<?xml version="1.0"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0"><channel><title>Anthony M. Freed's Open Salon Blog</title><description></description><link>http://open.salon.com/user.php?uid=6366</link><lastBuildDate>Wed, 25 Nov 2009 07:11:57 -0500</lastBuildDate><item><title>Wozniak, et al Discuss Ripcord VoIP Security</title><description>

&lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;strong&gt;By &lt;a href="http://information-security-resources.com/our-team/"&gt;Kevin M. Nixon&lt;/a&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;I recently had the opportunity to talk to some of the best known innovators of our time, &lt;em&gt;&lt;strong&gt;including &lt;/strong&gt;&lt;strong&gt;Steve Wozniak, John McAfee, Alex Fielding, Phil Zimmermann, Jon Callas and Marc Hodosh&lt;/strong&gt;&lt;/em&gt;.&amp;nbsp; They discuss the fatal flaw in VoIP which creates the ability to perform warrantless wiretaps and what they have done to lead the industry toward a more trusted and secure Cyberspace.&lt;/p&gt; &lt;p style="text-align: justify"&gt;Can VoIP Really Be Encrypted?&amp;nbsp; No, or at least not until now.&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;Forrester Consulting fielded an online survey of email decision makers at large US, UK, German, French and Australian companies. Respondents were asked about their concerns, priorities and plans related to the content of email leaving their organizations, as well as related concerns about the risks associated with mobile devices, blogs and message boards, media sharing sites and other electronic communications technologies.&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;span&gt;Forrester gathered a total of 424 responses from companies with 1,000 or more employees, including 301 US, 32 UK, 30 German, 31 French and 30 Australian companies. 
The findings of the 2008 study are published in the report &amp;ldquo;&lt;/span&gt;&lt;a href="http://www.proofpoint.com/downloads/Proofpoint-Outbound-Email-and-Data-Loss-Prevention-in-Today%27s-Enterprise-2008.pdf"&gt;&lt;span&gt;&lt;u&gt;Outbound Email and  Data Loss Prevention in Today&amp;rsquo;s Enterprise, 2008&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&amp;rdquo;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;The greatest interest by survey respondents was in having the ability to make phone calls from a laptop computer, in allowing employees to make phone calls from a PDA, and in unified messaging, which allows (among other things) users to access e-mail messages from their voice mail boxes. &lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;The number of cellular/WLAN subscribers will reach over 256 million worldwide by 2009, or roughly 12% of all cellular subscribers. By 2009, the numbers of subscribers using WLAN for voice is expected to exceed those using WLAN for data only. &lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;Overall, about 60% of decision-maker respondents believed that it would be beneficial to have a solution that integrates the WWAN with the WLAN.&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;span&gt;The number of &lt;/span&gt;&lt;a href="http://www.computerweekly.com/Articles/2007/08/09/226110/voice-over-ip-the-expert-view.htm"&gt;&lt;span&gt;&lt;u&gt;voice over IP (VoIP)&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt; users in Europe has quadrupled in two years, driven by aggressive pricing for bundled communications services, says telecommunications analyst &lt;/span&gt;&lt;a href="http://www.telegeography.com/"&gt;&lt;span&gt;&lt;u&gt;Telegeography&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;span&gt;The firm &lt;/span&gt;&lt;a href="http://www.telegeography.com/products/euro_voip/index.php."&gt;&lt;span&gt;&lt;u&gt;reported&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt; that at year-end 2007, 25.3 million consumer VoIP lines were in service in Western Europe. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;span&gt;This was up from 15 million in 2006, and nearly four times the 6.5 million VoIP subscribers in 2005. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;strong&gt;Costs of Data Compromises Rising &amp;ndash; Data Thieves Becoming More Aggressive&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;a href="http://www.ponemon.org/management"&gt;&lt;span&gt;&lt;u&gt;The Ponemon Institute&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;, in a study of 43 companies sponsored by PGP, found the total cost of coping with the consequences of data compromise events rose to $6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;span&gt;There are some distinct consequences of a data breach, especially in healthcare and financial services, Ponemon notes. In these two industries more than others, customers notified of a data breach are more likely to discontinue association with companies that failed to secure sensitive data about them.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;span&gt;In other findings, the Ponemon study said 88% of all the cases for 2008 were traced back to insider negligence. 
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;span&gt;The survey also showed that 44% of data breaches occurred due to external causes involving third parties, an increase from 40% in 2007 and 29% in 2006, the Ponemon report states. A third-party breach is defined as third-party professional services, outsourcers, vendors and business partners that were in possession of the data and responsible for holding it. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;span&gt;Costs for a data breach mount up because of lost business and legal defense, which grew in 2008, while costs of customer support, notification and free services such as credit monitoring decreased, according to the study.&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;strong&gt;Legal Impact &amp;ndash; VoIP Can Compromise Client &amp;ndash; Attorney Privilege &lt;/strong&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;a href="mailto:%3ccstamer@cttlega.com;%20cstamer@solutionslaywer.net%3e"&gt;&lt;span&gt;&lt;u&gt;Cynthia Stamer&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;, Partner, Curran, Tomko and Tarski and Board Certified in Labor &amp;amp; Employment Law by Texas Board of Legal Specialization&lt;strong&gt; &lt;/strong&gt;Corporations, verified that the Ponemon report aligns exactly with her client&amp;rsquo;s issues and concerns: &lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;strong&gt;&lt;span&gt;Cynthia: &lt;/span&gt;&lt;/strong&gt;&lt;em&gt;&lt;span&gt;Board Members, Directors, Officers, Executive Management and employees must operate with a heightened awareness to ensure that they are using encrypted voice over ISP or any other technology, businesses and their leaders must constantly consider the potential implications that the use of any technology on the records and evidence created and retained. 
Too often the accessibility of technology and accompanying lack of awareness of when they preserve data that could be evidence lures business leaders and others to stay and do things with inadequate caution. Because of the way equipment and its technology have evolved, some record or other evidence almost always is created and retained when businesses use even basic technology including a pencil, a tape recording, text message or e-mail, telephone conference call, computer note or otherwise. Failing to recognize and properly manage the information across all of these technologies can create unnecessary risks. Concurrently, however, businesses also need to remember that the management, retention and destruction of this information in itself may be used as evidence. Business leaders always must plan for the potential need to prove that they are doing the right thing and communicate and act accordingly.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;strong&gt;Now What?&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;OK, recap time: We now know that VoIP is taking over the world. Data thieves in these hard economic times are drilling faster and deeper. &lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;The most respected researcher in data security and protection warns the industry that the costs to recover from a data compromise have risen by almost $2 Million in the last 24 months. &lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;Then to top things off, the telephone call I make to my attorney for help and advice may be used as evidence against me unless I find a hacker-proof way to keep employees, vendors and my biggest competitor from listening in and recording my VoIP calls. 
