Technology Review - Published By MIT

Insights, opinions, and our editors' analysis of the latest in emerging technologies.

Unconventional-Weapons Warnings from Obama Advisors

Members of Obama's transition team warn that the United States has not taken seriously the threat of bioterrorism, and that some chemical plants are potential targets.
Tuesday, December 02, 2008
By Katherine Bourzac

Two reports in the news this week offer a glimpse of how unconventional-weapons oversight and government regulation of chemical plants might change under the next U.S. administration.

According to the New York Times, a report on the use of unconventional weapons calls congressional oversight of the issue "dysfunctional" and faults the Bush administration for not devoting enough resources to the threat of bioterrorism. The report, the result of six months of deliberation by the bipartisan, congressionally created Commission on the Prevention of Weapons of Mass Destruction and Terrorism, will be released this week.

The report's authors hope that its recommendations will guide the next administration, which is likely, since some of its authors, including Wendy Sherman, have already been advising Obama during his transition.

From the Times story:

Prepared before last week's deadly terrorist attacks in Mumbai--which American officials say were most likely carried out by Pakistani militant groups based in Kashmir--the report also singled out Pakistan as a top security priority for the coming Obama administration . . .

The panel's 13 recommendations focus on fighting the threat of bioterrorism, including improved bioforensic capabilities, and strengthening international organizations, like the International Atomic Energy Agency, to address the nuclear threat. It also calls for a comprehensive approach for dealing with Pakistan . . .

"Unless the world community acts decisively and with great urgency, it is more likely than not that a weapon of mass destruction will be used in a terrorist attack somewhere in the world by the end of 2013," the report states in the opening sentence of the executive summary.

And in related news, Chemistry World reports that the U.S. chemical industry is concerned about the release of a report by the Center for American Progress (CAP), a liberal think tank founded by John Podesta, the former Clinton chief of staff who heads Obama's transition team. The report, "Chemical Security 101," lists the country's most dangerous chemical-manufacturing and water-treatment plants. Based on an assessment of the facilities' own risk-management plans, the report warns that hundreds of plants in 41 states put 110 million people at risk. According to the report, these plants could become less attractive as terrorist targets, and would lower the risk to their neighbors, if they switched to alternative chemicals and processes. Bleach plants, for example, could generate chlorine on-site instead of having it shipped in by rail. And the report says that the Department of Homeland Security's chemical-security rules, the Chemical Facility Anti-Terrorism Standards (CFATS), which expire next year, are inadequate.

From Chemistry World:

Paul Orum, a safety consultant who drafted the report for CAP, says the expiration of CFATS in October 2009, 'could provide an impetus for creating a comprehensive chemical safety programme. Just reauthorising the current programme will not provide effective chemical security.'

Orum and others believe that Obama could significantly strengthen the government's chemical safety rules after taking office on 20 January, 2009. Obama and incoming vice president Joe Biden have both in the past introduced legislation that pushes chemical facilities to use safer alternatives where practicable.

A Chemical Facilities Anti-Terrorism Act, which requires high-risk chemical facilities to use safer methods and eliminates the exemption of water facilities, was introduced in March 2008, but has not yet been reviewed by the House, nor introduced in the Senate.

In our March/April 2006 cover story, Mark Williams reported on the threat of bioterror. And this year, TR has reported on how Obama used technology in his election campaign and on the science and technology policy challenges that he will face as president.

The Nostradamus Attack

When does cryptography collide with the work of Nostradamus?
Monday, November 17, 2008
By Erica Naone

As early as November 2007, a group of security researchers predicted that Barack Obama would be elected president this month. But before you get too impressed, you should know that they also created predictions for John McCain, Ralph Nader, and Paris Hilton. Anyone can come up with a bunch of bum predictions, but what matters here is that the researchers came up with a scheme that could have allowed them to present any one of these predictions as their single guess.

The researchers created the scheme to illustrate a point about cryptographic hash functions, which are key building blocks of secure protocols on the Internet, including those used for e-commerce. A cryptographic hash function reduces a message of any size to a fixed-size "digital fingerprint," or digest, which can then stand in for the original. Two properties are expected of it: given only the fingerprint, it should be infeasible to find a message that produces it, and it should be infeasible to find "collisions," two different messages that produce the same fingerprint. Those properties are what let a fingerprint serve as a commitment (and what let digital-signature schemes sign the fingerprint rather than the whole message). In other words, I could send you the fingerprint as proof of my prediction and reveal the prediction itself later; if collisions are easy to find, that proof is worthless, because the same fingerprint can be opened to more than one prediction.

The researchers' predictions, which all look like perfectly ordinary PDF files, are a virtuosic example of producing collisions: every one of them has the same fingerprint under the cryptographic hash function MD5. The technique, a chosen-prefix collision, lets the attacker write several different documents in advance and then compute differing blocks of bytes that steer all of them to the same MD5 digest. The caveat worth keeping in mind is that the attacker controls every colliding document; the attack does not let anyone forge a document matching a fingerprint that someone else has already published. MD5 was first broken by Xiaoyun Wang, a professor at the Center for Advanced Study at Tsinghua University, in China, and her coauthors, whose collision attack was announced in 2004 and published in 2005. The researchers' Web page explains the work in more detail.
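As an added illustration (not the researchers' own code or files), the following Python shows how a collision turns a hash-fingerprint commitment into no commitment at all. It uses the publicly known two-block MD5 collision pair from Wang et al.; the document format wrapped around those blocks, the viewer that picks a prediction by comparing the leading block with a reference copy, and the candidate names are constructed for this example and are not how the researchers' PDFs are built.

```python
# Added example (not the researchers' code): how a hash collision lets one
# "fingerprint" be opened to two different predictions. The two 128-byte
# blocks below are the publicly published MD5 collision pair of Wang et al.;
# the document layout around them is constructed here for illustration.
import hashlib

M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# MD5 is a Merkle-Damgard construction: once two inputs reach the same
# internal state, any common suffix keeps the digests equal. That is what
# lets one shared "body" be appended to whichever colliding block is chosen.
BODY = M1 + b"Obama\x00McCain\x00"   # reference copy of M1, then both predictions


def build_document(block: bytes) -> bytes:
    """Constructed document format: 128 collision bytes followed by BODY."""
    return block + BODY


def render(doc: bytes) -> bytes:
    """What a viewer would display: the first prediction if the leading block
    equals the reference copy embedded in the body, otherwise the second."""
    block, body = doc[:128], doc[128:]
    reference, choices = body[:128], body[128:].split(b"\x00")
    return choices[0] if block == reference else choices[1]


def commit(doc: bytes, algo: str = "md5") -> str:
    """The published 'fingerprint' of a prediction."""
    return hashlib.new(algo, doc).hexdigest()


def verify(commitment: str, doc: bytes, algo: str = "md5") -> bool:
    return hashlib.new(algo, doc).hexdigest() == commitment


def demo(algo: str = "md5"):
    """Returns (what doc_a shows, what doc_b shows, whether BOTH open the
    commitment that was published for doc_a alone)."""
    doc_a, doc_b = build_document(M1), build_document(M2)
    c = commit(doc_a, algo)
    both_open = verify(c, doc_a, algo) and verify(c, doc_b, algo)
    return render(doc_a), render(doc_b), both_open


if __name__ == "__main__":
    print("MD5:   ", demo("md5"))      # both documents open the same commitment
    print("SHA256:", demo("sha256"))   # a sound hash tells the two apart
```

Run stand-alone, the MD5 line reports that the commitment opens to either candidate while the SHA-256 line does not; the decision to swap the hash is the whole fix, since nothing about the documents changes.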

For more about cryptographic hash functions, look for a story tomorrow about the current search for a new standard algorithm.

Black Hat's Pwnie Awards

Pwking fun at the security community since 2007.
Thursday, August 07, 2008
By Erica Naone

Last night, the Black Hat security conference in Las Vegas wrapped up for the day with the second annual Pwnie Awards, where a group of judges gave out golden miniature ponies with flowing pink hair to their selections for categories such as "lamest vendor response," "epic FAIL," "most overhyped bug," and "best song." The Pwnie Awards take their name from the slang verb "pwn," pronounced to rhyme with "own," which, according to the Urban Dictionary, means "an act of dominating an opponent."

For the most part, the awards were given and received with good humor. Someone claiming to be from McAfee made a surprise acceptance of the Pwnie for "lamest vendor response," awarded for McAfee's Hacker Safe certification program. The Pwnie Award judges mocked the program for certifying as "hacker safe" more than 60 websites that were later reported to be vulnerable to cross-site scripting attacks, in which attacker-supplied script runs in a visitor's browser with the site's privileges and can hijack the visitor's session or steal the data the site shows to that user.

According to the Pwnie Awards' website, McAfee responded to the vulnerabilities by claiming that cross-site scripting attacks can't be used to hack a server, although they may affect the end user or the client.

The Pwnie for "most overhyped bug" went to Dan Kaminsky, who discovered a cache-poisoning flaw in the Domain Name System (DNS), the directory that maps names to addresses and so helps direct traffic over the Internet. After Kaminsky held a press conference in July about the flaw, without releasing details of its exact nature, the news received massive media attention.

"You were in the New York Times, the Wall Street Journal," one of the judges said to Kaminsky while announcing his win. "What weren't you in?"

Finally, the Pwnie for "best song" went to "Packin' the K!," a hip-hop-style ditty advertising the services of Kaspersky labs. It can be viewed here. In spite of "Packin' the K!"'s win, audience response seemed best for Dr. Raid's "Clockwork," which can be heard through the same link. The audience protested when the Pwnie judges went to turn off the clip, and when they played it longer, one audience member got up to dance.

Security Flaw Found in Linux

Bug compromises cryptographic keys created over the past year and a half.
Friday, May 16, 2008
By Erica Naone

A bug in the OpenSSL package shipped by Debian Linux, from which the popular Ubuntu distribution is derived, puts at risk cryptographic keys generated on Debian and Debian-derived systems between September 2006 and May 13, 2008, according to security researcher H.D. Moore. The keys at risk include the SSL/TLS keys typically used to protect e-commerce transactions, as well as SSH keys. The bug resulted from a Debian-specific change that removed the code responsible for feeding random data into OpenSSL's random-number generator, leaving the process ID as the generator's only varying input. Since a process ID takes at most 32,768 values, only that many distinct keys of a given type and size could be produced on a given platform, so an attacker can simply generate all of them and match any affected public key to its private half. Keys generated on unaffected systems are safe, but DSA keys that were merely used for signing on an affected system are also suspect, because DSA signatures need a fresh random value each time. Debian published lists of the weak keys and a checking tool (ssh-vulnkey); affected keys must be regenerated and any certificates issued for them replaced.
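The following Python is an added example, not H.D. Moore's tooling or Debian's code: a toy model in which a key generator's only remaining entropy is the process ID, with the attacker's brute-force recovery and the kind of precomputed blacklist check Debian shipped to find such keys. The key derivation is a stand-in hash construction, not RSA or DSA, and PID_MAX of 32768 is the assumed Linux default of the time.

```python
# Added example (not H.D. Moore's tooling or Debian's code): a toy model of
# why removing the entropy source collapses the keyspace, and how the
# resulting blacklist check works. The key derivation is a stand-in, not RSA.
import hashlib
import os

PID_MAX = 32768   # assumption: Linux default pid_max of the era (2**15)


def derive_keypair(seed: bytes):
    """Stand-in for 'key material is a deterministic function of the RNG
    seed'. Real generators run the RNG output through primality tests, but
    the determinism is the same: same seed, same key."""
    private = hashlib.sha256(b"private-key:" + seed).digest()
    public = hashlib.sha256(b"public-key:" + private).digest()
    return private, public


def broken_seed(pid: int) -> bytes:
    """Models the patched Debian OpenSSL: the process ID is the only input
    that still varies between runs."""
    return pid.to_bytes(4, "little")


def good_seed() -> bytes:
    """What the generator should do: pull fresh entropy from the OS."""
    return os.urandom(32)


def recover_private_key(public: bytes):
    """Attacker's view: enumerate every possible PID, regenerate the key it
    would produce, and stop when the public half matches."""
    for pid in range(1, PID_MAX):
        private, candidate = derive_keypair(broken_seed(pid))
        if candidate == public:
            return pid, private
    return None


def weak_key_blacklist() -> set:
    """Precompute every public key the broken generator can emit; this is the
    idea behind Debian's openssl-blacklist package and ssh-vulnkey."""
    return {derive_keypair(broken_seed(pid))[1] for pid in range(1, PID_MAX)}


def is_weak(public: bytes, blacklist: set) -> bool:
    return public in blacklist


if __name__ == "__main__":
    _, weak_pub = derive_keypair(broken_seed(4242))
    print(recover_private_key(weak_pub)[0])   # private key recovered from the public half alone
    _, good_pub = derive_keypair(good_seed())
    bl = weak_key_blacklist()
    print(is_weak(weak_pub, bl), is_weak(good_pub, bl))
```

The whole enumeration takes a fraction of a second here; with real RSA key generation it took the community a few machine-days per key size and platform, which is why the blacklists were distributed rather than recomputed by every administrator.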

Adapting Virtual Worlds for Business

Businesses need to resolve questions of immersion, integration, and fun.
Friday, April 04, 2008
By Erica Naone

At the Virtual Worlds Conference 2008 in New York City, I see a lot of interest in using virtual worlds for more than just games. Yesterday, for example, Linden Lab and IBM announced that IBM is now hosting the Second Life Grid--a virtual-world platform based on Second Life--behind its firewall. The grid allows businesses to build their own virtual worlds using the foundations that have already been created for Second Life. Hosting the grid behind IBM's firewall keeps the servers, and whatever is built or discussed on them, on the corporate network rather than on Linden Lab's public servers, making Second Life a much more attractive place to hold meetings involving sensitive corporate information or to build protected prototypes. At the same time, avatars can travel easily from IBM's private grid to the larger, public version of Second Life.

Ginsu Yoon, Linden Lab's vice president for business affairs, says that protecting the grid required careful structuring of servers. "The easy part is putting it behind the firewall, and the hard part is making it connect to the larger world," says Yoon. Servers can host corporate data securely, he says, but software also has to watch avatars to make sure they don't carry protected data out into the public space. IBM and Linden Lab worked together to find a way to host the grid that measured up to IBM's standards for corporate security.

This is the latest of IBM's many forays into virtual space. In addition to the company's existing presence in Second Life--both in public and on a private island--IBM is conducting virtual-world experiments using Forterra, Qwaq, and its own internally built Metaverse. So far, these efforts are young and uncertain. While the company is actively researching ways to use virtual worlds in conjunction with business software, canvassing its own massive base of employees for information about the needs of today's corporations, it's still not clear what will come of its efforts.

I think that this is largely because many businesspeople don't yet see a need for virtual worlds. They feel that, while they do need to deal with colleagues remotely, 2-D tools such as Web-conferencing software and instant messaging do well enough.

Tools like instant messaging and social-networking sites have become common in businesses in part because of their deep connection to people's personal lives. People who are used to keeping track of friends on Facebook are likely to also keep track of business contacts in LinkedIn, or even Facebook itself. The IBM Lotus development group, with its Connections software, has worked to create secure social-networking sites that can run behind a firewall and serve as a medium for confidential corporate communications. I see IBM's research in virtual worlds as a similar phenomenon: the company is hunting for a way to catch hold of a popular phenomenon and adapt it for business.

As things currently stand, however, I see a few obstacles in the way:

Immersion
Immersion is both a blessing and a curse for virtual worlds. Remy Malan, vice president of enterprise for Qwaq, talked with me here about how compelling 3-D is for people. We talked about how people can learn their way around a real-world location without setting foot in it, just by navigating it in 3-D. However, immersion has a drawback, in my view. The tools that work best for many people in business are those that allow rapid switching. For example, as I write an article, I may flip between an instant-messaging conversation with my editor, the program in which I'm writing the article, my Web browser, and my e-mail client. An immersive virtual world doesn't allow for the same kind of multitasking.

Integration
The multitasking problem I just mentioned could be solved if word processing, e-mail, and other business tools were integrated into virtual worlds, the way instant messaging has been in most of them. This would mean effectively replacing a 2-D operating system with a 3-D, graphics-intensive operating system. Companies have moved in this direction already. Qwaq allows everything from documents to Web pages to be imported into a virtual meeting space, where they can remain for all to see for the duration of a project. IBM has connected its Metaverse to some of its existing business software, such as its Sametime instant messenger. The benefit here is that the integrated environment provides a persistent home for a project, which can be especially nice if people from many states or countries are working together. However, I'm not sure that this outweighs the significant drawbacks of going 3-D. The environment is hard for new users to navigate, requires heavy computer resources, and hogs bandwidth.

Fun
Fun is another blessing and curse for virtual worlds. Companies that specialize in virtual worlds for enterprise tend not to stress fun very much. I think that this is because they're working to avoid being labeled as purveyors of toys rather than tools. However, if we do need virtual worlds in business, it may be precisely because of fun. In their consumer incarnations, virtual worlds have an incredible ability to suck some users in. I have stayed up until 2:00 a.m. harvesting materials in a virtual world--which I can tell you feels suspiciously like work--simply because I wanted to finish building a virtual object. If employers could engage employees the same way game designers can engage players, exciting yet frightening possibilities open up. However, not only is this a delicate issue for many reasons, but it's unclear that virtual worlds will have the same effect when used for professional work rather than gaming.

I started this post by talking about how companies are addressing questions of the security of virtual worlds. Answers to those questions are clearly required before businesses can rely very much on virtual worlds. I'm confident that security won't remain a barrier. However, I think that the questions of immersion, integration, and fun will remain thorny issues for some time to come.

Hardware Insecurity

Vulnerabilities of embedded systems on display at Black Hat.
Thursday, February 21, 2008
By Erica Naone

Today at the computer security conference Black Hat 2008, in Washington, DC, several impressive demonstrations made clear that embedded systems, such as those used for keyless entry to cars or garage-door openers, could be an important security battleground in coming years. Breaking into embedded systems requires a different set of skills from those needed to crack websites. Rather than exploiting flaws in software written in widely known languages, getting access to embedded systems can call for hands-on techniques, such as exposing a chip to ultraviolet light to erase its protection bits or probing its internals with microscopic needles.

Christopher Tarnovsky of Flylogic Engineering gave a virtuosic presentation in which he showed how he had defeated the protections on chips made by major manufacturers including Atmel, Motorola, and Infineon. Tarnovsky emphasized that, although the manufacturers stress the security features of their devices, he often finds it relatively easy to circumvent the very features that are being touted.

Later, Job de Haas, a senior specialist at Riscure, showed how he could extract secret keys from embedded devices without needing to open them up. The technique is a side-channel attack: a probe records the electromagnetic field the device emits while it computes, and statistical analysis of many such recordings correlates small variations in the signal with the secret data being processed, until the key can be read off.

While in both cases, specialized skills and equipment are needed to pull off the attack, embedded systems are increasingly being used to guard access to valuable information or equipment that could make it worth the effort to break into them.
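The following Python is an added simulation, not Riscure's tooling, of the statistical step behind the measurement-based attack described above: correlation power analysis, which works the same way whether the traces come from a shunt resistor or an EM probe. The device, its S-box, the leakage model and the noise are all constructed here; a real attack replaces capture_traces with an oscilloscope and a probe.

```python
# Added example, not Riscure's tooling: a simulation of the statistical step
# behind power/EM side-channel key recovery (correlation power analysis).
# Traces are constructed from a Hamming-weight leakage model plus Gaussian
# noise; in a real attack they come from an EM probe or a shunt resistor.
import random

rng = random.Random(2008)   # fixed seed so the example is reproducible

# Constructed nonlinear byte substitution standing in for a cipher's S-box
# (the first-round AES S-box lookup is the usual real-world target).
SBOX = list(range(256))
rng.shuffle(SBOX)


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def capture_traces(secret_key_byte: int, n: int, noise: float = 1.0):
    """Simulated device: one sample per encryption, leaking the Hamming
    weight of SBOX[plaintext ^ key] plus measurement noise.
    Returns (plaintext bytes, leakage samples)."""
    plaintexts = [rng.randrange(256) for _ in range(n)]
    samples = [hamming_weight(SBOX[p ^ secret_key_byte]) + rng.gauss(0, noise)
               for p in plaintexts]
    return plaintexts, samples


def pearson(xs, ys) -> float:
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def recover_key_byte(plaintexts, samples) -> int:
    """Attacker's side: for every key guess, predict what the device would
    leak under that guess and keep the guess whose predictions correlate
    best with the measurements. Only the plaintexts and the traces are
    needed; the key is never observed directly."""
    best_guess, best_corr = None, -1.0
    for guess in range(256):
        predicted = [hamming_weight(SBOX[p ^ guess]) for p in plaintexts]
        corr = abs(pearson(predicted, samples))
        if corr > best_corr:
            best_guess, best_corr = guess, corr
    return best_guess


if __name__ == "__main__":
    key = 0x9C
    pts, trace = capture_traces(key, n=500)
    print(hex(recover_key_byte(pts, trace)))
```

Each key byte is attacked independently, so the work is 256 guesses per byte rather than 2^128 for the whole key; the countermeasures de Haas's employer sells (masking, noise injection, balanced logic) all aim at destroying the correlation this loop relies on.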
