Cyber Security R&D Needs for DOE

In 2008 about 100 experts (computer scientists, technologists, cyber security practitioners, etc.) from Department of Energy (DOE) Laboratories, other Federal agencies, universities, and industry met in a series of public (and some classified, smaller) workshops to look at long-term research and development that would be useful to DOE (and ideally others), would harness unique DOE strengths and resources, and would "change the game" in terms of protecting information and infrastructure.

The report, A Scientific Research & Development Approach to Cyber Security, was presented to DOE's Office of Science in mid-December and published on their Advanced Scientific Computing Reserach website. We had it reviewed by smart people from industry, universities, and other agencies and there was strong consensus regarding the importance and quality of the plan. 

The plan lays out three focus areas in reasonable depth:

1. Mathematics: Predictive Awareness for Secure Systems.

Goal: Provide capabilities to examine system or network behavior to anticipate failure or attack, including real-time detection of anomalous activity and adaptive immune-system response.
Research: Develop mathematical modeling techniques for complex information applications and systems, enabling data-driven modeling, analysis, and simulation of architectures, techniques, and optimal response to threats, failures, and attacks.

2. Information: Self-Protective Data and Software.

Goal: Create active data systems and protocols to enable self-protective, self-advocating, and self-healing digital objects.
Research: Develop techniques and protocols to provide data provenance; information integrity; awareness of attributes such as source, modification, trace back, and actors; and mechanisms to enforce policy concerning data confidentiality and access.

3. Platforms: Trustworthy Systems from Untrusted Components.

Goal: Develop techniques for specifying and maintaining overall trust properties for operating environments and platforms.
Research: Develop approaches for quantifying and bounding security and protection, integrity, confidentiality, and access in the context of a system comprising individual components for which there are varying degrees of trust.

There is also (among other things) a table toward the end of the plan that compares various Federal agencies in terms of where one might optimally do this sort of research and where there might be good synergies between agencies.  I was a little nervous that our colleagues from those other agencies might feel slighted, but those I spoke with said it was a pretty fair summary.

CTOVision.com this week posted a thoughtful update on cyber security, The Future of Cyber Security and Cyber Conflict, with some useful links - it's worth reading for more information.

The Early Worm Gets the Bird

There is a pretty nasty worm going around and several folks have put excellent information out about it.  The worm exploits a problem Microsoft announced, releasing an update to fix it, several months ago. Some good information is available on this, so I won't duplicate it here.  Check these out for starters:

Quick overview - tech.yahoo   (Christopher Null)
Big Picture, thoughtful analysis, lots of links -   Gary Warner
Cleaning up -   eWeek (Brian Prince)

Argonne's Deputy CIO, Mike Skwarek, sent a note around to Argonne employees reminding them of best practices for keeping their home PC's safe - it's worth repeating.  It's pretty straightforward but sadly there are many (9 million and counting?) who don't practice even these simple steps:

As you may have heard in the news recently, the "Downadup/Conflicker"
virus has spread to over 9 million Microsoft based computers on the
Internet in the past couple of weeks.  This virus is very real, and has
the potential to spread even further if mitigations are not put into
place to stop the spread.  Systems at the Laboratory, are already
patched and well protected from this virus.  I would like to take this
opportunity to offer advice to each of you on actions that you can take
with your home Microsoft systems to protect yourself from possible
infection.

* Ensure that you are running up-to-date virus protection. 

* Ensure that you have Windows Update configured to automatically
install patches on your system.  The current virus spreads via a
vulnerability that was discovered in November of 2008.  Systems that
have not been patched are highly vulnerable.  You can manually run
Windows Update by clicking on Start -> Windows Update.

* It is recommended that home systems connected to either a Cable Modem
or DSL service be connected to a hardware firewall/router device.  These
firewall devices are often embedded in the device provided by DSL
providers, but in many cases are not with cable modems.  A
firewall/router can be purchased at any computer/electronics store for under $50.
Protections provided by the firewall/router mitigate the spread of this
virus as well as other network based attacks that are common place on
the Internet.

The recommendations provided above are just pieces of the layered
approach to Cyber Security.  If you have any questions, please do not
hesitate to contact <your friendly neighborhood cyber security team>.

