October 29, 2009

Getting down to the nitty grid-dy

So I do have an interest in the way that SCADA systems and various infrastructure systems are implemented, networked, and protected. My overall understanding of things is that while much of the critical infrastructure is maintained and updated, there are older systems that have been kind of bootlegged into the current control network, leaving them quite vulnerable and exposed to anyone with knowledge of the older language schemes that these control systems were programmed in.

This article talks about the pros and cons of the DoE and NIST upgrading systems for interoperability and consistency, with an interesting point being made that the uniform system is actually potentially more vulnerable because once someone figures out (not if, but when) a security hole, they will know how to manipulate any of the utilities/infrastructure secured by the system.

Not a whole lot else to say about it. Kind of boring, but definitely a national security issue.

October 28, 2009

To Catch A Geek...

So how does the Big G Federal Government garner the support and interest of the generally anti-establishment hacker community to rally to the cause of national security and defense of American interests and assets? Do you lure them in with bait like the implied promise of open access to government server banks and resources? How do you deal with the major culture gap?

This article really comes to the point saying:

The hacking culture is antiestablishment, and the United States is the establishment, the Microsoft of geopolitics. That’s a boon to Russian and Chinese government efforts to recruit hackers to their side, but it will hurt the United States, Carr says. A hacker wants “to align with the underdog against the big, bad U.S., and it’s going to be hard to reverse that,” he says.

The notion of cyber-security games is truly interesting, because take it from a former basement-lurker - LAN parties (or what my friends used to casually call Geekfests) are some serious fun. Imagine what a government sponsored LAN party would be like? Tax dollars paying for Jolt cola and horrible snack foods? I’d be there.

The Department of Defense trains only about 80 cybersecurity experts a year, far fewer than what are most likely needed. “People in the Pentagon know that the guy who looks good in a flight suit and can do 100 push-ups isn’t necessarily the guy who will be the world’s best hacker,” says Noah Shachtman, editor of Wired magazine’s Danger Room blog, who has briefed Pentagon officials on cyberwarfare. “So they know they have to reach out beyond traditional military recruiting models to find the top people. They’re not sure exactly how to do it, though, and this is one attempt.”

I call it a good bid.

October 26, 2009

Should the government really consider writing its own software?

Interesting article here talking about the implications of the DoD writing its own software. Doubtful it would be for cost or lack of solutions. But would this proposed notion really speed along the process for various software packages to be tested and cleared for secure government use?

I’ve heard from friends in various agencies and departments of the federal government that they just got up to Internet Explorer 6 (exaggerated, I hope - 7 is passable at least), and Windows Vista is just beginning to get rolled out (who knows why - I use Vista daily and really don’t notice any major difference in usage from my years spent on WinXP, other than glossy transparency transitions and effects).

Commercial Off The Shelf Software isn’t the problem, IMO. If the government is really just checking for security holes, backdoors, and vulnerabilities, why does it take so long? Is it just another constantly repeating example of the slow-moving government inefficiency that everyone has come to expect?

Not exactly the intent of the original article that the first article I linked is responding to, but it’s just something that’s weighed on my mind the more I hear about how the government deals with its software solutions. Interestingly enough, the original article is dealing with the notion of agencies and departments rewriting and customizing various open source software packages that have been put together by the DISA.

In this case, in regards to the multiple times the issue of more conventional open-source software’s usage in the government has come up, would this address the issue of needing someone to go to and yell at specifically when things go awry? What would be the procedure if the software was being produced/customized by the government itself? The possibilities are interesting, at best, with execution sure to be complicated and mired in bureaucracy and liabilities.

October 22, 2009

It's so easy being trendy!

There is a growing trend of governments setting up their own dedicated cyber-security centers and colleges under various titles, with massive amounts of funding. Granted, it is becoming necessary but one has to wonder why it’s happening in such an obvious trend wave when cyber-security has been an issue for at least the past 5-10 years?

Heck, even the Saudis are building a shocking secular High-Tech Science Oasis campus housing one of the world’s fastest supercomputers. Its purpose is not solely cyber-security, but I assure you, it’s in there. Similar efforts are being made in Singapore, Belfast in the UK, and Korea, among others. It’ll be interesting to see if these dedicated efforts will yield different results against the rising tide of transnational cyber-crime as technology progresses and criminals get more creative.

Sorry for the lack of an actual link (I assure you that this quote can be corroborated) but it has been stated fairly recently that cyber-crime and fraud have surpassed drug and weapon trafficking in earnings (or losses, depending on how you look at it) in the international crime scene. Clearly, this is an issue, but what is actually supposed to be done about this? How do you educate consumers who are too naive and trusting (some would say stupid, ignorant, and just plain deserving of what they get) to understand that the email you get from someone you don’t recognize telling you to click on that link and put in your PRIVATE CONFIDENTIAL INFORMATION is probably not trustworthy? Seriously, I mean when the head of the FBI is getting tricked by phishing emails only to be saved by his wife telling him that he shouldn’t be banking online anymore, where is the hope? (Here’s the actual transcript of the speech where he revealed himself as an almost-victim of phishing.)

Anyway. I feel like I’m falling into the classic blogging mentality of every post being a rant about all the idiots out there. I genuinely hope that this whole issue of the internet being a super-scary place is a generational issue, but with the stuff I see people putting on their facebook and youtube for everyone to see (yes, facebook info showing up in Google for everyone to see because your profile is set to full on public), the glimmer of hope is dwindling.

October 20, 2009

So what did I want to be when I was a little kid?

Honestly? In order:

  1. A dinosaur (A Triceratops, specifically)
  2. An inventor/mad scientist (still working on the mustache)
  3. That old guy on the PBS show Frugal Gourmet (ok, so the mustache thing is a recurring theme. So shoot me.)

Then I discovered Cheetos, Mountain Dew, and computers when I was a teenager and I wanted to be a hacker. I was so naive and earnest in my desire to become a hacker that my very first website was an AOL member’s page that I made from basic HTML begging some benevolent elite master hacker to take me on as an apprentice to educate me in the ways of hackerdom. I was clearly operating under the fantasy of masterful movies such as Hackers, and far too much caffeine.

Ok, so had enough quirky images pulled from Google’s image search? Well then let’s talk about how easy kids have it nowadays (shaking my old man cane)! The other day during my internship, I was looking for a lead on a story on a recent trend of botnets and clickfraud and all sorts of riveting internet deception. Me, being the subtle and sneaky individual that I am, googled “hacker forum” and came up with this surprisingly active gem: Hack Forums. The color scheme of acidic purple and green reeks of script kiddies and black-lit posters of The Matrix. You can practically smell the teenage angst.

However, lo and behold, there is actually a treasure trove of active how-to’s and tutorials for the average idiot teenager to go wreak havoc on whatever poor local system administrator of choice in their local high school or library! For example:
* Botnet Q&A
* The Absolute Basics of Hacking
* Professor 0110’s Web Hacking Class: An Exploit for Beginners Class 1

Seriously? SERIOUSLY? Where was this when I was trying to get arrested in high school? Oh well. The point is that this information is just sitting out there open for anyone to find, play around with, and get into trouble. The ease with which one can apparently build a botnet is shocking, let alone that there are people actively selling their services with pre-packaged botnets sitting on the store shelves ready for activation. There are more benign and informative threads such as “The Ultimate Guide to PC Security”, but frankly these are few and far between, with much of the forums dedicated to digital mischief and virtual mayhem.

The honest truth is that the site is largely dedicated to the demographic of skiddies, but a small percentage of these confused hormone-riddled terrors are going to end up doing some real damage and getting into some serious stuff if they end up really having the chops to code in C, SQL, etc. I had a friend get arrested and charged for playing around with Back Orifice back in high school, and from what I hear he’s selling stolen laptops somewhere in East Bumf*ck. And this kid has a bachelor’s degree in Computer Science! Anyway.

There are arguments for the necessity of these people operating on the fringes of internet morality to test systems and keep system administrators from getting too lazy and lax and prevent them from resting on their laurels presuming that everything is fine. However, what’s the deal with having technical schematics and plans for building IEDs on the internet for terrorists (domestic or foreign) to access? I’m pretty sure that’s pretty tightly controlled and regulated. Actually, I take that back. I just did a test query through everyone’s favorite search engine (that’s right: altavista!) and came across pretty detailed instructions (no pictures, but honestly I wasn’t looking that hard) on how to make a pipe bomb. Free speech, like it or not. Actually, I do remember it being a pretty cool thing to find copies of the Anarchist’s Cookbook online back in the day. (Wow, this blog post is getting way nostalgic and personal.)

However, hacking is the original sub-culture of the internet. Cyberpunks, honestly, have a special place in my nostalgic geek heart. They are the evil geek mythology of the computer world, where there are not dragons or ghouls, but caffeine junkies with orange stained finger tips and greasy glasses lurking in the dark corners of your nightmares. So, to get a bit more back on point: How many of these newbie hackers and skiddies actually turn into defenders against acts of virtual turpitude? Is it just some phase that they’ll pass through? Honestly, I believe (and am proof) that most never forget it and maintain this taste of the underbelly of the internet. Don’t get me wrong: I do not hang out on 4chan’s /b/ channel (though I do sometimes poke my head in to see what the most depraved minds allowed internet access in the world are coming up with, just to see what the atmosphere is in there).

Is there something to be said for taking these idle handed bored minds and educating them White Hat style? Shouldn’t we be cultivating them from the get go and not leaving it to the back alleys of IRC and Hack Forums to educate these kids? And really, these kids are the future of our potential cyber-offense teams that presumably foreign powers have been utilizing all this time! Actually, the good ol’ UK is rumored to already be employing zombie hordes of teenage hacker miscreants to defend their nation’s cyber-borders! My favorite line is:

It is entirely unacceptable that our security services and our government are broadcasting the message that the only qualification necessary for a job in MI5 is being a hacker (one bad enough to have got caught).

Alright. I’ve ranted at you for long enough. Go on your merry way and I’ll have something else completely asinine and rambling for you to stare at in a couple of days, making you wonder why you keep coming back around here, and seriously, what is that awful smell?

October 18, 2009

Cloud wall, wall cloud, bad puns, who cares

So I have unfortunately run into a bit of a wall on the whole policy ramifications surrounding cloud computing. I guess I thought that there was more to the whole thing than there actually is for non-computer science system administrator types. Not to say that it’s not interesting, but honestly, I consider myself fairly geeky and I don’t care much for the material right now.

That being said, I’m going to sort of lay off the cloud computing stuff and try posting just things that pique my interest as I come across them, and see if anything sticks when I throw it against the wall. No guarantees about the sophistication of what I bring up, but hopefully it’ll all be amusing to the 2 people who actually look at this blog (it would be a higher number, but I haven’t told my mother that I have a blog, nor do I intend to).

October 17, 2009

A Cloud Computing Glossary! How Handy.

For clarification on any terminology you’ve come across thus far (SaaS, Virtualization, etc.), I will refer you to this handy glossary of definitions in relation to cloud computing. Actually, read from top to bottom, it’s pretty informative, but by no means is it a full resource of information.

Interesting tidbit from the glossary: “The World Wide Web is the largest abstraction layer in IT — hiding the complexity of a global network with hundreds of thousands of specialized servers and arcane data behind search engines and hotlinks.” I don’t want to be jumping too far all over the place, but this definitely gets at some conversations we’ve had in various classes about the power of the internet and how most users don’t even know how it works, let alone that it isn’t some form of magic. Anyway, back to the cloud!

So, in a previous post I discussed the notion of public vs private clouds with the analogy of owning one’s own home versus renting an apartment in a high-rise building. There are of course advantages to both situations, but the overall perspective is that owning one’s own home is preferred, due to perceptions of privacy, security, and control. However, there is much to be said about an apartment situation where one shares common resources, maintenance costs are covered by the property management, and access and flexibility are greater than that of a private home in the suburbs. I don’t know why I like this analogy so much, but I feel like it is an apt model for describing the advantages of public vs private clouds, or more accurately, multiple-tenant versus single-owner models.

The cost advantages to not having to pay for your own infrastructure, flexibility/scalability on demand, and not having to maintain your own IT staff are highly attractive, and will continue to crop up as a benefit. However, a con to cloud computing that keeps cropping up aside from security concerns is the issue of “virtualization”. According to the handy-dandy glossary article:

Virtualization — as well as the cloud computing model within which it often runs — answer much of that need, by giving CIOs the ability to cover a week-long spike in demand by turning up the spigot on the computing power a business unit gets. A layer of virtualization software allows a bank of servers to share the available workload, and lets the CIO give a business unit 10% more storage capacity or compute power, rather than having to go buy completely new servers that add 10 times the required capacity. The mainframe-like miracle is abstraction — the ability to hide the complexities of a system from the end user while providing all the power and capabilities the user requires.

On page 2, under the “drawbacks” of cloud-computing, an analyst states:

“We say about virtualization that it’s hard to manage an environment where your applications are playing hide and seek and your hardware is lying to you,” Laliberte says. “It’s even more with clouds. You’re having to try to manage someone else’s hardware that’s lying to you.”

From a technical perspective, virtualization is a very complicated matter, I’m sure. However, the issue seems to be simply that the technology is not mature enough yet. With a few more generations, there really doesn’t appear to be any major obstacle to cloud computing becoming the dominant IT infrastructure for the majority of corporations and government offices. It is, if anything, the same kind of change as the one from a rural model of society to the population shift to cities and urban areas.

I know I keep drawing parallels between rural/suburban and urban/metropolitan living situations and the shift to cloud-computing, but the fact is that it is a better use of resources (both energy/eco as well as financial) for many companies, the same way that many see urban living to be. Of course, city/urban areas are known for increased crime due to population density, but this is something that can be mitigated by security standards and development. And as far as the commercial end-user, I don’t see why most anyone would need massive personal storage ever again once the cloud system has had the time to fully mature. Personal storage will be solely for personal copies of files to keep in safe-deposit boxes, much the same way that many conduct their financial transactions mainly through the internet. This post got kind of randomly rambly, and I apologize for that.

October 13, 2009

Cloud control and security

In this article from September, the issue of control versus ownership is examined with respect to information in the cloud. The author makes the following point:

Traditionally, control of information flows directly from ownership of the underlying platform. In the traditional security model location implies ownership, which in turn implies control. You build the layers of trust with the root of trust anchored to the specific piece of hardware. Virtualization breaks the link between location and application. Cloud (at least “public cloud”) further breaks the link between ownership and control.

Basically, the author’s main issue is that with public cloud computing, physical control over the location of the data is no longer synonymous with security (the word public in relation to cloud systems is one that we will discuss next). Sure, data is intangible, but at least we used to know that the location of that really important Excel spreadsheet on your computer’s hard disk drive meant that was where it actually was. However, now that all that data is in some Google Docs spreadsheet up in the cloud, who knows where it actually is and how secure it is?

The main issue is that with public cloud computing, the user is not in ownership, and therefore not in control, of the infrastructure on and over which data lives and travels. Public indicates that the cloud service provider is a multi-tenant solution (as is the case with the major players of Microsoft, Google, Yahoo, Amazon, etc) and therefore you are essentially dealing with the difference between being a private home-owner with a nice yard and driveway versus owning a sleek condo in a high-rise building downtown that offers great accessibility but you still do share a building, lobby entrance, and security guard with a bunch of unknown weirdos.

We can exert control and secure the information through a combination of encryption, contracts with service-level agreements and by (contractually) imposing minimum security standards on the providers.

So as my rough analogy sort of gets at, there is no reason that a condo in a high-rise is any less secure, but it definitely isn’t more secure than a private home, is it? I suppose that all remains to be seen.

In a related article that is linked through the opening paragraph, it is discussed how security is (maybe was, since the article is from April of this year?) one of the major issues delaying widespread adoption of cloud computing systems:

“One of the biggest security concerns about cloud computing is that when you move your information into the cloud, you lose control of it. The cloud gives you access to the data, but you have no way of ensuring no one else has access to the data. How can you protect yourself from a security breach somewhere else in the cloud?”

I hope to address this issue as we get deeper into the semester, but the overarching issues of cloud-computing seem to be that while it is cheaper to move into the cloud (no more owning infrastructure and paying the relevant IT staff associated with it), it offers less control and increases abstraction. It seems that until there is a unified system of security measures and process audits, there will be many CIOs ill-at-ease with the notion of cloud computing.

It's Hip to be Cloud

More from the recent backlogs of Ars Technica, with some proof of how trendy and popular the nebulous cloud concept is. In this case, an antivirus system is being touted as a cloud-based solution. I personally interpret it as the Web 2.0 solution to antivirus, with the solution being a large server-side sampling system that checks running processes on users’ computers and then informs everyone across the network of anti-virus subscribers in real-time.

This “Immunet” product sounds neat, and does address some standard problems with traditional anti-virus solutions: the age-old problem of keeping virus definitions up-to-date, resource-intensive applications, and the ever-changing face of malware making it difficult to keep up. Apparently this Immunet product will be able to not just compare viruses and malware against lists of known attributes, but will be able to check running processes’ good/bad characteristics. Who knows what this actually means, but the overall gist of the information I’m getting is that this is clearly an example of software trying to be sold utilizing the “cloud” buzzword. Especially when one sees that they still recommend running client-side anti-virus software, too.

Smells a little fishy.

October 12, 2009

Seeing the Future In the Clouds

I was digging through some not-the-most-recent articles Ars Technica had on cloud computing, to see if there was anything that could help flesh out my understanding of what is in the clouds, and maybe to get an idea of where things were going. I came across this pretty interesting system being discussed, offering the benefits of Peer-to-Peer (P2P), distributed storage, raid redundancy, and encryption. There’s a nifty little simple demo that demonstrates the capabilities of this service, and the whole thing is open-source, to boot.

In short, the system/service takes data and encrypts it into a secure file. That file is then split and distributed across 10 nodes (individual computers, in this case), where it is stored securely with the capability to reconstruct the data from only 3 of these individual files. The extra files are for redundancy and security, in a similar fashion to RAID storage arrays. It all sounds dreamy, but it is not a truly decentralized model, as it is dependent on a central node called the “Introducer”, which is how old nodes are connected to new nodes.
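The 3-of-10 split described above, as an added example that is not code from the project the article describes: a small Reed-Solomon-style erasure coder over GF(256). Each group of 3 consecutive bytes of the already-encrypted file becomes the coefficients of a polynomial, share x stores its value at x, and any 3 shares invert the resulting Vandermonde system to recover the bytes. The input blob is a constructed stand-in for ciphertext; the encryption step is assumed to have happened beforehand.

```python
"""3-of-10 erasure coding of an (already encrypted) file over GF(256).

Any K of the N shares rebuild the original bytes; the other N-K shares are
pure redundancy, like parity in a RAID array. This is a non-systematic
Reed-Solomon code: share x holds p(x) for the polynomial p whose
coefficients are K consecutive bytes of the input.
"""
from typing import List, Tuple

K, N = 3, 10      # reconstruct from any K of N shares
PRIM = 0x11D      # irreducible polynomial for GF(2^8); 2 is a generator

# Exponent/log tables so that multiplication is a table lookup.
EXP = [0] * 512
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= PRIM
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]


def gf_inv(a: int) -> int:
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    return EXP[255 - LOG[a]]


def gf_pow(x: int, e: int) -> int:
    r = 1
    for _ in range(e):
        r = gf_mul(r, x)
    return r


def poly_eval(coeffs: List[int], x: int) -> int:
    """Horner evaluation of c0 + c1*x + ... + c_{k-1}*x^(k-1)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(ciphertext: bytes, k: int = K, n: int = N) -> List[Tuple[int, bytes]]:
    """Produce n shares (x, payload); x = 1..n so every share is distinct."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    padded = ciphertext + b"\x00" * (-len(ciphertext) % k)   # pad to a multiple of k
    payloads = [bytearray() for _ in range(n)]
    for off in range(0, len(padded), k):
        coeffs = list(padded[off:off + k])
        for idx in range(n):
            payloads[idx].append(poly_eval(coeffs, idx + 1))
    return [(idx + 1, bytes(p)) for idx, p in enumerate(payloads)]


def invert_vandermonde(xs: List[int]) -> List[List[int]]:
    """Gauss-Jordan inverse of V[i][j] = xs[i]^j over GF(256)."""
    k = len(xs)
    m = [[gf_pow(x, j) for j in range(k)] + [int(i == j) for j in range(k)]
         for i, x in enumerate(xs)]
    for col in range(k):
        pivot = next((r for r in range(col, k) if m[r][col]), None)
        if pivot is None:
            raise ValueError("shares must have distinct x values")
        m[col], m[pivot] = m[pivot], m[col]
        inv = gf_inv(m[col][col])
        m[col] = [gf_mul(v, inv) for v in m[col]]
        for r in range(k):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [a ^ gf_mul(f, b) for a, b in zip(m[r], m[col])]
    return [row[k:] for row in m]


def reconstruct(shares: List[Tuple[int, bytes]], length: int, k: int = K) -> bytes:
    """Rebuild the first `length` bytes from any k shares (extra ones are ignored)."""
    if len(shares) < k:
        raise ValueError(f"need at least {k} shares, got {len(shares)}")
    if len({len(p) for _, p in shares}) != 1:
        raise ValueError("all shares must have the same payload length")
    chosen = shares[:k]
    inv = invert_vandermonde([x for x, _ in chosen])   # solve V c = y once
    out = bytearray()
    for pos in range(len(chosen[0][1])):
        ys = [payload[pos] for _, payload in chosen]
        for row in inv:                                  # row i yields coefficient c_i
            acc = 0
            for a, y in zip(row, ys):
                acc ^= gf_mul(a, y)
            out.append(acc)
    return bytes(out[:length])


if __name__ == "__main__":
    blob = b"opaque ciphertext bytes, constructed for this demo"   # constructed stand-in
    shares = split(blob)
    survivors = [shares[1], shares[4], shares[8]]   # seven nodes gone, three remain
    print(reconstruct(survivors, len(blob)) == blob)  # True
```

Two surviving shares raise ValueError rather than yielding a partial file: below the threshold a share reveals nothing about which polynomial produced it.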

Anyway, thought this was neat, and a nice solution to the larger central cloud data centers, considering that there are lots of people out there who don’t necessarily need something as large as conventional cloud computing systems are offering. This file system can even be run on an internal network in what’s being called a “hivecache”, as well as the more conventional “friendnet” that allows 10 internet-enabled computers to comprise a network of secure storage with filesharing capabilities.

October 09, 2009

Short-circuiting Silicon Valley (and even Hollywood, if you care for that sort of thing)

Fred: Are you ok.
Johnny Five: Functioning 100%. Perfectly OK, Derf.
Fred: It’s Fred.
Johnny Five: That’s what I said, Derf.
(courtesy of IMDB)

In a paper released last November but overlooked by many until this September, it was reported that a Chinese network analyst had discovered a major fault in the West Coast’s power grid. This discovery of the potential for a cascading network failure was built on models utilizing publicly available data!!! I mean seriously, WHAT?

Of course, there is the obvious issue of national security with China being to the United States government what most teenage girls would call a “frienemy” (alternative spelling: frenemy - a portmanteau of friend and enemy) (Google Image search)

However, the bigger issue is why did no one else ever pick up on this, especially after the massive power outage that rolled through the Northeast a few years back? Also, consider that the areas of concern are major centers of American culture and innovation and technology. Pseudo-disclaimer: I am not an overt national security nut, but this just smacks of leaving the front gate open and the key in the safe’s door. If Chinese researchers can figure this out, and have major interests in American technology (whether it be IP theft, innovation, R&D, etc) and defending their citizenry against our capitalist media industry, what could be better?

Anyway, while it is not completely clear if this attack could be carried out by means of a cyber-attack or if it would necessitate physical sabotage, the threat is there and DHS is definitely interested and addressing the matter. From what I am aware of, many power grids and stations are running on relatively ancient and specialized computer systems that are programmed in code/language that you would need the original blueprints of the system to alter and manipulate. It’s not as simple as finding the website for some power substation in California and clicking “cascading power grid failure” and guessing a password. However, the point is that these systems are still inter-connected, and need to be brought up to current safety and security standards before we find ourselves caught in the dark.

The Register has an interesting take on the matter, saying:

The Chinese study comes at a time of heightened concern about the robustness of power distribution networks. Reports in April suggested that spies from China and Russia had infiltrated the US electrical grid and planted malware that could sabotage key components.

Recent generations of SCADA (Supervisory Control And Data Acquisition) systems - used by utilities and manufacturing plants to control systems - are internet enabled, creating additional attack scenarios against power-distribution systems outside of physical sabotage. For example, exploit code against a particular SCADA vulnerability was published as a module within the Metasploit penetration testing tool kit last September. Network worms also pose a risk.

Reports of cyber attacks on utility systems that actually cause any damage are infrequent but not unprecedented.

Sounds scary.

If you want to get super geeky and look into the paper directly, you can find it here.

(BTW, sorry about the Johnny 5-ness, but seriously, if you don’t sincerely enjoy, love, or get a giggle out of any of the Short Circuit series, well I would suggest some sort of drastic action but mostly I feel sorry for you.)

October 08, 2009

Our government, who art in the cloud?

Well first off, let me state that I have a pretty good idea of what cloud computing is. At least as far as its implementation in the Google infrastructure (that is to say, Google’s entire infrastructure), and services like Dropbox which offer cross-platform data synchronization through the nebulous “cloud”. That is, of course, no indication that I am an expert and I have many questions about the future models of IT infrastructure.

So leave it to the obvious to say that the Government (yes, big G) is the last one to the tech table in most cases. However, the Obama administration has announced an initiative to start moving off of old redundant information infrastructure models over to a more dynamic, centralized, and green cloud computing model. The article linked above focuses on statements by the (federal) Government’s first CIO, or Chief Information Officer, a title given to the board-level head of IT in many companies who reports to the COO, or Chief Operating Officer. Vivek Kundra, the CIO of the Government, has indicated his backing of the cloud-computing initiative by pointing out that over $19 billion of approximately $76 billion allocated for federal IT expenditures is spent on infrastructure costs. He points out the typical redundant data-center model as the chief culprit of this high number.

Apps.gov, the GSA’s new online catalog for Government IT managers and CIOs to shop for cloud solutions, offers a neat little non-threatening flash video explaining cloud computing on its front page. The video mainly pushes the points of green/reduced carbon footprint, efficiency, and scalability yet states that cloud computing is still-evolving and may not be the solution for all government offices. This is of course a moderate approach to the revolution of a massive system of IT infrastructure, and honestly I’m sure that there are situations where a traditional cloud solution would not be appropriate.

Issues of security, accessibility, “sandboxing”, and many others are valid counter-points to the widely welcomed now-future of cloud computing. However, I do intend to examine both sides of the coin to be fair, and knowing weaknesses can strengthen anyone’s argument. Cloud computing is not without its failures, and one can easily imagine the small handful of times that cloud email systems have gone under or been compromised by hackers and nefarious cyber-crooks.

And, of course, when dealing with the big G federal Government, one can always account for bureaucracy for causing its own problems, too.

October 07, 2009

Delayed but not forgotten!

I’m sure whoever is reading this now has anxiously been awaiting the onslaught of opinion that is to be the basis of my blog, and for that, I apologize. I have a backlog of, seriously, over 60 different articles that are all relevant, interesting, and sometimes just plain neat to think about. Overall, I intend to cover the broad topics of cloud computing and smart grid/infrastructure security relating to IT. There are major policy implications in both, with the former looking to the future and the latter being a legacy system that is being converted to the present. So without further ado, here are my first victims of opinion.