Cyber Insecurity
Employees of the National Security Agency sit in the Threat Operations Center in Fort Meade, Md.  (AP File Photo/Evan Vucci)


In the Bruce Willis thriller “Live Free or Die Hard,” fiendish computer hackers throw the United States into a wild tailspin of fire and flood and national gridlock.

You don’t have to go to the movies to assess this threat. Every hour of every day, global gangs and thinly-veiled government probes are poring through digital America — through corporate secrets and the Pentagon, Obama and McCain campaign files, White House e-mail, front-line American military bases.

A big new report says it has to be stopped. But can it be?

This hour, On Point: Cyber insecurity, out of control.

-Tom Ashbrook

Guests:

Joining us from Washington is Siobhan Gorman, intelligence correspondent for The Wall Street Journal. Her article in this morning’s paper, “New Cyber Security Push Is Urged,” looks at the recommendations of a report released today by the Commission on Cybersecurity for the 44th Presidency.

From Norwich, Vermont, we’re joined by Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, a non-profit research institute that investigates strategic and economic consequences of possible cyber-attacks. He’s a member of the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency, which is set to release a new report today urging President-elect Obama to deal head-on with issues of cyber insecurity.

From Washington, D.C., we’re joined by Julie Ryan, associate professor of engineering management, systems engineering, and information security management at George Washington University. She’s been closely following the issues around our cyber security for years.

Joining us from Monterey, Calif., is John Arquilla, professor of defense analysis at the U.S. Naval Postgraduate School. He specializes in unconventional warfare and terrorism and is the author of “Worst Enemy: The Reluctant Transformation of the American Military” (2008) and “Networks and Netwars: The Future of Terror, Crime, and Militancy” (2002).

 


 
 
Listener comments
  • Many vulnerabilities are a result of the software or hardware not being up-to-date. Vulnerabilities are routinely discovered and corrected by the providers. Notice the “New updates are ready to install” on your Windows computer.

    However, many software organizations maintaining large systems are loath to install regular updates. They prefer to wait until they have a large number of updates to install all at once. While this is ‘efficient’ from their point of view it leaves a vulnerability in place that can be exploited.

    Posted by Andrew, on December 8th, 2008 at 10:22 am EST
  • I’m wondering why control over major power generators is connected to the Internet. What’s the advantage there? Perhaps connectivity to utilities shouldn’t be accessible via the Internet. Is that an overly simplistic solution?

    Posted by ulrich, on December 8th, 2008 at 10:24 am EST
  • Quantum cryptography which is now being used for US government classified networks answers many of the questions being raised about cyber security.

    Posted by Andrew Hammond, on December 8th, 2008 at 10:41 am EST
  • Frontline did an hour-long show on just this topic back in 2003 or 02 (http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar). They talked a lot about security at the Pentagon and government systems as well as the SCADA systems. Richard Clarke was in a lot and was on a tear about it. It is really sounding like the administration has ignored this whole issue.

    Posted by Turlach MacDonagh, on December 8th, 2008 at 10:42 am EST
  • Technology will do the human race in. We are a species too smart for its own good. We are getting access to too much power. Cavemen had a rock. We can destroy the earth many times over.

    Our best hope for species-survival is to populate other planets.

    Either we will destroy ourselves or AI (Artificial Intelligence)/computer/robots will take us over and destroy us. Maybe not in our lifetime, but we witnessed the beginning of it.

    Nothing much can be done, the genie is out of the bottle. Can’t be Luddites now.

    But, have a sunny day!

    Posted by JSR (Rags847), on December 8th, 2008 at 10:51 am EST
  • What many don’t understand is that new wars are cyber wars and propaganda wars… Remember what Nazi propaganda minister Joseph Goebbels said: “if you repeat a lie often enough, it will be believed.”

    Posted by R.M., on December 8th, 2008 at 10:53 am EST
  • Tom,

    The segment on cyber-attacks, and the vulnerability of power plants to these attacks, was inaccurate, a fact which I tried to clarify when I called in. The gentleman who spoke to my point right afterwards skirted around the fact that a physical presence from an attacker, as well as intimate knowledge of the plant itself, is entirely necessary. The level of knowledge required would be next-to-impossible for someone to obtain, as it would consist of both physical, electrical, and software design documentation. The alarmist viewpoints presented by the gentleman are, as an engineer of the systems, offensive to me.