It's also hitting just when Microsoft announced a layoff of 5,000 employees (about 5%) - let's hope they are not losing folks who are working to keep Windows secure...

Remote Monitoring

This is a sort of geek do-it-yourselfer post, amounting to a lot of tinkering that could be avoided if I were not so cheap, i.e. you can buy remote monitoring systems for a few hundred $.  But what's the fun in that?  (if you don't resonate with that question you can stop reading now!)

I've got a weekend house on a lake 2 hours from my home and need to monitor it in the wintertime because I don't want to turn off the water, drain the pipes, etc.  Partly this is because we do use it in the wintertime and don't want to have to spend a couple of hours each time unwinterizing/winterizing things.

Objective:  Find out (before the pipes freeze) that the furnace has gone out. 

Assumption:  The furnace will go out due to a power outage or furnace problem.

I've got good Internet connectivity but turned the wired phone off years ago (I had a nice solution with a radio-shack alarm dialer connected to a thermostat). I was checking on this place last weekend and when I arrived the outside temp was +15F and the furnace was acting up, so the inside temperature was +40F.  Time to restore remote monitoring capability. (here is photographic record of that cold night, during which Jonathan and I really wish we had had our sleeping bags)

I installed a self-contained webcam (not one hooked to a separate computer) that can tilt and pan.  More importantly, it can be set up to send email on a schedule or if it senses motion.  It's also got a GPIO interface and can do audio, which will provide for more fun tinkering later.  I plugged this into the LAN port in the back of my Apple Airport in the main area of the lake house and set some preset camera angles (you can also manually pan/tilt it).  One of the presets points at a heating vent in the ceiling, from which I hung a ribbon so I could tell if the furnace blower was on in case I saw the temp go down and wanted to do a bit of remote debugging.  Another preset points to a big, easy-to-read thermometer.

The cable modem, Apple Airport, and webcam are on a battery backup sufficient for, by my rough calculations, a couple of hours of operation. This is long enough to alert me if there is a problem.  

Now, it's been a cold winter and I didn't want to always be checking a webcam.  I want to get regular text messages with a link to a picture (and that would serve as a heartbeat telling me things are working).

So I set up an account at Mobypicture, a service I use to post pictures to twitter.  I created a twitter account for the lake house as well, linked to Mobypic. I have the camera email Moby every hour.  I'll adjust that later - but for now I want a fairly frequent heartbeat, especially given the outside temperature at this moment is +14F and not projected to stay above freezing more than momentarily over the next few months.

The webcam can't do SSL, so I could not use my gmail or mobileme accounts to send email from the camera.  Thus I created a free email account with a provider that doesn't require SSL (there are multiple; I used GMX, a German provider with huge customer base, i.e., stable).  So I email Moby as well as my gmail account.

So I can drop in and look around, given I don't have a persistent IP address from my service provider, I set up a dynamic DNS host for the camera using one of the free services (dyndns.com).

It's a pretty boring picture stream (especially with 2 copies of everything for the past day due to debugging, now turned off), but for completeness here is a link to it at Moby. 

I suspect by next winter I'll just buy a remote temperature sensor or something better (recommendations welcome), but this was a fun project to do with my 13 year old over the weekend.

Adoption Rates

I was trying to figure out how to explain what seems to be an increasing need for agility in terms of information infrastructure.  It feels like the arrival rate of new technologies, services, etc. is greater than it was a few years ago, even by post-web-explosion standards.

Searching some of my old presentations (like, 10 years old)  I found a slide, circa 1999, I had entitled "accelerating technology adoption."  The slide had a graph from "The Silent Boom" by Peter Brimelow that was published in the July 7, 1997 issue of Forbes Magazine.  My slide had a bad quality scan of Brimelow's graph, and the Forbes archive was text only, so I searched around and found something more up to date at Visualizing Economics (making a mental note to go back and explore that site in the near future as it looks very interesting!).

Take a look at a really cool graph of technology adoption in the US over the past century. (It would be very interesting to see a graph with curves for the rest of the world, such as regions where mobile communication leapfrogged laying down wires for electricity and telephony.)  At first I thought "oh, adoption rates are accelerating" but then I noticed that radio took off in the 1920's and 30's on an exponential that is clearly in the same league as the Internet.  It looks like electricity (and other things like mass production capabilities) was an enabler for rapid adoption of various technologies. For the next 75 years a number of technologies achieved exponential adoption rates similar to radio - not just the Internet but the VCR, color TV, microwave, or mobile phone.

