Archive for May, 2011

Joint U.S.-China Report on Cybersecurity Released

The EastWest Institute and the Internet Society of China released the first joint China-United States report on cybersecurity, Fighting Spam to Build Trust.

Produced by Chinese and U.S. experts convened by EWI and the Internet Society of China, the report marks the first step in an ongoing bilateral process.

“When Presidents Obama and Hu Jintao met last January, they called for the U.S. and China to cooperate on cybersecurity,” says EWI’s Chief Technology Officer Karl Rauscher. “In anticipation of this need, over a year ago we brought U.S. and Chinese experts together on this major cyberspace challenge.”
The results are strong joint recommendations for fighting spam – an underrated problem in cyberspace according to Rauscher, who led the bilateral process with Yonglin Zhou, Director of the Internet Society of China’s Network and Information Security Committee. Spam, which comprises as much as 90% of all email messages carried in networks, irritates end-users, clogs networks and carries the malicious codes used by hackers for fraud and other crimes.
To fight spam, the experts made two key recommendations: first, the creation of an international forum to deal with spam; second, that network operators, Internet service providers and email providers follow 46 mutually-agreed upon best practices. Those best practices include the creation of international protocols to weed out spam from legitimate messages; consumer education about botnets; and that ISPs in both countries use feedback loops to discourage spam.
“People from all nations have to fight spam. With international collaboration, we can dramatically increase the effectiveness of our efforts to stop spam, botnets and other cyber threats,” says Zhou.
Fighting Spam to Build Trust will be one of the topics at EWI’s Second Cybersecurity Summit, to be held on June 1-2 in London. The summit has attracted more than 400 participants, including top government, industry and technical experts from 43 countries. At the summit, breakthrough groups, one of which will be chaired by Jerry Upton of the Messaging Anti-Abuse Working Group (MAAWG), will discuss how to set up the forum and implement the best practices.
EWI’s China-U.S. team will continue its collaboration, going on to address a series of more difficult and complex cybersecurity challenges in the coming months.
The team leaders see their work as more than a series of practical solutions to a pressing problem. According to Rauscher and Zhou, “In a time when most can only see a grim, downward spiral of recrimination when it comes to all things cyber, this report is the product of cooperation and offers some hope for an improved relationship between China and the U.S.”

Chinese responses to the International Strategy for Cyberspace

A week after the United States released its International Strategy for Cyberspace, the Council on Foreign Relations gauges some Chinese responses.

A week after the United States released its International Strategy for Cyberspace, it is possible to gauge some Chinese responses. Not surprisingly, there was a relatively high degree of skepticism about U.S. intentions. Chinese concerns revolved around three issues:

The strategy is really about military capabilities and deterrence.  Perhaps following the lead of some U.S. news reports, Chinese press reports focused on the statement that Washington reserved the right “to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law,” to defend itself and its allies.  This must be frustrating to the State Department since it was trying to de-emphasize cyberspace as a warfighting “domain” and stress its importance as a public forum, market, and source of innovation.  They wanted less talk about Cyber Command and more about international engagement.  Certainly it couldn’t have been an accident that Deputy Secretary of Defense William Lynn spoke after Homeland Security Advisor John Brennan, Secretary of State Hillary Clinton, Attorney General Eric Holder, Secretary of Commerce Gary Locke, and Secretary of Homeland Security Janet Napolitano.

Despite the calls for cooperation, the U.S. is trying to maintain its technological lead. In the view of some Chinese analysts, the call for interoperability and global standards masks an effort to lock others into technologies owned by U.S. companies. Global Times quoted one analyst as saying: “The U.S. masters a number of core technologies for cyberspace usage, and it aims to continuously consolidate its advantages.” Similarly, in the area of Internet governance, no matter how often U.S. government officials refer to international cooperation, they still want the United States “to maintain its lead role. At a press conference on the same day, Hillary Clinton made this point very clear.”

The push for Internet freedom will lead to more conflict. While U.S. calls for the free flow of information and criticism of censorship usually create most of the fireworks in discussions with Beijing, most of the Chinese reports seem fairly uninterested that the strategy is grounded in the “principles of fundamental freedoms, privacy, and the free flow of information.” Maybe they’ve heard it all before and are tired of making all the counterarguments; maybe they wanted to focus on what seemed new in the strategy. Still, almost all the responses managed to slip in the idea that the Internet freedom agenda would be used to pressure other countries and cause more conflict.

Of course, it is difficult to draw a straight line from Chinese press reports to official positions.  Maybe Chinese policymakers have been more flexible and expansive in the S&ED or at the ongoing track II dialogue on cyber issues.  But it suggests that Chris Painter, the State Department’s Cyber Coordinator, has his work cut out for him.

U.S. International Strategy for Cyberspace

The International Strategy lays out the President’s vision for the future of the Internet, and sets an agenda for partnering with other nations and peoples to achieve that vision.


