SC Magazine recognizes five individuals for their tireless contributions to the IT security field in 2010.
The list is comprised of researchers from two academic institutions, a CISO for a chain of colleges in Georgia, a nonprofit executive who wants to secure software code and a 39-year-old who found happiness again in securing charities in Africa. Plus, three honorable mentions.
The Munk School of Global Affairs at the University of Toronto
Occupation: lead investigator, SecDev Group; senior research fellow, Citizen Lab, Munk School of Global Affairs
College: University of Toronto
Personal: married, one child
Accomplishments: technical investigations that led to the discovery of two cyberespionage networks, GhostNet and the Shadow Network
Ron Deibert and Rafal Rohozinski met 10 years ago at a Canadian intelligence conference at which the former was giving a speech. Six months later, the Ford Foundation funded their work. At the same time, Nart Villeneuve was one of Deibert's students at the University of Toronto, a rising star and technical wizard.
The three men forged a partnership that has prospered over the last decade, culminating with this year's eight-month-long investigation into the Shadow Network, a China-based spying operation that systematically hacked into personal computers in government offices, on several continents. They appeared on the front page of the New York Times in April and dramatically uncovered “the blurring of the line between cybercrime and cyberespionage,” Deibert says. Their investigation was a joint collaboration between several groups they have started and/or lead – Citizen Lab, a cybersecurity research group at the Munk School of Global Affairs at the University of Toronto; the SecDev Group, a computer security consulting and research firm; and the Information Warfare Project.
They were also joined by the Shadowserver Foundation, a volunteer group of security experts in the United States. The two other principals were Steven Adair, of Shadowserver, and Greg Walton, a former SecDev fellow at the Citizen Lab.
Over the years, Deibert, Rohozinski and Villeneuve have moved from issues, such as freedom of expression and controls placed on the internet, to how cybercrime, malware and botnets are now used by global criminal enterprises as acts of cyberespionage and cyberwarfare.
“We're not just specialists in technology,” Rohozinski says. “Our value-add has always been on the field research and contextual side.”
The Shadow Network report came out of their 2009 investigation of GhostNet, another alleged Chinese spy ring, which seemed to be using computer servers based largely on the island of Hainan to steal documents from the Dalai Lama, as well as corporations and government in more than 103 countries.
They had tracked several other vectors during the GhostNet investigation, and the second one was the Shadow Network. GhostNet released IP addresses and domain names, and as these were ready to expire, Villeneuve registered them, a process known as “sinkholing.” Put another way, Villeneuve followed “the rabbit hole” to its logical end.
“The trick is you can't control the information the attackers are going to give you,” Villeneuve says. “You have to wait for them to make a mistake.”
In this case, they did. The researchers suspected the new spy ring would again go after the Dalai Lama. Walton traveled to India and connected the network traffic from computers there with what was going through the sinkhole. They found where the attackers were storing what they were seeing. Villeneuve was able to access a temporary drop zone where he copied the files going through without the attackers noticing.
What was remarkable, and perhaps menacing in today's climate of advanced cybercrime, is that the spy ring's methods were not high tech, but relatively simple, says Rohozinski. “And yet it could generate such classified and sensitive information.”
By gaining access to the command-and-control servers, not only were the researchers able to know what kinds of materials were being stolen, but also to see their content.
They found classified documents from the Indian government and reports taken from Indian military analysts and corporations, documents from agencies of the United Nations and other governments, and a year's worth of the Dalai Lama's personal emails. Reports on Indian missile systems and the travel of NATO forces in Afghanistan were also among the documents stolen.
The investigators traced the attacks to hackers who appeared to be based in Chengdu, China. Even after eight months, they could not determine exactly who was trying to infiltrate the Indian government, though they suspected the Chinese government approved the spying.
Following the investigation, Villeneuve reported the botnets and locations of the servers to China's CERT, as is the protocol. Shortly thereafter the servers were shut down, though Villeneuve says they don't know who made the decision.
