Schneier on Security
A blog covering security and security technology.
« How did the CIA and FBI Know that Australian Government Computers were Hacked? |
| Euro Coin Recycling Scam »
April 12, 2011
Israel's Counter-Cyberterrorism Unit
You'd think the country would already have one of these:
Israel is mulling the creation of a counter-cyberterrorism unit designed to safeguard both government agencies and core private sector firms against hacking attacks.
The proposed unit would supplement the efforts of Mossad and other agencies in fighting cyberespionage and denial of service attacks.
Posted on April 12, 2011 at 2:06 PM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Agreed. Not sure what to make of that. We know Israel is hotbed of independent hacking as well as computer security technology companies, many funded by the military.
Apparently they've been mostly interested in exporting that technology and spying on the rest of the world so much they didn't think they could be the victims.
Probably someone pointed this out as a result of the Stuxnet attacks and then the Iranian compromising the certificates. "Oh, wait a minute! Iran has hackers, too! We need a counter-cyberterrorism unit before they retaliate against us for Stuxnet!"
Not sure how they intend to stop/fight a DoS. In the case of a DDoS attack the likes of what Anonymous unleashes, how would they be able to go after every attacking system/network? Retaliation is more likely in this situation.
I would assume that those govt. agencies already would work on any significant private attacks. This could just be the sort of bureaucratic sniping that we see here.
I'd say it's an effort to say "look over here" while the real and pre-existing cyber unit keeps doing its work as normal.
Isn't that what you'd do yourself?
Any sniper creates a fake, and more easy to spot hide, than the one he shoots from to give the enemy the satisfaction of something to shoot back at, and the fact that the fake hide doesn't shoot back at the enemy anymore makes them think they killed the sniper.
That's pretty basic. Capt McBride wrote about in WW I, and it's part of the basic training even for spec ops grunts, much less the hyper secret types.
A more acceptable front-end for existing Mossad operations ? With an increasing number of actors establishing such agencies, some may have (political) issues collaborating directly with a shady and ill-reputed organisation such as Mossad. A comparison with IRA and Sinn Féin comes to mind.
Another reason could be some internal Israeli c*ck fight with certain factions not being happy with the current Mossad strategy and operations in this domain.
Of course they already had one, this probably just means they're now big enough to need an official budget or some other financial/legal consideration.
UK created Stuxnet to support Cybersecurity in the Strategic Defence and Spending Review of 2010.
It seems certain commenters here think Israel is some kind of cult where everything is done under the surface and appearances are just to deceive.
Israel is a parliamentary democracy, and as such has its fair share of bureaucracy. Couple that with a vigorous private and public sector, and you have an environment that, if you want to cyber-protect at a national level, you need a specialized agency, and not just a Mossad, Shabak or whatever unit.
Is anyone here experienced with online secure data room hosting, specifically with secure data rooms hosted for M&A activities?
They make a big deal out of their data security, but what about the meta data, such as, temporal pairing of IP addresses accessing the site?
Sounds like a veritable gold mine for those even marginally skilled in the art of information inference!
I guess it's just the season to launch these things:
When I read about the new (2011) German “National Cyberdefence Centre” I thought, hey, isn't the “Federal Office for Information Security” supposed to do that kind of stuff since 1991?
On a related note, does anyone still use the term “cybernetic” without relaying it to crime and terrorism?
@Ran: "and you have an environment that, if you want to cyber-protect at a national level, you need a specialized agency, and not just a Mossad, Shabak or whatever unit"
Coming from someone with an Israeli name, that comment strikes me as naive in the extreme. Being secure against a threat which most Israelis currently do not think is serious is going to be impossible, considering that Israeli culture is such that in this situation, the average Israeli will most likely totally ignore (or even, actively bypass) any security advice or infrastructure which this unit dishes out.