The Visualizing Economics graph only goes to 2005 so it's just hinting at the conditions for the Internet-era of adoption that we see today, which I think is another shift in adoption rates.  The widespread availability of computers, mobile application platforms (G1, iPhone, Blackberry...), and Internet access means that one can adopt a new "technology" with a few points and clicks.  Using the same set of enabers word can spread much more quickly than in the previous era (I don't know how not to say that without understating it!).  I think we are seeing evidence of this new rate of adoption with social networks (and with stories like Animoto this adoption rate is fueling a whole new industry of various types of clouds). 

From what I can see searching (anyone got real data?) around for numbers, the largest and/or fastest growing social network services (including, not limited to, Facebook, Myspace, Linkedin, Plaxo, Twitter....) have grown to over 400M participants in under five years. 

I can't map this to "% of US households" to place it on the graph linked above because these are worldwide numbers.  The US Census bureau estimates just over 112M households in the US in 2009 .  It's hard to noodle around on the back of an envelope without concluding that the US portion of that 400M social network users has to be a big % of US households. 

Certainly the curve would be the steepest one on our graph.  That kind of adoption means you have to be pretty agile.  It makes even Moore's Law depreciation rates seem slow.

14-January-2009 - An update with some more data

According to Netpop Research, about 40 million people in the US are regular participants in social networks, where about 100 million people in the US are participating in some form of social network activity.  Their report is summarized at Marketingchards.com and includes a number of nice graphs.

This article from Techcrunch also has some good (albeit 6 months old thus quite dated!) data on both worldwide and US participation in social networks.

Phishing

Phishing is a common social engineering attack that attempts to trick a computer user into revealing his or her password, a credit card number, or other personal information.  Warnings about phishing mostly emphasize protecting your password (a good warning!) but there are important precautions you need to take before you get to the point of being prompted for a password.

Back up a step with phishing email.

Is this link legitimate?   If you get email claiming to be from your bank, an online vendor, or other institution and asking you to log in, make the assumption that it's bogus.  If you want to double check, then type the address for your institution into your browser - don't use the link in the email. (and if you take one of the web-based tutorials below you'll spot an attack and won't bother going to the site at all!)

Is this attachment safe? Even if you get an attachment (that appears to be) from someone you know, it can be a counterfeit.  Were you expecting an attachment from this person?  Is the email address for the sender correct?  Does it seem like an email you'd get from this person?  If you're not sure, then contact them before opening the attachment.

There are some very good, quick, and entertaining tutorials on phishing that I recommend you check out:

There is a Federal project called OnGuard Online that has excellent information and in particular a good primer on phishing at http://onguardonline.gov/quiz/phishing_quiz.html

Carnegie Melon University's Usable Privacy and Security (CUPS) Laboratory has a clever web-based training game, Anti-Phishing Phil, at  http://cups.cs.cmu.edu/antiphishing_phil/

Opening an attachment, or clicking on a link that downloads a virus to your machine, will not only put your computer and your information at risk but those of your coworkers as well.  Don't take the chance. 

Be paranoid.

Postscript 4/4/08: Interesting report at Ars Technica on an analysis by Symantec of targeted phishing/spam.

Postscript 4/7/08: A good set of links provided in a Wired How To article. If you are not shredding those free credit card applications you should!

Postscript 4/24/08: A Wired article on Trojan Horses.  "...While online criminal gangs are still seeking out suckers on the net with e-mail blasts to millions of addresses, the newest tactic is to send more targeted Trojans to a more limited audience."

Information Pollution

I've written about email filters in a previous post, but here I want to dig a bit deeper into the problem of information pollution.   At many organizations, including the Lab, email has become the default delivery mechanism for, well, everything.  Empowering employees is a good thing, and email does that.  But it has a dark side as well.  I find myself on hand-crafted mailing lists with 100 or more other employees, receiving frequent notices from people I've never met, about events that have no obvious connection to my work.  It's analogous to having an open mike policy on the PA system, at times bordering on Karaoke.