For Villeneuve and his colleagues, one major takeaway from their investigation was how the spy ring's malware networks were organized and operated through Web 2.0 programs, like Twitter, Google Groups, Blogspot and Yahoo! Mail. The attackers used the trust people have in social networking against them.
“As a collective society, we have backed into modes of communication that have a dark underbelly to them,” Deibert says.
In response to their investigations, the three men say they receive emails from other groups in the field of civil liberties whose computers are being attacked. As a result, they're in the early stages of a project to work with such groups as they had in Tibet. The New York Times called them “spy hunters,” and they agree there are more perps to go after.
Working on behalf of the censored and oppressed is a familiar refrain. In addition to their research, two years ago they spun out of the Citizen Lab a now-commercialized software called Psiphon that allows people to evade state internet censorship.
In the future, much of their work will have a home within the Munk School. The new Canada Center for Global Security Studies allocates large funds toward cyber research. Deibert is the director, and Rohozinski the first senior fellow.
“The three of us have had a great partnership,” Deibert says. “These new opportunities are very exciting.” – Ryan Goldberg
Occupation: chief information security officer at University System of Georgia
Accomplishments: former president, ISSA-LA; customer advisory board member, Symantec, Sun Microsystems and Absolute SW; expert witness, computer and data forensics
Higher education requires the free flow of information and ideas on some of today's fastest networks and servers. All too often, this intellectual exchange threatens the integrity of schools' computers and databases. But, the pursuit of knowledge fostered by higher-ed institutions still frequently trumps information security.
“We have some of the most sensitive information that any corporation or any military has,” says Stan Gatewood, the chief information security officer of the University System of Georgia (USG). At the same time, “You have to strike a balance,” he says. “Faculty understands things like knowledge transfer, rights to privacy, academic freedom.”
Gatewood has been like an Olympian gymnast in the ways he has balanced those often contradictory goals of information exchange and security. When he started his job, in August 2008, he inherited a disjointed security plan for the 35 public colleges and universities within the Peach State's system, all with varying degrees of risk and need. He righted the problem by implementing a centrally managed strategy.
“There was security before, but no one took the lead, no one shared the vision, no one understood the governance in the thing,” says Gatewood. “I became the glue and I brought it all together.”
Owing to its proclivity to remain as open as possible, academia is the sector most vulnerable to data breaches. According to Gatewood, about 20 percent of all breaches occur at institutions of higher education. In 2009 alone, there were 57 reported breaches, and through July, there have already been 32, according to Team SHATTER, a group of researchers at security vendor Application Security.
Like other major university systems, Georgia's institutions store millions of records of personally identifiable information (PII) and also highly sensitive faculty research for government, military and medicine.
With so much at stake, Gatewood takes a holistic approach to security. He says that he regularly is “building a culture of preparedness and awareness.” That's even the tagline of his emails. He has no shortage of metaphors to describe his job: evangelist, facilitator, teacher, researcher, leader, maestro. None of these are technical.
“Stan tends to be more strategic in how he views security,” says Larry Ponemon, who recently invited Gatewood to become a fellow at his Ponemon Institute. “He sees it as about trust and confidence. He basically works with the leaders in the university system so he's not just seen as a technical person.”
Gatewood was the CISO of the University of Georgia for five years before he was promoted to the top position of overseeing the state's entire higher educational system. His familiarity with the overall organization led him to call for an immediate inventory and evaluation of security policies. He sought executive support within the business, academic and institutional sides of the university system.
The first policy he developed was an appropriate-use policy (AUP), which notified staff of what is and is not allowed. He followed with password authentication, risk management and privacy policies. Then he instituted a security awareness program that requires all users on the system – other than students – to go through training at least once a year. In January 2009, the USG's Board of Regents passed additional computer-security policies.
Gatewood also took his message to campus. He gave lectures, multimedia presentations and podcasts, as well as handed out flyers, banners and buttons. His office now sends out a monthly newsletter meant to keep all USG employees informed of information security news in the organization and beyond. He has harnessed technology to educate students and staff about the risks and threats associated with that same technology.
“My job is to approach them with this risk and then step back and let them make an informed decision,” he says.