    I will not, however, speak against an improvement of physical security at power generation facilities. However, that diverges from the topic of your show.

    As a listener, I think it is necessary to clarify these points. It makes me question the dependability of the “experts” that editorialize on the topics of your show. For example, it is in Scott Borg’s best interests, as a security consultant, to produce public concern and fear of these nearly impossible, and highly improbable events. In other words, it’s his job to produce the “worst case scenarios” and present them not only as possible, but probable.

    Posted by Nicholas, on December 8th, 2008 at 11:06 am EST
  • To me this just seems like a way to police the internet and control information. If this is such a goddamn important issue why aren’t governments and corporations building their own server infrastructure?

    Posted by Richard, on December 8th, 2008 at 11:08 am EST
  • As always, these types of discussions about “cyberwarfare” never mention the elephant in the room: Microsoft Windows. Far too many companies and military organizations rely on Microsoft Windows and other Microsoft software, so much so that it has been described as a computer “monoculture.” Windows was never designed for a world full of hostile computers able to connect at will over a global network. Nowadays millions of computers around the world running Windows routinely operate under the control of anonymous masters. Some fraction of these are controlled by foreign governments; the remainder are largely controlled by organized crime syndicates around the world.

    With so many insecure desktop computers available, prospective intruders soon realized it was far easier to establish a beachhead on some office worker’s computer than to break through an organization’s external “firewall” and other defenses. If you can entice someone into running a program that sets up a channel of communication with a computer out on the Internet, you can exploit that channel in countless, often quite invisible ways.

    As just one example of the scale of this problem, take the case of email spam. Spam now approaches 99% of all email traffic, and most of those messages are sent from exploited Windows computers in homes and offices around the world. Recently an ISP was disconnected from the Internet when it was discovered that it hosted the command software for a number of these so-called “botnets.” Spam traffic fell as much as 75% in the days that followed, though all observers believe spam will return to and then surpass its earlier level once the spammers find new homes for their control software.

    Posted by Peter Lemieux, on December 8th, 2008 at 12:44 pm EST
  • Julie Ryan mentioned that we need government regulation. The fact is that federal government departments must comply with the Federal Information Security Management Act (FISMA) of 2002. This has become a beltway joke — departments claim that they are meeting regulatory mandates but real progress is incremental and agencies like NASA are being hacked. Will FISMA 2.0 improve this? I have my doubts.

    On another note, Microsoft Windows has its problems but most attacks now are aimed at applications, not operating systems. Like it or not, Windows is a dominant platform so any plan to secure cyberspace must be anchored by this assumption.

    Posted by Jon O, on December 8th, 2008 at 2:37 pm EST
  • Policing the Internet is not the answer, regulation and policy enforcement is. The world is getting to the point where computers are like automobiles, a necessity. I think that government regulation of corporate computer systems would help stave off threats by bringing critical information and systems under a national security compliance template.

    I am a systems administrator for a financial company and our systems are audited several times a year to be compliant with FDIC information security regulations. Our systems are very secure because of it. This type of auditing can be used in other sectors. The model is simple; if a company that holds sensitive data within its network is insecure, they get fined or disconnected.

    Posted by Greg Rycerz, on December 8th, 2008 at 2:48 pm EST
  • I agree with Nicholas’ post above. I listened carefully for real content, and found little. It also seemed to me that the host’s tone of voice was one where he would state things as if there was something very worrisome, and then the people he was conversing with, the “experts”, would repeatedly have to tone down his rhetoric. It was almost as if the host *wanted* to have an emotionally shocking topic, and was doing his best to manufacture it.

    A good source of information on this topic, with much less hype, is http://www.csis.org/component/option,com_csis_pubs/task,view/id,5157/type,1/

    Posted by Marshall, on December 8th, 2008 at 5:48 pm EST
  • I found that the program focused largely on the existence of the problem. I know the guests on the program must have many solutions available, but there was little discussion of solutions, and more time nebulously talking about events and weaknesses, many of which the guests did not feel at liberty to detail.