&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;strong&gt;The Perfect Solution:   Ripcord Networks and the IT Industry Icons Who Are Involved&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;Lucky for me,  my internet search of the &lt;/span&gt;&lt;a href="http://www.ietf.org/"&gt;&lt;span&gt;&lt;u&gt;Internet  Engineering Task Force&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt; (IETF) database provides the answer to my first question: &lt;em&gt;Is there  a best practice or standard for encrypting VoIP connections to prevent  Man in the Middle attacks? &lt;/em&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;Yes, it&amp;rsquo;s called &amp;ldquo;&lt;/span&gt;&lt;a href="https://datatracker.ietf.org/drafts/draft-zimmermann-avt-zrtp/"&gt;&lt;span&gt;&lt;u&gt;ZRTP: Media Path  Key Agreement for Secure RTP&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;&amp;rdquo;. &lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;My second question:&amp;nbsp; &lt;em&gt;Who sells products or software that use the protocol? &lt;/em&gt; &lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;The answer: &lt;/span&gt;&lt;a href="http://www.ripcord.com/"&gt;&lt;span&gt;&lt;u&gt;Ripcord  Network&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;.&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;&lt;strong&gt;A Company With Credentials&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;When I research a company, I usually start with &amp;ldquo;Who Runs the Company&amp;rdquo; and much to my surprise I discovered where all of the IT Industry Icons and Einsteins have all been planning their next show stopper.&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;I picked up the phone (land line) and called the CEO of Ripcord, Alex Fielding and arranged to interview him and the members of the Board of Directors. 
&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;Over a period of time each Board Member graciously answered questions for the interview. Only after I had talked to everyone did I discover that Ripcord has never issued a press release and has only been briefly mentioned in three articles. &lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt; The best &amp;ldquo;Easter Egg&amp;rdquo; appears on the company&amp;rsquo;s Investor Relations page. &lt;/span&gt;&lt;a href="http://www.ripcord.com/investor.html"&gt;&lt;span&gt;&lt;u&gt;See for yourself&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt;.&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;I sat down with Alex Fielding, the CEO of Ripcord Networks, and we began our chat: &lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN:&lt;/strong&gt; Alex, I can&amp;rsquo;t tell you how great it is to have a chance to talk to you today. Let&amp;rsquo;s start with some background. What does Ripcord do?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;Alex:&lt;/strong&gt; No matter where you are in the world, no matter what handset you are using, we enable secure-encrypted private voice and video conversations across a wide variety of popular off the shelf devices including: mobile phone, desk phone, PC software, Instant Message, teleconference, and Conference Bridge.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;(Basically we provide the encryption software and protocols that are leading the charge in secure interoperable IP voice and video communications.)&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;Alex:&lt;/strong&gt; Steve Wozniak (co-founder Apple), John McAfee (founder McAfee Associates), and I are on the Board of Directors of Ripcord Networks. 
Additionally we have the best employees and advisors in this space. Ellen Hancock is Chair of our Board of Advisors (former company affiliations include: IBM, Apple, Exodus, Aetna, Colgate/ Palmolive, EDS). The Board of Advisors includes: Jon Callas (CTO &amp;amp; CST of PGP), Phil Zimmermann (PGP founder, ZRTP author, and privacy advocate), Marc Hodosh (President, TEDMED, Archon XPrize Genome Project), Dan Pitt, and others.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span style="text-align: justify"&gt;&lt;span&gt;&lt;strong&gt;Alex:&lt;/strong&gt; Everything is moving to real-time IP based communications. The latest release covers IP based communications, specifically: all voice and video communications, Desk Phones, Wi-Fi, Chat- Video-Voice, Laptops, eBooks, and Tablets. The next release will include: Conference Bridging, Voice over Satellite, Remote Sensors, Mobile Phones, and Tactical Radios. Securing these devices has unique and specialized challenges that Ripcord's product offerings are well suited to solve. There was no previously elegant or easy way to secure these IP based devices and we have a solution to the problem that is unified.&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;(At this point Alex introduced me to Steve Wozniak. What a nice guy! Our Q&amp;amp;A session had been rescheduled several times due to his participation on &amp;ldquo;Dancing with the Stars&amp;rdquo; and so we got right down to business.)&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt; &lt;strong&gt;KMN&lt;/strong&gt;: Steve, I am really glad to have this chance to get to know more about your vision for Ripcord. 
Do you mind if I use your nickname in the article?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;WOZ&lt;/strong&gt;:   No problem whatever works best.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN&lt;/strong&gt;:  There are other companies in the secure communications space for voice  communications; what makes Ripcord different?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;WOZ&lt;/strong&gt;: Ripcord is a 100% US operation when it comes to code development and R&amp;amp;D. We write all the code here in the states and our employee base is very specialized and suited to the needs of very discerning customers. We offer a level of security, NSA Suite B with elliptic curve mathematics, and provide the best key generation and exchange available to non-classified personnel and projects for non-type 1 communications.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN:&lt;/strong&gt; Why did you select ZRTP? &lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;WOZ:&lt;/strong&gt; Simple. 
ZRTP was developed by the finest minds in the encryption business and Ripcord has the finest minds implementing their hardware and software in the most secure and easy to use ways.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN:&lt;/strong&gt; How can you be sure that your technology isn't breakable or able to be cracked?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;WOZ:&lt;/strong&gt; We open a flavor of our Secure Ripcord API, our key generation, mathematics, and exchange under GPL to the open source community. &lt;/span&gt;&lt;span&gt;Zimmermann does the same with a flavor of his ZRTP protocol. However, we don't open all our code but we do open the relevant parts so that developers can scrutinize what we're doing openly and provide harsh criticism of our technology and of our code. We really take this feedback to heart and a lot of the ideas and suggestions end up making it into our code-base through our own developers writing code that meets the need and matches the desire of the community at large. There are some really smart people out in the secure communications community and we figure that there are more of them than there are of us inside the company, so it's like having a huge Quality Assurance developer community working to benefit our products. There aren't too many companies in the secure products space in the World that can say they have as many people scrutinizing their source code and methods as we do. We are very proud of that. 
We hope others in this space will someday follow suit.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN:&lt;/strong&gt; What would you say makes Ripcord different from General Dynamics or L-3 in the hardcore crypto space?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;WOZ:&lt;/strong&gt; First of all, we're a lot smaller so we can adapt very quickly to our customers&amp;rsquo; needs. Secondly, GD and L-3 both specialize in Type 1 secure communications products. This is commonly referred to as NSA Suite A and could be thought of as security for classified government communications. Those guys focus on providing secure devices and specialized hardware that enables Type 1 secure communications for classified communications on custom hardware. We are a COTS (commercial off the shelf) company. We build very secure hardware and software for the commercial market. Our technology works on a ton of handsets that are popular everyday devices. We build very little custom hardware and the hardware we do build is designed for commercial markets; the fact that government can use it and loves it is just a nice bonus. If you were looking for a secure mobile phone for instance, GD or L-3 would sell you a &lt;/span&gt;&lt;a href="http://www.gdc4s.com/content/8B51364C-7743-4D9B-A48C-BF5E68244D8A/images/edge_parts_200804.jpg"&gt;&lt;span&gt;&lt;u&gt;SME PED&lt;/u&gt;&lt;/span&gt;&lt;/a&gt;&lt;span&gt; (aka &amp;ldquo;The Crypto-Brick&amp;rdquo;) that is a custom designed Type 1 secure communications device. We'd give you a BlackBerry, iPhone 3G, or G1 with our software running on it. We really are focused on IP based communications while the other guys are focused on migrating from circuit-switched. 
