Google attacks, Web 2.0 fuel FUD at RSA

Analysis: Both themes attract a lot of attention at annual security trade show

SAN FRANCISCO -- Fear, uncertainty and doubt is an integral part of the security industry. Vendors sell FUD, the media loves reporting it, and trade shows thrive on it.

So it's not surprising that the RSA Security Conference held here this week had vendors, analysts and assorted others serving up huge dollops of FUD.

But two themes in particular appeared to be fueling much of the trepidation at this year's show: the recent attacks against Google, and the change being forced on enterprise security models by the increasing adoption of mobile and Web 2.0 technologies by end users.

The attacks on Google and dozens of other high-tech companies, including Intel and Juniper Networks, by operatives apparently based in China have stirred a lot of emotions. Although there has been some discussion on exactly how sophisticated (or not) those attacks really were, the mere fact that even such technology-savvy companies could be compromised for an extended period of time is stirring considerable anxiety.

The attacks clearly appear to have convinced many in the industry that U.S. government, commercial and military networks are being systematically targeted in an escalating campaign to steal trade secrets and intellectual property. Many see the attacks as being state-sponsored and increasingly focused.

Off the record, some say that the attacks against Google were not really about merely stealing e-mail accounts. Rather, they see a more fundamental compromise of the company's networks at a time when it is migrating more corporate and government accounts to its cloud infrastructure. The fact that the company has asked for the National Security Agency's help and has threatened to walk away from China is indicative of a far more serious problem than has been acknowledged.

FBI director Robert Mueller gave voice to some of those concerns during a keynote address at RSA, where he warned about hackers making subtle changes to software source code in order to create a "permanent window" into a company's operations. Such changes, he said, were resulting in a bleeding of data and intellectual property.

Tom Kellerman, vice president of security awareness at Core Security Technologies and a member of a commission that developed a set of cybersecurity recommendations for President Obama last year, said it's time for the government to regard the problem with the seriousness it deserves.

Over the past two years, there has been a 200% increase in attacks against government targets. Global supply chains and the virtual networks behind them are also under constant attack, Kellerman said. Although the U.S. continues to host the greatest number of bot-infected computers, almost all of the servers controlling them are based overseas, he noted.

Dealing with the issue will require concerted action on the part of the U.S. government, and cybersecurity needs to become an item on the agenda at the next G20 summit, Kellerman said. The U.S. also needs to raise the issue at the World Trade Organization under the premise of IP theft, he contended.

It's crucial to stop thinking only in terms of deterrent action when it comes to eliminating hacker havens, Kellerman explained. Instead, a focus on using economic aid to help hacker-friendly countries improve their abilities to go after cybercriminals is also needed.

Robert Rodriguez, a former Secret Service special agent and founder of the Security Innovation Network, said it's time for the Department of Defense and the NSA to take a broader role in responding to such attacks. He said he suspects that there is no longer such a thing as a trusted supply chain and that many commercial and government networks are already penetrated and ready to be exploited.

It's important not to make any assumption about the real motivations behind such attacks just by looking at what's going on at the surface, Rodriguez warned. "Like the Statue of Liberty play in football, [these attacks] could be a kind of trick play," Rodriguez said. "We have to take the position that we are already compromised [when formulating a response.]"

Meanwhile, the growing ubiquity of mobile devices and the increasing adoption of Web 2.0 tools and social networking sites such as Facebook and YouTube also appeared to be fueling much of the FUD at this year's RSA. The main concerns appeared to be focused on the issue of users getting control over enterprise data in ways that were not anticipated a few years ago.

The growing use of smartphones and other mobile technologies -- some enterprise-owned, but many of them not -- to access and store enterprise data, for example, appeared to be a major concern. So too is the trend by many to use tools such as Gmail and Google Voice to access and store enterprise data.

There are considerable fears also of enterprise data being leaked via sites such as Facebook, LinkedIn and YouTube by users indiscriminately posting sensitive material there. "You need to be aware of the fact that users have more control over data," said Asheem Chandna, a partner at venture capital firm Greylock Partners.

Increasingly, "enterprise data is going where your users are going," Chandna said. Many of the tools that are being used to store and access corporate data don't support robust security features such as remote wipe technologies and data encryption, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

Copyright © 2010 IDG Communications, Inc.

  