Yahoo catches up with Microsoft, Google on webmail security

General No Comments »

Yahoo has started providing webmail users the option of using a secure connection, matching a similar feature Google and Microsoft have offered for several years.

Yahoo's delay in providing a Secure Sockets Layer (SSL) connection for email sessions has been criticized by privacy groups, which argue that the cryptographic protocol helps prevent hackers from reading messages sent over a Wi-Fi network.

However, the Electronic Frontier Foundation, which sent a letter in November urging Yahoo to implement SSL, praised Yahoo for catching up with rivals. "We're really happy that Yahoo is starting 2013 right by letting Yahoo Mail users use HTTPS to access their email accounts securely," the digital rights group said in a statement.

HTTPS is the communications protocol layered on top of SSL to add the security capabilities to standard HTTP communications.

In providing SSL, Yahoo has left AOL as the only major email provider without the option. Chester Wisniewski, a senior security adviser for Sophos, said all Web services requiring a login should provide an HTTPS connection by default.

"It is unacceptable in 2013 for anyone to offer something that you log in to without offering SSL/TLS," Wisniewski said in an email. But he said Yahoo still hasn't done it properly. "It should not be an option; it should be required."

Yahoo Web mail users can activate SSL in only a couple of clicks. Within the service, they only need to go to options and select "Make your Yahoo Mail more secure with SSL."

Google rolled out SSL for Gmail in 2010, after it accused China-based hackers of launching highly sophisticated attacks to eavesdrop on human rights activists.

Indeed, in its letter to Yahoo Chief Executive Marissa Mayer, the EFF said HTTPS was needed to protect dissidents. "As individuals who engage with at-risk communities targeted for surveillance and censorship, we see on a daily basis how this negligence (not providing secure connections) endangers human rights activists who fight in some of the most repressive environments to protect the basic freedoms that we take for granted," the letter said.

Oracle’s Java security update lacking, experts say


Oracle's latest update of the Java Development Kit fails to go far enough in fixing the security-troubled platform, bringing only marginal improvements instead, experts say.

Among the improvements in Java SE Development Kit 7, Update 10 (JDK 7u10) is the ability to use the control panel to prevent Java applications from running in browsers. Vulnerabilities in Java are a major target for cybercriminals hoping to infect computers with malware.

That's because hackers know many people do not keep the Java plug-in for browsers up to date, leaving old flaws open to exploitation. This has resulted in a high success rate for attackers. In 2011, an exploit integrated into the Blackhole toolkit, a hacker favorite, had more than an 80 percent success rate, according to HP's security research division.

Other improvements in JDK 7u10 include using the control panel to choose from four levels of security for unsigned applets, Java Web Start applications and embedded JavaFX applications that run in a browser. In addition, Oracle has added a dialog box that will warn people when the Java plug-in needs to be updated to prevent exploits.

While welcoming the changes, experts said it is only a start. "New features notwithstanding, Oracle still has a long way to go to improve security," said Andrew Storms, director of security operations at nCircle.

Because consumers are not bothering to update Java now, they are unlikely to take the time to learn how to use the control panel, experts say. In addition, Storms points out that large businesses with a full-time IT security staff will only find the new settings help if they can be centrally managed from Microsoft Active Directory or other directory servers.

"Without this access, the new settings will essentially be useless to enterprise IT teams," Storms said.

[Bill Brenner in Salted Hash: If we disable Java, what replaces it?]

A more important improvement needed for Java is for Oracle to perform "fuzz" testing on the platform's codebase, said Paul A. Henry, security and forensic analyst at Lumension. Fuzzing is a software testing technique for finding coding errors and security holes.

Wolfgang Kandek, chief technology officer for Qualys, suggested Oracle add a URL blacklisting/whitelisting feature that IT administrators could use to limit which Java applets can run in the browser. Hackers use these mini-programs to exploit flaws.

Oracle also needs to release patches faster, particularly when a previously unknown vulnerability is discovered, said HD Moore, chief security officer for Rapid7. Oracle releases patches on a quarterly basis, while Microsoft and Adobe release theirs monthly.

"Oracle's quarterly patch cycle is at odds with other makers of high-risk browser add-ons, such as Adobe," Moore told CSO Online.

Storms agreed that Oracle was slow in fixing holes and added that the vendor needs to provide the security industry with more details on vulnerabilities and patches. "Oracle has done a lousy job addressing Java security throughout 2012 and there's no reason to expect they will change their approach in 2013," he said.

Oracle became Java's steward in 2010 with the acquisition of Sun Microsystems.


Security stories to watch this week


A new week is upon us and, with it, new challenges. Here are some of the big security stories to watch for in the coming days.

Online attacks will play on Sandy Hook Elementary tragedy.
With the news about a gruesome massacre of school children at Sandy Hook Elementary school in Newtown, Connecticut still dominating the headlines around the world, security experts are warning folks to be wary of scams and malware attacks playing on the still-unfolding tragedy. The SANS Internet Storm Center (ISC) issued an alert on Monday about Newtown scam sites. The ISC said that several new domain names have been registered relating to the tragic killings in Newtown, and at least some are likely to be the creation of scam artists floating fake charities in the hope of tapping into the outpouring of public grief over the incident. So far, there aren't any scams to report, but SANS said that will change in the days ahead.

Hackin' around the Christmas tree: holiday scams ramp up
We all know that, at least in the U.S., the holiday shopping season starts sometime before Halloween. But things really get going in December. Online shopping makes up a bigger and bigger piece of the holiday season retail pie. Cyber Monday – the first Monday following Thanksgiving – was the biggest online shopping day ever, topping $1.5 billion. Online criminals know that, and are using social media like Facebook and Twitter to lure would-be shoppers with bogus offers. The web site Facecrooks warned of one such scam: a spam campaign on Facebook promising $1,000 Walmart Christmas gift cards. Clicking on the link leads, circuitously, to an online survey that you're asked to fill out and a Facebook application you're asked to install. Doing so will spread the spam to all your contacts.

China's Great Firewall gets taller as government moves to ban VPN.
To China's all-powerful government censors, disallowing encrypted Internet sessions may have seemed like a small tweak to make its government-backed firewall more effective. But that small tweak will have huge repercussions for citizens and businesses operating within the country. According to a number of reports in recent days, the Chinese government started using an enhancement to its Great Firewall to terminate encrypted Web and VPN sessions. For consumers, that means popular sites like Facebook and Google Mail that require secure HTTP (https) can't be used. But the feature will also block encrypted virtual private network (VPN) connections in and out of the country – and that's disrupting the ever-important business sector. According to a report in the Global Times, VPN service providers Astrill, Witopia and StrongVPN reported that users in mainland China were having their connections blocked. VPN technology is commonly used by many businesses, including multi-nationals with operations in China, to conduct business. The government maintains that all organizations wishing to offer VPN services must register with the Ministry of Industry and Information Technology, and it is illegal for foreign firms to operate a VPN business in the country.

WordPress Pingbacks being used for evil
The security firm Acunetix is warning web site owners that use the popular WordPress content management system that a new attack tool is exploiting unpatched vulnerabilities in a feature used to track links to web posts. In a post on Monday, Acunetix's Bogdan Calin said that problems with the way WordPress handles so-called "Pingback" or "Trackback" requests from external web sites can be used to extract information about the system hosting the blog, or even to launch a denial of service (DoS) attack against another web site. With no fix (yet) from the WordPress Foundation (one is expected soon), users need to disable the file used to handle pingbacks, or hold tight and hope not to get attacked!


When password security questions aren’t secure




When you select a password, you might choose to store it in a password manager, write it down, or commit it to memory (see How to remember passwords for some advice). Sometimes, however, things go wrong: You find yourself without access to your password manager, you lose the paper on which you recorded your passwords, or you forget a password you thought you memorized. Or maybe someone tries to break into one of your accounts, and after a few unsuccessful attempts at entering your password, the site locks out further access until you can confirm your identity.

In all those cases, online services need a secondary way of granting you access to your account or your data when you don't have (or can't use) your password. Sometimes, especially in lower-security situations such as access to an online publication or discussion forum, the provider lets you click a link that results in your existing password, a new password, or password-reset instructions being sent to the email address you have on file. When those simple mechanisms are considered too insecure, the site may ask you to respond to verification questions for which you've previously provided the answers.

Unfortunately, password-reset messages and verification questions come with their own problems and risks. You can reduce your chances of being hacked, or of being unable to respond correctly to one of these questions, by following a few simple tips.

Prevent password-reset mischief

Of all your passwords, the one for your email account may be the most valuable. That's because whoever has access to your email account will be able to read and click links in any password-reset messages you receive (such as when you click an 'I Forgot My Password' link). A hacker who guessed or stole just that one password could unlock many other accounts and do all sorts of damage. You can limit your risk here in a couple of ways.

Use a dedicated password-reset account: Consider setting up a new email account for yourself (using a free service such as Gmail) with an address that you'll never share or post publicly. Use this account only when prompted to supply an email address for the purpose of verifying or resetting your passwords. That way, even if someone breaks into your main email account, the security of your other accounts won't be compromised.

Take extra care with your email account password: Be sure to choose an especially secure password for your email account. Make sure to set your email client to communicate securely with the mail server, using Secure Sockets Layer (SSL) protocols for example, so that your password never travels over the air unencrypted. In Apple's Mail, select Mail > Preferences, click Accounts, choose an email account from the list, and click Advanced. Here you'll see the option Use SSL.

Question the questions

Security questions, such as the timeless classic "What is your mother's maiden name?", are supposed to have answers that you'll never forget but that most other people won't know or be able to guess. Unfortunately, most of the questions from which you can choose aren't secure at all.

Your mother's maiden name is a matter of public record, and nearly anyone can learn it online in a few minutes. If you ever wrote a blog entry or a Facebook post about your first pet, your favorite teacher, or other common security question topics, those facts are in the public domain too. To make matters worse, some questions invite ambiguous answers, which could work against you. Where did you meet your spouse? That might be in New York or at a baseball game or at Yankee Stadium, for example. Years from now, will you remember which answer you gave?

Devise memorable lies: To address such problems, there's only one right way to answer verification questions: lie. And don't just lie, but come up with one or more answers that follow the same rules as other passwords to prevent guessability; use either a reasonably long (but memorable) phrase or a series of random characters. So, what was the name of my first pet? Why, it was bookends-qualitative. My mother's maiden name? Her dad was Mr. E27jrdU!8. My favorite car? I loved my 1986 Toyota Recalibration Cantaloupe. It doesn't matter what answers you give, as long as you and you alone know what they are, and can supply the same ones you entered previously if asked.

I know one security expert who says he normally uses the same pseudo-random answer everywhere, although some companies (including Apple) require you to provide different answers to each of several questions, meaning you have even more password-like data to keep track of. Of course, you can write down your answers or store them in a password manager, but then the same problems that prevent you from accessing your password could prevent you from accessing your security answers.

You might make up a little story for yourself about fictional parents, cars, pets, and the like that you can memorize and then draw on when asked for security answers on different sites. Ultimately, since you're not going to be giving truthful answers, you should go out of your way to remember which lie(s) you told.

Keep them phone friendly: Remember that you could wind up in a situation where you'll have to supply these answers over the phone. If that should happen, both you and the person on the other end will have an easier time coping with a series of plain-English words than a bunch of random characters.
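A small generator for answers of both kinds described above (a phone-friendly phrase of plain English words, or a string of random characters), added here as an illustration rather than code from the article. It uses Python's secrets module and a constructed word list; the entropy figures it reports show why a large word list matters.

```python
"""Generate security-question answers that follow password rules.

Added illustration for the advice above; not code from the original article.
Two styles are produced: a phone-friendly phrase of plain English words
(like "bookends-qualitative") and a short string of random characters
(like "E27jrdU!8"). Every answer for a given account is guaranteed to be
distinct, matching services that reject two identical answers.
"""
import math
import secrets
import string

# Constructed, deliberately small word list so the example runs offline.
# A real tool would load a large list (e.g. ~7776 words) for far more entropy.
WORDS = (
    "anchor", "bookends", "cantaloupe", "drizzle", "ember", "falcon", "garnet",
    "harbor", "ivory", "juniper", "kestrel", "lantern", "marble", "nectar",
    "orchid", "pebble", "quartz", "recalibration", "saddle", "timber",
    "umbrella", "velvet", "walnut", "xenon", "yonder", "zephyr", "qualitative",
    "bramble", "copper", "dune", "echo", "fjord",
)
SYMBOLS = string.ascii_letters + string.digits + "!?@#$%&*-_"


def phrase_answer(n_words=3, words=WORDS, rng=secrets):
    """Phone-friendly answer: n random words joined with hyphens."""
    return "-".join(rng.choice(words) for _ in range(n_words))


def character_answer(length=12, alphabet=SYMBOLS, rng=secrets):
    """Password-like answer: random characters drawn from the alphabet."""
    return "".join(rng.choice(alphabet) for _ in range(length))


def entropy_bits(choices, length):
    """Guessing entropy, in bits, for `length` independent picks from `choices` options."""
    return length * math.log2(choices)


def answers_for(questions, n_words=3, words=WORDS, rng=secrets):
    """Map each verification question to a distinct phrase answer.

    The loop re-draws on a collision so no two answers are identical,
    the rule the article says some services (such as Apple ID) enforce.
    """
    answers = {}
    used = set()
    for question in questions:
        while True:
            answer = phrase_answer(n_words, words, rng)
            if answer not in used:
                break
        used.add(answer)
        answers[question] = answer
    return answers


if __name__ == "__main__":
    qs = ("What was the name of your first pet?",
          "What is your mother's maiden name?",
          "What was your favorite car?")
    for q, a in answers_for(qs).items():
        print(f"{q} -> {a}")
    print(f"3 words from {len(WORDS)} choices: {entropy_bits(len(WORDS), 3):.1f} bits")
    print(f"3 words from a 7776-word list: {entropy_bits(7776, 3):.1f} bits")
    print(f"12 random chars from {len(SYMBOLS)} symbols: {entropy_bits(len(SYMBOLS), 12):.1f} bits")
```

The phrase form is the one to keep for accounts you may have to recover by phone; the character form gives more entropy per character when the answer will only ever be typed.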

How to change your security questions and answers

Each service that uses security questions has its own procedure for choosing the questions and answers (and for changing them after the fact). Check the FAQ pages on the websites for your bank and other important accounts to see how to modify your responses.

Update your Apple info: To change the questions or answers for an Apple ID (which you use for iCloud, among many other purposes), go to the Apple ID page, click Manage your Apple ID, enter your username and password, and click Sign in. On the left, choose Password and Security. Answer your existing security questions, and click Continue. Then you can choose new questions and answers (remember, no two answers can be the same) and also edit your Rescue Email Address if you like. Click Save when you're done.

Update your Google info: If you have a Google account (for Gmail and other services), log in as you normally would. Click the gear icon in the upper-right corner of the window and choose Settings from the pop-up menu. Click Accounts and Import followed by Change password recovery options. Under Security question, click Edit. Choose one of the existing security questions or write your own, and fill in your answer. If you also want to change your secondary address, click the Edit link in the 'Recovery email address' section and fill in the new address. Then click Save.

5 Ways to Stay Safe Online on Black Friday, Cyber Monday


Thanksgiving is just around the corner in the U.S., and so are Black Friday and Cyber Monday, two of the busiest shopping days of the year. It's also a peak period for malware, phishing and spam. Since employees are increasingly using their own devices to access corporate resources (or simply using a work PC to sneak in a little shopping on Cyber Monday), it's a good idea to share some best practices with your users to help protect them and your network from threats.

"You could tell them no," says Bob Bunge, professor of Cyber Security in the College of Engineering and Information Sciences at DeVry University. "In some circumstances, that's absolutely what you should be telling them. Don't use the office network for retail. It's just a bad idea, period. It's a lousy, bad thing to do."

However, employees often don't perceive the security threat as acutely as IT managers do, so a few pointers on keeping safe are a good idea. After all, shopping sites are among the top malware-infected sites on the Web, according to Symantec.

Five Best Practices to Stay Safe Online

When it comes to dodging malware and phishing attacks, there are a few simple things you can watch for on shopping sites to help keep you safe:

Look for an HTTPS and/or padlock in the address bar before submitting personal information on a website. This is a sign that the site is leveraging the SSL/TLS cryptographic protocol to secure your communications with the website in question. This helps protect against man-in-the-middle attacks that allow an attacker to intercept your communications with the site and inject new ones.

Look for your browser address bar to light up green. This is an indication that the identity of the website you're visiting has been strictly validated with an Extended Validation Certificate. In other words, you really are at the website of the merchant you're trying to shop with rather than fake site created by a malicious attacker to fool you into sharing personal information.

Look for a trust seal. Many merchant websites bear trust seals, usually at the bottom of the home page or on pages where you are asked to provide personal information. They come in many different shapes, sizes and colors and are used to verify a number of different claims about a website, from its use of data encryption to its status as a legitimate business entity. For instance, the TRUSTe seal is a privacy seal that indicates TRUSTe has reviewed the site's privacy policy, while the Verisign Trust Seal verifies the identity of a website's owner and operator and that the site is subject to daily malware scans and uses verified data encryption. Scammers can forge a legitimate seal, so you should always verify a trust seal's authenticity by clicking on it and checking the seal's validation page.

If an offer in an online ad or email sounds too good to be true, avoid it. These are often lures to infect you with malware or gather your personal information. "If it sounds scammy, it's probably scammy," Bunge says. "If I had to cut a large IT security training program into just a paragraph or so, probably the first thing I'd say is 'Don't click on that link!' The whole phishing industry nowadays is based on finding ever more creative ways to get you to click on some link."

Use good passwords. Pay attention to the passwords for your email, social networking and online banking accounts. Don't use the same one for everything. "Add up the asset value of everything in the world you have attached to that password," Bunge says. "All your email, all your online storage, all your credit cards and bank accounts, that's an awful lot of asset attached to just one password." Symantec recommends you use passwords that are at least eight characters, a random mixture of upper and lower case characters (including numbers, punctuation and symbols) and are not found in the dictionary. Additionally, never use the same password twice and change your passwords every six months.

"My main advice to consumers is to get yourself simple, reliable routines," Bunge says. "Find three, four or five online merchants that you trust and stick to known commodities. If you do want to branch out and surf the general Internet and try some merchants you haven't worked with before, do some research. Put the name of the merchant in a search engine and see how often 'fraud' or 'rip off' pop up."

Facebook moves all users to HTTPS for added security


The move adds a layer of encryption to data transfer, making the information harder to see by attackers.

Just in time for holiday travels, Facebook is moving all users to HTTPS connections to help block attacks over Wi-Fi networks.

HTTPS is a secure version of the Hypertext Transfer Protocol, the essential method your browser uses to connect with websites. At the expense of a little speed, it adds a layer of encryption to data transfer, making the information harder to see by attackers on the same wireless network.

Without HTTPS, gathering information over a local network is surprisingly simple. Packet sniffers such as Firesheep and FaceNiff are designed specifically for this purpose, and require very little technical know-how. Indeed, these tools caused a bit of a stir when they first emerged, because they made it so easy to discover other people's login details or other sensitive information over standard HTTP connections.

As a result, more Web services have adopted HTTPS, beyond just financial institutions and e-commerce sites. In 2010, Gmail made HTTPS the default for all users. Twitter did the same this year.

Facebook added HTTPS as an option last year, but at the time, many third-party apps didn't support the protocol. All apps have since been required to support HTTPS, and now Facebook is rolling out the added security measure to all users.

Encryption does add load time to Web pages, so there is a small tradeoff of speed for security. For that reason, users will have the ability to opt-out of HTTPS in their account settings, according to TechCrunch.

To see if the site you're on is using an HTTPS connection, just look at the address bar. For Facebook, the address should begin with https:// if the connection is secure.

For added security on other sites, Chrome and Firefox users can install the HTTPS Everywhere add-on. This will automatically activate HTTPS on sites where it's supported but not activated by default. If you're worried about virtual creepers, it could come in handy during holiday travels as you're bouncing between public Wi-Fi hotspots.

Nine security controls to look for in cloud contracts


LAS VEGAS — Palo Alto Networks founder and CTO Nir Zuk took to the stage to deliver the closing keynote address at the company's first-ever user conference here by trumpeting his company's success in firewall innovation and what he described as his competitors' weak attempts to follow.

Zuk, an engineer who once worked at Check Point and Juniper, has more than once enjoyed delivering feisty jabs at his former employers which, along with others such as Sourcefire and Cisco, have come to develop application-aware firewalls that compete with Palo Alto's next-generation firewalls (NGFW). But yesterday in his keynote address, Zuk pulled out all the stops and lambasted his competitors, whom he ridiculed as being on "death row" in terms of their ability to compete against Palo Alto.

"They do what all inmates do, file appeals," Zuk said. He said competitors' products with NGFW application-layer controls can only be considered "lipstick on a pig," a statement illustrated on the movie-size screen behind him on stage by a pig with bright red lips.

Israeli-born Zuk then turned to his native language, Hebrew, to dismiss them all with a biblical expression, saying their fate in the NGFW market can be summed up as "Let me die with the Philistines," the cry of Samson as he pulled the temple down around him. He added: "It sounds better in Hebrew."

But that was just for starters. Zuk continued his rant against Check Point, claiming this rival is offering 85% discounts to customers to take their firewall products, basically saying they "give away products for free" because of Palo Alto's success. Check Point "truly believes they do what Palo Alto does," he said, dismissing Check Point as weak in the area where Palo Alto has focused, application-aware firewalls.

Zuk then turned his attention to a new class of competitors, firms that offer specialized anti-malware services and products, including Damballa, Sourcefire and FireEye. He ran through a list of perceived shortcomings in how they might detect malware and provide prevention, an exercise clearly intended to promote Palo Alto's own WildFire anti-malware service associated with its NGFW.

Palo Alto's growing focus on making its NGFW the place in the enterprise network to manage security in a range of ways was highlighted by Zuk's brief remarks that, as far as the future goes, there's thought being given to how mobile device malware detection could be done well on the network rather than via scans on the device itself. But he left it at that, saying there are a few technology areas that Palo Alto does not see getting into: Web application firewalls or full-featured data-loss prevention.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:

In this situation, a contract would stipulate that, if there is a security breach, the provider would be responsible for the customer's losses.

Effectiveness: Theoretically high

How common? Never

Hacking insurance

Insurance by a third party, or by the vendor could help displace costs resulting from a security or data loss issue.

Effectiveness: Potentially helpful, but like the downtime credits, does not necessarily create an incentive for the provider to avoid a breach

How common? Rare, but growing

Negotiate security clauses

These allow customers to negotiate higher levels of security for certain programs or data.

Effectiveness: Potentially high

How common? Mostly for large customers only

Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at and found on Twitter at @BButlerNWW.


Cybersecurity bill fails in US Senate


Some senators had raised concerns about government authority and privacy issues in the legislation

The U.S. Senate has voted against moving forward on a cybersecurity bill that supporters have called critical for national security.

The Senate late Wednesday voted 51-47 to end debate and move toward a final vote on the Cybersecurity Act, but 60 votes were needed to move the bill forward. The Senate also failed to move forward on the bill during an August vote.

Tech trade group BSA called on lawmakers to give a high priority to cybersecurity legislation in 2013.

"It is disappointing that senators haven't yet been able to reach an agreement on cybersecurity legislation — but stalemate doesn't make the issue go away," BSA President and CEO Robert Holleyman said in a statement. "There is no getting around the fact that we need to bolster America's cybersecurity capabilities. We urge both parties to put this issue at the top of the agenda in the next Congress."

Some Republicans have raised questions about the bill, which would allow the U.S. Department of Homeland Security to set cybersecurity standards, developed with the help of private companies, for operators of critical infrastructure. Critics have said the bill gives DHS too much power.

Other senators have raised privacy concerns about the bill, saying it would allow Internet service providers and other Web businesses to spy on customers to share information with the government without the need for a warrant.

The bill would create a new intra-agency council to work with private companies to develop cybersecurity standards that businesses could voluntarily adopt. The bill would offer incentives to companies that volunteer for cybersecurity programs, including protection from lawsuits related to cyberincidents and increased help and information on cybersecurity issues from U.S. agencies.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is

UN’s civil aviation body recommends cybersecurity task force


The U.N.'s civil aviation body will recommend creating a cybersecurity task force at a meeting next week in Canada, as new technologies introduced into aviation systems are increasing the risk of cyberattacks.

The International Civil Aviation Organization (ICAO) said a task force is needed due to an increasing reliance on interconnected IT systems with operating systems such as Microsoft Windows and Linux, and protocols such as IPv6 and Avionics Full Duplex Switched Ethernet (AFDX), according to a working paper.

"Currently cyber security is a relatively minor issue in civil aviation, but this is changing," the ICAO wrote. "Although the adoption of new technology is an ongoing activity in civil aviation, the current pace and extent of new information technologies is notably increasing the risk from cyber attacks."

Earlier this year, Cyprus-based researcher Andrei Costin showed major problems at the Black Hat security conference in ADS-B (automatic dependent surveillance broadcast), a next-generation protocol used by air traffic control systems to track aircraft positions.

Costin, who also gave his presentation at the Power of Community (POC2012) security conference on Friday in Seoul, described weaknesses in the ADS-B protocol, which has been adopted so far in Australia and in busy flying areas in the U.S. It allows for more precise aircraft tracking, which allows more planes to fly closer together in the sky, carrying more passengers and bringing in more revenue.

Costin showed how it was possible to tamper with ADS-B tracking data for planes in the sky and also make planes that aren't flying appear to be in the sky to air traffic controllers. The equipment needed for such an attack costs as little as US$1,500. The weaknesses in ADS-B have been known for years, but on Friday Costin demonstrated a practical attack.

"Basically, we kind of helped them [the ICAO] understand that there's a real problem and a real risk in this," Costin said.

But while an ICAO cybersecurity task force would be a good development, it won't mean a fix for the ADS-B protocol, Costin said. Fixing ADS-B will be difficult and could cost billions of dollars, he said, an effort that has no business incentive and wouldn't bring in new revenue.

"Nobody will do it [fix ADS-B] for the next 50 years for sure unless there is a big attack," Costin said.

The ICAO cited Costin's research as well as other vulnerabilities, such as jamming of GPS signals, and malicious incidents, as justification for a cyber security task force. In one example, the ICAO wrote that three software engineers were accused of sabotaging code in June 2011 at a new airport terminal, allegedly because they didn't get a pay increase from a subcontractor.

Three days later, check-in services failed at the terminal, with 50 flights delayed. Cyberattacks could have "an effect analogous with the recent Icelandic volcanic ash problems, shutting down air travel across parts of Europe for several days. In that case estimated costs run into the billions of dollars or euros," the ICAO wrote.

ICAO's 12th Air Navigation Conference is scheduled to run from Nov. 19-30 in Montreal.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk


Huawei security chief: We can help keep U.S. safe from ‘Net threats


The chief security officer of Huawei, the Chinese company recently flagged by Congress as a national security threat, says the network equipment maker could actually help the United States defend itself against malicious Internet traffic.


BACKGROUND: U.S. House Intelligence report blasts Huawei, ZTE as national-security threats

HUAWEI: Separating fact from fiction

Andy Purdy, Huawei Technologies' CSO, spoke here today on a Cloud Security Alliance Congress panel of security experts from the U.S. government and industry that raised warnings about Chinese espionage across the Internet.

Representing the sole China-based company on the panel, Purdy said there are ongoing discussions between the U.S. and China on supply-chain safety, and that private companies should be part of them. There should be "openness, transparency and freedom," he said.

"Part of the planning of the U.S. hopefully is collaboration with the private sector and part of the strategy should be planning how to block malicious traffic," said Purdy, adding ISPs could do that. He said: "It's disgraceful the government isn't doing anything to address the Internet underground."

Purdy pointed out that Huawei agreed with the U.S. administration about possible risks to the global supply chain. He noted that Huawei, with $32 billion in revenues, makes less than $2 billion in the U.S., but a third of its components come from the U.S., meaning thousands of U.S. jobs are supported.

Nevertheless, China has been stealing vast amounts of U.S. corporate intellectual property by breaking into networks, said Scott Borg, director and chief economist for the U.S. Cyber Consequences Unit, described as a research organization set up by the U.S. government specifically to look at the nature of cyberattacks and supply-chain safety issues.

"We're also finding malicious firmware in products from China," Borg said. "China and Chinese companies aren't playing by the same rules we are."

Borg said that research indicates that China, as a country rapidly climbing out of poverty into wealth, has done that largely by "copying the developed countries," and if someone doesn't hand you the basic technology to do this, you steal it. "Stealing is part of the national economic development model for China," he said. China has basically held its people hostage, encouraging them in this, in order to raise the standard of living, he continued.

However, Borg said other companies are tired of getting hacked and "taking it on the chin." He suggested there's now increasing interest in fighting back, and this would mean carrying out counter-strikes in some way.

Marcus Sachs, vice president for cybersecurity at Verizon, also on the panel, said the idea of hiring private armed guards to defend you is well-established in the physical world, which raises the question, "Why not do that in cyberspace?" But he pointed out that armed guards in the physical world act within limited distances, while in cyberspace you're across the planet within milliseconds. He said counter-strikes of any sort will require deep consideration of policy issues.

John Streufert, director of the National Cybersecurity Division at the Department of Homeland Security, said offensive cybersecurity is the responsibility of the military in the U.S., and he said if citizens see specific threat problems they should report them.

But during a session later in the day, Streufert also described a long-planned DHS program called Continuous Monitoring. Coming soon will be a contract solicitation for managed security services called Continuous Diagnostics and Mitigation, including cloud-based services, to protect civilian federal agencies' data from stealthy attacks.

The Continuous Monitoring concept calls for a layer of sensors and scanners to check hardware and software used by the federal government for vulnerabilities.

A project expected to take the federal government a few years to complete, it would include a security dashboard view managed by Continuous Monitoring service providers that would likely be shared at the agency department level. Streufert called it a "cyberscope" for the federal agencies.

Streufert said the goal is to get the agencies away from the hugely expensive paper-based vulnerability reports they generate today that are seen as inefficient and untimely. The program could extend as well to state and local government agencies, he said, for an estimated total of up to 25 million seats.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:
