Schneier on Security

X-Ray • February 2, 2016 4:43 PM

Very good bullet list, nice to see this getting such coverage.

Also can be noted, that corporations and other entities need inspection not just for usability, but also for security.

Tor is a good example of a system that does not even implement anonymous security mechanisms and suffers significantly for it. Endpoints get “known” everywhere, and banned. Not because of the many legitimate users, but because of abusers relying on the anonymity of the system.

If you pay a little bit of money for a professional vpn system, that won’t come into play. And they are very likely to have at the least some manner of IDS to detect their system being used for attacks.

Same principle applies anywhere, and certainly not just with literal hacking. Voice and other communications systems can allow for “verbal” attacks. True end to end corporate encrypted communication systems can be used by outside attackers, or inside abusers. Relying on Amazon vpn on your company system to stream television to home system, for instance.

@Matt

There’s always going to be people who make mistakes, or deliberately leak info; you’ll always be able to plant a mole or find a traitor.

I like seeing someone else saying that.

For code systems, there is open source. Anybody who qualifies and contributes can join in.

http://arstechnica.com/security/2016/02/crypto-flaw-was-so-glaring-it-may-be-intentional-eavesdropping-backdoor/

For corporate, companies will hire anyone from anywhere.

They have zero knowledge on their real background, especially if they are sponsered by an intelligence agency.

Cheap is important and good.

Then, there is the possibility for intel agencies recruiting developers. Probably even under a secondary context. Pay them to write such and such code. Or simply gain access to their development system — or, as one of the first backdoors did, to the build system.

X-Ray • February 2, 2016 11:43 PM

@Sancho_P

Come on, that is a little harsh…

The statement is correct, if the data were properly encrypted, the attackers would not have been able to make off with it.

Removing the word “properly” hardly means it is not there.

And he did state “probably” in fingering China. Considering that the US Government very strongly has implicated China in that attack, it is certainly well worth noting that “probably China did it”.

We do know that hack was tied to Anthem, and together, they probably did have substantial evidence to go by.

Not many parties would be capable of such things. Even fewer would have motive. I don’t think France would have hacked Anthem and OPM.

I also do not think Russia did it. Russia likes to hack oil and gas companies and VIPs.

China is a guzzler for all kinds of information from everywhere.

There could be some really far fetched truth behind it all. But, certainly, “probably” more then generously covers such incredibly unlikely scenarios.

X-Ray • February 3, 2016 9:57 PM

@Sancho_P

First, Bruce’s statement is incorrect (or incomplete / oversimplified).
If the data were “properly” encrypted the attackers may have obtained them anyway just to try to break the encryption at home.

Yes, it is oversimplified, but he is talking to the masses there. That is the NYTimes.

You surely work in a related field and know how difficult it is to talk about work.

Really serious oversimplification.

So these are different shoes, access and encryption.And for the OPM, let me ask how someone who has access to the system would have a problem with properly encrypted data?

Yes you certainly can have encrypted data on a system, have that system compromised, and the data not broken. You know this. Everyone knows this.

Sure, there are caveats, like “if the attacker sees you decrypt it, they can they grab the encrypted data”, but those are caveats and this is OPM we are talking about and the whole SF-86 database going back over a decade and a half, at least.

We don’t know much about the OPM hack, but we do know the remote attackers absconded with that entire database either in the plaintext or in some other weakened state – such as having a key that could unlock the entire database – and that certainly could have been prevented.

Probably, the data was not encrypted at rest.

Ultimately, however the attackers got in and stayed in, they were able to get access to that whole database, unencrypted. So, ultimately, it was an encryption problem. Maybe key management, maybe bad access implementation or controls, and so on.

Who did it? Probably it was done by the communists?

It is more complicated then that, as are probabilities and statistics one uses when considering various theories. This is what we do all the time in security. (Some fields more then other, many of the tech fields very much moreso even then what detectives or analysts would have to deal with.)

Definitely, one can say “probably China did it”. You can even pull off the cuff some truly abstract figure, like “eighty percent chance China did it”. Ultimately, if China did not do it, that is meaningless. 100% chance China did not do it.