But, he didn't always have this tactful approach. In 1998, he became the University of Southern California's first CISO. Before that he had been an Air Force flight engineer in cryptography, followed by positions at AT&T and Bell Labs, where he worked on UNIX.
At USC, he learned that in higher education, a security officer doesn't carry a big stick. For example, he remembers a time that he warned a professor about security risks. “The professor undressed me in front of my colleagues,” he recalls. “‘Mr. Gatewood, let me remind you. I bring in excess of $75 million to this university every year in my research, my grants, my word. How much do you cost this institution to be here?,' he asked, rhetorically. ‘Who do you think they will let go first?'”
Gatewood learned that he can only recommend that a faculty member or student do something. His goal instead has become to educate. In January, he will launch his most ambitious idea yet: six information security courses required of the ISOs from all 35 colleges and universities. Gatewood also has invited the 88 ISOs from 119 state agencies, as well as others from 159 counties and municipalities in Georgia.
The two- or three-day courses include such topics as “information security and electronic privacy for state and local government” and “building an information security program in the public sector.” Gatewood designed the classes and will teach them. He hopes to mold a new generation of CISOs.
“This is what I've moved toward all my life,” he says. “I want to let them have what I know. I'm ready to give this to somebody else.” – Ryan Goldberg
Occupation: associate professor, University of California, Berkeley
Accomplishments: National Science Foundation CAREER award, MIT Technology Review award, Guggenheim fellowship, Alfred P. Sloan research fellowship, IBM Faculty award
When chip giant Intel dipped into its coffers in August and pulled out $7.6 billion to buy McAfee, a deal that bow-tied a flurry of acquisitions in 2010, analysts opined that future innovation in the security industry is at serious risk.
As the theory goes, the best innovation happens at the smaller IT companies, which have something to prove, favor quality over quantity and are not as beholden to boards of directors and shareholders. Now, one by one, these best-of-breed security firms seem to be falling by the wayside, eaten up by cash-rich tech stalwarts.
But one thing is for sure: Innovation is not dead yet. For proof, just drive an hour north from Intel and McAfee's corporate headquarters in Santa Clara, Calif., to the campus of the University of California, Berkeley, where Dawn Song and her team are hard at work developing advanced technology to protect computer users from the most sophisticated threats.
Song, an associate professor in the university's department of electrical engineering and computer sciences, recently was one of 23 people nationwide to earn the prestigious MacArthur “genius grant,” worth a cool $500,000. Best of all, it comes with no strings attached.
Song joined a sculptor, an astrophysicist, an American historian, a stone carver, a marine biologist, an indigenous language preservationist, a theater director, a jazz pianist and 14 others as MacArthur Fellows Program winners. The most famous among the elite bunch was television screenwriter David Simon, best known as the creator of The Wire and Homicide.
But if Song, who received her Ph.D. in computer science from UC Berkeley in 2002, has her way, her efforts may touch far more people than a TV program ever could.
Put simply, Song wants to design and develop technologies that augment computer security and privacy. But it is a little more complicated than that. Song seeks greater intelligence into the underlying behavior of computer systems, which enable her and her team to identify vulnerabilities, beyond specific programming flaws, to build defenses.
“It is deeper analysis,” she says. “We try to understand the semantics of the problem. The more you know about the systems, the more vulnerabilities you will be able to uncover. This will allow us to know much better the consequences of certain actions.”
Her signature project is BitBlaze, a part-open source suite of technologies that “enables a fusion of static analysis, dynamic analysis and symbolic reasoning techniques to provide a deep understanding of security-related properties of program executables.”
The platform permits the detection and diagnosis of bugs. “For example, the vulnerability in [a] system may only be triggered under certain conditions and you may not have seen this condition in the past,” she explains.
BitBlaze also can be applied to the analysis of and defense against malware, Song says. “BitBlaze pioneered the
area of automatic generation of vulnerability signatures, generating filters and protecting vulnerable programs against exploits even when they morph,” she says.
BitBlaze also develops new methods to combat malicious code, she adds.