We are very different companies in too many ways to list.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN:&lt;/strong&gt; Alex, you told me that your software secures instant messenger; which  ones?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;Alex:&lt;/strong&gt; AOL Instant Messenger, Google Talk, Gizmo, SJ Phone, MSN Messenger, iChatAV, etc. Basically we operate with everything except Skype, and that was a very specific business decision of ours. Skype elected to provide China with all of their encryption specs, and we operate with a philosophy of &amp;ldquo;Made in America&amp;rdquo;. We provide software that has an incredible RTP detection heuristic that is very accurate and secures voice and video sessions on these instant messenger platforms. Not only do we operate with various IM applications we are also interoperable with Mac OS X, Windows Vista (32-bit and 64-bit) as well as Linux.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;(WOZ is on  his iPhone so Alex and I continue.)&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN:&lt;/strong&gt; You have a hardware product, Ripcord Secure Appliance, what does that  do?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;Alex:&lt;/strong&gt; Ripcord Secure Appliance is an inline encryption device. Basically you just plug it into your VoIP desktop phone, and plug it into the network and it does the rest. No configuration required. This box securely encrypts and decrypts your calls without any chance for human error in the configuration. It's centrally manageable for large organizations and stand-alone capable for smaller ones. 
It also has a feature where if your PBX fails, it will allow you to continue to do ad hoc calling for a number of VoIP desktop phones. We have a number of these deployed now and our customers love them.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN:&lt;/strong&gt; Tell me a little bit about your customers?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;Alex:&lt;/strong&gt; We get a lot of people coming to us with real problems that have substantial impact to their businesses and need solutions today. We have customers that are multi-national medical companies, banks, insurance, petroleum, aerospace companies and defense contractors.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;span&gt;(WOZ is off  the phone and ready for a philosophical question.) &lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN&lt;/strong&gt;:  How do you keep bad people from doing bad things with your technology?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;WOZ&lt;/strong&gt;: While we can't and won't police our potential customers, we all know when something just doesn't smell right. We are cautious about who we partner with, who we hire, who our investors are, and who our customers are. Our employees go through a very detailed background investigation before ever working on code. Our employees, if required, could all pass a rigorous background check required to have a level of security clearance that is well above that which is required. We have a strict ethical compass and mantra to "Do Some Good". We turn down a lot of opportunities for development because the proposals sometimes don't fit the bill for the standard that we hold ourselves to. We have turned down prospective employees and investors for very similar reasons. 
We want to always be on the right side of the line more often than anyone else in this space. &lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;Alex adds:&lt;/strong&gt; It's a lot like being in the data center business, a business from my past, where we made a decision that we wouldn't seek out certain types of customers that were doing things that didn't improve life for anyone, even if it was legal for them to operate, just because we didn't think they added value to our makeup as a company. We didn't think that certain customers fit the type of customer we could be proud of having. We didn&amp;rsquo;t do it in the data center space and the same is true at Ripcord.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN:&lt;/strong&gt; What do you see as the biggest challenge in secure communications?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;Alex: &lt;/strong&gt;There are a number of huge challenges in secure communications. One area that we are working on is securely connecting first responders like EMTs, police, sheriffs, troopers, border and customs agents to DHS and FEMA and up the food chain of government securely with some base level of communications tools so that the off the shelf devices these guys use in the field work together and enable secure communications without any specialized hardware or any private network. We have solutions in this space that are very attractive for this. 
Just imagine being President Obama and being given a &amp;ldquo;Crypto-Brick&amp;rdquo; and glancing back and forth between that device and your BlackBerry...Which one would you want to use?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN&lt;/strong&gt;: Does your encryption have any effect on communications during pandemics?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;Alex&lt;/strong&gt;: The obvious answer is that during a pandemic, many employees will be asked to work from home and telecommute to avoid infection. When you are in certain regulated industries or really any business where you don't want your information being sent over the internet in the clear, you will see value in securing your conversations and video conferences. We enable both. Other companies, like Sun with Sun Ray, are offering great solutions for authentication and login so that employees working at home can really validate and certify their identities and access levels. Without technology like ours and like Sun's, having employees working at home and talking on their phones about confidential customer or patient records is just not a smart idea and is unlawful in certain cases.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN&lt;/strong&gt;: What about regulatory compliance?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;Alex&lt;/strong&gt;: There are some call recording requirements now on VoIP calls because VoIP is seen as data in the eyes of certain regulatory bodies. This is becoming true for SAS-70 and HIPAA now and in the near future. Imagine being a hospital or bank and having to record, transcribe, and securely store call recordings of all your phone calls that were VoIP... That costs a lot of money and takes a lot of resources. 
The regulations on encrypted data are much less severe and in many cases the recording and storage requirements don't exist for encrypted communications. So, just install Ripcord solutions and save yourself millions of dollars. There are a lot of other regulatory compliance issues sprouting up around encrypted voice communications and it just means that the market is really maturing and understanding the threat level.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;KMN:&lt;/strong&gt; Why do you think that Ripcord is gaining traction in this space?&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;span&gt;&lt;strong&gt;Alex:&lt;/strong&gt; We are getting some recognition as a brand and a technology that provides a great level of encryption for voice and video communications. We partner with companies in the data encryption space that specialize in stuff like email encryption and whole disk encryption but we know where our core competency is. We are great at voice and video for IP based communications. I think the reason we are succeeding here is that we are one of the only companies in the United States in this field and we're doing some of the most innovative stuff. Also, because we're not bogged down by circuit switched integration projects, we're just looking forward and not looking behind. We learned our history quite well and now is the time to lead and innovate.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;span&gt;(WOZ is back on the phone again so Alex and I wrap for the day. My discussions with the other Board Members will continue in Part 2.)&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;strong&gt;Kevin M. 
Nixon, MSA, CISSP&amp;reg;, CISM&amp;reg;, CGEIT&amp;reg;, has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;strong&gt;The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to &lt;a href="http://Information-Security-Resources.com"&gt;Information-Security-Resources.com&lt;/a&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;

</description><link>http://open.salon.com/blog/anthony_m_freed/2009/05/22/wozniak_et_al_discuss_ripcord_voip_security</link><guid>http://open.salon.com/blog/anthony_m_freed/2009/05/22/wozniak_et_al_discuss_ripcord_voip_security</guid><pubDate>Fri, 22 May 2009 19:05:02 -0400</pubDate></item><item><title>Heartland Regains PCI Compliance Status</title><description>

&lt;div&gt;&amp;nbsp;&lt;strong&gt;&lt;em&gt;By &lt;a href="http://information-security-resources.com/about/"&gt;Anthony M. Freed&lt;/a&gt;&lt;/em&gt;&lt;/strong&gt; &lt;/div&gt; 			 			 &lt;p style="text-align: justify"&gt;Heartland Payment Systems (&lt;a href="http://moneycentral.msn.com/detail/stock_quote?Symbol=HPY&amp;amp;v=1"&gt;HPY&lt;/a&gt;) announced via email that they have once again attained a PCI compliant status following less than two months of suspension.&lt;/p&gt; &lt;p style="text-align: justify"&gt;Heartland&amp;rsquo;s removal from the list of compliant payment processors had followed revelations that the company had suffered what may have been the largest &lt;a href="http://information-security-resources.com/2009/05/03/2009/02/14/another-payment-card-processor-hacked/"&gt;data breach&lt;/a&gt; of payment card information to date, although details of the incident and similar events at RBS WorldPay (&lt;a href="http://moneycentral.msn.com/detail/stock_quote?Symbol=rbs&amp;amp;getquote=Get+Quote"&gt;RBS&lt;/a&gt;) have not been made available due to ongoing investigations.&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;a href="http://information-security-resources.com/2009/05/03/2009/03/11/pci-security-standards-council-issues-guide/"&gt;PCI DSS&lt;/a&gt; is the self-regulatory set of guidelines that the payment card industry and retail merchants use to encourage financial information security best practices throughout the industry.&lt;/p&gt; &lt;p&gt;Heartland&amp;rsquo;s email:&lt;/p&gt; &lt;blockquote&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;HEARTLAND PAYMENT SYSTEMS RETURNS TO VISA&amp;rsquo;S LIST OF PCI DSS VALIDATED SERVICE PROVIDERS&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;Princeton, N.J. (May 1, 2009) &amp;ndash; Following the completion of its annual Payment Card Industry Data Security Standard (PCI DSS) assessment, Heartland Payment Systems has successfully validated its compliance with PCI DSS. 