But, that is not how probabilities work.

Personally, I think China probably did do it. I have seen China hacking left and right across the country in every quarter for the past fifteen years. All across business, government. I have known Chinese researchers and talked to them. I have talked to these business and government folks. I have even worked with organizations that have been hacked by them.

I doubt this was England or France or Israel, seriously.

Maybe Iran, maybe North Korea.

Russia, probably not.

Very unlikely, but possible, some smaller group, or organized crime, or even a very talented singular individual. Why on that last part? Besides the fact that there would be no money involved (unless they sold to a nation state, and then you are back to the above equation), nobody has said anything. They would if they did this privately. That is the main motivator for such hackers.

But, intelligence, and very professional intelligence, you won’t ever hear a peep.

Which leaves us with the usual suspects.

England, France, Israel, etc… these countries would have way too much to lose if they did this.

Russia, just hasn’t been their style of late.

North Korea, frankly? They like to talk, just like little guy hax0rs.

So, China is the most likely suspect from those very ad hoc levels.

But, then you have the NSA and FBI, and some other organizations swearing they found evidence, on top of all of that.

Could they be lying or wrong? Sure. Unlikely, however. What is it to gain?

You can walk through the possibilities there, and the cards are small and poor.

X-Ray • February 4, 2016 8:03 PM

@Sancho_P

Seems you live in a funny world where the lawfareblog is the NYTimes (audience), and a compromised system (unauthorized access) is ultimately called an encryption problem.
But as I wrote above, here you may call it whatever you like, no one will care.

Nope, just didn’t care enough to follow all of the links and so make clear as to what the NYTimes coverage link pointed to.

Lawfareblog, I know a lot of lawyers, and they very usually tend to not know much of anything about information security.

Really, very same difference…

Not sure what the big deal is. We agree to disagree. I see and participate in a lot of oversimplifications.

’m not interested who could “probably” have done it because I know it:
NOBUS. In town, place your wallet onto the cowling of your car and leave for a stroll. Blame the bad people if it’s gone when you’re back. Allow “admin” as secret (!) super-password and blame Russia for that backdoor. -> I’m tired of people blaming others for their own incompetence. They will never encounter, let alone fix, the source of a problem.

That is a different issue, and you are preaching to the choir there.

Also, I personally would not have put OPM in the context of a proof against the dangers of bad encryption.

As I just mentioned to Buck, my major blame, I give in that, is at ALL the departments who sent in records to OPM, trusted OPM, and never did due dilligence to check up on how their records were stored.

I did not and do not like the blame OPM got. Not because they did not deserve it. Yes, the head should have been fired. But who hired her? Who was sustaining her and their organization and teams?

And their main fault, from my opinion? Besides clearly being very unaggressive about seeking proper budget, being so uneducated about their job — they clearly did not even know they should have!

So, no. I am covered there.

Blaming others is a major pet peeve of mine, in fact. Usually, it is absolutely worthless, very often it is an excuse for personal failure. In security, very often you can blame those who do not do what you want them to do. But, you have to get them to do what you want them to do. So, you work until you get a success at that.

Those who get the same results using the same tactics, are entering into the Einsteinian definition of insanity.

And yes, I believe the US has probably scapegoated China in this. I do doubt their evidence. I am suspicious, frankly, of anyone who says that “if the NSA attributes something, believe it”. Even if they appear to be a hippy SF’r. Lol. Sorry. (It was the NSA engaged in the Gulf of Tonkin event, later found out to have been an effective false flag operation which legitimized and effectively started the Vietnam War.) [Reference, to other recent thread with the head of TAO speaking issue.]

Error is a condition to approach with cold neutrality, not disgust or revulsion — unless disgust or revulsion helps change! If any emotion, mercy.

If you sincerely deal with carefully correcting errors all the time, you know this. Otherwise, you are just going about being a part of the error feed.