"Not sure how they intend to stop/fight a DoS. In the case of a DDoS attack the likes of what Anonymous unleashes, how would they be able to go after every attacking system/network? "
Depends on the target. This isn't Hostgator we're talking about... many machines can afford to plain disappear off the public web (even if, for some obtuse reason, they haven't already).
Secure computing needs to start at the foundation with companies such as Microsoft and Cisco. By the time the problem goes to a cyberterrorism agency at best it's like installing a patch and at worst it provides an illusory sense of security.
"many machines can afford to plain disappear off the public web"
That isnt a defence against a DoS attack, its the effect of it.
"Secure computing needs to start at the foundation with companies such as Microsoft and Cisco."
You are missing a lot, once long ago befor the chips in COST were made in China etc then yes.
However if you are looking for real APT you are going to have to not just lift the bonnet to see what's wrong, but tke the top ot the engine and get a real close look at the crank and rods.
The simple fact is as bad as it sounds all the bugs in the Software are just low hanging fruit that are primarily used by various Eastern European and Russian Cyber Criminals to make money.
We can infer from other information and a downd US aircraft that the Chinese realy do know how to do chip level exploits for real.
Most of the software side probes and attacks originating from that direction can be atributed to oportunistic activity by individuals who may or may not be Chinese.
Just remember, that phone in your pocket, the chips in it were made in the Far East, where China has real influance both via direct and indirect means. As has been noted, even if you took the lid of the chip could you tell if it had a hardware back door added?
Simple (and very nearly accurate) answer is not a chance...
As others suggested, this is a public-side organization with grunts they can show people. They don't want to show the existing organization to the public.
The hidden side also has grunts. Talented ones. But they need something else for people who like to put important-sounding stuff on their resume.
"Secure computing needs to start at the foundation with companies such as Microsoft and Cisco."
You are missing a lot, once long ago befor the chips in COST were made in China etc then yes."
The problem is not really new, it has been with us for at least 15 years. Ever since TI decided to outsource cell phone chip "Metalization" to SMIC on the 180nm node, chip level hardware backdoors, added after the chip design / layout was finished, have been a real threat possibility. This means that practically every Nokia phone in existence, could have been compromised, and from a practical perspective, there is ABSOLUTELY no way to tell if the chip is compromised.
No anti-virus can possibly find this nor is there any physical measurement of the phone to detect these changes. In many ways this is a chicken and egg problem, because until you know the exact nature of the intended compromise (if one exists), you don't even know what anomalous behavior to focus on. And there is plenty of non-ideal behavior in a cheap cell phone.
I had an interesting conversation, the other day, on embedding undetectable comms channels within a chip. The gist of the conversation is that it is easy to build a very efficient burst mode RF transmitter for the 60Ghz band, using only chip bond wires. If the data rate is low than you can get good line of sight transmission over several hundred meters. What's better is that even experienced chip design engineers looking directly at the offending circuit did not understand that the circuit, had not only it's normal function but was also an efficient 60 Ghz band RF transmitter.
So don't listen to anyone who tells you that they can prevent this level of on-chip compromise, just excuse their ignorance and move on.
Bingo. What we need is sw that doesn't have to trust it's hw.
@ BF Skinner,
"Bingo. What we need is sw that doesn't have to trust it's hw."
Yup the questions are firstly 'is it possible' and secondly 'how'...
It's something I've been thinking about for a number of years.
For instance, ask yourself what the advantages are of a computer that can process encrypted data without having to decrypt it....
If you think about it the basic logic rules an ALU of a CPU has to do are,
AND, NOT, OR, XOR and EQU
But you probably know EQU=NOT(A XOR B), OR=NOT((NOT A) AND (NOT B)) and XOR = NOT( NOT(A AND (NOT(A AND B))) AND (NOT(B AND NOT(A AND B)))), so all that is actually required is NOT and AND.
Likewise the mathmatical fuctions are,
ADD, COMP, DEC, DIV, EQU, INC, MUL, SHIFT and SUB.