As such, Heartland is returning to Visa&amp;rsquo;s List of PCI DSS Validated Service Providers. According to Visa, Heartland will appear on the list &amp;ndash; which can be found at www.visa.com/cisp &amp;mdash; on Monday, May 4.&lt;/em&gt;&lt;/p&gt; &lt;/blockquote&gt; &lt;p style="text-align: justify"&gt;Heartland Payment Systems (&lt;a href="http://moneycentral.msn.com/detail/stock_quote?Symbol=HPY&amp;amp;v=1"&gt;HPY&lt;/a&gt;), one of the largest credit card processors in North America, had finally been sanctioned in March of this year for the lapses in their security standards that contributed to &lt;a href="http://information-security-resources.com/2009/05/03/2009/01/29/did-heartland-ceo-make-insider-trades/"&gt;the 2008 breach&lt;/a&gt;:&lt;/p&gt; &lt;blockquote style="text-align: justify"&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;On January 20th of this year, Heartland Payment Systems (HPS) publicly disclosed a large-scale compromise involving account data from all card brands. In light of this event, Visa has taken the following actions to help protect the Visa system:&lt;br&gt;&lt;/em&gt;&lt;/p&gt; &lt;/blockquote&gt; &lt;blockquote style="text-align: justify"&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;Removal from Visa&amp;rsquo;s List of Compliant Service Providers - Visa has removed Heartland from its online list of Payment Card Industry Data Security Standard (PCI DSS) compliant service providers. HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards. 
The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;System Participation - HPS is now in a probationary period, during which it is subject to a number of risk conditions including more stringent security assessments, monitoring and reporting. Subject to these conditions, Heartland will continue to serve as a processor in the Visa system.&lt;/em&gt;&lt;/p&gt; &lt;/blockquote&gt; &lt;p style="text-align: justify"&gt;The suspension was really in name only: Heartland was allowed to continue business as usual while obtaining re-certification of their PCI compliance, which is something they would have been required to complete regardless of Visa&amp;rsquo;s (&lt;a href="http://moneycentral.msn.com/detail/stock_quote?Symbol=v&amp;amp;getquote=Get+Quote"&gt;V&lt;/a&gt;) actions, as compliance re-certification is required on a yearly basis anyway.&lt;/p&gt; &lt;p style="text-align: justify"&gt;So here we are back at square one, with little improvement in security for an industry that can arguably be considered to be crucial to our national security, as well as our individual financial identities. 
And the industry itself is no better off, as a weak economy yields meager revenues and ever tighter budgets for the IT Security professionals whose job it is to try to always do more with less.&lt;/p&gt; &lt;p style="text-align: justify"&gt;The &lt;a href="http://information-security-resources.com/2009/04/01/payment-card-industry-swallows-its-own-tail/"&gt;future of PCI DSS is at stake&lt;/a&gt;, yet the leadership required to secure its future and the much needed cooperation of all interested parties appear to have been tabled in favor of the status quo.&lt;/p&gt; &lt;p style="text-align: justify"&gt;I again offer my opinion that the biggest threat to PCI DSS does not come from the endless supply of criminal hackers the industry will certainly face in perpetuity, but instead comes from the fractured portrait of an industry in crisis, and its inability to effectively manage itself.&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;strong&gt;Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony&amp;rsquo;s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week&amp;rsquo;s Business Exchange, Seeking Alpha, and ML-Implode.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;strong&gt;The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to &lt;a href="http://information-security-resources.com/"&gt;Information-Security-Resources.com&lt;/a&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;

</description><link>http://open.salon.com/blog/anthony_m_freed/2009/05/03/heartland_regains_pci_compliance_status</link><guid>http://open.salon.com/blog/anthony_m_freed/2009/05/03/heartland_regains_pci_compliance_status</guid><pubDate>Sun, 3 May 2009 17:05:55 -0400</pubDate></item><item><title>Business Continuity Guidance for Swine Flu</title><description>

&lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;strong&gt;By &lt;a href="http://information-security-resources.com/2009/04/27/2009/04/27/our-team/"&gt;Kevin M. Nixon&lt;/a&gt;, Information-Security-Resources.com Security Editor&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt; &lt;blockquote&gt; &lt;div style="text-align: justify"&gt;&lt;em&gt;&lt;span style="color: #000000"&gt;&lt;span&gt;&lt;span style="font-family: Verdana"&gt;&amp;ldquo;Business continuity and disaster recovery are crucial parts of sound corporate governance - for industries like the financial sector and the nation&amp;rsquo;s critical infrastructure, they are&amp;nbsp;mandates.&amp;nbsp;Organizations that fail to plan and prepare for events like public health emergencies, natural disasters, and man-made disruptions face loss of business, and potential corporate exposure if they fail in these obligations. It is time to get serious about earlier and better handling of risk issues.&amp;rdquo;&amp;nbsp; &lt;a href="http://information-security-resources.com/2009/04/27/2009/04/27/our-team/"&gt;Laura Wilson&lt;/a&gt;, Information-Security-Resources.com Corporate Liability Editor &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/em&gt;&lt;/div&gt; &lt;/blockquote&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;President Obama, speaking at the annual conference of &lt;/span&gt;&lt;a href="http://www.nasonline.org/"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;The National Academy of Sciences&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;, stated during his opening remarks that the Department of Health and Human Services (HHS) has declared a Public Health Emergency. 
&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The President immediately emphasized that this was a precautionary measure, and not one which should be a cause for panic. &lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The President is receiving regular updates and briefings from John Brennan, Assistant to the President for Homeland Security and Counterterrorism; Dr. Richard Besser, the Acting Director of the Centers for Disease Control and Prevention; and Janet Napolitano, the Secretary of Homeland Security. &lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The Centers for &lt;/span&gt;&lt;a href="http://www.cdc.gov/swineflu/?s_cid=swineFlu_outbreak_001"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;Disease Control and Prevention (CDC)&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt; has already taken important steps:&amp;nbsp; The CDC has stated:&amp;nbsp; &amp;ldquo;Laboratory testing has found the swine influenza A (H1N1) virus susceptible to the prescription antiviral drugs such as [Tamiflu (&lt;strong&gt;oseltamivir&lt;/strong&gt; phosphate), Relenza (&lt;strong&gt;zanamivir&lt;/strong&gt;)] and has issued interim guidance for the use of these drugs to treat and prevent infection with swine influenza viruses. CDC also has prepared interim guidance on how to care for people who are sick and interim guidance on the use of face masks in a community setting where spread of this swine flu virus has been detected. 