Obviously it was designed by the arch enemy, the communists,and if you promise to keep it secret I can tell you:A friend of mine, ex-official in the Cuban gov, speaking in condition of anonymity, told me that some of the US IT design details were obtained from honeypots (due to an “encryption error”) placed by Russia and Fidel Castro (a bad hacker at his time btw.) to stop imperialism and to destroy America.

Right. You are in the “in” club. You have some secret. Obtained with difficulty. Why would you lie? So, it is more plausible.

You do have one problem on this OPM issue, one of the intel heads (I do not keep track of their names) praised China for the hack, and said that was cowboy badass.

In whatever his weird language was. I am paraphrasing.

Albeit, that little devil, you know he smiled about how smart his statement was later. See how the joke and unexpected praise misdirected from the fact he was injecting a truism to the audience? Ala, implicit message, underneath the horseshit, “China did it”.

And why? I said there was little motive. Sure, for going ALL out. They are guessing. But why guess with such assurance? I don’t think they want it to have been China so badly. They can’t go to war with China. But, it can be used for impetus, internally, to pad budgets and keep up operations against China. And it can be used for diplomatic fuel.

So why not China.

But, then, I kind of don’t think Iran or North Korea would come forward and say, “We did it”. Or pull a Sony with all that data.

Fact is, both hacks were very severe. Anthem and OPM. And, if they really know “China did it”, what are they doing about it?

Both Anthem and OPM are acting as if it may have been everyday criminals, both have spent enormous sums to give the tens of millions (is it hundreds) of victims various services that costs quite a bit of money. I have seen estimates well into the billions for overall costs — costs related to taking it for granted that PII might be being used in credit card fraud and other forms of criminal fraud.

Never mind that multiple US officials came out to the press to say both Russia and China are using the OPM data:

http://arstechnica.com/security/2015/08/china-and-russia-cross-referencing-opm-data-other-hacks-to-out-us-spies/

Problem is, if China stole the data, no way would they share it with Russia. Which means that the attribution of China is quite possibly a guess.

But, in terms of valueless words, perhaps. Anyone here, probably is already well sold on negligence on the issue.

Quite a few probably think the collective US intel heads should be jailed for all sorts of reasons. Quite a few probably think they should be sent to the Hague for war crimes. Quite a few, like myself, think they should have all be fired long ago.

Probably anyone this deep in the thread has read all of the ars articles on the topic, so they know just how terrible their security was.

X-Ray • February 5, 2016 8:57 AM

@Sancho_P

@Sancho_P

You had a good point in your response, I did not address:

No one will care, no one will trust. We are null and void, anonymous, irrelevant.It’s absolutely not important what you and I think or not, as bright as it may be.

But as I wrote above, here you may call it whatever you like, no one will care.

Noting, your comments accompanying, ‘even if we are the bright and brightest in IT’.

This is potentially a mystery as to ‘why’ anyone would ever post anywhere. With one’s real name, or otherwise. I certainly have respect for the power of the word. I have respect for truth, even if that truth is set on vagaries. Indeed, often the most powerful truth is that truth which destroys the arrogance of the presumption of knowledge.

Patient Zero, people like to talk about. With virii. My belief is, in the viral instrumentation of truth, patient zeroes are very often entirely unknown. With serious diseases, it is critical to figure out who Patient Zero was or is. But, with trends, fads, opinions, this is impossible for people to know, and they do not even try. No small reason for this is, we are all ultimately much more controlled by our unconscious processes, then our conscious ones.

However, this is not why I bother to form opinions, and not why I ever post anywhere.

I have my own reasons for that which are not guessable.

I know them. And I will tell people I am close to I know them. But it is certainly not the sort of material to state widely, it is private.

I will point out, at times in my life, I often felt as if I was “doing something” for audiences in my past. For instance, the delusion of returning to my hometown, and thinking how it would be if some girl saw how well I had done. Some invisible audience one is startled to find has actually always been in one’s mind, all along. And motivating to “do something”.

Quite odd, how people work sometimes.

