Category Archives: Control

An Eerie Silence on Cybersecurity

Apparently it takes an alleged Chinese threat to get the New York Times to notice Internet security problems. The Times has escalated from a recent article to an editorial.

NYTimes Editorial 26 February 2013, An Eerie Silence on Cybersecurity, notes a few exceptions, and then remarks:

American companies have been disturbingly silent about cyberattacks on their computer systems — apparently in fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government.

In some cases, such silence might violate the legal obligations of publicly traded companies to share material information about their businesses. Most companies would tell investors if an important factory burned to the ground or thieves made off with hundreds of millions of dollars in cash.

Maybe it’s better to have a prescribed burn of released breach information than to have a factory fire of unprescribed released information.

Why don’t companies do this?

Continue reading

Companies fear reputation for bad security

As more companies come out of the closet about their Internet security being compromised, still more start to admit it. But many (perhaps most) don’t even know. Fortunately, there is a way the public can get a clue even about those companies.

Nicole Perlroth wrote for the NYTimes 20 February 2013 that corporations try to hide successful cracking of their Internet security:

Most treat online attacks as a dirty secret best kept from customers, shareholders and competitors, lest the disclosure sink their stock price and tarnish them as hapless.

However, as some companies come out of the closet about this (Twitter, Facebook, Apple, etc.) and such

revelations become more common, the threat of looking foolish fades and more companies are seizing the opportunity to take the leap in a crowd.

“There is a ‘hide in the noise’ effect right now,” said Alan Paller, director of research at the SANS Institute, a nonprofit security research and education organization. “This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement.”

Now here’s the interesting part:

Continue reading

Syria and Yemen: 29 November 2012

At 10:30 AM GMT yesterday, 29 November 2012, routing to Yemen suddenly changed from London to Dubai through FLAG to New York to Dubai through ETISALAT, as shown in the animation here and detailed in the PerilWatch from InternetPerils. That timing closely matched the 10:26 AM GMT Syrian disconnect time reported by Renesys. This is very reminiscent of Mubarak disconnecting Egypt 22:30 GMT 20 January 2011. This tactic didn’t help Mubarak’s regime in Egypt, and it probably won’t help Assad’s regime in Syria; rather the opposite: people don’t like their Internet being turned off. And it tends to cause the international community to rally around the rebels.

-jsq

ISPs, spam, and botnets? a case in Finland

In Finland, some ISPs proactively detect spamming botnets and do something about it.

A small company that does computer maintenance, “HS-Works Oy” located in Helsinki, HS-Works Oy Finland, received a computer from a customer that needed to be fixed since it was acting slow. HS-Works personnel hooked up the malfunctioning computer to the company’s switch to gain Internet access and so they could control it over their LAN.

Sonera After the computer was through the LAN to the Internet for a while, the local ISP (Sonera) realized someone from HS-Works was connecting to a known botnet and acting in possibly malicious way. So what did the ISP do?

The solution was rigid: they closed the Internet connection from HS-works and informed the company via an SMS message that there had been illicit or malicious connections originating from their IP address and the connection would remain closed until the problem was solved. All web traffic was directed to the ISP’s “Access blocked” page, which offers a link to a free 30-day trial of Sonera Internet Security package (F-Secure software branded under Sonera name).

Network access would be returned after the infected host was fixed or removed from the network. The company raised their firewalls to a more strict level and got the Internet access back on the same day.

How about Finland’s ranking in spam listings in general and the rest of the big Finnish ISP policies on spam? Stay tuned, more information about these on the next post!

-Sami Sainio

Egypt Returns

Egypt returned to the Internet about 09:30 GMT today (2 February 2011). This sudden return after being as suddenly disconnected one week ago (27 January 2011) is obviously not due to ordinary causes such as congestion, cable cut, or router failure. This political disconnection of an entire country does not seem to have helped the regime responsible for it; quite the opposite.

-jsq

Our Friend Unfairly Maligned in London’s Court

Many of you are concerned as am I about our friend who has been hauled into court in London and unfairly maligned for the “crime” of distributing some government communications that he got from an anonymous source. I know our friend also has been a bit playful out of wedlock, and even had a son that way, but I don’t see what that has to do with the matter at hand.

Our friend represented his agency in the matter of procuring and forwarding the communications “as a public act, dealing with the public correspondence of public men.” His accusers were having none of it:

Into what companies will the fabricator of this iniquity hereafter go with an unembarrassed face, or with any semblance of the honest intrepidity of virtue? Men will watch him with a jealous eye &em; they will hide their papers from him, and lock up their escritoires. Having hitherto aspired after fame by his writings, he will henceforth esteem it a libel to be called a man of letters
His accusers made him out to be a vindictive destroyer of public confidence. He had “forfeited all the respect of societies and of men” and was not a gentleman, rather a common thief.

