Google attacks, Web 2.0 fuel FUD at RSA

[Muhiudin]

Google attacks, Web 2.0 fuel FUD at RSA
Analysis: Both themes attract a lot of attention at annual security trade show
- SAN FRANCISCO -- Fear, uncertainty and doubt is an integral part of the security industry. Vendors sell FUD, the media loves reporting it, and trade shows thrive on it.
So it's not surprising that the RSA Security Conference held here this week had vendors, analysts and assorted others serving up huge dollops of FUD.
But two themes in particular appeared to be fueling much of the trepidation at this year's show; the recent attacks against Google and the change being forced on enterprise security models by the increasing adoption of mobile and Web 2.0 technologies by users.

The attacks on Google and dozens of other high-tech companies including Intel and Juniper Networks, by operatives apparently based in China have stirred a lot of emotions. Although there has been some discussion on exactly how sophisticated (or not) those attacks really were, the mere fact that even such technology savvy companies could be compromised for an extended period of time, is stirring considerable anxiety.
The attacks clearly appear to have convinced many in the industry that U.S. government, commercial and military networks are being systematically targeted in an escalating campaign to steal trade secrets and intellectual property. Many see the attacks as being state-sponsored and focused increasingly in scope almost daily.
Off the record, some say that the attacks against Google were not really about merely stealing e-mail accounts. Rather, they see a more fundamental compromise of the company's networks at a time when it is migrating more corporate and government accounts to its cloud infrastructure. The fact that the company has asked for the National Security Agency's (NSA) help and has threatened to walk away from China are indicative of a far more serious problem than has been let on.
FBI director Robert Mueller gave voice to some of those concerns during a keynote address at RSA where he warned about hackers making subtle changes to software source code in order to create a "permanent window" into a company's operations. Such changes, he said, were resulting a bleeding of data and intellectual property.
Tom Kellerman, vice president of security awareness at Core Security Technologies and a member of a commission that developed a set of cybersecurity recommendations for President Obama last year, says it's time for the government to deal with the problem with the seriousness it deserves.
Over the past two years, there's been a 200% increase in attacks against government targets. Global supply chains and the virtual networks behind them are also under constant attack, Kellerman said. Alhough the U.S continues to host the most number of bot-infected computers, almost all of the servers controlling them are based overseas, Kellerman said.
Dealing with the issue will require concerted action on the part of the U.S government, he said, Cybersecurity needs to be to become an item on the agenda at the next G20 summit, Kellerman said. The U.S also needs to raise the issue at the World Trade Organization under the premise of IP theft, he said.

It's crucial to stop thinking only in terms of deterrent action when it comes to eliminating hacker havens, he said. Instead, a focus on using economic aid to help hacker-friendly countries improve their abilities to go after cyber-criminals is also needed, Kellerman said.

Robert Rodriguez, a former Secret Service Special Agent and founder of the Security Innovation Network, said it's time for the Department of Defense and the NSA to take a broader role in responding to such attacks. He suspects that there is no longer such as thing as a trusted supply chain and that many commercial and government networks are already penetrated and ready to be exploited.

It's important not to make any assumption about the real motivations behind such attacks just by looking at what's going on at the surface, he said. "Like the Statute of Liberty play in football, [these attacks] could be a kind of trick play," Rodriguez said. "We have to take the position that we are already compromised [when formulating a response.]"

Meanwhile, the growing ubiquity of mobile devices and the increasing adoption of Web 2.0 tools and social networking sites such as Facebook and YouTube also appeared to be fueling much of the FUD at this year's RSA. The main concerns appeared to be focused on the issue of users getting control over enterprise data in ways that were not anticipated a few years ago.

The growing use of smartphones and other mobile technologies -- some enterprise-owned, but many of them not -- to access and store enterprise data for example, appeared to be a major concern. So too is the trend by many to use tools such as Gmail and Google Voice to access and store enterprise data.

There are considerable fears also of enterprise data being leaked out via sites such as Facebook, LinkedIn and YouTube by users indiscriminately posting sensitive material on such sites. "You need to be aware of the fact that users have more control over data," said Asheem Chandna, partner at venture capital firm Greylock Partners.

Increasingly "enterprise data is going where your users are going," Chanda said. Many of the tools that are being used to store and access corporate data don't support robust security features such as remote wipe technologies and data encryption, he said.
Source: Computerworld.com