Wednesday 15 May 2013

"When it comes to cyber security QinetiQ couldn’t grab their ass with both hands"

So said Bob Slapnik, vice president at HBGary, the security experts "detecting tomorrow's threats today", as reported by Bloomberg, the company that's been using its financial information terminals to spy on its clients. So says the New York Times, the company whose cyberdefences were breached in 2012 by the Chinese, seeking to stop people being rude about Prime Minister Wen Jiabao. Although the Chinese say they didn't.

You can see why Mr Slapnik was cross back in 2010. QinetiQ had just won a contract to advise the Pentagon on how to counter cyberespionage despite QinetiQ's own computer systems having been comprehensively hacked for the previous three years.

But talk about the pot calling the kettle black, one reason QinetiQ's inability to grab its ass with both hands came to light was an examination of the documents hacked out of HBGary in 2011 by Anonymous, the cybervigilantes previously derided as mere "script kiddies", who were so piqued by Aaron Barr, HBGary's CEO, pretending that he had infiltrated them that Anonymous ...
... infiltrated HBGary’s servers, erased data, defaced its website with a letter ridiculing the firm with a download link to a leak of more than 40,000 of its emails to The Pirate Bay, took down the company’s phone system, usurped the CEO’s twitter stream, posted his social security number, and clogged up fax machines ... 'You brought this upon yourself. You’ve tried to bite the Anonymous hand, and now the Anonymous hand is bitch-slapping you in the face', said the letter posted on the firm’s website ...
That's according to Dr Thomas Rid, who finishes his report with: "the attack badly pummeled the security company’s reputation". Yes, you can see how it would, but HBGary (detecting yesterday's threats tomorrow) had been commissioned to sort out QinetiQ's cybersecurity problems so circumspice, Mr Slapnik.

Not to be left out, Bloomberg had been targeted by the same Chinese hackers in pursuit of the same object – keeping Mr Wen's business dealings out of the news. Fail. Everyone who is anyone had been hacked. The Pentagon briefed "about 30" defence contractors like QinetiQ about Chinese hacking in 2007-08, too late to stop the Chinese acquiring so much information on Lockheed Martin's F-22 and F-35 fighter jets that it's doubtful now whether it's worth deploying them. Ditto the designs for the US combat helicopter fleet, drones, satellites and military robotics, all of which were copied from QinetiQ's computers.

Bloomberg's computers weren't hacked straight from China. The Chinese tried to come in via computers they had taken over in various US universities. Same modus operandi, NASA complained to QinetiQ that it was under attack by the Chinese via QinetiQ's computers and would QinetiQ please sort it out. Investigators into that hack found that you could just sit in the car park and connect to QinetiQ's network via an unsecured wifi. They also found that the Russians had been stealing trade secrets from QinetiQ for 2½ years.

Towards the end, the Chinese had access to 13,000 internal passwords at QinetiQ and they could do pretty much whatever they wanted: "by 2009, the hackers had almost complete control over TSG’s computers". TSG is QinetiQ's Technology Solutions Group, whose boss reckoned that investigating all this hacking took too long. "You finally have to reach a point where you say let’s move on" and, indeed, he has now moved on.

HBGary weren't the only security experts trying to sort out QinetiQ. Mandiant were in there (and at the New York Times) and suggested using two-factor authentication to log on to the QinetiQ network, the way those of us with a Lloyds business account do. No, said QinetiQ, and off went all their robotics designs.

HBGary's counter-espionage software was installed on 1,900 QinetiQ computers but it wouldn't run on a lot of them and when it did it missed some rogue software and reported some benign software and it slowed the machines down so users did what they always do and deleted it. HBGary accused another consultant, Terremark, part of Verizon, of withholding information and Terremark said damned if they were telling HBGary anything, their clunky software was alerting the hackers to the investigation.

Two months after the all-clear, the FBI had to tell QinetiQ they were losing data again and all the consultants came back and tried to clear out the malware they had missed last time round. Meanwhile, the Chinese have got bomb disposal robots on the market that look remarkably like QinetiQ's but they're cheaper.

All of which is just by way of introductory remarks. Setting the scene.

Remember Skyscape? The cloud computing company owned by just one man? The company with contracts from the MOD, HMRC and the Government Digital Service (GDS)?

GDS never did respond to the letter asking them how they had seen fit to entrust GOV.UK to a one-man company. But HMRC did. Twice. Which is very proper of them.

The HMRC response came from Phil Pavitt, HMRC's Director General Change, Security and Information. He said (22 October 2012):
Skyscape’s services are provided through a number of key, or “Alliance”, Partners. These partners are industry leading organisations that provide services in the data centre or “cloud” arena such as EMC (storage  and security services), Cisco (networking) and Ark Continuity (UK based high security data centres) ...

... data security remains integral to HMRC and a pre-requisite of any of our data being migrated to Skyscape is for their solution, including all the constituent parts, to be formally accredited by CESG (the Communications-Electronics Security Group) to Impact Level 3 (IL3) ...

This accreditation is expected imminently, at which point HMRC will be in a position to begin securely moving data over to Skyscape and decommissioning our old servers ... will be re-competed to ensure HMRC continues to take advantage of innovative, secure and low cost solutions ...

It should also be noted that for security reasons HMRC does not discuss details of the data that it holds, or where it stores it, however we are able to confirm that by using Skyscape HMRC data will continue to be kept in accordance with existing legislation and HMRC security policies ...

The data, which will be securely stored by Skyscape, currently resides on several hundred servers, across multiple HMRC office locations. This change will consolidate that data and place it into a small number of secure and highly resilient cloud data centres hence improving the security of the data, the efficiency of managing that data ...
and (28 November 2012):
I must reiterate our assurance that using Skyscape HMRC data will continue to be kept in accordance with existing legislation and HMRC security policies.

When fully operational, Skyscape Cloud Services Ltd will securely host all HMRC data currently held on office File and Print Servers (FAPS) ... FAPS do not hold the definitive tax records for the UK and these records remain distributed across a number of secure systems.

HMRC routinely risk assesses and tests the security of our solutions and services. Our secure connection to Skyscape will be delivered in line with HM Government standards to protect our data, with ongoing assurance checks throughout the life of this service ...

Data security remains integral to HMRC and a pre-requisite of any of our data being migrated to Skyscape is for their solution, including all the constituent parts, to be formally accredited by CESG (the Communications-Electronics Security Group) to Impact Level 3 (IL3). All security aspects of the service will have to be proven in line with HM Government security standards. This will include the need to ensure the ‘cloud’ is hosted in a UK domiciled, secure data centre(s) and operated by staff with appropriate security clearance ...
It's not just HMRC. Here's GDS in their Government Digital Strategy:
We know that our users often find it hard to register for our online services, so it is
vital that we offer a more straightforward, secure way to allow our users to identify
themselves online while preserving their privacy ... (p.34)

Legality, security and resilience

Transactional services will be redesigned to:
  • be robustly protective of the security of sensitive user information
  • maintain the privacy and security of all personal information ... (p.46)
And here's Mydex, one of the UK's eight identity providers, writing about PDSs (personal data stores):
Personal Data Stores create a single, secure, easy-to-access store for such information so that when we need it it’s at our finger tips ... (p.8)

... the PDS can create one single message informing them of the fact that the card has been lost. It can then be sent securely, direct to their systems ... (p.9)

... behind each payment there is a hugely sophisticated system of highly secure data ‘handshakes’ taking place across a complete eco-system of supporting players ... (p.14)

Etc ...
Skyscape is in an alliance with QinetiQ. That doesn't bode well. But it's not just QinetiQ. The Pentagon felt it necessary, remember, to brief about 30 contractors on cybersecurity. They all have problems. Are any of them capable of grabbing their ass with both hands?

Judging by the daily diet of cyberattack stories, no. Cybersecurity looks like a myth. Just bear that in mind whenever a supplier offers you security.


(Hat tip: Anonymous @ 3 May 2013 10:31, see also the excellent 'Chinese' attack sucks secrets from US defence contractor in ElReg®)


Updated 22.5.14

There were bound to be consequences.

With all these allegations of Chinese hacking flying around, the US had to do something. And now they have. 19 May 2014:
America sues China over corporate spying
America's fraught trading relationship with China turned even more hostile on Monday, after Washington filed an unprecedented lawsuit against Beijing for corporate spying.

The US Department of Justice accused members of China’s military, the People’s Liberation Army, of stealing sensitive information from major energy and metal companies, including Alcoa, the aluminium producer, and Westinghouse, which makes nuclear reactors.
The post above was written three weeks before the Edward Snowden revelations. We now know what we didn't in mid-May 2013 that the US is quite capable of a bit of hacking themselves. It's not just China.

Which may be what China had in mind in their initial response to the US suing them. They called the US a "high-level hooligan". Not entirely impolite – it's better than being a low-level hooligan.

Then they raised the stakes, by calling the US a "mincing rascal". It's not clear which international law being a mincing rascal contravenes. But it sounds bad. China wins phase one of the epithet war.

This whole cybersecurity and countersecurity business is fraught with dilemmas. Ethical, legal, diplomatic and trade dilemmas.

Given that you are a rascal, is it better to be a mincing one than not? It's not clear.

And then there's the FBI problem.

Like everyone else, they're trying to recruit infosec/information security experts. These experts are exceptional people. Few and far between, an inordinate number of them lead lives fuelled on drugs, 21 May 2014:
Wacky 'baccy making a hash of FBI infosec recruitment efforts

... FBI Director James Comey ... reportedly told the White Collar Crime Institute that he needs a “great work force” to compete with the black hats, but “some of those kids want to smoke weed on the way to the interview”.
Ethics, the law, diplomacy or trade? Which one will win?

Trade. It often doesCisco to Obama: get NSA out of our hardware. Etc ...

Updated 19.1.15

China now knows what most people in the west are catching up with: that the F-35 Joint Strike Fighter is a lemon.

The latest round of managed information release by Edward Snowden via Spiegel (one of a series) includes the snippet that Chinese security services copied “terabytes” of data about the aircraft ...
Please see also China calls Snowden's stealth jet hack accusations 'groundless'. "Lockheed Martin is producing the F-35 for the U.S. military and allies in a $399 billion project, the world's most expensive weapons program.".

So much for the security of Lockheed Martin's computer systems.

Lockheed Martin must be among the best in the business. The security business. And $399 billion should buy you the best of ... just about everything. And yet "the F-35 Joint Strike Fighter is a lemon".

Charming old stick-in-the-muds that they are, the Government Digital Service may believe that they can offer the public a secure national identity scheme, GOV.UK Verify. But they really can't expect us to believe it. Not now.

Updated 25.5.15

John Bercow mood music

"Read our blog", said the self-proclaimed Digital Leaders on 25 May 2015, and pointed us all at a 12 February 2015 blog post by John Bercow MP, Speaker of the House of Commons, British democracy and the digital revolution.

Mr Speaker established a special Commission in late 2013 to "consider how the digital revolution has changed or might further develop British representative democracy".

The Commission has reported now. It sets five targets. And target #4 is:
By 2020, secure online voting should be an option for all voters.

Just reading over the post above, you can't help noticing that Lockheed Martin of all people couldn't keep the design of the F-35 Joint Strike Fighter secure. Ditto the F-22. Ditto the designs for the US combat helicopter fleet, drones, satellites and military robotics, all of which were copied from QinetiQ's computers. But Mr Speaker thinks that on-line voting could be secure.

Why does he think that? What does he know that Lockheed Martin and QinetiQ don't?

And Sony. What does Mr Speaker know that Sony don't know?

Remember Sony?
For two weeks or so now [we said in December 2014], we have all watched as Sony's private and confidential correspondence has been published by hackers, personal details about the stars of their films have been revealed and the value of the company's intellectual property has been destroyed.
If Mr Speaker can obtain endorsements from Lockheed Martin, QinetiQ and Sony to the effect that they have good reason to believe that he knows how to deliver secure on-line services including electronic voting, maybe we'll believe that his target #4 is feasible. Otherwise, no, his words are just John Bercow mood music.

No comments:

Post a Comment