I am happy to hear our friend has been released by the court in London, although two days later he was fired from his job as deputy postmaster general of North America. Continue reading

Quis custodiet ipsos medici?

Internet security is in a position similar to that of safety in the medical industry. Many doctors have an opinion like this one, quoted by Kent Bottles:
“Only 33% of my patients with diabetes have glycated hemoglobin levels that are at goal. Only 44% have cholesterol levels at goal. A measly 26% have blood pressure at goal. All my grades are well below my institution’s targets.” And she says, “I don’t even bother checking the results anymore. I just quietly push the reports under my pile of unread journals, phone messages, insurance forms, and prior authorizations.”

Meanwhile, according to the CDC, 99,000 people die in the U.S. per year because of health-care associated infections. That is equivalent of an airliner crash every day. It’s three times the rate of deaths by automobile accidents.

The basic medical error problems observed by Dennis Quaid when his twin babies almost died due to repeated massive medically-administered overdoses and due to software problems such as ably analysed by Nancy Leveson for the infamous 1980s Therac-25 cancer-radiation device are not in any way unique to computing in medicine. The solutions to those problems are analogous to some of the solutions IT security needs: measurements plus six or seven layers of aggregation, analysis, and distribution.

As Gardiner Harris reported in the New York Times, August 20, 2010, another problem is that intravenous and feeding tubes are not distinguished by shape or color: Continue reading

What we can learn from the Therac-25

What does Nancy Leveson’s classic analysis of the Therac-25 recommend? (“An Investigation of the Therac-25 Accidents,” by Nancy Leveson, University of Washington and Clark S. Turner, University of California, Irvine, IEEE Computer, Vol. 26, No. 7, July 1993, pp. 18-41.)
“Inadequate Investigation or Followup on Accident Reports. Every company building safety-critical systems should have audit trails and analysis procedures that are applied whenever any hint of a problem is found that might lead to an accident.” p. 47

“Government Oversight and Standards. Once the FDA got involved in the Therac-25, their response was impressive, especially considering how little experience they had with similar problems in computer-controlled medical devices. Since the Therac-25 events, the FDA has moved to improve the reporting system and to augment their procedures and guidelines to include software. The input and pressure from the user group was also important in getting the machine fixed and provides an important lesson to users in other industries.” pp. 48-49

The lesson being that you have to have built-in audit, reporting, transparency, and user visibility for reputation.

Which is exactly what Dennis Quaid is asking for.

Remember, most of those 99,000 deaths a year from medical errors aren’t due to control of complicated therapy equipment: Continue reading

What about the Therac-25?

Someone suggested that Dennis Quaid should be reminded of the Therac-25 “if he thinks computers will reduce risk without a huge investment in quality, quality assurance and operational analysis.” For readers who may not be familiar with it, the Therac-25 was a Canadian radiation-therapy device of the 1980s that was intended to treat cancer. It had at least six major accidents and caused three fatalities, because of poor software design and development.

Why should anyone assume Dennis Quaid doesn’t know that quality assurance and operational analysis are needed for anything designed or controled by software? The man is a jet pilot, and thus must be aware of such efforts by aircraft manufacturers, airlines, and the FAA. As Quaid points out, we don’t have a major airline crash every day, and we do have the equivalent in deaths from medical errors. Many of which could be fixed by Computerized Physician Order Entry (CPOE).

Or ask the Mayo Clinic: Continue reading

Route Hijacking: Identity Theft of Internet Infrastructure

Peter Svensson gives an old and quite serious problem some mainstream press in this AP story from 8 May 2010:
On April 25, 1997, millions of people in North America lost access to all of the Internet for about an hour. The hijacking was caused by an employee misprogramming a router, a computer that directs data traffic, at a small Internet service provider.

A similar incident happened elsewhere the next year, and the one after that. Routing errors also blocked Internet access in different parts of the world, often for millions of people, in 2001, 2004, 2005, 2006, 2008 and 2009. Last month a Chinese Internet service provider halted access from around the world to a vast number of sites, including Dell.com and CNN.com, for about 20 minutes.

In 2008, Pakistan Telecom tried to comply with a government order to prevent access to YouTube from the country and intentionally “black-holed” requests for YouTube videos from Pakistani Internet users. But it also accidentally told the international carrier upstream from it that “I’m the best route to YouTube, so send all YouTube traffic to me.” The upstream carrier accepted the routing message, and passed it along to other carriers across the world, which started sending all requests for YouTube videos to Pakistan Telecom. Soon, even Internet users in the U.S. were deprived of videos of singing cats and skateboarding dogs for a few hours.

In 2004, the flaw was put to malicious use when someone got a computer in Malaysia to tell Internet service providers that it was part of Yahoo Inc. A flood of spam was sent out, appearing to come from Yahoo.

The Pakistani incident is illustrated in the accompanying story and video by RIPE.

This problem has been known for a long time. Why hasn’t it been fixed? Continue reading