Schneier on Security

Scott "SFITCS" Ferguson • August 19, 2014 7:30 AM

@Clive Robinson

@ Tim,

Whilst an IDS should see the individual scans, it won’t recognise a pattern unless it is programed to do so.

So if you programe an IDS to use IP addresses as it’s main pattern recognition component then no it’s not going to recognise the pattern.

If however you program it to recognise events in time irrespective of IP address then yes it could recognise the attack via a time signiture.

However such recognition would require what is in effect a fourier analysis of the event time line trying to pull out the signal it creates.

The downside for the defender is that for some types of signal the attacker can exchange time for sequence making the detection very much more difficult.

Agreed on all those points – except the timing, which I don’t understand well enough to have an opinion on.

With reference to SNORT, the main problem is not being unable to use pattern recognition (or behaviour analysis) to detect these sorts of attacks – as it most certainly can. It’s dealing with the large number of false alarms, and, SNORT’s ignorance of the network itself. One approach to dealing with these problems (and their are others) is to feed the results to NEFCLASS and JRIP.

Nothing to do with any assertions you’ve made Clive, but others, sometimes, refer to “stealthed” ports… with the greatest respect to Steve Gibson, stealthed ports provide no real security. They offer the illusion of security by obscurity, and that obscurity is pure illusion.
If you want to secure ports – close them. If you want to limit access to certain ports (i.e. ssh) use portknocking in combination with fail2ban. Sure – it could be used against you for DDOS, but the alternative is to allow unlimited attack attempts.

Scott "SFITCS" Ferguson • August 20, 2014 3:55 AM

@Sancho_P

I’m afraid we are barking up the wrong tree: Portscanning.
But probably I’m wrong?

That depends on the legal jurisdiction. In some cases, yes.

a)
– Port scanning is perfectly legal.

No.

– Port scanning is morally OK.

Perhaps in some circumstances – but not on my servers without permission.

– Port scanning is sometimes necessary.

Yes. Emphasis on sometimes.

So we could probably complain if IP.X.Y.Z does it twice a day to our server.

Absolutely. But…. depending on your legal jurisdiction it may not be a crime (though there may be civil remedies) – and even if it is illegal, there’s no guarantees that you will get action (how much weight does your company carry?).

b)
Port knocking, as mentioned here, will help against the bad boyz but not against a national player like NSA.
They just look up their intercepted traffic database for any traffic and how it was established (and from whom and why and how often and …).
The database will also reveal details like advertised versions and so on.

Perhaps you should read Moxies documentation (the link you posted)? It contradicts your statement.

Note that it’s not the only portknock system designed to prevent “playback” attacks.

Port knocking (even knockknock) to a server will be their first interesting finding,
long before injecting their data into your connection.

Please read my previous comment. There are several flaws in your logic.

I still don’t get it how “play that youtube-video” can lead to any other action as to
“play that damned video” (I could accept to play a different content, though …) or “error while receiving stream”.

• Your version of x is too old to view this video. Download the update here (link to trojan)
• Exploit auto-update of flash/silverlight
• Exploit Flash/Silverlight/webm(?) vulnerabilities

Back to the (Bruce’s) topic,
the hidden / secret use of third party equipment is immoral, an offense and dangerous.
We must not accept that to be “the law”.
It does not matter whether it’s US or foreign property, morals don’t have borders.

Apropos of little – morals have no weight or measure.
The problem is that morality has very little realistic influence on legislation (as opposed to justification for legislation). Money does. Bad for business is likely a more powerful incentive for change.

