Follow up: Ed Giorgio Responds to Questions from House Committee on Science and Technology

U.S. HOUSE OF REPRESENTATIVES COMMITTEE ON SCIENCE AND TECHNOLOGY
Planning for the Future of Cyber Attack Attribution

On August 17, 2010, Mr. Giorgio responded to various follow-up questions (re: his testimony from July 2010) from members of the House of Representatives Committee for Planning for the Future of Cyber Attack Attribution. … Read more

Ed Giorgio Testifies before the House on Planning for the Future of Cyber Attack Attribution

U.S. HOUSE OF REPRESENTATIVES COMMITTEE ON SCIENCE AND TECHNOLOGY
Planning for the Future of Cyber Attack Attribution

On July 16, 2010, Mr. Giorgio testified before the subcommittee on Technology and Innovation on the subject of ‘Planning for the Future of Cyber Attack Attribution’.

For the complete webcast click here

To download Mr. Giorgio’s testimony, click here

Mr. Giorgio’s Testimony

Let me begin by commending the chairman and committee members for looking into this important matter. Having personally spent a career in science and technology and having witnessed numerous R&D innovations that improved the quality of our lives, economic livelihoods, security, and privacy, I’m confident that this committee will undertake the proper initiatives to solve long-term and extremely difficult problems such as the one we face with cyber attack attribution.

Post-attack attribution today is not effective, and the protocols we have today are insufficient to provide it. The recent attacks on Google are neither new nor surprising. What is new is the extensive publicity they generated, but despite all this publicity, and a convincing case that they were perpetrated by a state-sponsored actor in China, the rate of such cyber attacks coming from China has not decreased. Current attribution capabilities are clearly no deterrent.

… Read more

Test Driven Development (Part 1)

This is the first of a three-part blog series about writing code using the relatively new programming technique: Test Driven Development (TDD). These blog posts will cover the basics of TDD, benefits, drawbacks, examples of implementation, and finally how it can be used to more effectively create secure code. … Read more

The Myth of Data Security

Welcome to the Information Age. We currently produce, and have ready access to, more information than has ever existed in our history. Information of all sorts is readily available to anyone, at any time, from a multitude of sources. Even in the face of this wealth of information, however, there exist pockets of data that you just can’t have.

We all have secrets. If you’re a business, an agency, a bureau, or an organization, you probably have a particular set of bits somewhere that – when taken as a set and interpreted as data – represent some fact or set of facts that are very important to you. Maybe you call it proprietary information; maybe you call it business critical data. Maybe you call it secret, and use a grading system to determine exactly how secret it is. Regardless, you want to make sure that you always have that data, and you want to make sure that someone else doesn’t have it.

Here’s the problem: if that information is valuable to someone else, they probably already have at least some part of it. They certainly know more about your secrets than you want them to know, and none of your firewalls, intrusion detection systems, or security policies are going to keep them from learning more. At best, even your most effective security infrastructure only serves to slow them down.

History’s on my side on this one. … Read more

Time for High Assurance

For more than 40 years, computer scientists have researched mechanisms to make software systems more secure. From cryptographically assured boot processes to process segregation to capabilities-based operating systems, there are many fantastic concepts that modern-day engineers could leverage to build higher assurance systems. Unfortunately, most of the attempts to apply these concepts have resulted in stunning failures. The few systems that have survived are relegated to niche markets and solutions that require much higher security than commodity COTS systems can provide.

With 40 years of failure under our belt, many of these high assurance concepts have been written off. However, given the current threat environment many enterprises are facing, it may be time to re-examine some of them. Enterprises around the world, including banks, manufacturing companies, and even local governments, are finding that the defensive security mechanisms they have in place are becoming useless in the face of modern-day attackers. Phishing attacks are easy to carry out and can result in malware being placed deep within networks as well as total compromise of credentialing systems. Fed up with attempting to stop the attackers, some enterprises are turning their efforts toward detection of successful attack… basically admitting that there is no effective defense available.

This talk examines the history of high assurance computing. Then, using the backdrop of the current state of the attack space, this presentation discusses why the current trend of defensive technologies (such as firewalls, proxies, host based security, and policy engines) is unlikely to stop attackers. Finally, it closes by examining the current state of initiatives such as the Trusted Computing Group and discusses high assurance technologies that may be of use to developers in the next 3-5 years.

Get the slides here

Living with Game Servers

Every day, security professionals do battle in the trenches; good vs. evil, whitehats vs. blackhats, our network vs. their l337 tools. And what do we do to unwind after work? For many of us, it’s doing battle in the trenches with terrorists, Nazis, and that pesky Blue team that keeps stealing our intelligence.

Video games are a multi-billion dollar industry that rivals the movie industry in size. And recently, many games have taken a decidedly online tone. People from all over the world meet up on servers every day to meet, frag, and respawn into the wee hours of the morning. But what about the security of these servers? How secure are they, and how does the underlying integrity of these servers affect you and your ability to blow up other players?

From hardware interaction to network protocols, this talk that Bruce and I gave at Defcon 17 presents the inner workings of the Source Dedicated Server (used for games such as Left4Dead and Team Fortress 2). We also discuss some of the weaknesses in these game engines and ways they are exploited in the wild.

Get the slides here

Dirty Secrets of the Security Industry

The fox is guarding the hen house, and both the fox and the hens are making a lot of money in the process. Such is the state of the security industry in 2008. For the last 15 years, we have been building security into our networks and applications using concepts like “defense in depth” and “responsible disclosure.” It turns out that the attackers are now leveraging our security systems against us. Worse, we have made the security industry a self-feeding, self-fulfilling prophecy that may actually be causing harm to those we are trying to protect. While this may sound fatalistic and like an attempt to stir up a flame war, there are real issues that we need to face when it comes to the next steps in computer security. This talk will uncover some of the dirty secrets of the security industry. Some you will believe, some you will be skeptical of, and some may strike a little too close to home.

Get the slides here

Network Authentication

For years, we have treated wired and wireless authentication as two different issues; wireless authentication was complicated and not scalable and wired authentication was non-existent. However, with the increase of threats due to bots and spearphishing, wired authentication is gaining popularity. At the same time, wireless authentication is stabilizing and more systems are capable of performing advanced authentication without the addition of extra software. This whitepaper examines how to unify your wired and wireless authentication infrastructures while increasing security and driving down costs.

Get the whitepaper here

Automation techniques using SCAP

In a large enterprise, efficiency of security processes is as important as the effectiveness of those processes. Automation of these processes is a key aspect in running a successful IT security organization. This whitepaper examines automation techniques including the use of the SCAP suite of protocols.

Get the whitepaper here