Here are a couple of items of possible interest to some of you.
First, a group of companies, organizations, and notable individuals signed on to a letter to President Obama urging that the government not mandate “back doors” in computing products. I was one of the signatories. You can find a news account about the letter here and you can read the letter itself here. I suggest you read the letter to see the list of signers and the position we are taking.
Second, I’ve blogged before about the new book by Carey Nachenberg — a senior malware expert who is one of the co-authors of Norton Security: The Florentine Deception. This is an entertaining mystery with some interesting characters and an intricate plot that ultimately involves a very real cyber security threat. It isn’t quite in the realm of an Agatha Christie or Charles Stross, but everyone I know how has read it (and me as well!) have found it an engrossing read.
So, why am I mentioning Carey’s book again? Primarily because Carey is donating all proceeds from sale of the book to a set of worthy charities. Also, it presents a really interesting cyber security issue presented in an entertaining manner. Plus, I wrote the introduction to the book, explaining a curious “premonition” of the plot device in the book. What device? What premonition? You’ll need to buy the book (and thus help contribute to the charities), read the book (and be entertained), and then get the answer!
You can see more about the book and order a copy at the website for The Florentine Deception.
Dear Friends of CERIAS
This Wednesday, April 29, will be the second annual Purdue Day of Giving. During this 24-hour online event, CERIAS will be raising awareness and funds for infosec research, security education, and student initiatives.
Plus, through a generous pledge from Sypris Electronics, every donation received this Wednesday will be matched, dollar-for-dollar! So, whether its $10 or $10,000, your donation will be doubled and will have twice the impact supporting CERIAS research, education, and programs (i.e. Women in Infosec, student travel grants, student conference scholarships, the CERIAS Symposium, …)
Make your donation online here (CERIAS is listed in the left column, about 1/3 down).
Now through Wednesday help us spread the word by tagging your Twitter and Instragram posts with BOTH #PurdueDayofGiving and #CERIAS., and sharing our message on Facebook and LinkedIn. You can post your thoughts, share the Day of Giving video, or encourage others to donate.
Thank you for your continued support of CERIAS and for considering a Purdue Day of Giving donation this Wednesday (April 29).
One again I have submitted myself to a week of talks, exhibits, walking, meetings, drinking, meetings, and more with 40,000 close associates (with one more day of it tomorrow). It’s the annual RSA conference in San Francisco. I’ve been to about 8, including the last 5.
Prior to starting this entry, I reread my blog post from after the 2014 RSA Conference. Not a lot has changed, at least as far as talks and exhibits. Pretty much everything I wrote last year is still accurate, so you can read that first. There were a few differences, and I’ll describe the prominent ones below.
Once again, I got pulled into meetings and conversations, so I didn’t attend as many of the talks as I really wanted. I caught portions of several, and I was impressed with more this year than last — I sensed less marketing. Thus, kudos to the program committee (and speakers). I am sorry I didn’t get to hear more of the talks. I hope they were recorded for us to view later.
Foremost differences from last year occurred outside the Moscone Center and on the exhibit floor — there was no boycott against RSA about alleged NSA collaboration, and the conference organizers adopted a policy against “booth babes” — yay! I don’t think I need to write about things that weren’t there this year, but I will say a big “thank you” to the RSA Conference team for the latter — it was a very welcome change.
I still did not speak in a session (even as a fill-in), it still costs quite a bit to attend, I still didn’t see many academics I knew,
I saw only 3 products that were devoted to building secure systems — everything else was patching, monitoring, remediation, and training. That continues to be depressing.
Still the case there was limited emphasis on or solutions for privacy.
Andy Ellis provided me shielding for my badge so I could avoid being scanned onto mailing lists. I told people at most booths, but they tried anyhow. Some would try repeatedly, then tell me they couldn’t scan my badge. Duh! I just told you that! However, in every case, they still gave me a T-shirt or other swag.
Speaking of swag, this year, the top 3 raffle items were drones, Go-Pro cameras, and iWatches.
A few booths were very aggressive in trying to scan people. It almost felt like desperation. I had to duck and weave (not easy with a cracked rib) to avoid a few of those people and get past their booths. It felt like being in a video game.
This year, more vendors seemed willing to talk about donating their products to our (CERIAS) teaching and research labs. That is really promising, and helps our students a lot. (And, hint — it provides great visibility for the products, so you vendors can still do it!)
