Tuesday, May 4, 2010

Washington hypes Cyberattack threat to justify regulating Web

Networks have been under attack -- and successfully handled by operators -- as long as they’ve been around. Be wary of calls for more government supervision of the Internet.

By Jerry Brito and Tate Watkins
posted April 29, 2010 at 1:31 pm EDT

Arlington, Va. —
We marched into Baghdad on flimsy evidence and we might be about to make the same mistake in cyberspace.

Over the past few weeks, there has been a steady drumbeat of alarmist rhetoric about potential threats online. At a Senate Armed Services Committee hearing this month, chairman Carl Levin said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.”

The increased consternation began with the suspected Chinese breach of Google’s servers earlier this year. Since then, press accounts, congressional pronouncements, and security industry talk have increasingly sown panic about an amorphous cyberthreat.

Bush administration cybersecurity chief Michael McConnell recently warned that the United States “is fighting a cyber-war today, and we are losing.”

According to McConnell, now a vice president at Booz Allen Hamilton, “our power grids, air and ground transportation, telecommunications, and water-filtration systems are in jeopardy.” More recently, Sens. Jay Rockefeller (D) and Olympia Snowe (R) wrote about “sophisticated cyber adversaries” with the potential “to disrupt or disable vital information networks, which could cause catastrophic economic loss and social havoc.”

Yet none of the prognosticators of disaster presents any evidence to sustain their claims. They mention the Google breach, but that was an act of espionage that, while serious, did not lead to catastrophe.

There have been and continue to be many “cyberattacks” on government and private networks, from the Korea attacks to the denial-of-service attacks during the Georgia-Russia war. To be sure, these attacks are a serious concern and we should continue to study them.

But so far, these types of events tend to be more of a nuisance than a catastrophe. The biggest result is that websites are down for a few hours or days.

This shows that security should be a serious concern for any network operator. It does not show, however, that these attacks can lead – much less have ever led – to the types of doomsday scenarios that politicians imagine. There is no evidence that these attacks have ever cost any lives or that any type of critical infrastructure has ever been compromised: No blackouts, no dams bursting, no panic in the streets.

The cyberalarmist rhetoric conflates the various threats we might face into one big ball of fear, uncertainty, and doubt. This week for example, the director of the Central Intelligence Agency announced that a cyberattack could be the next Pearl Harbor.

Cyberwar, cyberespionage, cyberterrorism, cybercrime – these are all disparate threats. Some are more real than others, and they each have different causes, motivations, manifestations, and implications. As a result, there will probably be different appropriate responses for each.

Unfortunately, the popular discussion largely clumps them into the vague and essentially meaningless “cyberthreat” category.

Let’s take a deep breath.

Before we can effectively address any of these amorphous “cyberthreats,” we must first identify what, specifically, these threats are and to what extent the federal government plays a role in defending against them.

The war metaphor may be useful rhetoric, but it is a poor analogy to the dispersed and different threats that both public and private information technology systems face.

The fact is, as long as we have had networks, they have been under attack. But over the past 20 years network operators have developed effective detection, prevention, and mitigation strategies.

This is why we should be wary of calls for more government supervision of the Internet. Last week, as part of its National Broadband Plan, the Federal Communications Commission began an inquiry into whether to establish a “voluntary cybersecurity certification program.” Through the program the FCC would certify communication service providers based on a set of cybersecurity standards developed directly by the FCC, or indirectly through a third party.

More ominously, Senators Rockefeller and Snowe have introduced the Cybersecurity Act of 2010 that aims to change how the Internet works in the name of security. It would also create a national system of licensing for security professionals, and would dole out millions of dollars in cyberpork to “regional cybersecurity centers” and other programs.

At the heart of calls for federal involvement in cybersecurity is the proposition that we reengineer the Internet to facilitate better tracking of users in order to pinpoint the origin of attacks. The Rockefeller-Snowe bill looks to develop such a “secure domain name addressing system.”

That’s a slippery slope.

And there’s the fact that we have seen a wasteful military-industrial complex develop before, and in this rush to “protect” we might be seeing a new one blossoming now. The greater the threat is perceived to be – and the less clearly it is defined – the better it is for defense contractors like Booz Allen Hamilton, which last week landed $34 million in Defense Department cybersecurity contracts.

That money could certainly be put to better use right now.

Anyone concerned about net neutrality or civil liberties – in particular online privacy and anonymity – should take notice. Before the country is swept by fear and we react too quickly to the “gathering threat” of cyberattacks, we should pause to calmly consider the risks involved and the alternatives available to us.

Rather than pass a sweeping “cyberdefense” bill right away, Congress should take the time to untangle the different threats that confront us and make sure they are addressing each appropriately. If not, we will be saddled with an overreaching one-size-fits-all result.

Giving the military and federal agencies the tools to protect their online assets might be an appropriate first response. But reengineering the Internet and imposing standards and licensing on the most innovative sector of our economy should give us pause. There is no reason to rush to action.

~~//o)X(o\\~~


Hacked US Treasury websites serve visitors malware
05-04-2010

Updated: Websites operated by the US Treasury Department are redirecting visitors to websites that attempt to install malware on their PCs, a security researcher warned on Monday.

The infection buries an invisible iframe in bep.treas.gov, moneyfactory.gov, and bep.gov that invokes malicious scripts from grepad.com, Roger Thompson, chief research officer of AVG Technologies, told The Register. The code was discovered late Sunday night and was active at time of writing, about 12 hours later.

To cover their tracks, the miscreants behind the compromise tailored it so it attacks only IP addresses that haven't already visited the Treasury websites. That makes it harder for white-hat hackers and law enforcement agents to track the exploit. Indeed, Thompson initially reported that the problem had been fixed until he discovered the sites were merely skipping over laboratory PCs that had already encountered the attack.

The attack is most likely related to mass infections that two weeks ago hit hundreds of sites hosted by Network Solutions (http://www.theregister.co.uk/2010/04/19/network_solutions_mass_hack/) and GoDaddy, said Dean De Beer, founder and CTO of security consultancy zero(day)solutions.

He made that assessment based on the observation that the compromised Treasury websites are hosted at Network Solutions and the owner of grepad.com is also the owner of record for most of the websites used in the earlier attacks.

"There's a very high probability that it's the same person," De Beer said. "The only things that are changing are the domains."

Earlier, Thompson speculated the attack might be the result of someone exploiting a SQL injection vulnerability on the Treasury websites. After investigating that possibility, De Beer said it was unlikely because the hacked Treasury sites contained static HTML pages that aren't susceptible to such exploits.

Media representatives at the Treasury Department didn't return a phone call seeking comment. 

This posting was updated to include details linking the attacks to similar mass compromises that hit sites hosted by Network Solutions and GoDaddy.
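For site operators, the report above suggests a simple check on static pages: flag any iframe that is both invisible and loaded from a host the site does not own. The sketch below is an added example, not code from the article or from the researchers quoted; the host names, the sample page and the `audit_html` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline-style patterns that hide an element from the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    return value is not None and value.strip().rstrip("px").strip() in ("0", "1")

class IframeAuditor(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line number, off-site host)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative URLs have no host and are treated as same-site.
        offsite = bool(host) and not any(
            host == h or host.endswith("." + h) for h in self.allowed)
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        if offsite and hidden:
            self.findings.append((self.getpos()[0], host))

def audit_html(html, allowed_hosts):
    """Return (line, host) for every hidden iframe pointing off-site."""
    parser = IframeAuditor(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one visible partner embed, one hidden local
# frame, and one hidden frame loading from a host outside the allowlist.
SAMPLE = """<html><body>
<h1>Static page</h1>
<iframe src="https://maps.partner.example/embed" width="600" height="400"></iframe>
<iframe src="/local/banner.html" width="0" height="0"></iframe>
<iframe src="http://scripts.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host in audit_html(SAMPLE, ["treasury.example"]):
        print(f"line {line}: hidden iframe loads from {host}")
```

Run against the files on the web server's disk, the check does not depend on which visitor IP addresses the injected code chooses to serve.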
