Built during the Great Depression, Hoover Dam is one of America's great historical landmarks. Security officials from Reclamation gave CSOonline a tour of the facilities in mid-September, showing us highlights of the various security programs. Securing the dam and providing a safe experience for the many visitors requires a robust security program.

The Art Deco concrete structure, located about an hour outside Las Vegas in the Black Canyon of the Colorado River and straddling the Nevada-Arizona border, was the largest hydroelectric generating station and the world's largest concrete structure when completed in 1936. Over 75 years later, Hoover Dam continues its multiple roles in flood control, power generation, and as a major supplier of water in the Southwestern U.S. The site is practically a city in itself, with its own police department and other security services. Guiding us was Peter Gregson, regional security officer for Reclamation's Lower Colorado Region. Some of the security procedures and systems designed to deter, detect, and defend the facility were visible; much of the security activity, however, is hidden. The tour began at the Hoover Dam Police Department in the Security Command Center, where the security staff monitors the various security, access control, and communications systems on a 24/7 basis. Gregson said many of the security controls, including the checkpoints and the command center, were instituted in direct response to the 9-11 terrorist attacks. In addition to the Hoover Dam police force, the dam employs additional contract security personnel to man vehicle checkpoints at the Nevada and Arizona entrance points.

Commercial vehicle traffic across the dam is restricted. At the checkpoints, U-Haul-type vehicles are allowed after a search is conducted, while semi-trailer trucks, buses carrying luggage, and enclosed-box trucks are prohibited from crossing the road atop the dam (that traffic is diverted south to a Colorado River bridge at Laughlin, Nevada). "Cars are searched on a random basis or if there is a reasonable suspicion," he said. The Hoover Dam police department partners with many of the neighboring law enforcement agencies. Security training and exercises for the police and security officers are conducted frequently, often with other federal and local law enforcement agencies, to familiarize them with the facility. "They conduct joint training with us," Gregson said.

Meanwhile, a new Hoover Dam Bypass and bridge is under construction, scheduled for completion next year. It will divert U.S. 93 traffic downstream from the dam. Once the bypass is completed, the road atop the dam will no longer be a direct route between Nevada and Arizona. The areas protected by the Hoover Dam Police Department and security staff are diverse, ranging from the road over the dam to the surrounding buildings, the tunnels within the dam itself, and the energy-producing machinery and the work spaces around it. Those managing dam security are bound by a host of government regulations and security standards, including Homeland Security Presidential Directives and the regulations and standards enforced by the North American Electrical Reliability Council (NERC). Under Presidential Directive 12, employee and contractor identities and suitability must be confirmed through background checks. "Everyone undergoes some form of identity verification and must display their identification badge when they are on the facility," Gregson said.

China's state-run news agency Friday started collecting questions from local Internet users for U.S. President Barack Obama, who is slated to speak to Chinese youth next week during his first visit to the country. Obama is scheduled to hold the session in Shanghai next Monday as part of a three-day visit to a country of rising economic and political influence worldwide. China and the U.S. have appeared to wrangle over the details of the dialogue session, such as whether it will be broadcast live.

China's Xinhua News Agency opened an online forum for users to submit questions and said the Web site would broadcast the event. Questions that appeared in the forum ranged in tone from innocently curious to accusatory and nationalistic. "China's total elimination of serfdom [in Tibet] in 1959 was identical in nature to Lincoln's abolition of slavery in the U.S.," one post in the forum read, repeating a comparison made by a Chinese foreign ministry spokesman at a press briefing the previous day. "Do you really understand our China?" another question read. "Mr. Obama, do you plan to meet with the Dalai Lama after leaving China?" Chinese officials often portray the Dalai Lama, Tibet's exiled spiritual leader, as a dangerous separatist, while he is usually seen as a peaceful religious activist in the West. Demands for greater religious and political autonomy in Tibet are among the most hot-button issues in China. Other questions were more personal. "What kind of Chinese name would you pick for yourself?" one post read. A representative at the U.S. Embassy in Beijing said a final decision on the format of the event still had not been reached.

Xinhua did not say if the event would also be broadcast on other Web portals or on TV. When asked earlier this week if the event would be broadcast, Ben Rhodes, a U.S. deputy national security advisor, told reporters that Obama hoped to reach as wide an audience as possible at the session but that details remained to be worked out, according to a transcript of his comments. Chinese leaders including President Hu Jintao have held rare online chats with Chinese Internet users in an apparent attempt to boost the government's image. Local Internet companies are expected to erase sensitive comments that appear on blogs or other parts of their Web sites and can face punishment for failing to do so. Chinese authorities heavily police the Internet for sensitive political content, pornography and other material deemed harmful.

