Thursday, 6 May 2010

Security Digest #8

For software designers, developers and testers, April's computer security news was obviously dominated by the SDL 5 release; now we return you to your regular programming, albeit with a slight and curious aura of Sinophobia this month...


My God It's Full Of Eyes

Apparently that's what they call the holes in a Jarlsberg cheese. Hefting a pack* at my local Waitrose last Sunday, I was momentarily distracted by its spongiform... ah, it's sold by weight, that's ok then. Wake up, brain.

Google's new app is similarly riddled with security holes, so they've called that Jarlsberg too. It's the basis of a codelab, a small, cheesy web application that allows its users to publish snippets of text and store assorted files.

The holes in this cheese are security bugs such as cross-site scripting and cross-site request forgery, remote code execution, information disclosure, and DoS. Organised by vulnerability type, the codelab guides you through the techniques used to discover and repair them. Both black- and white-box hacking are involved, so the challenges are also tagged by their level of opacity: some can be solved just by using black-box techniques; others require some specific knowledge of Jarlsberg; still others require access to the Jarlsberg source code itself.

The fun starts here: http://jarlsberg.appspot.com/start
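
Two of the hole types the codelab teaches you to find and fix, stored cross-site scripting and cross-site request forgery, in a toy snippet-publishing handler. This is an added illustration written for this digest, not Jarlsberg's own code; the in-memory store, the session ids and the server secret are all constructed for the example.

```python
import hashlib
import hmac
import html
import secrets

# Constructed in-memory store of published snippets, keyed by user (not Jarlsberg's data model).
SNIPPETS = {}


def render_snippet_vulnerable(text):
    """Builds HTML by pasting the user's text in verbatim: a stored XSS hole."""
    return "<div class='snippet'>" + text + "</div>"


def render_snippet_safe(text):
    """Escape HTML metacharacters on output so a snippet can only ever display as text."""
    return "<div class='snippet'>" + html.escape(text, quote=True) + "</div>"


# CSRF defence: a per-session token derived from a server-side secret. A forged
# cross-site POST carries the victim's cookie but cannot know this token.
SERVER_SECRET = secrets.token_bytes(32)  # constructed; a real app persists this


def csrf_token(session_id):
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def publish_snippet(session_id, user, text, token):
    """Request handler: reject requests without a valid token, then store the raw text.

    The text is stored unmodified and escaped when rendered, so the store holds
    what the user typed and every output path goes through render_snippet_safe.
    """
    if token is None or not hmac.compare_digest(token, csrf_token(session_id)):
        return (403, "missing or invalid CSRF token")
    SNIPPETS.setdefault(user, []).append(text)
    return (200, "ok")


def show_snippets(user):
    """Render every snippet a user has published, escaped."""
    return "".join(render_snippet_safe(t) for t in SNIPPETS.get(user, []))
```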

* Update: turns out it was actually a pack of Leerdammer, sorry. I know you'd immediately want to know that.
Pic: genuine Jarlsberg from The Cheese Store of Beverly Hills.


All Your Base

Anti-spam and anti-hacking software, data backup and recovery systems, smart cards, secure routers, database and network security systems: these are a few of the thirteen categories of computer encryption and other security products whose most intimate inner workings and secrets Beijing wants to know all about. Or else: no billions of dollars in trade for you!

The draconian set of rules - originally postponed from their 2009 implementation schedule, thanks to stern US complaints, and scaled back in scope from all Chinese sales to just government procurement - finally took effect on Saturday 1st May.

Or did they? Some are disputing the rules.

The EU and Washington want Beijing to scrap or once more postpone these demands, pointing out that no other nation imposes such a "protectionist" regime. On Tuesday 27th April the visiting EU trade commissioner Karel De Gucht revealed that he'd raised this issue with Chinese Commerce Minister Chen Deming. The requirement "has no real base in reality," he said. "We cannot see what they see in regard to security, so we are in fact disputing this."

And in an e-mail the following day, U.S. Trade Representative spokeswoman Nkenge L. Harmon called for Beijing to "follow global norms", noting that American officials in last month's meeting "pressed China to address the concerns of foreign governments and industry before implementing the testing and certification rules."

It's certainly not just a matter of "national security". The communist government is of course less than happy to rely on foreign technology to manage its secrets, but Beijing's desire to help Chinese companies catch up with and compete against global rivals is another spur. Beijing itself admits as much: its own statements say the rules are meant to develop Chinese industry. In other words, it is using regulation to support its companies at the expense of foreign rivals.

Chinese Government panels would require disclosure of trade secrets such as encryption codes, and foreign companies are worried about these being leaked to competitors. Many industry researchers see these fears as justified, and further point out that:
  1. Certain countries prohibit security product sales to customers such as banks, once sensitive details such as encryption codes are revealed to Chinese regulators.
  2. Employees of rival Chinese companies are included on the very government panels who would review foreign products.
  3. Beijing's extensive system of Internet filtering and monitoring would also be strengthened by the acquisition of such data, giving their security forces the ability to pry into encrypted messages.
Chilling.


The First Worldwide Cybersecurity Summit

Launched with a lunch tagged The Cybersecurity Awareness Dinner on Monday May 3rd, this Dallas, Texas event organised by The EastWest Institute tried to be the first truly international conference directly and actively addressing international co-operation on contemporary security issues.

The Summit proper occupied Tuesday and Wednesday, and was much smaller than other security conferences. Annual conferences focusing on hackers' demonstrations of their latest research, such as Black Hat and DefCon in Las Vegas, have generally come to expect thousands of attendees. But the EWI event did play host to more than 400 government officials, industry executives and other players from 30 countries, and generally succeeded in its prime stated aim of bringing together leaders of governments, businesses and civil society from around the world to determine new measures to ensure the security of the world’s digital infrastructure.

From its pre-publicity:

Electronic attacks around the world have compromised confidential information, crippled official web sites and have exposed the vulnerability of financial data. They have heightened fears that criminals or terrorists could use cyberspace to paralyze communications infrastructure, international financial systems or critical government services.


Despite the severity of these threats, the international community has not come to agreement on how best to deal with them. EWI’s Worldwide Cybersecurity Summit will work to fill this gap, bringing together leaders from the public and private sectors to reframe cybersecurity concerns and to devise collective strategies to address them.

The mere idea of being able to discuss cybercrime and similar shared threats even informally, by getting the right officials together, is quite a challenging one. Such people are inevitably and understandably suspicious of any organiser's motives, and do not generally have immediate and unrestricted access even to their own counterparts in other countries. So the fact that such a summit can be organised at all, and in the event prove to be comparatively well attended, is in itself a considerable achievement.

Speakers included the White House's cybersecurity coordinator Howard Schmidt (above) and senior officials from Canada, China, the EU, India and Japan; CEOs from AT&T and Dell (the event's top sponsor); and executives from both Microsoft and Huawei Technologies, China's largest telecoms manufacturer.

Presentations were drawn from these categories: Information and Communications Technology, Financial Services, Essential Governmental Services, Energy, Transportation, National Security, and the Media. Matters covered included: dialogue and concern about computer warfare between nations; the potential damage that can be caused by computer attack, particularly in sensitive areas such as online banking; and the possible remote control of power plants or other critical infrastructure.

Highlighted were comparatively recent cases, including last year's revelation of spies hacking the US electric grid and leaving behind malware to let them disrupt service, and the more recent attacks on Google, which compromised its e-mail service and prompted its move out of China.

Reports on Tuesday's proceedings:
Wednesday's business is well summarised by AFP's tagline Cybersecurity meet ends with calls for global cooperation, but also don't miss their China Daily update:


That's all for now. Clean up that mess before you go to bed.
