Wednesday, June 24, 2015

SECURITY - Software Code Cribbing

"Programmers are copying security flaws into your software, researchers warn" by Laura Hautala, CNet 6/23/2015

Many software developers are cribbing code, and its flaws, that someone else created. And the problem is only getting harder to keep up with.

It's easy to assume that hackers work way above our pay grade.  Electronic intruders must be able to exploit vulnerabilities in the software we use because they're evil geniuses, right?

That may be the case in some very sophisticated attacks, experts say, but in others, not so much.  Programmers -- the people who create the software -- don't write all their code from scratch, instead borrowing freely from others' work.  The problem: they're not vetting the code for security problems.

Working more as code assemblers than as writers, programmers are sourcing about 80 percent to 90 percent of the code in any given software application from third parties, many experts estimate.  Sometimes programmers buy code from other companies, and sometimes they use open-source code that's free for anyone to use.

The problem affects all software, which means everything from the mobile apps on your smartphone to your favorite website to the programs you run on your computer.  Everything except for the operating system on a device or computer is likely composed of building blocks of code rather than created wholly new, said Chris Wysopal, co-founder and executive at software security company Veracode.

The priority for all those highly paid programmers is speed, not security, Wysopal said.  His company, which assesses software for businesses, released a report Tuesday analyzing its own clients' habits when it comes to software use.

Veracode found 6.9 million flaws in more than 200,000 inspections of code used by its clients over the last year.  Those clients fixed 4.7 million of the flaws.  While in-house programmers likely wrote some of that code, industry numbers suggest the vast majority of it came from elsewhere.

"That's the trend -- to reuse as much code as possible," Wysopal said.  It speeds up production time and lets software programmers work on solving new problems instead of reinventing the wheel.

"Everything is good about that except for the inheriting-vulnerabilities part," Wysopal said.

Feds and flaws

Lowest ranking among the industries Veracode checked for security flaws was the federal government.  "Part of the reason for this is that the government still uses older programming languages," Veracode researchers wrote in the report.

That might not come as a surprise to those following news of multiple breaches of federal government workers' personal records, which compromised the Social Security numbers of millions of current and former federal workers and revealed sensitive personal information on everyone who has applied for a security clearance.

The problem of flawed source code is bad enough that Veracode has made a business out of checking software components for problems, and other companies are similarly offering to vet software components for those speed-hungry programmers.

One of those companies is Sonatype, and its chief technology officer, Joshua Corman, says he's on the side of the programmers hitting Ctrl-V, the keyboard shortcut for "paste."

Are programmers lazy?  No, Corman says, just efficient.

"The best way to put this is the time value of money," he said.  "You want to spend your unique talent pool on different problems."

Some companies are using services like Sonatype and Veracode, and some are hiring security "fellows" whose paychecks are dependent on finding security flaws in code.

Corman's company provides a repository of open-source code, but it also focuses on finding and eliminating problems in the code.  In fact, Corman went so far as to check out a major government project for flaws to see if it was vulnerable to hackers.

That project was Healthcare.gov, the website rolled out by the Obama administration to get people signed up for the health insurance mandated by the Affordable Care Act.

The website was notoriously buggy when it first went live, and Corman decided to look at the building blocks used by the government contractors who built it to see if hackers might have an avenue into it.

He looked at the third-party code accessed by the developers and concluded it contained some vulnerabilities.  But he wasn't sure if those flaws made it into the website's final code.  Nonetheless, this news alarmed lawmakers, Corman said.

Eventually, those lawmakers learned that federal law doesn't explicitly require software programmers contracted by the government to vet code they didn't write themselves.  A proposed fix to the problem -- a bill called H.R. 5793 -- would have required software developers to give the government a list of third-party code, assurance that all the code was free of known flaws, and a guarantee to fix any vulnerabilities that come up later.

Rep. Edward Royce (R-Calif.) introduced the bill in December at the end of the congressional session.  The bill never made it to a vote, and Corman said he thinks it might be better suited for an executive order.
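As an added illustration of the vetting the bill describes (this is not code from the article, Veracode or Sonatype): a check that matches a list of third-party components against a feed of known flaws and reports which inherited vulnerabilities would need fixing. The component list, the advisories and the ADV-EXAMPLE ids are all constructed sample data, and version matching is a simple dotted-number comparison.

```python
# Added example: vet a third-party component list against known advisories.
# All data below is constructed; the ADV-EXAMPLE ids are placeholders, not
# real advisory identifiers.

# Constructed component list: the "list of third-party code" the bill asks for.
SAMPLE_COMPONENTS = """\
# name version
libparse 1.4.2
netutil 2.0.0
imagecore 3.1.7
"""

# Constructed advisories: (component, first affected version,
# first fixed version or None if no fix is published yet, placeholder id).
SAMPLE_ADVISORIES = [
    ("libparse", "1.0.0", "1.4.3", "ADV-EXAMPLE-0001"),
    ("netutil", "2.0.0", "2.0.1", "ADV-EXAMPLE-0002"),
    ("imagecore", "3.2.0", None, "ADV-EXAMPLE-0003"),
]


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_components(text):
    """Read 'name version' lines, skipping blanks and comments."""
    components = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()
        components[name] = version
    return components


def is_affected(version, introduced, fixed):
    """True if version lies in [introduced, fixed); unfixed flaws are open-ended."""
    current = parse_version(version)
    if current < parse_version(introduced):
        return False
    return fixed is None or current < parse_version(fixed)


def vet_components(component_text, advisories):
    """Return (name, version, advisory id, fixed-in version) for each inherited flaw."""
    components = parse_components(component_text)
    findings = []
    for name, introduced, fixed, advisory_id in advisories:
        if name in components and is_affected(components[name], introduced, fixed):
            findings.append((name, components[name], advisory_id, fixed))
    return findings


if __name__ == "__main__":
    for name, version, advisory_id, fixed in vet_components(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES):
        remedy = f"upgrade to {fixed}" if fixed else "no fix published"
        print(f"{name} {version}: {advisory_id} ({remedy})")
```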

Other industries have problems with faulty source code, too, according to Veracode's research.  Retail and hospitality companies that use Veracode to vet their software had a poor track record with their efforts to encrypt data, for example.  Again, this isn't surprising news given the breaches of customer information revealed by major retailers like Target and the Home Depot over the past year.

The pace of software development is only speeding up, meaning the problem is harder to keep up with, Wysopal said.

"New languages and new environments to write code in are continuously being invented, and companies want to push software out the door as quickly as possible," he said.  But speed doesn't have to sacrifice security, he argued.

"They don't need to be mutually exclusive.  If you build security processes in or if you require vendors to build it in, you can still go fast," Wysopal said.  But, he noted, "It can't be an afterthought."

Monday, June 8, 2015

CYBER WARS - China vs U.S.

"With a series of major hacks, China builds a database on Americans" by Ellen Nakashima, Washington Post 6/5/2015

China is building massive databases of Americans’ personal information by hacking government agencies and U.S. health-care companies, using a high-tech tactic to achieve an age-old goal of espionage:  recruiting spies or gaining more information on an adversary, U.S. officials and analysts say.

Groups of hackers working for the Chinese government have compromised the networks of the Office of Personnel Management, which holds data on millions of current and former federal employees, as well as the health insurance giant Anthem, among other targets, the officials and researchers said.

“They’re definitely going after quite a bit of personnel information,” said Rich Barger, chief intelligence officer of ThreatConnect, a Northern Virginia cybersecurity firm.  “We suspect they’re using it to understand more about who to target [for espionage], whether electronically or via human recruitment.”

The targeting of large-scale databases is a relatively new tactic and is used by the Chinese government to further its intelligence-gathering, the officials and analysts say.  It is government espionage, not commercial espionage, they say.

“This is part of their strategic goal — to increase their intelligence collection via big-data theft and big-data aggregation,” said a U.S. government official who, like others, spoke on the condition of anonymity to discuss a sensitive topic.  “It’s part of a strategic plan.”

One hack of OPM, which was disclosed by the government Thursday, dates at least to December, officials said.  Earlier last year, OPM discovered a separate intrusion into a highly sensitive database that contains information on employees seeking or renewing security clearances and on their background investigations.

Once harvested, the data can be used to glean details about key government personnel and potential spy recruits, or to gain information useful for counterintelligence.  Records in OPM’s database of background investigations, for instance, could contain a complete history of where an individual has lived and all of his or her foreign contacts in, say, China.  “So now the Chinese counterintelligence authorities know which American officials are meeting with which Chinese,” a China cyber and intelligence expert said.

The data could help Chinese analysts do more effective targeting of individuals, said a former National Security Agency official.  “They can find specific individuals they want to go after, family members,” he said.

The trend has emerged and accelerated over the past 12 to 18 months, the official said.  An increase in Chinese capability has opened the way “for bigger data storage, for bigger data theft,” he said.  “And when you can gain it in bulk, you take it in bulk.”

The Chinese government, he said, is making use of Chinese companies that specialize in aggregating large sets of data “to help them in sifting through” the information for useful details.  “The analogy would be one of our intelligence organizations using Google, Yahoo, Accenture to aggregate data that we collected.”

China on Friday dismissed the allegation of hacking as “irresponsible and unscientific.”

Chinese Foreign Ministry spokesman Hong Lei said Beijing wanted to cooperate with other nations to build a peaceful and secure cyberspace.

“We wish the United States would not be full of suspicions, catching wind and shadows, but rather have a larger measure of trust and cooperation,” he told a regular news briefing.

OPM disclosed that the latest hack of one of its systems exposed personal data of up to 4 million current and former employees — the largest hack of federal employee data in recent years.

It is possible that officials as senior as Cabinet secretaries had their data exposed, a congressional aide said on a briefing call with government officials Friday.

U.S. officials privately said China was behind it.  The stolen information included Social Security numbers and performance evaluations.

“This is an intelligence operation designed to help the Chinese government,” the China expert said.  “It’s a new phase in an evolution of what they’re doing.  It certainly requires greater sophistication on their part in terms of being able to take out this much data.”

Barger’s firm has turned up technical evidence that the same Chinese group is behind the hacks of Premera Blue Cross and Empire BlueCross, which were discovered at roughly the same time earlier this year.

The first OPM incident has been linked to the health-care hacks by Barger and another security researcher, John Hultquist, senior manager for cyberespionage threat intelligence at iSight Partners.  Hultquist said the same group is responsible for all of them, and for other intrusions into commercial databases containing large sets of Americans’ personal information.

“They would leverage this data to get to diplomatic, political, military and economic intelligence that they typically target,” said Hultquist, who declined to comment on who was behind the attacks.

Though much Chinese cyberespionage is attributed to the People’s Liberation Army, these hacks, Barger said, appeared to be linked to the Ministry of State Security, which is a spy agency responsible for foreign espionage and domestic counterintelligence.

Other Chinese entities, including the military, may also be involved in the campaign, analysts said.

Chinese government hackers “are like a vacuum cleaner” in sucking up information electronically, said Robert “Bear” Bryant, a former top counterespionage official in the government.  “They’re becoming much more sophisticated in tying it all together.  And they’re trying to harm us.”

Security researchers have pointed to a cyber tool or family of malicious software called Derusbi that has been linked exclusively to Chinese actors.  One group that has used Derusbi is Deep Panda, a name coined by the firm CrowdStrike, which has linked that group to the Anthem hack.

Disclosed in February, that incident exposed the Social Security numbers, addresses, phone numbers, e-mail addresses and member IDs of tens of millions of customers.  No medical data such as diagnosis or treatment information was compromised, the company said.

Researchers note that in contrast to the hacks of Home Depot and Target, personal data that might have been stolen from OPM, Anthem and the other companies has not shown up on the black market, where it can be sold to identity thieves.  That is another sign, they said, that the intrusions are not being made for commercial purposes.

“Usually if there’s a criminally or financially motivated breach like that, we see the data making its way into the black market soon after that,” Barger said.

The big-data approach being taken by the Chinese might seem to mirror techniques used abroad by the NSA, which has come under scrutiny for its data-gathering practices under executive authority.  But in China, the authorities do not tolerate public debate over the proper limits of large-scale spying in the digital age.

“This is what all intelligence services do if they’re good,” said the China cyber expert.  “If you want to find a needle, first you have to gather a haystack of needles.”

The massive data harvesting “reflects a maturity in Chinese” electronic intelligence gathering, the expert said.  “You have to put in place structured data repositories.  You have to have big-data management tools to be able to store and sift and analyze.”

Barger said that “with a large pool of data, they can prioritize who is the best to target electronically and who is the best to target via human recruitment.”

The U.S. official noted that the Chinese “would not take [the data] if they did not have the opportunity to aggregate it.”  And, he added, “they are taking it.”

Thursday, June 4, 2015

TECHNOLOGY - Google's Gesture Control

"How Google's gesture control technology could revolutionize the way we use devices" by Conner Forrest, TechRepublic 6/3/2015

Soli, Google's new gesture technology, would allow users to interact with their devices without ever touching the device itself. Here's how it's poised to make an impact.

It seems like pop culture is obsessed with the idea of interacting with technology without actually touching a device to do so.  Movies such as Minority Report and Iron Man are the frontrunners in this -- the idea that the future of technology will be decidedly "hands-off."

That future could be coming sooner than we think.  Last week, at its annual I/O developer conference, Google announced Soli, a project that would allow users to interact with their devices using hand gestures performed near the device, without requiring contact with the device.

"Project Soli is the technical underpinning of human interactions with wearables, mobile devices as well as the Internet of Things," a Google ATAP (Advanced Technology and Projects) spokesperson said.

Soli was born out of Google's ATAP group.  It's a fingernail-sized chip that uses radar to read hand gestures and convert them to actions on the device.

So if a user were to touch his or her thumb to their forefinger, Soli would read that as a button being pressed.  Or, if the user slides his or her forefinger back and forth on the pad of their thumb, that could operate a slider to adjust volume.

Unlike cameras, which are used in other motion sensing technologies, radar has a high positional accuracy, and thus works better in this context than cameras would.  It's able to pick up on slight movements better.

"Radar is a technology which transmits a radio wave towards a target, and then the receiver of the radar intercepts the reflected energy from that target," lead research engineer Jaime Lien said in a video about Soli.

The radar waves bounce off of your hand and back to the receiver, allowing it to interpret changes in the shape or movement of your hand.  Radar is also important to the project, according to Soli team lead Ivan Poupyrev, because it can work through materials or be embedded into objects.

The technology is vaguely reminiscent of the theremin musical instrument developed in the 1920s by Léon Theremin, but much more intricate.  In the Soli video, Poupyrev mentioned that the technology could be used to interact with "wearables, Internet of Things, and other computing devices."

The potential for Soli in wearables is perhaps the most obvious use case so far.  Small screens make it difficult to select certain apps or features, and being able to perform gestures next to the device might make navigation easier and more intuitive.

According to 451 analyst Ryan Martin, it is important that a company like Google gets involved in this space because a project like Soli is important to the wearable and IoT ecosystems as a whole and it's important that it "be approached from a technology perspective, not a product perspective."

There are companies that focus solely on gesture-based interactions, but that can be risky and volatile as it will likely just be integrated as a feature.  Martin said that wrist-based wearables are actually less efficient if users actually have to touch them, and Soli could be a step forward in making them more efficient and usable.

Other potential use cases could be within connected cars or in the augmented reality (AR) or virtual reality (VR) spaces.  Imagine your Oculus Rift or Gear VR could support virtualized "hands" as another input without a third-party accessory.  Although, Martin said, it would probably work better as a complement to another input such as voice or touch.

Using Soli as an input tool is the glaring use case for now, but the project could provide value as an output technology as well.

"I think the killer application, or use case, long-term is going to be how to take this technology and have it be scanning around to provide context and enable automation that might not even necessitate gesture-based interaction, it might just happen," Martin said.

Gillette is one of many companies whose factories utilize high-speed cameras to analyze manufacturing processes and equipment to better understand when maintenance or repair is needed.  Soli could provide a similar service to advanced manufacturing facilities by consistently reading the machines and documenting their performance.

Time to market will depend on user experience.  As a device feature, Soli needs to be reliable and consistent or it will be detrimental to the partner brand or OEM that integrates it.

"Once the technology is able to meet that end, I think that's when we'll start to see it baked into products, but right now it's definitely in its development phase," Martin said.

According to the Google ATAP spokesperson, the company will be releasing a hardware and software development kit to developers soon.  If you want more information about Project Soli, you can contact the team at projectsoli@google.com.