[ISN] Software, Security, and Ethnicity

From: InfoSec News (isnat_private)
Date: Wed Dec 18 2002 - 01:45:37 PST

    DECEMBER 17, 2002
    By Alex Salkever

    The U.S. government's probe at software maker Ptech, owned by a
    Lebanese, has lots in common with the 1998 Wen Ho Lee case.

    The 2,000-mile distance from the stark high desert of Los Alamos,
    N.M., to the high-tech office parks of Boston's suburbs appears to
    have shrunk dramatically in the past two weeks. I'm referring to the
    cases of Wen Ho Lee and Oussama Ziade. Both represent the federal
    government's fears that moles could work their way into the U.S. and
    achieve positions of trust that they later use to harm national
    interests. Whether Ziade is in fact such a mole seems unlikely, but
    expect the scenario playing out in Quincy, Mass., where his company,
    Ptech, is based, to be often repeated as the war on radical Islamic
    terrorists ramps up.

    The connection between Lee and Ziade? Call it the ghost of Christmas
    past. On Dec. 23, 1998, Lee, then a computer scientist at Los Alamos
    National Laboratory, failed a polygraph test. He had been working on
    semisecret nuclear weapons programs, and the lie-detector results
    sparked FBI concerns that China had used Lee to steal sensitive U.S.
    bomb plans. The scientist's eight-month incarceration left a noxious
    taste in the mouths of thousands of U.S.-based researchers of Chinese
    nationality or Chinese descent who had to take polygraph tests at the
    U.S. government's behest. Lee walked free in the end, but the specter
    of electronic espionage by foreign nations and terrorist groups has
    loomed large ever since.

    COLLATERAL DAMAGE.  This holiday season, the FBI is on the case again,
    this time investigating Ptech, which makes software used to organize
    information by a host of clients including the U.S. Navy, the IRS, and
    many companies in the private sector. Ptech's CEO is Ziade, a Lebanese
    who has held U.S. citizenship for four years. Ziade, a
    Harvard-educated physicist, has a handful of employees of Middle
    Eastern ethnicity or family ties to predominantly Muslim countries,
    including Egypt.

    On Dec. 6, agents from the U.S. Customs Service and the FBI raided
    Ptech's offices as part of an investigation into whether the company
    has been used by a Saudi businessman now on the terrorism watch list
    to channel funds to al Qaeda. Although Ptech's software was not the
    initial target of the inquiry, as allegations built, Ziade found
    himself defending his product's integrity. Thus far, nothing untoward
    has been found in the software despite rigorous audits, and most
    experts discount any possibility that Ptech's code holds dangerous
    back doors that would allow unauthorized access to computer systems.

    As Lee found himself out of a job days before Christmas, Ziade may
    find himself in a similar situation. Two banks have closed Ptech
    accounts, the company claims. Several customers that were in the
    pipeline have told Ptech they would take a wait-and-see approach.
    "That's very difficult for a company trying to grow," says Greg White,
    an attorney representing the software maker.

    "CONTINGENCY PLANS."  To boot, influential information-technology
    consultancy Gartner sent out a note warning its clients to steer clear
    of Ptech software due to concerns that it might not survive the
    fallout from the publicity. Wrote Gartner on Dec. 9: "Regardless of
    the eventual outcome, the federal investigation will strain Ptech's
    finances and divert its management team. Ptech customers should
    prepare contingency plans, such as obtaining escrow rights to the code
    and evaluate other vendors."

    Of course, neither situation represents an entirely black-and-white
    case of overzealous government paranoia. Lee brought classified files
    home against Los Alamos' and Energy Dept. rules. And while U.S.
    Justice Dept. investigators have said Ptech's software holds no back
    doors or other intentional security flaws tailor-made for spying, the
    Saudi Arabian businessman now on the Treasury Dept.'s watch list may
    have had some ties to funding that Ptech received for its operations
    in 1994. White points out that the Saudi man wasn't on any published
    lists of people financing terrorism at the time of the investments.

    Washington now finds itself in a familiar but uncomfortable position.
    The Lee case upset many talented researchers of Chinese ancestry or
    citizenry who were working for the U.S. government. Demoralized by the
    scrutiny, many of them left jobs at federal labs rather than undergo
    polygraph tests.

    CREDIBLE THREAT.  By the same token, the Ptech affair has already cast
    a dark light upon the wide activities of Middle Eastern or Muslim
    computer programmers and software executives, many of whom are
    providing useful innovation to the U.S. and its allies. Witness
    Hossein Eslambolchi, the CTO of AT&T and holder of 87 patents who has
    played a key role in developing advanced fiber-optic data links.