This is a rapidly evolving situation and CDC will provide new information as it becomes available.&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;a href="http://www.cdc.gov/swineflu/mitigation.htm"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;em&gt;&lt;span style="text-decoration: underline"&gt;Interim CDC Guidance for Nonpharmaceutical Community Mitigation in Response to Human Infections with Swine Influenza (H1N1) Virus&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The United States government already has guidance in place on community mitigation and relies on knowledge of the Pandemic Severity Index (PSI) to characterize the severity of a pandemic and identify the recommendations for specific interventions that communities may use for a given level of severity, and suggests when these measures should be started and how long they should be used.&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Companies and employers that have not done so are being urged to establish a plan for Continuation of Business should the government direct state and local governments to immediately enforce their community containment plans. 
&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;If the Federal government does direct states and communities to implement their emergency plans the following events will occur:&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Community  mitigation recommendations will be based on the severity of the pandemic  and may include the following:&lt;/span&gt;&lt;/p&gt; &lt;ul&gt;&lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Asking ill people to voluntarily remain at home and not go to work or out in the community for about 7-10 days or until they are well and can no longer spread the infection to others (ill individuals may be treated with influenza antiviral medications, as appropriate, if these medications are effective and available). &lt;/span&gt;&lt;/p&gt;&lt;/ul&gt;
&lt;ul&gt;&lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Asking members of households with a person who is ill to voluntarily remain at home for about 7 days (household members may be provided with antiviral medications, if these medications are effective and sufficient in quantity and feasible mechanisms for their distribution have been developed).&lt;/span&gt;&lt;/p&gt;&lt;/ul&gt;
&lt;ul&gt;&lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Dismissing students from schools (including public and private schools as well as colleges and universities) and school-based activities and closure of childcare programs for up to 12 weeks, coupled with protecting children and teenagers through social distancing in the community, to include reductions of out-of-school social contacts and community mixing.&amp;nbsp; Childcare programs discussed in this guidance include centers or facilities that provide care to any number of children in a nonresidential setting, large family childcare homes that provide care for seven or more children in the home of the provider, and small family childcare homes that provide care to six or fewer children in the home of the provider.&lt;/span&gt;&lt;/p&gt;&lt;/ul&gt;
&lt;ul&gt;&lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Recommending social distancing of adults in the community, which may include cancellation of large public gatherings; changing workplace environments and schedules to decrease social density and preserve a healthy workplace to the greatest extent possible without disrupting essential services; ensuring work-leave policies to align incentives and facilitate adherence with the measures outlined above.&lt;/span&gt;&lt;/p&gt;&lt;/ul&gt;
&lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The guidance which  the US Government recommends using is the &lt;/span&gt;&lt;a href="http://www.pandemicflu.gov/plan/community/commitigation.html"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline"&gt;Community  Strategy for Pandemic Influenza Mitigation&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;. &lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Corporations, businesses, and employers who have not already done so should immediately consider developing their Continuity of Business plans.&amp;nbsp; To help organize the effort, the government has established a website to assist in the quick development of plans.&amp;nbsp; The website is&lt;strong&gt; &lt;/strong&gt;&lt;/span&gt;&lt;a href="http://www.pandemicflu.gov/"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline"&gt;www.pandemicflu.gov&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;&lt;strong&gt; &lt;/strong&gt;and provides templates and guidelines.&amp;nbsp;  The place to start is the &lt;/span&gt;&lt;a href="http://www.pandemicflu.gov/plan/business/businesschecklist.html"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline"&gt;Business  Pandemic Influenza Planning Checklist&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;&lt;strong&gt;.&lt;/strong&gt; &lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;&lt;strong&gt;Resources Available  to Provide Quick 
Plan Development:&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;a href="http://www.pandemicflu.gov/plan/business/businessesoverseaspdf.pdf"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline"&gt;Planning  Guide for U.S. Businesses with Overseas Operations&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;a href="http://www.pandemicflu.gov/plan/community/commitigation.html"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline"&gt;Planning  Guide for Businesses and other Employers&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;a href="http://www.pandemicflu.gov/plan/community/commitigation.html"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline"&gt;Planning  Guide for Childcare Programs&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;a href="http://www.pandemicflu.gov/plan/community/commitigation.html"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline"&gt;Planning  Guide for Elementary and Secondary Schools&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;a href="http://www.pandemicflu.gov/plan/community/commitigation.html"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline"&gt;Planning  Guide for Colleges and Universities&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;a href="http://www.pandemicflu.gov/plan/community/commitigation.html"&gt;&lt;span style="font-size: small; font-family: 
Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline"&gt;Planning  Guide for Faith-Based and Community Organizations&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;a href="http://www.pandemicflu.gov/plan/community/commitigation.html"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;span style="text-decoration: underline"&gt;Planning  Guide for Individuals and Families&lt;/span&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;strong&gt;Kevin has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;strong&gt;The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to &lt;a href="http://information-security-resources.com/2009/04/27/2009/04/27/"&gt;Information-Security-Resources.com&lt;/a&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;

</description><link>http://open.salon.com/blog/anthony_m_freed/2009/04/27/business_continuity_guidance_for_swine_flu</link><guid>http://open.salon.com/blog/anthony_m_freed/2009/04/27/business_continuity_guidance_for_swine_flu</guid><pubDate>Mon, 27 Apr 2009 14:04:30 -0400</pubDate></item><item><title>Hathaway Bolsters Internet Security Alliance</title><description>

&lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;strong&gt;By &lt;a href="http://information-security-resources.com/2009/04/27/our-team/"&gt;Kevin M. Nixon&lt;/a&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Despite numerous lukewarm reviews of the 2009 RSA Security Conference by attendees and reporters, the Internet Security Alliance&amp;rsquo;s President &lt;/span&gt;&lt;a href="http://www.defensedaily.com/events/clinton_bio/"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;Larry  Clinton&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt; recognized that  the keynote address to the collective conference body by &lt;/span&gt;&lt;a href="http://www.rsaconference.com/2009/us/agenda-and-sessions/keynote-speakers.htm"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;Melissa E. Hathaway&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils, offers affirmation of the mission and principles on which the &lt;/span&gt;&lt;a href="http://www.isalliance.org/index.php?option=com_content&amp;amp;task=view&amp;amp;id=3&amp;amp;Itemid=40"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;Internet Security  Alliance&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt; (ISAlliance) was  founded. &lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The ISAlliance began in April of 2001 as the result of the Former Chairman of the House Intelligence Committee of the U.S. 
House of Representatives, &lt;/span&gt;&lt;a href="http://www.autoalliance.org/index.cfm?objectid=632B44C5-1D09-317F-BBB1C1EA5F2656C3"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;Dave McCurdy&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;, in direct collaboration with &lt;/span&gt;&lt;a href="http://www.cert.org/podcast/show/20061031pethia.html"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;Rich Pethia&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;, Director of the Carnegie Mellon University Software Engineering Institute&amp;rsquo;s CERT/CC&amp;#8480;.&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;In an email communiqu&amp;eacute; sent to &amp;ldquo;ISAlliance Insiders&amp;rdquo;, Mr. Clinton provided an update on the RSA Conference overall and then, by distributing an advance copy of the text of Melissa Hathaway&amp;rsquo;s remarks, demonstrated the strength of the collaborative efforts between the ISAlliance and the &lt;/span&gt;&lt;a href="http://www.dhs.gov/xabout/structure/editorial_0839.shtm"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;National Security and Homeland Security Councils&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;. 