X-Ray • February 5, 2016 9:16 PM

@Buck

I bring up Target because you suggest the OPM data was not encrypted at rest (implying that having done so could have prevented such an attack). Not so. Supposedly Target never stored any credit card numbers unencrypted… The malware simply swiped them all as they were being used.

My real contention is just oversimplification is absolutely necessary in communication and certainly does not denote a malicious lie. And there is considerable, albeit circumstantial evidence China was behind the OPM attack, which certainly does allow for a “probably” — that is that it is certainly okay to speak in vagaries and probabilities when discussing such matters. Maybe poor taste if you are discussing a criminal case which is ongoing, but not poor taste on such a matter as this. Indeed, to even put a “probably” in the statement ‘China probably did it’ is extremely generous, as the audience probably has zero doubt in their mind.

I am aware of this possibility of the data being so frequently used by OPM, say via web searches, that, over time, the attackers were able to touch all of it. More likely, they could have gotten it in one fell swoop of an attack by compromising the entire database, or they gained a singular key which provided unlimited access to all of the data with zero limitation on sessions having ended or not.

Possibly, the data could have been encrypted at rest, and they simply found a sql injection flaw which would have allowed the web server application supplying the information to decrypt the information for them… as they purloined the entire contents across seas to China. Or wherever.

I did not recall enough specifics of the Target hack to recall the attackers had to put malware on – who knows how many pos terminals – and gather all of that data together. Had they been able to just waltz into the database server as admin, their job would have been far simpler, and far quicker. It would not have had to involve such a complicated plan as managing a distributed attack botnet living across the country on pos terminals.

I do recall that in the Heartland attack, and related attacks, they were fortunate enough to get on the wire, so they could slurp up all the records as they came across the wire. In which case, the traffic was improperly encrypted across the wire.

Ultimately, the attackers did get the data unencrypted, and that should not have been the case. Likely, the poor use of encryption, perhaps in implementation, surely played a role, overall, in the attack. As it usually, if not always, does.

At least in APT attacks.

Encrypting data at rest is not – at all – a cure all. Far from it. Especially considering the very real and often present danger of sql injection attacks. For instance.

But it is one important layer of security to have, especially when you have a very real threat from APT.

So maybe we could have outsourced any secure data processing to some company that specializes in this sort of thing… Cloudflare, Kaspersky, FireEye, FoxIT, Symantec , etc. Then, those new higher value data processing services wouldn’t have been similarly hacked, because — magic?

Actually, I was thinking in terms of far better resources then those companies have available. BBN level resources, dedicated resources of top engineers who are dedicated to the singular pursuit of specialized data protection in specialized circumstances.

Safenet, btw, would have been a more appropriate resource, in terms of database protection, btw.

I am not stating none of those companies do not have supergenius technicians working for them – I know people at some of those companies – they do. But, they tend to be going from ‘this to that’.

What we do know from the arstechnica report is they contracted out cheaply and horribly.

… actually, in looking up the attack, I found this detail, and while the title disagrees with the assessment that “encryption was broken”, I disagree with their assessment:

http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/

But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

No multifactor authentication, is bad implementation of encryption, especially in the case of exactly how critical that data was.

And, frankly:

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.

The DHS chief, no security specialist in the least, was guessing. “Likely through a phishing attack”. Usually, as far as people know from caught attacks, the entry way is through phishing. But once on a network, they look for as much information as they can going across the wires, or unencrypted anywhere.

You can teflon the shit out of your chest, but that doesn’t mean shit if someone shoots you in the head.

Or if there is a giant gaping bullseye hole right in the middle of that chestpiece.

Encryption is as a piece of very strong metal, if it is strong, but the implementation is where the grooves and cracks and fitting pieces are.

Improperly covering those cracks and crevices with rotten authentication and authorization systems ruins the whole thing.

X-Ray • February 6, 2016 2:07 AM

Honeztly and frankly, a core problem in technical security is we have way too many unprofessional chumps mouthing off in their ignorance, despite their glaring lack of knowledge, experience, or heart.

But the universal solomons baby problem.

Inpotent observers w/o hope.