“Its technology is one of the first to enable automatic discovery of vulnerabilities in botnet programs and protocols, providing a new arsenal to combat malicious code.”
One of Song and her team's next missions is to extend the BitBlaze functionality to medical devices and systems, which are becoming increasingly connected to corporate networks and the internet, thus opening them up to the same threats that traditional computers have been dealing with for years.
A sister project to BitBlaze is WebBlaze, which includes technologies that model and analyze the interactions of web application and protocol components with the goal of understanding their security.
“A lot of security issues come from the complex interactions,” Song says. “Anything you do, like loading a web page, there are so many steps involved.”
Meanwhile, privacy on the internet remains a hotly debated and still unsettled issue – from Silicon Valley all the way to floor of Congress. As users continue to hand over their confidential data to the custodianship of third parties, Song believes technology must be developed to safeguard users.
“In the past, I have worked on new cryptographic algorithms to enable search on encrypted data,” she says. “We are now designing and developing techniques that combine new cryptographic algorithms, privacy-preserving statistical methods, and trusted computing technologies to protect users' privacy and, at the same time, provide rich services to users.”
Song's MacArthur grant is not the first funding support she has received. Since 2003, she has been the principal recipient of $3.4 million in grants from the National Science Foundation (NSF), an independent government agency that promotes science and engineering.
“I think she's certainly been a stellar performer in her space,” says Carl Landwehr, program director for trustworthy computing at the NSF.
Song, whose undergraduate work focused on physics, says she was drawn to computer security because its impact is so broad and requires an understanding of many disciplines, including economics.
“And you have those creative attackers that keep your job interesting,” she says.
Song wouldn't comment on potential buyers of the technology, but admitted, “There's a lot of commercial interest in what we do.” Still, she has no plans to cease making a difference in the security space.
“I love my work and to me, life is about creating something beautiful,” she says. “So I will continue to innovate and create beautiful things.” – Dan Kaplan
Occupation: founder, Hackers for Charity
Personal: married, four children
Accomplishments: oversaw the creation of three computer classrooms and a community training center in Africa
By his mid-30s, Johnny Long was at the top of his career. He was a celebrated computer security expert, had written several notable hacking books, and was a sought-after speaker for TV and conferences. The only problem: He was miserable.
“There literally was nothing left,” he says. “I worked all over the world, got all the recognition and had hit the ceiling. I was scratching my head thinking ‘What do I do next?'”
Long, a vocal Christian, says his life changed after a two-week trip in 2007 to the east African country of Uganda. Children of the country made the biggest impact, he recalls. Many of Uganda's children are orphans who have AIDS and lack adequate food, clothing or shelter. Despite the incredible hardships they face, Long says that the children are genuinely happy and full of life.
During the trip, Long worked with the Ugandan charity organization AOET (AIDS Orphans Education Trust), where he helped with basic computer work – repairing machines, cleaning viruses and setting up a network printer.
At the end of the two weeks, he was told that his work would help save children's lives. The computers he fixed were used to store sponsorship information about donors who pay for schooling and medical care. Without those computers running properly, the children do not eat.
When he returned back to the states, Long couldn't get the faces and smiles of the children back in Uganda out of his mind. Wanting to be a part of something bigger than himself, he launched Hackers for Charity (HFC), a nonprofit organization focused on connecting those in the hacking community with charities that need technical computer skills.
“I started Hackers for Charity as a way to get people like me working on projects that could make a difference,” he says.
Over time, Long and his wife Jen's passion for the vulnerable east African region grew. Last year, they relocated their family to Uganda to focus on HFC full-time.
Over the past year, members of HFC have built three computer classrooms in African schools that normally would not be able to afford such resources. The computer labs have served hundreds of students throughout Uganda and Kenya, Long says. To expand their reach, members of HFC recently opened a community training center that allows individuals to receive free and low-cost information and communication technology training.
As high-speed internet spreads throughout the African continent, the demand for individuals with computer skills and training is becoming greater than ever, Long says. But many in the region do not have access to computers, let alone the resources for expensive training. HFC's mission is to provide those in underdeveloped countries with the relevant computer training and practical experience to climb out of poverty and support their families, Long says.
