclusively revealed last year, such a plan will almost certainly need primary legislation to make the scheme a reality in the UK.

Despite that, plenty of cash has already been plonked on the ID assurance pile, with the price tag standing at £30m, according to Bracken. In November, Francis Maude's department had allocated £10m to the scheme.

While some would argue that it remains unclear why it is necessary to build an entirely new platform for transactions between benefit claimants and the DWP, given that a system for handling taxpayers' identity credentials is already in place, the Cabinet Office is convinced that a market can be created wrapped around its digital agenda.

That digital agenda amounts to the development of a fancy-looking website, GOV.UK, that will replace New Labour's Directgov, while the ID assurance scheme is expected to eventually kibosh the grandly named government gateway that was built by Microsoft back in 2001.

Maude has repeatedly insisted that the so-called "digital-by-default" agenda will save money in the public purse.

"Commercially, it means that the potential cost of procuring services for the cross-government Identity Assurance programme has been slashed from £240m to £30m," explained Bracken in a blog post yesterday.

Whether the cost of ID assurance might balloon remains open to question, however. After all, the scheme remains at the development stage of what a Cabinet Office spokesman told us in November last year involved only the "initial instantiations of the model". Beyond that, the offloading of identity-handling onto the private sector is expected to require legislation.

But hey, what's £30m to the taxpayer, right?

As for the details laid out in the tender document to the Ojeu, ID assurance is expected to initially support Universal Credit and the Personal Independent Payment systems to be implemented by the DWP in 2013 for 21 million claimants in the UK.

Providers need to offer either online, telephone or face-to-face identity verification.

Some other tidbits include:

  • Identity verification: Verification will be performed in an appropriate channel (web, telephone or face-to-face). The provider will verify that sufficient evidence exists to verify that a person presenting on a given channel is the owner of the claimed identity.
  • Credential management: The provider will securely manage the credential lifecycle (eg, user name, password, hard or soft tokens, grids, voice samples, memorable information, one time passwords etc), from issue to decommission, including all aspects of management of the customer, which will include for example credential loss/recovery/reissue.
  • Identity correction services: For example, managing and resolving errors identified by the customer and/or DWP.
  • Identity revocation services: Revocation of the identity (or use thereof for government authentication purposes) from the supplier.
  • DWP is building interfaces to its systems for Identity Assurance that currently use standard SAML 2 profiles. The initial set of services for DWP will therefore need to be built so that they can interface with this, and support authentication requests and responses in the telephony channel. However this interface may not necessarily apply as the services roll out across HMG.

The tender document also points out that it's difficult at this stage to work out the cost of the ID assurance scheme to government.

"In advance of market engagement it is difficult to quantify the expected length of contracts or cost of this service. However, this manner of ID assurance provision represents a brand new, cross-HMG approach that will be of significant value across HMG," it said.

The dole office actually stuck its ID services tender in the EU journal in late December, only to almost immediately yank it because the DWP had failed to follow the necessary procedures required for the procurement process.

As an aside, Google is among the companies involved in the gov's private sector identity marketplace. The Chocolate Factory changed its privacy policy this week to allow the search giant to more easily track its users across its online estate, with ID verification placed at the centre of its plans to earn even more ad bucks. And Europe isn't happy about the potentially "unlawful" terms of service tweak.

Online advertising isn't creepy enough

Open ... and Shut Privacy advocates endlessly worry that online advertising companies track your every move in order to serve you creepily well-targeted ads. They needn't bother. After all, when was the last time this hyper-invasive tracking of your online behavior actually resulted in you getting a deal on something you really wanted?

And it is invasive. Just ask The Atlantic's Alexis Madrigal, who discovered that 105 advertising-related companies tracked his online behavior over a 36-hour period. In theory, such tracking is anonymous. In practice, this is not really the case.

While we may not mind a gaggle of marketers sniffing around our online behavior, we may be slightly more squeamish over a digital portfolio collected about us that can so easily be shared with others, including governments, crime syndicates, ex-boyfriends, you name it.

But perhaps that's the price we pay for high-quality online content for free. We pay with our privacy.

Personally, I don't mind this very much. I'm as boring online as I am offline. If someone wants to know just how many gallons of Jersey cow milk I drink a year, that's their loss.

No, what grates on me is that for all the spying these companies do on my online behavior, they can't seem to serve me an ad for something I'd actually want to buy. Worse, they're terrible at delivering anything close to approximating a deal on the things I'd like to buy, even when I tell Google exactly what I want.

What gives?

For example, I ski a lot. And I spend a reasonable amount of time on Backcountry.com, Rossignol.com and other ski-related sites. Even the most rudimentary tracking technology should know that I'm interested in Rossignol skis (perhaps it would even know I bought two pairs of Rossignol skis this past year), yet when I type in "skis" into Google or even "Rossignol" into Google, the ads served up are for ... something completely different. Even the store that sold me my last pair of Rossignol skis EVO keeps trying to show me every kind of ski except Rossignol skis.

And Backcountry.com, which is one of the most aggressive technology adopters among online retailers, serves up a display ad that suggests: "Dynafit, K2, Armada, Salomon & more Free Shipping on Orders Over $50."

Come on, people: if you're going to track my online behavior, at least use it to get me to buy something I want!

It's possible that this mismatch between online behavior and online ads is intentional. Studies have shown that ads that are too finely targeted tend to be less effective, because people get "creeped out" by them.

Still, I'm happy for "creepy" ads to be served to me, if only it resulted in getting a deal. But the most targeted ads tend to be served up on behalf of the big retailers who are least likely to give me a deal worth buying. Instead of matching my interest in Rossignol Super 7s with a real deal on Teton Gravity's gear swap or a Craigslist ad, I'm shown full retail pricing on Backcountry.com, REI, EVO, and even eBay.

I understand that the advertisers willing to pay to track me and show me ads are different from the individuals or companies willing to sell gear for peanuts on these classified ad services. I get that. But as a consumer I'm being asked to give up my privacy for a mess of full-retail priced pottage.

It's not worth it.

There is a disconnect in the online advertising world. Despite widespread adoption of invasive user-tracking tools, consumers are neither getting well-targeted ads, nor deals that would justify that we click on the ads. We're being asked to give up much for very little. This is a raw deal, and perhaps explains why an increasing number of people are worried about online privacy. It's not what we're giving up but what we're getting in return that nettles us.

Anonymous web weapon backfires with hidden banking Trojan

Anonymous supporters queuing up to participate in denial-of-service attacks are being tricked into installing ZeuS botnet clients.

Hacktivists grabbed what they thought was the Slowloris tool, which is designed to flood websites with traffic just like the Low Orbit Ion Cannon program. However, the download included a strain of ZeuS, which promptly installed itself on their Microsoft Windows machines.

The Trojan will carry out the distributed attacks, but that's not all it does - it'll also steal users' online banking credentials, webmail logins, and cookies.

The deception began on 20 January, the same day as the FBI Megaupload raid, Symantec reports.

Malware pedlars swiped the template of an Anonymous guide to launching denial-of-service attacks from Pastebin, modified it to include a link to the nobbled build of Slowloris, and reposted the message on Pastebin to snare victims.

Anonymous is normally highly antagonistic to white-hat security firms, especially Symantec. This time however Twitter accounts maintained by the hacktivist collective were happy to endorse Symantec's warning.

Twit AnonymousIRC wrote: "Anonymous supporters tricked into installing Zeus trojan. This MUSTN'T happen. Be careful what you post and click on!"

Becrypt disk crypto earns first Brit spook kitemark

A full disk encryption product has become the first bit of kit to be certified by Brit spooks in their new Commercial Product Assurance scheme.

Covent Garden-based Becrypt's DISK Protect demonstrated good commercial security practice, earning it the official stamp of approval to be used by the UK government and public sector bodies in lower threat environments. The foundation-grade certification earned by Becrypt means the DISK Protect is trusted to safeguard data sensitive enough to earn the classification of "restricted". The technology is not approved for guarding more sensitive "confidential" or "secret" material. Nonetheless the seal of approval will make it easier for Becrypt to sell full disk encryption to public sector organisations.

The certificate was handed out by CESG (Communications-Electronics Security Group), which is part of the UK's snooping centre GCHQ. CESG has evaluated and certified security products for years prior to the introduction of the CPA scheme in April 2011. Under the new regime, CESG and independent test labs evaluate commercial security products against published security standards. Products that meet the foundation or tougher augmented grade get the seal of approval for public sector use. Even augmented-grade certification is only good enough for the protection of "restricted and some confidential data", CESG explains.

The CPA scheme is not just for cryptographic products but also covers any security-enforcing gear - such as firewalls and virtualisation technology. The certification scheme does not cover services, which are likely to fall under a separate assurance scheme, currently under development.

A spokesman for CESG said: "We are grateful to Becrypt and our first test labs Enex and Siventure for the interest and support they have given us during the pilot phase of CPA."

Election hacked, drunken robot elected to school board

RSA 2012 Security experts have warned that electronic voting systems are decades away from being secure, and to prove it a team from the University of Michigan successfully got the foul-mouthed, drunken Futurama robot Bender elected to head of a school board.

In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election.

"It was too good an opportunity to pass up," explained Professor Alex Halderman from the University of Michigan. "How often do you get the chance to hack a government network without the possibility of going to jail?"

With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn't spot them. The team also managed to guess the login details for the terminal server used by the voting system. This wasn't exactly difficult, since the user name and password were both "admin".

Once in, the team searched the government servers for additional vulnerabilities and system options. They found that the cameras installed to watch the voting systems weren't protected, and used them to work out when staff left for the day and so wouldn't spot server activity. More worrying, they also found a PDF file containing the authentication codes for every Washington DC voter in the forthcoming election.

The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman's personal favorite) Bender for head of the DC school board. They also set up systems so that any further ballots would come under their control.

According to the log files the team found, plenty of people were also busy trying to get into the system. They spotted attempts to get in from the Persian University, as well as India and China. Using their inside access, they blocked these attacks. Finally, they inserted the word "owned" onto the final signoff screen of the voting page, and set up the University of Michigan football fight song to play after 15 seconds.

It took two days before the authorities discovered they'd been pwned, and they were only alerted to that fact when another tester told them the system was secure, but that they should lose the music on the sign-off screen, as it was rather annoying. Halderman has now published a full account of the attack.

The attack demonstrates several of the flaws in electronic voting systems, and at numerous sessions at the RSA 2012 conference in San Francisco, experts have consistently warned against the dangers of this technology. In the US, there are 33 states that have introduced some kind of electronic voting systems, and none of them are secure enough to resist a determined attacker, said Dr. David Jefferson from Lawrence Livermore National Labs.

"The states are in the habit of certifying voting systems, typically without testing them or seeing the source code," he said. "In many cases the voting system uses proprietary code that government can't legally check, and the running of the systems is outsourced to the vendors. This situation is getting worse."

E-voting was a national security issue, he said. Financial attacks by hackers are relatively easy to detect because at some point money has to leave the system. But if an election is hacked then we may never know, because it's a one-time action that typically isn't checked after the results have been announced and officials elected.

It will be decades before we have the technology to vote securely, Jefferson said, if indeed it is even possible. At stake is democracy itself, but politicians don't seem to understand the problems of electronic voting, and both Jefferson and Halderman expressed fears for the future if current systems become more popular.

Report: Hackers Seized Control of Computers in NASA's Jet Propulsion Lab

Illustration showing NASA's newest Martian rover, the Curiosity, which will look for past or current conditions favorable for life when it lands later this year. Photo: NASA/JPL

Hackers seized control of networks at NASA's Jet Propulsion Laboratory last November, gaining the ability to install malware, delete or steal sensitive data, and hijack the accounts of users in order to gain their privileged access, according to a report from the National Aeronautics and Space Administration's inspector general.

The breach, originating from Chinese-based IP addresses, allowed the intruders to compromise the accounts “of the most privileged JPL users,” giving them “full access to key JPL systems,” according to Inspector General Paul K. Martin in a report to Congress (.pdf).

The investigation of the breach is ongoing, but Martin says the intruders had the ability to modify sensitive files; modify or delete user accounts for mission-critical JPL systems; and alter system logs to conceal their actions.

“In other words, the attackers had full functional control over these networks,” Martin writes.

But this wasn't the only breach NASA experienced. In 2010 and 2011, the agency had 5,408 computer security incidents that resulted in the installation of malicious software and the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7 million. Some of the breaches "may have been sponsored by foreign intelligence services seeking to further their countries' objectives," Martin writes.

One March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of algorithms used to command and control the International Space Station. In one of the most successful attacks, Martin notes, intruders stole user credentials for more than 150 NASA employees, which could have been used to gain unauthorized access to NASA systems.

NASA operates more than 550 information systems that control spacecraft, collect and process scientific data, and enable NASA personnel to collaborate with colleagues around the world, and spends about $58 million annually for IT security.

"Some NASA systems house sensitive information which, if lost or stolen, could result in significant financial loss, adversely affect national security, or significantly impair our Nation's competitive technological advantage," Martin writes.

But even more troubling, he said, skilled attackers “could choose to cause significant disruption to NASA operations, as IT networks are central to all aspects of NASAs operations.”


Hacking back puts security on the offensive

SAN FRANCISCO -- Hacking back is a legal and ethical quandary for legislators, policy makers and the military. While there have been a few high-profile court-approved takedowns of botnets and infiltrations into cybercrime online infrastructures, these are few and far between, and are often met with a fair share of judicial challenges.

Apparently, though, it doesn't have to be that way. Two penetration testers speaking at RSA Conference 2012 Thursday offered some technical solutions that companies can use to frustrate attackers attempting to penetrate systems, gather information about the attacks, and softly hack back.

"The best defense is to have a good offense. We thought, what if we could take offensive measures that we've been using successfully in pen tests and employ them defensively," said Paul Asadoorian, product evangelist with Tenable Network Systems and host of the popular PaulDotCom podcast. "Hacking back is bad, but we want to flip hacking back on its head."

Asadoorian and co-presenter John Strand, both of whom are instructors with the SANS Institute, advised that even this type of hacking back cannot be a one-off project.

"Discuss this within your organizations, and not just in the basement of the IT department," Strand said. "Discuss it openly, and document it, and plan it out. And finally, don't be evil. Once you get access to an attacker's system, don't look at files or take down their Web history. This can get you in trouble."

The pair suggested seeding sensitive webpages or VPN and other network entry points with warning pages that explain that, in order to connect to the network in question, visitors would be subject to NAC-like security checks. The warnings should spell out to anyone logging in that everything from machine information to IP and MAC address location data would be collected.

"It's illegal to set up lethal traps," Strand said. "But you should warn them of the [security] checks."

Asadoorian said of the three components to their hack back strategy -- annoyance, attribution and attack -- annoyance is meant merely to stress out and frustrate an attacker. Using tools such as honeyports, SpiderTrap and WebLabyrinth, security pros can send attackers into endless scanning loops of false ports, services and directories.

"Attacks often don't start until Web spider crawls are done looking for particular directories and pages," Asadoorian said. "These crawls never finish."

There are also tools that network admins can use for attack attribution. Word Web-Bugs, for example, takes advantage of Microsoft Word's built-in browsing capabilities, where an iFrame can be embedded in Word metadata that calls back to you once a sensitive document is downloaded. Another tool is the Metasploit Decloaking Engine found in the Metasploit framework, which unmasks the real IP address behind an attack.

As for attacking another system, Asadoorian and Strand were careful to stress that using techniques such as a Java Applet Attack are meant to extend your annoyance and attribution capabilities -- thus the reason for the extensive warning banners. The two demonstrated a Java payload attack found in Metasploit that enabled them to get geolocation data about an attacker.

"We got a shell, but we don't want persistent long-term access," Strand said. "We are just getting longitude and latitude information."
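As an added example (not the SpiderTrap or WebLabyrinth code the presenters showed), a minimal Python WSGI handler of the same "annoyance" kind: every page under a hypothetical decoy prefix links only to more decoy pages, carries the warning banner the pair recommended, and the decoy tree is disallowed in robots.txt so only crawlers that ignore it get trapped. The prefix, link count and banner text are assumptions.

```python
"""WebLabyrinth-style decoy tree (added example, not the presenters' tooling).

A spider that ignores robots.txt and the warning banner crawls forever under
DECOY_PREFIX while each hit is logged; legitimate users never link there.
"""
import hashlib
import html
from wsgiref.simple_server import make_server

DECOY_PREFIX = "/admin-backup"   # hypothetical: a path no real user should visit
LINKS_PER_PAGE = 8               # assumption: children generated per decoy page
BANNER = ("WARNING: this site performs security checks on connecting clients; "
          "client address, user agent and request data are recorded.")


def decoy_names(path: str, count: int = LINKS_PER_PAGE) -> list[str]:
    """Deterministic child names for `path`, derived from a hash so revisiting
    the same URL yields the same page and the tree looks like a real site."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{path}#{i}".encode()).hexdigest()
        names.append(digest[:10])
    return names


def labyrinth_page(path: str) -> str:
    """Render one decoy HTML page whose links all lead deeper into the tree."""
    base = html.escape(path.rstrip("/"))
    items = "".join(f'<li><a href="{base}/{n}/">{n}</a></li>'
                    for n in decoy_names(path))
    return (f"<html><body><p>{html.escape(BANNER)}</p>"
            f"<ul>{items}</ul></body></html>")


def robots_txt() -> str:
    """Keep well-behaved search engines out; only crawlers ignoring this are trapped."""
    return f"User-agent: *\nDisallow: {DECOY_PREFIX}/\n"


def app(environ, start_response):
    """WSGI entry point: robots.txt, the decoy tree, 404 for everything else."""
    path = environ.get("PATH_INFO", "/")
    if path == "/robots.txt":
        body, ctype = robots_txt(), "text/plain"
    elif path.startswith(DECOY_PREFIX):
        # Attribution data the banner announces: record it, do not act on it.
        print(f"labyrinth hit from {environ.get('REMOTE_ADDR')} "
              f"ua={environ.get('HTTP_USER_AGENT')} path={path}")
        body, ctype = labyrinth_page(path), "text/html"
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", ctype)])
    return [body.encode()]


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, app).serve_forever()
```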

Follow @Mike_Mimoso

View all of our RSA 2012 Conference coverage.


Tiny Antennas Don't Prevent Copyright Suit

An array of mini-antennas that power Aereo. Photo: Aereo

Fox Television, PBS and Univision Television and others Thursday asked a federal judge to halt an impending subscription service that enables the streaming of broadcast television to any internet-enabled device.

The suit targets Aereo, a $12 monthly subscription service set to debut in New York on March 14. The suit claims that the upstart, backed by media mogul Barry Diller, has failed to acquire licenses from the networks.

Aereo is to deliver broadcasts from NBC, ABC, CBS, PBS, Fox and others — broadcasts it acquires over the air with multiple tiny antennas placed at its New York headquarters.

Think of it as turning your tablet, smartphone or PC into a television set.

What’s more, each customer is hooked to a personal antenna housed at Aereo’s headquarters, a service the broadcasters called “technological gimmickry.”

“Aereo has not licensed this television programming from those who own it. Nor has it sought or received consent from the television signal owners,” the New York federal lawsuit said.

It’s hard not to liken the legality of the service to Zediva.

Zediva’s offering was quite simple: $2 for a digital movie rental that lasts for two full weeks. It didn’t strike any deals with studios and didn’t plan on doing so. Zediva thought it could circumvent the need to be licensed by literally renting customers a remote DVD and a DVD player, while a customer’s computer, tablet or Google TV acted as the controller.

The Motion Picture Association of America sued the company out of existence, and it shuttered in October.

The broadcasters added that “no amount of technological gimmickry by Aereo — or claims that it is simply providing a set of sophisticated ‘rabbit ears’ — changes the fundamental principle of copyright law that those who wish to retransmit plaintiffs’ broadcasts may do so only with plaintiffs’ authority.”

When Aereo unveiled the service two weeks ago, its founder and CEO Chet Kanojia said he was on solid ground because each customer is linked to a personal antenna — even if it’s not theirs physically.

It’s a model, he said, “consistent with over-the-air broadcasting.”

He said the monthly fee “supports the infrastructure and power and bandwidth, not licensing.”

No hearing date has been set.

Hat tip: PaidContent


FBI Director Mueller: For U.S., cybersecurity threats will surpass terrorism

SAN FRANCISCO -- FBI Director Robert Mueller envisions a day soon when cybersecurity threats will surpass terrorism as the top threat to the United States, and in turn will become the bureau's top priority.

"We're going to take our lessons learned from terrorism and apply them to cyber," Mueller said during a Thursday keynote at RSA Conference 2012. "Our agents specializing in cyber will have the highest skill sets."

Mueller referenced the work of the National Cyber Investigative Task Force and recent successes it has had in shutting down the CoreFlood botnet, responsible for $100M in fraud, and Operation GhostClick, which took down a $14M click fraud operation. He said the task force will soon have more resources and capabilities, including a structure where its agents will work in a virtual environment to counter the latest threats to financial institutions, manufacturers and the defense industrial base.

"The end result of these developments is that we are losing data, losing money, ideas and innovation. And as citizens, we're increasingly vulnerable to losing our personal information," Mueller said. "We must find a way to stop the bleeding."

Mueller, who was U.S. Attorney for the Northern District of California from 1998-2001, has seen cybercrime evolve from the denial-of-service (DoS) attacks perpetrated by Mafiaboy in 2000 to the rampant loss of payment data and intellectual property today.

"When we caught Mafiaboy, the 15-year-old was at a sleepover, eating junk food and watching Goodfellas. Those seem like the good ol' days," Mueller said. "Today terrorists use the Internet as a recruiting tool, a money maker and a town square. We've also seen the rise of hacktivists, organized crime syndicates, hostile nation states and mercenaries willing to hack for the right price. It's imperative we work together to protect our intellectual property, critical infrastructure and economy."

Mueller repeated a familiar refrain from his previous talks at RSA (he was last here in 2010), calling for improved information sharing between the public and private sector.

"Real-time information sharing is essential and it must be shared with the private sector. You must have the means and motivation to work with us," he said. "The need for a collective approach, true collaboration and timely information sharing has never been more pressing."

The bureau is embedded worldwide; Mueller said there are 63 legal attaché offices globally sharing information and coordinating investigations into cybersecurity threats such as Operation Ghost Click, which was executed in Estonia, as well as New York and Chicago. And China continues to be a spectre against U.S. interests; the Chinese are habitually implicated in espionage (.pdf) schemes carried out online, such as those against RSA SecurID and the Operation Aurora attacks.

"Hostile foreign nations seek our intellectual property and trade secrets for military and competitive advantage," Mueller said. "State-sponsored hackers are patient, calculating and have the time, money and resources to burrow in and wait."

Mueller said systems must be designed with some offensive capabilities, which would include the ability to trace attacks.

"We cannot minimize vulnerabilities and deal with the consequences," he said. "Systems have to be designed to catch threat actors, not just withstand them."

Follow @Mike_Mimoso

View all of our RSA 2012 Conference coverage.


More than hype: Security big data helps bank to boost security program

SAN FRANCISCO -- Like other organizations, Zions Bancorporation was dealing with increased cyberthreats and had reached security appliance fatigue. With every new threat, a vendor would pop up with a new appliance.

The bank had a ton of security data, including Windows and IDS logs, but had difficulty leveraging it for security analytics. Two security information and event management (SIEM) systems helped with log analysis, but Zions reached the limits with existing technology in search of its goal of enabling a data-driven security strategy.

For the Salt Lake City-based bank holding company, the solution was found by leveraging one of the hottest concepts in information security: big data. More specifically, it harnessed information from its disparate security data sources by developing a Hadoop-based security data warehouse.

"Big data is not entirely hype. We think it's a game changer for the industry," Preston Wood, chief security officer at Zions, said Thursday in a presentation at RSA Conference 2012.

Wood said the strategy for making use of security big data enables the company to mine data across the entire enterprise to speed up forensics investigations and improve fraud detection, as well as overall security.

The warehouse allowed Zions to gather data that was spread across multiple locations, and to keep a couple of years' worth of data, which is better for security modeling, said Michael Fowkes, director of fraud management. The warehouse stores more than 120 different types of data, including transactions, logs, fraud alerts, server logs, firewall logs and IDS logs. After two years of collecting data, it currently stores 120 terabytes.

Zions uses a layer of analytics tools, both commercial and custom, and analysts to mine data. "To derive value from data," Fowkes said, "we obviously need people who can dig into the data."

Aaron Caldero, data scientist at Zions, said his position represents an emerging field that involves applying statistical methodologies to filter and mine data. He described the process as a different way of looking at data security that enables proactive instead of reactive security.

"Being a data detective, I feel like Sherlock Holmes," he said.

Fowkes said the biggest benefit with the big data strategy for forensics has been speed. In the past, incident response involved a time-consuming process of examining voluminous log files. "Having that in Hadoop is like having distributed grep," he said.

Kelly White, director of information security at Zions, said the big data strategy has helped the company to improve threat modeling. For example, the security analyst team had already identified signs of a spear phishing attack, but combining that data with the statistical methodologies boosts the bank's ability to identify potential attacks.

Account takeover fueled by malware is a major security problem for financial firms, Fowkes said, but the intelligence provided via its big data strategy helps Zions to quickly act on intelligence it receives from various sources on malware threats and counter them.

In the future, Wood said, the bank would like to leverage analytics and intelligence for automatic response.

While implementing a similar system may seem daunting to some organizations, Wood told attendees that many of them likely have pockets of the skills needed for data-driven security analytics. Instead of relying on security products and the reports they produce, he advised security teams to "take a closer look at your data and gain that intelligence yourself."

"A big data security strategy isn't a product you can buy," Wood said. He said organizations can start small and leverage the tools they have, and can investigate business intelligence or open source tools.

"View big data as a journey instead of a destination," he said.

Follow @marciasavage

View all of our RSA 2012 Conference coverage.


DHS, Not NSA, Should Lead Cybersecurity, Pentagon Official Says

NSA headquarters in Fort Meade, Maryland. Photo: Courtesy NSA

In the midst of an ongoing turf battle over how big a role the National Security Agency should play in securing the nation's critical infrastructure, a Defense Department official asserted on Wednesday that the military's controversial intelligence agency should take a backseat to the Department of Homeland Security in this regard.

"Obviously, there are amazing resources at NSA, a lot of magic that goes on there," said Eric Rosenbach, deputy assistant secretary of Defense for Cyber Policy in the Department of Defense. "But it's almost certainly not the right approach for the United States of America to have a foreign intelligence focus on domestic networks, doing something that throughout history has been a domestic function."

Rosenbach, who was speaking at the RSA Security conference in San Francisco, was adamant that the DHS, a civilian agency, should take the lead for domestic cybersecurity, with the FBI taking a strong role as the country's domestic law enforcement agency.

"But that doesn't mean that DoD and NSA don't play in the game," he said. "We're more the supporting effort."

Current and former Defense Department officials have been asserting in the last several years that the NSA should have a more leading role, and specifically should be allowed to monitor network traffic to detect and thwart malicious attacks before they occur. In addition to its role in spying on other governments and threats to the U.S., the NSA has responsibility for securing the government’s classified networks, and its defensive skills are highly regarded in the security community.

But the agency's involvement in the government's warrantless wiretapping program following the Sept. 11 terrorist attacks has caused critics to question whether the agency could be trusted to monitor traffic for computer security reasons without at the same time recording and data-mining the contents of communications for intelligence purposes. Recent reports note that the White House has pushed back against the NSA's efforts to gain a more leading role in securing the civilian internet.

The issue is expected to be at the forefront of congressional battles around cybersecurity legislation introduced in the House and Senate, which some Republicans have asserted don't give the NSA a strong enough role in the nation's cybersecurity defense.

Two Senate bills have proposed different approaches to the problem. Two weeks ago Sen. Joe Lieberman (I-Conn.), along with Sen. Susan Collins (R-Maine) and Sen. Jay Rockefeller (D-W.Va.), introduced the Cybersecurity Act of 2012 (.pdf).

The bill gives the Department of Homeland Security regulatory authority over the private companies that control designated critical infrastructure systems — such as telecommunications networks and electric grids — and would require owners and operators of critical infrastructure to meet security standards established by the National Institute of Standards and Technology, the National Security Agency and other designated entities, or face unspecified civil penalties. A second bill introduced on Thursday by Sen. John McCain (R-Arizona) focuses on information sharing to secure systems, rather than regulation.

The government's increasing focus on cybersecurity can be seen in DHS's 2013 budget request, which asks for $769 million for cybersecurity efforts, 74 percent higher than 2012's budget request. The Defense Department's budget for security is counted in billions, though the precise amount is classified.

Rosenbach was speaking on a panel at the conference, moderated by Dmitri Alperovitch, co-founder of a newly-launched cybersecurity firm called CrowdStrike. The panel included Adam Segal, senior fellow for counterterrorism and national security studies at the Council on Foreign Relations; Jim Lewis, senior fellow and program director with the Center for Strategic and International Studies, and Martin Libicki, a senior scientist with the RAND Corporation think tank.

The panelists also discussed whether U.S. adversaries actually had the ability to conduct a destructive attack against the nation's critical infrastructure. Despite recent rhetoric from government officials and intelligence agencies that Anonymous, Iran, Al Qaeda and others are bent on destroying U.S. critical infrastructure in a cyberattack, they lack the capability to do so, the panelists said.

"There are not that many good hackers out there among the jihadists," Libicki said. He noted that "it's one thing to hack into a system and do damage to it, it's another to hack into a system and get everything to go off at exactly the right time [to cause real destruction]. That requires a degree of command and control . . . a degree of being able to hide a lot of things for a certain length of time that is really very difficult."

And others who do have the capability to successfully attack critical infrastructure, such as China and other nation states, lack the intent to do so, since they recognize that they are equally susceptible to such attacks.

Lewis said a Chinese military officer, in speaking about cybersecurity, once told him, "Look, America has big stones in its hand but it also has plate glass windows. China has stones in its hand, but we also have plate glass windows." "They have an understanding there are shared vulnerabilities," he said.

He added, however, that this doesn't mean China and other countries that are capable of such attacks aren't already routinely doing the necessary reconnaissance to be ready to conduct such attacks.

"Everybody is ready to do what they need to do," he said. "We don't want to make the mistake of underestimating our opponents, in particular the high-end opponents. . . . They're doing the reconnaissance and they have capabilities."

The panelists also addressed the issue of economic espionage and the leading role that China appears to be playing in hacking U.S. company systems to steal trade secrets.

"The Chinese are inside virtually every major company here in the U.S. and in other western countries," Alperovitch said. "They're stealing everything we've got, and literally vacuuming it off."

Segal saw three reasons the Chinese might eventually taper off this activity, though he wasn't convinced they would actually do so.

As the Chinese economy modernizes and becomes more dependent on IT, and the People's Liberation Army becomes more net-centric like the U.S. military, he said, the Chinese would become more vulnerable to the same types of attack and would therefore re-calculate the usefulness of conducting such attacks against others.

He also thought espionage might decrease because of its threat to important bilateral relations with the United States and the European Union, who are becoming more vocal in their condemnation of China over the attacks.

And finally, he pointed out, the Chinese don't like being positioned as pariahs, outside the globally accepted norms. He noted that China's stance on nuclear proliferation has improved since the 1980s, due in part to outside pressure to conform with the positions of other nations.

Rosenbach noted that the U.S. had taken unprecedented steps in recent months by publicly condemning China for espionage, referring to an unclassified report released several months ago that explicitly named China among nation states that were perpetrating economic espionage against the United States. "As funny as it sounds, that's a big step forward for the United States government," he said.

But he noted that there are major constraints when dealing with the espionage threat from China. "They have a lot of economic leverage against the United States, and that's something we have to think very seriously about, weighing all of our national interests."

Alperovitch said that while the U.S. has an explicit policy against economic espionage, many of our allies are doing the same thing China is doing. He wondered if it wasn't hypocritical to complain about China when our allies were also committing economic espionage.

Rosenbach insisted it wasn't hypocritical of the U.S., but didn't elaborate other than to say that he didn't know how economic espionage would work in the U.S. should the U.S. decide to engage in it.

"Can you imagine the horde of lawyers that would descend on D.C. to try to pick which companies were going to get the R&D we had stolen from the Chinese?"


FBI boss warns online threats will outpace terrorism

RSA 2012 -- The head of the FBI warns that the threat to the US from online attacks will shortly become greater than that posed by terrorists.

"In the not too distant future we anticipate that the cyber threat will pose the number one threat to our country," the FBI's director Robert Mueller told delegates at the RSA 2012 conference in San Francisco. "We need to take lessons learned from terrorism and apply them to cybercrime."

He quoted the Roman Stoic philosopher Seneca the Younger, who said that the more connected a society becomes (in Seneca's day it was the spread of roads), the more likely it is that an individual would become a slave to that connectivity.

The same is true of modern society, Mueller said. If the electronic systems on which society relies are removed, the result would be chaos and anarchy, he suggested. Interestingly, this goes against the advice of security guru Bruce Schneier, who pointed out that the purpose of terrorism is to terrorize, and if his phone doesn't work he'd be annoyed, but hardly terrified.

As a society we can't turn back the clock, Mueller said, nor should we try to. Instead, we need to share information and tactics to beat any enemies in the future. To that end, the FBI will make changes to its own force, and push for more changes to business practices from government.

All FBI special agents are now being trained in electronic methods, he said, and those who specialize in the area will get the best possible training. The agency is setting up virtual meeting rooms in which investigators can compare notes and follow up on cases.

In addition, Mueller wants a national breach law, so that when a serious hack takes place, the company hit has a responsibility to let law enforcement know. Currently, 47 states have breach laws of some sort, but the FBI wants this to be standardized across the country. Companies need to share their data on attacks and devise strategy together with law enforcement.



DHS, Not NSA, Should Lead Cybersecurity, Pentagon Official Says

NSA headquarters in Fort Meade, Maryland. Photo: Courtesy NSA

In the midst of an ongoing turf battle over how big a role the National Security Agency should play in securing the nations critical infrastructure, a Defense Department official asserted on Wednesday that the militarys controversial intelligence agency should take a backseat to the Department of Homeland Security in this regard.

Obviously, there are amazing resources at NSA, a lot of magic that goes on there, said Eric Rosenbach, deputy assistant secretary of Defense for Cyber Policy in the Department of Defense. But its almost certainly not the right approach for the United States of America to have a foreign intelligence focus on domestic networks, doing something that throughout history has been a domestic function.

Rosenbach, who was speaking at the RSA Security conference in San Francisco, was adamant that the DHS, a civilian agency, should take the lead for domestic cybersecurity, with the FBI taking a strong role as the countrys domestic law enforcement agency.

But that doesnt mean that DoD and NSA dont play in the game, he said. Were more the supporting effort.

Current and former Defense Department officials have been asserting in the last several years that the NSA should have a more leading role, and specifically should be allowed to monitor network traffic to detect and thwart malicious attacks before they occur. In addition to its role in spying on other governments and threats to the U.S., the NSA has responsibility for securing the government’s classified networks, and its defensive skills are highly regarded in the security community.

But the agencys involvement in the governments warrantless wiretapping program following the Sept. 11 terrorist attacks has caused critics to question whether the agency could be trusted to monitor traffic for computer security reasons without at the same time recording and data-mining the contents of communications for intelligence purposes. Recent reports note that the White House has pushed back against the NSA’s efforts to gain a more leading role in securing the civilian internet.

The issue is expected to be at the forefront of congressional battles around cybersecurity legislation introduced in the House and Senate, which some Republicans have asserted dont give the NSA a strong enough role in the nations cybersecurity defense.

Two Senate bills have proposed different approaches to the problem. Two weeks ago Sen. Joe Lieberman (I-Conn.), along with Sen. Susan Collins (R-Maine) and Sen. Jay Rockefeller (D-W.Va.),introduced the Cybersecurity Act of 2012 (.pdf).

The bill gives the Department of Homeland Security regulatory authority over the private companies that control designated critical infrastructure systems — such as telecommunications networks and electric grids — and would require owners and operators of critical infrastructure to meet security standards established by the National Institute of Standards and Technology, the National Security Agency and other designated entities, or face unspecified civil penalties. A second bill introduced on Thursday by Sen. John McCain (R-Arizona) focuses on information sharing to secure systems, rather than regulation.

The government’s increasing focus on cybersecurity can be seen in DHS’s 2013 budget request, which asks for $769 million for cybersecurity efforts – 74 percent higher than 2012′s budget request. The Defense Department’s budget for security is counted in billions, though the precise amount is classified.

Rosenbach was speaking on a panel at the conference, moderated by Dmitri Alperovitch, co-founder of a newly-launched cybersecurity firm called CrowdStrike. The panel included Adam Segal, senior fellow for counterterrorism and national security studies at the Council on Foreign Relations; Jim Lewis, senior fellow and program director with the Center for Strategic and International Studies, and Martin Libicki, a senior scientist with the RAND Corporation think tank.

The panelists also discussed whether U.S. adversaries actually had the ability to conduct a destructive attack against the nations critical infrastructure. Despite recent rhetoric from government officials and intelligence agencies that Anonymous, Iran, Al Qaeda and others are bent on destroying U.S. critical infrastructure in a cyberattack, they lack the capability to do so, the panelists said.

There are not that many good hackers out there among the jihadists, Libicki said. He noted that Its one thing to hack into a system and do damage to it, its another to hack into a system and get everything to go off at exactly the right time [to cause real destruction]. That requires a degree of command and control . . . a degree of being able to hide a lot of things for a certain length of time that is really very difficult.

And others who do have the capability to successfully attack critical infrastructure, such as China and other nation states, lack the intent to do so, since they recognize that they are equally susceptible to such attacks.

Lewis said a Chinese military officer, in speaking about cybersecurity, once told him, "Look, America has big stones in its hand but it also has plate glass windows. China has stones in its hand, but we also have plate glass windows." "They have an understanding there are shared vulnerabilities," he said.

He added, however, that this doesn't mean China and other countries that are capable of such attacks aren't already routinely doing the necessary reconnaissance to be ready to conduct such attacks.

"Everybody is ready to do what they need to do," he said. "We don't want to make the mistake of underestimating our opponents, in particular the high-end opponents. . . . They're doing the reconnaissance and they have capabilities."

The panelists also addressed the issue of economic espionage and the leading role that China appears to be playing in hacking U.S. company systems to steal trade secrets.

"The Chinese are inside virtually every major company here in the U.S. and in other western countries," Alperovitch said. "They're stealing everything we've got, and literally vacuuming it off."

Segal saw three reasons the Chinese might eventually taper off this activity, though he wasn't convinced they would actually do so.

As the Chinese economy modernizes and becomes more dependent on IT, and the People's Liberation Army becomes more net-centric like the U.S. military, he said, the Chinese will become more vulnerable to the same types of attack and will therefore recalculate the usefulness of conducting such attacks against others.

He also thought espionage might decrease because of its threat to important bilateral relations with the United States and the European Union, which are becoming more vocal in their condemnation of China over the attacks.

And finally, he pointed out, the Chinese don't like being positioned as pariahs, outside the globally accepted norms. He noted that China's stance on nuclear proliferation has improved since the 1980s, due in part to outside pressure to conform with the positions of other nations.

Rosenbach noted that the U.S. had taken unprecedented steps in recent months by publicly condemning China for espionage, referring to an unclassified report released several months ago that explicitly named China among nation states that were perpetrating economic espionage against the United States. "As funny as it sounds, that's a big step forward for the United States government," he said.

But he noted that there are major constraints when dealing with the espionage threat from China. "They have a lot of economic leverage against the United States, and that's something we have to think very seriously about, weighing all of our national interests."

Alperovitch said that while the U.S. has an explicit policy against economic espionage, many of our allies are doing the same thing China is doing. He wondered if it wasnt hypocritical to complain about China when our allies were also committing economic espionage.

Rosenbach insisted it wasn't hypocritical of the U.S., but didn't elaborate other than to say that he didn't know how economic espionage would work in the U.S. should the U.S. decide to engage in it.

"Can you imagine the horde of lawyers that would descend on D.C. to try to pick which companies were going to get the R&D we had stolen from the Chinese?"


Election hacked, drunken robot elected to school board

RSA 2012 Security experts have warned that electronic voting systems are decades away from being secure, and to prove it a team from the University of Michigan successfully got the foul-mouthed, drunken Futurama robot Bender elected to head of a school board.

In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election.

"It was too good an opportunity to pass up," explained Professor Alex Halderman from the University of Michigan. "How often do you get the chance to hack a government network without the possibility of going to jail?"

With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn't spot them. The team also managed to guess the login details for the terminal server used by the voting system. This wasn't exactly difficult, since the user name and password were both "admin".
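The bug class at the heart of that first step, as an added example that is not code from the DC system or from Halderman's team: a Ruby model of an upload handler that splices the uploaded ballot's filename into a shell command line. The real application wrapped a command-line encryption step this way; here `cp` stands in for the encryption tool so the script runs anywhere, and the directory layout, the `SAFE_NAME` allowlist and the `process_ballot_*` functions are assumptions of the example. The unsafe variant lets a constructed filename containing `$(...)` run an attacker's command while the copy itself still succeeds, which is why such a bug draws no attention; the hardened variant rejects anything outside a strict allowlist and runs the command in argv form, which never involves a shell.

```ruby
require 'tmpdir'
require 'fileutils'

# Strict allowlist for uploaded ballot names: letters, digits, '_' and '-',
# then a fixed '.pdf' extension. Anything else is rejected before use.
SAFE_NAME = /\A[A-Za-z0-9_-]{1,64}\.pdf\z/

# VULNERABLE. Ruby hands a single-string command to /bin/sh when it contains
# shell metacharacters, so '$(...)', backticks and ';' inside the filename
# are executed as shell syntax with the web server's privileges.
def process_ballot_unsafe(dir, upload_name)
  system("cp #{dir}/#{upload_name} #{dir}/encrypted/")
end

# HARDENED. Two independent layers: the name must match the allowlist, and
# the command runs in argv form (separate arguments), which never touches a
# shell, so metacharacters in a filename are just bytes in an argument.
def process_ballot_safe(dir, upload_name)
  unless SAFE_NAME.match?(upload_name)
    raise ArgumentError, "rejected upload name #{upload_name.inspect}"
  end
  src = File.join(dir, upload_name)
  dst = File.join(dir, 'encrypted', upload_name)
  system('cp', src, dst) or raise "copy failed for #{src}"
  dst
end

# Runs both variants against a constructed malicious filename inside a
# throwaway directory and reports what happened. The injected command only
# creates a marker file, standing in for anything an attacker might run.
def demo
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, 'encrypted'))
    File.write(File.join(dir, 'ballot.pdf'), "%PDF-1.4 constructed sample\n")
    marker = File.join(dir, 'pwned')

    # Constructed attacker filename. '$(...)' expands to the empty string, so
    # the copy still succeeds and nothing looks wrong in the application.
    evil = "ballot.pdf $(touch #{marker})"

    process_ballot_unsafe(dir, evil)
    unsafe_ran_attacker_command = File.exist?(marker)
    File.delete(marker) if unsafe_ran_attacker_command

    safe_rejected = begin
      process_ballot_safe(dir, evil)
      false
    rescue ArgumentError
      true
    end

    clean_copy = process_ballot_safe(dir, 'ballot.pdf')

    {
      unsafe_ran_attacker_command: unsafe_ran_attacker_command,
      safe_rejected: safe_rejected,
      safe_ran_attacker_command: File.exist?(marker),
      clean_copy_exists: File.exist?(clean_copy)
    }
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Running the file prints a hash showing that the unsafe path executed the injected command and the hardened path refused the name while still handling a legitimate upload. In a real Rails application the same argv form applies to `system`, `IO.popen` and `Open3.capture3`, and the allowlist belongs at the point the upload is accepted, not only where the command is built.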

Once in, the team searched the government servers for additional vulnerabilities and system options. They found that the cameras installed to watch the voting systems weren't protected, and used them to work out when staff left for the day and so wouldn't spot server activity. More worrying, they also found a PDF file containing the authentication codes for every Washington DC voter in the forthcoming election.

The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman's personal favorite) Bender for head of the DC school board. They also set up systems so that any further ballots would come under their control.

According to the log files the team found, plenty of people were also busy trying to get into the system. They spotted attempts to get in from the Persian University, as well as India and China. Using their inside access, they blocked these attacks. Finally, they inserted the word "owned" onto the final signoff screen of the voting page, and set up the University of Michigan football fight song to play after 15 seconds.

It took two days before the authorities discovered they'd been pwned, and they were only alerted to that fact when another tester told them the system was secure, but that they should lose the music on the sign-off screen, as it was rather annoying. Halderman has now published a full account of the attack.

The attack demonstrates several of the flaws in electronic voting systems, and at numerous sessions at the RSA 2012 conference in San Francisco, experts have consistently warned against the dangers of this technology. In the US, 33 states have introduced some kind of electronic voting system, and none of them are secure enough to resist a determined attacker, said Dr. David Jefferson from Lawrence Livermore National Labs.

"The states are in the habit of certifying voting systems, typically without testing them or seeing the source code," he said. "In many cases the voting system uses proprietary code that government can't legally check, and the running of the systems is outsourced to the vendors. This situation is getting worse."

E-voting was a national security issue, he said. Financial attacks by hackers are relatively easy to detect because at some point money has to leave the system. But if an election is hacked then we may never know, because it's a one-time action that typically isn't checked after the results have been announced and officials elected.

It will be decades before we have the technology to vote securely, Jefferson said, if indeed it is even possible. At stake is democracy itself, but politicians don't seem to understand the problems of electronic voting, and both Jefferson and Halderman expressed fears for the future if current systems become more popular.

Can SMBs sue their bank and recover losses from a hacked bank account?

SAN FRANCISCO -- When attackers hack into a business bank account and empty the account of millions of dollars, can the business sue its bank and successfully win reimbursement? Two courts in the U.S. decided such cases differently, ruling in favor of the business in one case and in favor of the bank in the other. According to a panel consisting of two attorneys, a judge and a bank representative at RSA Conference 2012 this week, the two different decisions reflect the current state of court rulings when businesses sue their banks for money lost from a hacked bank account.

Court finds multifactor authentication sufficient

In the case of Patco Construction Co. Inc. versus People's United Bank, hackers employed the Zeus Trojan to capture answers to Patco's bank account security challenge questions, and then used that information to log in to Patco's bank account and transfer more than a half million dollars to the hackers' accounts in Eastern Europe. Patco sued People's United Bank, but the U.S. District Court in Maine ruled in favor of the bank. The court found the bank had exercised commercially reasonable security practices, noting the bank's use of two-factor authentication.

People's United Bank relied on a software-based device ID cookie -- a cookie the hackers had captured and used to carry out their attack. Patco argued the bank should have used a physical token, but this argument did not sway the court. "The court requires banks to offer reasonable security, not the best security," said Hoyt Kesterson, senior security architect for Scottsdale, Ariz.-based Terra Verde Services.

Court looks for good faith by the bank

In the case of Experi-Metal Inc. versus Comerica Bank, the U.S. District Court for the Eastern District of Michigan also looked for commercially reasonable security by the bank in determining if the bank was liable for stolen funds. Yet in this case, the court went a step further to determine if the bank had acted in good faith when processing transactions that transferred millions of dollars from Experi-Metal's account to a number of newly opened accounts in one weekend. The court ruled the bank had not acted in good faith and Experi-Metal was able to recover most of the lost funds from Comerica.

According to panelist John Facciola, U.S. Magistrate Judge for the U.S. District Court for the District of Columbia, the definition of good faith in cases of this type is still unclear and may be a subjective observation made by the court.

Advice for SMB security pros

With these two different court decisions, how can security pros plan to protect their business' financial assets? The panelists in the RSA Conference session, entitled "Whose fault is it? I didn't know it wasn't you," offered some advice for small- and medium-size businesses that may not have enough security resources to oversee all aspects of their bank's security processes.

Business owners are required to sign a contract with the bank when they open a commercial account, and according to Kesterson, this is the first opportunity for security pros to get involved in protecting their business. He advised security pros to add alerting requirements to the bank's standard contract.

"Set up a plan where the bank alerts you whenever it receives a request to process a transaction of a certain level or type," Kesterson said. "And don't rely on text alerts, which can themselves be intercepted. Have the bank pick up the phone and call you, even if it delays the transaction."

David Navetta, founding partner of New York-based Info Law Group, concurred. He explained that banks are generally willing to accept such modifications to their standard contract because of the competitive nature of the banking industry.

Navetta also emphasized the importance of security education for employees, noting that the attack on Experi-Metal's account got its start from a phishing email. "Be aware of your own security because that's where most of these cases start," Navetta said.

Ken Baylor, vice president of antifraud for Wells Fargo Bank, reminded fellow panelists that banks are doing their best to maintain account security, but they are dependent on the security products they deploy. "Small banks rely on vendor claims as the basis for their contracts," Baylor said.

The two cases discussed by the panel were decided by their respective courts in 2011, and security pros and attorneys are currently examining the cases as likely indicators of future court decisions.

Judge Facciola concluded the RSA panel session on a promising note for security teams. "The courts are coalescing upon a particular point of view," Facciola said. "The trend may very well point in favor of liability of the banks."


Copycat apps, runaway coding a growing threat, RSA panel says

SAN FRANCISCO -- A panel of mobile security experts painted a bleak picture of the state of mobile application security, warning IT security professionals that the potential exists for the emergence of weaponized mobile apps on Google Android and Apple iOS devices.

Dozens of copycat apps, designed to mimic popular games, can give application developers access to a growing pool of victims, according to the panel of experts discussing mobile application security issues Wednesday at RSA Conference 2012. Currently, adware and spyware is a problem, where applications collect as much personally identifiable information as they can with the goal of selling the information to a third party, said Elias Manousos, CEO of RiskIQ, a company that provides code analysis for Android and Apple application marketplaces.

"Some of these apps don't even work; this is relevant because there are literally hundreds or even thousands of apps that do nothing," Manousos said. "The running theory here is that they are there to drive traffic."

Manousos said a cybercriminal who has hundreds of applications in an app store may not currently have a working exploit, but at some point they could theoretically put in an iframe and launch a pop-up inside an app with malicious intentions. Apps installed on thousands of devices could give an attacker the foothold they need to turn them into a malware delivery mechanism, he said.

In response, engineers behind the popular app stores are beginning to monitor submitted apps in a sandbox environment.

Ward Spangenberg, director of security operations at San Francisco-based Zynga Inc., a company known for developing popular gaming apps including Words With Friends and FarmVille, has a team that is dedicated to weeding out copycat apps and getting them shut down as fast as possible. The team conducts its own code analysis on copycat apps and has found some coded to steal credentials or simply designed to harvest as much user data as possible.

"As consumers we are going to have to pressure these brands into giving some protection," Spangenberg said. "At some point the application developers are going to have to follow some sort of code ethics and responsibilities... We are all shifting some of the blame around but there are responsibilities for everybody with regards to these devices."

The panelists said the threats posed by rogue mobile applications extend to the enterprise. Some firms are already taking a cautious approach to protecting Android and Apple devices. Microsoft deliberately locks out mobile devices from obtaining sensitive corporate data, said Mike Convertino, director of network security at Microsoft. Convertino said his team constantly monitors for network anomalies and ensures that mobile devices can't cache sensitive information from corporate servers. "We are really strict," he said. "The screens are small and some of this data doesn't really present itself well on the phone anyway."

Convertino said malicious applications are evolving from being junkware that collects personal data to creating a botnet out of infected devices in certain countries. The bots can be used by cybercriminals to conduct DDoS attacks at will, he said. Microsoft is taking steps to bolster its new app store with protection by incorporating both static and dynamic code analysis, he said. In addition, developers will be required to run a malware scanning program and include the outcome of that scan with the application submission, he said.

Even more cautious is Zynga, Spangenberg said, which has to not only monitor devices for malicious activities, but also track the devices so sensitive gaming development data doesn't fall into the wrong hands. The company uses its own internal application store and has developed its own custom app to track devices and ensure they are meeting security policies. Spangenberg said he is considering using radio frequency identification technology to keep some of the most sensitive devices from leaving certain areas within the company.

"We all have the ability to put in controls and address this issue," he said. "This isn't our first rodeo so you should just think about the new environment."


Tick-like banking Trojan drills into Firefox, sucks out info

A new banking Trojan is spreading in the UK and the Netherlands, Symantec warns.

Neloweg operates much like its more famous cybercrime toolkit predecessor ZeuS, but with a couple of subtle twists.

"Like Zeus, Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, Neloweg stores this on a malicious webserver," Symantec analyst Fred Gutierrez explains.

The malware is designed to snatch online login credentials, primarily (but not exclusively) those for online banking sites. It infects machines by tricking Microsoft Windows users into installing it via a drive-by-download, spam or targeted email, or with the help of other malware.

Neloweg also targets browsers that utilise the Trident (Internet Explorer), Gecko (Firefox) and WebKit (Chrome/Safari) browser engines. In the case of Firefox, the Trojan buries itself, becoming an integral component of the browser on infected machines rather than a simple extension, a development that makes Neloweg more stealthy than previous strains of banking malware.

"In the past we have seen threats create malicious extensions," Gutierrez writes. "All users had to do was disable that particular add-on and they would be safe.

"For Neloweg, this is not the case. Since it is a component, it does not appear as an add-on in Firefox's Add-ons Manager, like other extensions and plugins do. Furthermore, because of the way Firefox is designed, Neloweg will be recreated and reinstalled every time Firefox attempts to connect to the Internet."

Google rolls out privacy policy, snubs Euro outcry

Google has defended its decision to combine around 60 of its privacy policies into one simplified document that makes it clear that users of the company's products and services will be more uniformly tracked by the Chocolate Factory.

The search giant debuted its revised terms of service today, after announcing in late January that it would be tweaking its data-handling policy to cross-pollinate its huge online business with a single ID verification process to more accurately target its users.

Privacy advocates, data protection officials and top lawyers have been hugely critical of the move. Google's privacy policy overhaul even prompted the independent European advisory body on DP, the Article 29 Working Party, which is vice-chaired by the UK's Information Commissioner Christopher Graham, to task French regulator CNIL with investigating Google's actions.

The preliminary response from CNIL, as we reported yesterday, was to confirm that Google's changes to its privacy policy did not meet the requirements of the current European 1995 Data Protection law.

Nevertheless Google has implemented the tweaks and defended the move by saying that halting it at this stage would "confuse" the firm's userbase.

At a seminar hosted by Microsoft-backed Brussels' lobbyist ICOMP in London last night, Graham danced around the question of whether Google was in the wrong.

"We don't know if Google is operating outside of EU law... I'm not going to say it isn't lawful as it's being investigated," he said.

Graham had earlier noted that the company's CEO Larry Page deserved some "credit" after Google sent out "consumer alerts" earlier this year, but further pointed out that Page had failed to answer the question on lawfulness levelled at him by CNIL.

Google's UK policy wonk, Theo Bertram, was the one lonely Choc Factory voice at the ICOMP seminar last night. He asked the speaker, ex-US Federal Trade Commissioner Pamela Jones Harbour, to explain how Google could have better communicated the changes to its users.

Jones Harbour, who sits on the Electronic Privacy Information Center's advisory board, declined to answer, saying she didn't speak for Microsoft, a company to which she currently offers legal representation, although in her previous role at the FTC she fought against Redmond over antitrust behaviour relating to the browser market.

After the event, Bertram told The Register that the former commissioner's argument against Google's data-handling and dominance in search would have been much stronger had she provided a more "balanced view" of the current online landscape.

Jones Harbour, who is a partner at Fulbright & Jaworski LLP, countered in a telephone conversation with this reporter this morning that Microsoft's search engine Bing has just 3 per cent market share in Europe, and added that Google's dominance in the online business deserved scrutiny not only by data protection watchdogs but also from antitrust regulators.

The lawyer cited the Article 29 Working Party's previous discussion with Europe's Directorate General for Competition about Google's 2007 takeover of ad company DoubleClick.

Those talks didn't lead anywhere, however. Jones Harbour reckons that it's now "time for competition officials to take another look".

It's unclear whether the European Commission might yet widen its current investigation of Google's business practices to work out if that behaviour has been anti-competitive in the EU market by also considering how the company collects data from its users, given today's significant terms of service tweak.

For Jones Harbour, competition and privacy in the online world need to be much more closely knitted together by antitrust watchdogs than is currently the case.

"The traditional ways of looking at the market don't apply here when it comes to companies such as Google," she said.

The lawyer added that she had never seen a business behave in the way Google had by declining to halt its privacy tweaks while DPAs scrutinised the move.

She claimed that "Google is arrogantly saying 'make me do it' to regulators".

Meanwhile, Google's Alma Whitten reiterated what the privacy policy revamp meant in a blog post confirming that the company had effectively ignored CNIL's request:

"The new policy doesn't change any existing privacy settings or how any personal information is shared outside of Google. We aren't collecting any new or additional information about users. We won't be selling your personal data. And we will continue to employ industry-leading security to keep your information safe."

ICO slaps Durham Uni for exposing staff, students' privates

Durham University leaked the personal details of 177 staff and students in a training manual that turned out to reveal more than how to take out a library book. The university has just been given a slap on the wrist by the Information Commissioner's Office (ICO) and has promised to reform its data protection policies.

In illustrating the internal workings of its systems, Durham Uni unfortunately revealed personal information about its employees and students and posted screenshots of webpages full of information including names, addresses and dates of birth.

Details that should have been fictionalised or anonymised turned out to be the real details of 177 members of staff and present and past students.

The information was online for five months until July 2011, when Durham officials realised their mistake, took the images down and reported themselves to the ICO.

Durham has now committed to ensuring all staff receive appropriate training on data protection.

Steve Eckersley, Head of Enforcement at the ICO, said: "All documents should be checked for personal information before being made available on a website. This case also highlights the importance of organisations having comprehensive data protection training in place for all staff."

We've asked the university what type of training the manuals were for, and we'll update if we hear back.

Stolen NASA laptop had Space Station control codes

A NASA laptop stolen last year had not been encrypted, despite containing codes used to control and command the International Space Station, the agency's inspector general told a US House committee.

NASA IG Paul Martin said in written testimony (PDF) to the House Committee on Science, Space and Technology that a laptop was stolen in March 2011, which "resulted in the loss of the algorithms used to command and control the ISS".

Martin also admitted that 48 different agency laptops or mobile devices had been lost or stolen between April 2009 and April 2011 (that NASA knows of). The kit contained sensitive data including third-party intellectual property and social security numbers as well as data on NASA's Constellation and Orion programmes.

The actual number of missing machines could be much higher, because the agency relied on staff to 'fess up when their notebooks were lost or stolen and admit what information was on them.

"Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," Martin told the Subcommittee on Investigations and Oversight.

The committee pointed out that it was all very well for Washington to be debating government involvement in private sector cybersecurity issues, but the government might want to remember that its own cybersecurity has had "mixed success".

"Many of the technologies developed and utilised by NASA are just as useful for military purposes as they are for civil space applications. While our nation's defense and intelligence communities guard the front door and prevent network intrusions that could steal or corrupt sensitive information, NASA could essentially become an unlocked back door without persistent vigilance," warned Subcommittee chairman Paul Broun.

As well as facing the continuous disappearance of unencrypted staff laptops, NASA is also subject to increasingly sophisticated cyber attacks, Martin told the hearing.

"In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorised access to its systems," he said.

"These incidents spanned a wide continuum: from individuals testing their skill to break into NASA systems, to well-organised criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries objectives."

He said the intrusions had disrupted mission operations, had resulted in the theft of sensitive data and had cost the agency more than $7m.

Chairman Broun said that since the inspector general's last report on IT security at NASA, the agency had taken steps to follow the IG's recommendations, but said it still needed to do more.

"Despite this progress, the threat to NASA's information security is persistent, and ever changing. Unless NASA is able to constantly adapt, their data, systems, and operations will continue to be endangered," he said.

Feds crack suspect's encrypted drive, avoid Constitution meltdown

Investigators have cracked the encryption key for a laptop drive owned by a Colorado woman accused of real-estate fraud - rendering a judge's controversial order to make her hand over the passphrase or stand in contempt of court irrelevant.

The government seized the Toshiba laptop from Ramona Fricosu back in 2010 and successfully asked the court to compel her to either type the key into the computer or turn over a plain-text version of the data held on her machine.

Her lawyer's argument that compelling her to hand over encryption keys would violate her Fifth Amendment rights against self-incrimination was rejected. Prosecutors offered Fricosu limited immunity in this case without going so far as promising they wouldn't use information on the computer against her.

The Electronic Frontier Foundation filed a brief supporting the defence in the case, arguing that Fricosu was being forced to become a witness against herself. District Judge Robert Blackburn refused to suspend his decision for the time it would take to convene an appeal. The regional 10th U.S. Circuit Court of Appeals refused to review his decision.

Fricosu was left with the stark choice of either coughing up her encryption keys by the end of February or risking a spell behind bars for contempt of court. Philip Dubois, Fricosu's attorney, claimed that his client had forgotten the encryption passphrase.

The closely watched case set the scene for a legal showdown that would test the US Constitution's Fifth Amendment rights in the digital age. However the Feds handed the plain-text contents of the laptop to Dubois on Wednesday. It seems more than likely that the authorities had come across the right passphrase without Fricosu's forced assistance.

"They must have used or found successful one of the passwords the co-defendant provided them," Dubois told Wired.

Fricosu, and her ex-husband co-defendant Scott Whatcott are both accused of mortgage fraud.

The development comes days after a federal appeals court ruled in a separate case that a defendant did not have to hand over keys to decrypt a laptop drive believed to be storing images of child abuse. The ruling by the Atlanta-based US 11th Circuit Court of Appeals in the case of an unnamed Florida suspect upheld the defendant's right to resist forced decryption.

This was the first appellate court to rule on the balance between Fifth Amendment rights against compelled self-incrimination and the public interest in allowing police to potentially unearth evidence in criminal cases involving encrypted computers and storage devices. However, the ruling is not binding in other circuits, especially in the absence of a Supreme Court ruling on the issue.

The US Fifth Amendment holds that no one "shall be compelled in any criminal case to be a witness against himself". The Supreme Court has previously indicated that a criminal suspect can be compelled to turn over a key to a safe possibly containing incriminating evidence, but is not obliged to supply the combination of a safe to investigators.

To get help with secure software development issues, find your own flaws

SAN FRANCISCO When it comes to internal evangelism for secure software development, it helps to point to external examples of companies that have suffered from ignoring security, but highlighting internal software security problems is the best motivator for change.

That was one of the key messages espoused Thursday at RSA Conference 2012 by a panel of software security experts who represent several of the industry's biggest software vendors. Moderated by Brad Arkin, director of product security and privacy at Adobe Systems Inc., the panelists shared best practices for fostering secure software development.

The most powerful way to foster internal support for secure software development is to shine a spotlight on real or potential flaws and examine how the fallout would affect one's own organization, said Gunter Bitz, director of software quality assurance for German software giant SAP AG.

Bitz highlighted two examples from 2005 that helped spawn a greater emphasis on secure software development at SAP.

In one case, a close inspection of SAP software engineers' coding practices revealed that a developer had inserted a shortcut into the code that allowed him to debug his own code more quickly by skipping the security authentication capabilities built into the software.

"And the scary thing was: What happens if Joe Developer forgets to remove that before the product ships?" Bitz asked. "Basically you have a backdoor in the code."
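The debug shortcut Bitz describes, shown beside a version with no bypass path and a regression check that fails whenever a debug toggle lets a wrong password through. This is an added example, not SAP's code; the toggle names, the user store and the salt are constructed for illustration.

```python
"""Added example (not SAP's code): an authentication debug shortcut, the
hardened form, and a check that catches any surviving bypass toggle.
DEBUG_SKIP_AUTH and the other toggle names are constructed here."""
import hashlib
import hmac
import os

# Constructed credential store: username -> salted SHA-256 of the password.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _password_ok(user, password):
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    # compare_digest keeps the comparison constant-time.
    return user in _USERS and hmac.compare_digest(_USERS[user], digest)


def login_with_shortcut(user, password):
    """The 'Joe Developer' pattern: an environment toggle that skips the
    credential check. If it ships, anyone who can set the variable is in."""
    if os.environ.get("DEBUG_SKIP_AUTH") == "1":
        return True
    return _password_ok(user, password)


def login_hardened(user, password):
    """No bypass path at all; debugging uses a seeded test account instead."""
    return _password_ok(user, password)


def bypass_resistant(login_fn):
    """Constructed regression check for a release pipeline: with every known
    debug toggle set, a wrong password must still be rejected. Returns True
    only if no toggle opens a door; the environment is restored afterwards."""
    toggles = ("DEBUG_SKIP_AUTH", "BYPASS_AUTH", "NO_AUTH")
    saved = {t: os.environ.get(t) for t in toggles}
    try:
        for t in toggles:
            os.environ[t] = "1"
        return not login_fn("alice", "wrong password")
    finally:
        for t, value in saved.items():
            if value is None:
                os.environ.pop(t, None)
            else:
                os.environ[t] = value
```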

Bitz said after finding that example, he took it to an SAP board meeting and explained the problem and the implications for the company and its customers if such an issue had ever gone undetected.

"It would send out the message that our company is not able to control our own software development lifecycle. That's a pretty bad message to send out," Bitz said. "The response from the board was straightforward: Make sure things like that don't happen."

In another example, Bitz said an independent security researcher approached SAP with more than a half dozen security vulnerabilities he had found in the vendor's software, which all together would grant someone complete control over a system.

Instead of ignoring the problem, Bitz said SAP invited the researcher to present the issues to the software company's key stakeholders, and negotiated an agreement with the researcher to not reveal the flaws until they had been fixed. Those two instances together, he said, convinced executives to invest more in secure software development.

Steve Lipner, senior director of security engineering strategy within Microsoft's Trustworthy Computing Group, shared a similar experience. Back in 2001, when the Nimda virus was ravaging the Internet and a devastating Universal Plug-and-Play (UPnP) flaw had been discovered in Windows XP, his team had an off-site meeting to strategize ways to evangelize the need for improving secure software development at Microsoft.

Lipner said that's when the idea to halt Windows development for several months was first conceptualized. With several worst-case scenarios already playing out in the public domain, the team began what was essentially an internal marketing effort to change how the software giant built its products.

What made the difference, Lipner said, was pure persistence: Only after many meetings with numerous department heads and executives did the value proposition of secure software development work its way up the chain of command, eventually resulting in the fundamental changes brought about by Microsoft's Trustworthy Computing program.

Gary Phillips, senior director of research and development for security software vendor Symantec Corp., said his company's reasons for initially investing in secure software development some years ago could be boiled down into one word: fear.

Phillips said his malware response team began to see malware exploiting zero-day flaws in its software. While there was no one watershed moment, he said the combination of several such events over a short period of time made it clear that secure software development needed to be a dedicated practice within the organization.

Bitz said the best method for finding secure software development issues to foster support for change will vary from one organization to another. He said some organizations with strong development teams will likely be able to find their own flaws, but in other cases, it's necessary to hire external penetration testers to find weaknesses that can then be leveraged in internal discussions.

Even if it takes a while to find flaws, Bitz said, start with the organization's flagship software, because software security problems there will serve as the most powerful motivator for decision makers.

Attendee Bianca Lee, with the Navy Common Access Card Program Management Office (CAC PMO) at the Naval Air Station in Pensacola, Fla., agreed that looking for secure software issues internally can bring about change, but that shouldn't mean ignoring external examples either.

"Your own disaster isn't the only way," Lee said, adding that there are plenty of powerful external incidents happening all the time. "If I see my neighbor's roof is on fire, maybe I should invest in fire insurance."