White House Unveils its Cybersecurity Legislative Proposal

The American Administration has transmitted a cybersecurity legislative proposal to Capitol Hill in response to Congress’ call for assistance on how best to address the cybersecurity needs of the USA. This is a milestone in the effort to ensure secure and reliable networks for Americans, businesses, and government.
Fundamentally, this proposal strikes a critical balance between maintaining the government’s role and providing industry with the capacity to innovatively tackle threats to national cybersecurity.
Just as importantly, it does so while providing a robust framework to protect civil liberties and privacy.


Chinese Hackers Are Hungry for Information

Stuart McClure, Senior Vice President & General Manager, Risk & Compliance, McAfee, co-authored his best-selling book Hacking Exposed: Network Security Secrets & Solutions 12 years ago. In an interview with Varun Aggarwal, he talks about how things have changed since then as he launches the new edition of his book.

Q: What major changes have you seen in the last 10 years since you first wrote your book?

The Web has been the major change in the last decade. From almost 0% to 50% of attacks exploit web technologies. JavaScript, which has become an integral part of the Web right now, is highly unsafe to use from a security perspective. There is so much bad guys can do with JavaScript to wrap malicious code around it that it is almost impossible to detect it. You sometimes need to unwrap 10-20 layers of code in the JavaScript to find the true source of the bad code.

Moreover, malware has evolved a lot. Malware writers have started obfuscating and encrypting the malicious code so that any security company is not able to detect it. Encryption makes it extremely difficult to reverse engineer the code. So we have to run a malware in a sandbox environment to observe what it does but it gets really challenging to do that with so many new variants of the same malware.

We get about 60,000 unique samples of malware every day.

The biggest advancement in security technologies is the white listing technology. This would prevent 99.9% of malware. So, instead of stopping something that is bad, we let the user run only the applications that are good.

Q: After being acquired by Intel, what would be the key initiatives you’d be involved in?

One reason Intel bought McAfee was to add value to their chips. And one of the values was security. We’d be leveraging the relationship with Intel and would now get into the embedded systems world.

We’ll be building security solutions for embedded systems. There are, however, no plans yet to build hardware security at the chip level. We are also moving into securing non-Intel chip platforms like ARM.

Q: Can you talk about the Project Night Dragon and its impact on India?

China has become hungry for information and they have found the cyber world to be rich with information. So they’ve targeted many different industries and many different countries including India.

They are not just targeting the websites but actual databases and data repositories. Some of these databases in India that were targeted by Chinese hackers were all connected to the Internet while they didn’t really need to be.

While there have been various attacks targeted at Indian government, utilities, oil and gas companies etc, the defences are still very nascent and defocused. This is not a good combination against people who are highly motivated and highly skilled.

Night Dragon was just another incident where some nation states were going after other nation states for their industries’ data. The bad guys took advantage of the weaknesses in the security of oil and gas companies.

They used commonly used techniques and public tools that have been commonly known for over a decade to target these organisations. They stole their data over many months or possibly even years before the organisations actually got to know about it.

The problem is that most of these are almost never detected when they occur. They are detected only long after the bad guys have already left.

Q: What, according to you, are the basic steps to get your security right?

The first step to secure yourself is making sure you’ve installed all the latest patches for all the applications that you’re using, including the operating systems.

The second step is to restrict access to sensitive information to only select people in the organisation. Map the access rights on what and where and who and how. That also means you need to build strong authentication. Try and use two-factor authentication, if not multi-factor authentication.

The Anonymous group that was trying to defend WikiLeaks by launching DDoS attacks on companies that stood against them also got into a security company called HB Gary. And the number one reason they were able to get in was because of weak passwords.

The number three is about educating the user. Just train and retrain them on one simple thing: Don’t click on anything you don’t trust. We just need to use good security hygiene in Internet usage.

If you just follow these three basic steps, you’ll be 90-95% safe.

Q:  With the popularity of Twitter there is a new click jacking technique that the bad guys are using, which is the url shortening services like How should one prevent such attacks?

Twitter is a popular platform and you get only 140 characters to convey a message. People often use url shortening services to ensure they’re able to convey their message within the available space. You cannot get to know if the shortened url is leading you to a malicious site unless you actually click it.

Therefore, we’ve created a new secure URL shortening service called We ensure that whatever URL is being shortened using this service doesn’t contain any JavaScript or doesn’t lead to a malicious site.

Facebook as ‘Most Appalling Spying Machine’

WikiLeaks founder, Julian Assange, blasted Facebook, calling it the “most appalling spying machine that has ever been invented,” Russia Today reported Tuesday.
Assange, who is currently fighting extradition to Sweden from the U.K., claimed on the Russian news channel that the social networking site was used by the U.S. government to spy on its citizens. “Here we have the world’s most comprehensive database about people — their relationships, their names, their addresses, their locations and the communications with each other, their relatives — all sitting within the United States, all accessible to U.S. intelligence,” he said. “Facebook, Google, Yahoo — all these major U.S. organizations have built-in interfaces for U.S. intelligence.”

Assange added, “It’s not a matter of serving a subpoena. They have an interface that they have developed for U.S. intelligence to use.”

He also claimed that people using Facebook were helping U.S. intelligence operatives.
“Everyone should understand that when they add their friends to Facebook, they are doing free work for United States intelligence agencies in building this database for them,” he added.