Monday, June 30, 2014

Big Business Cyber Crisis

There were a couple of articles over the weekend that indicate an increased awareness of cyber intrusions and the corporate reaction to them.  I will get to these in a minute.  In 2005, I gave a speech in Canada on the interconnected networks that extend between different corporate entities, their customers, and suppliers, that emphasized the path into their networks from the outside world.  My point was that corporations, knowing the threats that were evident, should have enough due diligence and special diligence to start reacting to the theft of data from their own networks.  Until Target's Board got trampled over by outside events, nobody paid much attention to the threat.  That makes it personal for them.

Eight years later, we have two articles on companies that see the light and are starting to do things to protect themselves.  This is more than odd.

The two examples are these: Ed Crooks, Demetri Sevastopulo and Geoff Dyer wrote an article, Cyber Espionage Concerns Rise Up U.S. Business Agenda, Financial Times, 20 May 2014 [http://www.ft.com/intl/cms/s/0/c5779a1e-dfe0-11e3-9534-00144feabdc0.html#axzz367jx5IdL], and another article appeared today with a slightly different slant: Danny Yadron, Corporate Boards Race to Shore Up Cybersecurity, The Wall Street Journal, 30 June 2014 [http://online.wsj.com/articles/boards-race-to-bolster-cybersecurity-1404086146].

A reasonable person might think these big corporations, who have seen their brethren hacked over the past several decades, would have seen the light a long time ago.  Security professionals are not keeping any of these attacks a secret, and one would think the numbers and variants would have crept up to the top of the organization through the CISO, or a similar position.  In yesterday's article, we note that the super-large Kellogg, famous for its cereal, has suddenly decided to appoint one.  That might account for why they didn't get the word at the Board level until recently.  The 10K reports referenced in the first article show that increased interest in the cyber threat is actually being backed up with money.  That also means the money wasn't there when all the hacking we have seen for 20 years was taking place.

Over and over, we faced the corporate culture that said cyber was just another business area that had to be cost-justified, without a real assessment of what the risks to client data and corporate secrets would cost: the sum of two guesses (risk and cost) that were both wrong.  Second, the rationalization of risk was a leading driver in ruling on the cyber defense budget.  "Don't worry about that client data.  There is so little of it, it won't cause any harm" should be familiar to people who have been around for a while.  It wasn't until they found out that it could cause the Boards harm that they became suddenly interested.

Corporations and governments have been taking risks with data they don't own for 25 years or more.  Very few give a hoot that my private data is in their hands, or that their own corporate secrets are on the same networks with 10,000 of their "best corporate customers".  They want to make sure those clients have access to advertising and marketing approaches.  Some of them want to sell data.  They need to be reminded every now and again that they already have defined requirements for security, but they are different for each company.  These definitions are from Black's Law Dictionary.

Due Diligence:  "Such a measure of prudence, activity, or assiduity, as is properly to be expected from, and ordinarily exercised by a reasonable and prudent man under the particular circumstances; not measured by any absolute standard, but depending on the relative facts of the special case."

Special Diligence:  "The measure of diligence and skill exercised by a good business man in his particular specialty, which must be commensurate with the duty to be performed and the individual circumstances of the case; not merely the diligence of an ordinary person or non-specialist."  For CISOs, you can hang or go free on this one.


Saturday, June 28, 2014

An Amazon Secret

I got this the other day, as part of a response to my question about lowering the price of one of my books, Keeping Secrets.  

Amazon.com, as well as other retailers, sets the selling price of items on its website. In some cases, the selling price will be above the list price; in other cases, the selling price will be discounted to a price below the list price. Keep in mind that you set and control the list price of your work, while the selling price and any discounts are set at the discretion of the retailer and are subject to change.

Only you can alter the list price you set in your CreateSpace account. The royalties you earn from Amazon.com retail sales, as well as sales by other retailers, will be based on the list price, not the selling price. Neither you nor CreateSpace has the ability to change the selling price of your work on Amazon.com.

