Schneier on Security

Nick P • August 7, 2011 11:20 AM

@ RSH on LulzSec

Not sure if I want to download that. Risks and all. 😉 But here’s an entertaining part of LulzSec’s press release showing just how untrustworthy & incompetent these cops were. Happy reading all!

“// A TALE OF TWO OWNINGS

It took less than 24 hours to root BJM’s server and copy all their data to our
private servers. Soon after, their servers were taken down and a news article
came out suggesting they received advance FBI “credible threat” notice of a
“hacking plot”. At this point it was too late for them because the stolen files
were gonna get leaked regardless. However we were surprised and delighted to see
that not only did they relaunch a few sites less than a week later, but that
their “bigger, faster server that offers more security” carried over our
backdoors from their original box. This time we were not going to hesitate to
pull the trigger: in less than an hour we rooted their new server and defaced
all 70+ domains while their root user was still logged in and active.

We lol’d as we watched the news reports come in, quoting various Sheriffs who
denied that they were ever hacked, that any personal information was stolen,
that they did not store snitch info on their servers. Many lulz have been had as
we taunted the sheriffs by responding to their denials by tweeting teasers
exposing their SSNs, passwords, addresses, and private emails. We also took the
liberty to backdoor their online store and capture a few credit card numbers,
which were used to make involuntary donations to the ACLU, the EFF, the Bradley
Manning Support Network, and more. Despite active FBI investigations and their
additional security measures, they could not stop us from owning their servers,
stealing their identities, and dropping all their data. Two weeks later only a
few of the sites are up with limited functionality as we scared them into
removing any dynamic PHP scripts, forcing them to use static HTML content.

A recent DHS bulletin has called us “script kiddies” that lack “any capability
to inflict damage to critical infrastructure” yet we continue to get in and out
of any system we please, destroying and dropping dox on the mightiest of
government systems that are supposed to be protecting their sick nightmare of
“law and order”. GIVE UP. You are losing the cyberwar, and the attacks against
the governments, militaries, and corporations of the world will continue to
escalate.

Hackers, join us to make 2011 the year of leaks and revolutions.”

Nick P • August 7, 2011 1:18 PM

@ Richard Steven Hack

It’s already impossible to stop the leakage. The best the governments can do is reduce opportunities for leakage, increase monitoring to reduce impact of compromises, take down sites hosting leaked material, and go after high value targets. This is the least they can do. They aren’t doing it to any serious degree. So, they won’t make a dent on the situation.

In other news, Australia’s Defense Signals Directorate (i.e. Aussie NSA) posted a set of best practices for securing networks. The guidelines were based on an analysis of many compromises of government networks. Each guideline is rated with metrics like how much damage it usually prevents, how costly it is, and how hard it is to set up and maintain. The metric breakdowns are excellent. They found that just four easy practices prevent the vast majority of compromises. That FBI and company aren’t even good at these four says a lot.

DSD Top 35 strategies to mitigate targets cyberintrusions
http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm

Nick P • August 7, 2011 2:17 PM

On the Panel

Yeah, they do appear to be mostly misguided. My take on Anonymous & AntiSec are that they are primarily a social phenomenon with social goals. In any, you’ll have the people who just want to be part of the group (cool factor), the people who like the activities, the somewhat ideological ones and the zealots. These distinctions are evident in both Anonymous and AntiSec groups. So, an analysis is ridiculous when it starts with notions like getting better dirt or they all just want to smash things.

I think Jericho’s got a nice view. He’s just got the wrong crowd. Like you said, these groups are trying to get press and make a statement. Be it social or political, it’s obvious that taking out corrupt or shoddy organizations is just a side effect, sometimes an intentional secondary goal. I do think an organization like Jericho is fantasizing about could spring up and would certainly be useful. Basically, the breaches and bad publicity that comes with being targeted by such a group puts a price on insecurity. RSA’s breach cost $50+ million. You can bet they’ve significantly improved their security practices. Like Jericho, I see a use for such a group. It’s irrelevant to a discussion on motivations of AntiSec and hacktivism, though.

On DSD Guidelines

“With the exception of the latter, I find it interesting that, combined with their statement that doing these would have prevented most of their incursions in the last two years, it pretty well establishes that they WEREN’T doing those four things.”