Unisys is introducing a new service on Wednesday that will allow its customers to better manage, secure and support mobile devices carried around by employees, company executives said on Tuesday. Staff now expect to use their choice of devices anytime and anywhere, and this causes problems for CIOs around cost, the cost of support, and the security of applications and data, said Tony Doye, president of Unisys' Global Outsourcing and Infrastructure Services group, in a telephone interview. CIOs are concerned about corporate data "roaming the streets," he added.

The service framework for the new end-user productivity services will support Windows Mobile phones and BlackBerry devices, with support for the iPhone and other devices available in later releases. Some early-adopter customers, mainly in Central Europe, are already using the mobile-device management framework, he said. Currently organizations generally manage devices with specific technologies that only work with a specific platform, rather than with a consistent framework across a variety of devices, said Sam Gross, Unisys' vice president for global IT outsourcing solutions. The framework is managed by Unisys for customers, and the management and support of the devices is also done from the company's services delivery centers around the world, he added. Unisys is also offering access to standard office suites by subscription through a service called Virtual Office as a service from the Unisys Secure Cloud.

The new service will enable CIOs to reduce end-user costs by providing support for different devices, desktop PCs, applications and mobile data access through a mix of traditional, virtualized and secure cloud-based service delivery models, Unisys said. The Unisys Secure Cloud has technology that protects both data in mobile devices and in storage, using a combination of encryption and dispersion of data. "The model that we are delivering is server-side virtualization services, and in this situation the data never ends up on the end-point," Gross said. Unisys' Unified Communications as a Service, also delivered through Unisys Secure Cloud, offers Microsoft Exchange, Microsoft Office SharePoint Server and Microsoft Office Communicator applications in a multi-tenant environment. Unisys is also offering generic services such as the ability to destroy the image on a device if it is reported lost, he added. Besides offering these productivity applications, customers can also provide their employees with access to other applications running at the company, through the Unisys cloud, Gross said.

Google confirmed today that passwords for its free Gmail online e-mail service had been harvested by hackers, but downplayed the phishing attack as involving just a "small number" of accounts. Earlier Tuesday, the BBC reported that both Gmail and Yahoo Mail had been targeted by a large-scale identity theft scam, perhaps the same one that collected between 10,000 and 20,000 passwords from those services as well as from Microsoft's Windows Live Hotmail, Comcast, Earthlink and others. "We recently became aware of a phishing scheme through which hackers gained user credentials for Web-based mail accounts including a small number of Gmail accounts," a Google spokesman confirmed today in a reply to questions from Computerworld. "As soon as we learned of the attack, we forced password resets on the affected accounts. We will continue to force password resets on additional accounts if we become aware of them." Like Microsoft on Monday, Google today denied that Gmail had been hacked, and Gmail usernames and passwords stolen, because of a lapse on its end. "This was not a Gmail security issue, but rather a phishing scheme," said the Google spokesman. Google told Gmail users to change their passwords if they suspected that their accounts had been compromised. "If you can no longer sign into your account, you can regain access by answering security questions," the company added, referring to Gmail's single-question automated password reset function. Last year, a Tennessee college student was accused of breaking into former Alaska governor Sarah Palin's Yahoo Mail account by abusing Yahoo's similar reset tool.

Shortly after Palin's account was hijacked, Computerworld confirmed that the reset mechanisms used by Hotmail, Yahoo Mail and Google's Gmail could be exploited by anyone who knew an account's username and could answer a single security question. Microsoft, which acknowledged late Monday that passwords for "several thousand" Hotmail accounts had been hijacked by criminals, has blocked access to those accounts and has made tools available to users who have lost control of their Hotmail inboxes. Neither Google nor Microsoft, however, has directly alerted users to the possible danger by sending messages to Gmail or Hotmail accounts, respectively, or by posting a warning on those services. Phishing attacks are on the rise, according to the Anti-Phishing Working Group (APWG), an industry association dedicated to stamping out online identity theft. The APWG's most recent data reported that the number of unique phishing-oriented Web sites had surged to nearly 50,000 in June, the largest number since April 2007 and the second-highest total since it started keeping records.

The use of virtualization by cloud service providers to host virtual machines belonging to multiple customers on a shared physical infrastructure is opening up fresh data leak risks, a research report warns. The report by four researchers at MIT and the University of California at San Diego shows how vulnerabilities in cloud infrastructures could allow attackers to locate and eavesdrop on targeted virtual machines (VMs) anywhere in the cloud.

