Schneier on Security
A blog covering security and security technology.
June 13, 2011
Why it's So Difficult to Trace Cyber-Attacks
I've been asked this question by countless reporters in the past couple of weeks. Here's a good explanation. Shorter answer: it's easy to spoof source destination, and it's easy to hijack unsuspecting middlemen and use them as proxies.
No, mandating attribution won't solve the problem. Any Internet design will necessarily include anonymity.
Posted on June 13, 2011 at 6:52 AM
I think that matters aren't helped by people screaming out for punishments whenever anything goes wrong (or even a near miss).
Despite the rise of a "no blame" culture in various workplaces, it strikes me that as soon as ANYTHING goes wrong (internet or IRL), the first thing the public scream for is someone (or thing) to blame. Politicians are never going to ignore this (who wants to look "soft on crime" even when it's the right policy and it isn't soft), so we will always have a public need to be able to track down who did what.
With every hack, one of the first things that people want to know is where did it come from - they don't want to hear that the Chinese IP it appears to come from could be spoofed, they want to hear the drone of rockets being launched at Beijing.
As a "ps" - have you read the comments on that article.....
@GreenSquirrel You better not be on Facebook while at work, not EVEN with the LATEST anti-virus.
"will increasingly need to be backed up by the sort of real-world police-state measures that the entertainment industry is demanding in order to make copy-protection work."
The entertainment industry wants a police state.
"it's easy to spoof source destination"
I thought it is not easy to spoof source address, considering that it is tied to your ISP, and the ISP normally has a record of it? There should be trails even with hijacking unsuspecting middlemen, unless it is easy to clean those trails?
Difficult to trace attacks on cybernetics? Oh, the SA editors made a rare mistake: It seems to be about attacks on computer systems and networks. That's something different.
Spoofing means you change the source IP address in your packets. It's ridiculously easy to do, but it has a serious drawback: all communications have to be one-way, since the destination computer will send its response packets to the spoofed address. There will be no trace of the source actually being you at the destination network, but hacking in this way isn't easy because you never get to see the results of what you're doing. You have to visualize it and hope that it works the way you expect it to.
I naively assume that ISPs do egress filtering, where packets not generated from their network are not sent on :) I thought this is sensible for them to do! I guess it's the same as spam emails, where some ISPs are not fussed about you sending out emails that are not associated with their domain...
It's just another example of the Patrick Gray vs. Adam Shostack problem. Attribution on the Internet isn't possible, and all the engineers know that. When we tell legislators or other "folks in charge", they simply ignore us because "lying scoundrels with agenda" tell them what they want to hear in hopes of duping them out of money.
Hacks that point out the total ineffectiveness of this "folks in charge"/"lying scoundrels with agenda" complex are not unlikely, they are hilarious "I told you so" moments for all the engineers.
We're not going to stop laughing until they stop being funny.
While there are significant differences in implementation, it is (theoretically) possible to perform man-in-the-middle attacks on physical postal service, AKA 'snail-mail'.
A fictional example of an attempt at this is seen in John Grisham's novel "The Brethren".
I thought of this while attempting to think of real-world examples that can be used to clarify the lack of identity of both sender and receiver of data packets. While physical mail is subject to other forms of verification, the final result is that both 'snail-mail' and 'email' are not inherently trustworthy.
However, most of the problems with snail-mail have been worked out socially. It remains to be seen when that will be the case for email.
But I'm sure that if we had mandatory attribution, the Chinese agency in charge of providing credentials to its citizens would be entirely trustworthy and would never create fake credentials to hack American infrastructure networks.
Isn't the existing DNS infrastructure already set up for this?
All we need is a rotating "enemy of all we hold dear" MX record which can change between Iraq/China/Al-Qaeda/Anonymous/The WI as the circumstance and the Daily Mail demands.
For your snail-mail MITM, the MITM is the person at the postal service. Your data/information is the stereotypical "postcard written in pencil". You send your "data" (the postcard). The MITM (postal worker) changes your message and sends it on to the recipient. The recipient is none the wiser.
"they dont want to hear that the Chinese IP it appears to come from could be spoofed, they want to hear the drone of rockets being launched at Beijing"
Yup, the drum bangers and sword rattlers stirring it up with their rhetoric, and those stupid enough to fall for such idiocy standing there shouting words of hate and destruction.
The thing is those "calling to the flag" are not the ones getting bits of them blown off, nor are their friends or children, no that honour is reserved for the dirt poor and gullible folks. After Vietnam I would have thought the US and other WASP nations would have wised up to the way such lunacy profits only a few.
Get a map of the US states with a map of how they voted, then get a map of where most of the "grunt" military personnel were recruited from.
Then have a long quiet think about the cruel nature of life in those areas.
In some ways, I agree and in some ways I disagree with you, Schneier. Why and How?
Because, according to the internet addressing scheme each device connected on the internet must have an IP address. Although, due to the shortage of internet IP addresses (IP v4), a new scheme was introduced which was called IP v6. IP v6 is not fully operational otherwise it would be easy to catch cyber crime. With IP v6 imagine an ideal world of billions of devices (servers, computers, peripheral devices, tablets, mobile phones etc), where each device has a distinct IP address (there would be no shortage of IP addresses in that scenario).
Schneier, with anonymity, I understood that Person A or device A can use Person’s B or device B IP address and commit cyber fraud and/or crime. This is what may have happened in recent attack on Sony, Citibank and IMF.
How cyber crime of Sony/Citibank/IMF was committed?
Consider entities of above organizations.
1. Server Hardware.
2. Network Infrastructure.
3. Softwares (Operating Systems, Application Softwares, Databases)
4. Cloud Services / Web services to collect data from customers.
5. Human Element (Weakest element of above system).
Please note the point that all of these companies/organizations use the same sort of server and there is one thing common in those attacks, that is, IP addresses of their servers. In recent years, there are incidents of server security failures. Either there is a problem with the server operating system, that is, the server operating system is vulnerable to attack in the presence of a cyber attack.
Conclusion and recommendations:
1. It is server hardware which is responsible to create things like sessions / public key encryption. Although, with software they generate distinct sessions/public/private keys, it is dependent on the architecture of servers. When it comes to hardware, we have server's processors/motherboards/RAM etc. A study is required to see similarities of using the same type of hardware at the same time at the same date and same hardware. I guess there would be above 50% similarities depending on the algorithms.
2. Problem is with Internet Addressing System (Although we have classes in IP v4 and IP v6). I think we need another tier based Internet Addressing System, that is Financial Institution like Banks, IMF etc should use a unique Addressing Scheme which cannot be used by other Internet Stakeholder like Grid Houses, schools, secret agencies etc.
Military/ Defence organization should use another unique addressing scheme which cannot be used by other Internet stakeholders.
3. I think a study is required to point out the threat, vulnerabilities and risk associated with Server Operating system. Furthermore, there is a point to note that it is people who leaked out the weaknesses of Operating System. So, to keep story short a trial and audit is needed for those companies who develop operating system with their key staff.
4. A new series of secure protocol are required to gather and save customers data over the internet cloud.
5. Companies should keep an eye on their key staff specially those who were involved in the development of operating system, application, databases etc.
P.S. I want to write more but time is problem for me.
"I guess it's the same as spam emails them to do! ISPs are not fuss about you sending out emails that are not associated to their domain.."
For a number of reasons, some technical, many legal, ISPs don't want to be "filtering" traffic. One simple reason is that once they start they effectively lose the common carrier defence and become publishers and thus legally responsible for all that leaves their network no matter how difficult it is to filter out.
You as a consumer would also not like it as the delay through the ISP would be significantly increased and very expensive.
Well said, the time that the man at the top led the charge is long past.
Using ISP's SMTP server as a service to send emails that are not associated to the email domain provided by the ISP is different from the network connectivity service provided by the same ISP isn't it? The common carrier defence shouldn't apply to such email service?
As for egress filtering on packets generated from the ISP's network, maybe you are right that the ISP doesn't want to be legally responsible. I just thought that filtering out packets at the border before they enter the ISP's core network can be easily done and might be able to help fight packets with spoof source IP address.
"Shorter answer: it's easy to spoof source destination..."
What is "source destination"? It sounds like an oxymoron!
last time I checked, the U.S. Military recruits come fairly evenly from all the major income groups. The general trend is slightly-better-educated and more-rural with respect to the general population.
Also see here, from 2005.
I'd forgotten the postcard example.
(The novel I referenced had a case of both spear-phishing and MITM...in smail-mail. It was conducted by a trio of judges who were in a low-security Federal Penitentiary, using their lawyer as a cut-out.)
@All Re: egress filtering
Egress filtering of spoofed packets is easy and not overly costly, but it does not solve the problem. Very few attacks involve source address spoofing and their scope is limited. Stopping these attacks would just make the attackers switch their tactic slightly. Therefore it does not make sense for the ISP to filter such packets, as it comes at cost: routers' CPU utilization and personnel cost to configure them. Why to sacrifice routers' capacity and personnel time - even if slightly - for no gain at all?
Yes, a lot of ISPs do filtering now... the thing is, they're a lot more likely to do filtering for 'business' reasons (like blocking BitTorrent or other Peer-to-Peer protocols at the request of the RIAA) than for 'security' reasons (like doing proper egress filtering to prevent spoofed attacks). See Comcast for one of the more blatant examples.
It's worth noting that, unlike when ISPs started up twenty years ago, most ISPs now are major cable/phone networks with their own content production. The arguments about network neutrality should show that a lot of them don't really WANT common carrier status anymore, they just want to keep the discussion confused enough that they can pimp their own services and block others without going quite far enough to actually bring down any legal challenges they can't fight off.
@ Dilbert (and others),
"Ingress/Egress filtering is a common/best practice at ISPs"
It might be for some, however in the UK a number of years ago an ISP (Demon) got taken to court over "common carrier / publisher" status and the outcome was not good for ISPs.
Whilst simple filtering on "malformed" packets might be easily possible, it's seen by many as dangerous. The reason is M'learned friends, their grasp on technology from a technical viewpoint is often laughable at best. Unfortunately the prevailing view is a Judge sees no difference between filtering on a simple "non-match" of outbound address and matching of "data content" in human terms. Lawyers likewise play on this and say well you filter on X you should have filtered on Y...
It's seen in many places as "don't start unscrewing the lid on a can of worms".
There are still a number of hacker idiots who hack from their homes, but most hackers know enough to hack from a public wireless connection or through someone's zombie PC. Attribution is a complete waste of time in such a situation - unless the hacker is dumb enough to use the same one all the time.
That said, there are some basic facts that have to be acknowledged:
1) China, by one estimate, has at least 300,000 hackers, many of whom are associated with their universities which are in turn associated with the Chinese military establishment.
2) If you don't speak Chinese or can't find an English-language server or PC to work through there, it's a little hard to use China as a routing point if you're in the US or Europe. Not that hard, maybe, but it complicates things.
3) Most spam still originates in the US. I suspect most hacking attacks do as well, although I'm sure Eastern Europe, Russia and China (including Taiwan) are high up on the list if not overtaking the US.
So if someone tracks an IP address to China, my guess is ninety percent of the time the originating attack is from China.
That said, it doesn't mean that China's government is directly involved. Chinese hackers presumably are as patriotic as US hackers, and one cannot assume every Chinese hacker is hacking on command of the Chinese military. Given the numbers of Chinese hackers, this simply isn't feasible.
Given the profitability of computer crime, especially when you can extract valuable information and sell it or use it in another country's industry (such as China), I suspect many of the commercial attacks seen in the US have a commercial motive, not a state motive. Chinese hackers presumably can make some money by hacking US industry and selling or using the results in Chinese industry.
I actually have very little problem with that. It's a bit coercive, but hey, intellectual property is an oxymoron. The US government - and industry - is determined to keep China from ever competing with the US and the Chinese are determined that this shall not stand.
It's not a zero-sum game, but everyone is playing as if it is. That being the case, I have no problem with the Chinese "stealing" whatever they can from US industry. And it's not "stealing" any more than file sharing is - although the actual act of penetrating someone's network is, as I say, rather more coercive than just sharing a file. But the end result is not stealing, because the original party still has their IP. It's just their monopoly advantage that has been removed by such a hack.
As for Chinese hackers obtaining classified and military information from the US, I have no problem with that either. Given the disparity between US war spending (let's not call it "defense" spending because it's not) and Chinese war spending, you could essentially give the Chinese ALL the US military secrets and it would hardly give them a significant edge. Maybe it will in twenty years when the Chinese economy is bigger and the US has become a third-world broke debtor as it's on track to do, but for now the US is pretty safe from any significant attack from anyone except Russia.
While a lesser conflict between the US and China, say, over Taiwan, might be influenced in China had more US military secrets, the larger question is why the US is protecting Taiwan anyway. There's no good reason why Taiwan shouldn't be part of China, any more than Hong Kong is. So once again, it's the foreign policy of the US that is at odds with reality.
If the US had an intelligent military and foreign policy, it would have fewer national enemies and have less need to worry about where a hack comes from.
But now we're getting into the general problem of human relations, and you all know how pessimistic I am about that, so I'll leave it there.
Bottom line: People worrying about Chinese hacking just don't understand how the world works, let alone how an IP address can be obfuscated. They have bigger problems than a lack of computer security knowledge. I'm looking at you, Richard Bejtlich!
Real-time digital forensic systems is the key, cyberwarfare is only a fantasy without such technology.
@ Richard Steven Hack
"2) If you don't speak Chinese or can't find an English-language server or PC to work through there, it's a little hard to use China as a routing point if you're in the US or Europe. Not that hard, maybe, but it complicates things."
Not necessarily true. There are many SOCKS proxies, shady English-speaking IP's and easily hacked computers over there. Many American criminals have been using Chinese sources for years. I've also used Chinese relays in privacy schemes specifically because US/Chinese cooperation is so shaky. That many believe Chinese hackers or IP sources are connected to their military, reducing traceability, is a good reason in itself to use Chinese sources for the output or relays.
Allow me to get back to qualifying Bruce's answer. It seems to me that nobody really spoof source IP address in cyber attacks, except idiots/kiddies/amateurs hackers :) Hence there's no need to include that in the answer? If it is a problem then obviously this needs addressing, particularly if this can be done easily.
I think the main problem is it is difficult to deal with rogue states that don't cooperate. Hence knowing that attacks coming from a rogue state is not good enough. And there's little we can do about it regardless how much we shout about it...
IMHO the entire mandatory attribution thing is just as silly as the Chinese law that forbids reincarnation without government approval: a futile attempt at changing or distorting reality to serve no other agenda than that of the powers that be.
Perhaps Bruce can include in his upcoming book a chapter on the Packet Uncertainty Principle, in which, only vaguely analogous to Heisenberg, he explains that irrespective of a packet's current location, there is just no way to indubitably determine its true origin. You kinda never know when the usual suspects will start aiming their arrows at science and engineering and try to outlaw such speech for being unpatriotic, blasphemous and/or a threat to national security. Not that throughout history this has ever happened, of course.
sometimes i just want to "let go" and lay back, relax, and let my urine flow all over myself, and just wallow in it for hours, foaming at the mouth and singing somewhere over the rainbow, because there's nothing like the freedom to urinate and let it all just wash over you like a calm river.
i recommend it to everyone
@ Pirk Draet
Stay off the drugs and get some therapy instead, Anthony W. You're only making it harder on yourself. And get another pseudonym.
In a world where so many people use pirate/insecure sourced software it's pure folly to think you can manage attribution of source IP traffic. I live in Thailand where it's hardly possible to buy legit software in a store. I'd guess that 95% of all computers here run a pirated Windows OS and no one would have any clue about what may have been installed along with that, either by the dealer or at home. The same holds for many/most developing countries.
This is compounded by open wifi nodes everywhere. In my Kismet scans locally I see more than 50% APs are completely unsecured, and 30% more use WEP.
And I also forgot - most apartment buildings here use NAT and only have one or a few IPs for the whole building. I suspect this is true in China and elsewhere. Most of the population, even if they hack from home, are at best traceable to some large building complex.
Attributing back to some source IP is a fantasy of some clueless politicians sitting in their mansions in their police states expecting the world is just like home.
What people should be concentrating on is that the current flood of news stories is designed to instill the fear that will lead to how government/big business eventually locks down the net: public consent.
Remember what Cheney said when he found out the web was full of 911 Truth info - something like "This is very dangerous, we have to get control of this".
There's attribution, but there's also authority and intent.
If an attack comes from a Chinese University computer, who programmed the computer? Is it a bored student, a student working on a "lab project", or an academic moonlighting for the army? (Or is it just a virus-ridden proxy?).
Even narrowing it down to a person doesn't explain their motivations - the thought that a bored student could commit "acts of war" is terrifying, but how do you tell if he's a state-sponsored "cyber-warrior"?
"There's no good reason why Taiwan shouldn't be part of China" - I'm sure the Taiwanese could come up with some. But yeah, they're not necessarily reasons the US should automatically care about...
"So if someone tracks an IP address to China, my guess is ninety percent of the time the originating attack is from China."
I believe your guess is shared by 99.9% of cyber security gurus, which interestingly is exactly what makes Chinese zombie PCs such a valuable "non-Chinese" hacking resource. There are a few well known regions around Chinese "centers for software excellence", where zombie PCs are particularly valuable because western security gurus will look no further.
This is the cyber equivalent of stamping the attack with the MO of "the usual suspects"
One of the common vectors for zombie PCs in China is to hack Internet cafe clusters. Internet cafes in China can easily have 200 PCs, they are more like factories than cafes and they rent by the 1/4 hour, so these are great "end-points" for any adventuresome Internet activities.
RobertT: I wasn't aware that it was THAT easy, so perhaps I must reduce that 90 percent down to 50 percent. I guess I assumed that most Chinese PCs would be running a Chinese language version of Windows or the Chinese version of Linux or whatever. If they're all running pirated English copies of Windows, then that's it.
I just spent twelve hours recovering a Windows 7 PC for a client, so I'm seriously tired and ticked off at Bill Gates at the moment. It turns out Windows 7 can't keep track of its boot manager, worse than Windows XP. And if the Startup Repair can't find the OS for some reason, even if it's sitting there in the background selection box, then you can't even get to the command line tools. Shift F10 is supposed to work - it didn't.
AND you can't do a repair install except from a running Windows 7! Isn't that genius?! Ask Microsoft about that one - and many have - and they say, "Well, under XP, doing a repair install from outside the OS left it in an unstable state." And how the hell is that different from running it WITHIN the OS? It's the SAME OS!
It's a bullshit answer, like every other answer Microsoft gives to cover up their pig witless shoddy programming.
I am officially declaring Windows 7 just as big a POS as Windows XP.
@ Clive Robinson at June 13, 2011 2:05 PM
I have to disagree. The Demon case was not wholly about Ingress/Egress filtering. It was about the fact that Demon had been informed that their private message system had been compromised; that the messages were false and slanderous; and then did nothing about it.
What this discussion is (should be) about is whether there is any merit in Ingress filtering? If the ISP knows that the source IP address is different from the actual IP address, at the inbound router level, can and should they block the packet? Short answer: yes.
The argument that this costs router CPU is belittling the problem. Yes, you will use a couple of cycles to check an IPv4 address (add 4 more for IPv6, if that ever happens). For this you get the benefit of throwing away all the dross, spoofed packets that you no longer need to carry or route. So there is an ISP payback whilst spoofed packets are prevalent.
If you do this, then what point is there to egress filtering? Unless you assume that the ISP routers have been compromised and are themselves changing the source IP address. If that's the case, we are all truly fcked and may as well go home.
What would this solve? It would remove spoofed packets but only from trusted ISPs. Let's imagine that this was done by 99% of all ISPs worldwide. All this means is this 1% of them become popular for hackers and terrorist cyber-attacks. Would our own services (CIA/SIS/MI5/Insert TLA here) want to have their ability to launch an anonymous cyber attack on their favourite target of the moment (insert rogue state here)? Probably not. So they would have an "exception". As soon as the system allows a single exception, either an ISP that does not follow good practice or a state organisation that has the ability to circumvent the good practice, then the system is broken.
If it's broken, it can't be trusted and if there is one part that is not trusted it's not worth it. All you find out is that the good guys are good, and you don't know who the bad guys are.
And as Richard Steven Hack at June 13, 2011 2:09 PM said, a smart hacker will work from a public access point. (S)he will have a valid ingress address, all will be fine, and the attack goes on.
Ergo, as in all security discussions, you have to really, really think the issue through. No security system is built on a good idea written on the back of the proverbial cigarette packet. And even when you believe you do have a water tight solution, you get someone else to check it and think it through again.
Ingress filtering? Ah, do you know how about that whole BGP thing?
Most inbound traffic an ISP sees is going to be from "the rest of the Internet". If they have one upstream or peer, that's the whole story right there. Even if they have more than one peer, it's still perfectly legitimate to get packets from a source IP that should usually have come in another way - one of the normal hops might have been down or overloaded. (Or someone in China published a bad route...)
Ingress filtering is only good for totally bogus IP addresses, like 10.1.1.1 or 127.0.0.1 or IP addresses assigned to the local network (but appearing on the external network). Or IP addresses assigned to an external network appearing on the local network - but that's *egress* filtering...
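As an added example (not code from the post or from any commenter), the following Python models the filter placement argued about in the last few comments: a strict source check on customer-facing ports, and only bogon checks plus "our own address space arriving from outside" on upstream ports, because legitimate traffic from the rest of the Internet may enter via any peer. The port names, prefixes and sample packets are all constructed for the example.

```python
"""BCP 38 style anti-spoofing filter for an ISP border router (added example,
not code from the post or any commenter; ports, prefixes and packets are
constructed)."""
import ipaddress
from collections import Counter

# Source addresses that have no business appearing on the public Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def _in_any(addr, networks):
    # ipaddress returns False when a v4 address is tested against a v6 network
    # (and vice versa), so a mixed prefix list is safe here.
    return any(addr in net for net in networks)

class EdgeFilter:
    """Per-port source-address policy for a single router."""

    def __init__(self, own_space, customer_ports, upstream_ports):
        self.own_space = [ipaddress.ip_network(p) for p in own_space]
        # port name -> prefixes assigned behind that customer port
        self.customer_ports = {
            name: [ipaddress.ip_network(p) for p in prefixes]
            for name, prefixes in customer_ports.items()
        }
        self.upstream_ports = set(upstream_ports)
        self.stats = Counter()  # (port, verdict) -> packet count

    def check(self, port, src):
        """Return the verdict for a packet with source `src` arriving on `port`."""
        addr = ipaddress.ip_address(src)
        if _in_any(addr, BOGON_PREFIXES):
            verdict = "drop:bogon"
        elif port in self.customer_ports:
            # Strict: the source must lie in a prefix assigned behind this port.
            if _in_any(addr, self.customer_ports[port]):
                verdict = "allow"
            else:
                verdict = "drop:spoofed-source"
        elif port in self.upstream_ports:
            # Cannot know which peer "should" have delivered a given source, so
            # only reject addresses that belong to us and therefore cannot
            # legitimately arrive from the outside.
            if _in_any(addr, self.own_space):
                verdict = "drop:own-space-from-outside"
            else:
                verdict = "allow"
        else:
            raise ValueError(f"unknown port {port!r}")
        self.stats[(port, verdict)] += 1
        return verdict

def build_sample_router():
    """An ISP holding two documentation prefixes (constructed topology)."""
    return EdgeFilter(
        own_space=["203.0.113.0/24", "2001:db8::/32"],
        customer_ports={
            "cust-a": ["203.0.113.0/26", "2001:db8:a::/48"],
            "cust-b": ["203.0.113.64/26"],
        },
        upstream_ports=["up-1"],
    )

# Constructed packets: (ingress port, source address)
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.10"),   # cust-a's own address
    ("cust-a", "203.0.113.70"),   # belongs to cust-b: spoofed
    ("cust-a", "192.0.2.5"),      # foreign address from a customer port
    ("cust-a", "10.1.1.1"),       # bogon, caught on either side
    ("cust-a", "2001:db8:a::1"),  # cust-a's IPv6 space
    ("cust-a", "fe80::1"),        # link-local leaking out
    ("up-1", "192.0.2.5"),        # ordinary Internet traffic, any peer is fine
    ("up-1", "203.0.113.10"),     # our own space coming back in from outside
    ("up-1", "127.0.0.1"),        # bogon on the upstream side
]

def run_sample(packets=SAMPLE_PACKETS):
    """Run the constructed packets through the router; returns verdicts and counters."""
    router = build_sample_router()
    verdicts = [(port, src, router.check(port, src)) for port, src in packets]
    return verdicts, router.stats

if __name__ == "__main__":
    results, stats = run_sample()
    for port, src, verdict in results:
        print(f"{port:7s} {src:16s} {verdict}")
    print(dict(stats))
```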
There are other technical issues with egress filtering, however the technical argument was not really the point.
As others have noted management really don't listen to technical arguments and neither do judges.
Management's interests are aligned with minimising the cost of profitable expenditure and eliminating what they regard as unprofitable expenditure. But importantly they are deeply uninterested in the majority of cases in anything with more than a year before it starts to show benefit no matter how large, as the shareholders judge them in that time period.
This means that as irrational as their behaviour to technical personnel may seem it has a very rational basis in management's reality.
When it comes to judges management are going to look at any "get out of jail free card" they have and look at how the judiciary are currently viewing it.
One such card is "common carrier status"; in many respects it's blanket immunity from what their users (or others) do with their network.
Further they are going to avoid anything that jeopardises such immunity or brings other problems. So even though something might in principle be technically easy, IF it provides a crack in the defences come litigation they are going to avoid it if they can.
What makes them so hard to catch?
One answer is the inability to track actions and prove the real human involved due to insufficient laws surrounding cyberspace.
What color are your bits?
A very good read for any tech types who've ever had to try and explain to a lawyer or other non-techie why bits are so easily tampered with.
Base 32, 0-16 data through the internet, 17-32 code on the computer. Problem solved ;)
"I guess I assumed that most Chinese PCs would be running a Chinese language version of Windows..."
I don't understand why this is a problem, most are Windows Chinese edition so what, if you can't read simplified Chinese then just use Google translate.
The other nice thing about hacking using these "Chinese internet gaming barns" as cover, is that there are over 200 people present, at any one time, and in excess of 1000 unique visitors each week. So just use a MAC-changer to deliberately target other PCs at the establishment and you can see how the whole thing becomes an impenetrable web of misdirection. (equals investigators just give up)
The problem with using Google translate is the impact on hacking efficiency. If you have to spend half your time reading a Google translation, how do you get anything done?
Still, I can see the advantages. When I get into hacking, I'll probably go that route too if it's that easy to evade a trackback. Maybe I'll download some Mandarin language training DVDs and a technical Chinese-English dictionary... :-)
One thing that struck me about the article is how it ended with the standard "blame the user" argument, even while quoting an expert saying something that directly contradicted that argument:
"Perhaps the most effective defense, however, is for computer users to demonstrate some cyber street-smarts. `You never know what tactic the attackers will take, especially when it comes to spear phishing,' Ghosh says. As a result, it is difficult to keep people from being duped into clicking on spam—thinking it is a message from their bank, a delivery service or someone else they think they can trust—and running the risk of infecting their computers with a virus. `You can train and train and train users but you're not going to get to zero percent,' he adds.
Notice the author says `the users need to get street-smart,' but Ghosh is actually saying that "getting street-smart" will never work. It's too much to ask: there's always going to be some spear-phishing attack that will get you, because they are too easy to spoof. Even if you could perfectly harden one user, that wouldn't be good enough, because you have to harden all users to be safe.
I'm not saying "go ahead and be stupid," but it's really annoying to read "fix the people" offered as a serious suggestion, especially in what should be a relatively sophisticated publication.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.