So, if I find the conference a little depressing, why do I still go? As I noted last year, besides hearing about trends and getting a stock of T-shirts, it is a great opportunity to see friends and acquaintances I don’t get to see that often otherwise because I have limited time and funds for travel. (And yes, Indiana is at the center of the known universe, but few flights stop here.) I have had some great conversations with these people — thought leaders and deep thinkers across the spectrum of infosec/cyber/etc.
Actually, it occurred to me over drinks that if I wanted to cause maximum disruption, I could have infected these highly-connected people with some awful disease, and within 72 hours they would have infected almost everyone in the field who have some level of clue. Luckily for the world, they only had to put up with my presence for a few minutes or so, each, and that isn’t contagious.
Here’s a partial list of the people I was happy to see (there were more, but this is who I can remember right now — my apologies for anyone I missed; plus, I may see more in the closing session tomorrow): Candy Alexander, Becky Bace, Robert Bigman, Bob Blakely, Josh Corman, Sam Curry, Jack Daniel, Michelle Dennedy, Matt Devost, Whit Diffie, Andy Ellis, Karen Evans, Dickie George, Greg Hogland, Brian Honan, Alex Hutton, Andrew Jacquith, Toney Jennings, John Johsnson, Gene Kim, Brian Krebs, Penny Leavy, Martin Libicki, Rich Marshall, Gary McGraw, Martin McKeay, Carey Nachenberg, Wendy Nather, Davi Ottenheimer, Andy Ozment, Kevin Poulsin, Paul Rosenzweig, Scott Rotondo, Marc Sachs, Howard Schmidt, Bruce Schneier, Corey Schou, Winn Schwartau, Chenxi Wang, Mark Weatherford, Bob West, Ira Winkler, and Amit Yoran.
Yes, I do know a rather eclectic set of people. Their karma must be bad, because they also know me.
Speaking of karma, I’m already planning to go to RSA 2016.
I’ve known Carey Nachenberg, a Fellow at Symantec, for many, many years. He’s one of the driving forces behind Symantec’s anti-malware software. He’s creative and passionate about cyber security. He’s also an avid rock climber, a teacher, and several other things that make him an interesting person to know.
Now Carey is also a published author of fiction: the adventure novel The Florentine Deception.
I can recommend the book for several reasons. First, it’s an engaging story, with several convincing core plot devices — Carey has taken several of his passions and woven them together into the story. Second, all the proceeds go to charities. Carey has selected several worthwhile causes, and the more books people buy, the more the charities benefit. And third, there is this really odd coincidence that ties Carey’s plot to something a cyber security hack researcher actually wrote about 20 years ago and describes in the Foreword. Carey intended the book as fiction, but it could also be a cautionary tale…or a somewhat embellished version of something frightening that really happened?
As a freshman outing in fiction, the book could have used a little more editing, but still provides a good read. As a tale of unexpected consequences, it really nails one of several cyber issues that has received insufficient consideration. And as an effort to support some worthwhile causes, how can it possibly be ignored?
I encourage you to visit the website for the book, and follow one of the links to purchase a copy. Then enjoy the read, and think about what The Florentine Deception might really mean.
The 2015 CERIAS symposium — held March 24 & 25, 2015 — was wonderful! We had a great array of speakers and panels, and one of our largest audiences in years. The talks were fascinating, the panels provocative, and the student research exciting (as usual).
If you were there and want to hear a repeat of a talk, or if you didn’t make it to the symposium and want to hear what went on, visit our website. We have videos of all the talks and panels plus links to the student research posters and other materials. Similar materials from our 2014 symposium are still online, too!
We haven’t yet set the dates for the 2016 CERIAS Symposium, but stay tuned for that.
.Over the last few days we have seen a considerable flow of news and social media coverage of untended exposure of celebrity photographs (e.g., here). Many (most?) of these photos were of attractive females in varying states of undress, and this undoubtedly added to the buzz.
We have seen commentary from some in the field of cybersecurity, as well as more generally-focused pundits, stating that the subjects of these photos “should have known better.” These commentators claim that it is generally known that passwords/cloud storage/phones have weak security, so the victims only have themselves to blame.
We find these kinds of comments ill-informed, disappointing, and in many cases, repugnant.
First, we note that the victims of these leaks were not trained in cyber security or computing. When someone falls ill, we don’t blame her for not having performed studies in advanced medicine. When someone’s car breaks down, we don’t blame him for failing to have a degree in mechanical engineering. Few people are deeply versed in fields well outside their profession.
The people involved in these unauthorized exposures apparently took prudent measures they were instructed to on the systems as they were designed. As an example, the passwords used must have passed the checks in place or they would not have been able to set them. It doesn’t matter if we approve of the passwords that passed those automated checks -- they were appropriate to the technical controls in place. What the people stored, how they did it, or the social bias against their state of dress has nothing to do with this particular issue.
