Threat analysis

September 25, 2008

Have CrackBerry, Will Travel

Blogger: Dan Blum

It is no surprise for us to hear loose lips flapping in India about a capability to decrypt BlackBerry and other carrier traffic.

After all, we’ve done basic threat analysis for years and it was only months ago that I was brought into a company-wide CISO meeting at a U.S. defense contractor to help them hash out their travel policy for mobile devices. Going into the meeting, I knew their policy restricted taking devices to a list of countries considered dangerous – but there was an exemption for BlackBerries.

Our research uncovered that BlackBerry is pretty secure in most respects. It has transport encryption along with optional password protection, remote kill, disk encryption, and S/MIME encryption. Viruses have not flourished on this functionally limited and closed platform. Few if any third-party add-on programs are required for additional protection. Nonetheless, I went into the meeting prepared to talk with the CISOs about the risks and security limitations of life on BlackBerry.

Was the BlackBerry exemption reasonable? At the time, BlackBerry transport encryption was not known to have been broken (to be fair, the article listed above still qualifies as rumor, not certainty of breakage). However, I pointed out that it is dangerous to assume well-equipped attackers like military or intelligence organizations can’t crack transport encryption. And even if they haven’t cracked the BlackBerry network and whole disk encryption features, sophisticated adversaries have other attack paths. Check out Neal Stephenson’s excellent book Cryptonomicon for a description of how a talented adversary might “see” your keystrokes and screen images through a motel room wall, for example.

If one of your employees – such as a key scientist, project manager, or executive – is targeted for surveillance and is carrying sensitive data through certain countries, one could argue that he or she had better undergo serious counter-intelligence training. Learn to spot and shake tails, sneak into dark alleys for that BlackBerry fix. Learn to paper the closet with layers of aluminum foil and send messages in the dark. Defend that BlackBerry with encryption, long passphrases, and kung fu. But unless James Bond is running your company, I doubt this is what your executives have in mind for the next business trip!

Assuming your organization’s lower-level employees are like needles in a haystack and won’t be bothered could be an exercise in wishful thinking. It is always possible that nation states are monitoring some or all of the airwaves. Not so long ago the NSA had a massive covert surveillance program in place. Years before that, the government was reportedly snarfing up terabytes of emails and crunching them through a program called Carnivore. And of course, selective monitoring of people on watch lists continues on a large scale. This is just the surveillance we know about in the U.S. We suspect there’s more behind the scenes, especially in countries such as China. Even if you train your non-specifically-targeted low-level employees to write and speak in search-keyword-free code, the carnivore programs of the world are pretty good at sniffing out those interesting needles – such as descriptions of your business plans, manufacturing processes, and trade secrets.

Sound paranoid? I admit that I don’t know what the probabilities of being targeted or monitored are – just that it can happen. It’s the height of arrogance to believe that a nation state can’t get your information if they’ve targeted it and you’re within their borders. And it’s dangerous to rely on security by obscurity when medium or high consequence information must be protected.

What can be done? If key personnel can't dispense with the BlackBerry (or any other email device) during international travel to those countries where information may be most at risk, they (the users) should limit communications to what they’d feel comfortable uttering over a potentially-monitored telephone call. Controlling incoming communications – messages sent by others – is a harder problem. Until data loss prevention (DLP) products become more contextually sensitive about the travel issues, it may be best not to synchronize the BlackBerry with the overseas user’s home mailbox. Instead, have the user give out a temporary address for the BlackBerry and warn senders to be discreet.

March 20, 2008

Financial Services Roundtable Promotes Information Sharing

Blogger: Dan Blum

Just as King Arthur’s knights gathered around their roundtable to try and divine the future intentions of invaders and other threats to the realm, financial services and other enterprise organizations have a critical need to share information about emerging cybercrime threats and attacks. So it was that one day this Fall in New York, I found myself at a private Wall Street roundtable meeting with leading thinkers from a number of large financial institutions (FIs).

Roundtable

Whereas the previous roundtable meeting I blogged about in the summer concerned general issues, the second meeting addressed predictive threat analysis. Attending were a number of Wall Street firms, the National Cyber Forensics and Training Alliance (NCFTA), the FBI, and Burton Group.

The meeting started with a general introduction noting the evolution of the threat from script kiddies to organized crime to state-sponsored industrial espionage or low-grade information warfare activities. For example, the Russian Business Network (since gone underground, apparently) was a front for organized crime, a one-stop shop allegedly tolerated by the Russian government as long as it kept its attacks external. The speaker also noted that:

  • China, France, Japan, Israel, Germany are similar in that they make no distinction between industrial espionage and national espionage. Some would argue the US is the same. Welcome to globalization!
  • There has been good news and bad news for vulnerability management. iDefense says that OS vulnerabilities are generally down. On the other hand, there is now a thriving marketplace for vulnerabilities and the bad guys can find them.
  • One thing hasn't changed - 85% of threats are still internal. One financial service had to surveil senior management after finding increased "rolodex activity" after executive departures. The company is working on ways to discourage or stop this behavior.
  • Not all solutions are purely technical. With bad guys turning to pump and dump schemes against penny stocks, E*Trade lost $18M. But application developers at one bank were tapped to change the code on the web site so that customers have to call in low-priced stock trades, which are in any case a low revenue source for the company. This procedural solution was a decisive win against pump and dump schemes.

The NCFTA, a non-profit member-supported organization, described “Stock-Aid”, an information sharing service it provides for financial services facing pump & dump attacks. Through NCFTA, the banks share feeds with the bad guys’ IP addresses and the names of stocks that are being attacked.
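As an added example (not code from the original post, NCFTA, or any bank), here is how a bank might consume a Stock-Aid-style feed like the one described above and act on it in the way the earlier bullet describes: flag web requests from shared attacker IPs, and force trades in attacked or low-priced stocks off the self-service web channel onto the call-in channel. The feed format, the log format, the ticker symbols and the $5 price cutoff are all assumptions constructed for the example.

```python
# Added example; feed/log formats and the price cutoff are assumptions.
import ipaddress

# Constructed feed; "ip <addr-or-cidr>" / "symbol <ticker>" lines are assumed.
SHARED_FEED = """\
ip 198.51.100.23
ip 203.0.113.0/24
symbol PNNY
"""

# Constructed access-log lines in an assumed "client_ip user path" form.
ACCESS_LOG = [
    "192.0.2.10 alice /account/summary",
    "203.0.113.77 bob /trade/submit?sym=PNNY",
    "198.51.100.23 carol /login",
]

# Assumed dollar cutoff below which a stock counts as "low priced".
LOW_PRICE_THRESHOLD = 5.00


def parse_feed(text):
    # Split the shared feed into attacker networks and attacked tickers.
    nets, symbols = [], set()
    for line in text.splitlines():
        kind, _, value = line.strip().partition(" ")
        if kind == "ip":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif kind == "symbol":
            symbols.add(value.upper())
    return nets, symbols


def flagged_requests(log_lines, nets):
    # Return (ip, path) for every request whose client IP is on the feed.
    hits = []
    for line in log_lines:
        ip, _, path = line.split(" ", 2)
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            hits.append((ip, path))
    return hits


def route_order(symbol, price, symbols):
    # Decide whether a web order may proceed or must be called in by phone.
    if symbol.upper() in symbols:
        return ("call_in", "symbol on shared attack feed")
    if price < LOW_PRICE_THRESHOLD:
        return ("call_in", "low-priced stock")
    return ("online", "ok")
```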

Could the industry do more than just block cyberattacks and perhaps shut down the botnets they’re coming from? In the game of whack-a-mole, NCFTA provides a hammer. And the FBI’s Botroast operation took down two large botnets. But new botnets keep emerging.

A more productive approach is to catch criminals by following the money: NCFTA noted that eGold gave over all their data, PayPal cooperates, and so do many other organizations that have been used for money laundering. Unfortunately criminals keep finding new places to hide in the money game; the latest ploy is to move money through online games like World of Warcraft.

The issue of information sharing is important to all industries, not just financial services. That’s why it’s so beneficial to participate in ISACA, BITS, I4 and other organizations. The warriors of information protection can either band together and share information like King Arthur’s knights, or risk falling into a dark age of cybercrime.