“It is about using technology as an empowerment tool,” he adds. “We are trying to raise the bar to give people technology and business skills that make a difference in their lives.”
For at least one young man, HFC has done just that. A few months after moving, Long met a 25-year-old Ugandan named Fred Mugisha who said he loved computers, but did not have one of his own. Mugisha said he taught himself how to repair laptops and would fix other people's machines for free in exchange for being able to borrow it for a week. Feeling compelled to help Mugisha, Long bought him a new computer with money from HFC donors. When Long got to Mugisha's house to deliver the computer, he discovered that the young man and his family did not have power.
Instead of giving him the computer, Long hired Mugisha as an HFC employee. “Today, he is the highest manager for HFC,” Long says. “He oversees all our programs and training and is a full-time employee in a field he absolutely loves.”
The work of HFC has, for the past three years, been funded by donations from corporations and individuals, Long says. Many within the information security community sung the praises of its leader.
“I view Johnny as one of us information security people that [is] doing good things,” says Jeremiah Grossman, founder and CTO of WhiteHat Security.
In addition, Stephen Northcutt, president of the SANS Technology Institute, says he is “amazed” by the work of HFC.
“We are at great risk of Africa being the lost continent,” Northcutt says. “The problems they have to deal with are over the top, and education is clearly one of their best survivor potentials.”
Although HFC has made great strides in Africa, more help is needed around the world and in the United States, Long says. “The hope is that this thing is just going to outgrow us,” he says. “I would love for this thing to take off and the security community to be able to say they had a hand in that.” – Angela Moscaritolo
Occupation: executive director of SAFECode and a partner at Good Harbor Consulting
Family: married, one daughter
College: Bachelor's degree from Holy Cross College and Master's degree in international public policy from Johns Hopkins University's School of Advanced International Studies
Accomplishments: facilitated the creation of the report An Overview of Software Integrity Controls
With the threat of cyberespionage often taking center stage these days, companies are growing increasingly concerned about the integrity of the software and hardware they procure.
The supply chain for information and communications technology is truly global, relying on parts and pieces from all over the world, says Paul Kurtz, executive director of the Software Assurance Forum for Excellence in Code (SAFECode) a nonprofit, industry-led effort to identify and promote best practices for more secure software, hardware and services. One weak link in the global supply chain could result in malware being installed on a widely deployed product.
SAFECode represents the first serious effort for companies to come together and be transparent about what they are doing to produce more secure code, says Kurtz.
“This topic is of interest to customers,” he says. “Government and enterprises want to understand how the industry is approaching this.”
As a former special assistant to the president and senior director for critical infrastructure protection on the White House's Homeland Security Council, Kurtz is widely known and respected within the cybersecurity industry. Because of his leadership with SAFECode, he is well-versed in software assurance best practices, enabling him to be an effective spokesman to industry and government, as well as advance the discussion about software assurance.
Last July, SAFECode released The Supply Chain Integrity Framework, a groundbreaking document that defines software integrity, chronicles its challenges and provides a comprehensive list of principles that should be applied to the commercial software supply chain process. The framework, which can be freely downloaded, addresses the sourcing (acceptance of code), in-house development and ultimate delivery of software.
Then this June, the group released a new report that offers recommendations for avoiding vulnerabilities in the software development process. The free report, titled An Overview of Software Integrity Controls: An Assurance-based Approach to Minimizing Risks in the Software Supply Chain, provides best practices for areas such as contract agreements with suppliers, source code repositories and confirming received goods are not counterfeit.
The documents were developed by SAFECode members, which include technology companies, such as Adobe, EMC, Juniper Networks, Microsoft, Nokia, SAP AG and Symantec. SAFECode is unique because its members are under a joint nondisclosure agreement, which enables them to share details of their software assurance efforts and then identify common approaches and themes that are industry best practices, says Steve Lipner, chairman of SAFECode.