Quite simply, the protection mechanisms were not up to the level of the information being protected. That is not the users’ fault. They were using market standards, represented as being secure. For instance, it is admitted that Apple products were among those involved (and that is the example in some of our links). People have been told for almost a decade that the iOS and Apple ecosystem is much more secure than other environments. That may or may not be true, but it certainly doesn’t take into account the persistent, group effort that appears to have been involved in this episode, or some of the other criminal deviants working in groups online. We have met a few actresses and models, and many young people. They don’t think of risk in the same way security professionals do, and having them depend on standard technology alone is clearly insufficient against such a determined threat.
Consider: assume you live in a nice house. You’ve got windows, doors, and locks on those windows and doors. You likely have some kind of curtains or window coverings. If you live in a house, even a house with no yard, if you close your curtains we accept that as a request for privacy. If I walk up on the sidewalk and attempt to peer into your windows, that is being a “peeping tom.” Even though I might have every right to stand on the sidewalk, face the direction I’m looking, and stop or pause, I do not have the right to violate your privacy.
Consider: Your house has a nice solid door with a nice lock. That lock likely has orders of magnitude less entropy than a password. Every night you walk through your house, lock your doors, and you go to sleep believing you are likely safe. Yet, that lock and that door will not stop a group of determined, well-equipped attackers or likely even slow them down. The police will not arrive for some amount of time and effective self-protection against unexpected provocation by a gang is uncertain, at best. As a polite and law-abiding society, we respect the door and the lock, and expect others to do the same. We understand that the door and lock keep honest people honest. They set a barrier to entry for criminals. Burglaries still happen and we use the power of law to enact punishment against criminals, although many crimes go unsolved.
If an unauthorized entry to your house occurs, whether by picking the lock, climbing through the window, or discovering a loose set of boards in the wall, we would never blame you, the victim — it is clear that the person who entered, unbidden, was to blame. Some of our peers would try to blame the companies that made the locks and windows, rather than acknowledge the bad intent of the burglar. Too many people in information security tend to think we can always build better locks, or that having “white hats” continually picking locks somehow will lead to them being unpickable. Many are so enamored of the technology of those locks and the pastime of picking them that they will blame the victim instead of anything to do with the production or design of the locks themselves. (This is not a new phenomenon: Spafford wrote about this topic 22 years ago.)
One fundamental error here is that all locks are by design meant to be opened. Furthermore, the common thinking ignores the many failures (and subsequent losses) before any "super lock" might appear. We also observe that few will be able to afford any super-duper unpickable locks, or carry the 20-pound key necessary to operate them. Technological protections must be combined with social and legal controls to be effective.
This leads to our second major point.
Imagine if that burglary occurred at your house, and you suffered a major loss because the agent of the crime discovered your artwork or coin collection. We would not dream of blaming you for the loss, somehow implying that you were responsible by having your possessions stored in your house. If somebody were to say anything like that, we would reproach them for blaming/shaming the victim. Society in general would not try to castigate you for having possessions that others might want to steal.
Unfortunately, many computer professionals (and too many others, outside the profession) have the mindset that crimes on computers are somehow the fault of the victim (and this has been the case for many years). We must stop blaming the victims in cases such as this, especially when what they were doing was not illegal. We see criticism of their activities instead of the privacy invasion as blaming/shaming no less atrocious as that of how rape victims are treated — and that is also usually badly, unfortunately.
If we give users lousy technology and tell them it is safe, they use it according to directions, and they do not understand its limitations, they should not be blamed for the consequences. That is true of any technology. The fault lies with the providers and those who provide vague assurances about it. Too bad we let those providers get away with legally disclaiming all responsibility.
We are sympathetic to the argument that these exposures of images should perhaps be considered as a sex crime. They were acts of taking something without permission that violated the privacy and perceptions of safety of the victim for the sexual gratification and sense of empowerment of the perpetrator (and possibly also other reasons). Revenge porn, stalking, assault, and rape are similar...and we should not blame the victims for those acts, either. The sexually-themed abuse of female journalists and bloggers is also in this category -- and if you aren't aware of it, then you should be: women who write things online that some disagree with will get threats of violence (including rape), get abusive and pornographic messaging and images (deluges of it), and called incredibly offensive names...sometimes for years. It is beyond bullying and into something that should be more actively abhorred.
Some male members of the cyber security community are particularly bad in their treatment of women, too.
