Points also to the issue that thinking about security from a perimeter point of view (everything outside firewall is bad, everything inside is good) is outdated. There is no inside vs outside anymore.
That always was a stupid strategy. Trusting stuff on one side of the firewall just because it is on the other side is not good enough, that means that after any breach at all your whole network is wide open.
Security should be applied at the lowest possible level, just like you would in a physical installation.
It's not like when you work in a bank once you are allowed 'backstage' that that automatically gives you the right to visit the tellers' cage or the vault.
My bank takes a different approach, an old one, to security. Here are three things that happened to me at their main bank office over the last 6 months.
1 - I sat down with a mid-level manager asking about a debit card in my wife's name for one of my accounts. The manager pulled up my account and said "I see you were in Wilmington last week. My family is from there." And we chatted about Wilmington for a bit.
2 - I walked up to the teller desk and said "Please move $500 from account A to account B." I filled out no forms, showed no ID, didn't even know the account numbers. The teller said "No problem Mr. Hancock, have a nice day."
3 - I needed to change my phone number linked to all my accounts. I walked into the teller and told her I have 5 accounts and wanted to change the phone number on all of them but didn't have my account numbers at hand. She handed me a post-it note and asked me to write down the new phone number: "No problem Mr. Hancock, we'll see it gets done."
The approach this bank takes is oriented around trust and liability, not IT security. Some may be upset that a bank manager would/could scan my transactions and openly acknowledge they see where I was last week. But I see this as openness in acknowledging that they can see the data. All banks can see this data and many credit data warehouses have this data. My bank simply doesn't pretend they can't see it.
In response to your post, jacquesm, I completely agree with your point of view from an IT perspective. However, I do not expect a bank, large or small, to get things perfect internally. So I choose to do business with one I trust to uphold their end of liability. I take this approach with most business partners, as I'm sure many do. When I buy a $50 item on ebay, I expect less of the supplier and pay accordingly.
If you were to walk in to say the New York city branch of a major bank that you have an account with in the countryside then you'd be looking at a completely different situation.
I once borrowed E100K from my bank just on my promise that I would pay it back within 7 days. That would have been a lot harder if I had not been a very good customer of theirs for more than a decade.
But I still doubt they'd let me past the 'no customers beyond this sign', simply because they have a duty to safeguard the privacy of their other customers, even if we'd have a higher than normal level of trust between ourselves as people.
You're right; that's why I don't do much business with large banks ;).
I have one account with a large bank. I have not had any problems, but I limit my transactions with them to well documented transfers and have standing orders to not allow any other type of transactions.
I have no expectation that a large bank will cover my liability better than they cover theirs. I engage with them accordingly.
The best way to spread your risk with banks is to make sure you never have more than your federally insured cap with any one bank. (that's a luxury problem though). Over that and you're up the creek without a paddle if anything should happen to that bank.
The funny thing here is that the people that the bank owes money over that amount are ruthlessly culled, but the people that owe the bank are not.
I think that should cut both ways, in other words if a bank folds then both the debts and the deposits should be capped or none. But it seems to be completely asymmetrical to keep the people that owe the bank on the hook while capping those with whom the bank is in debt.
I agree, but I don't think there ever really was an inside versus an outside. Flash drives, or even floppy disks for that matter, can bring worms into a company even if the firewall blocks them.
Companies have always needed to put security measures on each individual computer, or in this case, each individual person.
I shudder to think how routine such activity may be by Chinese corporations. Imagine sending a not-too-tech-savvy sales/marketing dude to China. In the evening he gets 'friended' by a young lady offering a free thumb drive (or herself). How much training are western corporations giving their international staff about high-tech security?
At my job, at least (research at a major government contractor) we all have to undergo annual counterintelligence training. And that's for me, the intern who never leaves the country.
Among other things in the training is the assertion that multiple employees are currently being targeted for espionage and at least a few employees are most likely working for foreign governments. They also warn about accepting gifts and give examples of "spooky" things, like random strangers befriending workers on foreign travel only to reveal that they know way too much about that person.
Training is there in big corporations, maybe not in startups.
I took the Official Counterintelligence Training at a major aerospace contractor in the late 80s. It was bunk. The Korean War vet who ran the class gave us some cock-and-bull story about Bulgarians flying ultralights at the state park not too far from the "Main Plant". But everything of merit about our rockets got published in Aviation Week every two years or so. Even material about possible payloads, which was so compartmentalized that we knew next to nothing, maybe a bolt pattern, mass and location of center-of-mass above the bolt pattern.
The "training" was all superstition and cargo cult management by slogan. When you thought about it for a minute or two, nothing they said made any sense.
The first time I took it, we had a video of an ex-KGB guy assuring us that agencies like his previous employer are indeed targeting us. These days, there's no concern about Bulgarians in ultralights, it's all about buying an employee a new car so he'll load up a USB drive with interesting info.
I wish I could be targeted for something like that... I don't even have access to secrets but "they" don't know that, and I could use some extra money.
"How much training are western corporations giving their international staff about high-tech security?"
Everywhere I have worked (public sector, private sector, startup, ISP, defence) there has been scant regard given to security. Anyone who wants to attack a UK-based organisation via its IT is basically at liberty to do so, often through the most old-fashioned of means (password guessing would be fruitful, for example). I have never enjoyed any success, as a sys admin with > 15 years trying, getting people to take security seriously. They still think it won't happen to them, even when you explain to them that when it does, they won't know about it (let alone the danger of honeytraps against specific personnel; lambs to the slaughter afaic). So, yes, it will be routine and lucrative and it's all but encouraged by lax security and dumb optimism almost everywhere.
Fear of this sort of thing is why many larger corporations are locking out USB drives as part of group policy updates. They will never disable autorun, but by gosh, they'll make it so you can't plug any sort of USB device in.
There have been several stories of people tossing trojaned USB "thumb drives" into parking lots at large companies in order to get their payload installed, and it works. This is a fatal flaw of autorun.
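An added example, not posted by anyone in this thread, that audits the two settings the comments above contrast on a Windows host: whether USB mass storage is blocked and whether AutoRun is actually disabled. It assumes the documented policy registry locations and only reads them.

```powershell
# Added example (not from the thread): report whether a Windows host blocks USB
# mass storage and whether AutoRun is disabled, the gap described above.
# Registry paths are the documented policy locations; nothing is modified.

function Get-RemovableMediaPosture {
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun;
    # 0xFF excludes every type. A missing value means the OS default applies.
    $autorunMask = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    # Start = 4 marks the USB mass-storage driver as disabled, so thumb drives never mount.
    $usbStart = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        AutoRunDisabled    = ($autorunMask -eq 0xFF)
        UsbStorageBlocked  = ($usbStart -eq 4)
        NoDriveTypeAutoRun = $autorunMask
        UsbStorStart       = $usbStart
    }
}

$posture = Get-RemovableMediaPosture
$posture | Format-List

# The combination the comment describes: storage ports locked, AutoRun left on.
if ($posture.UsbStorageBlocked -and -not $posture.AutoRunDisabled) {
    Write-Warning 'USB storage is blocked but AutoRun is still enabled: optical media, network shares and any other medium that still mounts will autorun.'
}
```

Run it from an elevated PowerShell prompt; under Group Policy the effective values come from the same keys, so the script reports what the policy actually delivered.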
Re comments that this has been going on a long time, and that the West does it too.
It probably has been happening a long time. Many may have assumed it. If Western governments have been papering it over, it's good that it comes out so that citizens and businesses can know how widespread the problem is, and how likely or unlikely anyone will be affected directly. I suspect that if we knew exactly what was happening, most would be surprised at the extent.
The West probably does do it too. I strongly suspect that there are a set of "niceties" that Western governments observe (or sometimes not, but there is that restraining tendency). I doubt that any similar niceties exist within the Chinese government at all; the very concept is probably amusing to them.
When China starts selling cars in the US, how much espionage do you think will be brought to bear on their US operations and employees? I'm guessing little more than an entry in a catalog at the CIA.
How much espionage is potentially brought to bear on Western companies operating within China? If I brought my business to China I would assume it was targeted. If I brought my business to Canada I wouldn't give it a thought.
Are MI5 trying to suggest that they don't use the same tactics against other countries? Industrial espionage has always been common, so this is nothing new except perhaps for the particular technologies used.
Yes CPNI is technically part of MI5 but they're not full on spooks per se (and MI5 don't do CPNI's job). They receive intelligence from other departments and are responsible for certain elements of gov.uk security, although the primary source for information assurance/security is CESG based at GCHQ (which is more MI6 than 5).
CPNI also handle liaison what's called the Critical National Infrastructure. That is to say things that are not government owned but would cause problems if affected (like power companies, transport firms etc.).
As an analogy CESG are probably closer to NIST and the standards part of the NSA, whereas CPNI are closer to the FBI. Note that in the US model something like that type of tactic would be a CIA or military operation, not NSA - MI5 and MI6 would be the same, offensive security if anywhere would have fallen in the remit of the armed forces, at least until the recent cybersecurity strategy came out which establishes the structure of the UK's offensive function.
Well whatever the particular acronyms might be I find it hard to believe that British secret service agencies don't use near identical tactics to obtain information from other countries or organisations.
Don't you just think this news about hacks from China is getting way too frequent?
The attack on Google was said to be a way to get access to the accounts of free rights activists, but they also attacked several other US companies. The reason must be to steal the companies' know-how.
Would you be surprised if a few years from now a Chinese Google was announced and similar and maybe better products in other industries?
And I think these actions are all supported by the Chinese government, which knows getting Chinese competitors in some key fields is the only way to exponentially develop its economy.
According to Bruce Schneier, the Google attacks were using the CALEA intercept points which are mandated by US law. There is no possible way that Google could shut down those access points without violating US law.
> In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.
For some reason I'm strangely reminded of the episode of Big Bang Theory where Sheldon talks on NPR whilst having helium pumped into his room. That would be an authoritative Schneier.
There is a big difference between stuff happening and having the media spotlight on it, that usually gives an impression of something being suddenly much larger.
Exactly. 7-8 years ago, these same types of stories were going around about France being the evil hacker country, and that in most hotels catering to business travellers, there were pinhole cameras above the desks that would monitor and record businessmen typing passwords, so the evil maid spies could then unlock the laptops when the travellers were away.
Back then our media was also slamming France for being "cheese eating surrender monkeys" and renaming "french fries" into "freedom fries" because they would not support our activities in Iraq. And now we're slamming China because China isn't supporting our activities in Iran.
To be perfectly honest, if all the people caught in Chinese honey traps just went to their wives and the press saying "I committed adultery because the Chinese attempted to get leverage over me, it was irresistible"
I think they'd get awarded the Victoria Cross for bravery or something. Ig Nobel Prize for politics please?
CHINA! Feel free to send honey traps this way. I'm in local government. Fantastic. They've obviously not looked at the divorce statistics lately.
I feel we've just been introduced to the realities of the new world of warfare.
Getting inside information on Google, Adobe, etc, would be of immense value for cyberwar. I don't think the information is as nearly useful for economic purposes as it is for making new software weapons. Every bit of source code or critical system you access gets you more information your teams can analyze for "0-day exploits" and more backdoors/trojans you can place to get more access to more networks whenever you need.
Imagine you've amassed a lot of brilliant computer scientists and security experts. Getting access to source code and installing trojans would be of immense value to you because you'd be sitting on a huge stockpile of weapons just waiting for you to analyze them in parallel long after you've infiltrated (and even if you were detected/shut-off). If we're seeing exploits streaming out of small security firms and off-shore spammers--- imagine the wealth of exploits a well-funded military division would be able to come up with. Now imagine you wanted to stay competitive with other such militaries... To them the means to get new weapons is more important (in a meta-sense) than pretty much anything else.
From my arm chair, I'd say for weapons of mass cyber influence the most prized possessions would be:
(1) control over the pipes (presumably the U.S. has this for a lot of key stuff, but these backdoors, too, might be exploitable)
(2) unknown exploits in common software
(3) control of highly/specially trafficked systems/services
(4) unknown exploits in specialized software
I'm not trying to make anyone paranoid, but it does seem to me that this sort of infiltration into corporations and government software/systems would be just as valuable to any country anywhere that had a powerful high-tech army. A weapon is a weapon and would be just as valuable to anyone.
There are only a few places that could coordinate attacks like these. We'd have to assume military-- the only other real option being organized crime (with their growth in this economy).
As such, I put it at, maybe, 80% chance that the attacks from China were from Chinese military sources, but (given motive, skill, and funding) there's at least 10-15% chance these are actually coordinated by the U.S. military or intelligence agencies themselves and pinned solidly on China. The remaining 5-10% or so falls on other militaries or maybe brilliant criminals.
If I was thinking like a cybergeneral, I would want someone else to be scrutinized other than myself. I might even specifically seek out companies important to me that also did business with my opponents so that it was easier to pass the blame. I feel the U.S. intelligence/military probably has the cleverness to make that all happen if they wanted. I very much doubt they did so, but I think we're silly to ignore the possibility.
What we really need to stop ignoring is that our software and systems are actually turning into weapons. I think the days of idle worry over spambot exploits are behind us--- now we have to imagine that your favorite websites, your business servers, and your home PCs are pawns in a very big game of chess.
You're doing a good job at it, however! Your scenario reminds me of Isaac Asimov's Foundation series, particularly where the Foundation had the ability to disable its enemies' technological, nuclear in this case, infrastructure, as their enemies little understood it themselves.
Coming back to reality, it's not the case that Adobe, et al, poorly understand their own software, simply that only they could see its potential problems, being as it's closed-source. I'm somewhat biased, but in your scenario it would be much better to give the source code a larger audience, via open sourcing it, to negate, albeit not entirely, the prevalence of such government-researched 0-day exploits.
I think the chess analogy is fundamentally flawed. You're presuming that there's a Chinese "chessmaster". Instead, as we have seen from all sorts of phenomena, from the Anonymous protests against Scientology to Al Qaeda terrorism, distributed movements with no central control are as powerful (and, in many cases, more powerful) than centralized armies.
Where you envision a controlled, organized hacking scheme organized by the Chinese military, I see a widespread group of nationalistic Chinese hackers employing whatever means are at their disposal to advance Chinese interests and disrupt Western businesses and governments. The threat might be the same, but the way one responds is vastly different.
"Instead, as we have seen from all sorts of phenomena, from the Anonymous protests against Scientology to Al Qaeda terrorism, distributed movements with no central control are as powerful (and, in many cases, more powerful) than centralized armies."
Are you sure Anonymous have done any long term damage to Scientology? Or that Al-Qaeda actually achieved anything meaningful against the Occident? If you look at history, those who are more centralized are always the ones who are more powerful. Up until the point they become too big and things start to break down. After that, it's back to normal and the more centralized win. Short-term imperialism and attempts at unification throughout history give us good examples of how things unfold.
There's certainly a lot of nationalistic Chinese hackers, but I don't think they could pose any significant threats. The best they could do is adding noise so that the "real" government hackers go undetected. They would also become dangerous if coordinated by the government, but at that point they're no longer decentralized.
I think decentralization has its advantages when considered in the right context. But politics and religion are all about centralization and always have been.
Even though Darth Siddy may own the Times, journalistic integrity is a point of pride in Britain. Not everywhere, but in the Times, BBC, Guardian etc. it certainly is.
He also owns Sky and that's our version of faux news. Sky is rubbish and complains the BBC is 'too big' and a 'monopoly'.
Why? Because the BBC is made of uhm. 'Win'. No adverts and an insane amount of programming for less than a couple of months of Sky (For Sky think Cable). Fantastic.
I'm not sure I understand your point, however the link I posted was Fox News syndicating the Times which as you say, does have journalistic integrity...
I'm sure this document is real, I'm just saying that the fact that the Chinese government has been spying on large multi-national corporations across the world is not "news" or even "hacker news".
If one government trying to hack another using gifted USB sticks and cameras isn't hacker news then I really don't know what would be, but if you feel that way there is always the 'flag' option.
The report this journalist quotes appeared on Wikileaks over the summer. I wonder how legitimate his sources are. I'd like to see an official report from MI5, but of course, as the writer puts it, it is a "restricted report", so I guess we won't actually get a source on this.
"The growing threat from China has led Evans to complain that his agency is being forced to divert manpower and resources away from the fight against Al-Qaeda."