[1] http://www.thoughtcrime.org/software/knockknock/

Perhaps you conflated the problem (see quote below) Moxie saw, with his solution?
“The problem with the original(emphasis mine) concept was that if your port sequence was observed by passive eavesdropping, it was easily replayable. The obvious solution was to develop a port knocking system that did not allow for replay attacks. Such a solution suggests the use of cryptography.”
Also:-

• C¨OK – Cryptographic One-Time Knocking
• Port Knocking: Beyond the Basics
• SIG^2 Port Knocking Project
• A critique of port knocking
• Single Packet Authorization with Fwknop
• knockd – read the section on one-time sequences

Kind regards

Scott "SFITCS" Ferguson • August 21, 2014 5:46 AM

@Sancho_P

Apologies to the whose lips get sore reading long posts. All truths are simple so if the length of this bothers you, you can safely regard it as information free.

@ Scott:

Thanks for your reply.

Thanks for the interesting post.

[snipped]

I’m not aware of any legal restriction explicitly to port scanning in my jurisdiction (EU) until there is some prove of severe damage or “bad intent” (very blurry jurisdiction right now, they want to fix it of course …).

You may wish to reassess that opinion after reading the following. NOTE: IANAL (standard disclaimer meme). Don’t forget – “ignorance is not grounds for mitigation (unless you are a member of the bar)”.

Links to internation laws on portscanning:-

• General overview of international laws about portscanning
• International conventions
• US cybercrime legislation
• Wikipedia reference on international portscanning legislation
• UK portscanning legislation

And that’s just the first few results 😉

For the port knocking itself I’m not talking about the intent of playback attacks. I think silently watching the traffic would reveal everything?

No. All it will reveal is a stream of data. Data without context is not information (it’s encrypted).

Say I’m interested in the activity of a news agency (e.g. Al Jazeera) and their server (ports), the question to the database would be “timeline of connection attempts with data volume by port (except 80…), sorted by “dissident” IP’s (= connecting also to NYT on strange ports)”.
Spooks will have better ideas, but everything is already there in their “collection”, there is no data transmission without connection.
Now they set up a rule for an automated action.

That entails a number of presumptions:-

• that connections from “dissidents” are direct to the Al Jazeera server
• that “dissidents” can be identified
• that the origin of the “dissidents” connection can be identified – and that that origin is useful (e.g. not a cron trigger connection from an innocent third-parties internet connection)
• that useful information can be gleaned from the transmission (information not data)

Simply being able to unencrypt the data at some time in the future may be of historical value only. Without specifying what the “automated action” is the question is analogous to “what will we do when Martians invade?”.

So Moxie (… sorry for that 🙂 ) may later cryptographically knock, authenticate and open that (other) port for transmission but then they (their automated system) will use it (inject their exploit) because of their better networking connection / position,

If the opponents of privacy have the means of doing that – then much of their catalogued abilities are redundant. I think you can safely presume they don’t have that ability.

[snipped]

Seems I do not understand why one needs a secure port knocking request to open an insecure / vulnerable port?

Firstly, I have a problem with the assumption that those, unspecified, ports are insecure/vulnerable.
Secondly, perhaps a crude analogy may help explain:-

<

ul>

”… An observer watching packets is not given any indication that the SYN packet transmitted by ‘knockknock’ is a port knocking request, but even if they knew, there would be no way for them to determine which port was requested to open.” (Moxie Marlinspike)

Is this correct also in case of querying a (e.g. NSA) traffic database?

Who knows? Certainly I have no understanding of the “NSA traffic database”. Would their information be any more useful than that of my ISP?

Regarding the video:

Video? I must of missed that meeting 🙂

Your first point seems to be the category “social attack” which I’d probably fall into at my home PC.
At the company’s server I may see that “Download the update” and click it, but then I could prepare two coffees because one of our IT guys will show up within five minutes, together with my boss (no coffee for my boss in this situation).

It doesn’t have to involve social engineering. NOTE: we are postulating from an information poor position – it has it’s limitations.
I doubt your network or system administrator is going to notice. Do you keep MS Updates from automatically running? It’s very unlikely your antivirus system will notice any malware (dig through these forum postings to see why). If you run any version of Windows I can think of several methods of bypassing your security without social engineering (no, I’m not posting those methods here). Aside from that – there is a high probability that if I can access your home computer – or any of your private accounts (e.g. email) I could (as an attacker) gain access to your work place. I could also guess that your workplace is statistically likely to have several failing in security (does your network administrator believe NAT is some kind of security? do you have networked printers? etc). Your weakest link is your biggest problem.