Between the two of us, Sam and Spaf, we have served as professors, counselors, and one of us (Liles) as a law enforcement officer; we have well over 50 years combined professional experience with both victims and bad behavior of their abusers. We have counseled female students and colleagues who have been stalked and harassed online for years. They keep encountering law enforcement officials and technologists who ask "What are you doing to encourage this?" None of them encourage it, and some live in real terror 24x7 of what their stalkers will do next. Some have had pictures posted that are mortifying to them and their loved ones, they've lost jobs, had to move, withdraw from on-line fora, lost relationships, and even change their names and those of their children. This can last for years.
Sexual offenders blame the victim to absolve themselves of responsibility, and thus, guilt. "She was acting suggestively," "she was dressed that way," etc. If the people around them chime in and blame the victim, they are excusing the criminal -- they are reinforcing the idea that somehow the victim provoked it and the abuser "obviously couldn't help himself.” They thus add unwarranted guilt and shame to the victim while excusing the criminal. We generally reject this with offenses against children, realizing that the children are not responsible for being abused. We must stop blaming all adult victims (mostly female, but others also get abused this way), too.
Victim blaming (and the offensively named slut shaming -- these aren't "sluts," they are victimized women) must STOP. Do you side with privacy rights and protection of the public, or with the rapists and abusers? There is no defendable middle ground in these cases.
We are also horrified by the behavior of some of the media surrounding this case. The crimes have been labeled as leaks, which trivializes the purposeful invasion and degradation performed. Many outlets provided links to the pictures, as did at least one well-known blogger. That illustrates everything wrong about the paparazzi culture, expressed via computer. To present these acts as somehow accidental (“leak”) and blame the victims not only compounds the damage, but glosses over the underlying story — this appears to be the result of a long-term criminal conspiracy of peeping toms using technologies to gather information for the purpose of attacking the privacy of women. This has allegedly been going on for years and law enforcement has apparently had almost no previous interest in the cases — why isn’t that the lead story? The purposeful exploitation of computer systems and exposure of people's private information is criminal. Some pundits only began to indicate concern when it was discovered that some of the pictures were of children.
It is clear we have a long way to go as a society. We need to do a better job of building strong technology and then deploying it so that it can be used correctly. We need to come up with better social norms and legal controls to hold miscreants accountable. We need better tools and training for law enforcement to investigate cyber crimes without also creating openings for them to be the ones who are regularly violating privacy. We need to find better ways of informing the public how to make cyber risk-related decisions.
But most of all, we need to find our collective hearts. Instead of idealizing and idolizing the technology with which we labor, deflecting criticisms for faults onto victims and vendors, we need to do a much better job of understanding the humanity — including both strengths and weaknesses — of the people who depend on that technology. The privacy violations, credit card fraud, espionage, harassment, and identity thefts all have real people as victims. Cyber security is, at its core, protecting people, and the sooner we all take that to heart, the better.
We are now releasing videos of our sessions at this year’s CERIAS Symposium from late March.
We had a fascinating session with David Medine, chair of the PCLOB discussing privacy and government surveillance with Mark Rasch, currently the CPO for SAIC. If you are interested in the issues of security, counterterrorism, privacy, and/or government surveillance, you will probably find this interesting:
We are also making available videos of some of our other speakers — Amy Hess, Exec. Deputy Director of the FBI; George Kurtz, President & CEO of CrowdStrike; Josh Corman, CTO of Sonatype; and two of our other panel sessions: http://www.cerias.purdue.edu/site/symposium_video/
(You have to put up with my introductions of the speakers, but into every life a little rain must fall.)
That was the 15th Annual CERIAS Symposium. Planning for the 16th Symposium is underway for March 24 & 25, 2015: http://www.cerias.purdue.edu/site/symposium2015
A few weeks ago, I wrote a post entitled “Patching Is Not Security.” Among other elements, I described a bug in some Linksys routers that was not patched and was supporting the Moon worm.
Today, I received word that the same unpatched flaw in the router is being used to support DDOS attacks. These are not likely to be seen by the owners/operators of the routers because all the traffic involved is external to their networks — it is outbound from the router and is therefore “invisible” to most tools. About all they might see is some slowdown in their connectivity.
