Unsocial networking

There’s a new social networking system on the block, but you’re not going to become a member any time soon. A-Space is for US intelligence spooks only, and it’s an attempt to bring about joined-up thinking in the covert community. Good luck with that.

Some 16 agencies are involved in the project (did you know there were that many?). In part, it’s a response to the embarrassing chaos in intelligence sharing that was highlighted by 9/11. But it’s also part of a general trend in military and intelligence spheres - an attempt to live up to the image we all have of these agencies as high-tech, highly efficient snoops.

In the Bourne trilogy, Bond movies and countless other thrillers, the CIA, NSA and the like are portrayed as having capabilities of which the real agencies can only dream. Instant, highly detailed imagery of any place on Earth. Access to database information and intelligence reports that can tell you, in just a few taps of the keys, where the bad guys are and what they’re having for lunch.

The reality is patchy information, much of it usually out of date and of dubious provenance, held in mutually inaccessible islands of information. It is often hard to merge the data because it is held in incompatible formats on unconnected machines.

Much work is being done on this in the military world. Huge amounts of money are being invested in networked systems - the buzzwords are Network Enabled Capability (NEC), a cornerstone of the UK’s Defence Industrial Strategy, which is now becoming the Enabled Network. In today’s battlespace, every soldier, weapon, vehicle or aircraft is regarded as a node in the network. There is much talk of the ‘sensor-to-shooter’ loop (hopefully going via a decision maker at some point), and ‘situational awareness’ made possible by creating a Common Battlespace* Picture.

Two key technology areas - C4I (command, control, communications, computers and intelligence) and ISTAR (intelligence, surveillance, target acquisition and reconnaissance) - are being merged in the holy grail of C4ISTAR. What this means is having all the technology in the battlespace sufficiently joined up that there is a continuous process from a potential target being spotted to action being taken. For instance, you might have a grunt on the ground radio back (possibly with a helmet-mounted video camera providing extra info) to a commander that a suspicious target has been spotted. This is escalated up a networked command chain. Along the way, other assets might be used to add to the picture - perhaps the weapons video or radar in an overflying jet, or pictures from a rapidly launched UAV. At HQ, this data is merged (actually, ‘fused’ is the preferred term) with info from, say, recent satellite imagery or intelligence reports. A decision is made that this target is indeed a bad guy (and not, say, a wedding party). Targeting data is fed up to the jet which uses it to guide its missile.

Similar efforts are being made to fuse data in the intelligence sector. The problem has often been the incompatibility of various systems, but this is being tackled through a level of abstraction. For example, General Dynamics - in part, developing work by Cardiff University - has created the OSIRIS system. This is capable of extracting information not just from various intelligence databases but also from any number of other sources, regardless of structure. This includes public domain information on the Internet. Your Facebook page, perhaps. It can actively seek out data sources. And it doesn’t just merge it: it applies a degree of intelligence itself, to decide what is relevant, what might be reliable or unreliable, important or unimportant, through ‘semantic tagging’.

You probably thought they were doing stuff like this already. But the military and intelligence sphere has been hampered for years by stovepiped systems, developed by scores of separate suppliers with little co-ordination, often in response to the specific need of a specific agency or service. Incompatibilities are rife even within each country’s forces, let alone between nations. (‘Interoperability’ is another big buzzword on everyone’s lips, but so far with few practical applications beyond sharing common ammunition, sometimes.)

So now we have A-Space, where spies, spooks and Feds of all stripes will be able to share their favourite bands and pictures of kittens. Of course, we’ll never know because, they say, it’s not connected to the Internet. (Oh really? Are you sure? At no point whatsoever?) This has ‘hacker bait’ written all over it. For the successful black hat there’s the lure of ultimate peer respect - and maybe a long trip to Cuba.

* The military uses the term ‘battlespace’ rather than ‘battlefield’ because some of the entities involved (decision makers, UAV pilots) might be a very long way from where the shooting’s taking place - like in Florida, or Nevada.

What do presidential campaigns and corporate risk have in common? Quite a lot, apparently. With both presidential candidates having picked their running mates, we’re starting to see a pronounced difference in their environmental stances, and that could have significant ramifications for future corporate fortunes.

Barack Obama chose political veteran Joe Biden, who the League of Conservation Voters is backing (following its official support of Obama’s platform). Conversely, John McCain finally plumped for Sarah Palin, governor of Alaska, as his future veep - and she’s an environmental disaster in the making.

McCain likes Palin because he loves the idea of offshore oil drilling, which is one of the main ways in which his platform differs from Obama’s. He wants to rescind the Congressional ban on offshore drilling (Bush already lifted the federal one). Palin loves offshore drilling, too. Alaska stands to benefit from oil exploration in areas such as the Chukchi Sea. But therein lies the problem.

Drilling off the Alaskan shore isn’t just about the oil. It caps an underlying debate about carbon emission regulations that will ultimately affect companies’ ability to do business, along with small stuff like the future of the planet as we know it. And in two short years, Palin has shown just how little she cares about this issue.

This month, she sued the US Government over the listing of the polar bear as an endangered species, citing its potential effect on oil drilling. A gaggle of conservation groups led by the Center for Biological Diversity had finally got the polar bear listed under the Endangered Species Act in May. The listing followed a multi-year battle, during which they repeatedly sued the Department of the Interior after it refused to issue a decision.

The DoI wanted to delay its decision because it was scrambling to sell off oil exploration leases in the area and those lease sales have now happened. Selling the leases, just like exploring for oil, would be much more difficult if the bear was on the ESA, because anything that could threaten an endangered species under the ESA is automatically subject to what’s called a section seven consultation with the US Department of Wildlife and Fisheries. For ‘consultation’, read ‘red tape’, and ‘delay’.

Aside from stopping the lease sale, the Government was also wary about putting the polar bear on the list because of what the underlying threat meant. The CBD wanted the bear on the list because its habitat was being eroded. Ice floes were melting. Bears were drowning, and starving. And what melts arctic ice? Warming, of the global kind.

The outgoing administration doesn’t want climate change mentioned in the same breath as the ESA, because it doesn’t want to legally admit a link between carbon emissions and environmental effects such as habitat erosion. If conservation groups manage to use existing environmental legislation to establish that precedent, the Government might have to regulate emissions. That means lots of section 7 consultation, and a mountain of red tape, for a wide variety of federal activities. The effect on business could be immense.

The problem is that this precedent had already been set. A group of states and conservation groups sued the EPA to make it recognise carbon dioxide as a pollutant under the Clean Air Act, and in April last year, they won. With CO2 recast as a pollutant, the Supreme Court ordered the EPA to consider whether it should regulate it, and it had to issue a decision.

Environmental groups waited. And waited. Eventually, the EPA sent a draft decision to the White House, which leaned strongly toward regulating CO2. The White House decided to dodge the issue by simply refusing to read it. We’re not kidding. Look.

Seven months later, EPA administrator Stephen Johnson issued an Advanced Rule of Proposed Notemaking (APNR) on the decision, which effectively meant that the EPA wouldn’t have to make any decision until the next Administration took office. Why the about face? Jason Burnett, a whistleblower who left the EPA and testified to a House Oversight Committee, gave evidence strongly suggesting that the White House directly leaned on Johnson, who refuses to talk about the concept of executive privilege. That testimony suggests that the opposition to carbon regulation comes from as near the top as dammit. From Cheney, if others are to be believed.

That’s why the Administration has been so eager to sidestep the legislative system in its attempt to stop GHG regulation. When the polar bear was listed, the Government put in place a ‘special rule’, 4D, which prevented climate change being factored into the bear’s fortunes. Then, this month, the DoI issued a proposed regulation which would effectively nix the concept of section 7 consultations altogether. Instead, it would let the EPA conduct an in-house consultation, only approaching third party experts if it deemed it necessary.

But if the White House is already dictating EPA policy, where does that leave us? And with Palin set to fill the role of Cheney, one has to wonder just how much will change in a Republican government.

All this will come as no surprise to environmentalists, but why should businesses care? Because their investors do. By August 22, 57 resolutions had been brought against US firms by shareholders concerned about the effect of climate change on corporate fortunes. Businesses and their shareholders like certainty. Climate change and its causes bring uncertainty, and are bad for business. This is already translating into policy. Look to firms like Swiss Re in the insurance sector, who stand to suffer the most as the effects of global warming begin to hit.

Forget discussions on the economy, abortion, and Iraq. This is going to be an environmental presidency, and a pivotal one. Kert Davies, research director of Greenpeace US, recently told me that if we didn’t carry out some serious environmental mitigation under the forthcoming administration, the fight for sustainability would essentially be over. We’re running out of time.

With both candidates promising a cap and trade mechanism for carbon emissions in the US, we may yet see some action, but existing cap and trade systems in the US look set to be relatively toothless. The Regional Greenhouse Gas Initiative, which enforces carbon trading across multiple northeastern states, has enforced a trading cap that’s more than the combined emissions of affected power plants (in other words, it doesn’t matter).

So we can’t just look toward broad policy and its effect on climate change. We have to look at the specifics of implementation, which could be influenced by individuals like Palin (and the guy who chose her). And at this stage of the game, presidential hopefuls won’t want to release too much information. We have to rely on their existing records.

The devil will be in the detail. But hopefully not in the White House.

The menace in the cloud

The report of a vulnerability in Facebook applications is just the latest sign that threats to the average web user’s security are moving off into the clouds.

The proof-of-concept JavaScript exploit (reported at The Register) takes advantage of a failure by Facebook’s systems to sanitise code.

What is significant about this new breed of vulnerability is that it makes no difference how good your firewall is, how up to date your patching, how many anti-virus packages you’re running or even what operating system you’re using (so OS X and Linux users can take that smug smile off their faces). In the much-hyped world of Web 2.0 and cloud computing, the applications that contain the flaws come nowhere near your own machine.

That’s bad enough. It means you have no means of fixing the vulnerability other than waiting for the system’s owner to admit there’s a problem (which, so far, Facebook has refused to do) and get around to sorting it. You have no control over your own level of risk and exposure other than to stop using the system.

In that sense, it’s not much different to using proprietary, closed-source software. But there is a difference. Even if you do stop using the system, it probably won’t be enough. And that’s because the real danger lies in the exposure or misuse of your private information. The dangers posed by the Facebook flaw, for example, range from letting everyone see your private photos through to ID theft. And this is because it’s not just the application that lives in the clouds: your personal information is there too. And unlike the sensitive data residing on your hard disk, you can’t personally take any steps to protect it. It’s out of your hands.

As social networking becomes a social norm, people are putting more and more of their lives on to the servers of Facebook, MySpace and who knows how many other Web 2.0 sites. Their documents, address books and spreadsheets now exist in Google’s cloud. Leaving these sites - shutting down an account and having all your personal information wiped from the servers - is notoriously difficult, with no guarantee that it has been competently accomplished. So even if you learn of a vulnerability, the options open to you to mitigate any potential damage are … well, essentially none.

So, in the Web 2.0 world, we are no longer capable of managing our personal security. Perhaps it’s time for the service providers to accept more stringent requirements and greater legal responsibility. Given that they have such total control over our security, it’s time for them to accept the risk.

A new report details the current generation of threats to web security.

Finjan, which describes itself as a pro-active Web security and anti-spam specialist, has released its Q2 2007 IT security trends report.

The report details some interesting types of attacks designed to by-pass signature-based and database-reliant IT security technology.

The report also details the proliferation of affiliation networks based on a ‘hosted model’ for malicious code, which use off-the-shelf malicious code packages to compromise popular web sites.

The last major discovery on the malware and hacker attack front from Finjan was last year, when the company revealed hackers were starting to use code obfuscation (hiding) techniques to prevent their malware being discovered.

These techniques even stretched to storing the malware and/or infected code on a cached server, such as Google’s Webcache, meaning that conventional URL filters could not spot the malware, and allowed hapless web users to load up the infected pages without question.

But now it gets worse, as Finjan has discovered that hackers are keeping track of the actual IP addresses of visitors to a particular site or web page.

Using this information, the attackers restrict exposure to the malicious code to a single view from each unique IP address.

Put simply, this means that the second time an IP address tries to access the malicious page, a benign page will be loaded in its place, causing all traces of the original infected pages to disappear.
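The one-view-per-address behaviour leaves a trace in web proxy logs that record a hash of each response body. The following sketch is an added example, not code from the Finjan report; the record layout, the function name `first_view_only_urls` and the sample log are constructed for illustration.

```python
from collections import defaultdict

# Constructed proxy-log records: (epoch_seconds, egress_ip, url, body_hash).
# egress_ip is the address the web server sees; body_hash is a digest of the response.
SAMPLE_LOG = [
    (100, "198.51.100.10", "http://shop.example/index.html", "aa11"),
    (130, "198.51.100.20", "http://shop.example/index.html", "aa11"),
    (160, "198.51.100.10", "http://shop.example/index.html", "bb22"),
    (220, "198.51.100.10", "http://shop.example/index.html", "bb22"),
    (300, "198.51.100.20", "http://shop.example/index.html", "bb22"),
    (110, "198.51.100.10", "http://news.example/", "c1"),   # dynamic page:
    (170, "198.51.100.10", "http://news.example/", "c2"),   # body changes on
    (230, "198.51.100.10", "http://news.example/", "c3"),   # every request
    (120, "198.51.100.10", "http://static.example/a.html", "dd"),
    (180, "198.51.100.10", "http://static.example/a.html", "dd"),
]


def first_view_only_urls(records, min_ips=2):
    """Return {url: [egress_ip, ...]} for URLs whose first response to an
    address differs from every later response to that same address, while
    the later responses agree with each other across all addresses."""
    views = defaultdict(list)              # (url, ip) -> body hashes in time order
    for _ts, ip, url, body_hash in sorted(records):
        views[(url, ip)].append(body_hash)

    odd_first = defaultdict(set)           # url -> addresses with a one-off first view
    repeat_bodies = defaultdict(set)       # url -> hashes seen on repeat views
    for (url, ip), hashes in views.items():
        if len(hashes) < 2:
            continue                       # a single view proves nothing
        first, later = hashes[0], hashes[1:]
        repeat_bodies[url].update(later)
        if first not in later:
            odd_first[url].add(ip)

    flagged = {}
    for url, ips in odd_first.items():
        # One stable repeat body rules out pages that simply change every time.
        if len(ips) >= min_ips and len(repeat_bodies[url]) == 1:
            flagged[url] = sorted(ips)
    return flagged


if __name__ == "__main__":
    for url, ips in first_view_only_urls(SAMPLE_LOG).items():
        print(url, "served a one-off first view to", ", ".join(ips))
```

A flagged URL is a triage signal rather than a verdict, since first-visit interstitials and consent pages produce the same pattern.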

According to the report, hackers are also being motivated by commercial greed, locating infected pages on a dedicated malicious code server and then offering affiliate codes - which are added to the web site URL - to third-party hackers.

These third-party hackers are then paid commissions according to the number of infected visitors to the main site.

Basically hackers are being rewarded for driving traffic by fair means or foul (and usually the latter) to a malware-laden web site.

For the master hackers involved in these types of scams, the rewards are potentially quite high, as the infected pages load key logging and other site logging programs to the hackee’s PC.

The hackee’s PC then drip feeds personal data such as bank account log-in details and credit card details back to a web storage site, from which the hackers harvest data for fraudulent usage.

According to Yuval Ben-Itzhak, Finjan’s CTO, the problem with these types of attacks is that a growing number of sites are getting hit by stealthy attacks.

These attacks, he says, leave no visible damage and simply insert a line of HTML code that points to malicious code on an external server.

“The upshot is that any visitor to such a site may be jeopardising his/her personal identity, bank account details and credit card numbers to the criminals behind these operations,” he explained.

As you might expect, Ben-Itzhak is keen to promote Finjan’s IT security technology, but he does note - quite correctly - that businesses that rely solely on signature-based anti-virus or URL filtering technology may be left vulnerable to these types of attacks.
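Because the compromise described above amounts to a single added line of HTML that pulls content from an external server, a site owner can audit served pages for active-content references to hosts that are not on an approved list. This is an added example, not Finjan's or the report's code; `ExternalRefFinder`, `audit_page`, the host names and the sample page are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that make the browser fetch and run or render remote content,
# mapped to the attribute that carries the URL.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "frame": "src",
               "embed": "src", "object": "data"}

# Constructed sample page: two expected references and two unexpected ones.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.partner.example/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://203.0.113.7/x/index.php" width="0" height="0"></iframe>
<script src="//stats.unknown.example/c.js"></script>
</body></html>"""


class ExternalRefFinder(HTMLParser):
    """Collects (line, tag, host) for active content loaded from unapproved hosts."""

    def __init__(self, site_host, allowed_hosts):
        super().__init__()
        self.allowed = {site_host.lower()} | {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_TAGS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if not value:
            return                          # inline script or empty attribute
        host = urlparse(value.strip()).hostname
        if host is None:
            return                          # relative URL: same site
        if host not in self.allowed:        # hostname is already lower-cased
            line, _col = self.getpos()
            self.findings.append((line, tag, host))


def audit_page(html, site_host, allowed_hosts=()):
    """Return unapproved external references found in one HTML document."""
    finder = ExternalRefFinder(site_host, allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for line, tag, host in audit_page(SAMPLE_PAGE, "www.shop.example",
                                      ["cdn.partner.example"]):
        print(f"line {line}: <{tag}> loads from unapproved host {host}")
```

Run against the pages as they are actually served, not the copies in source control, since the injected line exists only on the compromised server.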

Against this backdrop, Finjan offers the following advice for business users of IT security technology:

1. Make sure that real-time inspection and protection is added to your web security solution. Chasing the attack vectors after the event is always ‘too little, too late’, particularly if you get hit by a zero-day attack that your security solution does not recognise.

2. Make sure that your IT security technology is updated to handle new technologies and trends. Security products should protect you from the vulnerabilities rather than just attacks and exploits.

3. Check your vendor’s research capabilities and its ability to provide up-to-date information which is immediately translated into actionable security measures.

4. Examine your egress data policy to make sure that you cover all known and suspicious sites.