It is easy to see that MUL can be done by multiple ADDs or ADDs and SHIFTS, INC is simply ADD1, DEC is SUB1 and A SUB B = A ADD ((COMP B)ADD 1). Less clear is a positive shift can be done by multiple ADDs that is SHIFT LEFT= A ADD A.
Although SHIFT RIGHT is DIV2, DIV requires a SHIFT RIGHT as well as a SUB
If the base primitives could be found efficient encrypted forms then it would be possible to write some software that could as a first aproximation run on untrusted hardware.
In the case of ADD this can be done with a stream cipher without to much diffficulty and thus with some hocus pocus in a multi CPU system integer multiplication can as well. So with appropriate scaling it is possible to do some limited functions such as some DSP primatives (ie MAD instructions). But the complexity is quickly overwhelming.
Further it can be quickly realised that even if the data was encrypted branch operators would leak information as a side channel, thus general purpose oblivious computing may not be possible.
However side channels can also be used to check if hardware is providing correct computation (although they cannot say if it is leaking information or not). This can be done by getting say three entirely different hardware platforms to do the computations, provided all agree it is highly likley the hardware is not "lying.
But when all is said and done it looks like it is always going to be not quite possible for one reason ar another.
Clive: Intel has plants in Israel.
Are we sure China is the only expert at chip-level espionage?
Israel has made a policy out of being the country that supplies security technology to the rest of the world. As the CALEA debacle proved (Israeli company caught handing wiretap data to LA drug gangs, FBI seriously upset), they then use that technology to spy on the rest of the world.
Extending that to chip level espionage would be a no-brainer.
Lets be clear: I have never actually heard of anyone hacking a chip database, to corrupt it in such a manner that the chip security is compromised.
The closest case, that I have ever heard of, relates to 3rd party IP incorporated as what we call a "Hard macro". The block apparently had some undisclosed functions, which rumor has it, bypassed the encryption engine in such a manner that a side-channel version of the plain text accompanied the cypher text. From a logic perspective it did what it was supposed to do, it just had some extra functions.
Since it is a "hard macro" it is the software equivalent of a block of precompiled code (for some unknown processor)that you just blindly link into your application program. You don't own this IP and you're are not suppose to be even able to access it. The linking is often done at the foundry.
Examples of typical "hard macro" IP on chips are:
- Analog functions
- ARM processors
- AES encryption engines
- fast multiplier blocks
- I/O and ESD blocks
- Clock generators
- DSP cores
- SRAM blocks
@ Robert T,
"... you just blindly link into your application program. You don't own this IP and you're are not suppose to be even able to access it. The linking is often done at the foundry."
Thus even if you did have the applity to pop the lid off your chip and zoom down to gate level examination, the chances that you would recognise how it functions both overtly and covertly are minimal at best.
You could look on those macros like the MS Foundation Class library, you get to see only some of the inputs and only some of the outputs, what you don't get to see is how it can leak data.
Even Open Source code can suffer from this problem, and even if you do find an exploitable side channel, who's to say if it is deliberate or accidental.
It's one of the reasons I don't like the way most code/engineering reviews are carried out in the comercial domain. Usually those doing the review don't have the chops the developers do, and even if they do they generally don't have the time to realy get into all the subtleties of what they are reviewing....
@ Richard Steven Hack,
"Israel has made a policy out of being the country that supplies security technology to the rest of the world."
It also appears to be the country to take over from Taiwan to make "Chinese knock offs". I know of many many examples where they have stolen other peoples designs and gone into business against them usually in third world and other places where international IP law has little effect.
If you have the brains as a nation to reverse engineer other peoples proprietary designs and marginaly adapt them, then you very probably have the ability to put in "extras" that the customer would not want to have let alone pay for.
Also don't forget that most of the comms software and hardware that the likes of Motorola put on the market were actually either designd in Israel or by people who are either Israeli or have close Israeli relatives etc.
So no I would not rule Israel or for that matter a number of other Nations out of the APT business. The focus on the Chinese and APT is very much a US political one and not in any way representative of the way the world works.