As part of the Digital Culture component of Argonne's Digital Laboratory Initiative (see the "DLI?" post) we've identified the management of information flow as one of the highest priority areas to improve digital life at the Laboratory.  By management I actually mean two things.  First, creating a discipline on the sending side of the equation in order to make it easier for the receivers to manage the information flow.   More importantly, I mean putting the control and management of information delivery into the hands of the receivers, including options for getting notification in other ways rather than email.    We can do this with existing technology, and it will start (perhaps in a counter-intuitive sort of way) by expanding the ways that you can choose to be notified! (the operative word is choose)

Channel 1: Email
The volume of email is too large to read each message carefully each day, or even to let them pile up and then catch up later.  We must make it easy for people to sort and scan email, dispatching some things while focusing on others.  As a receiver, I should be able to have a small number of rules/filters that assist me in sorting things by topic, source, importance, and urgency.  I should not have to add a new rule/filter each time I start receiving another set of notifications from the Lab.  Several things on the sender side will enable this:
    a) format the FROM and SUBJECT lines by function (e.g. "Training") and to enable sorting on a given incident, purchase order, travel request, etc.
    b) tag messages in a standard fashion to enable sorting according to 3-4 categories, ranging from "informational, no action required" to "immediate action required"
    c) message content (and subject) that is clear on the context of the message, without relying on acronyms or item numbers, and with web links for more information and for any action required.

Channel 2: Calendar
"Web 2.0" technology enables two essential calendar functions.  The first is that (using email or a web link) appointments, due dates, or To-Do items can be sent to an individual's calendar. Similarly, it is possible to construct topical and/or user-specific calendars that are accessed by "subscribing" to those calendars from Outlook or other calendar clients.  Many people prefer to have events or deadlines placed into their calendar, or would opt for a "work calendar" to which they subscribe.  Others would prefer to subscribe to a Lab-wide "important dates" calendar rather than getting email.  We must provide these options.

Channel 3: Really Simple Syndication (RSS)
Yahoo, Microsoft, Google, and others allow users to customize a web browser startup page with content from hundreds of available sources ranging from news headlines to local weather.  Each of these sources are "RSS feeds."  This is how many users keep up with the information that is important to them, and thus an RSS feed into their browser start-up page is the best way to reach these users.  It's trivial to convert a mailing list (such as we use to email a daily newsletter, periodic event announcement, etc.) into an RSS feed, opening up the possibility for these users to receive their Lab news where it is most convenient for them, and without cluttering their email inbox.

These options begin to put control into the employee's hands to ensure that information reaches them in the way that is best for them, which may or may not be email.  For those employees who are happy to receive their notifications only in email, the standardization of message formats in that channel will make it easier for them even if they do nothing, and especially if they can implement a few simple filters.

Our goal is to begin rolling out these options in the Spring of 2008.  Stay tuned.

Sending BIG files

Most email services, including the Lab, have a limit on the size of an email message that you can send.  Typically it's about 10 MB, though the Lab limit is currently higher than that.   But occasionally you may need to send a file that is, say, 200MB in size.  We have a service that lets you upload your file, then specify who you want to receive the file.  An email message with a unique URL is sent to the recipient, who can download the file by following the link.

You can send files to anyone (not just within the Laboratory).  There are of course other services like this on the Internet, but you may or may not want to entrust your files to a random website...

https://webapps.anl.gov/filetransfer/

DLI?

Argonne is pursuing something called the Digital Laboratory Initiative, or DLI.  Simply put, DLI is about applying information technologies to strategically enable the work of the Laboratory.  It's also about understanding how information technology might do more than enable, but actually shape the science and engineering that we can do at the Laboratory.

If you look on the back of an Argonne business card you read that we strive to be a place "where scientists and engineers come together to open up new possibilities for the future."  To be that kind of place requires many things, but a few stand out.   Very good people, efficient and customer-driven business processes, state-of-the-art infrastructure, and an environment that supports collaborations (coming together) and creativity (new possibilities).

We're approaching DLI in three main areas with these requirements squarely in mind, and with obvious synergy and overlap.  For each of the areas we've created a working group of individuals from around the Laboratory who can help evaluate opportunities and needs in order to set priorities.  In subsequent posts I'll detail each of the areas but here's the big picture.