“The depth of collaboration is pretty unique in my experience and this enables us to come out with documents that are especially useful, I believe,” says Lipner, who is also senior director of security engineering strategy for Microsoft's Trustworthy Computing Group.
And, while Kurtz stresses that representatives from SAFECode's member companies have done the “vast majority” of the work to draft and develop the software assurance best practices documents, his role has also been integral to the success of the organization.
“I think Paul's strength is a combination of his long experience and commitment to cybersecurity and his ability to bring the SAFECode members together to help them get to common ground,” Lipner says.
Kurtz was instrumental in the development of SAFECode's most recent paper, which outlines an assurance-based approach to minimizing software supply chain risks, Lipner says. The topic was challenging to work through because it deals with not just the technical aspects of secure development, but controls and practices within member companies.
During the development of the paper, there was a lot of back and forth among member companies as they tried to come to a common position about issues, Lipner says. Kurtz was able to pick up on impasses and bring those issues back to the board members to help facilitate an agreement.
“We were able to wind up producing a successful document that has gotten a lot of positive feedback from industry and governments around the world,” Lipner says. “Without Paul's leadership, we would not have been able to come to closure nearly as quickly and successfully.”
SAFECode's work has received a great deal of praise among members of the information security community. Lipner says SAFECode's supply chain report has been cited as an example of industry leadership and best practices in several government meetings he has attended in the United States and Europe. In addition, Kurtz says individuals who are developing proprietary software for banking institutions have told him they are finding SAFECode's work helpful and valuable.
“I am really heartened by seeing people come around the table to get stuff done,” Kurtz says. “If we aren't working together to think about how the bad guys are trying to target our software, they will continue to make tracks and have the upper hand over time. If we can establish best practices to stay ahead of the bad guys by thinking innovatively together, we won't have the losses of information that we do today.” – Angela Moscaritolo
Here are three individuals who may have missed the final cut but are well worth honoring for their worthy and dynamic contributions to the field of information security.
director of the U.S. Cyber Challenge
It is no secret that government and private sector organizations are in desperate need of skilled cybersecurity professionals. As the former federal CIO, Evans recognizes the need for cultivating this precious human capital. She now heads the recently launched, nonprofit U.S. Cyber Challenge, a series of boot camps held in various U.S. cities that seek to identify mostly college- and high school-age students who can aspire to help protect the nation's critical infrastructure from attack. The stated goal is to reach a previously untapped or underappreciated pool of candidates who may not otherwise have considered a career in cybersecurity. Less publicized is that similar efforts have been underway for quite some time in other countries, such as China, so the United States is long overdue with such an initiative.
Ph.D. student, researcher at Indiana University
Soghoian is one of the most prolific internet privacy advocates on the scene today. Last year, he authored an open letter, signed by 37 noted security and privacy experts, to Google's CEO, urging the company to encrypt its most popular services. In January, Google enabled HTTPS by default for Gmail users. But Soghoian still has issues with the internet giant. In September, he filed a complaint with the FTC that objects to Google sharing search query data with third parties. He also remains outspoken about other privacy dangers on the internet, including Facebook applications, government surveillance through the cloud and behavior tracking. “People type the most intimate things into search engines and other websites primarily because they think they're anonymous,” he recently told CNN. “They type in things on WebMD that sometimes they wouldn't even ask their own doctors... And in fact, we are not anonymous, these sites are tracking us.”
activist, former chairman of Authentify
Woodhill has made it his personal mission to end Automated Clearing House (ACH) fraud, which has victimized scores of small and midsize organizations to the tune of millions of dollars. At the very least, though, he wants Congress to pass a law that would reimburse these businesses if their bank accounts, typically hosted by regional banks or service providers that lack robust authentication and fraud detection capabilities, are hijacked by criminals to illegally wire out money. Woodhill won a small victory in the fall when his lobbying efforts helped convince Sen. Chuck Schumer, D-N.Y., to propose an amendment to federal Regulation E that would give municipalities and school districts the same liability protection for cyber looting that consumers currently have. The banking industry opposes such a measure.