So remain the vulnerabilities.
That’s a sad chapter, as I’d see the sense of national security in securing the national assets.

I see the biggest revelation from Snowden is what the NSA has very effectively removed from any discussions – all this information (not data, information) is being gathered and processed by third parties. e.g. what security measures do you believe the NSA has in place to prevent Dell from using that information to their business advantage?.

Note: I am absolutely opposed to national thinking. Nation states are global enemies.

I strongly believe Oscar Wilde was wrong – patriotism is not the last refuge of scoundrels – nationalism is.

[ At vulnerabilities … There is also the issue with what is called the “OS”:
I think an Operating System should have a close look to what’s happening inside the machine. Applications must remain below the OS, closely watched in their behavior.
I’m afraid there is no such OS available today – probably never will be. ]

The solution you seek would seem, from my non-expert view, impossible – userland below kernel. Microkernels, application whitelisting, and an integrity shell – coupled with careful separation of risk (not one connection, one encryption key pair, and one OS for everything) is a possible alternative solution.
[snipped]

Interesting stuff. Please regard my posts are opinion only – only time will tell how useful that opinion is. I’ve never had a server or workstation compromised – I do my best to keep them properly secured but I still know my security is little more than a cup of spit and a few twigs. If the world was software it’s be destroyed in the first mild breeze. Proper risk management accounts for that – the vast majority of what people wish to secure falls under the risk management category of, um, dangerously naive and highly unlikely. But the psychology behind it is not dissimilar with that of those that buy lottery tickets – or drive hybrid cars for the sake of their health (.22 is healthier than .50 only if you confuse migitation with solution).

Kind regards

Scott "SFITCS" Ferguson • August 22, 2014 6:31 PM

@Sancho_P

Hmm, here’s my problem:
What is our “home or place of business” in the immaterial / not physical world of information?
Where is the border exactly, thinking about an email to a business friend in Tunisia, which paragraph / sentence would be public or “without rights” and which part would be protected?
Should I write two messages, one from my work and the other from my – ups, private – home?
And the “metadata” of both, are they protected (not to think about my friend’s privacy)? Are we all supposed to have private and business accounts and identities?

Home and work (your business, not the business of your employer) is a physical location. Why make a new set of rules for a circumstance that is just a variation on an existing circumstance (not some paradigm)? In engineering it’s generally accepted that if you have a system that 90% “works” that the most likely way to successfully “make it work” 100% is to improve it – and that trying to redesign the system from scratch is unlikely to result in a 100% working solution.
We expect that our postal and telecommunications system has controls on who can intercept the information being moved across it. We accept that the courier can exert some control over the contents, and inspect the information being transferred to insure that we comply with the rules. e.g. that post be inspected to ensure it doesn’t contain explosives or toxic chemicals. We expect that the postal system doesn’t allow others willy-nilly access to our post. But we know postal staff are human – so do we stop sending mail because we can’t guarantee the transit of mail without people other than the intended recipient reading it? Or do we employ encryption?
The 3^rd type of surveillance that Bruce describes is the problem that needs to be solved – how do we stop the NSA from preventing us from employing encryption when sending and receiving information? I’m not talking about preventing legal authorities from doing their job any more than the ability to own a safe, or create your own code for keeping your diary does – just preventing the situation that is bad for business. Why “bad for business” rather than bad for the individual? For the full answer read Adam Smith, the short answer is that all individual rights derive from free trade, the division of labour, and the pursuit of self-interest. Any restriction on those things restricts individual rights. What’s good for a few business is not good for individuals, what’s good for many businesses, is. Fascism and dictatorship do best with fewer and larger business – that can only occur when the business of the many is constrained. Not a popular point of view – a multitude of small business doesn’t employ as many lobbyists as a few large ones.

