U.S. Seeks to Shut Backdoors in Tech Products
As part of a comprehensive cybersecurity push, the U.S. government will focus on improving its network defense capabilities
and revamping acquisition rules to protect against malicious code installed during the manufacturing process of electronic
The National Cybersecurity Initiative, announced in January, will replace the government’s outdated network perimeter defense
system, officials from the U.S. Department of Homeland Security (DHS) and other agencies said at the cybersecurity conference
held last month by the Information Technology Association of America.
Cyberattacks have grown more sophisticated in the past year, says Melissa Hathaway, senior advisor for cybersecurity at the
Office of the Director of National Intelligence (DNI).
“We are faced with a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities and very weak
situational awareness at this time,” she says. “We see this as a growing economic and national security crisis.”
Government officials are increasingly concerned about hidden vulnerabilities and Trojan horses in commercial technology
products, says Paul Schneider, deputy secretary at DHS. The U.S. government needs to better protect its supply chain,
particularly when a growing number of tech products are produced overseas.
The U.S. government will work with private vendors to address those supply-chain concerns, he says. DHS is also looking at
implementing stricter acquisition rules for tech products.
There have been examples of credit-card point-of-sale machines stealing credit card numbers and passwords, Hathaway notes.
“We need to be more concerned about backdoors in the supply chain,” she says.
Another major concern is the U.S. government’s perimeter defense, officials say. The current perimeter defense scanner,
nicknamed Einstein, was launched in 2004 and is a largely passive monitoring system, Schneider says.
“Simply put, [Einstein] is a flow-management system that lets us know after we’ve been attacked,” adds Neill Sciarrone,
special assistant on cybersecurity in the White House.
Einstein protected a small percentage of the access points to the federal government’s networks, adds Robert Jamison,
undersecretary for national protection and programs at DHS. His agency is currently testing a new version of Einstein that
would protect all of the government’s networks, he says.
The long-term cybersecurity initiative will focus on several other issues, including better sharing of information about
cyberattacks and sharing government defense capabilities with private companies, officials say. The government also will work
on recruiting more cybersecurity experts to work for U.S. agencies and educating Internet users about vulnerabilities, they
Can’t Recall Your Password? Try This.
Our brains are littered with passwords from bank accounts, PINs, work e-mail, network log-ons, e-commerce and social
How bad is the alphanumeric clutter in our heads? The average person now must remember five passwords, five PIN numbers, two
number plates, three security ID numbers and three bank account numbers, according to research from Ian Robertson, professor
of psychology at the Institute of Neuroscience and School of Psychology at Trinity College in Dublin, Ireland. His research
found that nearly 60 percent of those studied felt they couldn’t remember all these numbers and letters. As a result, most
users create weak passwords or rely on technology to create or store alphanumeric data.
Robertson says that people can remember more information if they practice visualizing it. “We could happily remember two
dozen passwords using some fairly standard memory methods,” he says.
He points to one long-standing way to recall numerical-based passwords: visual imagery. First, create an easy-to-recall
rhyming word for each number of your password, one through 10. “One is bun, two is shoe, three is tree, four is door, five is
hive, six is sticks, seven is heaven, eight is gate, nine is wine and 10 is hen,” Robertson suggests. So if, say, your code
is 6329, you would first visualize a pile of sticks (for six), spread all around a tree (three), where a shoe (two) is
hanging on the tree, and a glass of wine (nine) is pouring over the tree. The same approach works for alphanumeric passwords.
“The first few times will be time consuming,” says Robertson. “But if you get into the habit, you could remember two or three
dozen visual images.”
Most IT Teams in Need of a Culture Overhaul
If it seems like your IT team works on an island all of its own making, a recent report by Forrester Research may
explain why. As many as 85 percent of those surveyed believe a firm’s IT’s culture differs from its overall culture.
Forrester analyst Marc Cecere estimated that IT department culture fails to jibe with overall corporate culture in about half
of all businesses. A distinct IT culture may evolve due to different ways of measuring success. However, Forrester says
problems can arise when the IT culture strays too far in any of three directions:
» Too IT-Centric or Fearful | When IT doesn’t have a healthy relationship with the business, it’s in danger
of forming an us-versus-them culture where IT hunkers down behind the technologies it manages and the problems it solves.
» Too Heroic or Autonomous | The danger here is a tendency to firefighting and working extreme hours to
solve problems. This can also lead to developing workarounds, rather than fixing the underlying issues.
» Too Bureaucratic | IT can isolate itself if it sets up too many formal processes for customers to follow.
Overly complex requirements can create unnecessary barriers between business needs and IT solutions.
So, how does a CIO go about overhauling IT culture? Cecere says to start by identifying the cultural gaps, examining
differences in decision-making styles and levels of risk tolerance. Strong leadership and clearly defined metrics will help
close those gaps, as will a network of people within IT who regularly share information with the CIO.
“It’s what I call ‘institutionalizing communication,’” he says. “It’s more than just communicate, communicate, communicate.
It’s actually being very disciplined and very organized about it.”
SSDs Are Hot, But Not Without Security Risks
Solid-state drives (SSDs) are becoming popular replacements for hard drives, especially in laptops, but experts caution that
SSDs aren’t as secure as commonly thought.
