
Is the next big cyber threat lurking in government systems?

The evolution of IT can take place at revolutionary speed, and when systems don’t keep up with the pace of change they can become vulnerable to serious risks, says retired Lt. Gen. William T. Lord, former Air Force CIO.

“I think that the next Achilles’ heel is legacy software,” Lord said.

A combination of unsupported software, well-known vulnerabilities and new applications that expose old platforms to networks can create unnecessary complexity and open critical systems to threats, he said.

Not every piece of old software is a risk, however. “Some of the things we use in our nuclear command and control are so old, but so reliable and unconnected to anything else, that it probably does not pose a threat,” Lord said. “But our problem is that most of our legacy systems in government are 20 or 30 years old,” and need to be updated.

Fixing this installed problem will require more flexible contracting to let government take advantage of smaller, more nimble contractors. Lord, who now is an IT systems and services consultant, is making legacy software something of a crusade in his post-military career, calling it the greatest obstacle to IT progress in government.

Defining “legacy software” can be difficult. Some would argue that any software in use can be called legacy, because if you’re using it, it’s already old. Most would agree that any software still in use that is not supported by its developer or vendor could be classed as legacy. There is a huge installed base of this. A recent analysis by the Web security company Websense, for example, found that three quarters of government computers are running unsupported versions of Java.

Getting rid of legacy software is even harder than defining it. Wholesale programs can be expensive and often end in failure. The Air Force in 2004 began a program to replace 240 outdated systems in its Expeditionary Combat Support System with an Enterprise Resources Planning system. A contract was awarded to Computer Sciences Corp. in 2006 and terminated six years and $1 billion later. “The effort got stopped,” Lord said.

The problems included “budget doldrums,” which complicates almost any kind of project, and the difficulty of finding a good time for replacing operational systems. This can be particularly difficult with combat support systems when the combat never stops, Lord said. “In my experience in the Air Force, there was no end to the battle.”

The skills needed to update, modernize or replace legacy software can come from non-traditional service providers, he said — smaller software companies that often do not have the resources to compete in the government market. It would help to have major league contractors partner with the minor league companies for government contracts, but there often is little government incentive for this.

Agencies are supposed to make small and minority-owned business contracts, but accounting policies give contracting officers little credit for acquiring services from small companies through a larger contractor, Lord said.

Another problem is a lack of dedicated money for fixing vulnerabilities in old applications. The Air Force sets aside money for hurricane damage, but not for software bugs, so that maintaining old software is difficult. Government needs to realize that vulnerabilities are as inevitable as bad weather, Lord said. “We haven’t caught up with that kind of thinking.”

Posted by William Jackson on Apr 09, 2013 at 9:39 AM, 4 comments



Phone DOS: What's in it for the crooks

The Homeland Security Department has warned emergency communications centers about a recent spate of denial of service attacks against Public Safety Answering Points and other government phone lines in an effort to extort money from them. Although the audacity -- or stupidity -- of targeting government offices for extortion might be new, Telephony DOS (TDOS) has been around for some time.

Back in 2010 the FBI warned of a surge of TDOS incidents that apparently were diversions for more serious crime. “During these TDOS attacks, online trading and other money management accounts are being accessed by the perpetrators who are transferring funds out of those accounts,” the agency warned. While the crooks were accessing the victim’s account to change the profile and allow looting, the legitimate phone number was being blocked to keep the victim from accessing the account and to keep account managers from calling to verify changes being made. One victim in Florida lost $400,000.

The bad guys used multiple voice over IP accounts with automatic dialers to flood the target number. But if you don’t want to go to the trouble of doing this yourself, there are people who will do it for you at reasonable rates.

Research analyst Curt Wilson at Arbor Networks last year reported several hacker ads for TDOS-as-a-service. “We also provide service to flood telephones (both mobile and stationary) from $20 a day,” one ad promised. Another offered the service starting at $5 an hour, up to $40 for an entire day. The service providers can either use their own PBX software or can compromise VOIP or PBX systems to use them as bots in TDOS attacks.

“Default credentials are one of the security weaknesses that the attackers leverage to gain access to the VOIP/PBX systems, so organizations should ensure that their telecommunications systems credentials are strong enough to resist brute force attack, and that the ability to reach the telephone system is limited as much as possible in order to reduce the attack surface and convince the attacker to move on to the next victim,” Wilson warned.

There is no word on whether any of the communications offices targeted in the most recent round of attacks have paid the extortion money. But, as Wilson observed last year, “clearly, there is money to be made in the underground economy or these services would not be advertised.”
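A flood of the kind described above shows up in a phone system's call detail records as a burst of short inbound calls to one number from many distinct caller IDs. The following detection routine is an added example, not code from the post or from Arbor Networks; it assumes a simple comma-separated CDR format (timestamp, caller, callee, duration in seconds) and uses constructed sample data with a placeholder PSAP number.

```python
"""Flag telephony denial-of-service (TDoS) call floods in call detail records.

Heuristic: a one-minute bucket with many inbound calls to one number, spread
across many distinct callers, with very short average duration. Thresholds
are assumptions to tune per site; a genuine emergency also produces a surge,
so an alert is a trigger for review, not proof of an attack.
"""
from collections import defaultdict
from datetime import datetime

TARGET = "+15559110000"  # placeholder for a PSAP/agency line (constructed)


def parse_cdr(text):
    """Parse lines of 'ISO-timestamp,caller,callee,seconds' into tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, caller, callee, secs = line.split(",")
        records.append((datetime.fromisoformat(ts), caller, callee, int(secs)))
    return records


def detect_flood(records, callee, min_calls=20, min_callers=10, max_avg_secs=10):
    """Return (minute_start, calls, distinct_callers, avg_secs) for each flagged minute."""
    buckets = defaultdict(list)
    for ts, caller, dst, secs in records:
        if dst == callee:
            buckets[ts.replace(second=0, microsecond=0)].append((caller, secs))
    alerts = []
    for start in sorted(buckets):
        calls = buckets[start]
        distinct = len({c for c, _ in calls})
        avg = sum(s for _, s in calls) / len(calls)
        if len(calls) >= min_calls and distinct >= min_callers and avg <= max_avg_secs:
            alerts.append((start.isoformat(), len(calls), distinct, round(avg, 1)))
    return alerts


def build_sample_cdr():
    """Constructed sample: two normal calls, then 30 short calls in one minute."""
    lines = ["2013-04-08T09:00:05,+15550100001,%s,42" % TARGET,
             "2013-04-08T09:00:40,+15550100002,%s,35" % TARGET]
    for n in range(30):  # 25 distinct caller IDs, 2-4 second calls (autodialer pattern)
        caller = "+1555020%04d" % (n % 25)
        lines.append("2013-04-08T09:10:%02d,%s,%s,%d" % (n * 2 % 60, caller, TARGET, 2 + n % 3))
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_flood(parse_cdr(build_sample_cdr()), TARGET):
        print("possible TDoS: minute %s, %d calls from %d callers, avg %.1fs" % alert)
```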

Posted by William Jackson on Apr 08, 2013 at 9:39 AM, 0 comments



Do the security conscious see something we don't?

It’s not a seismic shift, but a recent survey on security seems to show a trend, at least among the security conscious, away from Microsoft’s Internet Explorer browser and paid antivirus products in favor of Chrome, Firefox and free antivirus software.

Many readers might say, “What took them so long?”

The growing number of exploits targeting IE for some years prompted recommendations to replace it with alternatives from Google or Mozilla — or to at least limit use of IE. And antivirus has become a low-priority commodity. More intelligent anti-malware tools are taking precedence over signature-based applications. Nobody wants to get rid of the signature-based tools because when they work, they work. But why pay for them? Just use a free download and save your money for more sophisticated products.


Still, I found the degree of the shift interesting.

The survey was conducted by AV Comparatives, an Austrian non-profit that does independent antivirus testing. The results come from 4,715 computer users from around the world, about 16 percent of them in North America. The respondents came primarily from Europe (about 43 percent) and Asia (about 26 percent).

AV Comparatives says that it used control questions to filter out security experts and others trying to spin the results, so that the results reflect average users. Still, if I were a betting man I’d bet that the respondents skew toward the security aware and the paranoid. Who else is likely to take the time to answer a security survey?

As you might expect, operating systems used were dominated by Microsoft, with nearly 62 percent using Windows 7 (32- or 64-bit versions) and about 17 percent using Windows 8. The company noted that Windows 8 use by respondents is significantly higher than among the general public, according to commercial metrics. Older versions of Windows, including XP (12.5 percent) and Vista (about 4 percent) still outranked Apple OSes, which totaled 2.4 percent, although Apple accounts for 7.2 percent of the North American market.

But when it comes to browsers, Microsoft lost its advantage among the survey respondents. About 39 percent said they use Mozilla Firefox and 35 percent use Google Chrome. IE was a distant third with 14.4 percent. The results reflect what had been a trend worldwide away from IE, long the dominant browser, and toward Firefox and Chrome. However, recent statistics from Net Applications show that IE has rebounded with the release of IE 9 and 10. In February, IE held 55.8 percent of the worldwide market, followed by Firefox (20.12 percent), Chrome (16.27 percent) and Safari (5.42 percent).

As for security software, about 40 percent of respondents are paying for a commercial suite of security tools, and nearly 16 percent are paying for stand-alone antivirus. This combined percentage was about 10 percent higher last year, the company said. About 37 percent were using free antivirus solutions. In North America, free antivirus accounts for 40 percent.

The top choices among antimalware providers also varied with geography. In North America, the top providers in the survey were, in order, Microsoft, Symantec, Avast, Kaspersky and AVIRA. Worldwide, the top providers were Avast, Kaspersky, AVIRA, ESET and Microsoft.

Apparently users are satisfied with the security of the tools they are using. Although they ranked good malware detection rates as more important than impact on system performance, they said vendors needed to work more on reducing the impact on computer performance than on detection rates.

If the people who took this survey know what they are doing, maybe it’s time for those of us who have stuck with Microsoft IE and are paying for antivirus to reevaluate priorities.

Posted by William Jackson on Mar 28, 2013 at 9:39 AM, 3 comments



Killer app for IPv6? It’s the Internet.

I recently solicited comments on what the killer app might be that would drive demand for and adoption of IPv6, the next generation of Internet Protocols. From what the readers had to say, the killer app is the Internet itself. Despite the possibilities for improved functionality in the new protocols, the overriding reason for using them is simply to keep the Internet alive and well as the old address pool dries up.

With the current IPv4 infrastructure becoming increasingly fragmented and fragile, “the Future is IPv6, or no Internet,” one reader commented. “You choose.”

There were no examples offered of anyone actually using the capacity or capability of the protocols for anything innovative. The only reason for enabling them is that this is where future growth of the Internet must take place, and anyone who wants to remain accessible without living behind increasingly congested bottlenecks will have to accept IPv6 traffic.

Two readers offered examples of current applications that would benefit from eliminating the fragmentation caused by Network Address Translation: voice over IP, and multicasting for delivery of radio and television over the Internet. Some current trends support these ideas.

The NPD Group recently announced that there are more than half a billion Internet-connected devices in U.S. homes, an average of 5.7 per household. Since the beginning of 2013, the number of tablets in use grew by nearly 18 million and the number of smart phones by 9 million.

This growth in IP is occurring at the same time that reliance on traditional electronic media is shrinking. As early as 2010, the National Center for Health Statistics reported that nearly 27 percent of American homes did not have traditional wireline telephones. And the Nielsen Co. estimated that the number of households in the United States with television dropped from 115.9 million in 2011 to 114.7 million in 2012. The drop started with the digital conversion of television in 2009. The poor economy and demographic shifts, with more young people relying on the Internet for entertainment, also contributed to the decline.

It appears that for the near future, the primary job of IPv6 will be keeping the Internet robust enough to enable its continued expansion as a communications, information and entertainment medium. But that does not mean that the new protocols will not be put to some interesting and innovative uses.

“The ‘Killer App’ is, first and foremost, the increased connectivity implicit in the larger address space,” one reader commented. “What comes from that increased connectivity is, well, up to you to decide!”

Posted by William Jackson on Mar 22, 2013 at 9:39 AM, 7 comments