Comments

tim October 5, 2022 2:45 PM

“cyber” security month is my yearly reminder of the uselessness of the word “cyber” and my relief I don’t work in industries that use it (e.g. government and people who sell security tools)

Racc October 5, 2022 2:56 PM

… so why not ‘Cybersecurity Awareness’ year or decade or century ?

the whole concept of endless soft calendar additions for hundreds of special causes & commercial products is silly and ineffective — but our dopey D.C. politicians have plenty of interest in such theatrics:

“Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace. “

Clive Robinson October 5, 2022 5:20 PM

@ Racc, ALL,

“the whole concept of endless soft calendar additions for hundreds of special causes & commercial products is silly and ineffective — but our dopey D.C. politicians have plenty of interest in such theatrics:”

Those “dopey D.C. Politicians” may not be just dopey, they may be on the take from the greetings card industry 😉

Clive Robinson October 5, 2022 5:35 PM

@ Bruce,

“that event that”

I think the second of those “that” is not meant to be.

It’s something I have a bad habit of doing and often miss even when proof reading some time after…

Ted October 5, 2022 6:25 PM

Fun and/or informative tweets! I remember being really piqued by Cybersecurity Awareness Month when I first started exploring the field.

The National Cybersecurity Alliance had a series of Twitter chats where lots of groups participated. It was a really cool way to see how everyone was involved.

Now, if you all don’t mind, I am going to go down to the cafeteria to grab a piece of chocolate out of a Halloween pumpkin 🙂

ResearcherZero October 5, 2022 11:38 PM

It’s an excellent time to donate resources and hardware to various projects. boom-tish [DRUM SOUND]

“In the case of Rob Thomas’s work with Team Cymru, the Tor Project staff and volunteers expressed concerns to me at the end of 2021, spurring internal conversations. …During these conversations, it became clear that although Team Cymru may offer services that run counter to the mission of Tor, there was no indication that Rob Thomas’s role in the provision of those services created any direct risk to Tor users, which was our primary concern. This was also discussed by the Board in March and the Board came to the same conclusion.”

“Rob Thomas’s reasons for choosing to resign from the board are his own, but it has become more clear over the months since our initial conversation how Team Cymru’s work is at odds with the Tor Project’s mission.”

“Team Cymru has donated hardware, and significant amounts of bandwidth to Tor over the years. These were mostly web mirrors and for internal projects like build and simulation machines. As we would with machines hosted anywhere, the machines hosted at Cymru were cleanly installed using full disk encryption. This means that the set up with Team Cymru was not different from any other provider we would be using. So the level of risk for our users was the same when we used other providers.”
https://blog.torproject.org/role-tor-project-board-conflicts-interest/

ResearcherZero October 6, 2022 12:42 AM

It’s always wise to download software from legitimate sources, rather than a link from a YouTube video.

“The installation of the malicious Tor Browser is configured to be less private than the original Tor. Unlike the legitimate one, the infected Tor Browser stores browsing history and data entered into website forms. More importantly, one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command and control server. The spyware also provides the functionality to execute shell commands on the victim machine, giving the attacker control over it.”

“Curiously, unlike common stealers, OnionPoison implants do not automatically collect user passwords, cookies or wallets. Instead, they gather data that can be used to identify the victims, such as browsing histories, social networking account IDs and Wi-Fi networks.”
https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/

Sumadelet October 6, 2022 8:55 AM

@ResearcherZero

It does not matter where you download software from.

Really.

What matters is if the software is signed with a key you trust. There are no legitimate or non-legitimate websites or software repositories. Unless someone has managed to compromise the software producer’s private signing key, you are good to go with downloading it from anywhere*.

Some sources might do their best to compromise you with associated malware etc., but that is a different issue.

Of course, if you are downloading software without checking it is signed with a key you trust, then it is possible that the site you are downloading it from has a bearing: but that is hardly good practice.

Determining whether keys are trustworthy is another, and more interesting problem.

*This assumes public/private key signing mechanisms have not been compromised. If they have, it would be newsworthy.

Clive Robinson October 6, 2022 9:46 AM

@ Sumadelet, ResearcherZero, ALL

Re : Code Signing falsifiability.

“What matters is if the software is signed with a key you trust.”

That sort of “trust” is a big security “no no”, major human failing, and has not so long ago been a major embarrassment.

There are two basic ways as an outsider you can get your code appear to be legitimately signed,

1, Get a copy of the signing key.
2, Work from the ends into the middle, to get your code to match an existing signature.

The first can be trivially easy and is known as a “black bag job”. The second is currently computationally intensive for all but a few with certain hashes. But we have reason to believe that certain SigInt Agencies are ten to fifty years ahead of certain parts of academia.

Importantly both methods have been demonstrated in the past, perhaps the most notable was Stuxnet. But when that happened how to beat code signing in various ways was quite old news on this blog, it having been discussed many moons before that.

What was also discussed back then were the insider attacks of,

1, Putting code in the source tree.
2, Falsely signing code.
3, Duplicating the key.

And a few others such as making a false signing key that appears or is signed by some other key signing key to legitimize it.

So well more than a decade ago readers here and since have been made aware that code signing is actually a very poor security mechanism that uses the wrong form of trust models.

I’m aware from previous postings that @ResearcherZero is familiar with some if not all of these code signing failings.

MikeA October 6, 2022 10:28 AM

” a key you trust ”

Or perhaps more truthfully:
” a key that is trusted by software ‘updated’ via whatever possibly backdoored process, as far back as the original OS on your machine “

iAPX October 6, 2022 11:32 AM

@MikeA, ALL

Trust. The fundamental sin.

Good software is no software. (yes I know)
All the foundations of my work, and everything “electronic” or IT I use are all based on trust, and they are all totally flawed.

Could we at some point recreate a new IT sub-world with simple secure pieces?!?
At that point, I don’t understand anyone trusting any final product, computer, smartphone or server.

lurker October 6, 2022 11:33 AM

@ResearcherZero

Installing Tor on Windows? Yes, it’s possible, but surely not advisable …

Winter October 6, 2022 11:52 AM

@iAPX

Trust. The fundamental sin.

Trust is a sin like eating is a sin.

Eat too little or too much, or the wrong things, and you get sick or even die.

Trust the wrong people, or trust too few or too many people, and you will suffer or even die.

Ken October 6, 2022 1:16 PM

Fire all these unqualified Cybersecurity executives in the USA who are mostly a joke. Especially, these CISOs. Some of these CISOs are attorneys! Can you believe? Whichever profession (like legal) has the least opportunities in their domain, come to Cybersecurity with some useless 2-week or 2-month training.

Create the awareness by firing these.

Same with Crypto currency jokers who think they invented Cryptography!!

Clive Robinson October 6, 2022 3:22 PM

@ Ken, Bruce, All,

Re : CISO proliferation

“Fire all these unqualified Cybersecurity executives in the USA who are mostly a joke. “

A joke no, a fraud or scam yes.

For a while now there has been an upswell of people claiming CISO etc on their public facing C.V.s, and some have used this as a metric to say it’s a growth employment sector…

Well it may be the chicken or it may be the egg, but Brian Krebs has just highlighted another effect people might want to consider,

https://krebsonsecurity.com/2022/10/glut-of-fake-linkedin-profiles-pits-hr-against-the-bots/

Sumadelet October 6, 2022 5:29 PM

@Clive Robinson

Well, I guess you were triggered there.

By what means would you assure that software you download by way of the Internet is authentic and retains its integrity?

Taken to extremes (which some people need to), you need to personally validate the code, the compiler, any other required software (such as the Operating Systems) and the hardware it runs on. This is a tall order.

However, on the basis that you assume the trustworthiness[1] of the original writer and distributor of the code, how do you obtain a copy of their code that can be demonstrated to be an exact copy of the original code produced by the author?

Normally, you demonstrate that you have an exact copy by running one or several hashes – SHA256 is pretty standard these days, and as far as I know, no deliberate hash collisions have been generated for that hashing mechanism. Yes, MD5 and SHA-1 are broken, but you can use more and different hash functions.

If the hash is signed using the signing key of the code’s author, then government agencies and large criminal organisations aside, you can be reasonably well assured that the copy of the code you have is identical with the code on the download site (to the degree of probability defined by the hash function) and that the code has been signed by someone who controls the signing key, which is usually, to a reasonably high degree of probability, the actual owner/author.

Stuxnet preyed upon failures of several validation processes, not the underlying mechanism. It underlines the inadvisability of trusting Microsoft Windows to act in your best interests, especially when doing stuff like automating validation of signing certificates.

If you use a ‘web of trust’ model rather than a centralised root-of-trust model, the problem becomes one of assuring that the public key of the code author is the right one, for which there are multiple approaches, none of which are ideal.

Trust models[2], and key distribution/management[3] are areas where there is great potential for improvement.

For general day-to-day stuff, I’m happy to use SHA256 and a selection of public keyservers, but I’m not, as far as I know, more of a target for compromise than any other member of the general public in Western Europe. Other people may need to be more circumspect.

[1] The original author can be compromised by unnoticed theft of the private signing key, or by the $5 wrench method, or indeed by human failings. Shrug. That’s outside the context of ‘downloading software on the Internet’, and while it is security relevant, is not easily solved by technical means.

[2] What procedure do you follow to evaluate the trustworthiness of a person[2a], an organisation, some software, some hardware? How does a trustworthiness score get increased?

[2a] Intelligence agencies, with all the resources of a state to use, get it wrong. Anthony Blunt. Aldrich Ames. Robert Hanssen. And many, many others.

[3] How do you know you have an authentic valid copy of the (public) key of a person or organisation you have never met? How can you validate peer-to-peer identity?
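
The hash-plus-signature check described in the comment above, as an added example that is not part of the original thread or of any project mentioned in it. It models the author publishing a SHA-256 digest of a release archive and an Ed25519 signature over that digest (the SHA256SUMS plus detached-signature pattern), and the downloader verifying both. The archive bytes, the key pairs and the “mirror” scenarios are constructed in the code; the trusted public key is simply handed to Verify, since obtaining it out of band is the key-distribution problem the comment leaves open.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a downloader ends up with: the archive bytes, the digest
// the author published for them, and the author's signature over that digest.
type Release struct {
	Archive   []byte // the distributed bytes
	Digest    []byte // SHA-256 of Archive, as published by the author
	Signature []byte // Ed25519 signature over Digest
}

var (
	ErrBadSignature   = errors.New("signature does not verify under the trusted key")
	ErrDigestMismatch = errors.New("archive does not match the published digest")
)

// NewKeypair generates an Ed25519 key pair (demo only: panics on entropy failure).
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish is the author side: hash the archive and sign the digest.
func Publish(priv ed25519.PrivateKey, archive []byte) Release {
	d := sha256.Sum256(archive)
	return Release{Archive: archive, Digest: d[:], Signature: ed25519.Sign(priv, d[:])}
}

// Verify is the downloader side. trusted is the author's public key obtained
// out of band; the signature binds the digest to that key, and the digest
// binds the archive bytes to the signature.
func Verify(trusted ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(trusted, r.Digest, r.Signature) {
		return ErrBadSignature
	}
	got := sha256.Sum256(r.Archive)
	if subtle.ConstantTimeCompare(got[:], r.Digest) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	authorPub, authorPriv := NewKeypair()
	archive := []byte("constructed stand-in for a release tarball") // constructed sample
	rel := Publish(authorPriv, archive)
	fmt.Printf("published digest: %s\n", hex.EncodeToString(rel.Digest))

	// A copy from any mirror passes as long as bytes, digest and signature are the author's.
	fmt.Println("pristine copy:", Verify(authorPub, rel))

	// A mirror altered the archive but left the author's digest and signature in place.
	tampered := rel
	tampered.Archive = append([]byte("malicious prefix "), archive...)
	fmt.Println("tampered archive:", Verify(authorPub, tampered))

	// The mirror re-hashed and re-signed the altered archive with its own key.
	_, mirrorPriv := NewKeypair()
	resigned := Publish(mirrorPriv, tampered.Archive)
	fmt.Println("re-signed with another key:", Verify(authorPub, resigned))
}
```

Run it with `go run`. The order of the two checks matters only for clarity: the signature binds the digest to the trusted key, the digest binds the archive bytes to the signature, so a copy fetched from any mirror passes when both links hold, and a mirror that alters the archive fails whether it leaves the author’s signature in place or re-signs with its own key. What the check does not do is say anything about the code itself, only that these bytes are what the key holder signed.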

JonKnowsNothing October 6, 2022 6:12 PM

@ Sumadelet , @Clive

re: Stuxnet preyed upon failures of several validation processes

iirc(badly) Stuxnet relied on the manual installation of software by a “certified approved vendor” technician. In theory that tech was supposed to be legit but was in fact NoSo.

The installation inserted bogus software into the centrifuge speed controls. Over writing the correct behavior with Intentional Damage modules.

The modules were highly tailored to that specific system. It used all the correct driver mechanisms and was designed to pass all “checks and validations”.

It passed those checks so well, it has now propagated to nearly every system that uses that controller. In theory, the Intentional Damage modules won’t get triggered because they are now in the wrong target system.

All of the precursors and variants use similar techniques.

When facing an adversary, the only one you can trust is yourself. Sometimes not even then.

SpaceLifeForm October 6, 2022 7:14 PM

@ Sumadelet, Clive

Excellent points and questions.

My conclusion is that to do this properly, it must be web of trust.

Face to face communication to bootstrap so that Alice can tell Bob, that they know that Charlie’s, Dave’s, and Frank’s Public Keys are trustable. And then you bubble it up to others. You may have noticed that Eve was not invited to participate in this scenario.

You do not need a large group meeting in a signing key session like was done with PGP back in the olden dazes.

It is important that the Public Keys are permanent.

It is about Reflections on Trusting Trust.

BTW, I concluded long ago (back in the naughties), that LinkedIn is a TLA op.

ResearcherZero October 6, 2022 9:18 PM

@Sumadelet

It is much easier to bypass security and retrieve a signing key than one might imagine. If you read the article OnionPoison clearly looks like government spyware.

“Foreign actors may intensify efforts to influence outcomes of the 2022 midterm elections by circulating or amplifying reports of real or alleged malicious cyber activity on election infrastructure.”

“Additionally, these foreign actors may create and knowingly disseminate false claims and narratives regarding voter suppression, voter or ballot fraud, and other false information intended to undermine confidence in the election processes and influence public opinion of the elections’ legitimacy.”
https://www.ic3.gov/Media/PDF/Y2022/PSA221006.pdf

Clive Robinson October 7, 2022 4:31 AM

@ Sumadelet, JonKnowsNothing, SpaceLifeForm, ALL,

Re : Trusting Trust systems.

“By what means would you assure that software you download by way of the Internet is authentic and retains its integrity?”

I would first ask the foundation issue question,

“Is there any means that can be trusted to exchange a ‘Root of Trust’?”

Sadly after years of looking at the problem the answer is a resounding

“NO!”

That’s true even for “face to face” meetings, you can not prove who you are… This is much to the annoyance of Politicians and the rather unpleasant “Guard Labour” types[1] that back some of the worst types of politician.

But it has implications, take your,

“Taken to extremes (which some people need to), you need to personally validate the code, the compiler, any other required software (such as the Operating Systems) and the hardware it runs on. This is a tall order.”

Yes it’s a tall order, and it’s not extreme enough.

We’ve known from the early 1930’s, before electronic computers were possible, that any system of logic sufficiently capable of supporting basic mathematics is incapable of describing itself, let alone proving itself sound.

So you get into a problem no matter where you are in the computing stack from quantum physics upto the peak of human philosophy there will always be another layer that,

“You can not verify, therefore trust”

That can attack upwards or downwards. I’ve talked about this before in some depth and the solution is that you have to “take a chance” that is there is always going to be some probability you will not detect an attack.

So knowing what you can not do provides you with a starting point for what you can do and the answer as far as long term security is,

“Not a lot”

Look at it this way, you write a book on your computer. I come along and make some changes. If I introduce a spelling mistake, that can be detected by sufficiently trustworthy tools. But what if I change say two words to their synonyms but take care to ensure the total character count has not changed? The file would get through the spell checker, the paragraph, word and character counts. Yes there are other tools that could find the word changes but do you have access to such tools? And even if you did, what would those tools miss?

There is a proof based on an interesting idea in set theory called “Cantor’s diagonal argument”, “diagonalisation proof”, etc. He published it in 1891 and it caused a bit of a ruckus for various reasons. It’s been used by many people since including Alan Turing with regards “The Halting problem”. The point is it applies to security tests as well, in essence it says in the generalised case, no matter how many specific tests you run, you can not test everything.

The problem with hashes, even crypto hashes, they are built on two assumptions,

1, That there are genuine “One Way Functions”(OWFs).
2, That the resources required to find collisions are too large.

Neither assumption has been proved, and I’ve a feeling they never will be.

Fundamentally then “code signing” is not a process that can be trusted in the computer security sense.

Thus we can only fall back on trust in the human sense. In essence you need to use a

“Reputation System”

The problem with these is the,

“Nobody is born a murderer”

Issue.

Because by definition you,

1, Have to plan to kill,
2, Then actually kill some one,
3, Get investigated and caught,
4, Be convicted and sentenced.

All of which takes time and whilst an unknown number of people will start the process, it mostly does not get beyond first base.

Similar applies to any “intentional act” such as a crime, thus also to trust in the human sense.

You actually are only trustworthy prior to starting to plan, after that you are untrustworthy, but usually nobody knows it apart from you. You have the presumption of innocence until proven guilty beyond doubt, at which point you are officially untrustworthy by record.

It’s this limbo phase between the start of planning and being proven guilty beyond doubt where the problem exists with “reputation systems” and “human trust”.

Also it’s important to remember that “human / social trust” is,

“Given until broken”

And “Security / technical trust” has to be,

“Proven before given”

So can be seen as opposites of each other, but “reputational trust”,

“Is built over time and performance”

Which is a “resource use” view in which both the resources given and the level of trust given taper, starting off small and building with time until either a threshold is reached or the trust is broken in some way and the trust or resources given are diminished. It is important to note that the slope of the taper is based on the many things that establish the degree of experience the giver of trust and resources has as well as the resources involved. There is a saying in the UK military of some types of people,

“I’d trust him with my life but not my wallet”

The fact that they are untrustworthy in some areas does not stop them being trustworthy in others.

Thus “reputation systems” are not just “probabilistic” but “complex” as well.

It’s been established that “code signing” can not be proven secure in a technical sense as it is vulnerable to both insider and outsider attacks.

Importantly code signing does not in anyway attest to the quality of the code being signed, or very much of anything at all. In fact all it actually does is show at some point in time that can not be verified, a “bag of bits” archive comprised from other “bags of bits” was hashed and digitally signed. It is therefore in reality no more than a digital packing / contents list.

Therefore it is up to the person who takes the delivery of the archive to assess, on probabilities that are mostly neither technical nor measurable, how much trust to give the archive.

Personally I used to trust the code given away on CDs on the front of computer magazines more than I did that of Internet Repositories with signed code. A view that the likes of Apple and Google’s “walled gardens” have just strengthened with time, as has Microsoft’s ownership of a public code repository, to name but three of many.

[1] The sort that like kicking front doors down in the early hours of the morning to drag people away to make them one of the “Disappeared” or equivalent. They want ways to prove who other family members are and this can not be currently done in most cases. Even in less authoritarian countries they are trying to change this by building ever larger DNA Databases. But the contents of all databases are no more reliable or trustworthy than those who would want the databases to contain false, misleading or otherwise fake information for various reasons. Or likewise those who can change the results of tests etc that go into the databases. That is, the chain of trust can not be reliably established or maintained, and why there are people around the globe with passports that are genuine and issued by the country’s passport authorities but the person is not who the passport says they are. This is a point the then head of the UK’s MI5 Stella Rimington made publicly to UK politicians under then PM Tony Blair who were incorrectly convinced a National ID Card could solve all sorts of problems, they can not.

Quantry October 7, 2022 12:15 PM

re “An Act respecting cyber security…”

More sweeping powers
https://www.parl.ca/DocumentViewer/en/44-1/bill/C-26/first-reading

a review
https://iclmg.ca/groups-highlight-concerns-with-deeply-problematic-bill-c-26/