Lets be honest certain parties in the US need the conveniance of enemies, China in that respect is the New Russia and so "the great game" continues, this time instead of being Afghanistan & Russia, it's North Korea & China.
Whilst the Middle East is fine for "drugs & terrorism" as "think of the children" threats, few people would take those living in the currently televised parts of the Middle East as being technical sophisticates capable of APT.
However as we know Israel made this mistake with Hammas, and there realy are a lot of people from the Middle East working in engineering of all forms all over the globe (Yup even OBL was an engineer) just as there used to be Chinese students etc working in the West (and supposadly siphoning technology back to China and Taiwan).
"Thus even if you did have the applity to pop the lid off your chip and zoom down to gate level examination, the chances that you would recognise how it functions both overtly and covertly are minimal at best."
Today a typical SoC chip might contain between 20M and 60M transistors. You would need to somehow accurately extract this mess, which is possible but not easy. and than you'd need to figure out what each of the processor blocks did (basically build yourself a complete data base and tool set for the DSP cores FFT's comms engines. Doing this is usually more work than simply designing the function yourself, so reverse engineering Digital macro functions, is not that common anymore.
All this ignores the complexity of recognizing intentional side-channels or even sometimes seeing deliberate blatant security compromises.
So bottom line is that the current big chip IP based SoC assembly process is completely broken from a security "high assurance" perspective.
Companies like Intel still have their own fabs and do all the block design in house, so it is a little better. But think about the value for some state security agency of sneaking a mole into the Intel core (or Arm core) processor design teams.
if I were asked to do this I would probably focus on the testability, my reason being that IC test is completely un-respected, so lots of eyes will be on the functionally critical blocks like ALU's an instruction pipes, but very few will ever spend the same time to inspect the database post test scan path insertion. The test scan path can link (and does typically) link all internal registers into big series / parallel arrangements of register cells. As a consequence ALU security critical nodes can be connected to completely unrelated functions. (because of the order of the test scan chain) and nobody will ever question (or probably even look at the database post test insertion)
No. You are assuming the service affected is intended to be public.
One significant problem many web presences 'significant to national security' have is many of them don't need to be public facing at all, they just do it for convenience.
A Denial of Service against a public-facing server can prevent access unnecessarily to functionality that doesn't have to be public-facing at all. Separate public functions from private ones (and any other appropriate levels of authorisation) and you mitigate the risk of the private functions being affected by a DoS.
Lower surface area, better protection. It's a staple - but cyberterrorism presently exploits the fact it isn't being done properly in the field.
@ Danny Moules
I am assuming that a public facing webservice is designed to be public facing. Taking it offline is not a defence against Denial of Service.
If a service has been built around a public facing connection for convenience or any other reason (and convenience is just as legitimate a reason as anything else), then it is likely that the public facing connection is important to the service.
I totally agree that designing the service so that there are no unnecessary public web connections is by far the best way to do it. However once a system is built using the public web it is neither cheap nor easy to re-engineer things.
To this end, the big bad h4xxor running a DOS attack has scored a win if the intended target has to expend resources to reconfigure their systems. While this is going on, the effect is identical to the DOS even if in the long run the system becomes more resilient.
Once a web based system is built, there better be other protections against a DOS than simply re-engineer the system.
I would suggest restraint on use of blanket generalities like " Israelis totally ignore security advice " or "Israelis spy on the world" or "Israeli policy is to develop security technology".
Israel is small free market democracy in the Middle East, under attack from a fair number of governments and non-government actors.
Israel has it's own, fair share of bureaucracy, government incompetence and private ignorance.
Having said that - Israel's key natural resource is brain power, and the result is basic science and applied innovation in many fields, not just data security, significantly in the life science space.
A move to consolidate cyber counter terrorism activities makes sense just as not underestimating your enemies and publicizing your capabilities (to a certain degree) make sense.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.