PROTECTING THE WEB What needs to be done in order to keep the

SUMMER 2010 www.bcs.org/security

THE MAGAZINE OF THE BCS SECURITY FORUM

PROTECTING THE WEB: What needs to be done in order to keep the internet running

06 ATTACK SPOTTING: Not all the traffic on the internet is safe, but how do you spot the malicious bits?

08 CACHING IN: Why everyone needs to be aware of the potential security flaws in web browsers.




05 ISSG PERSPECTIVE: Gareth Niblett, Chair of the BCS ISSG, gives his view on how to protect the internet.

06 ATTACK SPOTTING: Not all the traffic on the internet is safe, but how do you spot the bad bits?

08 CACHING IN: Why everyone needs to be aware of dangerous flaws in web browsers.

10 AFTER THE HACK: Best practice tips for what you should do after you have been hacked.

12 TEST OF STRENGTH: How DNSSEC should help reinforce trust in DNS.

14 KEEP ON RUNNING: Threats to the infrastructure are many and varied and we need to be wary.

16 LEGAL: A look at the ramifications of the new Digital Economy Act.

18 OPINION: The internet was designed to withstand a nuclear war, but can it survive its users?

EDITORIAL TEAM
Henry Tucker, Editor
Brian Runciman, Managing Editor

PRODUCTION TEAM
Florence Leroy, Production Manager
Marc Arbuckle, Graphic Designer
Whoosh Design, Typesetter

Advertising
E [email protected] +44 (0) 20 7074 7921

Keep in touch
Contributions are welcome for consideration. Please email: [email protected]

ISNOW is the quarterly magazine of the BCS Security Forum, incorporating the Information Security Specialist Group. It can also be viewed online at: www.bcs.org/isnow

The opinions expressed herein are not necessarily those of BISL or the organisations employing the authors. © 2010 British Informatics Society Limited (BISL). Registered charity no. 292786.

Copying: Permission to copy for educational purposes only without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage; BISL copyright notice and the title of the publication and its date appear; and notice is given that copying is by permission of BISL. To copy otherwise, or to republish, requires specific permission from the publications manager at the address below and may require a fee.

Printed in the UK by Newnorth Print Ltd, Bedford. ISSN 1752-2455. Volume 4, Part 4.

The British Informatics Society Limited, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK. T +44 (0)1793 417 424 F +44 (0)1793 417 444 www.bcs.org/contact Incorporated by Royal Charter 1984.


ISSG PERSPECTIVE

EDUCATE TO PROTECT

When it comes to keeping the internet up and running, Gareth Niblett, Chair of the ISSG, says it is about educating users and businesses.

The internet is a wonderful thing; putting knowledge at our fingertips, enabling instant communication and helping us target new customers more effectively. As with everything, it comes at a cost – from technical exclusion through to new online threats and vulnerabilities, which have the capability of affecting our life and business.

Problems, like hacking, viruses, spam and scams become more prevalent and merge into things like phishing and online identity fraud. Users need to learn and do more to stay safe, and governments need to focus more on the virtual world, which may be outside their direct control, to ensure that the benefits of the internet are fully realised.

Control issues

Some governments feel that the right approach is to try and control the internet and its users, from limiting what they can say to blocking content they object to. In reality, much of this control does little to protect people from the real security threats out there; national ‘firewalls’ are not for security, and protecting citizens from ‘outside threats’ is a convenient excuse for control.

Big business

‘Three-strikes’ style sanctions and disproportionate financial penalties for civil infringements say more about the undue influence of big business on the legal system than a real desire to move with the internet times, to protect both users and artists. At least the UK Government isn’t currently proposing to take over the internet in an emergency, as they are in the US. Protecting the internet comes best from educating users, businesses and government and for them to come together to create balanced workable solutions.

Gareth Niblett is chairman of the Information Security Specialist Group (ISSG). www.bcs-issg.org.uk

FURTHER INFORMATION

Information Risk Management and Assurance Specialist Group: www.bcs.org/groups/irma

BCS Security Portal: www.bcs.org/security

ISNOW online: www.bcs.org/forum/isnow


ATTACK SPOTTING

There is so much data flying around the internet and Ron Meyran, Director of Security Products at Radware, asks why it is so hard to distinguish between legitimate and attack traffic.

The motivation of hackers has changed from gaining fame to financial gain. Large-scale worm outbreaks have been replaced by application vulnerability exploits and dedicated malware that is owned, controlled and operated by well organised, financially motivated attackers. Cyber crime activities employ a new level of network attacks, which go undetected by standard network-security tools.

Cyber criminals have found out that a lot of money comes from data theft, internet-based fraud and extortion. Much of this activity is driven by sprawling networks of compromised PCs or bots controlled by criminal groups. The internet has become saturated with botnets designed to efficiently spew spam, spread malicious software, harvest sensitive data and launch distributed denial of service (DDoS) attacks.

Organised crime has grabbed the opportunity and employs malicious computer hackers to build, maintain and operate the bot crimeware. The bot software spreads by means of a multitude of propagation vectors: when innocent users access compromised legitimate websites, via mail spam, P2P file-sharing programs and more. In most cases, the victims are unaware of the fact that their computer has been infected by the malware code and has essentially been recruited into a botnet.

The bot malware offers a wide variety of services including: network attacks such as DDoS floods, HTTP page floods and brute force; information harvesting, such as local usernames and passwords or license keys, network scanning and application scanning.

Vulnerable code to vulnerable service

Traditional network security practices have focused on the research of application-software code, finding flaws in the code that can lead to a security breach exploited by hackers and patching it. The flaws are referred to as vulnerabilities. When hackers discover a vulnerability before the software and security vendors, they can launch a zero-minute attack, exploiting the newly discovered and unpatched vulnerability. In any case, the protection is about locating vulnerable application code and issuing a patch for it. Software updates and patches, anti-virus updates, and intrusion prevention system signature updates all are about protecting vulnerable code.

To bypass existing security technologies that focus on patching vulnerable code, hackers deploy application-specific attacks, which are referred to as non-vulnerability-based attacks. This new type of attack does not exploit any flaw in the code, and therefore patching will not help block it. Non-vulnerability-based attacks are executed on internet-connected services and on users. These attacks go unnoticed by existing protection technologies and can result in information theft, fraud activities and service disruption.

So what is a non-vulnerability attack?

Non-vulnerability-based threats aim to exploit weaknesses in server applications that cannot be defined as vulnerabilities. A non-vulnerability-based attack attempts to misappropriate software without a vulnerability. A non-vulnerability-based attack can be typified by a sequence of legitimate events, generally not associated with unusually large traffic volume. The attack can break authentication mechanisms and scan the application for hidden confidential files.

More sophisticated non-vulnerability attack forms include well-chosen, repeated sets of legitimate application requests that misuse server CPU and memory resources, thus creating a full or partial denial of service (DoS) condition in the application. This new attack method allows attackers to integrate well with legitimate forms of communications and comply with all application rules, so that in terms of traffic thresholds or known attack signatures, they will pass under the radar of existing network security technologies.

To emphasise the difference between the traditional vulnerability-based attack (known as a zero-minute attack) and the non-vulnerability-based attack, we can say that for the first, there is always the possibility of either creating a signature (sooner or later) that represents the malicious code and that can be used to block the attack or of developing an application patch that fixes the relevant application flaw. In the case of non-vulnerability attacks, the malicious code does not exist, and therefore, there is no attack signature nor is there an application patch.

Non-vulnerability-based attacks can be executed unnoticed by today’s protection technologies on server applications such as financial online transaction services, and thus can have a severe negative impact on availability and customer/client trust.


Examples of non-vulnerability attacks:

• Brute force attack. Used to defeat an authentication scheme by running a sequence of login attempts until success. Each attempt is a legitimate application transaction. However, the actual threat is in the systematic use of logins until successfully guessing a username and password.

• Web application vulnerability scanning. Scans a web server for known vulnerabilities or pages left for maintenance. Hackers use this information to launch targeted attacks or break into maintenance backdoors.

• Service flooding. More sophisticated than the older, simple DoS/DDoS packet-based flood attacks used previously by hackers. Hackers are moving to more sophisticated non-vulnerability application flood attacks including HTTP, SIP invite floods, etc. These types of attacks are based on a completely legitimate session-based set of requests generated towards the victim server, exhausting CPU resources.

The above are only a few examples of typical threats that rely on service misuse. Hackers use services through legitimate sessions, easily integrating attack traffic with real user traffic, undetectable by standard security tools. The challenge is clear: differentiating between legitimate and attack traffic.

Standard network-security solutions depend on static signature technology, which is able to detect and prevent the known application vulnerability exploits. This technology is insufficient against emerging types of attacks that use non-vulnerability-based techniques.

To detect and mitigate non-vulnerability-based attacks there is need for expert systems that perform network behavioural analysis (NBA). These systems create baselines of normal traffic patterns of users, applications and network bandwidth. Once an abnormal traffic pattern is detected the system moves from detection to characterisation and prevention mode. The system characterises the abnormal (attack) pattern and then uses this characterisation to block the unwanted traffic.
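The baseline, detect, characterise and block sequence described above, applied to the brute force case, as an added example that is not from the original article or from any vendor's product. The log format, the /login path, the 60-second window, the threshold rule and all function names are assumptions, and the log lines are constructed.

```python
"""Baseline-then-detect sketch for login brute force (constructed data)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW = 60            # seconds per observation window (assumed)
LOGIN_PATH = "/login"  # hypothetical login endpoint

def parse(line):
    """Constructed log format: '<epoch> <src_ip> <username> <path> <status>'."""
    ts, src, user, path, status = line.split()
    return int(ts), src, user, path, int(status)

def summarise(lines):
    """Per (window, source): failed logins, usernames tried, any success."""
    failed, users, success = Counter(), defaultdict(set), set()
    for line in lines:
        ts, src, user, path, status = parse(line)
        if path != LOGIN_PATH:
            continue
        key = (ts // WINDOW, src)
        if status == 401:          # each failure is a legitimate transaction
            failed[key] += 1
            users[key].add(user)
        elif status == 200:
            success.add(key)
    return failed, users, success

def build_baseline(lines):
    """Learn the normal failed-login count per source per window."""
    failed, _, _ = summarise(lines)
    samples = list(failed.values()) or [0]
    return mean(samples), pstdev(samples)

def detect(lines, baseline, k=3.0, floor=5):
    """Flag sources whose failures exceed baseline mean + k*stddev.

    The floor stops a very quiet baseline from flagging ordinary typos.
    Each finding characterises the abnormal pattern, not just its presence.
    """
    mu, sigma = baseline
    threshold = max(mu + k * sigma, floor)
    failed, users, success = summarise(lines)
    findings = []
    for (window, src), count in sorted(failed.items()):
        if count > threshold:
            findings.append({
                "src": src,
                "window_start": window * WINDOW,
                "failed_logins": count,
                "distinct_usernames": len(users[(window, src)]),
                "success_in_window": (window, src) in success,
            })
    return findings

def mitigation_rule(finding):
    """Turn a characterisation into a narrowly scoped rule (hypothetical
    rule format): only this source, only the login path."""
    return {"match": {"src": finding["src"], "path": LOGIN_PATH},
            "action": "rate-limit"}

# Constructed known-good traffic: users mistype a password once or twice.
BASELINE_LOG = [
    "1000 198.51.100.7 alice /login 401",
    "1004 198.51.100.7 alice /login 200",
    "1070 198.51.100.9 bob /login 401",
    "1075 198.51.100.9 bob /login 401",
    "1080 198.51.100.9 bob /login 200",
    "1130 198.51.100.12 carol /login 401",
    "1190 198.51.100.12 carol /login 200",
]

# Constructed live traffic: one normal user plus one source making
# 19 failed attempts on a single account, followed by a success.
LIVE_LOG = (
    ["2001 198.51.100.7 alice /login 401",
     "2005 198.51.100.7 alice /login 200"]
    + [f"{2000 + 2 * i} 203.0.113.50 admin /login 401" for i in range(19)]
    + ["2038 203.0.113.50 admin /login 200"]
)

if __name__ == "__main__":
    for finding in detect(LIVE_LOG, build_baseline(BASELINE_LOG)):
        print(finding, mitigation_rule(finding))
```

A finding with success_in_window set means the account itself needs attention (password reset, session review), not only the source address.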

For more articles go online to: www.bcs.org/articles


CACHING IN

Although many people are unaware of it, there is a serious security issue that affects how the world's most popular web browsers store your data, according to Rogan Dawes, Principal Security Consultant for independent consultancy, Corsaire.

Although few people are aware of it, a common computer technique known as caching, where a temporary storage area is used to allow rapid access to frequently accessed data, is putting both businesses and consumers at risk of a serious security breach. The problem is caused by the fact that sensitive data is routinely being stored by the user's web browsing software, often without their knowledge.

Although many people still believe that only users of shared systems, web-cafés, kiosks and other public locations are affected by this potential threat, insecure caching is increasingly having a serious impact on business users in particular, especially since web browsers have become a prime target for hackers.

Modern web browsers use caching technology to store previous responses from web servers, such as web pages, in order to reduce the amount of information that needs to be transmitted across the network. Since information previously stored in the cache can often be re-used, this approach reduces the bandwidth and processing requirements of the web server, and therefore helps to improve both speed and responsiveness for internet users.

However, there are two key reasons why internet users may want to prevent this kind of data storage: either to prevent any sensitive information from being stored inadvertently, and/or to ensure that they are always viewing the most current information available, since cached copies of websites may contain out-of-date data.

For both of these reasons, caching is something that businesses in particular need to get right from both a performance and security perspective, as the caching of data in the browser and the ability to keep potentially sensitive data from being stored in the cache is paramount to information security. It is therefore in the application developer's interest to tag data correctly in order to prevent its exposure, and in the users' interest to ensure that their data remains private.

As part of a recent white paper on the subject, called Cache for Questions, we examined the risk of sensitive data being stored in a user’s web browser, as well as the variations that exist in different web browsers and the effectiveness of the mitigations currently being recommended. This study also looked at the shortfalls in both browser security and the common wisdom in this area, and considered what remediation could be applied to keep both personal and business data safe.

Having completed this research, and after conducting security assessments of web applications and technologies for over a decade, it has become clear that web browsers are inconsistent and insecure in their operation relating to cache behaviour. Unfortunately, the guidelines and standards being used to combat this problem are often conflicting, and routinely include assumptions, misinterpretations and mistakes. To make matters worse, the security breaches being caused as a result are largely invisible to end-users and service providers, which makes the problem even more dangerous.


At the same time, a growing number of lost and stolen laptops as well as an abundance of second-hand systems and hard-drives are now being sold via the internet on auction sites. Unfortunately, once purchased, this equipment is liable to be picked over by individuals who know that local caches can often provide a rich source of valuable information.

Although some users think that they can enhance their security by simply deleting their browsing history, this single step alone is simply not enough. A browser’s cache is still a valuable store of information. For example, a JavaScript file (which is generated dynamically when requested) often contains a unique tracking ID and can live permanently in the browser’s cache when labelled with the right HTTP cache-control headers.

This JavaScript file can then be accessed by external pages and, because the script is never re-requested, it keeps the same unique ID, which means that it can call upon resources on the server-side in order to track the user. A hacker would just need to associate this unique ID with the user's account once (when he/she logs in for the first time, after the ID was created) in order to set cookies (the short lines of text that a website puts on a computer's hard drive when a user accesses the site) to track any activity easily. The result is that the users can be tracked uniquely, even after they have cleared any cookies.

Even though modern browsers typically have privacy tools for clearing caches, the vast majority of users still do not understand how or when to use them. Plus, most web browsers lack efficient cache disposal controls (compared to their ability to delete cookies), which means that this whole area requires more attention.

At the moment, a user's web browser can easily be tagged and tracked using a unique identifier that lives in the web browser’s cache for a very long time (using HTTP cache control headers and the browser's use of conditional GET requests to ask the server for a document that matches specific parameters). As a result, we believe that it is in the interests of both consumers and businesses to ensure that sensitive data is not persistently cached in the first place.

In actual fact, it is not very difficult to prevent a web browser from caching pages to disk. However, if you ask ten developers how to prevent the caching of a resource served via HTTP, you’ll probably get ten different answers. Advice abounds on the internet, but it’s inconsistent and outdated in many cases.

For all of these reasons, there is a temptation in some quarters to restrict access to specific browsers or even versions of browsers. This approach, however, is counter-productive for a number of reasons, not least of which is the fact that many browsers give the user the ability to operate under an alternative identity.

Instead, applications should be developed in line with the W3C standards for maximum compatibility and – even though providers should be aware of the variations and inconsistencies and, where possible, accommodate them – responsibility in this area must ultimately be shared among browser developers, application developers and end users.

What can users do to protect themselves from this issue? Users should periodically clear their browser’s cache, to ensure that no sensitive data remains.
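Two checks a developer or tester can run against the behaviour described above, as an added example that is not taken from the article or the Cache for Questions white paper: whether a sensitive response is tagged so that the browser may not store it, and whether a long-lived cacheable resource differs between two fresh clients (the cached unique ID case). It relies on the standard HTTP no-store directive, which the article does not name; the function names, finding codes, one-day threshold and sample responses are assumptions constructed for illustration.

```python
"""Audit HTTP response headers for browser-cache exposure (constructed samples)."""

LONG_LIVED = 86400  # seconds; assumed cut-off for "a very long time"

def _norm(headers):
    """Header names are case-insensitive; compare them in lower case."""
    return {k.lower(): v for k, v in headers.items()}

def parse_cache_control(value):
    """'private, max-age=60' -> {'private': '', 'max-age': '60'}"""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives

def audit_sensitive(headers):
    """Findings for a response that carries sensitive data.

    Only 'no-store' tells the browser not to keep a copy. The other
    commonly recommended settings are reported because they still allow
    the response to be written to the local cache.
    """
    h = _norm(headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return []
    findings = ["STORABLE"]
    if "no-cache" in cc:   # forces revalidation, does not forbid storage
        findings.append("NO_CACHE_STILL_STORED")
    if "private" in cc:    # excludes shared caches, not the browser's own
        findings.append("PRIVATE_STILL_STORED")
    if "pragma" in h and not cc:  # Pragma is defined for requests only
        findings.append("PRAGMA_ONLY")
    return findings

def persists(headers):
    """True if the browser may keep the response and either reuse it for a
    long time or revalidate it with a conditional GET (validator present).
    The Expires header is not evaluated in this sketch."""
    h = _norm(headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False
    max_age = cc.get("max-age", "")
    long_lived = max_age.isdigit() and int(max_age) >= LONG_LIVED
    return long_lived or "etag" in h or "last-modified" in h

def per_client_identifier(resp_a, resp_b):
    """Compare one URL fetched by two fresh clients (no cookies, empty cache).

    A resource that persists in the cache and whose ETag or body differs
    per client can act as an identifier that survives cookie deletion.
    """
    ha, hb = _norm(resp_a["headers"]), _norm(resp_b["headers"])
    if not (persists(ha) and persists(hb)):
        return False
    return ha.get("etag") != hb.get("etag") or resp_a["body"] != resp_b["body"]

# Constructed sample responses.
WEAK = {"Cache-Control": "private, no-cache", "Content-Type": "text/html"}
LEGACY = {"Pragma": "no-cache"}
TAGGED = {"Cache-Control": "no-store"}

SCRIPT_A = {"headers": {"Cache-Control": "public, max-age=31536000",
                        "ETag": '"a91f"'},
            "body": "var id = 'a91f';"}
SCRIPT_B = {"headers": {"Cache-Control": "public, max-age=31536000",
                        "ETag": '"77c2"'},
            "body": "var id = '77c2';"}
DYNAMIC_A = {"headers": {"Cache-Control": "no-store"}, "body": "token-1"}
DYNAMIC_B = {"headers": {"Cache-Control": "no-store"}, "body": "token-2"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("legacy", LEGACY), ("tagged", TAGGED)):
        print(name, audit_sensitive(hdrs))
    print("per-client script:", per_client_identifier(SCRIPT_A, SCRIPT_B))
```

Browsers differ in how they treat these headers, which is the inconsistency the article describes, so the header audit complements rather than replaces testing against the browsers an application actually supports.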


COPING AFTER THE HACK

Giri Sivanesan, Senior Security Consultant at Pentura, provides advice on the steps that should be taken from the point of discovery of a hacking incident onwards.

When a business discovers it has been hacked there are different mentalities on how to deal with it; for private sector organisations the most important thing is to detect when the firm’s network or IT system has been hacked.

Once an attack has been detected it then becomes important to identify the extent of the compromise, isolate any compromised networks or systems and contain them to stop the attack affecting other networks or systems.

National security organisations may decide to take an altogether different approach where, once they are satisfied it is being properly risk managed, they let the attack continue in order to monitor its movements, understand how it is working and what specific information it is targeting. They may argue that in some cases immediately isolating a malicious attack may mean that they are unable to understand the full extent and modus operandi of the attackers, which is strategically useful to prevent future attacks.

Who to notify

The next step is for the organisation to decide who it needs to tell and what industry specific rules it should follow.

The first port of call would be to notify someone in a security leadership position so that they can decide on the next defensive step and whether to escalate the incident up to someone more senior.

If a virus is involved, for example, it may be best to move up the chain of command to the head of security who will then decide on the severity of the problem and whether or not to notify the board.

Depending on the severity of the incident, law enforcement authorities should be notified. Many large private sector organisations frown upon this approach however, embarrassed to be caught out, and resort to tackling and containing the problem themselves. Unfortunately this can often lead to press leaks and public uproar causing considerable reputational damage and the possibility of fines.

Recent incidents in the NHS and Manchester Police are prime examples of what can happen when the public sector falls foul of hackers. These incidents have made top news stories and have made the public question just how safe their personal data is. By notifying law enforcement authorities of a serious hacking incident, information provided can then be included in any ongoing investigations. There may have already been many similar hacking incidents and by pulling together disparate sources of information from multiple attacks, law enforcement authorities are able to respond more effectively to protect organisations.

It is not always clear how widespread an attack is – it could be on an international level where organisations such as the Serious Organised Crime Agency (SOCA) will need to respond. SOCA has strong links with other law enforcement communities throughout the world and, where necessary, may be able to share information about similar hacking incidents to strategically prepare and protect organisations against future attacks.

UK organisations that come under the umbrella of critical national infrastructure (e.g. communications, energy, finance etc.) could seek advice and guidance from the Centre for the Protection of National Infrastructure (CPNI). Businesses should also look at damage limitation and how best to protect business branding and market position.

There are certain people and organisations that should be informed straight away; we would encourage organisations to notify law enforcement authorities of serious hacking incidents even when the incident is particularly sensitive. Once the attacks have been identified, contained and eradicated and systems are running without any hiccups, a decision should then be made by the board on when to go public. Going public before managing the situation may cause customers to panic and may even benefit competitors.

Reputation protection

It is important to minimise the amount of damage done to an organisation, and to do this effectively it must be prepared. If an organisation doesn’t have incident management, business continuity and disaster recovery policies in place, then it will become more difficult to minimise the damage caused. Establishing and testing these policies and having clear procedures and governance structures in place means responding to hacking incidents becomes much easier.

In general, the faster an organisation responds to, and contains, an attack, the less damage it will cause. Most organisations can expect to be attacked by hackers at some point, but by being proactive and ready for the attack beforehand, they can usually reduce the impact attacks will have.

Following an incident, the best way for an organisation to clean up is to know where its information systems were beforehand. Backing up IT systems regularly will enable a restore of systems and information to an accurate level and with minimal downtime, allowing the organisation to get back to its baseline quickly. Good computer forensics coupled with intrusion detection, operating system and firewall logs may be needed to fully investigate the full extent of an attack.

Lessons learned

Understanding what an organisation’s vulnerabilities are and lessons learned from an incident should help minimise the likelihood and impact of it happening again. In general, critical systems and assets should be cleaned first. With the sharp increase in corporate espionage, it is also important to understand where all information assets are and what impact hacking can have on these assets and an organisation.

Espionage works when it is not detected so if an organisation is not aware of its assets it may not know what has been stolen or damaged. A well-maintained information security policy, along with underlying incident management, business continuity and disaster recovery policies, is a must for businesses and organisations to recover fully from any form of a serious hacking incident.

Organisations must learn from their mistakes in order to manage the risks from hackers and minimise the impact hacking incidents cause. They must understand how the incident happened from the detection of the attack all the way through to the recovery. How well they responded to the incident and what they should have done better are some of the key questions that need to be asked at board level and pushed downwards.

Having a good understanding of what the risks and vulnerabilities are, what assets need to be protected from hackers and the impact future incidents can have on the organisation both financially and in terms of reputation, is a good basis to win the financial support needed to implement proportionate controls against hacking.


TEST OF STRENGTH

Chris Klein, Product Manager at VeriSign, explains how the addition of DNS Security Extensions (DNSSEC) should strengthen trust and security in the DNS.

With each new real-world test of DNS Security Extensions (DNSSEC), technologists gain a better understanding of how to maximise the security benefits of DNSSEC while minimising compatibility and implementation issues. As DNSSEC is deployed ever more broadly, this disciplined commitment to testing will be the key to ensuring that the technology achieves its full potential to strengthen trust and security in the DNS.

A recent test of DNSSEC in the .edu domain demonstrated the value of this disciplined approach. Conducted by VeriSign and EDUCAUSE, the non-profit higher-education group that manages the .edu domain, the test bed process gave universities greater confidence in their ability to effectively implement DNSSEC on their networks.

No disruption

Even as it helped universities, the test bed also provided critical information that VeriSign can use to ensure that larger DNSSEC implementations are conducted in a way that provides maximum benefit and minimum disruption to users.

Vital step

The .edu test bed, like the others that have come before it, represents a vital step toward the global deployment of DNSSEC, which will add an important new layer of security to online communication and commerce by limiting the ability of criminals to forge DNS data and putting an end to the serious threat of so-called ‘cache poisoning’.

Ideal environment

VeriSign provides registry services for the .edu domain on behalf of EDUCAUSE. With a comparatively small registrant base and highly skilled technical administrators at those registrants' institutions, .edu represented an ideal environment in which to conduct a fully integrated DNSSEC test bed. The process tested interactions between registrants and registrar, as well as between registrar and registry, and culminated in users being able to provision and then perform real-world DNS validations on the DNSSEC-enabled names (via test name servers).

Continuing challenges

The test bed gave us an opportunity to take a closer look at some of the continuing challenges to establishing an effective DNSSEC implementation. At a technical level, the activities in the test bed underscored the importance of understanding the more complex operational practices that come along with DNSSEC, including cryptographic key generation and rollover.

We know from the test bed that we still have work to do to ensure that DNSSEC signing and key-management functions will be simple and transparent to all within the continuum of the key-signing process.

In support of our continuing work to ease the implementation of DNSSEC into the internet infrastructure, VeriSign is extending this end-to-end testing environment to its registrar community for the .com and .net top-level domains. The aim will be to provide the registrar community members with a place where they can verify their DNSSEC implementations in a controlled environment.

Interoperability Lab

Another resource that VeriSign is offering to registrars and other organisations is our DNSSEC Interoperability Lab. Opened to members of the DNS and internet communities earlier this year, the DNS Interoperability Lab allows solution and service providers to determine if DNS packets containing DNSSEC information will cause problems for their internet and enterprise infrastructure components.

The goal of the Interoperability Lab is to help identify and address potential compatibility issues throughout the DNS, from the core of the network to the end-user. Each issue the community can identify today, in a lab setting, is one less that will impact users as DNSSEC reaches global adoption. Companies like Cisco and Juniper have already used the lab to test DNSSEC compatibility.

Maximum benefit

For VeriSign, all of this testing serves to further the process of implementing DNSSEC in .net and .com in a manner that provides the maximum benefit to users while causing the least confusion and disruption. As we move to implement DNSSEC in much larger, less homogenous zones, we fully expect that the number of issues we will discover will increase. But a disciplined approach will ensure that we are prepared for any eventuality.

For more articles go online to: www.bcs.org/articles


KEEP ON RUNNING

Many of us rely on the internet to such an extent, what would we do if it stopped working? Carole Theriault, Senior Security Consultant at Sophos, says the threat to the internet is there and we shouldn’t ignore it.


I imagine many people do exactly as I do when a debate starts brewing: someone makes a statement, another refutes it, and then someone checks online to determine the answer. We simply no longer discuss how something is spelled, what ingredients are needed to make an authentic kedgeree or what year did the dreadful music duo Bros hit the big time. You would have to be out of range or in an internet-unfriendly location, like a jail cell or a snobbish eatery, to actually have a long-winded discussion about something factual.

Isn’t that sad? I remember many enjoyable hours honing my persuasive skills before the omnipresence of the web. That said, just imagine a world without the internet. It's a bit frightening how reliant we have become on cyber connectivity.

According to the world internet usage statistics, about 1 in 3 people alive today have access to the web. Many of our jobs, hobbies and entertainment are internet-dependent – some of us even have stronger virtual communities than real life ones. And with today’s trend of storing our data, like email, contacts and documents, in the cloud, what happens if the internet were ever zapped into nothing – what the heck would we do? I mean, is it even possible for that to happen?

Ironically, I googled to see what I could find on the topic and chatted with a few of the brainiacs I have the privilege of working alongside at Sophos.

Volunteers

The internet, unlike most colossal business tools, is not under any central governance. The Internet Engineering Task Force (IETF), a non-profit managed by technically-savvy volunteers, looks after internet standards, like IPv4 and IPv6 protocols, and ICANN, another non-profit outfit based in California, is responsible for managing the assignment of IP addresses and domain names.

DNS (Domain Name System) is the hierarchy for all internet resources, where the root domain sits on top of the pile. There are 13 root domain server operators, labelled A to M, hosting today about 200 servers, and the number of redundant servers increases all the time. These servers used to be based only in the US, but are now hosted in multiple locations around the globe. (see www.root-servers.org)

The sheer fact that the internet is increasingly decentralised makes it inherently resilient. But it is by no means infallible – problems have affected the core of the internet in the past.

In 1997, for instance, a technical fault impacted a reported seven of the 13 servers. In 2002, all 13 servers fell prey to an attack that disabled them all for about an hour. And in 2007, a malicious attack hit four servers rendering them practically inoperable, with two almost brought to a standstill while another two experienced immense amounts of traffic.

Geographical spread

Thanks to the increased resiliency, greater geographical spread, the clustering of servers and mirroring of information, it is much more difficult to perform a brute force attack, like a distributed denial-of-service attack. This is where servers are flooded with copious amounts of information from huge numbers of computers with the aim of flooding them to their inherent failure point. It is a bit like stuffing yourself senseless at the holidays with turkey, trimmings, cake and chocolate so that you are basically a blobby fat mass unable to rise from the couch.

Physical attacks or accidents can also seriously impact internet connectivity. In early 2008, the BBC reported that two of the three submarine cables that connect the internet together were cut, or split. It served to reduce internet capacity between India and Europe by a whopping 75 per cent. In 1987, phone companies reported that sharks had an inexplicable taste for fibre-optic cables. How did they guess they were sharks? Teeth were found embedded in the cable.

Kill switch

As recently as June this year, a US legislation proposal has been making headlines. Bill S.3480, also known as the Protecting Cyberspace as a National Asset Act of 2010 (PCNAA), includes looking at measures to respond to a cyber attack on national security. This is being touted as an ‘internet kill switch’ by the press, but the Senate Committee for Homeland and Governmental Affairs are vehemently countering this and have published a glut of information explaining their reasoning, the main statement being that the current Communication Act was drafted in 1934 and is in desperate need of updating. Section 706 of the 1934 Communication Act gives the President a virtual carte blanche to close ‘any facility or station for wire communication’ if the President proclaims war, or threat of war. The authority can be exercised for six months after the threat has expired. So, the story goes that this old legislation grants the President, I think, way too much power, and this proposal bill addresses this concern. The only way that could happen, as far as I can see, is either by convincing or forcing those that maintain the root domain servers, ISPs and search engines to play ball.

Despite talks of shark attacks and kill switches and cyber-attacks attempting to kick the internet in the shins, I have learned that communities can work together to build beautifully resilient systems. We obviously recognised our dependence early on, learned from our mistakes and continue to tweak and improve the internet’s infrastructure.

Much more likely are continued attacks at the application level. Finding a vulnerability in a program that is used by a large proportion of users, like a search engine, YouTube or Facebook, can have serious consequences. After all, there are very few reported attacks to the root domain servers, but countless new malware that threaten the average computer user every day.

As I was explaining how cool the internet design is to a friend’s seven-year-old son, he said, ‘Ya, but you have to plug it in, right, so what if there is a world-wide power cut?’ Good point I said, and smiled.


The Digital Economy Act 2010 (Act) received Royal Assent on 8 April as part of the parliamentary ‘wash up’ procedure. The majority of the Act comes into force in June, but there are aspects of it that are already in effect.

The Act is a result of the Digital Britain Report, the original aim of which was twofold: (i) to maximise the benefits of the digital revolution by improving Britain’s communications structure; and (ii) to address the issues of online copyright infringement. The Act contains provisions and severe enforcement measures relating to the UK network communications structure, public-service broadcasting, online copyright infringement and digital safety.

This article focuses on the key obligations placed on internet service providers (ISPs) which are aimed at the reduction of online infringement of copyright and the controversial new powers for the Secretary of State and Ofcom to penalise such infringement. Ofcom is in the process of producing a code of practice in relation to the new obligations and powers, specifying both the enforcement procedures that Ofcom may use and the rights of appeal for subscribers. Ofcom expects to publish the final code in September.

One of the key aims of the Act is to tackle online copyright infringement, in particular unlawful file sharing via peer-to-peer online networks. Court proceedings previously dealing with this problem were lengthy and time-consuming and there are various new measures introduced by the Act to deal with it more effectively.

Firstly, certain ISPs will be required to notify their subscribers of allegations made by copyright owners that their account, or IP addresses associated with it, has been used for unlawful file sharing. Subscribers must be provided with sufficient information in any notification such that they can challenge the basis under which the notification has been sent. ISPs are also required to maintain a list of the subscribers who receive multiple unchallenged notifications and, if the number of copyright infringement reports regarding that subscriber reaches a certain threshold, to provide anonymous copyright infringement lists to copyright owners. The copyright owner will then be able to apply to the courts to obtain the names of those subscribers.

Secondly, by way of regulations, the Secretary of State can provide for a court to issue a blocking injunction in respect of an internet location that the court is satisfied has been, is being, or is likely to be used for, or in connection with, an activity that infringes copyrights. The Secretary of State can only make such regulations if they are satisfied that the use of the internet for activities that infringe copyright is having a serious adverse effect on businesses or consumers, and that making regulations is a proportionate way to address that effect and would not prejudice national security or the prevention of crime. There are many considerations that the court will have to take into account when deciding to issue such an order, and the measure must receive approval by both Houses of Parliament. This is therefore not a step which will be taken lightly.

LEGAL

Thirdly, there are provisions that allow the Secretary of State to require ISPs, by order, to take certain drastic technical measures against subscribers ranging from limiting internet connection speed to the suspension of an infringer’s internet connection. Again, this power is limited to the most serious situations. Before exercising its powers, the Secretary of State will have to consider a formal Ofcom assessment of the need for such technical measures and Ofcom’s report on the infringing activity itself. Such an order also requires both a 60-day consultation period and approval by both Houses of Parliament and cannot be made until the Ofcom code of practice has been in place for more than 12 months.

Finally, the Act has introduced severe penalties for contravention of general obligations of ISPs and website operators or for contravention of obligations to impose technical measures. The maximum penalty is £250,000, although the Secretary of State can increase this amount by order.

The Act has received a lot of press coverage, largely because of these controversial measures to tackle severe repeat offenders of copyright infringement. There has also been strong objection from opposition parties to the way that the Bill was passed into law through the wash-up procedure rather than under normal parliamentary procedure. The coalition agreement does not address any possible review of the Act but, in the lead up to the general election, Nick Clegg recommended its repeal and the Conservatives pledged to amend any flawed aspects of the legislation. It will therefore be interesting to see how the scope of the Act develops and is enforced over the coming months.

Charlotte Walker-Osborn, Partner, and Jennifer Liddicoat, Solicitor, Technology Group, Eversheds LLP, discuss the Digital Economy Act.

Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source. www.bcs.org/legal

DEA WASH UP


Assessing Information Security: Strategies, Tactics, Logic and Framework
Andrew Vladimirov, Konstantin Gavrilenko and Andriej Michajlowski
IT Governance Publishing
ISBN 978-1-84928-035-8
£49.95

This is a book about information security auditing. It has been written by three practitioners who are all joint founders of an information security consultancy company based in the UK. The main theme throughout this book is that you can learn a lot about defending yourself against cybercrime by drawing parallels with military strategy. Hence, there are many quotations from the military throughout the book. Whilst I agree that this analogy is a good one, the continual quotes from the military did start to irritate me.

The authors claim to be radical and controversial in their thinking. Although I did find some examples of controversial thinking, I struggled to find anything significantly radical unless you are completely inexperienced in security auditing, in which case you should find the book helpful.

The book is not intended to be a reference book. Rather, the reader is taken through a logical sequence of steps required to perform a successful security audit. The reader is reminded to take a holistic view, to think like a cybercriminal and to adapt rather than be constrained or blinkered by static security policies, technology and vulnerability scan results.

Types of assessments, planning and strategies are discussed given the constraints of time and budgets, such as the need to identify and concentrate on the ‘critical points’.

Just as important is reporting the outcome of the assessment. Contents, structure and style of the report are discussed. In the final chapter the authors discuss what could go wrong with the audit and how such problems could be avoided.

If you are new to security auditing you’ll find some useful nuggets of information in this book that will help you to avoid the common pitfalls and get you into the right mindset.

Mehmet Hurer MBCS CITP CEng

IT Induction and Information Security Awareness: A Pocket Guide
Valerie Maddock
IT Governance Publishing
ISBN 978-1-84928-033-4
£9.95

This is a gem of a handbook that covers just about everything an IT department needs to know about putting together an IT induction programme. It’s a slim volume but one that packs considerable content into its seven chapters and is written by an IT Industry Awards finalist with considerable experience and expertise in the topic being covered.

As befits the organisation the author works for - The Salvation Army - volunteers are included alongside the usual employees, contractors and third party staff that need to be included in an induction programme. As the title describes, the book covers both security awareness and the use of IT facilities and so will have wide appeal.

A clear distinction is made between the role of a subject matter expert (SME) providing content for induction programmes and the function that may end up delivering it – and good advice is offered on the respective roles of HR and IT, which supports what the Chartered Institute of Personnel and Development (CIPD) have long recommended. One important area that is also covered is refresher training as facilities change or are moved, and the scope of induction also includes executives.

The author provides a comprehensive list of content covering many areas not often considered in a classical induction approach. The way The Salvation Army approached its IT induction programme is included as a case study. The style of writing is easy to read and assimilate and the book is commended to anyone who needs to scope and deliver an introduction to IT facilities and/or information security for staff, contractors, third party employees and volunteers.

Peter Wheatcroft FBCS CITP

BOOK OF THE MONTH

Hacking Exposed: Computer Forensics Secrets & Solutions (2nd edition)
Aaron Philipp, David Cowen and Chris Davis
McGraw-Hill
ISBN 978-0-07-162677-4
£34.99

This updated edition provides the reader with the required technical knowledge to carry out an investigation and also some very helpful practical advice in regard to following correct processes, securing evidence and complying with legal requirements (admittedly with a US bias).

The book starts with a couple of chapters concerned with protecting the investigator’s credibility when testifying. A nice touch is a chapter giving a comprehensive summary of IT fundamentals, which is provided for revision purposes the day before taking the stand to prevent attempts to discredit the investigator with pedantic questions about the mechanics of hard disks, file partitions in MS-DOS and so on. The chapter following this explains how to properly secure all evidence to prevent tampering and spoiling and to allow the investigator to testify with full confidence that they are presenting forensically sound evidence.

8/10

7/10

The main section of the book is the most technical and is more interesting to the more technical reader. It deals with the collection of evidence from a variety of machines including Macs, PCs, Linux machines, enterprise servers and mobile devices. Some comprehensive coverage is provided detailing techniques and tools to isolate and recover information and to retrieve ‘deleted’ data.

Sections concerning the justice system and criminal law related to IT contain vital knowledge for a forensics practitioner, but any reader in the UK would need to supplement their knowledge using other sources as the book is written for a US audience. This is understandable when viewed in terms of the size of the respective markets, however it does reduce the value of the book to UK readers.

While all the advice given is very good and very comprehensive, the reader should be advised that it would be unwise, to say the least, to attempt to carry out a forensic investigation solely under the instruction of this book, without additional training and support.

Nick Dunn

10/10

BOOK REVIEWS


The predecessor of the internet (Arpanet) was designed to survive an atomic war. As such, the prime directive of any internet connected computer is to respond with a ‘yes’ to any enquiry from another computer asking the question ‘are you still operational’. This very response mechanism has since been exploited by hackers pinging internet addresses with the hope of getting a response from another computer. Knowing that a computer is online presents them with the opportunity of either subverting it or launching a denial of service attack against it. As the internet is a network of networks which consists of millions of private, public, academic, business and government networks that are linked by a broad array of electronic and optical networking technologies, it stands to reason that international cooperation is required to protect the service. But what if a sovereign government decides to remove another country from the internet? Well, this is exactly what happened in 2007, when it is alleged that Russia conducted denial of service attacks against Estonian government websites. Whether Russia was responsible is a moot point, but the fact remains that for two weeks Estonia had severe internet availability problems.

Responsibility for protecting the UK infrastructure rests with the Centre for the Protection of National Infrastructure (CPNI). This is a government agency that provides protective security advice to businesses and organisations across the national infrastructure. Note the use of the word advice. It is up to the recipient of the advice to take the relevant action. In many cases the decision is likely to be taken on commercial considerations (even not-for-profit organisations have budgets), along the lines of ‘will implementing this advice cost me more than I am likely to lose as a result of any disruption?’ So what is in the interests of UK plc may not make commercial sense to a single company. Now most organisations are selfish, rather than altruistic, so the message has to be that we are all in the same boat so let’s share the cost in order to reduce the pain. However, the issue is now clouded by the growth of outsourcing, off-shoring and cloud computing. Whose infrastructure is your critical application running on? It is possible that the critical infrastructure you are relying on is hosted in another country over which the UK has no control. Do they have the equivalent of a CPNI? Where is your data? Who manages your email? Where is the attack coming from? Do we have jurisdiction in that area? Anyone who receives unsolicited communications (spam) knows just how difficult it is to stop it.

The US government has had some success in prosecuting spammers, but the majority carry out their business without interruption as they operate from countries without extradition agreements. Spam is a limited form of denial of service, which can easily be ramped-up to overwhelm a target as Steve Gibson of Zone Alarm firewall fame found when he inadvertently questioned the technical ability of a 13-year-old hacker. Gibson knew how to protect himself, but was helpless against the storm of continuous and various attacks against his website. In the end, only a public apology stopped the maelstrom of pings against his IP address. And therein lies the problem. In much the same way as the launching of the Dreadnought battleship by the British in 1906 made all other battleships obsolete, and hence set a level playing field for all nautical nations, we now have a situation where countries without an investment in expensive, up-market, weapon systems have a level playing field when it comes to cyber warfare.

OPINION

It has often been said that the next war will be won by the side with the fastest computers. This makes sense as the faster the computer, the quicker it can both attack other devices and defend itself against counter-measures. Military aircraft still have old fashioned, mechanically-based inertia guidance systems in case the state-of-the-art GPS satellite navigation system is disrupted. True business continuity planning. What fall-back do we have if we lose the internet? Precious little is the answer. But going back to where I started from, the internet is designed to survive an atomic war; which is more than we humans are. Do I see the founding of a machine civilisation that will outlive us?

For additional articles please visit: www.bcs.org/articles

ATOMIC SURVIVAL

The internet was designed to survive an atomic war, John Mitchell asks if it can survive attacks from the people who use it too.
