Senate sees exponential rise in computer attacks, might be time to rethink security posture, not just spend more to respond

In comments justifying a requested $15 million operating budget increase for fiscal 2011, the Senate Sergeant-at-Arms stressed the need to improve computer security in the face of an extraordinary rise in security “events,” which reportedly went from 8 million per month in 2008 to 1.6 billion (yes, billion) per month in 2009, and are still climbing. The Senate security operations center apparently sees nearly 14 million attempted attacks or other events every day. Managing the IT security for the Senate’s computing and network infrastructure is among the responsibilities of the Sergeant-at-Arms, which also provides a variety of support services to U.S. senators and Senate and committee offices, such as printing, direct mail, audio and video recording studios, and wireless telecommunications services through Verizon, the Senate’s preferred provider. With that kind of increase in attack activity directed at your environment, you’d want more resources too, but it might also be a good time to look at your environment to see whether any architectural or design characteristics are contributing to the volume of attacks coming in, particularly the visibility of Senate network infrastructure to outsiders.

The core computing operations for the Senate Sergeant-at-Arms reside in the Postal Square building in the shadow of Union Station in northeast Washington, DC. From this central location, the Sergeant-at-Arms oversees a wide-area network providing connectivity not only to Senate offices on Capitol Hill, but also to all home-state Senate offices across the country. The computing infrastructure is segregated according to political party, at least since the 2004 incident when Republican Senate staffers allegedly took advantage of the fact that Democratic and Republican files were co-located on the same server to gain unauthorized access to Democratic files. The Senate, like many federal agencies both large and small, does not use network address translation (NAT) and instead assigns IP addresses to its servers from its allocated netblock. Both the primary public-facing Senate web servers (www.senate.gov) and its intranet servers (us.senate.gov) are hosted by the Senate Sergeant-at-Arms, in contrast to the House of Representatives, for example, whose network configuration directs users requesting www.house.gov to edge content servers hosted by Akamai. Even without the use of NAT-ed IP addresses, it is somewhat surprising that the primary IP address for the intranet appears in publicly accessible nameservers, including the sen-dmzp.senate.gov primary nameserver for the senate.gov domain. The simple fact that the intranet server IP address is so publicly accessible makes it far more likely for network probes and attempted intrusions to be launched against the Senate’s internal network.

None of these configuration or network characteristics are new, so they have little explanatory value in getting to the root of the 200-fold increase in a single year in potentially malicious network security activity. It seems likely that the change in administration and, specifically, the change in the political alignment of the Senate, coupled with the significance of some of the items it has taken up on its agenda, would serve to heighten its visibility and therefore make the Senate more attractive as a target, whether threats are intended to cause denial of service, disrupt operations, or just call attention to information security weaknesses. In light of the increased demands on security operations personnel, devoting a portion of what amounts to a less than 7 percent budget increase seems unlikely to help the Sergeant-at-Arms really get a handle on its environment. It is possible that by distributing some of the perimeter infrastructure and network computing services, more attention could be focused on traffic filtering and intrusion detection and prevention, while also insulating the core support infrastructure for the Senate from potential disruption, data corruption, disclosure, or other loss.

Is the recent focus on the “cyberwar” intended to build support for more government monitoring?

Homeland Security secretary Janet Napolitano emphasized in her keynote speech at the RSA conference last week the need for greater collaboration between the government and private sector in order to effectively address cybersecurity challenges facing the U.S. In what amounted to an open call for participation by the private sector, Napolitano announced DHS’ new National Cybersecurity Awareness Campaign Challenge, an initiative intended to come up with ideas on the best ways to raise security awareness not just among government agencies and private sector organizations, but among the public at large. The reiteration of what has become a consistent theme from administration officials comes amid an intensifying public debate about the state of information security in the U.S. and particularly the country’s ability to protect its critical infrastructure from a major cyberattack. In recent days senior officials from both the current and previous administration have taken sides on the issue of America’s position in the “cyberwar.” Outspoken former director of national intelligence Michael McConnell took to the op-ed pages of the Washington Post last weekend to argue both that our country is engaged in a cyberwar, and that we’re losing. Current administration cyber czar Howard Schmidt responded during an interview with Wired magazine during the RSA conference, declaring “There is no cyberwar.” This debate was sparked to its current level of acrimony in part by the recently conducted Cyber Shock Wave exercise, some observers of which concluded that it exposed significant gaps in preparedness that called into question how effectively the government could respond to a large-scale incident if one occurred.

Leaving the semantic debate about the “cyberwar” aside, what seems unambiguous is the government’s intention to do more to establish and maintain situational awareness of the nation’s critical infrastructure. Given how much of that infrastructure is owned and managed in the private sector, there doesn’t seem to be a feasible approach to improving overall cybersecurity without the private sector playing an integral role. In this context it also seems non-coincidental that the government is giving public notice of its intention to someday provide comprehensive monitoring of all critical infrastructure, not just government networks. The mechanism for this would presumably be the Einstein program, administered by DHS but operated by the National Security Agency (NSA), which has long alarmed privacy advocates concerned about the prospect of the government potentially reading the personal communications of private citizens. Some in the media are now suggesting that cyber-hand-wringing by McConnell and others is really intended to garner public support for the expansion of telecommunications monitoring programs by the government. Whether or not you find this argument convincing, there is a pretty strong precedent in the form of the USA PATRIOT Act for the government using evidence of weaknesses in the national security posture to greatly extend government authority in the name of national security, at the expense of civil liberties and personal privacy rights.

Hacking of high school grading system raises key security practice issues

Although it is one of the top-ranked schools in high-performing Montgomery County, Maryland, in the past few months Winston Churchill High School has been more noteworthy for the alleged hacking by students into the school’s grade reporting system, resulting in changes to as many as 54 grades. The investigation into the hacking incident is now a criminal one, and not all the details of the incident have been disclosed, but from what has been reported, several key issues emerge in terms of security practices (or the lack thereof) that may have facilitated the intrusion. These issues at a minimum provide food for thought for other organizations thinking about their own security controls, and they also offer valid points of reference for any organization conducting an assessment of its own computing environment.

The attack scenario described in published media reports suggests that up to 8 students were involved in first capturing teacher passwords to the grading system with the use of a keylogger or similar program contained on a USB drive attached to a school computer. Once the passwords were obtained, the students were able to gain access to the grading system on multiple occasions and make changes to grades. It seems that the students in question had routine authorized access to the computers used to access the grading system, and there is no mention of whether the grading system can be accessed remotely. Looking at the incident from a defense-in-depth perspective, there appear to have been exploitable vulnerabilities at multiple levels, including at least in the physical, platform, application, and user layers, and possibly the network layer as well.

  • Students had unsupervised physical access to school computers sufficient to allow the placement of the keylogging devices on the computers and, after passwords had been captured, to use the computers to access the grading system and make changes. Given the sensitivity of applications and corresponding data accessible from these computers, physical access should either be monitored more closely if valid reasons exist for students to use the computers, or better yet, access to these computers should be restricted to faculty and administrative staff only.
  • Without knowing what sort of network or system-level monitoring was in place at the school, it is hard to say whether the attachment of the USB drives containing the keylogging program was unrecorded, or recorded but unnoticed, but in either case, the fact that USB drives were permitted to be plugged into school computers without any sort of scanning or verification provided a vital weakness for the hackers. There is a big difference between a USB drive functioning purely as a file storage device and one from which a malicious application is able to run undetected, so assuming disabling the USB ports is not practical due to legitimate uses of USB devices, the use of end-point device monitoring or even closer monitoring of Windows security and event logs would presumably provide technical administrators sufficient visibility into what’s happening on the computers to close down this attack vector.
  • The grading system would appear to provide user authentication and authorization based only on usernames and passwords, which may or may not be appropriate given the perceived risk to the school of an intrusion into this system. The use of a keylogger renders moot the question of password strength, although in the wake of the attack school administrators apparently did urge teachers to change their passwords immediately, and to do so again on a regular basis, suggesting that users were not required to change their passwords periodically.
  • On a positive note, it appears the grading system did log all record updates, including tracking which records (and grades within records) were changed and at what time, but unfortunately not by which user. This audit log did give the school some ability to reconstruct the unauthorized changes, although the school had to enlist the help of its teachers, asking each of them to review their grades. It is not clear if any sort of log inspection or alerts are generated from the logs, potentially based on factors such as the number of times a single grade is changed, the time lag between changes (especially for changes after the end of the grading period), or the number of grades changed in a single session for a given user. Automated log analysis of this sort would go a long way towards more quickly identifying suspicious grade changes.
  • Despite the fact that transactions like grade changes are recorded, the unauthorized changes apparently only came to light because a teacher noticed discrepancies in his or her own grades. This seems one of the hardest elements of this story to understand, as it implies that over a period of a semester or longer, individual teachers were not sufficiently detail-oriented to recognize grade changes among their rostered classes. It’s not a stretch to think that most or all teachers would have some paper-based grading records that are used to support the entry of course grades in the system, so presumably the raw data should exist to help investigators as they examine the grade records of all students.
  • The level of security awareness among users may be somewhat less than it should be at the school. It may be unreasonable to assume that an average user would visually inspect the computer he or she was using, and it’s entirely likely that the keylogger-containing USB drive was attached to a port on the back of the machine or other unobtrusive location. Organizational security awareness (or more generally, risk awareness) also seems sub-optimal, based on no other evidence than the permitted student use of faculty computers without supervision.
  • As noted previously, there is nothing in published reports to suggest that the grading system can be accessed remotely, whether over the Internet using a Web-based interface or perhaps after establishing a VPN session or other secure connection to the school’s network. Many school districts run centralized computing resources, including administrative systems such as grade reporting and online classroom applications, so network-based access appears likely, and remote access is at least feasible. While the ability to access the system remotely might facilitate student hacking efforts (removing a risk of being caught while misusing a school computer), the use of additional network access credentials (such as a separate username and password for a VPN connection) would provide an additional layer of security for scenarios not involving student use of on-site workstations.
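The automated log review suggested above, as an added example that is not part of the original post: the three heuristics (a single grade edited repeatedly, changes after the grading period closed, and many grades changed in one user session) run over a constructed CSV audit log. The record format, the sample rows, the grading-period date and the thresholds are all assumptions; the session rule also assumes the log records the acting user, which the school’s system apparently did not.

```python
# Added example: heuristic review of a grade-change audit log. The CSV record
# format and the sample rows are constructed for illustration; the per-user
# session rule assumes the log records a user, which the system above did not.
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

SAMPLE_LOG = """timestamp,user,student_id,course,old_grade,new_grade
2010-01-10T14:02:00,tsmith,S100,Algebra II,B,B+
2010-01-22T15:10:00,tsmith,S100,Algebra II,B+,A-
2010-01-28T16:45:00,tsmith,S100,Algebra II,A-,A
2010-02-03T22:14:00,jlee,S200,Chemistry,C,B
2010-02-03T22:15:30,jlee,S201,Chemistry,C-,B+
2010-02-03T22:16:10,jlee,S202,Chemistry,D,B
2010-02-03T22:17:05,jlee,S203,Chemistry,C,A-
2010-02-03T22:18:40,jlee,S204,Chemistry,C+,A
"""

GRADING_PERIOD_END = datetime(2010, 1, 29)  # constructed; set from the school calendar
MAX_CHANGES_PER_GRADE = 2                    # same student/course edited more often -> flag
SESSION_GAP = timedelta(minutes=30)          # edits by one user closer than this share a session
MAX_CHANGES_PER_SESSION = 4                  # more grades than this in one session -> flag

def parse_log(text):
    # Attach a datetime to each CSV row and sort the rows by time.
    rows = [dict(r, ts=datetime.fromisoformat(r["timestamp"])) for r in csv.DictReader(StringIO(text))]
    return sorted(rows, key=lambda r: r["ts"])

def find_suspicious(rows):
    """Return (rule, detail) findings for the three heuristics in the text."""
    findings = []
    # Rule 1: the same grade edited repeatedly.
    for (sid, course), n in Counter((r["student_id"], r["course"]) for r in rows).items():
        if n > MAX_CHANGES_PER_GRADE:
            findings.append(("repeated_edit", f"{sid}/{course} changed {n} times"))
    # Rule 2: any change after the grading period closed.
    for r in rows:
        if r["ts"] > GRADING_PERIOD_END:
            findings.append(("late_change", f"{r['user']} edited {r['student_id']} at {r['timestamp']}"))
    # Rule 3: many grades changed by one user within a single session.
    for user in sorted({r["user"] for r in rows}):
        count, last = 0, None
        for r in (x for x in rows if x["user"] == user):
            count = count + 1 if last is not None and r["ts"] - last <= SESSION_GAP else 1
            last = r["ts"]
            if count > MAX_CHANGES_PER_SESSION:
                findings.append(("bulk_session", f"{user} changed {count} grades in one session"))
                break
    return findings
```

On the sample log, `find_suspicious(parse_log(SAMPLE_LOG))` flags the Algebra II grade edited three times, the five Chemistry edits made after the period closed, and the same five edits as one bulk session.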

The most positive aspect of this incident appears to be the simple fact that the unauthorized changes were discovered at all, although there is still some question as to how long the changes had been occurring. Subsequent news reports placed the number of teacher gradebooks involved in the unauthorized changes at 35, far more than originally reported. It may be that the student hackers were victims of their own ambition, and if they had changed fewer grades they might have escaped notice, or at least delayed the discovery of the intrusion.

Microsoft working with German government to implement claims-based ID cards

While promoting the release of its Forefront Identity Manager product set during this week’s RSA conference in San Francisco, Microsoft announced its support for a prototype national ID card system in Germany that is designed to allow individual citizens to use a single ID card yet precisely control the personal information disclosed by individuals to the minimum necessary to perform a given function or complete a specific transaction. This is a practical implementation of claims-based identity management principles, which Microsoft (among many others) has been advocating for several years. Even without going to the level of a nationalized identity system, giving users the ability to manage all their identity attributes but limit the disclosure of personal data to just what’s needed is a promising approach within specific industry contexts such as healthcare. The U.S. federal government, through agency-specific initiatives as well as the efforts of the Identity, Credential, and Access Management (ICAM) Subcommittee of the Federal CIO Council, is pushing forward with federated identity management following a user-centric approach using open identity, while continuing to try to address some of the key security and privacy challenges associated with this approach.

Read-only computer security hardware device claims to be hack-proof

Despite the dismissal-as-foolishness that such claims often bring, security start-up vendor InZero Systems is marketing a sort of hardware proxy device that it claims is hackproof.
As featured in an article in the March 8, 2010 issue of Business Week, the device operates using read-only memory and operating system execution, yielding no foothold for malware or other invasive threats to succeed. Users place the InZero device between their own computer and the Internet, presenting a protected outward-facing interface while passing safe content through to users. The article likens using the device to using a webcam pointed at another computer to insulate yourself from anything malicious that might be out there. The company cites a fairly impressive list of penetration testers and other expert security evaluators, none of whom has apparently been able to compromise the device.