    Still, the possibility of an insider threat is credible on multiple
    levels. Israeli software programmers, most of whom learned their trade
    while serving in the military, occupy high-level positions at numerous
    computer-security software concerns in the U.S. Gil Shwed, one of the
    most influential people in the firewall business and the founder of
    industry leader Check Point Software (CHKP), learned his trade in the
    Israeli Defense Force, and the company maintains research labs in
    Israel. Check Point declined to comment for this story.

    Likewise, former or current citizens of China have helped build some
    of the most sensitive information-security software in use today --
    such as Feng Deng and Yan Ke, the founders of red-hot
    security-appliance maker NetScreen (NSCN).

    HERCULEAN TASK.  Could some of these coders be operatives for their
    respective intelligence services and be willing to plant back doors in
    software? To date no such cases have been reported at Check Point,
    NetScreen, or any other company. And any smart CIO who buys big,
    custom software projects requests the source code before installing
    such products. But auditing the source code of any significant piece
    of software is now an expensive, Herculean task.

    The likelihood of back doors inserted somewhere for spying purposes
    will only grow as the U.S., Israel, China, India, and a host of other
    countries both friend and foe expand their digital information-warfare
    operations. These operations aim to exploit technological weaknesses of
    opponents to gain military or economic advantage, and might include
    hacking into secret systems or economic espionage. "Any sort of
    vulnerability that has been implanted purposely in software can be
    exploited by a foreign adversary with very broad and potentially
    significant consequences," says Michael Vatis, the head of Information
    Security Technology Studies at Dartmouth College in Hanover, N.H.

    Adding to the risk is the increasingly blurry geography of software
    development. In recent months, several leading tech companies --
    including Hewlett-Packard (HPQ), IBM (IBM), and others -- have
    announced they would move more research and software development
    offshore to India, China, or elsewhere. This compounds the existing
    problem in vetting the billions of lines of code that now make up the
    digital guts of the global economy. After all, few companies have the
    resources to do any serious background checks of employees outside the
    U.S., especially in countries where the reliability of government
    records is suspect, and the information often incomplete.

    TRUSTWORTHY CODE.  Also, while the U.S. government uses far stricter
    controls on software code in the military and other classified units,
    the boundaries between what's classified and unclassified are
    shrinking. To save money, the government is buying more off-the-shelf
    products. And info tech has standardized around the Internet and its
    XML protocols used to manipulate data. That means the differences
    between a word processor and a trusted security application are
    becoming less and less pronounced, making vetting issues all the more
    daunting. "The reality is the only code you can trust completely is
    code you wrote yourself," says Gary McGraw, chief technology officer
    of software-quality research company Cigital and author of the book
    Building Secure Software.

    That said, excessive paranoia on this issue could prove incredibly
    destructive to the U.S., chasing away valuable intellectual capital
    that the country sorely needs. The pendulum swung too far in that
    direction during the Lee case. And it appears to be swinging that way
    again with Ptech, given media coverage that has stoked fears of al
    Qaeda software moles, even though Justice has said no evidence for any
    exists at Ptech.

    So how to strike a balance without striking a chord of McCarthyism and
    rolling out the polygraphs? For starters, a priority must be placed on
    building automated tools to audit code for possible back doors. That's
    a major challenge, considering the amazingly complex algorithms
    involved in most software today, and no tools that can rapidly handle
    large volumes of sophisticated code exist today. However, researchers
    are looking at ways to build such tools, according to Dartmouth's
    Vatis, and progress could come quickly in the near future, thanks to
    additional dollars now being thrown at the cybersecurity effort.

    HUMANS NEEDED.  Another key step is not relying on any one company or
    product to protect computing infrastructures, according to Carl
    Landwehr, director of the Trusted Computing Program at the National
    Science Foundation. That runs somewhat counter to the trend of buying
    so-called security appliances that combine multiple programs on a
    single machine. But running several appliances should become less
    costly in the near future, and the basic security saw of "don't put
    all your eggs in one cyberbasket" is eminently sensible.

    Here's another key area that needs big improvements: actual
    on-the-ground intelligence. In a digital haystack, the dangerous
    needles may be more apparent to human brains that can follow a hunch
    and sift the information more effectively than even the slickest
    software tools.

    While Wen Ho Lee and now Oussama Ziade may shape the national security
    consciousness, the reality is that FBI mole Robert Hanssen, a
    seemingly normal U.S. citizen, did the most damage of any insider to
    date. For 15 years Hanssen turned over key U.S. intelligence
    information to the former Soviet Union and later to Russian
    operatives, exposing huge swathes of America's secret spying

    The inherent lesson is that high-tech spying, be it by foreign
    nationals or natives, will likely become a bigger problem. What's
    needed are better tools to detect these instances before they happen
    -- and less invasive ways to check the veracity of the code without
    singling out large groups of tech innocents who happen to have the
    wrong last name.