Friday, June 27, 2014

IBM sells farm to China

In Wednesday's Wall Street Journal, Spencer Ante describes the sale to China we heard so much about [see http://online.wsj.com/articles/ibm-lenovo-tackle-security-concerns-over-server-deal-1403733716 ].  This is the X86 line of servers IBM builds.  CFIUS still hasn't ruled on this deal, and there are quite a few questions being asked about the risk of selling the server manufacturing line to China.  Those questions are certainly late, but they take into account the risks of selling a line of products like the Lenovo computers or the X86 servers to another country, especially one like China.

They are late because most server components, and lots of servers, are already made in China.  So many that it is almost impossible to find a U.S.-made server that is competitively priced.  There are really two issues that Ante describes: the product vulnerabilities and the maintenance vulnerabilities.  Neither of these is new, but both have been widely disregarded by Federal officials in the past.

Lenovo offered a solution that would allow IBM to do maintenance on the product line for 5 years.  This means the service would be provided by IBM, in some cases by IBM's U.S. citizen employees, but the computers would be made in China, and the parts and upgrades would come from there.  Whoever made such an agreement must not be thinking clearly.  Firmware-based attacks, embedded ways into the infrastructure for control and access, are not made by the maintenance person, but by the stuff he brings in to do upgrades.

The X86 server is ubiquitous in the enterprises of government agencies.  Having them in the total control of the Chinese is not worth discussing.  They are everywhere, and while DoD "studies the possible effects", they don't need to study very long.  Of all the places where Buy American is needed, this is the first.  We need U.S.-manufactured servers, and we need to control our own parts and software distribution for those National Security parts of the infrastructure.  Yes, it is more expensive; does that mean we can't or won't protect ourselves from the risks that go with it?

We have let this erode over the years, and one day it will bite us.  Not everybody is our friend.  Maybe in the international markets there is a place for this kind of deal, but we should be exempting contracts that apply to that part of our networks.  If we don't, we could end up with the Chinese controlling our entire infrastructure.  I doubt that even IBM thinks that is a good idea.

Thursday, June 19, 2014

Lerner's E-mail

Where is the e-mail server for Lerner's e-mail?  A lot has been said about her own computer, but nothing about the server that e-mail was processed on.  Is IRS really saying they had no backups for the servers?

GAO posted a review of IRS security in March of 2013.  It says the following:

...A business impact analysis is an analysis of information technology system requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption. Moreover, it correlates the system with the critical mission/business processes and services provided and, based on that information, characterizes the consequences of a disruption. The Internal Revenue Manual requires the agency to develop, test, and maintain information system contingency plans for all systems, and to review and update these plans. The manual also requires a business impact analysis for each system, and includes steps for completing this process. In addition, according to the manual, IRS shall implement and enforce backup procedures for all systems and information.

The report recognizes that the IRS had some problems identified the year before and was making progress on them.  It would be impossible to believe that GAO did not look at backup and recovery procedures, because they tested some of them during the audit.  They also did not call out any area of backup as being deficient.

Wednesday, June 18, 2014

Spyware in a New Phone, from China

Stephan Dorner, in today's Wall Street Journal, has an interesting story about malware found in a phone manufactured in China.  See: Spyware Detected in Phone, The Wall Street Journal, 18 June 2014
http://online.wsj.com/news/articles/SB20001424052702303384304579630700003634772?mg=reno64-wsj

The phone is the Star 9500, made by a company called Tianxing.  The malware is called Usupay.d; it was discovered originally by Kaspersky Labs in 2013, and in the phone by G Data, a German cybersecurity company.  It is embedded in the firmware of the phone, making it hard to get rid of without a firmware update.  The server for the phone version was in China, which we might expect with a phone made there.

There are two main things to consider about this kind of trojan, which sends back location information and gives other parties access to the phone: (1) it may not have been installed on purpose, and (2) it may be an indication of something even more interesting than just the detection of it.

The Chinese are notorious for stealing almost everything, and it should not surprise anyone that they might have been stealing software that was already infected with this trojan.  They can say it wasn't installed by them, it wasn't done as a part of their commercial operations that manufactured the phone, or they can say it was done after the phone was manufactured.  Commercial operations that are discovered putting hacking software into their commercial products will not live very long in the marketplace.  Even Chinese companies know this, and I would guess they didn't do it on purpose.  They are probably scrambling around like fools trying to find out where this came from and how they can get rid of it.