My thoughts exactly. Hopefully, the compromised systems they studied that didn’t use Rules 1-4 weren’t located within the DSD. Their reputation might start looking like certain American security-focused agencies.

“But it also illustrates just how much WORK has to go into doing so – and thus why so few organizations do it all. It’s bloody hard – and bloody hard to do it sufficiently correctly that there aren’t implementation failures.”

Certainly. That’s why I advocate using alternative approaches to delivering many services and solutions that totally mitigate certain attacks & reduce the risk of others. For instance, deploying an OpenBSD based web server & following online secure configuration guides (even lay people can do step by step instructions) would often prevent a defacement of a web server. Hell, the OpenBSD team even removed the DNS vulnerability from BIND months before it was even “discovered” and all over the news. Managed platforms with baked in security and dedicated [hardened] appliances for critical applications also improve the security stance of the infrastructure.

The point is that you’re certainly right that following all of these guidelines is hard. The reason is that the guidelines are designed to try to duck tape together many pieces of software (read: garbage) that were never properly engineered to hold up to the stresses of the environments they’re deployed in, much less malicious users. Ditching all the garbage like HTTP stacks, Samba, and SOAP/XML whereever possible makes it much easier to build robust and secure networks.

It’s not like it hurts development time that much to use a REST/TCP/UDP/IP Java thin client app rather than a HTML/JavaScript/HTTP/TCP/UDP/IP broswer app. IDE’s like Netbeans let you literally fling one together thanks to robust GUI code generation. Making choices like these throughout the infrastructure give attackers little to work with and security administrators a more narrow (hence effective) focus.

It actually doesn’t take a lot of work to remove the low hanging fruit. It just take some effort, common sense & awareness of proper approach to builing rock-solid infrastructure. Example: The more complex & bloated the product, the more bugs will be there.

Nick P • August 7, 2011 3:47 PM

“When people make comments like the one you refer to I’m never sure if the person themselves are an idiot or whether the comments are directed at people who they think are idiots and will swallow the line. ”

It’s your comment that concerns me. RSH’s comment is very consistent with the statements and actions of both Anonymous and AntiSec groups. They typically act self-centered, act in the interest of their group, and attack the establishment and power figures. Anti-government and individualist statements are common. (The statements on the Sheriff leak come to mind.) This jives with RSH’s claim nicely. I think his claim is overly broad and simplistic, but it covers much of the groups & their behavior. Does that sound idiotic to you?

“Technology changed so that any idiot could pick up a gun and shoot it. The south was better armed and better trained but Grant just overwhelmed them by sheer force of numbers. ”

It’s a nice analogy for COTS security. It’s incomplete though. The attackers have one weapon that is easy to operate and maims/kills what’s in it’s path. In the IT security situation, there’s many weapons, defenses, tactics & even guards so to speak. Additionally, the targets walk openly in no-man’s land in front of the shooters, take risky practices for convenience, & even continue to expose themselves even while being shot at. The situation could be said to be both more complex & damaging than the Cold War.

“The point being is that if you give me 15,000 random script kiddies up against 1000 NSA computer experts the kiddies are going to win that war over the long term. ”

If it’s mandated that the expert advice is followed, I totally disagree with you. There are known, workable strategies for eliminating entire classes of attack & producing low-defect, high security systems. Give me 100 NSA experts & I can produce frameworks/tools/whatever across the board to force attackers to use physical presence, social engineering or extreme sophistication to get anywhere. (Many already exist, like Aesec’s GEMSOS, making the job easier.) Then, you have to hire the equivalent of 100 NSA-grade black hats, enlist black bag operators, and buy expensive espionage gear to accomplish feats similar to those on the news today.

The ease of exploiting systems remotely via software is an issue that arises from phsycological, market and legal forces. Invulnerable, or nearly so, systems have been built in the past and many continue to operate. A similar approach to areas other than firewalls, email & trusted OS’s would likely achieve similar results. We can build systems good enough to stop the best of Anonymous & LulzSec, even 15,000 of them. (DDOS excluded 😉 It’s just not happening.

“Right now, the hackers (loosely defined) are showing an energy and spirit that the establishment has yet to articulate a counter too.”

This much is true. Press releases, sporadic investigations, NSA “secure configuration guides”, and DSD mitigation guidelines aren’t even a parry to the recent blows of the AntiSec movement. Due to the factors I mentioned previously, the establishment won’t win unless they force all citizens & companies to use high assurance products, the cost of which is unthinkable. Even forced use of high assurance in just the most critical areas in typically inexpensive products would be met with huge political resistance. So, over the long run, there will be no counter. The AntiSec movement are unstoppable mosquitos, both in numbers and effect.

