Security roundup: Security concerns slam Google Apps rollout in LA; 760 companies and research institutions hacked?
- 17 December, 2011 06:28
The Los Angeles City Council has voted to halt efforts to bring the Los Angeles Police Department (LAPD) into the Google Apps services used by 17,000 other Los Angeles employees.
The LAPD portion of the $7.25 million contract with the city had been contentious for quite a while, with CSC, Google and the city of Los Angeles going back and forth on what security requirements there would be for law enforcement. Specifics were never laid down in the original contract, which didn't envision sensitive criminal justice information being sent through Google's cloud system.
But Google and the city couldn't agree on the additional security plans for the LAPD, and then the Los Angeles City Council, during its meeting the week of Dec. 12, "abandoned plans to move 13,000 law enforcement personnel to the Internet company's cloud-based messaging systems," according to the Los Angeles Times.
The LA Times writes that the council agreed "with staff analysis that the company's technology could not meet the security needs of crucial departments including police and the city attorney's office." In addition, city officials are quoted as saying Google "does not have the technical ability to comply with the city's security requirements" and that those requirements are "not currently compatible with cloud computing."
Google spokesman Andrew Kovacs told the LA Times that although Google committed considerable resources and "made a lot of progress," its proposed plan for security related to the LAPD didn't entirely meet with the approval of city managers. "They didn't accept our plan," he acknowledges. "We're disappointed that the City introduced requirements for the LAPD after the contract was signed that are, in its own words, 'currently incompatible with cloud computing.'"
He wouldn't elaborate further except to say that policies related to criminal justice information security, which generally are not made public, vary by jurisdiction and are subject to interpretation -- and LA had an interpretation that differed from Google's.
This is all certainly a blow for Google and it will certainly raise questions in other places considering cloud computing for law enforcement. But it's not that Los Angeles is unhappy in general with the CSC contract for Google Apps -- just this September it renewed the contract for the 17,000 city employees for another year, with an option for two additional years.
The lesson in all of this, says Gartner analyst John Pescatore in the LA Times article, is "look before you leap" and "buyer beware" and "you get what you paid for." Pescatore says, "LA should have asked about CJIS [criminal justice information services] compliance/certification before jumping onto Google mail."
760 companies and research institutions hacked?
It was a stunning declaration: 760 companies, ISPs and research institutions have been hacked by cyberspies from China during the past decade. That was according to a Bloomberg story out last week, which cited little more than "intelligence sources." The report cites a laundry list of targets allegedly hit, including iBahn, Intel, HP, Yahoo, Volkswagen, Boston Scientific and many more, plus Google, which in 2010 had disclosed it had been hacked and sensitive information stolen by an attacker that appeared to be in China. But is the Bloomberg article entirely accurate? One company, iBahn, responded to the Bloomberg story by saying it had "not found proof of any breach on the iBahn network," but it is "gathering all relevant information regarding this matter and will provide updates as soon as we learn more."
Meanwhile, The Wall Street Journal in its article "U.S. Homes In on China Spying" wrote, "U.S. intelligence agencies have pinpointed many of the Chinese groups responsible for cyberspying in the U.S. and most are by the Chinese military, according to people who have been briefed on the investigation." The WSJ goes on to say, "Armed with this information, the U.S. has begun to lay the groundwork to confront China more directly about cyberspying."
That article touched off a Washington Post editorial entitled "China's Cyberwar," which said, "Hackers mostly backed by the People's Liberation Army are daily trying to penetrate the computer systems of U.S. government agencies, defense contractors, technology firms, and utilities, such as power and water companies -- not to mention the private e-mail accounts of thousands of Americans." What to do? "This should provide an opportunity for the Obama administration to more directly confront the problem. It should demand that Beijing shut down military-backed groups; if it does not do so, they could be subjected to countermeasures, including sanctions against individuals," the Washington Post suggested. Also, Congress could consider legislation.
The only sanctions we heard about this week were coming from the Chinese government aimed at its own citizens on the 'Net. The WSJ reports the Beijing city government published rules Friday requiring users of popular Twitter-like microblogging services in China to register their real names with service operators, according to state-run media. The WSJ says the new requirement appears to impact Sina Corp.'s Sina Weibo service, with 230 million registered users. The new rules are said to ban material that might "disrupt social order," among other things. And in Moscow, where there have been massive protests by Russians accusing the Russian government of fraud in the last election, there are now suspicions that "Kremlin-affiliated technicians jammed the airwaves" during a rally to stop mobile Internet service, a charge denied by the Kremlin, according to the WSJ.
Ubiquitous surveillance from Big Brother
As the price of digital storage drops and the technology to tap electronic communication improves, authoritarian governments will soon be able to perform retroactive surveillance on anyone within their borders, according to a Brookings Institution report. These regimes will store every phone call, instant message, email, social media interaction and text message, along with the movements of people and vehicles and public surveillance video, and mine it all at their leisure, according to "Recording Everything: Digital Storage as an Enabler of Authoritarian Government," written by John Villasenor, a senior fellow at Brookings and a professor of electrical engineering at UCLA.
In other security news
- Microsoft announced it will begin automatic upgrades of Internet Explorer next year without asking the user's permission, as the current procedure does. The new IE automatic update process is likely to affect consumers more than businesses, which often have their own software-update processes. Microsoft argues its new IE automated update will be beneficial to security.
- Symantec raised an alert about a cybercrime gang that primarily targets companies in the chemical industry through a series of attacks involving malware-laden emails purporting to be from Symantec. Despite being publicly exposed by Symantec in October, the gang didn't give up on its plans, which have been dubbed the "Nitro attacks." The group's goals are to steal domain administrator credentials and gain access to systems that contain intellectual property. Although Symantec managed to take down the domain name used by the new command-and-control server and alerted the hosting provider, there is still an expectation that the attacks will surface again.
- Do we need data-loss prevention for printers and copiers? Canon U.S.A. argues that we do, and says it has devised a DLP and audit system for its multi-functional peripherals.
- When a New York City college preparatory school made the switch from Apple servers to Windows to support its base of 450 Macintosh computers used in classrooms, there were special security considerations related to authentication that it needed to address.
- Adobe released updates that it promised on Dec. 6 to fix software vulnerabilities identified by Lockheed Martin as a cause of zero-day attacks.