SSDs offer better data security than traditional hard drives but they do not completely erase data and are vulnerable to
physical hacks. The drives are gaining in popularity, particularly for use in laptops, because they consume less power and
access data more quickly.
But many SSDs use industry-standard NAND flash chips designed for cameras and MP3 players, so they have no physical security
hooks that prevent them from being removed from enclosures, says Jim Handy, director of Objective Analysis, a consulting
firm. A hacker could unsolder NAND chips from an SSD and read the data using a flash chip programmer. Once the data is read,
the files could be reassembled using data-recovery software. “There’s really nothing sophisticated about this process,” he
Another hack involves using an ultraviolet laser to wipe out lock bits—or encryption locks—from fuses on chips that secure
SSDs, says a chip hacker who prefers to be called Bunnie and runs the blog site Bunnie Studios. Data arrays from SSDs can be
read using standard means after the lock bits are wiped.
To lessen chances of hackers stealing data, encryption keys could be integrated inside the SSD controller device to handle
disk encryption at the hardware level, says Craig Rawlings, marketing director at Kilopass, a vendor of products using extra
permanent memory technology that stores keys in system-on-chip devices.
U.S. Border-Crossing Database Raises Concerns
A plan by U.S. Customs and Border Protection (CBP) to collect personal information on travelers coming into the country and
keep it in a database for 15 years could have huge privacy implications for U.S. residents, one privacy group says.
The Center for Democracy and Technology (CDT) says the plan raises serious privacy concerns. The proposal represents a “vast
scope of data collection,” because data wasn’t formerly kept for U.S. citizens crossing into the country by land, the CDT
In addition, the 15-year retention period for the data is “excessive,” wrote Gregory Nojeim, senior counsel at CDT. “It
cannot be justified as necessary for determining whether the record subject is admissible, or is dangerous or is the subject
of an outstanding criminal warrant,” he wrote in comments filed by the CDT.
The plan allows for the agency to share the information with other government agencies for a wide variety of reasons. In the
past, CBP could only share information when it became aware of a violation or potential violation of laws or regulations.
A DHS spokeswoman discounted the privacy concerns, saying the traveler database is not new. Border officials have collected
information on some travelers in the past, and this is an attempt for CBP to be more transparent about its
information-collection practices, says spokeswoman Amy Kudwa. “This is not something new,” she says. “We are not using the
information in a new way.”
CBP has also come under fire by privacy advocates in recent months for searches of laptops at U.S. borders without having
specific suspicions of criminal behavior. CBP and DHS officials have defended the practice of searching a small number of
laptops by saying it helps catch terrorists and other criminals.
What the New HP-EDS Means for You (and IBM)
Hewlett-Packard recently unveiled its multiyear plan to assimilate its purchase of IT outsourcing powerhouse EDS, which
involves 250 integration projects, nearly 10,000 integration milestones and the elimination of 24,600 jobs. The moves, HP
Chairman and CEO Mark Hurd says, will save the combined company $1.8 billion.
But what does it mean for customers of HP, EDS—or both?
Most layoffs will occur in EDS support positions, not customer-facing roles, the company claims. “The main concern for
potential customers is whether an announcement like this will have a chilling effect on the workforce that would normally
transfer from the customer to the provider,” says Edward Hansen, a partner in the business and finance practice of Morgan
Lewis & Bockius.
As a result, “Many clients will be asked to accept changes to elements of their service, be it personnel or delivery
location,” advises Mark Robinson, an executive director of outsourcing consultancy EquaTerra. “They should be mindful of the
contractual protections they have that will allow them to remain in control.”
Only time will tell if HP can successfully sync these two distinct corporate cultures. “With some 30-plus acquisitions under
its belt in the past three years, HP is treading on familiar ground,” says John Madden, research director for IT consultancy
Ovum. But “it will take six to nine months for the first real signs of progress from the integration to emerge.”
If the HP-EDS marriage lives up to its on-paper promise, the new company could offer outsourcing customers their first real
alternative to IBM Global Services. “IBM, for the first time, is facing a global competitor that will be able to match it for
both infrastructure and service capabilities in most, if not all, categories and geographies,” says Robinson.
However, an integrated HP-EDS may be bad news for customers who used both companies as competing service providers. “Those
customers will have to migrate over time to one or more other suppliers,” says Lowell Williams, EquaTerra’s head of human
resources advisory services, “to ensure this new 800-pound gorilla plays nice.”
Web Founder Aims for Truly Global Internet
Tim Berners-Lee, the inventor of the World Wide Web, plans to launch a new foundation focused on extending the capabilities
of the Web and bringing the Internet to all the world’s people.
The World Wide Web Foundation, scheduled to launch early next year, will “advance a Web which is open and free,” Berners-Lee
said at a Washington, D.C., event. The foundation will promote democracy, free speech and the freedom of users to access the
online content they want, he said. It will also push Web standards and interoperability.
A major focus of the foundation will be to provide Web access to the 80 percent of the world’s population that is not
currently online, said Berners-Lee, now a professor at the Massachusetts Institute of Technology. He acknowledged that the
goal is a “very big undertaking,” but said it’s important for the Web to benefit all of humanity.
The Knight Foundation will provide $5 million in seed money to help launch the foundation.