&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Early in 2002, after the devastating events of 9/11, the ISAlliance Board of Directors forged a relationship with the then Cyber Tsar &lt;/span&gt;&lt;a href="http://www.richardaclarke.net/"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;Richard A. Clarke&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt; and &amp;ldquo;Assistant Tsar&amp;rdquo; &lt;/span&gt;&lt;a href="http://www.aeispeakers.com/speakerbio.php?SpeakerID=1192"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;Howard Schmidt&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;. &lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The ISAlliance members worked tirelessly on numerous White House Work Groups and National Critical Infrastructure Committees to create the foundational elements of cyber security policy with the various agencies that were eventually reorganized into what is now known as the Department of Homeland Security.&amp;nbsp; The ISAlliance played a key role in the final report to the President entitled &amp;ldquo;&lt;/span&gt;&lt;a href="http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;The National Strategy To Secure Cyberspace&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;&amp;rdquo;, which was officially released in February 2003. 
&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Over the last 6 years and 3 months, many of those original recommendations have languished and were continuously reprioritized due to the war on terror and redirected funding in support of other efforts. &lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;However, the ISAlliance never lost sight of their mission, their vision and most importantly the value of a unified approach to securing our national computing infrastructure.&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;During the post-election transition period, the current administration, faced with a crumbling economy and what can best be described as a shaky global financial network, realized that the time had arrived for serious collaboration on a unified posture. &lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Even before the clock struck 12 noon on inauguration day, some of the brightest security, privacy and public policy minds across industries were assembled to resurrect the previous work papers in preparation for an official Presidential Directive to assemble recommendations. &lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;True to form and within the first 30 days in office, President Obama called for a report on the requirements necessary to transition to a more secure computing environment.&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Larry Clinton stated in his communiqu&amp;eacute; that the Federal Agency Deputies are now considering the recommendations in a (yet to be made public) report created by Ms. Hathaway&amp;rsquo;s team. 
&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The agency deputies are poring over recommendations that cover everything from necessary alignments in the Code of Federal Regulations to holes in the national budget to the agencies and departments, all of which must congeal into a final report that must be on the President&amp;rsquo;s desk on schedule.&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Mr. Clinton optimistically pointed out that Ms. Hathaway&amp;rsquo;s team and agency deputies are advocating support for three (3) major issues that the ISAlliance has considered fundamental since the organization was founded. &lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The ISAlliance was pleased to hear the following items covered in the keynote, notably:&lt;/span&gt;&lt;/p&gt; &lt;ul&gt;&lt;p align="justify"&gt;&lt;em&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Recommendations calling for greater consideration of economics when discussing cyber security (i.e., this is more than a technical [funding or tax relief] issue - it is an enterprise-wide risk management issue) &lt;/span&gt;&lt;/em&gt;&lt;/p&gt;&lt;/ul&gt;
&lt;ul&gt;&lt;p align="justify"&gt;&lt;em&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;Recommendations calling for the focus of control for Government cyber security to be elevated to White House oversight&lt;/span&gt;&lt;/em&gt;&lt;/p&gt;&lt;/ul&gt;
&lt;ul&gt;&lt;p align="justify"&gt;&lt;em&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;And most importantly, Ms. Hathaway stated (for the first time by an Administration) the need to improve market incentives for private sector cyber security.&lt;/span&gt;&lt;/em&gt;&lt;/p&gt;&lt;/ul&gt;
&lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The third point is a position that originated with the ISAlliance, which is the leading and most sophisticated and vocal organization in this effort.&amp;nbsp; It should be noted that as far back as 2001, representative members of the Internet Security Alliance testified before the Republican High Tech Task Force and the Senate Armed Services Committee to illuminate members of Congress on the necessity of improved incentives of various types which will strengthen the very infrastructure which connects the global economy.&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;So, while the attendees at the RSA Conference may have left the keynote with less than warm and fuzzy feelings that things will change, it is clearly an optimistic time for the very dedicated members of the Internet Security Alliance.&amp;nbsp; ISAlliance understands far better than most the adage, &amp;ldquo;&lt;em&gt;with time and patience the mulberry leaf turns to silk&lt;/em&gt;&amp;rdquo;.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;To view the entire keynote presentation via streamed video, click on the link below:&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://media.omediaweb.com/rsa2009/mediaplayerVO.htm?speaker=2_1"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;span style="text-decoration: underline"&gt;RSA Keynote address by Melissa E. 
Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;The complete written text of the Senior  Director&amp;rsquo;s remarks is reprinted below as provided by the Internet Security  Alliance.&lt;/span&gt;&lt;/p&gt; &lt;p align="justify"&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;&lt;strong&gt;Remarks by Melissa E. Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils As Prepared for Delivery At the RSA Conference 2009, San Francisco, California&lt;/strong&gt; &lt;/span&gt;&lt;/p&gt; &lt;blockquote style="text-align: justify"&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Released April 22, 2009&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;As many of you know, I am Melissa Hathaway, the Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils. It has been my great honor to serve the President of the United States and the nation as part of the 60-day cyberspace policy review completed last week. I feel that it was just yesterday when we were celebrating New Years, and that was only &amp;ldquo;2&amp;rdquo; sixty-ish day periods ago! The days have been long and the task at hand has been the most challenging of my career.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;Introduction&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Oh yes, I almost forgot, this speech will now self-destruct, but don&amp;rsquo;t worry&amp;hellip; this is the Internet-age, there are already hundreds of copies which you can download online. Thank you.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;I am proud of the momentum that we have garnered in the last two months and I believe that we have a strong view of what is needed to drive change. As Ralph Waldo Emerson said, &amp;ldquo;who shall set a limit to the influence of a human being?&amp;rdquo; Today, I ask each of you, who shall limit our influence if we work together? Only ourselves and as a testimony to that, I want to thank you for the opportunity to speak here today.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;All humor aside, the United States really is at a crossroads. The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security. This technology has transformed the global economy and connected people in ways never imagined. 
For example, my boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and to feed their Webkinz. As their mom, I stand before you today with no less than 3 blackberries and a pager! One of which will, apparently, self-destruct soon. I just have to figure out which one.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;The Threat and What&amp;rsquo;s at stake&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Despite all of our efforts &amp;mdash; and I know that many of you understand well the challenges &amp;mdash; our global digital infrastructure, based largely upon the Internet, is neither secure enough nor resilient enough for what we use it for today and will need into the future. This poses one of the most serious economic and national security challenges of the 21st century. The design of today&amp;rsquo;s digital infrastructure was driven more by considerations of interoperability and efficiency than of security.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Consequently, a growing array of state and non-state actors are able to compromise, steal, change, or destroy our information. We have witnessed countless intrusions that have allowed criminals to steal hundreds of millions of dollars and allowed nation states and others to steal intellectual property and sensitive military information. They even have the ability to threaten or damage portions of our critical infrastructure.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;One recent example from November 2008 illustrates both the speed and the scope of these challenges. 
In a single 30-minute period, 130 automated teller machines in 49 cities around the world were illicitly emptied.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;These and other risks have the potential to undermine our confidence in the information systems that underlie our economic and national security interests.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;A few hours south of here, there are creative Hollywood writers and actors who have imagined and produced stories that capture the essence of the problem, including: Matthew Broderick in War Games, Robert Redford in Sneakers, Sandra Bullock in The Net, and Bruce Willis in Live Free and Die Hard. These and other movies present the types of issues that we should care about and solve together.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Previous attempts to deal with cyber security in isolation have failed, in no small part, because they were perceived to be in conflict with the broader societal goals of progress and innovation, civil liberties and privacy rights. However, cyber security only succeeds in the context of broader economic progress. At times, it was a destination in itself, rather than a compass that guides us toward our objective. If treated in a broader context, cyber security will enable higher and far-reaching national goals, have better acceptance, and as a result, a greater chance for success. Our goals depend on trust, and trust cannot be achieved if people believe that they are vulnerable to fraud and theft or if they cannot depend upon the resources (infrastructure services, i.e., water, power, telephone service) being available when needed most. At the same time, security has no meaning if the application that serves society no longer is practical or usable. Stated differently, progress and security must not be viewed in a zero-sum fashion.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;History has taught us that security, when pursued properly, enables innovation and growth and protects existing investments. 
