Internet Dictatorship Begins in Singapore

A “new” system that records every move, stores all passwords and homogenizes software and that will control the net from 3 major hubs.

by John Markoff
NYTimes
June 25, 2011

A small group of Internet security specialists gathered in Singapore this week to start up a global system to make e-mail and e-commerce more secure, end the proliferation of passwords and raise the bar significantly for Internet scam artists, spies and troublemakers.

“It won’t matter where you are in the world or who you are in the world, you’re going to be able to authenticate everyone and everything,” said Dan Kaminsky, an independent network security researcher who is one of the engineers involved in the project.

The Singapore event included an elaborate technical ceremony to create and then securely store numerical keys that will be kept in three hardened data centers there, in Zurich and in San Jose, Calif. The keys and data centers are working parts of a technology known as Secure DNS, or DNSSEC. DNS refers to the Domain Name System, which is a directory that connects names to numerical Internet addresses. Preliminary work on the security system had been going on for more than a year, but this was the first time the system went into operation, even though it is not quite complete.

The three centers are fortresses made up of five layers of physical, electronic and cryptographic security, making it virtually impossible to tamper with the system. Four layers are active now. The fifth, a physical barrier, is being built inside the data center.

The technology is viewed by many computer security specialists as a ray of hope amid the recent cascade of data thefts, attacks, disruptions and scandals, including break-ins at Citibank, Sony, Lockheed Martin, RSA Security and elsewhere. It allows users to communicate via the Internet with high confidence that the identity of the person or organization they are communicating with is not being spoofed or forged.

Internet engineers like Mr. Kaminsky want to counteract three major deficiencies in today’s Internet. There is no mechanism for ensuring trust, the quality of software is uneven, and it is difficult to track down bad actors.

One reason for these flaws is that from the 1960s through the 1980s the engineers who designed the network’s underlying technology were concerned about reliable, rather than secure, communications. That is starting to change with the introduction of Secure DNS by governments and other organizations.

The event in Singapore capped a process that began more than a year ago and is expected to be complete after 300 so-called top-level domains have been digitally signed, around the end of the year. Before the Singapore event, 70 countries had adopted the technology, and 14 more were added as part of the event. While large countries are generally doing the technical work to include their own domains in the system, the consortium of Internet security specialists is helping smaller countries and organizations with the process.

The United States government was initially divided over the technology. The Department of Homeland Security included the .gov domain early in 2009, while the Department of Commerce initially resisted including the .us domain because some large Internet corporations opposed the deployment of the technology, which is incompatible with some older security protocols.

Internet security specialists said the new security protocol would initially affect Web traffic and e-mail. Most users should be mostly protected by the end of the year, but the effectiveness for a user depends on the participation of the government, Internet providers and organizations and businesses visited online. Eventually the system is expected to have a broad effect on all kinds of communications, including voice calls that travel over the Internet, known as voice-over-Internet protocol.

“In the very long term it will be voice-over-I.P. that will benefit the most,” said Bill Woodcock, research director at the Packet Clearing House, a group based in Berkeley, Calif., that is assisting Icann, the Internet governance organization, in deploying Secure DNS.

Secure DNS makes it possible to make phone calls over the Internet secure from eavesdropping and other kinds of snooping, he said.

Security specialists are hopeful that the new Secure DNS system will enable a global authentication scheme that will be more impenetrable and less expensive than an earlier system of commercial digital certificates that proved vulnerable in a series of prominent compromises.

The first notable case of a compromise of the digital certificates — electronic documents that establish a user’s credentials in business or other transactions on the Web — occurred a decade ago when VeriSign, a prominent vendor of the certificates, mistakenly issued two of them to a person who falsely claimed to represent Microsoft.

Last year, the authors of the Stuxnet computer worm that was used to attack the Iranian uranium processing facility at Natanz were able to steal authentic digital certificates from Taiwanese technology companies. The certificates were used to help the worm evade digital defenses intended to block malware.

In March, Comodo, a firm that markets digital certificates, said it had been attacked by a hacker based in Iran who was trying to use the stolen documents to masquerade as companies like Google, Microsoft, Skype and Yahoo.

“At some point the trust gets diluted, and it’s just not as good as it used to be,” said Rick Lamb, the manager of Icann’s Secure DNS program.

The deployment of Secure DNS will significantly lower the cost of adding a layer of security, making it more likely that services built on the technology will be widely available, according to computer network security specialists. It will also potentially serve as a foundation technology for an ambitious United States government effort begun this spring to create a system to ensure “trusted identities” in cyberspace.