“Saying that this movement should go after child porn is such a feeble response it’s pathetic. ”

See why we call them morons? 🙂

Nick P • August 7, 2011 7:57 PM

@ Richard Steven Hack

“I don’t think so. What would happen is that the Anonymous types would just get better. Those 15,000 “script kiddies” would whittle themselves down to those 100 (or 1,000) NSA-grade black hats.”

It’s possible, but I doubt it. The reason is that preventative architectures make it difficult to exploit remotely. It becomes so hard that physical presence is needed for part of the attack, either a physical attack or physically assisted subversion. Hence, black bag job. If the organizations are practicing decent personnel and physical security, the sophistication and efforts increases. An insider (or infiltrator) would be needed to enable a remote attack. Hence, 100 NSA-grade black hats wouldn’t be good enough. (After all, every A1 or EAL7 class system resisted NSA’s best efforts for years.)

Of course, that assumes high assurance. If we go medium robustness, then there is potential for high grade attackers to find and exploit flaws. However, if the protocol stacks, networked devices, software, etc. are designed to this level, many different flaws might be needed for a successful hack. Most successful remote attacks would be very esoteric and require a thorough understanding of the target’s internal systems and their configuration. So, even with medium robustness, just throwing brains and bodies at the problem won’t be good enough at a site with decent security. Social engineering, covert channels, stealth rootkits and physical compromises would be combined to create major breaches. This is more risk & effort than most people like Anonymous would be willing or capable of pulling off, even a sophisticated future Anonymous.

Nick P • August 8, 2011 5:00 PM

“As Dick Marcinko said in his books and those videos, you have a high security system facing you, you just “pulse” it until they think it’s defective and turn it off. Total bypass without any technical sophistication at all. ”

That’s a very flawed analogy. Marcinko used this technique on electronic monitoring systems. There’s a difference between total prevention systems and monitoring systems. You can send bad packets at a firewall all day but the users on the inside wont even know. Second, your idea that they will turn it off is flawed & only applies to things like monitoring & pattern-matching systems. Will PGP use stop if some spam emails don’t open? Will Google turn off its default SSL if a bunch of forged connection attempts are made? Will people abandon Medeco locks if intruders shake the door or make picking attempts? I think not!

“I say what Clive said: “And in some cases you might add further avenues of attack…” The more “security” you add to a system – and I know, a lot of high assurance systems are that way because they take OUT a lot of insecure stuff – the more avenues of attack you get.”

He was refering to features & complexity, not really supporting your point. Previous discussions show Clive agrees that we already have the capability to build software that’s immune to compromise. He also agrees with me that once we get rid of all the bugs, the remaining vulnerabilities will be covert/side channels & hardware issues. High assurance design minimizes complexity. Applying an EAL7-like development process is proven to improve the quality & security of a system across the board, even resisting malicious developers. Hence, replacing critical infrastructure & software components with high assurance equivalents will only reduce vulnerabilities.

@ Clive Robinson

Actually, I found your NERC link more interesting. Just got to love reading things like this:

“The ES-ISAC was recently contacted by a security researcher who has discovered a potentially broad vulnerability where cellular messaging is used to attack embedded systems architecture control networks. Clear text messaging protocols can be intercepted and reverse engineered to enable an attacker to inject commands or implement attacks on critical systems which rely on embedded microprocessors.”

Nick P • August 9, 2011 12:01 PM

@ Richard Steven Hack

“He may agree. I don’t as a matter of absolutes. Sure, you can minimize complexity, reduce functionality, distribute functionality to minimize complexity, and reduce the attack surface to some degree. ”

In our previous discussion, I told you I don’t believe in perfect security & I’m never refering to absolutes. The field of skepticism has shown us we can never truly know anything 100% & even statistical approaches usually max out at 99% “confidence intervals.” My previous definition of high assurance is that it accomplishes its security goals with high confidence that it won’t fail for perhaps years on end.

“Of course it will REDUCE vulnerabilities. That’s not the same as being “immune to compromise”, and that isn’t even relevant to my overall point that such security can be bypassed in other ways.”