    Personally, I think that many internal networks are compromised by Microsoft Windows and its many weaknesses. However, the programs running on computers, from internet browsers to word processors, are now at the forefront of unpatched security holes.

    Many of the problems with Windows computers are systemic – stemming from poor updating strategies for the OS, attendant programs, and basically insecure networking. The guests mentioned public key encryption and secure communications within networks.

    Oddly enough, Linux computers can be managed easily to update security patches, including all major programs running on computers, such as browsers, word processors, and security software. This allows all aspects of the computers’ OS and programs to be kept patched and up to date. Encrypted networking is also easily added to most Linux and BSD computers.

    Companies like Google have already started to use Linux for desktop use, and I suspect most businesses should seriously consider why they continue to use Windows, when its security is becoming increasingly risky. This is only a small portion of the whole security problem, but insecure desktops are an easy portal into almost any network.

    Posted by Bryan, on December 8th, 2008 at 11:12 pm EST
  • Nicholas,

    With respect… Arrogance leads to vulnerability. As good as you think your security is, as good as you think YOU are, there’s someone out there who’s better. Your best hope is that they’re poking at someone ELSE’s systems and leaving yours alone.

    I’m confident that if someone were to pay me to mount a long-enough sustained attack on someone else’s network or computer, that I would eventually succeed. And I’m not the best computer scientist I’ve ever seen…

    Physical security only goes so far. Adding any media to a system (disk, tape, thumb drive) provides a point of compromise. You need to be CERTAIN that that update CD you insert is clean. And you can never REALLY be certain.

    The safest approach is to assume your systems are being attacked, and that your systems have in fact been compromised. When possible, segregate sensitive information, keep it off any powered circuit with programmable logic in its design except where it’s simply unavoidable, and then limit its exposure as much as possible. Maintain security vigilance and do contingency and mitigation planning for when someone does break your computers.

    Think in terms of “Andromeda Strain,” smallpox or ebola.
    Confidence can be lethal.

    Posted by Lynn, on December 9th, 2008 at 10:58 am EST
  • To all who listened yesterday, while instilling fear, not one person mentioned viable solutions at the Enterprise and Federal levels, i.e. Identity and Access Management (IAM), Security Information Management (SAM), and Threat Management – all of which are hugely successful in thwarting “attacks.”
    ***********************************
    IAM – automates the management of a user’s identity through its lifecycle – creation, modification, and deletion – and ensures that only properly authorized users can access critical IT resources – from the Web to the mainframe. CA IAM enables an organization to reduce IT costs, mitigate overall security risk, enable new business opportunities and deliver continuous regulatory compliance.

    SAM – provides centralized management of real-time events and post-event forensics analysis to improve administrator efficiency and reduce costs, while assuring security.

    TM – helps prevent spyware, viruses, worms, spam, and malicious content from infiltrating and infecting your network, email, and business applications.
    ******************************************
    We at CA are world leaders in the Security of IT Infrastructure Management.
    Feel free to contact me for additional information.
    ~ Chris.Lang at CA dot com

    Posted by Chris Lang, on December 9th, 2008 at 6:04 pm EST
  • According to a recent survey by Secunia ( http://secunia.com/blog/37/ ) only 1.91% of all Microsoft Desktop PCs are fully patched. However even after applying all the patches, Microsoft’s most widely deployed platform and applications have not been secured. The XP platform still has 32 unpatched vulnerabilities, Outlook 2003 ( the most widely deployed business version of Outlook ) still has one outstanding unpatched vulnerability ( since 2004 ) and Microsoft Office 2003, still the most widely deployed version of Office, has four outstanding vulnerabilities which put the desktop at high risk of being infected.

    Even Microsoft’s flagship product Vista has Six unpatched vulnerabilities and the latest version of Internet Explorer still has 9 unpatched vulnerabilities.

    These are all unpatched widely known vulnerabilities, and are only the ones in Microsoft’s own product. Consider all the third party vulnerabilities, in downloadable codecs for example, that the design of Microsoft’s platforms makes it comparatively easy for crackers to exploit.