Digital Science and Engineering - the work that we do.  This work requires state-of-the-art infrastructure, which combines high-performance (networking, computing, storage), persistence and reliability, and a commitment to anticipate demand in these areas as well as in capacity and functionality.

Digital Business and Leadership - facilitating the work we do.  The gold standard to which business functions are compared by end users (employees) is the Web, where services and products can be obtained easily, through intuitive applications, and with accountability for on-time fulfillment of requests.

Digital Culture - our work environment.  People do their best work when they can focus and this requires minimizing distractions from information pollution and ancillary (from the employee viewpoint) tasks.  Organizations do their best work when teams can self-assemble on timescales ranging from hours to months.  Catalysts for such self-assembly include an environment in which information, resources, and collaborators can be readily identified and accessed, along with flexible, intuitive collaboration tools and services.

More to come on these three components of the DLI.

How to save 30 minutes a week (or more)

I get about 200 email messages every day.   More than once in the past few months I've heard the question "didn't you see my email?"   Well, sure, probably....  but with the flow of information we all deal with every day it's a challenge to sift through to find the stuff I really need to read, and especially the messages that require me to actually do something, by a certain date.

I've been asking people around the Laboratory whether or not they "filter" their email, and it seems most people know that you can filter email, but few people (outside of technical staff) know how to set it up.

At the moment, I am using 36 filters, and I tend to update them a couple of times a year (it's been as high as 60 at times in the past, but I'm getting more efficient).   Eight of these filters just look at who the message is from and turn those messages a different color so they stand out in the crowd.  Most of the rest of the filters automatically place messages into folders.  I get lots of daily messages from various sources, and those go into a filter so that I can read them all at once.  When I get around to it.

You can save yourself a few minutes a day immediately with just two or three filters.   As you get more comfortable you can grow that and save more, but let me suggest two to get started.  These instructions are for Outlook 2003, which is the predominant email client at the lab.  Email me if you want help with another client!

Filter #1 - Move a newsletter into a folder.

1. While in Outlook email, find an instance of the newsletter.
2. Right-click on the message and select Create Rule from the menu that pops up.
3. In the dialog window, click the box at the top indicating that the filter should apply to all email messages FROM the sender of the newsletter.
4. In the dialog window, click the box in the bottom section indicating that the filter should move the message into a folder.
5. Press the "Select Folder..." button to the right of the checkbox and choose the folder you want to use to store the newsletter.

Filter #2 - put a red flag on messages from the Lab director.

1. While in Outlook email, find a message that comes from the Lab director.
2. Right-click on the message and select Create Rule from the menu that pops up.
3. In the dialog window, click the box at the top indicating that the filter should apply to all email messages FROM the email address of the Lab director.
4. Preess the "Advanced" button at the bottom of the dialog window.
5. There are many actions you can choose, one of which is "Flag the message with a colored flag."  Press the box for this choice.
6. In the bottom portion of the dialog window, click on the underlined text "colored flag" and choose the red colored flag.

The above filters are very simple, but if you've tried the instructions out you can see that you have lots of options and now can start filtering your email. You'll find good tutorials and help on the web for creating rules in Microsoft Outlook 2003 as well as other popular email clients such as Apple Mail and Thunderbird.

Be careful- the more rules you add the more complicated things get.  I'd like to strongly suggest three rule actions that you DO NOT want to take:

- Never use a rule to automatically throw a message away.
- Never use a rule to automatically mark a message as "already read"
- Never use a rule to automatically send a reply to a message

Need help?  Call the helpdesk- they can assist you. 

Be Yourself

Chances are your email address at the Lab was chosen by someone else when you were hired.  Did you know you can create email aliases, which are email addresses that deliver email to your lab email account?  This is handy if you want to tell people an easy to remember email address, i.e. your Lab login is  your last name, and no one can remember how to spell it.   My login (and thus main lab email address) is my last name, but you can also send me email as "cec" (which is easier to spell than my last name) or even "c" (which is perhaps not as easy, as you might think I mean "si!").

You can do this yourself- just head to this website:

     https://www.anl.gov/alias