I think that was a typo on my part. I meant to say vulnerability, as in “across the board.” The idea is that most remote attacks can only come through certain points. Putting high assurance components there settles that entire issue. When remote software attacks are unavailable, hackers have two options: physical presence for hands-on attack or social engineering to convince users to bypass security.

Most hackers will not travel to a site for physical presence, even nation states because the main reason they are hacking is its deniability & often untraceability. Having a previously identified Israeli agent turn up dead in a gunfight during an attempted physical compromise is too risky. Having an IP packet traced to Israel is 99% deniable. “It must have been malware. A relay. Tor.” So, using high assurance prevents the remote software attacks & doesn’t leave most targets vulnerable to these physical attacks as the cheap, low-risk crime opportunity is no longer there.

Now, the social engineering attacks will be an issue. The question is how much of an issue? Good considerations of policy and security awareness will determine this. For instance, if a nuclear control system is attached to the internet, the hacker might take remote control. Put a high assurance guard there & suddenly the hacker has to try to do a phone call & convince workers to shut off the plant or overload it… while the workers are looking at the guages and seeing “all good”. It’s unlikely to work. This same principle will apply at many sites, which means the few high assurance components effectively make them safe from remote or non-physical attacks. That’s a plus over our current situation.

Other organizations (majority probably lol), especially in business sector, will be different. They will still succumb to social engineering techniques. As I’ve told tommy, I’m not really designing them or promoting them for those businesses. I’m promoting them for organizations that will use them right or can be made to with regulation (safety-critical, mostly). A large number of companies have strong security policies & investments. Unfortunately, their OS’s and key protection components are low assurance and will be bypassed overtime. High assurance components across the board means they only need to worry about employees, intruders & the effects of operational policy. That’s a HUGE reduction in risk over having to worry about that stuff plus the entire IT infrastructure.

“And someone will still beat it by some other means.”

Incorrect. This is a false assumption you often make, along with not attaching a severity rating to “beat it.” They may beat it by some other means. And this may cause anything from annoyance to devastation. The sheer number of companies that have existed for years without very costly security breaches proves my point. Each security or risk reduction strategy strengthens a link in the overall chain. Most crooks are opportunists & avoid the high hanging fruit when low hanging fruit abounds. Even most hackers trying to make a name for themselves go for easy targets with big names. ZF0, for instance, hacked a bunch of security writers’ web sites… people too busy doing important things to focus on their web site security.

Remove the low-hanging fruit & make compromising organizations truly hard, the number of compromises & their severity will plummet. That’s my prediction. That’s the point of high assurance and pervasive embedding of security in an organization. It’s not about absolute security: it’s about being reasonably sure you will be secure & make it through whatever happens. Commercial standards don’t allow this. Only high assurance does.

Nick P • September 26, 2011 3:36 PM

“Thanks very much. You must be one of the wise men that were Dr. Schneier alternatives.”

I appreciate the complement. I’d call myself wise in that my successes and foolish mistakes over the years have taught me well. 😉

“I assumed the second since any hacker worth his salt (or chop suey) would be putting false IP source addresses in his packets (isn’t that what spoofing is all about”

Well, not really. Especially in the 90’s, movies like to push this idea that hackers had tools that just magically anonymized them (or govt’s could magically trace their exact location). The problem is that putting a false return address on a packet means any return packets go to the false address. A hacker interacting with a machine must receive those packets. Hence, they have to go in his direction. The data might go through relays, different protocols, whatever. But, it ends up at a computer with the IP address of an attacker. Everything in between is breadcrumbs.

The most popular schemes for anonymity are using others’ WiFi, SOCKS-style proxies, Tor, and botnets. SOCKS and Tor have serious trust issues. WiFi and botnets are safer, especially if they are in China & the US is asking for access. (Sending data through opposing or politically volatile countries is a trick I came up with a decade ago to prevent police cooperation.) Each anonymity method requires different tracing strategies. However, it’s likely that the attackers were using the public end of the University’s Internet connection (maybe with relays) & were therefore easy to trace. They can get away with not investigating the students because (1) they can say it was a relay, (2) the students computers were botnet-controlled, or (3) the NSA’s investigation was accidentally or deliberately flawed.

“2. Next, if there’s a problem with this why aren’t the perps using a safe house in, say, Kiev–or Santiago Chile or Capetown SA? Does it make any difference?”

