Schneier on Security
A blog covering security and security technology.
August 5, 2011
Friday Squid Blogging: Severed Hand is Actually A Dried Squid
I just can't make this stuff up:
A report of a severed hand found at an Oahu seabird sanctuary has turned out to be dried squid.
Remember: if you see something, say something.
Again this week, please use the squid post to talk about the security stories in the news that I didn't cover.
Posted on August 5, 2011 at 4:24 PM
I'm really glad she said something.
Bruce, the day you do start making stuff up is the day our heads explode.
I don't get the squid stuff...
Is it part of some stego exercise?
@TimH -- It started in the blogosphere with "Friday Catblogging", which led to Pharyngula's Friday Cephalopod filler posts, which propagated through various science blogs. Schneier's been doing it since 2006.
Oh my god. Great button on this story. I laughed really hard.
Expert hacks car system, says problems reach to SCADA systems
Researcher Don A. Bailey will be showing at the Black Hat security conference next week how easy it is to open and even start a car remotely by hacking the cellular network-based security system. Even more disturbing is the message that demonstration brings, that cars aren't the only things at risk.
Read more: http://news.cnet.com/8301-27080_3-20083906-245/...
Amazing. We finally have a Friday squid topic that's related to security? What is the world coming to?
"Amazing. We finally have a Friday squid topic that's related to security? What is the world coming to?"
It's happened before. It's not common, but this isn't the first time.
It looks like Anonymous released a huge amount of personal data and e-mails from hacked law enforcement sites this morning. They claim it's mostly out of spite for the people who were arrested in the last month.
I think they're going to lose a lot of public support after this. Most people won't look favorably on releasing the names/SSNs of informants or police officers that are completely unrelated to the arrests.
Link to full story
The most amusing security-related part of the story is that apparently several of the police departments moved to new servers last week after the hacks were announced but they moved the same security holes along with them.
Titled "Getting Root on the Human Body", it covers an area of security that at present is nonexistent.
For various reasons (including US health insurance company policy) the number of implants going in people is rising rapidly.
Many of these devices have open (wireless of various forms) communications channels with full control over the implant's behaviour and long term settings.
There is already considerable concern by A+E / first responders as there are well over 150 different protocols, which is driving calls to have a one-size-fits-all standard. However I've not seen any sign that those calling for such compatibility standards have even considered, let alone paid attention to, the issues of security.
This problem of "change to kill/maim" might sound a little like a movie plot but the lack of both security and reliable auditing in implanted medical electronics means that it is actually not that difficult to do currently.
@ A Blog Reader:
Easily defeated by searching through https://ssl.scroogle.org.
For those who for some reason have problems with Scroogle, https://encrypted.google.com also provides a certificate and, unless your ISP is *very* corrupt and doing MITM attacks on its customers, should avoid the issue.
Re: LE sites hacked by Anonymous:
"The most amusing security-related part of the story is that apparently several of the police departments moved to new servers last week after the hacks were announced but they moved the same security holes along with them."
IMHO, the most amusing part was
"Tim Mayfield, a police chief in Gassville, Ark., told The Associated Press that some of the material posted online — including pictures of teenage girls in their swimsuits — was sent to him as part of an ongoing investigation. He declined to provide more details."
Aside from the name of the town, how exactly are teen girls in swimsuits "part of an investigation"? ... there's no implication of kidporn. Perhaps the Chief himself was doing his own, uh, "investigations"? lol
One of the Ars writers lost his Droid and found it using location software. The thing is, it didn't have that software when he lost it. He remotely installed it while a cabbie that took it was trying to reactivate it. The Android Market lets you remotely install, a convenience. So imagine the fun one can have with all the Android users whose password is password. Easy enough for the kids to do, just get into their Gmail account. Gotta love single sign-on.
“We hope that not only will dropping this info demonstrate the inherently corrupt nature of law enforcement using their own words, as well as result in possibly humiliation, firings, and possible charges against several officers, but that it will also disrupt and sabotage their ability to communicate and terrorize communities...” a note outlining the leak said.
“We have no sympathy for any of the officers or informants who may be endangered by the release of their personal information… we want them to experience just a taste of the kind of misery and suffering they inflict upon us on an everyday basis. Let this serve as a warning to would-be snitches and pigs that your leaders can no longer protect you: give up and turn on your masters now before it's too late.”
I love these guys! They're absolutely right on all counts with this release.
What interests me is apparently these emails come from FIFTY SIX separate departments. If that isn't a wakeup call for cops to improve their IT security, I don't know what is. Clearly they have none at the moment.
Tommy: This wouldn't be the first time a Chief of Police went down for child porn claiming it was "part of an investigation". It's happened before.
AntiSec hit the jackpot with that one. I'm sure there will be more reveals.
Heh, heh, I like this quote from Antisec's Pastebin:
// NOW THIS LOOKS INTERESTING
// YOU BETTER BELIEVE WE CALLED release_inmate() MORE THAN A FEW TIMES
$date = date("Y-m-d");
$time = date("Hi");
$query = "update dymin_jail_roster set release_date = '$date',
release_time = '$time' where booking_num = '$booking_num'";
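The quoted snippet builds its UPDATE by splicing $booking_num straight into the SQL text. The snippet doesn't show where that value came from, and AntiSec say they called release_inmate() themselves after rooting the box, so nothing below claims injection was their way in. As an added example (my code, not from the page or from the leaked application), here is what that interpolation pattern permits once the booking number is attacker-controlled, next to the parameterized form of the same update. The table and column names mirror the quote; the rows, the timestamp and the injected value are constructed.

```python
import sqlite3
from datetime import datetime

# Constructed sample roster: three bookings, none released yet. Table and
# column names mirror the quoted snippet; the booking numbers are invented.
SAMPLE_ROWS = [
    ("A-1001", None, None),
    ("A-1002", None, None),
    ("A-1003", None, None),
]

# Fixed timestamp so results are reproducible (the PHP used the current time).
STAMP = datetime(2011, 8, 5, 16, 24)


def fresh_roster():
    """In-memory SQLite database holding the sample roster."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table dymin_jail_roster ("
        "booking_num text primary key, release_date text, release_time text)"
    )
    conn.executemany("insert into dymin_jail_roster values (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def release_inmate_interpolated(conn, booking_num, stamp=STAMP):
    """Same construction as the quoted PHP: date("Y-m-d"), date("Hi") and the
    booking number are pasted into the SQL string, so the booking number is
    parsed as SQL rather than treated as data."""
    release_date = stamp.strftime("%Y-%m-%d")
    release_time = stamp.strftime("%H%M")
    query = (
        f"update dymin_jail_roster set release_date = '{release_date}', "
        f"release_time = '{release_time}' where booking_num = '{booking_num}'"
    )
    conn.execute(query)
    conn.commit()


def release_inmate_parameterized(conn, booking_num, stamp=STAMP):
    """Hardened form: the values travel as bound parameters, never as SQL."""
    conn.execute(
        "update dymin_jail_roster set release_date = ?, release_time = ? "
        "where booking_num = ?",
        (stamp.strftime("%Y-%m-%d"), stamp.strftime("%H%M"), booking_num),
    )
    conn.commit()


def released(conn):
    """Booking numbers that now carry a release date, sorted."""
    rows = conn.execute(
        "select booking_num from dymin_jail_roster where release_date is not null"
    )
    return sorted(r[0] for r in rows)


# A value that closes the quoted string and widens the WHERE clause to every
# row. Nothing in the thread says the real application accepted such input;
# it is constructed to show what the interpolation pattern permits.
INJECTED = "x' or '1'='1"


def demo():
    """Released bookings for: a genuine booking number through the interpolated
    query, the injected value through the interpolated query, and the same
    injected value through the parameterized query."""
    c1 = fresh_roster()
    release_inmate_interpolated(c1, "A-1001")
    c2 = fresh_roster()
    release_inmate_interpolated(c2, INJECTED)
    c3 = fresh_roster()
    release_inmate_parameterized(c3, INJECTED)
    return released(c1), released(c2), released(c3)


if __name__ == "__main__":
    legit, injected, bound = demo()
    print("genuine booking number:", legit)
    print("interpolated query, injected value:", injected)
    print("parameterized query, injected value:", bound)
```

With the interpolated query the injected value releases every row; with the bound parameter the driver compares the whole string against booking_num, matches nothing, and changes nothing.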
Science project briefly shuts down Omaha airport terminal: http://overheadbin.msnbc.msn.com/_news/2011/08/...
As the device was in his carry on bag he most certainly was right there. It baffles me as to why the terminal had to be shut down to determine it was a benign object.
@ RSH on LulzSec
Not sure if I want to download that. Risks and all. ;) But here's an entertaining part of LulzSec's press release showing just how untrustworthy & incompetent these cops were. Happy reading all!
"// A TALE OF TWO OWNINGS
It took less than 24 hours to root BJM's server and copy all their data to our
private servers. Soon after, their servers were taken down and a news article
came out suggesting they received advance FBI "credible threat" notice of a
"hacking plot". At this point it was too late for them because the stolen files
were gonna get leaked regardless. However we were surprised and delighted to see
that not only did they relaunch a few sites less than a week later, but that
their "bigger, faster server that offers more security" carried over our
backdoors from their original box. This time we were not going to hesitate to
pull the trigger: in less than an hour we rooted their new server and defaced
all 70+ domains while their root user was still logged in and active.
We lol'd as we watched the news reports come in, quoting various Sheriffs who
denied that they were ever hacked, that any personal information was stolen,
that they did not store snitch info on their servers. Many lulz have been had as
we taunted the sheriffs by responding to their denials by tweeting teasers
exposing their SSNs, passwords, addresses, and private emails. We also took the
liberty to backdoor their online store and capture a few credit card numbers,
which were used to make involuntary donations to the ACLU, the EFF, the Bradley
Manning Support Network, and more. Despite active FBI investigations and their
additional security measures, they could not stop us from owning their servers,
stealing their identities, and dropping all their data. Two weeks later only a
few of the sites are up with limited functionality as we scared them into
removing any dynamic PHP scripts, forcing them to use static HTML content.
A recent DHS bulletin has called us "script kiddies" that lack "any capability
to inflict damage to critical infrastructure" yet we continue to get in and out
of any system we please, destroying and dropping dox on the mightiest of
government systems that are supposed to be protecting their sick nightmare of
"law and order". GIVE UP. You are losing the cyberwar, and the attacks against
the governments, militaries, and corporations of the world will continue to
Hackers, join us to make 2011 the year of leaks and revolutions."
Nick P: It does raise the interesting question: If they actually do get enough hackers working overtime on breaking into government systems, cop systems, and corporate systems, at what point will the FBI be so overworked chasing each and every individual hacker down that it becomes impossible to stop the leakage?
If the Chinese want to jump in, that's about three hundred thousand hackers right there. Between the other four continents and Australia, you could probably raise a "hacker army" of an equal number.
Or are we already at that point? :-)
@ Richard Steven Hack
It's already impossible to stop the leakage. The best the governments can do is reduce opportunities for leakage, increase monitoring to reduce impact of compromises, take down sites hosting leaked material, and go after high value targets. This is the least they can do. They aren't doing it to any serious degree. So, they won't make a dent on the situation.
In other news, Australia's Defence Signals Directorate (i.e. Aussie NSA) posted a set of best practices for securing networks. The guidelines were based on an analysis of many compromises of government networks. Each guideline is rated with metrics like how much damage it usually prevents, how costly it is, and how hard it is to set up and maintain. The metric breakdowns are excellent. They found that just four easy practices prevent the vast majority of compromises. That FBI and company aren't even good at these four says a lot.
DSD Top 35 strategies to mitigate targeted cyber intrusions
The guys on this panel just don't get it:
Researchers: Anonymous and LulzSec Need to Focus their Chaos
"But Corman said the groups would be better off focusing their energy on more significant things like taking down child-exploitation sites."
He's an idiot. These hackers don't care about that stuff, that's simple law enforcement. These hackers are anarchists - or trying to be, anyway. Their targets are, correctly, government, law enforcement, the military industrial complex and the security industrial complex - precisely the sources of the nation's woes.
Another panelist said, "“If you’re going to do this, then find the real dirt". That does make some sense. But that doesn't mean that the other methods these groups are using aren't useful as well. To a computer security expert, they may not be impressive attacks. But the impression made on the public at large is also valuable. Terrorism has to play to the media and it has to explain itself or else the public will turn against it and make it harder to be effective.
"Krypt3ia accused the groups of not having real goals but of simply wanting “to smash things” and then coming up with a cause for their hacks afterward to defend their actions."
This is probably true for a number of these individuals, but it's also irrelevant.
"He noted that due to the nebulous nature of Anonymous and LulzSec that allows any hacker to claim he’s a member of the groups, corporate spies and nation-state actors can now hide their activities under the umbrella of Anonymous to draw suspicion away from them."
This is just BS. It's an attempt to tar and feather these groups by association. Of course, others can hide in the general wave of hacking. But does he think those other actors AREN'T acting anyway? It's idiotic.
"Jericho called on the community to “build a better Anonymous” to create one that wouldn’t cause as much collateral damage from its actions and could have a beneficial effect on the security industry. He suggested that Anonymous and LulzSec might have a role to play in improving computer security by hacking companies that fail to secure their systems despite repeated warnings that they’re vulnerable."
And he doesn't get it either. The goal isn't to "improve computer security" - at least not for most of these hackers. Why would they put themselves out of business (assuming that's even possible, which it isn't?) The goal is to use the sad state of computer security - in fact, the impossibility of computer security - to rock the boat more generally in social terms.
This panel in my view was composed of people who are just jealous that Anonymous gets more press than they do.
Nick P: Just read that Australian page. I have a couple comments.
First, this statement:
"While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010."
These are the top four strategies they're talking about:
"1) Patch applications e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.
2) Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.
3) Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.
4) Application whitelisting to help prevent malicious software and other unapproved programs from running e.g. by using Microsoft Software Restriction Policies or AppLocker."
With the exception of the latter, I find it interesting that, combined with their statement that doing these would have prevented most of their incursions in the last two years, it pretty well establishes that they WEREN'T doing those four things.
And those four things are the VERY LEAST any organization should be doing, no matter how small, let alone the other listed measures.
So all that does is reinforce the fact that their security sucks.
The rest of the list is more interesting in terms of effectiveness at actually mitigating a determined, competent attacker. But it also illustrates just how much WORK has to go into doing so - and thus why so few organizations do it all. It's bloody hard - and bloody hard to do it sufficiently correctly that there aren't implementation failures.
To expect smaller organizations to do all this stuff is utterly unrealistic, if even major corporations aren't willing to bite the bullet and do them all.
And if you leave just ONE of those things out, you're screwed. Because a determined, competent attacker will find it.
And even if you do ALL of those things, it's still possible for a determined, competent attacker to get in. It's just harder.
Basically, all this stuff does is "keep out the riff-raff". Which is valuable, of course.
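As an added example (my code, not the DSD's and not anyone's in the thread), here is how one might check a fleet against those four strategies in bulk, so that "we do the top four" becomes a per-host yes/no with evidence. The inventory is constructed: hostnames, users, products and dates are invented, and collecting the real data (vendor patch feeds, admin group membership, SRP/AppLocker enforcement state) is outside the script.

```python
from datetime import date

# Constructed host inventory for illustration only; hostnames, users, products
# and dates are invented and are not taken from the DSD document or the thread.
INVENTORY = [
    {
        "host": "ws-01",
        "pending": [  # patches the vendor has published but the host has not applied
            {"kind": "app", "name": "PDF viewer", "risk": "high", "published": date(2011, 8, 1)},
            {"kind": "os", "name": "kernel update", "risk": "low", "published": date(2011, 7, 20)},
        ],
        "admins": [{"user": "alice", "separate_unprivileged_account": True}],
        "whitelisting": "enforce",
    },
    {
        "host": "ws-02",
        "pending": [
            {"kind": "os", "name": "kernel update", "risk": "high", "published": date(2011, 8, 4)},
            {"kind": "app", "name": "Java", "risk": "low", "published": date(2011, 7, 1)},
        ],
        "admins": [{"user": "bob", "separate_unprivileged_account": False}],
        "whitelisting": "audit",
    },
    {
        "host": "srv-03",
        "pending": [],
        "admins": [{"user": "carol", "separate_unprivileged_account": True}],
        "whitelisting": "enforce",
    },
]

TODAY = date(2011, 8, 5)      # assessment date for the constructed data
PATCH_WINDOW_DAYS = 2         # DSD: patch or mitigate high-risk vulnerabilities within two days


def overdue(pending, kind, today):
    """Names of high-risk patches of the given kind outstanding past the window.
    Low-risk patches don't count against strategies 1 and 2."""
    return [
        p["name"] for p in pending
        if p["kind"] == kind and p["risk"] == "high"
        and (today - p["published"]).days > PATCH_WINDOW_DAYS
    ]


def top4_failures(host, today=TODAY):
    """Map of failed strategy number (1-4) to the evidence for the failure.
    An empty map means all four hold on this host."""
    failures = {}
    apps = overdue(host["pending"], "app", today)
    if apps:
        failures[1] = apps                                   # application patching
    os_patches = overdue(host["pending"], "os", today)
    if os_patches:
        failures[2] = os_patches                             # OS patching
    shared = [a["user"] for a in host["admins"] if not a["separate_unprivileged_account"]]
    if shared:
        failures[3] = shared                                 # admins browsing/mailing as admin
    if host["whitelisting"] != "enforce":
        failures[4] = [host["whitelisting"]]                 # whitelisting not enforced
    return failures


def fleet_report(inventory=INVENTORY, today=TODAY):
    return {h["host"]: top4_failures(h, today) for h in inventory}


def fully_covered(inventory=INVENTORY, today=TODAY):
    """Hosts where all four hold. DSD's 70-85% figure is for the four applied
    together, so a host failing any one of them doesn't get that benefit."""
    return sorted(h["host"] for h in inventory if not top4_failures(h, today))


if __name__ == "__main__":
    for host, failures in fleet_report().items():
        print(host, "OK" if not failures else failures)
    print("all four in place on:", fully_covered())
```

On the constructed data ws-01 fails only strategy 1 (a high-risk application patch four days old), ws-02 fails 3 and 4 (its OS patch is one day old, inside the window), and only srv-03 has all four in place.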
On the Panel
Yeah, they do appear to be mostly misguided. My take on Anonymous & AntiSec are that they are primarily a social phenomenon with social goals. In any such group, you'll have the people who just want to be part of the group (cool factor), the people who like the activities, the somewhat ideological ones and the zealots. These distinctions are evident in both Anonymous and AntiSec groups. So, an analysis is ridiculous when it starts with notions like getting better dirt or they all just want to smash things.
I think Jericho's got a nice view. He's just got the wrong crowd. Like you said, these groups are trying to get press and make a statement. Be it social or political, it's obvious that taking out corrupt or shoddy organizations is just a side effect, sometimes an intentional secondary goal. I do think an organization like Jericho is fantasizing about could spring up and would certainly be useful. Basically, the breaches and bad publicity that comes with being targeted by such a group puts a price on insecurity. RSA's breach cost $50+ million. You can bet they've significantly improved their security practices. Like Jericho, I see a use for such a group. It's irrelevant to a discussion on motivations of AntiSec and hacktivism, though.
On DSD Guidelines
"With the exception of the latter, I find it interesting that, combined with their statement that doing these would have prevented most of their incursions in the last two years, it pretty well establishes that they WEREN'T doing those four things."
My thoughts exactly. Hopefully, the compromised systems they studied that didn't use Rules 1-4 weren't located within the DSD. Their reputation might start looking like certain American security-focused agencies.
"But it also illustrates just how much WORK has to go into doing so - and thus why so few organizations do it all. It's bloody hard - and bloody hard to do it sufficiently correctly that there aren't implementation failures."
Certainly. That's why I advocate using alternative approaches to delivering many services and solutions that totally mitigate certain attacks & reduce the risk of others. For instance, deploying an OpenBSD based web server & following online secure configuration guides (even lay people can do step by step instructions) would often prevent a defacement of a web server. Hell, the OpenBSD team even removed the DNS vulnerability from BIND months before it was even "discovered" and all over the news. Managed platforms with baked in security and dedicated [hardened] appliances for critical applications also improve the security stance of the infrastructure.
The point is that you're certainly right that following all of these guidelines is hard. The reason is that the guidelines are designed to try to duct tape together many pieces of software (read: garbage) that were never properly engineered to hold up to the stresses of the environments they're deployed in, much less malicious users. Ditching all the garbage like HTTP stacks, Samba, and SOAP/XML wherever possible makes it much easier to build robust and secure networks.
It actually doesn't take a lot of work to remove the low hanging fruit. It just takes some effort, common sense & awareness of the proper approach to building rock-solid infrastructure. Example: The more complex & bloated the product, the more bugs will be there.
"He's an idiot. These hackers don't care about that stuff, that's simple law enforcement. These hackers are anarchists - or trying to be, anyway. Their targets are, correctly, government, law enforcement, the military industrial complex and the security industrial complex - precisely the sources of the nation's woes."
When people make comments like the one you refer to I'm never sure if the person themselves are an idiot or whether the comments are directed at people who they think are idiots and will swallow the line.
In any event, I don't think the proper analogy for the recent hacker groups is anarchy in the way that term is used today. It reminds me more of abolitionism. That was a significant social movement that never had a figurehead and was more a series of loose social grouping made up of "fellow travelers" than an organized structure. And I'd argue that fact was precisely what made the abolitionist movement in the long run so effective. If there is no head, you can't behead it. You kill a cell, it just recombines quickly into another cell. It almost functions like a cancer with the understanding that I use that word in a descriptive and not a pejorative sense.
The biggest issue currently is the woeful nature of security itself. If security was tight and it took an expert to get in then arresting a few of those experts and throwing them in prison might put a damper on things. But when security is so bad that any script kiddie can download Backtrack and be in the front door of an LEA in an hour or two there is a limitless supply of recruits out there. The same thing that made the Civil War so deadly was the same thing that allowed Grant to win the war. Technology changed so that any idiot could pick up a gun and shoot it. The south was better armed and better trained but Grant just overwhelmed them by sheer force of numbers.
The point being is that if you give me 15,000 random script kiddies up against 1000 NSA computer experts the kiddies are going to win that war over the long term. There are too many different avenues of attack, too many vulnerabilities for the LEAs and spy agencies to cover them all. IMO the day when cyber warfare was waged by set pieces of expert vs expert is quickly going the way of the dodo bird in the same way the Civil War saw the end of traditional battle formations.
One way or the other America is in the throes of significant social change. The motive for the change is ultimately generational---the passing of the Boomers that have dominated public life for the last 30 years. The tactics and the strategy might be old but the battlefield--cyberspace--is new. Right now, the hackers (loosely defined) are showing an energy and spirit that the establishment has yet to articulate a counter to. Saying that this movement should go after child porn is such a feeble response it's pathetic.
"When people make comments like the one you refer to I'm never sure if the person themselves are an idiot or whether the comments are directed at people who they think are idiots and will swallow the line. "
It's your comment that concerns me. RSH's comment is very consistent with the statements and actions of both Anonymous and AntiSec groups. They typically act self-centered, act in the interest of their group, and attack the establishment and power figures. Anti-government and individualist statements are common. (The statements on the Sheriff leak come to mind.) This jibes with RSH's claim nicely. I think his claim is overly broad and simplistic, but it covers much of the groups & their behavior. Does that sound idiotic to you?
"Technology changed so that any idiot could pick up a gun and shoot it. The south was better armed and better trained but Grant just overwhelmed them by sheer force of numbers. "
It's a nice analogy for COTS security. It's incomplete though. The attackers have one weapon that is easy to operate and maims/kills what's in its path. In the IT security situation, there's many weapons, defenses, tactics & even guards so to speak. Additionally, the targets walk openly in no-man's land in front of the shooters, take risky practices for convenience, & even continue to expose themselves even while being shot at. The situation could be said to be both more complex & damaging than the Cold War.
"The point being is that if you give me 15,000 random script kiddies up against 1000 NSA computer experts the kiddies are going to win that war over the long term. "
If it's mandated that the expert advice is followed, I totally disagree with you. There are known, workable strategies for eliminating entire classes of attack & producing low-defect, high security systems. Give me 100 NSA experts & I can produce frameworks/tools/whatever across the board to force attackers to use physical presence, social engineering or extreme sophistication to get anywhere. (Many already exist, like Aesec's GEMSOS, making the job easier.) Then, you have to hire the equivalent of 100 NSA-grade black hats, enlist black bag operators, and buy expensive espionage gear to accomplish feats similar to those on the news today.
The ease of exploiting systems remotely via software is an issue that arises from psychological, market and legal forces. Invulnerable, or nearly so, systems have been built in the past and many continue to operate. A similar approach to areas other than firewalls, email & trusted OS's would likely achieve similar results. We can build systems good enough to stop the best of Anonymous & LulzSec, even 15,000 of them. (DDOS excluded ;) It's just not happening.
"Right now, the hackers (loosely defined) are showing an energy and spirit that the establishment has yet to articulate a counter to."
This much is true. Press releases, sporadic investigations, NSA "secure configuration guides", and DSD mitigation guidelines aren't even a parry to the recent blows of the AntiSec movement. Due to the factors I mentioned previously, the establishment won't win unless they force all citizens & companies to use high assurance products, the cost of which is unthinkable. Even forced use of high assurance in just the most critical areas in typically inexpensive products would be met with huge political resistance. So, over the long run, there will be no counter. The AntiSec movement are unstoppable mosquitoes, both in numbers and effect.
"Saying that this movement should go after child porn is such a feeble response it's pathetic. "
See why we call them morons? :)
Pardon my blathering here...
One thing about Anonymous, they keep being called 'script kiddies'. That implies a kind of ability and mentality that deeply underestimates them. From what they say, they don't like that very much.
I think Anonymous actually seemed to 'become' who they are when they went after the Church of Scientology.
Now, some authorities keep insisting that Anonymous are actually Chinese spies. But that doesn't explain an interest in Hubbard's religion. When they went after them, like they did the Westboro Baptist Church, they were interested in what the Scientologists had done to someone's kid ( I think...).
So far, whatever anyone says about their abilities on a keyboard, they have already got a long list of fairly large and well known entities. They claim, even, to have attacked NATO's db.
They've made some social rebellion moves over the last year. SOME part of Anonymous is only interested in that kind of thing. And the more they are insulted, ( baited really ), by various 'authority' agencies, the more Anonymous does.
To me, the rise of hacktivism has a lot to do with how most people feel about openly protesting about what's bothering them. They're afraid to. The WWW provides the mask, and the means, to get traction against perceived or real abuses. It's kind of sad in a way, because it means, by and large, that people really DO believe that the days of being an open activist are over. The feeling that one cannot exercise a right to object openly without fear of serious reprisal, kind of adds weight to Anonymous' arguments. ( I mean a lot of this from an American perspective btw...).
Here in America, we're supposed to be able to do that but hardly do. Then you've got people under extremely repressive governments who ARE willing to hit the streets. I can see where the core 'maintainers' would be, then, Americans or people living in more liberal environments.
Anyway, Anonymous' targets aren't exactly lightweights so blowing them off as 'script kiddies' or something like that seems silly.
The same tool has many different uses. If Facebook were only being used for revolutionary means, it would be easy to shut down. But it's also used by people who post pictures of their cats. I think that's part of the problem for people trying to enforce network security.
The more governments try to prevent people from shouting, especially right now, the more trouble they're going to have I think. If the protests, such as Anonymous', get bigger and become more important in the meat world ( as they seem to be spreading now ), then Anonymous might feel less insistent.
Besides, if you look at some of the YouTube vids of Anon, unless someone's fudging the numbers, they don't get all that many views as compared to say, Lady Gaga's meat dress does.
Chasing after Anonymous, to me, only makes sense if it is a case of actual foreign espionage. I've heard we're so far behind the Chinese on this that it's beyond embarrassing. So, why not focus resources on spying back, rather than insulting and ticking off these hacktivists all the time and then chasing them down? The manpower and money spent arresting them, putting them up, ( and damaging them if they're innocent btw ), and then trying to prosecute them would be better spent spying back on the people who've been stealing info on nuclear programs, wouldn't it??
I wonder what would happen if the FBI came out and said,"Anonymous, we're not coming after you anymore. We agree with everything you say. Consider this a ceasefire on our part. Take care." ?
But, it might turn Anonymous' attentions to squids, which would suck.
Nick P/Daniel: I think you're both right.
If the government and corporations developed and used the kind of high-security products Nick talks about, sure, they could stop the CURRENT crop of Anonymous types.
But then: "you have to hire the equivalent of 100 NSA-grade black hats, enlist black bag operators, and buy expensive espionage gear to accomplish feats similar to those on the news today."
I don't think so. What would happen is that the Anonymous types would just get better. Those 15,000 "script kiddies" would whittle themselves down to those 100 (or 1,000) NSA-grade black hats.
And you'd be right back where you started - at my meme.
Which is a result of the impossibility of either governments or corporations fulfilling my list of requirements for anything resembling "security", i.e. 1) no one knows who you are, 2) no one knows where you are, 3) no one knows your motivation or purpose, 4) you are mobile, and 5) you have overwhelming local firepower.
No fixed organization or facility can achieve that. And that is why "security" for such as an absolute is an impossibility - or close enough to it for horseshoes or government work. The best they can achieve is to keep out the "riff-raff" - which would probably include these Anonymous types AS THEY ARE TODAY - but not as they would evolve tomorrow in the face of such an attempt at achieving security.
Me2: You might be right about the motivation being the inability of anyone to effectively protest the state of the US society and government.
Unfortunately, these groups' efforts won't do anything to change that. Which is why they should make an effort to get the really serious dirt on the government rather than the low-hanging fruit. Like Gary McKinnon, who was trying to find out if the US government was covering up UFO information. Imagine what would have happened HAD HE FOUND IT!
Imagine if Anonymous found a "smoking gun" document that proved Dick Cheney was involved in 9/11? That would shake things up, at least a little bit.
Right now, Anonymous tactics are fairly broad and loose. Hitting a bunch of cops is nice propaganda, but it doesn't do much more than make a bunch of idiots go "tsk-tsk" and the cops to tighten up their Web sites. Anonymous needs to do what I intended to do (physically) back in the day: hit the top ten thousand people running this country and expose their backroom dealings and the consequences in terms of war, economic problems, etc.
Exposing the System's security weaknesses is not the same as exposing the System. If Anonymous really want to be "hacker anarchists" (or "anarchist hackers"), they need to go after the System and its rulers, not just the grunts in it.
@ Nick P,
"My take on Anonymous & AntiSec are that they are primarily a social phenomenon with social goals... ...an analysis is ridiculous when it starts with notions like getting better dirt or they all just want to smash things."
It is also unnecessary, what we need to do is regard "Anonymous & AntiSec" in a more biological sense such as an irritant which carries a potentially lethal parasite. Such examples being rats and "the black death" and mosquitoes and malaria, but remembering that on the Internet everywhere is local, so distance prevention does not work as a strategy.
The political fraternity don't really care about specific organisations or actions it's the whole "Internet" that scares them because they neither understand it nor can currently control it. They actually live in dread of saying anything meaningful because somebody will either remember previous words or deliberately misinterpret previous words to push a different agenda (I'm sure the recent debacle over budget setting in the US will give enough examples of how a very minority view can be pushed to the fore, without getting into a partisan debate on them on this blog).
When it comes to non political or federal government and below it is a similar "fear" that drives them as well as a greed to capitalise on others' misfortunes and others' fears (such as those of the appropriating politicos).
Likewise with corporate entities.
It is all about controlling "image" and concealing the "excesses" carried out at the expense of others. George Orwell has given us appropriate names and memes for the attendant behaviours.
Knowing this we can to a certain extent predict what the response to the irritant is going to be, as they are easier to see than the potentially lethal parasite they carry.
Thus I predict that the response will be against the organisations carrying out the attacks not the potentially lethal parasites of the attack vectors used.
History tells us that the solution to the Black Death was not trying to eradicate the rats but other health care issues culminating in the antibiotics that rendered the plague ineffective.
History further teaches us what happens when you do only a half (at best) job, the parasites evolve and become stronger, they appear to develop "a will to survive". We have seen this with Malaria, where unlike smallpox the desire to eradicate it has never been up to the task. Thus the medication becomes ineffective and considerably more difficult to develop as the parasite gains strength.
Back in 2000 I made it fairly clear that the approach to online security the banking industry was taking was self defeating because they were "teaching the attackers to climb mountains", by only making minor increments in security. And a decade or so later history has proved me right, in that some of the "impossible at the time" ideas such as driver shims I predicted have become not just possible but normal...
We have two solutions to the parasite of attack vectors, we can out evolve them or develop effective antibiotics. Of the two only the former will be effective in the online world. Because unlike a biological parasite which does not have a directing mind the parasites of the attack vectors are found by enquiring minds that pass the knowledge to the directing minds one way or another and further the internet is "local" in that there is effectively no distance metric by which you can move away from the parasites.
However I feel confident in predicting that those with a vested interest will use the various Orwellian methods of persuasion to ensure that the course of action taken by the Politicos etc will not be the one that is effective, merely profitable for them.
Thus we will not bite the bullet and go down the "Secure by design" path for OS and Apps, just the "sticking plaster for broken bones" methodology which has failed us so well for more than twenty years.
And obviously this means that the Feds and LEOs "must be seen to act" and will thus continue to round up the more "obvious members" of the various "hacktivist" organisations rather than those who are more skilled at being "less obvious"...
As for the politicos they will demand "action this day..." without any knowledge of what should be done and the likes of the DHS will happily invent new forms of "Security theater" to further their own aims, just as J Edgar Hoover did for half a century with the FBI all those years ago. The face may have changed but the puppeteer game is still the same one.
@ Nick P.:
"Two weeks later only a few of the sites are up with limited functionality as we scared them into removing any dynamic PHP scripts, forcing them to use static HTML content."
Wow, what a brilliant counter-strategy! Let's *all* go back to static HTML content, or even better, plain text and still image content, other than for dedicated video sites. Savings in bandwidth for server, ISP, and user. Faster-loading pages. *Far* fewer opportunities for exploit.
Get rid of all this executable-code-running-in-browsers stuff. Go back to the concept that a browser is an app running on top of an OS platform, and scrap this stupid idea that a browser *is* a platform for running apps, which it was never designed to be.
When I first started using Yahoo mail, uploading and downloading attachments was done directly from the GUI of the existing message. A few years ago, they changed that to requiring the loading of a separate code object, one for uploads and one for downloads. Being naturally paranoid (read, "least privilege necessary"), that's an extra few steps to attempt an attachment so as to call the object to try to load, then allow it in NoScript, then go back to the original e-mail and do the d/l or u/l.
What bugs me is that the previous system worked just fine, and I cannot picture any benefit to *anyone* for the new system. One hates to trot out clichés like, "If it ain't broke... ", but if the shoe fits ... oh, wait, that's another cliché... Well, anyway, this is a prime example of tinkering for no benefit, at increased complexity, with all the attendant costs and risks of complexity.
Sometimes I think sw engrs do this kind of stuff merely to justify the continued existence of their jobs.... naah, they wouldn't do that ..... would they? ;)
I think you misunderstood the first paragraph I wrote. It's comforting to think that people like Josh Corman and the other panelists are "idiots" or "morons". But maybe they are not. Maybe they are saying things which are stupid because they think their audience is stupid. Since I don't know any of them professionally I won't judge. That's all I was trying to say.
"Anyway, Anonymous' targets aren't exactly lightweights so blowing them off as 'script kiddies' or something like that seems silly."
I was using the term 'script kiddies' to make a general point about technological diffusion to the masses and not as a pejorative term targeting any specific group. The point being that taken as a whole the generation that is in their teens today is far more technologically sophisticated than their Boomer grandparents who are running the 'establishment'. That fact alone has consequences.
"Exposing the System's security weaknesses is not the same as exposing the System."
This is a fair comment to which my response is to give it a chance. The social organism evolves. People are radicalized by events. Not everything happens all at once. Time will tell which way it moves.
@ Richard Steven Hack
"I don't think so. What would happen is that the Anonymous types would just get better. Those 15,000 "script kiddies" would whittle themselves down to those 100 (or 1,000) NSA-grade black hats."
It's possible, but I doubt it. The reason is that preventative architectures make it difficult to exploit remotely. It becomes so hard that physical presence is needed for part of the attack, either a physical attack or physically assisted subversion. Hence, black bag job. If the organizations are practicing decent personnel and physical security, the sophistication and effort increase. An insider (or infiltrator) would be needed to enable a remote attack. Hence, 100 NSA-grade black hats wouldn't be good enough. (After all, every A1 or EAL7 class system resisted NSA's best efforts for years.)
Of course, that assumes high assurance. If we go medium robustness, then there is potential for high grade attackers to find and exploit flaws. However, if the protocol stacks, networked devices, software, etc. are designed to this level, many different flaws might be needed for a successful hack. Most successful remote attacks would be very esoteric and require a thorough understanding of the target's internal systems and their configuration. So, even with medium robustness, just throwing brains and bodies at the problem won't be good enough at a site with decent security. Social engineering, covert channels, stealth rootkits and physical compromises would be combined to create major breaches. This is more risk & effort than most people like Anonymous would be willing or capable of pulling off, even a sophisticated future Anonymous.
@ Clive Robinson
"what we need to do is regard "Anonymous & AntiSec" in a more biological sense such as an irritant wich carries a potential lethal parasite. "
Actually, we're on the same page here: my mosquito analogy was intended to convey that. I used mosquito because Anonymous is just a nuisance that causes little harm, with occasional potential for major harm. But the effect they had on HBGary Federal shows that they can be "lethal" in a sense. ;)
"Maybe they are saying things which are stupid because they think their audience is stupid. Since I don't know any of them professionally I won't judge."
Perhaps I did misjudge your comment. Now that you've elaborated, I'll rephrase mine: they're idiots, they're being unethical by treating their audience like idiots, or they're sacrificing professional integrity by peddling foolish nonsense. No matter how I look at it, their panel made no real effort to understand the motives of the antisec groups, nor determine strategies for deterrence. The panel was useless. (Although, it did reveal one coward. ;)
"Wow, what a brilliant counter-strategy! Let's *all* go back to static HTML content, or even better, plain text and still image content, other than for dedicated video sites. Savings in bandwidth for server, ISP, and user. Faster-loading pages. *Far* fewer opportunities for exploit."
It's a good start. However, dynamic web applications are a useful innovation. We can't ditch all that. We've gotten too far enjoying their benefits and industry as a whole has decided the potential risk is a good tradeoff. So, what we'll have to do is replace insecure or shoddy methods of "developing web applications" (read: massaging cow paddies into bigger ones) with strong web engineering frameworks. Safer development tools & security-aware code generators, at the least. Fortunately, some exist and others are in development. Err, being engineered. Well, let's hope so.
"Get rid of all this executable-code-running-in-browsers stuff. Go back to the concept that a browser is an app running on top of an OS platform, and scrap this stupid idea that a browser *is* a platform for running apps, which it was never designed to be. "
Now, THAT is a good idea. One we've discussed before. That I recall, it got its start with the "Agent-Oriented Programming" concept whereby code would be swapped between client and server to make the static web dynamic and smart. At the time, we were using "DHTML" tricks and complex CGI scripts to create an approximation of what became "Web 2.0." The key enabling technologies for Agent-oriented Programming were Compaq's Obliq, Telescript (a true AOP platform), Tcl/Tk/SafeTcl, and Java applets. Most people were betting on Java or Tcl, with some fanatics thinking Telescript would take over.
Surprise surprise when they all failed at the goal and the web community reacted by making browsers smarter, standards richer & the web platform more OS-like. The first time I saw the ECMAScript standard I thought to myself: "We're going to basically let strangers execute arbitrary code invisibly with the user's privileges (often admin back then) & no auditing?" That's f***ing INSANE! Most of the WWW promoters thought otherwise. Kind of like Marcus said about HTTP/FTP & DJB said about Qmail OS issues, they didn't just fix the problem where it existed (OS or presentation layers): they just kept adding layers of work-arounds on top of faulty or inadequate layers. This layering process has happened across the entire OSI layers so much that a major positive change, like maybe Google's SPDY, could break the Internet or prove nearly unworkable from a cost perspective.
Yeah, we must abandon the everything in the browser model. Much effort was put into it. It's like the Titanic after it hit the iceberg, except the people onboard think they can bail their way out when they really need to just BAIL. :)
Marc Tobias, lock picker extraordinaire, makes a DefCon and picks a Kaba 5800 with a wire.
The Kaba 5800 was described as the first lock certified as meeting new US Department of Homeland Security requirements for coded access... The lock is designed to be opened by swiping a key card and then entering a long number code.
"Marc Tobias, lock picker extraordinaire, makes a DefCon and picks a Kaba 5800 with a wire"
I'm not surprised.
I used to design electronic locks back in the 1980's, and you have to realise that an electronic lock consists of two parts,
1, The mechanical locking mechanism.
2, The electronics and actuator.
Thus underneath the elaborate electronics you still have the same old mechanical lock that has not changed much in over a hundred years and in some cases the basic design goes back at least as far as the pyramids if not a lot further.
One of the problems with mechanics is "slop" or "play", mechanical locks need to be made to a lower tolerance than you would think. This is because of such things as sunshine which changes the temperature of parts of a lock more rapidly than others thus causing different rates of thermal expansion, which if the lock were made to too tight a tolerance would cause it to bind and thus be unreliable in operation. Then of course as it's a mechanical item there is also wear which makes the slop / play worse with time.
Wherever there is slop there is "wriggle room", the question then becomes: is there sufficient wriggle to activate the mechanical lock independent of the lock?
If not take one step back up the chain, and ask is there enough slop or play in the actuator or does it have some other weakness that allows it to be triggered?
In electronic locks all the actuators are actually transducers and transducers are bi-directional. For instance a DC motor is also a DC generator, a microphone is also a miniature speaker etc etc.
Importantly not only are they bi-directional they are inefficient. In most cases the inefficiency is caused in part by radiation of energy in their major mode of operation. Anything that radiates energy is susceptible to the same energy it radiates.
For instance a simple actuator like a solenoid radiates a magnetic field when operated. Which means if you generate a sufficient magnetic field in the right way the solenoid will be susceptible to it and you can open the lock...
Obviously you can passively shield against or actively detect the external radiation and provide a lock out mechanism but both add cost and complexity as well as reducing reliability.
And in some cases you might add further avenues of attack...
Assuming that the lock designer has done everything right in the lock and actuator you then have the electronics to play with and the logic / software by which it works.
The major reliability issue with electronics is power, and where do you get it from... and what do you do when the power runs out as it will eventually...
The average mechanical house lock gives fault free behaviour for well over ten years, we don't yet have a reliable battery / electronics solution that will reliably last half that long. Thus the chances are an electronic lock will have easily available contacts where power can be applied so the lock can still be opened...
And this is where the fun starts: some early locks could be opened simply by turning the battery around, or by upping the supply voltage such that the "protection circuitry" around the actuator would cause the actuator to be activated.
Over and above this most electronics are susceptible to external electrical fields. If you know sufficient about what you are doing then you can, using RF generators, inject fault signals into the electronics...
These faults don't of necessity have to affect the electronics, they can just affect the software.
Fault injection via modulated RF carrier was something I was playing with back in the 1980's and nobody appeared even remotely interested. I even emailed the authors of the original DPA paper and they were not interested. I even emailed Ross Anderson when I heard about his self clocking logic as an attempt to get around DPA issues. It has only been in the past couple of years that the academic side has taken any interest.
So I suspect that the majority of electronic locks will be susceptible to all kinds of new and interesting tricks for a long time yet, over and above those of basic lock picking...
@ Nick P,
It appears that Apple's new OS Lion has, despite the fanfare on its MS OS-slaying security improvements, some nasty vulnerabilities due to some major oops by the developers. Worse they are based on attack vectors that are well known...
First up your favourite "FireWire",
Second up what appears to be a simple "replay attack" based on the description,
Additionally what is of quite a bit of interest to Apple OS users is the downgrading of the server product in that they have removed MySQL and the server tools...
@ Clive Robinson
Unsurprisingly, I'm unsurprised. Mac security has always been horrific. They've added a few nice features, but their software will have the same issues as other vendors. Especially considering they insist on using Objective-C instead of safer languages like C# or Java. Their programs are inherently less secure because they're vulnerable to classes of errors modern languages are immune to. And they STILL refuse to get rid of that horrific filesystem they use. Just to show you how backwards Mac development is...
What's wrong with HFS
In answer to your post about making it hard to break high-assurance systems, we've had this discussion before.
I say what Clive said: "And in some cases you might add further avenues of attack..." The more "security" you add to a system - and I know, a lot of high assurance systems are that way because they take OUT a lot of insecure stuff - the more avenues of attack you get.
As Dick Marcinko said in his books and those videos, you have a high security system facing you, you just "pulse" it until they think it's defective and turn it off. Total bypass without any technical sophistication at all.
As the KGB guy said, "The mind has no firewall."
Also as Mental Mouse said: "Never underestimate the ingenuity of a bored child...." Which is precisely what most of Anonymous are.
So despite your confidence in high-assurance systems resisting NSA-level attacks, I still put my money on motivated, competent - or just lucky - attackers who AREN'T the NSA...
Daniel: "This is a fair comment to which my response is to give it a chance. The social organism evolves. People are radicalized by events. Not everything happens all at once. Time will tell which way it moves."
All I can say to that is I'm sixty-two years old and so far in my lifetime it's only gone one way - the wrong way. I do know that sooner or later it's going to come crashing down. But the longer it takes, the worse the crash is going to be. I'm reading a lot of scary stories just this past week about where the global economy is going. And as far as I can tell, it's all intended to go just as it is going.
Which is fine by me. I look forward to chaos as an opportunity to improve my fortunes in more fluid circumstances. That is, assuming I don't get killed in the first day... :-)
XKCD on the platform no longer mattering because of the browser:
Thanks for pointing out the mouse over, I didn't realize that. This one says:
"It's fun to watch browsers fumblingly recapitulate the history of windows management. Someday we'll have xmonad as a Firefox extension."
As you may be aware there was potentially a legal punch up at Black Hat over the SCADA vulnerabilities talk.
However it kind of overshadowed another subject which could have a critical infrastructure impact.
As you are aware the cell phone grid is being used to control process and other equipment including traffic light controllers via SMS messages.
Well in most cases there is neither encryption nor command authentication... and as these devices are starting to appear in the power industry the NERC has issued an advisory,
There was a second vulnerability with power networks that was pulled from discussion but currently it's being kept under wraps. Which suggests that it is significant and needs urgent resolution.
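The gap Clive describes (control commands sent over SMS in clear text, with no command authentication, so they can be intercepted and replayed) is what a keyed MAC plus a monotonic counter closes. The following is an added illustration, not code from any commenter or from the NERC advisory; the device key, command names and the 160-character SMS budget are constructed assumptions for the demo.

```python
"""Authenticated, replay-resistant SMS-style control commands (added example)."""
import base64
import hashlib
import hmac

# Constructed per-device secret for the demo; real deployments provision one key per device.
DEVICE_KEY = b"constructed-demo-key-for-device-42"

MAC_LEN = 8        # 64-bit truncated HMAC-SHA256: small enough to fit an SMS, still infeasible to forge online
SMS_MAX_CHARS = 160  # assumed single-segment SMS budget for the wire format below


def build_command(key: bytes, counter: int, command: str) -> str:
    """Wire format 'counter:command:mac'. The MAC covers counter and command together,
    so neither can be altered or re-paired without the key."""
    head = f"{counter}:{command}"
    mac = hmac.new(key, head.encode(), hashlib.sha256).digest()[:MAC_LEN]
    message = f"{head}:{base64.b64encode(mac).decode()}"
    if len(message) > SMS_MAX_CHARS:
        raise ValueError("command does not fit a single SMS")
    return message


class Controller:
    """Receiving side: a field device that accepts only fresh, authenticated commands."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far; persisted across reboots in practice

    def handle(self, message: str):
        """Return (accepted, command_or_reason). The MAC is checked before the counter,
        so the counter only advances on messages the key holder actually produced."""
        try:
            head, mac_b64 = message.rsplit(":", 1)
            counter_s, command = head.split(":", 1)
            counter = int(counter_s)
            mac = base64.b64decode(mac_b64, validate=True)  # binascii.Error is a ValueError
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, head.encode(), hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return False, "bad mac"
        if counter <= self.last_counter:  # an intercepted message re-sent later fails here
            return False, "replay"
        self.last_counter = counter
        return True, command


def legacy_handle(message: str):
    """The unauthenticated scheme the advisory warns about: anything on the wire is obeyed,
    so an intercepted command can be replayed or rewritten at will."""
    return True, message


if __name__ == "__main__":
    ctl = Controller(DEVICE_KEY)
    msg = build_command(DEVICE_KEY, 1, "OPEN_VALVE_3")
    print(ctl.handle(msg))            # (True, 'OPEN_VALVE_3')
    print(ctl.handle(msg))            # (False, 'replay')
    print(legacy_handle(msg))         # (True, ...) every time, which is the problem
```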
@ Nick P, Richard Steven Hack,
You might find the following of interest,
If you do download the free forensic tools for Android and iPhone let me know what you think of them.
"As Dick Marcinko said in his books and those videos, you have a high security system facing you, you just "pulse" it until they think it's defective and turn it off. Total bypass without any technical sophistication at all. "
That's a very flawed analogy. Marcinko used this technique on electronic monitoring systems. There's a difference between total prevention systems and monitoring systems. You can send bad packets at a firewall all day but the users on the inside won't even know. Second, your idea that they will turn it off is flawed & only applies to things like monitoring & pattern-matching systems. Will PGP use stop if some spam emails don't open? Will Google turn off its default SSL if a bunch of forged connection attempts are made? Will people abandon Medeco locks if intruders shake the door or make picking attempts? I think not!
"I say what Clive said: "And in some cases you might add further avenues of attack..." The more "security" you add to a system - and I know, a lot of high assurance systems are that way because they take OUT a lot of insecure stuff - the more avenues of attack you get."
He was referring to features & complexity, not really supporting your point. Previous discussions show Clive agrees that we already have the capability to build software that's immune to compromise. He also agrees with me that once we get rid of all the bugs, the remaining vulnerabilities will be covert/side channels & hardware issues. High assurance design minimizes complexity. Applying an EAL7-like development process is proven to improve the quality & security of a system across the board, even resisting malicious developers. Hence, replacing critical infrastructure & software components with high assurance equivalents will only reduce vulnerabilities.
@ Clive Robinson
Actually, I found your NERC link more interesting. Just got to love reading things like this:
"The ES-ISAC was recently contacted by a security researcher who has discovered a potentially broad vulnerability where cellular messaging is used to attack embedded systems architecture control networks. Clear text messaging protocols can be intercepted and reverse engineered to enable an attacker to inject commands or implement attacks on critical systems which rely on embedded microprocessors."
Nick P: "That's a very flawed analogy. Marcinko used this technique on electronic monitoring systems. There's a difference between total prevention systems and monitoring systems."
That wasn't the point. The point was that the technique attacks the user behind the system. Whether it's monitoring or prevention is irrelevant to that point.
"He was referring to features & complexity, not really supporting your point."
Yes, but MY point is that adding security frequently adds vulnerabilities. I recall a story about a door that was barred with a steel bar. Someone used an electromagnet on the other side of the door to remove the bar. Thus, the item that was intended to provide security became the means to evade security.
"Previous discussions show Clive agrees that we already have the capability to build software that's immune to compromise."
He may agree. I don't as a matter of absolutes. Sure, you can minimize complexity, reduce functionality, distribute functionality to minimize complexity, and reduce the attack surface to some degree.
And someone will still beat it by some other means.
We've had this discussion before. I'm talking about how security overall can be bypassed, you're talking about a specific security approach. So we're talking past each other.
"Hence, replacing critical infrastructure & software components with high assurance equivalents will only reduce vulnerabilities."
Of course it will REDUCE vulnerabilities. That's not the same as being "immune to compromise", and that isn't even relevant to my overall point that such security can be bypassed in other ways.
But even beyond that, I will still assert that whatever you or the NSA can come up with, someone else can beat. It may not be types like Anonymous, or even the all-powerful "NSA black hats" (I don't know them either, so why should I believe they're any better than any other top-notch hacker in China just because they have more expensive toys?), but someone can if they're motivated enough.
Not saying we shouldn't TRY, of course, or that, as you correctly note, private citizens and companies shouldn't have the same level of protection available to them as government. I'm just saying that in absolute terms there still is no security.
@ Richard Steven Hack:
"XKCD on the platform no longer mattering because of the browser:
Thanks for pointing out the mouse over, I didn't realize that. "
I always found the mouseover annoying, esp. on his longer subtexts, where the balloon would go away before it could be read. Solution: Use the mobile version,
This uses the "alt" tag as an actual text element in the page. Much better. You can add the episode number to the above URL; e. g., today's would be
@ Nick P.:
"The first time I saw the ECMAScript standard I thought to myself: "We're going to basically let strangers execute arbitrary code invisibly with the user's privileges (often admin back then) & no auditing?" That's f***ing INSANE!"
You tried to tell them that the Emperor had no clothes, but no one would listen ... and here we are. (sigh)
"Previous discussions show Clive agrees that we already have the capability to build software that's immune to compromise. "
The trick is getting people to actually use it. You can mandate things all you want but the user has a nasty habit of ignoring your mandate and writing down his password on a sticky note that he leaves on his monitor.
The issue is simply one of scale. The more people involved the more likely is that somewhere somehow that mandate will be violated, or ignored, or compromised by the people it's supposed protect: from the inside. Not maliciously but from laziness or ignorance or incompetence. You cannot mandate human imperfection out of existence.
"And someone will still beat it by some other means."
I agree. Too often security means designing the perfect lock for the door while leaving the proverbial window wide open. That's not to say that the perfect lock is inherently a bad thing. But it can be a bad thing if it causes you to misallocate resources. That was the major intelligence gathering lesson from 9/11: we spent too much money on technological doodads and made no investments in the old fashioned art of seducing the enemy's secretary.
@ Richard Steven Hack
"He may agree. I don't as a matter of absolutes. Sure, you can minimize complexity, reduce functionality, distribute functionality to minimize complexity, and reduce the attack surface to some degree. "
In our previous discussion, I told you I don't believe in perfect security & I'm never referring to absolutes. The field of skepticism has shown us we can never truly know anything 100% & even statistical approaches usually max out at 99% "confidence intervals." My previous definition of high assurance is that it accomplishes its security goals with high confidence that it won't fail for perhaps years on end.
"Of course it will REDUCE vulnerabilities. That's not the same as being "immune to compromise", and that isn't even relevant to my overall point that such security can be bypassed in other ways."
I think that was a typo on my part. I meant to say vulnerability, as in "across the board." The idea is that most remote attacks can only come through certain points. Putting high assurance components there settles that entire issue. When remote software attacks are unavailable, hackers have two options: physical presence for hands-on attack or social engineering to convince users to bypass security.
Most hackers will not travel to a site for physical presence, even nation states because the main reason they are hacking is its deniability & often untraceability. Having a previously identified Israeli agent turn up dead in a gunfight during an attempted physical compromise is too risky. Having an IP packet traced to Israel is 99% deniable. "It must have been malware. A relay. Tor." So, using high assurance prevents the remote software attacks & doesn't leave most targets vulnerable to these physical attacks as the cheap, low-risk crime opportunity is no longer there.
Now, the social engineering attacks will be an issue. The question is how much of an issue? Good considerations of policy and security awareness will determine this. For instance, if a nuclear control system is attached to the internet, the hacker might take remote control. Put a high assurance guard there & suddenly the hacker has to try to do a phone call & convince workers to shut off the plant or overload it... while the workers are looking at the gauges and seeing "all good". It's unlikely to work. This same principle will apply at many sites, which means the few high assurance components effectively make them safe from remote or non-physical attacks. That's a plus over our current situation.
Other organizations (majority probably lol), especially in business sector, will be different. They will still succumb to social engineering techniques. As I've told tommy, I'm not really designing them or promoting them for those businesses. I'm promoting them for organizations that will use them right or can be made to with regulation (safety-critical, mostly). A large number of companies have strong security policies & investments. Unfortunately, their OS's and key protection components are low assurance and will be bypassed over time. High assurance components across the board means they only need to worry about employees, intruders & the effects of operational policy. That's a HUGE reduction in risk over having to worry about that stuff plus the entire IT infrastructure.
"And someone will still beat it by some other means."
Incorrect. This is a false assumption you often make, along with not attaching a severity rating to "beat it." They *may* beat it by some other means. And this may cause anything from annoyance to devastation. The sheer number of companies that have existed for years without very costly security breaches proves my point. Each security or risk reduction strategy strengthens a link in the overall chain. Most crooks are opportunists & avoid the high hanging fruit when low hanging fruit abounds. Even most hackers trying to make a name for themselves go for easy targets with big names. ZF0, for instance, hacked a bunch of security writers' web sites... people too busy doing important things to focus on their web site security.
Remove the low-hanging fruit & make compromising organizations truly hard, the number of compromises & their severity will plummet. That's my prediction. That's the point of high assurance and pervasive embedding of security in an organization. It's not about absolute security: it's about being reasonably sure you will be secure & make it through whatever happens. Commercial standards don't allow this. Only high assurance does.
"The trick is getting people to actually use it. You can mandate things all you want but the user has a nasty habit of ignoring your mandate and writing down his password on a sticky note that he leaves on his monitor. "
Oh that's easy. Penalize them. Penalties like doing the job nobody wants to do that week, a cash fine, taking away privileges compliant employees get, a suspension or termination. I've worked for companies that had certain policies they took seriously & the few times people violated them they were fired. The rest of us simply followed those rules. Another large company I worked for used a thin client architecture for all their PC's at stores. Access to the company intranet featured access control, VPN's, and monitoring of activities. People had been fired for screwing around & for accessing things that they had no reason to access. Needless to say, people didn't screw around on that company's computers.
So, experience has shown me that negative incentives can work if done right. Also, the company should make the security usable to some degree. Positive incentives like extra privileges or a yearly bonus for well-performing employees helps a bit. I usually also say employees must be educated not just in security awareness, but the whole purpose of it: the business assets are the property of its owner(s) & security is about safeguarding those assets. The safety of the company's assets has a big impact on employee job security as well. So, we convince people that it's in their best interest to follow the security policies. A trickier issue is making sure management isn't bypassing them or encouraging employees to. Only random, surprise audits or monitoring can catch that. This is expensive.
"Too often security means designing the perfect lock for the door while leaving the proverbial window wide open. "
And like I said to RSH, we can't assume that a vulnerability = a compromise. Let's try my part of the analogy, closing the easy holes with high assurance measures. So, the crook goes up to see there's cameras on the house & motion lights. The windows are barred & impact resistant. The door has medeco knob lock, Assa deadbolt, & is made to be kick resistant. Sounds like there might be a Doberman in there as well. There's also an ADT sign. The crook can (a) try to bypass all this security or (b) pick a different house. They usually pick a different house.
Same principle works for most external attacks on business. Cover the major bases & close all the attackers best holes, then most attackers will ignore the business most of the time & the remaining will likely be caught in the act due to increased risk. This is true for most insiders, as there are mechanisms for dealing with them. Unfortunately, there are always certain people whose high level of access makes them essentially "trusted." Whoever physically maintains the computers is a key example, with some other types of control fraud possible at C-level. However, this level of security is far better than "anyone can get the stuff if they buy an exploit kit or make a few phone calls." And bypass usually WONT happen with very damaging results.
"writing down his password on a sticky note that he leaves on his monitor. "
No, I left those stickies all over the place. But the users and passwords are fake.
Cross post from new comments on older thread, http://www.schneier.com/blog/archives/2011/08/... perhaps will get more of a reply:
First Post: This is really a question for Dr. Schneier--and any other wise man out there. In the various articles about the Chinese Cyber menace, perhaps especially the Vanity Fair article, the message that comes across is that the Chinese are diabolically clever, except in one thing. They always forget to hide the breadcrumb trail over the Internet back to their computer in mainland China. Why are the Chinese so smart in everything except hiding their tracks?
Maybe it's not so simple?
Is it really possible, as in the case of Aurora 2010, for the NSA to do an ex-post-facto traffic analysis and follow the trail of breadcrumbs to two universities in China, with two possible suspects? Is this technically possible? How? Wouldn't it require thousands of terabytes of data to be stored from all over the Internet? Since the analysis was done months after the fact.
Why is there no discussion of false flag stuff when it comes to the breadcrumb trails leading back to China?
Moreover, just how easy/hard is it to spoof your trail so as to defeat traffic analysis?
The point of all this is that one of the pictures doesn't fit in the series, but I'm not too sure which picture it is. Too stupid. Wise man where are you to answer this question?
Second Post: @ Nick P
Thanks very much. You must be one of the wise men that were Dr. Schneier alternatives.
Some further questions, if you don't mind:
1. You say that in the notional NSA ex-post-facto traffic analysis you're really just looking at the IP's. Now, are these the IP's embedded in the packets, or are these taken from log files on various Internet nodes? I assumed the second since any hacker worth his salt (or chop suey) would be putting false IP source addresses in his packets (isn't that what spoofing is all about: please, be simple; I'm having trouble passing the which picture doesn't belong in the series test). But doesn't access to historical Internet node routing data imply gazillions of terabytes of data stored and mined? What am I missing?
2. Next, if there's a problem with this why aren't the perps using a safe house in, say, Kiev--or Santiago Chile or Capetown SA? Does it make any difference?
3. Yes, the Stuxnet hit was professional, but the requirement, if we assume that the main initial vector was USB sticks and that the SCADA mapping didn't happen through initial penetrations of the network, was for inside humint. Someone was compromised.
4. With respect to China's stealing intellectual property for decades, isn't the downside risk for the Chinese that they steal a poison pill that literally or figuratively blows up in their faces? That's the famous Russian gas pipeline blow all over again. How would they take such a thing into account? Theoretically the only way would be to redo all the research to check it, all the development, all the engineering specifications.
5. What's the significance of timing issues when you use multiple relays--so the packets arrive in the proper order?
6. As for Tor, if I were an intelligence service, I'd be a main provider of Tor nodes. Wouldn't you?
7. Let's assume that the Chinese are in fact doing the hacks and that they know that they're being traced back to China. They spend a lot of cleverness on getting data and assembling it and exfiltrating it. Why are they doing it in such an 'in-your-face' way? Why don't the Americans stop them? Surely there are ways to monitor suspect IP addresses--since the Chinese evidently don't bother to cover their tracks--and to block them. Is it that the Americans are doing the same thing to the Chinese?
8. It is said that the Russians, French and Israelis also have major campaigns of cyber espionage. Why is it that only the Chinese are singled out? Is this the marketing of big contracts all over again?
Thanks very much.
Third Post: @RSH & RobertT
RSH, most of what you are discussing assumes that the motivation is $. I was wanting to get enlightened concerning State-sponsored Cyber espionage. What's bothering me is the ease with which the hacks are definitively ascribed to China. For all I know the ascriptions are correct, but I was wanting to clarify how easy it is for
a. The Chinese to cover their tracks
b. Others to frame the Chinese.
Thanks. Hope you don't mind Moderator/Dr. Schneier. I would really like to get clear about some of these issues.
Lost in Darkness
"Thanks very much. You must be one of the wise men that were Dr. Schneier alternatives."
I appreciate the compliment. I'd call myself wise in that my successes and foolish mistakes over the years have taught me well. ;)
"I assumed the second since any hacker worth his salt (or chop suey) would be putting false IP source addresses in his packets (isn't that what spoofing is all about"
Well, not really. Especially in the 90's, movies liked to push this idea that hackers had tools that just magically anonymized them (or govts could magically trace their exact location). The problem is that putting a false return address on a packet means any return packets go to the false address. A hacker interacting with a machine must receive those packets. Hence, they have to go in his direction. The data might go through relays, different protocols, whatever. But, it ends up at a computer with the IP address of an attacker. Everything in between is breadcrumbs.
The most popular schemes for anonymity are using others' WiFi, SOCKS-style proxies, Tor, and botnets. SOCKS and Tor have serious trust issues. WiFi and botnets are safer, especially if they are in China & the US is asking for access. (Sending data through opposing or politically volatile countries is a trick I came up with a decade ago to prevent police cooperation.) Each anonymity method requires different tracing strategies. However, it's likely that the attackers were using the public end of the University's Internet connection (maybe with relays) & were therefore easy to trace. They can get away with not investigating the students because (1) they can say it was a relay, (2) the students' computers were botnet-controlled, or (3) the NSA's investigation was accidentally or deliberately flawed.
"2. Next, if there's a problem with this why aren't the perps using a safe house in, say, Kiev--or Santiago Chile or Capetown SA? Does it make any difference?"
China is the safest place for a Chinese perp to be, especially if they're still working for the Chinese.
"3. Yes, the Stuxnet hit was professional, but the requirement, if we assume that the main initial vector was USB sticks and that the SCADA mapping didn't happen through initial penetrations of the network, was for inside humint. Someone was compromised."
Indeed. The Russian contractor is the most likely. And Siemens had let NSA pentest their equipment. I prefer not to repeat things like this, so Google the Schneier articles on Stuxnet and look at the discussions between Clive Robinson and me.
"4. With respect to China's stealing intellectual property for decades, isn't the downside risk for the Chinese that they steal a poison pill that literally or figuratively blows up in their faces? That's the famous Russian gas pipeline blow all over again. How would they take such a thing into account? Theoretically the only way would be to redo all the research to check it, all the development, all the engineering specifications."
In practice, they are rarely subverted and validation hasn't been too costly. The fact that they keep doing it shows it's cost-effective for them. They also have required companies to give the government access to their source code, IP, etc. to operate in their country. Even Windows' veil was lifted this way. Repeatedly, Chinese companies will spring up with similar products or services. It's their M.O.
"5. What's the significance of timing issues when you use multiple relays--so the packets arrive in the proper order?"
The user's end is what it appears to be: it slows their pages down to something like AOL dialup in 1998. Many specific types of applications (and popular sites in general) are totally unusable with that much slowdown. On the security side, the protocol tries to constantly swap things between nodes in a way where someone watching all nodes can't tell who's talking. This can require intentional delays on specific packets (or groups of them) at each node. Delays can build on delays. You also need a significant number of computers connected to these relays following the timing discipline on a constant basis so you can make the deniability argument: other people were doing similar-looking things at the same time, so it could have been someone else. AKA: reasonable doubt. And to be clear, I don't trust Tor & would only use it through an open wifi.
"Why are they doing it in such an 'in-your-face' way? Why don't the Americans stop them? Surely there are ways to monitor suspect IP addresses--since the Chinese evidently don't bother to cover their tracks--and to block them. Is it that the Americans are doing the same thing to the Chinese?"
Well, we can't exactly stop them. We do ban IP's we trace. They just change them. There are political repercussions to physically going there to stop the hackers or banning IP ranges of important institutions or ISP's. There are also financial consequences for all the US companies that do business there. Look at how Google backed down on the censorship issue. It might also be hard for them to get all the ISP's and backbone groups to do a ban, as they have a flood of data going through their pipes. And, yes, we're hitting them (and others) with the same stuff. We just do it less because we're the ones with Fort Knox (intellectual property, nuclear secrets, etc.) and they're trying to get the gold.
"8. It is said that the Russians, French and Israelis also have major campaigns of cyber espionage. Why is it that only the Chinese are singled out? Is this the marketing of big contracts all over again?"
Well, the Chinese are the primary threat. We stomped the Soviet Union into the ground. The last country as powerful and influential as us is China. They've displayed it by stating they don't rely on us much for imports, they rarely visit us, and they don't tie their currency to ours anymore. They also have hit us with the largest espionage campaigns at every level of government and industry. They also have a very strong military presence thanks to good old fashioned Russian engineering. This makes them superpower No. 2 and opponent No. 1.
Now, the next biggest enemies are Russia and Israel. Yes, you read that right: Israel. The leaked British MOD Security Manual put that country in the top 3 of threats due to how much espionage Israelis target them with & its sophistication. Mossad targets us to take what they want while simultaneously helping us in the Middle East. You should know they're highly trained & well-equipped: your tax dollars paid for it. (lol)
As for Russia, the FBI has said in press releases that they've got more spies here now than during the Cold War. Additionally, the MOD manual said Russian intelligence could get you in a bugged room even if you booked a new room at the last minute. As for the rest, not including enemies of the US, they are lower priority: intelligence is mainly used to get critical information from them & give us an edge during contract/treaty negotiations.
It helps to remember that it's all a game. Every country is using every other one for their own benefit. Most of the time, everyone benefits to some degree. Some countries win or lose often. Some lose everything. "Cyberweapons" are just newer toys they will use in the game they've always played. Deniability, low cost, ease of use (i.e. exploit kits), and gains from theft of information are what make them so appealing.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.