30 May 2007

IT Security Needs More Than English

A New York Times article on the DDoS attacks on Estonia earlier this month includes this paragraph. The attacks, of course, appear to have been launched by Russians in reaction to the removal of a statue of a Soviet soldier.
Though Estonia cannot be sure of the attackers’ identities, their plans were posted on the Internet even before the attack began. On Russian-language forums and chat groups, the investigators found detailed instructions on how to send disruptive messages, and which Estonian Web sites to use as targets.
This underlines a point I made in a paper last year about the discovery of the WMF vulnerability in December 2005. The discovery and exploits of the vulnerability appear to have been made by Russians, or at least Russian speakers, about two weeks before they became known in the West. What I wrote then remains pertinent:
Most of the discussion about WMF took place in English. Some of it was translated, but translation, understandably, took a back seat to ascending the learning curve—in English—and getting the information out in the easiest form possible, which meant English. This may have hindered the ability of users and sysadmins who speak English poorly or not at all to get the information they need. Given the growing number of users who do not speak English, that is a topic worthy of research on its own.

But another implication of this is that the blackhats can operate under the radar. Exploits of the WMF vulnerability were extant for about two weeks before they were made public—leaked—in an email message to an English-language list. What if the leak had not been made? Websense may have been on the verge of discovering the vulnerability that the exploits it saw were exploiting, but few others began to move until they saw that email and the Metasploit module was released. It could easily have been several days before the vulnerability was recognized. Almost assuredly, Microsoft would have held off a patch until January 10th, assuming that it knew enough to make one even then.

More broadly, how much is going on that we do not know about because the whitehat community as a whole has neither the language skills nor the predisposition to linger where blackhats talk in languages other than English? There are regions of the world where blackhats are developing exploits—writing them, testing them, using them—that may easily become global threats.

Businesses and governments in Europe and North America will be targeted by such exploits. We have some capacity to create an early warning capability that can try to learn about what is happening in hidden hotbeds of blackhat activity like Brazil, China, and the former Soviet empire. WMF showed a little about what can be done, with iDefense and Kaspersky in particular producing essential information about the origins of the exploits. But it also showed that a stronger capability is needed, either from companies like iDefense and Symantec, or from government. Unfortunately, the required combination of skills—linguistic and technical—is scarce.

29 May 2007

FBI Network Insecurity

The Government Accountability Office (GAO) released a report on an audit it conducted of security on one of the FBI's networks earlier this year. It found a number of problems, which is not surprising. The Bureau has made a significant effort to improve network security in the last few years, just as it has worked hard to improve its computer operations in general. To the Bureau's credit, the CIO, Zalmai Azmi, concurs with much of what GAO wrote. His disagreement with the report can be regarded as a matter of interpretation: "The FBI does not agree that it has placed sensitive information at an unacceptable risk...." The key word is "unacceptable," which is one of those words that looks different in the eye of each beholder.

The reaction of the FBI Public Affairs Office is another matter. The press release gives the impression that the GAO ignored vigorous efforts by the FBI to fix the problems. Indeed, the first paragraph gives the impression that the FBI was on top of the problems even before GAO looked at them. It was not. The awareness of security is growing at the Bureau, but the bureaucracy--renowned even in the Federal government for moving like sludge--makes it difficult to make bureau-wide improvements. Security policies are incomplete or poorly enforced. As the report states, patch management is ineffective. Again, as the report states, some of the prerequisites for effective security are not in place. A prime example is the absence of either an up-to-date risk assessment or a complete inventory of what is on the network. In short, the FBI knows neither what it needs to protect nor what it needs to protect itself from. Moreover, the monitoring capability, cited by the CIO as one of the improvements made in the last few years, is being dismantled. That is hardly the sign of an agency taking proactive steps to improve network security.

The progress the Bureau has made in recent years to secure its networks has been significant. Some strong measures have been taken; awareness of the need for security has spread, most significantly, among people working on the networks. What the GAO report points out is that much remains to be done. The risk may or may not be unacceptable. It is higher than it should be, particularly for an agency like the FBI.

13 May 2007

The Hopes and Dangers of Talking to Teheran

The ambassador to Iraq will meet with Iranian officials sometime in the next several weeks. It's about time. This was a recommendation made by the Iraq Study Group that should have been adopted long ago.

It shows that the administration recognizes that the United States and Iran may well have common interests in Iraq. It is not in Iran's interests, after all, to have chaos reign on its borders. There is a potential, therefore, for an agreement of some kind, an informal one, perhaps, that would have Iran help make the Maliki government stable rather than undermine it through aid to the militias of its Shiite allies.

Such an agreement is only a possibility, however. One can hope for it; one cannot expect it. There are three reasons for caution.

First, the talks discussed, if they are held, will be held at a low level with an agenda that has yet to be determined. The question of the agenda is one of the things that has held up talks so far, and the range of issues that divide Iran and the United States is wide. The ambassador, and his Iranian counterparts, one presumes, will have to bow to the dictates of more senior officials. Both the agenda and the seniority of the people at the table (or within earshot of it) can change if the talks continue. The point here is just that they add uncertainty to the matter.

Second, the interests of Iran and the United States are similar, but they are far from congruent. Iran would probably prefer that its Shiite allies rule in Baghdad. The United States should see that a government of all parties in Iraq would be more likely to last. The United States would be less likely to oppose allowing Kurdistan to be strongly autonomous or even independent than Iran would. Iran, after all, does have a significant Kurdish minority. But these are the kinds of things one has talks to find out.

Third, and most important, the United States has to assure the Kurds, the Sunnis, and the Sunni states of the Middle East that it will not acquiesce to a government dominated by Iran or its allies. That may be the greatest danger that these talks open up, particularly as the Maliki government has shown on many occasions that it has a proclivity to favor the Shiites over the Sunnis.

To avoid this, the United States will have to communicate clearly with the Saudis, the Egyptians, and others. It will even have to consult with them. And its actions inside Iraq, Baghdad in particular, will have to be perceived as even-handed. Achieving that perception is no easy task; efforts to achieve it may be perceived as favoring the Sunnis over the Shiites. That in itself could jeopardize the talks.

So, we have a welcome beginning, but the ending is not yet in the script.