China is the safest place for a Chinese perp to be, especially if they’re still working for the Chinese.

“3. Yes, the Stuxnet hit was professional, but the requirement, if we assume that the main initial vector was USB sticks and that the SCADA mapping didn’t happen through initial penetrations of the network, was for inside humint. Someone was compromised.”

Indeed. The Russian contractor is the most likely. And Siemens had let NSA pentest their equipment. I prefer not to repeat things like this so Google the Schneier articles on Stuxnet and look at discussions between Clive Robinson and I.

“4. With respect to China’s stealing intellectual property for decades, isn’t the downside risk for the Chinese that they steal a poison pill that literally or figuratively blows up in their faces? That’s the famous Russian gas pipeline blow all over again. How would they take such a thing into account? Theoretically the only way would be to redo all the research to check it, all the development, all the engineering specifications.”

In practice, they are rarely subverted and validation hasn’t been too costly. The fact that they keep doing it shows it’s cost-effective for them. They also have required companies to give the government access to their source code, IP, etc. to operate in their country. Even Windows’ veil was lifted this way. Repeatedly, Chinese companies will spring up with similar products or services. It’s their M.O.

“5. What’s the significance of timing issues when you use multiple relays–so the packets arrive in the proper order?”

The user’s end is what it appears to be: it slows their pages down to something like AOL dialup in 1998. Many specific types of applications (and popular sites in general) are totally unusable with that much slowdown. On the security side, the protocol tries to constantly swap things between nodes in a way where someone watching all nodes can’t tell whose talking. This can require intentional delays on specific packets (or groups of them) at each node. Delays can build on delays. You also need a significant number of computers connected to these relays following the timing discipline on a constant basis so you can make the deniability argument: other people were doing similar-looking things at the same time, so it could have been someone else. AKA: reasonable doubt. And to be clear, I don’t trust Tor & would only use it through an open wifi.

“Why are they doing it in such an ‘in-your-face’ way? Why don’t the Americans stop them? Surely there are ways to monitor suspect IP addresses–since the Chinese evidently don’t bother to cover their tracks–and to block them. Is it that the Americans are doing the same thing to the Chinese?”

Well, we can’t exactly stop them. We do ban IP’s we trace. They just change them. There’s political reprucussions to physically going there to stop the hackers or banning IP ranges of important institutions or ISP’s. There’s also financial consquences for all the US companies that do business there. Look at how Google backed down on the censorship issue. It might also be hard for them to get all the ISP’s and backbone groups to do a ban, as they have a flood of data going through their pipes. And, yes, we’re hitting them (and others) with the same stuff. We just do it less because we’re the ones with Fort Knox (intellectual property, nuclear secrets, etc.) and they’re trying to get the gold.

“8. It is said that the Russians, French and Israelis also have major campaigns of cyber espionage. Why is it that only the Chinese are singled out? Is this the marketing of big contracts all over again?”

Well, the Chinese are the primary threat. We stomped the Soviet Union into the ground. The last country as powerful and influential as us is China. They’ve displayed it by stating they don’t rely on us much for imports, they rarely visit us, and they don’t tie their currency to ours anymore. They also have hit us with the largest espionage campaigns at every level of government and industry. They also have a very strong military presence thanks to good old fashioned Russian engineering. This makes them superpower No. 2 and opponent No. 1.

Now, the next biggest enemies are Russia and Israel. Yes, you read that right: Israel. The leaked British MOD Security Manual put that country in the top 3 of threats due to how much espionage Israeli’s target them with & its sophistication. Mossad targets us to take what they want while simultaneously helping us in the middle east. You should know they’re are highly trained & well-equiped: your tax dollars paid for it. (lol)

As for Russia, the FBI has said in press releases that they’ve got more spies here now than during the Cold War. Additionally, the MOD manual said Russian intelligence could get you in a bugged room even if you booked a new room at the last minute. As for the rest, not including enemies of the US, they are lower priority: intelligence is mainly used to get critical information from them & give us an edge during contract/treaty negotiations.

It helps to remember that it’s all a game. Every country is using every other one for their own benefit. Most of the time, everyone benefits to some degree. Some countries win or lose often. Some loose everything. “Cyberweapons” are just newer toys they will use in the game they’ve always played. Deniability, low cost, ease of use (i.e. exploit kits), and gains from theft of information are what make them so appealing.