Because of the (Tunisian) recipient both my messages will be flagged, the processing is probably outsourced to the single competitor I have in that business and country???

coughCiscocough(??)

[snipped]

However, your ”Would their information be any more useful than that of my ISP?” made my perplex.

Granted, we have little knowledge about “their” database. So I (Joe Average) can only fantasize what I would expect from a several billion dollar project driven by hundreds of professionals. Your ISP will know “the [single] point of origin” but this is less than one single pixel in the picture, they can’t answer the question “who is behind that point, the social background, whereabouts of last two years, friends, business and international contacts, how relevant is this endpoint, whom will this person meet next week, mindset, where is the weakest spot, …”.

Then we don’t need unique keys for database tables? ;p IANAIA

Kind regards

“The pure and simple truth is that the truth is rarely pure and never simple”
~ some dead guy

“Science is the great antidote to the poison of enthusiasm and superstition”
~ Adam Smith, The Wealth of Nations: An Inquiry into the Nature & Causes of the Wealth of Nations

Scott "SFITCS" Ferguson • August 24, 2014 12:14 AM

@Sancho_P

@ Scott:

”… But we know postal staff are human – so do we stop sending mail because … ?”

Your analogy is not true anymore.

Times have changed, and so have the methods used to inspect mail (freon spray, optical scanners, and pattern recognition software) – but the analogy still stands. You are still going to be disappointed if you expect your mail cannot/will not be inspected. And you can still employ encryption to safeguard it’s content.

[snipped]

Yes, they were humans, but there was trust – also from them in their employer!

I know nothing of your postal systems history. AusPost has postal inspectors since the PMG days. Even in the times of the Black Penny stamp there were postal deliverers who pilfered, purloined and read mail – and postal inspectors to catch them and/or inspect the mail. Likewise government departments and other interests (including private) that secretly intercepted mail to view or change the contents.

[snipped]

I have no problems with my postman knowing I got mail from someone in the UAE (he used to ask me for the stamps), but I can’t stand the feeling that several people, including Mossad and MOIS, make a living from dutifully noting “Sancho got perfectly encrypted data from Ibrahim”.
And knowing what terrific consequences can result from brainless processing database “knowledge” (which DB doesn’t include errors?) brings my blood to the boil.

Misunderstandings we all have to learn to live with. Worrying about it is counter-productive, it’s just one of the many things that appear unfair if you have unrealistic expectations.

Perfect technics is never the answer for mankind’s issues.

I’m not suggesting it is. Rather it’s the perfect operation of perfect “technics”. Too many people ask what tool will make me an expert? – which, effectively, is the question they are asking when they say “what should I use to do “it”?

But this takes us far OT and I think we shouldn’t further stress Bruce’s hospitality 😉

I don’t know. I think we’ve more than covered the subject – which has been extensively covered before for those willing to search. Be assured the moderator will let us know.

Thanks for “Adam Smith”, I love what he wrote in book V “Of War and Public Debts”.
Good he couldn’t write about the real costs of modern war and who supports it.

It’s a book that took me many reading and much thought to begin to comprehend. I didn’t find it lacking in an explanation of the current situation.
War is the mercantilists’ best excuse for curtailing imports and limiting foreign debt
Perhaps you failed to adjust the geopolitical boundaries to account for international business interests e.g. American business in China, Chinese business and investment in America. He had a great deal to say about credit and fiat economies – did you factor that in?

Kind regards

“The sovereign, for example,” wrote Smith, “with all the officers both of justice and war… the whole army and navy, are unproductive labourers…. The protection, security, and defence of the commonwealth, the effect of their labour this year, will not purchase its protection, security, and defence for the year to come.” In other words government is a service, and it should never be mistaken for a factory that furnishes us with all our jobs, homes, and discount blood pressure pills. Whenever a politician is heard to say that government spending is “an investment,” he should be told to get a job.