U.S. Intelligence Weakening Internet for Takeover

As in other occasions, exercises are being conducted before full a takeover.  Will the next false-flag attack come to fruition on the net? The Cybersecurity Bill gives Obama the power to shut down companies and the World Wide Web as a whole.

1500 AM

In places like Arlington, Va.; Washington, D.C.; across the U.S. and around the world, a global cybersecurity exercise is underway designed to test the limits not only of the “network of networks,” but the ingenuity of the people charged with protecting it.

Welcome to Cyber Storm III.

This is the third time that the Department of Homeland Security, in conjunction with other federal agencies, is holding this global cybersecurity exercise. Previous Cyber Storm exercises were conducted in 2006, and again in 2008. For the first time, DHS will manage its response to Cyber Storm III from its new National Cybersecurity and Communications and Integration Center.

Normally, this facility, located in a nondescript office building in Arlington is classified and closed to the public. But the NCCIC recently opened its doors for an inside look to let DHS officials brief the media on Cyber Storm III, a worldwide cybersecurity response exercise that has been underway since late Monday.

Brett Lambo, the director of the Cybersecurity Exercise Program with DHS’s National Cybersecurity Division, is the architect, or game master for this global cybersecurity exercise.

“The overarching philosophy,” he told reporters in a recent briefing at the NCCIC, “is that we want to come up with something that’s a core scenario, something that’s foundational to the operation of the Internet.”

Cyber Storm III includes many players in places across the U.S. and around the world:

  • Seven federal departments: Homeland Security, Defense, Commerce, Energy, Justice, Treasury and Transportation.
  • Eleven states: California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas, Washington, plus the Multi-State Information Sharing and Analysis Center (ISAC). This compares with nine states that participated in Cyberstorm II.
  • Twelve international partners: Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, and the United Kingdom (up from four countries that participated in Cyber Storm II).

DHS officials also say 60 private sector companies will participate in Cyber Storm III, up from 40 who participated in Cyber Storm II. Firms include banking and finance, chemical, communications, defense industrial, information technology, nuclear, transportation and water.

Lambo said to preserve the exercise’s value as a vigorous test of cybersecurity preparedness, exact details of the scenario which participants will deal with over the next three days are secret. However, he did share some of the broad parameters of the scenario he helped write, and which he will administer.

“In other exercises, you do have specific attack vectors; you have a denial of service attack, you have a website defacement, or you have somebody dropping a rootkit,” he said. “But we wanted to take that up a level to say, ‘All of those things can still happen, and based on what you do, if you’re concerned about the availability of infrastructure, we can look at what happens when the infrastructure is unavailable.'”

Lambo said another way to look at the scenario is that it builds upon what they learned from previous exercises.

“In Cyber Storm I, we attacked the Internet, in Cyber Storm II, we used the Internet as the weapon, in Cyber Storm III, we’re using the Internet to attack itself,” he said.

Lambo added under normal circumstances, the Internet operates based on trust that a file, or a graphic, or a computer script is what it says it is, and comes from a trusted source. But what if that source was not what it said it was, or the source has a malicious intent?

“What we’re trying to do is compromise that chain of trust,” he said, in further explaining in broad strokes of the Cyber Storm III exercise scenario.

Lambo and his colleagues at the Cyber Storm control center also will introduce new, and hopefully unexpected conditions to the scenario to further test participants.

“We have the ability to do what we call dynamic play,” he said. “If we get a player action coming back into the exercise that is either different from what we expected it to be, if it’s something we’d like to chase down further, or if it’s something we’d like to pursue, we have the ability to write injects on the fly.”

He said those injects could include new attacks.

The Cyber Storm exercise will be conducted primarily using secure messaging systems like e-mail or text messages to relay intersects to participants and that the simulated attacks are not being conducted over a live or a virtual network now in operation on the Internet, he said.

For the U.S. government, Cyber Storm III also offers the opportunity to test the DHS’ National Cyber Incident Response Plan.

“We want to focus on information sharing issues,:” he said. “We want to know how all of the different organizations are compiling, acting on, aggregating information that they’re sharing, especially when you’re thinking about classified lines coming into the unclassified domain. There’s a concept called tearlining, in which we take classified information, and get it below the tearline, so that those without security clearances and get it, and act on it.”

The Cyber Storm III exercise is expected to conclude by Oct. 1.