The attack described in the report was conducted against Amazon's Elastic Compute Cloud (EC2) service. But the vulnerabilities that enable it are generic and would likely affect other cloud providers, said Eran Tromer, a post-doctoral researcher at MIT's Computer Science and Artificial Intelligence Laboratory and one of the authors of the report. The report is scheduled to be presented at the Association for Computing Machinery (ACM) Conference on Computer and Communications Security next month. The research raises questions about a fundamental assumption about cloud computing: that data hosted in a cloud is relatively safe from targeted attacks because it is hard to know where in the cloud the data is located. According to Tromer, the research shows that it is possible for attackers to identify the physical server on which a targeted virtual machine is hosted in the cloud. The research also comes at a time when concerns are high about security and privacy issues related to cloud computing.

A virtual machine is an operating environment created within another, larger environment. A VM acts as a self-contained computer within a larger server, with virtual boundaries separating each VM from the others. Multiple VMs can run within one physical server. The multi-stage attack starts with mapping the internal cloud infrastructure to locate the physical server hosting a target VM. Much of the information needed to glean the location of a target VM hosted in a cloud is contained in the IP address and domain name for that particular machine, Tromer said. In the case of Amazon's EC2 infrastructure, for instance, analyzing the IP address of a VM can reveal details such as geographic region, as well as the availability zone or specific infrastructure segment it is on, he said. The attackers can then establish a rogue virtual machine on the same machine to go after the victim.

The IP address also specifies an instance type, indicating the amount of computational power, memory and persistent storage that is available to the virtual machine. In addition, VMs located on the same physical server also tend to have IP addresses that are close to each other and are assigned at the same time. The data gives attackers an idea of the parameters needed to establish a rogue VM on the same physical server as the target VM. They can then proceed to do this by instantiating new VMs until one is placed "co-resident with the target server," Tromer said. Attackers can significantly boost their chances of achieving "co-residency" by launching a denial-of-service attack against the target server and forcing it to expand capacity by adding new VMs. If the hackers simultaneously request new VMs of their own, their chances of getting one on the same physical machine as the target are significantly increased. According to Tromer, once an attacker gains access to the same physical server as the target VM, the attacker can monitor shared resources on the server to make highly educated inferences about the target VM. For instance, by monitoring CPU and memory cache utilization on the shared server, an attacker could determine periods of high activity on the target servers, estimate high-traffic rates and even launch keystroke timing attacks to gather passwords and other data from the target server, Tromer said. These "side-channel attacks" have proved highly successful in non-cloud contexts, so there is no reason why they should not work in a cloud environment, he said. "The basic vulnerabilities, such as architectural side-channels, are inherent to virtualization technology used by all infrastructure-as-a-service cloud providers," Tromer said.

What the research shows is that until cloud providers can guarantee impermeable partitions between virtual machines on a single server, customers should try as much as possible to avoid sharing physical servers with others in the cloud, he added. Amazon did not respond to requests for comment. But in comments made to the MIT Technology Review, a spokesman said that Amazon has already rolled out safeguards to protect against the mapping techniques described in the research paper. The company also refuted the notion that side-channel methods could be used to steal information from a VM on a shared physical server. In comments to the MIT Review, the Amazon spokesman said the researchers had tested such attacks in a "carefully controlled lab configuration that do not match the Amazon EC2 environment."

Symantec has updated its Data-Loss Prevention Suite so that if the software finds a data issue that needs fixing, it can apply third-party encryption and digital-rights management (DRM) controls to the problem. Announced today, Symantec DLP Suite v. 10 adds what's called the "Flex-Response" capability to find sensitive data that has been left unprotected in the enterprise and apply security controls through encryption and DRM products from vendors such as PGP, Oracle, GigaTrust, Liquid Machines and Microsoft.

Symantec is also publishing a set of open APIs and a software development kit (SDK) to facilitate support for security controls through additional products, says Rob Greer, senior director of product management at Symantec. "Suppose I scan a file server, finding information not secured, not encrypted. For remediation I could apply PGP encryption," Greer says. The data can also be brought under the control of various DRM products so there can be controls placed on viewing, printing or adding to content. Symantec DLP v.10, expected to ship in December, will have a workflow process that can alert managers to data that's out of compliance with corporate DLP policies; let them choose to apply encryption and DRM; and confirm that security policies have been enforced. Other changes in DLP Suite v. 10 are expected to tighten ties with other Symantec products. For instance, the updated version will be integrated with Symantec Security Information Manager for centralized collection and correlation of event and log data to determine security status. There will also be integration with Symantec's Control Compliance Suite for risk assessment of operating systems and applications. "You will get a full risk position view," Greer says.

Other automated actions are also being added to DLP v. 10 to allow interaction between Symantec's DLP and its flagship security software. Symantec has already begun adding ways to trigger policy-based DLP actions on its Symantec Endpoint Protection security software, such as "making [a desktop] a brick" if it's determined sensitive data is at high risk, Greer says. Symantec DLP v.10 starts at $25,000.