This has happened before.  If you want to read a spooky account, see last year's Ars Technica story by Dan Goodin describing an attack against their software used to discover attack vectors for software.  Firmware attacks are hard to discover and get rid of.  They can end up in commercial products when the machines being used to build a product are already infected.  It doesn't say much for the builder of the product, except "sloppy and unprofessional".
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

The second aspect is, I suspect, justice for the people the Chinese steal things from.  Anyone who doesn't use commercial standards for product development deserves what they get.

IRS E-Mail

In today's Wall Street Journal, there is another story of woe in the IRS Lerner e-mail saga.  The IRS now claims that it was not keeping backups for longer than 6 months and that archived e-mail was stored on individual machines, so when they crashed, it could not be recovered.  Incredible.

First, this isn't even standard business practice, and if true, a few CIO heads should roll.  The article also says they were using tape for backup, which is somewhat hard to believe.  There have been a hundred or so versions of "IRS Modernization" sold to Congress in the past 25 years, and one of them must have addressed backup and recovery of the network.  We did not get our money's worth on that one.

The point of yesterday's story was the incredibility of the statements coming from the IRS.  All this does is add to them.  No organization in government does this kind of IT.  There is no reason to believe the IRS would either.

Saturday, June 14, 2014

Computer Eats Lois Lerner's Email

In what is the most incredible set of circumstances, the IRS lady who was responsible for exempt-organizations and ended up taking the 5th (for those outside the country the 5th Amendment is in the U.S. Constitution and says, in effect, a person does not have to testify if the information given will incriminate them), says her computer ate her e-mail.  This e-mail, some believe, will show there was somebody in the White House who knew that she was trying to make it harder for Tea Party groups to get tax exempt status, maybe even directing that it be done.  No evidence of it was ever found, which means there was none to be found, or what was there was not "discovered" in discovery.  This is not the first time that has happened, as any good lawyer knows.

So, after a year of slogging around, providing "unprecedented efforts" costing over $10M (undoubtedly a hard number to believe) to supply Congress with documents and information covering the matter of her testimony, this revelation is announced, almost as an aside.  [See John D. McKinnon, IRS Says Official's Emails were Lost in Computer Crash, The Wall Street Journal, 14 June 2014, http://online.wsj.com/articles/irs-provides-more-emails-in-conservative-group-targeting-probe-1402684543?cb=logged0.8742854848969728 ]

When you teach, you hear all of the usual stories about why my term paper was not submitted by the due date, why I can't take that exam on Tuesday, or why I missed class that day.  I have reminded more than one student that grandparents can only die once, and that a new computer will keep those documents somewhere, even if you don't try hard to make it happen.  There are no systems in government that don't have backups, and even a public person with something to hide knows that hiding is not easy to do.  But, even the IRS knows, nobody with a brain is buying this story.

Anytime a government agency tries to sell an incredible story, it usually ends up in hot water.  Watergate was the best of them, but the "I didn't have sex with that woman" was right up there with the best.  Lately, we are treated to such beauties as "we weren't negotiating with terrorists", "we always bring our boys home", and "a video caused those people to riot and kill our Ambassador".  These are tied up in ritual beliefs that the public will buy anything if it is packaged in a way they are comfortable with.

An incredible story creates a black space that is looking to be filled.  It can be filled with facts, or we can make up something to fill it, but one way or another, our brains don't buy incredible.  We don't accept it.

I managed a forensics function in EDS and understand what can be sucked out of a computer after it is dead, crashed, erased, even sabotaged.  A woman who erased all the financial records she could find found out that we could not only show that they could be recovered, but that we could prove she erased them.  She was surprised and confessed.  Plenty of others followed her.  It is really, really hard to get rid of this type of data, even when you know what is there and how to do it.  Computers are just not very good at cooperating when somebody tries to get rid of things.

IRS is not trying.  It isn't just an oversight, or a lack of initiative on their part;  they are not trying or they could recover those e-mails.  They may not want to;  they may be told not to;  they may just not have the expertise in-house.  Whatever it is, they are not trying.  Furthermore, not trying is not a good excuse.

