Some times they come back

View image | gettyimages.com

I wrote a few time ago about double standards in IT security that affect eastern countries’ companies as Chinese Huawei and ZTE or Russia’s ones when dealing with western countries.

I wrote this effect is quite evident every time you read news on cyber security threats. Guess what… I was reading some news lately and I encounter some statements that make me think (again) about it:

Let’s take the FREAK attack as an example.

FREAK attack is a security vulnerability that breaks HTTPS protection. The troubles today owe to ‘export grade encryption’ – a deliberately weaker form of encryption baked into products shipped outside of the United States, enforced by the American government. The restrictions were removed in the late 1990s, but the encryption remains a part of software still used to this day: even in products now bought and sold in the United States.

According to Washington Post “export grade encryption” was the originating issue for this vulnerability, this is a several years old problem, although “discovered” recently.

Same day other news, in an article reported by the Boston Business Journal (click the link for the article) mr Gregory J. Touhill (the deputy assistant secretary for cybersecurity operations and programs in the office of Cybersecurity and Communications) states at the last cybersecurity panel discussion on Tuesday organized by the New England chapter of the National Association of Corporate Directors, which represents board members of the largest companies around the region :

Who’s doing the hacking? State-sponsored hacking — from countries like China or Russia, for example — “they get the get the big splash in the newspapers, but they represent less than 2 percent of the attacks that we see,” said Touhil. Hacktivists — people who use hacking to further their political agenda — are a large and growing group.

so basically the same who create the FREAK issue are blaming others for activities yet to be proven.

Meanwhile the Chinese official response to Obama administration accusations on being unfair with new cyber security rules state:

“With transparent procedures, China’s anti-terrorism campaign will be different from what the United States has done: letting the surveillance authorities run amok and turn counter-terrorism into paranoid espionage and peeping on its civilians and allies.”

— Xinhua, China’s state-run news agency, addressing President Obama’s criticism earlier this week of a proposed Chinese law that would require tech companies doing business in that nation to install backdoors in their software and turn over their encryption keys. “Contrary to the accusations of the United States, China’s anti-terror law will put no unfair regulatory pressures on foreign companies, because the provisions will apply to both domestic and foreign firms,” Xinhua also wrote.

The BBC reports: Fu Ying, parliamentary spokeswoman, pointed out that the U.S. government had imposed restrictions on Chinese companies it considered potential security threats, such as Huawei and ZTE. She also said Beijing’s proposals were in line with the same kind of access to online communications sought by the U.S and British governments.

This westeast friction is changing slightly with rising of cyber security awareness, this have been pointed out also by computer weekly that in a recent article

“US technology companies facing growing UK pressure over internet spying”

talked about rising friction between UK and USA over cyberspying issues (i wrote on the same issue many times ago, see: PRISM Lessons On Privacy, Cloud and US IT Companies).

Let be clear, this is not just a USA problem, recently France have had its part of glory with the fake Google certificates delivered by ANSSI (human mistake was the official explanation) or the Casper malware affair.

And also UK while complaining with USA for the PRISM consequences has its own fingerprint in the NSA-GCHQ affair.

So who can we trust?

If someone is familiar with X-Files may be recognize the statement “Trust no one”. This is the basis when implementing security. This does not means that all commercial product are un-trustable, but from a security perspective we should assume the worst.

Can be sponsored state, human error or criminal intent something can go wrong everywhere (shit happens).

From a security perspective this means that processes are assuming the greatest importance, while from an HWSW point of view a multivendor approach with a not all from the same country attitude, could be reasonable.

To rise confidence vendors are approaching several correction, from a safer software writing cycle to a better control to supplier and resellers, in order to avoid unwanted tampering with their solution from an external source. This kind of processes are today even more important according to the recent news and outbreaks so the bigger is the vendor the stronger has to be its politics in controlling the whole chain, from production to delivery.

But nevertheless we could not assume that any vendor is 100% secure (again shit happens), so implementing continuous and sound process of auditing, penetration and vulnerability testing and quality analysis of the IT structures will give us a better perspective of surviving the current threat environment. We should also remember that without contingency plan for disaster recovery and cyber threat attack all our effort could be vain.