In no small part, security is about protecting what already exists, creating a safe environment where innovation thrives unthreatened, and enabling the unencumbered natural growth for the future. Harmonized innovation and security are mutually reinforcing ideas; and policies, including our government&amp;rsquo;s policies, must recognize and treat them as an integrated and synergistic whole.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;It can be said that the Federal government is not organized appropriately to address this growing problem because responsibilities for cyberspace are distributed across a wide array of federal departments and agencies, many with overlapping authorities and none with sufficient decision authority to direct actions that can address the problem completely. We need an agreed way forward based on common understanding and acceptance of the problem.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;This is why the President requested the clean-slate review.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Recognizing the challenges and opportunities, the President identified cyber security as one of the top priorities for his Administration and directed an early 60-day, comprehensive review to assess U.S. cyber policy and structures. The review addressed all missions and activities associated with the information and communications infrastructure, a.k.a. digital infrastructure. It included the missions of computer network defense, law enforcement investigations, military and intelligence activities, and the intersection thereof with information assurance, counter intelligence, counter terrorism, telecommunications policies, and general critical infrastructure protection. I am not sure many people at the outset and possibly even now, understood the breadth of our task&amp;hellip;and we had, effectively, two months to complete it! 
By the way, sixty days included the Saturdays and Sundays.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;I assembled a team of experienced government cyber experts and in our first week we inventoried relevant presidential policy directives, executive orders, national strategies and studies from government advisory boards and private sector entities. We identified over 250 needs, tasks, and recommendations. We also solicited input from government departments and agencies on their specific cyber activities, authorities, and capabilities and requested them to identify any new or existing requirements that may not have been identified as part of our initial inventory.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Scores of legal issues emerged during this review, such as the aggregation of authorities, data sharing with third parties within the Federal government, and liability protections for the private sector.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;We successfully engaged a wide array of stakeholders inside and outside of the Federal government, including some of you here today. We engaged industry, academia, the civil liberties and privacy communities, State governments, international partners, the Legislative Branch, and others in the Executive Branch.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;We know there are opportunities for everyone &amp;mdash; academia, industry, and governments &amp;mdash; to work together to build a trusted and resilient communications and information infrastructure. We engaged you and asked to be informed by you. We had more than 40 meetings with different stakeholder groups during those 60 days and received and read more than 100 papers that provided specific recommendations and goals. You helped us identify key requirements, illuminated policy gaps, suggested areas for improved collaboration, and framed the decision space for cyberspace policy. 
You will see your influence in our report when it is released in the coming days.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Our outreach involved unprecedented transparency and engagement for a National Security Council initiative and having come from the private sector myself, I recognized it was vital to the review&amp;rsquo;s overall success.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;When the report is made public you will see that there is a lot of work for us to do together and an ambitious action plan to accomplish our goals. Cyberspace won&amp;rsquo;t be secured overnight and on the basis of one good plan. As they say, this is a marathon not a sprint. But with this review, we have taken the first steps to make real and lasting progress.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Sixty days&amp;rsquo; work is just the beginning of the beginning, and the pace for this marathon we&amp;rsquo;re now running is one that we&amp;rsquo;d best set to ensure we have the legs to make it over the finish line. Being in security, I&amp;rsquo;ve learned that security is just that, a marathon&amp;hellip;and here in San Francisco, you can well appreciate it being an uphill run.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;The Report&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Last Friday, April 17th, we completed our report and it summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. It provides the President with recommendations for a White House organizational structure that can effectively address cyberspace-related issues and includes, as I have mentioned, an action plan for identifying and prioritizing further work in this area. 
After the President and his Administration have had an opportunity to carefully review our report, we will begin discussing the results publicly.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Having said that, I am able to share with you the 60-day movie trailer&amp;ndash;if you will&amp;hellip;&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and to ensure that the United States and the world can realize the full potential of the information technology revolution.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;This responsibility transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective to match the sweep of the challenges.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;It requires leading from the top &amp;mdash; from the White House, to Departments and Agencies, State, local, tribal governments, the C-Suite, and to the local classroom and library. The national dialogue on cyber security must advance now. We need to explain the challenges and discuss what the Nation can do to solve problems in a way that the American people can appreciate the need for action.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;The United States cannot succeed in securing cyberspace if our government works in isolation. Cyberspace knows no boundaries. There is a unique opportunity for the United States to work with countries around the world to make the digital infrastructure a safe and secure place that drives prosperity and innovation for all nations.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;The Federal government cannot entirely delegate or abrogate its role in securing the nation from a cyber incident or accident. 
The Federal government has the responsibility to protect and defend the country, and all levels of government have the responsibility to ensure the safety and well-being of citizens. The private sector, however, designs, builds, owns, and operates most of the digital infrastructures that government and private sector use in concert. The public and private sector&amp;rsquo;s interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend. Information is key to preventing, detecting, responding to and recovering from cyber incidents. Again, this requires evolving our partnerships together. Government and industry leaders, both here and abroad, need to delineate roles and responsibilities, balance capabilities, and take ownership of the problem to develop holistic solutions. Only through such partnerships will the United States be able to enhance cyber security and reap the full benefits of the digital revolution.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Building toward the architecture of the future requires research and development that focuses on game-changing technologies that could enhance the security, reliability, resilience and trustworthiness of our digital infrastructure. We need to be mindful of how we, government and industry together, can optimize our collective research and development dollars and work together to improve market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services. The White House must lead the way forward with leadership that draws upon the strength, advice and ideas of the entire nation.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;Please get involved and have a view&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;It takes a combination of strategies aimed at a handful of vital behaviors to solve weighty and persistent problems. 
The tasks we face are many and interdependencies profound.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;During this 60-day review I had a chance to read the book &amp;ldquo;Influencer.&amp;rdquo; The authors argue that peer pressure can help create social support and harness the power of everyone to make change. People who are respected and connected can propel people to act in ways that are hard to imagine.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;I can think of no better venue and more connected people than all of you here today.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Can we call for changes in widely shared norms?&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Are we ready to talk openly about the challenges we face and how we share the responsibility for reversing the trend? Can we create the conditions where innovation and security are mutually reinforcing and treat them as an integrated and synergistic whole? Can government and the private sector, national and international parties accelerate the changes we need?&amp;nbsp; And, if not us, then who? If not now, then when?&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;I worry about these questions every night; they infiltrate my dreams. And since the theme of this year&amp;rsquo;s conference relies upon the influence of Edgar Allan Poe, I cite you words from his work, &amp;ldquo;A Dream.&amp;rdquo;&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&amp;ldquo;A few evenings since, I laid myself down for my night&amp;rsquo;s repose. It has been a custom with me, for years past, to peruse a portion of the scriptures before I close my eyes in the slumbers of night. I did so in the present instance. By chance, I fell upon the spot where inspiration has recorded the dying agonies of the God of Nature. 