    In comparison, all of the major Linux based distros have an excellent record of closing known vulnerabilities within days if not hours, before the holes get a chance to be exploited. Even Apple has a better record of closing known vulnerabilities.

    Posted by David Mohring (NZheretic), on December 9th, 2008 at 11:14 pm EST
  • The current trend for individuals and larger entities such as corporations, is to use Internet Telephony (VoIP – Voice over IP) which exposes us all to hacking, espionage, intrusion and identity theft, and in its most extreme form possible takeover and paralysis.

    All aspects of Internet calls travel unprotected over the Internet, and utilize the common Internet infrastructure that is under daily attack. The service depends upon the Internet Domain Name Service (DNS). Anyone can start their own Internet phone company, and anyone can run their own DNS servers. Currently, there are 11.9 million DNS servers, so the exposure to malicious activity is enormous.

    One underlying problem is that security on the Internet is impossible to achieve because of the very architecture of the Internet, which views everyone as trustworthy, and gives them direct access to your computer, your systems, and your phone as well, if you subscribe to VoIP.

    For a number of years we (Emerson Development) have been working on a system to create secure communications across the Internet and with our most recent patent (the 5th in this project) we believe we have been successful. The solution is theoretically simple but will require retrofitting our existing infrastructure or creating a new model. In its simplest terms, we can have secure telecommunications if we combine the best of the Internet (high speed, multimedia), with the best of the traditional telephone network (secure, reliable). We are eager to discuss our research, conclusions, and our early stage 5 patent suite to bring this solution to a wider audience.

    Background: Harry Emerson is an expert in computers, voice and data communications, and the Internet. He has 25 years at AT&T under his belt including designing and managing large-scale, multi-million dollar enterprise applications and data systems. He has numerous patents issued and pending against a variety of technologies including FM radio, Internet streaming, PC software, and telecommunications. His background in switching systems and data networking, along with concepts he developed in corporate architecture and strategy positions, ultimately led to the development of a patent portfolio that defines the next generation of telecommunications, featuring secure, rich MultiMedia capabilities. Following AT&T he co-founded GEODE Electronics to commercialize a series of patented enhancements to commercial FM radio. Subsequently, he co-founded SurferNETWORK, a successful Internet streaming media business. He is a recently appointed member of the NJ Technology Council’s Telecommunications/Media Industry Advisory board.

    Posted by Jacqueline Herships for Harry Emerson, on December 10th, 2008 at 11:35 am EST
  • To Jacqueline, no thanks for the spam. There are plenty of good and verifiably secure open-source VOIP clients. I’ll be sure to use one of those instead of your company’s “secure”-by-obscurity product.

    I’m a software engineer who works on applications dealing with medical data that make heavy use of encryption to protect privacy. I’m also, in the words of the late, great ODB, “the paranoid [person] at the party”. That is, while I’m still learning, I’ve done my best to cultivate a mindset of mild paranoia and healthy skepticism.

    As such, I was very disappointed with the guests of the show and their answers, particularly to Nicholas’s question.

    If you want to keep a power plant from being hacked, at a high level it’s quite basic:

    * Don’t plug anything important into the fscking *internet*

    * Don’t let random, untrusted people plug random, untrusted media (usb drives, CDs, etc) into anything important.

    (To the earlier commenter, it’s not arrogance to say that disconnecting important systems from the internet is inherently very secure. If anything, it’s a humble act; it acknowledges that it is in fact impossible to be completely secure from remote threats as long as you’re connected to the outside world. That qualification is key. An arrogant sysadmin assumes she’s covered all the bases. A practical one just unplugs the network cable.)

    I can’t believe that power plant sysadmins are stupid enough to forget either of those things. I agree that the guest “expert” was doing more fear mongering than rational risk analysis.

    PS: I should make clear that I love On Point; the shows are generally great. This one just didn’t live up to Tom’s usual high standards.

    Posted by Clint Gilbert, on December 10th, 2008 at 4:45 pm EST
  • The security issue is not as unsolvable as is presented. If the military would implement the security recommendations of the NSA available at http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1 many of the problems would be addressed. Why are we ignoring the advice of experts? We pay for their knowledge and recommendations.

    Posted by John Moore, on December 15th, 2008 at 4:04 pm EST