I'm astounded that the press is not all over this.  Somebody knows where those e-mails are.  Somebody knows what is in them.  Somebody knows that floating a story like this is tantamount to suicide for any agency that does it.  It is only arrogance that allows it to happen.  I worked in the IRS for a while, years ago, and the people there are not like that.  Somebody will turn this, and the press people who get there first will have an interesting story worth telling.  No amount of political manipulation will stop it.  Those things are available, and they will be found.

Sunday, June 8, 2014

Don't Mess with the ISI

The New York Times, on Saturday, carried a story about the mess a news agency can get into when it clashes with an Intelligence Service like Pakistan's ISI, known for its lack of subtlety and its friendship with the Taliban.  (See Declan Walsh, Pakistan Suspends License of Leading News Channel.)

Geo News, a popular CNN-like news channel, blamed the ISI for a shooting attack on one of its reporters.  The military put some heat on cable TV operators to drop the station, which many of them did.  Advertising revenue dropped off, four vehicles were burned in different cities, and a journalist was beaten up by someone calling him a "traitor".  On Friday, the government suspended Geo's license for 15 days and fined them $100,000.  The current situation came from having a popular news anchor, Hamid Mir, beaten up.  His relatives blamed the ISI, and their claims were broadcast on the network.  The government of Pakistan sided with Geo.

If this happened in the U.S., it would be something like this:

The Director of National Intelligence is accused by CNN of having someone from SEAL Team Six shoot at one of its reporters.  Given the skill of this team, there is little doubt they did not intend to kill the guy, because they could easily have done it.  The White House issues a statement critical of the DNI and backs up CNN's reporting, leaving everyone thinking the DNI is overreaching his authority by a good bit.

CNN starts talking to a Cuban news station, trying to get a peace initiative started.

NSA starts calling the advertisers for CNN and the cable operators like Verizon, COMCAST, and Time Warner, asking them to drop CNN.  CNN has more news and fewer commercials, which is a positive.

Cars CNN uses to beam back stories are burned in Atlanta, Baltimore, San Diego and Kansas City.  One of CNN's reporters is beaten up and threatened.  Right after his news show is over, Jake Tapper is beaten up in the parking lot of CNN.  Jake's mother, uncle and a first cousin from Toledo are on air the next day blaming the DNI and every Intelligence outlet they can think of.

The White House praises Tapper as "a great American".  The DNI says no comment, letting a representative of the FCC speak.  The spokeswoman says the license of CNN is suspended for two weeks and they are fined a small amount.  Many people switch over to MSNBC and Fox News, which no longer have representatives in the White House.

We take for granted that this kind of thing wouldn't, and couldn't, happen in the U.S., but judging the rest of the world by your own standards isn't always a good idea.  I thank God for the difference.  We have to wonder who is running Pakistan.

Tuesday, June 3, 2014

Chinese Crackdown vs U.S. Methods

In today's Financial Times, Jamil Anderlini (Artist detained in Tiananmen clampdown) writes that China controls information better than most countries.  Chinese versions of an interview with Guo Jian that appeared in the weekend edition of the FT had the article removed.  Guo was at Tiananmen when the PLA started shooting people near him.  He tells the story like it was yesterday, but it was 1989.  "Dozens" of people like him have been arrested or disappeared in the run-up to the anniversary.  The event is not taught in schools.  No mention of it is permitted on the Internet or social media.

There is something about censorship that makes an enemy of people speaking the truth, and an enemy of governments that hold it down.  

I was reminded of it yesterday when a stream of spokesmen hit every news broadcast to tell us that a soldier, who was traded for 5 of the most dangerous men in the world, was not being swapped in a prisoner exchange.  Congress couldn't be notified because it was urgent, or they were already notified and should have remembered, depending on who was talking.  His health was failing, though it seems he is in good health.  The White House "didn't give a shit" that he walked away, leaving a note of dissent.  He was a soldier not left behind.  This whole affair and Tiananmen Square's 25th anniversary are an incredible mix of politics and control of the press.  There is something wrong with a government that can lie with a straight face, beat back the opposition, stifle anyone who disagrees, and claim a free press.  It's amazing that both use dissimilar methods to get to the same result.