Thoughts of these, and the scenes which followed his giving up the ghost, pursued me as I slept.&amp;rdquo;&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;I often wake up at 2:30 or 4:30 in the morning having &amp;ldquo;worked&amp;rdquo; the problem in my sleep&amp;hellip;and sometimes even develop a good idea.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;We need to sow the seeds for a national dialogue, nurture them, even see them in our dreams, to help this critical conversation grow.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Cyber security isn&amp;rsquo;t only the responsibility of governments and corporations, but that of individuals, including each of us here today, as well.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Closing&lt;/strong&gt;&lt;br&gt;&lt;em&gt;Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law. We need to demonstrate abroad and here at home that the United States takes cyberspace issues, policies, and activities seriously. Achieving this vision requires leadership and commitment from the highest levels of government, industry, and civil society. That leadership and commitment will allow the United States to continue to innovate and adopt cutting edge technology, while enhancing national security and the global economy. &lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt; &lt;p style="text-align: justify"&gt;&lt;a href="https://365.rsaconference.com/community/conference_facts_and_info"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;em&gt;&lt;span style="text-decoration: underline"&gt;About RSA&amp;reg;  Conference&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size: small; font-family: Calibri"&gt;&lt;strong&gt;&lt;em&gt; &lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;RSA&amp;reg; Conference is helping drive the information security agenda worldwide with annual industry events in the U.S., Europe and Japan. Throughout its 17 year history, RSA&amp;reg; Conference has consistently attracted the world&amp;rsquo;s best and brightest in the field, creating opportunities for conference attendees to learn about IT security&amp;rsquo;s most important issues through first-hand interactions with peers, luminaries and emerging and established companies. As the IT security field continues to grow in importance and influence, RSA&amp;reg; Conference plays an integral role in keeping security professionals across the globe connected and educated.&lt;br&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;RSA&amp;reg; developed the RSA&amp;reg; Conference in 1991 as a forum for cryptographers to gather and share the latest knowledge and advancements in the area of Internet security. Today, the RSA&amp;reg; Conference and related, RSA&amp;reg; Conference branded activities, are still managed by RSA&amp;reg;, the Security Division of EMC, with the support of the industry. 
RSA&amp;reg; Conference event programming is judged and developed by information security practitioners and other related professionals.&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;a href="http://www.isalliance.org/index.php?option=com_content&amp;amp;task=view&amp;amp;id=3&amp;amp;Itemid=40"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;em&gt;&lt;span style="text-decoration: underline"&gt;About  the Internet Security Alliance&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;Mission: To use the collective experience of the members of the Internet Security Alliance to promote sound information security practices, policies, and technologies that enhance the security of the Internet and global information systems.&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues. The ISAlliance represents corporate security interests before legislators and regulators, in so doing the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;The Internet Security Alliance is a non-profit collaboration between the Electronic Industries Alliance (EIA), a federation of trade associations, and Carnegie Mellon University&amp;rsquo;s CyLab.&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;CyLab works closely with the CERT&amp;reg; Coordination Center (CERT/CC&amp;reg;), a leading, recognized center of Internet security expertise. 
&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;a href="http://www.cert.org/meet_cert/"&gt;&lt;span style="font-size: small; font-family: Times New Roman; color: #0000ff"&gt;&lt;strong&gt;&lt;em&gt;&lt;span style="text-decoration: underline"&gt;About CERT&amp;reg;  and CERT/CC&amp;reg;&lt;/span&gt;&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;While we continue to respond to major security incidents and analyze product vulnerabilities, our role has expanded over the years. Along with the rapid increase in the size of the internet and its use for critical functions, there have been progressive changes in intruder techniques, increased amounts of damage, increased difficulty of detecting an attack, and increased difficulty of catching the attackers. To better manage these changes, the CERT/CC&amp;reg; is now part of the larger CERT&amp;reg; Program, which develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of critical services.&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;strong&gt;Kevin has testified as an expert witness before the Congressional High Tech Task Force, the Chairman of the Senate Armed Services Committee, and the Chairman of the House Ways and Means Committee. 
He has also served on infrastructure security boards and committees including the Disaster Recovery Workgroup for the Office of Homeland Security, and as a consultant to the Federal Trade Commission.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt; &lt;p style="text-align: justify"&gt;&lt;em&gt;&lt;strong&gt;The Author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to &lt;a href="http://information-security-resources.com/2009/04/27/"&gt;Information-Security-Resources.com&lt;/a&gt;&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;

</description><link>http://open.salon.com/blog/anthony_m_freed/2009/04/27/hathaway_bolsters_internet_security_alliance</link><guid>http://open.salon.com/blog/anthony_m_freed/2009/04/27/hathaway_bolsters_internet_security_alliance</guid><pubDate>Mon, 27 Apr 2009 12:04:31 -0400</pubDate></item><item><title>Judge Orders ML-Implode To Divulge Identities of Anonymous P</title><description>

&lt;p&gt;&lt;strong&gt;Posted By &lt;a href="http://information-security-resources.com/our-team/"&gt;Anthony M. Freed&lt;/a&gt; &lt;/strong&gt;&lt;/p&gt; &lt;p&gt;I received a very disturbing email from my friends at &lt;a href="http://ml-implode.com/"&gt;ML-Implode.com&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;In their long war against well-moneyed interests who seek to silence a free press on the Internet, they lost a crucial battle.&lt;/p&gt; &lt;p&gt;What could it mean?&amp;nbsp; It could mean that all of you anonymous bloggers and commenters could be outed by a frivolous lawsuit brought on by a powerful company.&lt;/p&gt; &lt;p&gt;Or even a single reader who does not like what you have to say.&lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt; &lt;p&gt;From: &lt;strong&gt;Aaron Krowne&lt;/strong&gt;, Publisher&lt;/p&gt; Date: Thu, Apr 2, 2009 at 11:13 AM&lt;br&gt;  Subject: Judge Orders ML-Implode To Divulge Identities of Anonymous Posters&lt;br&gt; To: Everyone&lt;br&gt;&lt;br&gt;&lt;br&gt; The order was made regardless of the fact that the underlying allegations (defamation, breach of secrecy) were never proven:&lt;br&gt;&lt;br&gt;&lt;a href="http://ml-implode.com/article/mchugh_order"&gt;http://ml-implode.com/article/mchugh_order&lt;/a&gt;&lt;br&gt;&lt;br&gt; In other words, operators of forums or other online publications may be compelled to take down posts and give up identities before it is even shown defamation occurred or "secrecy" was breached.&amp;nbsp; &lt;br&gt;&lt;br&gt; We are appealing to the NH Supreme Court.&lt;br&gt;&lt;br&gt; This is quite a bad precedent for bloggers or those who run forums.&amp;nbsp; It is very easy to come up with wrong-minded and unfounded allegations like the above.&amp;nbsp; The mainstream media should be concerned too, though they are less likely to be picked on, for obvious reasons (still, they could end up in court a lot longer for user posts to their online articles that might "upset" someone).&lt;br&gt;&lt;br&gt; Feel free to cover this 
or spread the news around.&lt;br&gt;&lt;br&gt;-Aaron
</description><link>http://open.salon.com/blog/anthony_m_freed/2009/04/02/judge_orders_ml-implode_to_divulge_identities_of_anonymous_p</link><guid>http://open.salon.com/blog/anthony_m_freed/2009/04/02/judge_orders_ml-implode_to_divulge_identities_of_anonymous_p</guid><pubDate>Thu, 2 Apr 2009 16:04:23 -0400</pubDate></item></channel></rss>