Here’s some of the details, courtesy of Brett Glass, the ISP operator who originally found the worm on some customer routers; I have replaced hostnames with VICTIM and ROUTER in his account:
Today, a user reported a slow connection and we tapped in with a packet sniffer to investigate. The user had a public, static IP on a Linksys E1000, with remote administration enabled on TCP port 8080. The router was directing SYN floods against several targets on the Telus network in Canada. For example:
10:00:44.544036 IP ROUTER.3070 > VICTIM.8080: Flags [S],
seq 3182338706, win 5680, options [mss 1420,sackOK,TS val 44990601 ecr 0,nop,scale 0], length 0
10:00:44.573042 IP ROUTER.3071 > VICTIM.8080: Flags [S],
seq 3180615688, win 5680, options [mss 1420,sackOK,TS val 44990603 ecr 0,nop,scale 0], length 0
10:00:44.575908 IP ROUTER.3077 > VICTIM.8080: Flags [S], se
q 3185404669, win 5680, options [mss 1420,sackOK,TS val 44990604 ecr 0,nop,scale 0], length 0
10:00:44.693528 IP ROUTER.3072 > VICTIM.8080: Flags [S],
seq 3188188011, win 5680, options [mss 1420,sackOK,TS val 44990616 ecr 0,nop,scale 0], length 0
10:00:44.713312 IP v ROUTER.3073 > VICTIM.http: Flags [S],
seq 3174550053, win 5680, options [mss 1420,sackOK,TS val 44990618 ecr 0,nop,scale 0], length 0
10:00:45.544854 IP ROUTER.3078 > VICTIM.http: Flags [S],
seq 3192591720, win 5680, options [mss 1420,sackOK,TS val 44990701 ecr 0,nop,scale 0], length 0
10:00:45.564454 IP ROUTER.3079 > VICTIM.http: Flags [S],
seq 3183453748, win 5680, options [mss 1420,sackOK,TS val 44990703 ecr 0,nop,scale 0], length 0
10:00:45.694227 IP ROUTER.3080 > VICTIM.http: Flags [S],
seq 3189966250, win 5680, options [mss 1420,sackOK,TS val 44990716 ecr 0,nop,scale 0], length 0
10:00:45.725956 IP ROUTER.3081 > VICTIM.8080: Flags [S], se
q 3184379372, win 5680, options [mss 1420,sackOK,TS val 44990719 ecr 0,nop,scale 0], length 0
10:00:45.983883 IP ROUTER.3074 > VICTIM.8080: Flags [S],
seq 3186948470, win 5680, options [mss 1420,sackOK,TS val 44990745 ecr 0,nop,scale 0], length 0
10:00:46.985034 IP ROUTER.3082 > VICTIM.http: Flags [S],
seq 3194003065, win 5680, options [mss 1420,sackOK,TS val 44990845 ecr 0,nop,scale 0], length 0
In short, the vulnerability used by the "Moon" worm is no longer being used just to experiment; it's being used to enlist routers in botnets and actively attack targets.
One interesting thing we found about this most recent exploit is that the DNS settings on the routers were permanently changed. The router was set to use domain name servers at the addresses
The "Moon" worm was completely ephemeral and did not change the contents of flash memory (either the configuration or the firmware). The exploit I found today changes at least the DNS settings.
Shame on Belkin for dragging their feet on getting a fix out to the public. But more to the point, this is yet another example why relying on patching to provide security is fundamentally a Bad Thing.
Over the past couple of months I’ve been giving an evolving talk on why we don’t yet have secure systems, despite over 50 years of work in the field. I first gave this at an NSF futures workshop, and will give it a few more times this summer and fall.
As I was last reviewing my notes, it occurred to me that many of the themes I’ve spoken about have been included in past posts here in the blog, and are things I’ve been talking about for nearly my entire career. It’s disappointing how little progress I’ve seen on so many fronts. The products on the market, and the “experts” who get paid big salaries to be corporate and government advisors and who get the excessive press coverage, also serve to depress.
My current thinking is to write a series of blog posts to summarize my thinking on this general topic. I’m not sure how many I’ll write, but I have a list of probable topics already in mind. They break out roughly into (in approximate order of presentation):
Each of these will be of moderate length, with some references and links to material to read. If you’re interested in a preview, I recommend looking at some of my recent talks archived on YouTube, some of my past blog posts here, and oral histories of various pioneers in the field of infosec done by the Babbage Institute (including, perhaps, my own).
I’ll start with the first posting sometime in the next few days, after I get a little more caught up from my vacation. But I thought I’d make this post, first, to solicit feedback on ideas that people might like me to add to the list.
My first post will be about the definition of security — and why part of the problem is that we can’t very well fix something that we can’t reliably define and thus obviously don’t completely understand.
I have long argued that the ability to patch something is not a security “feature” — whatever caused the need to patch is a failure. The only proper path to better security is to build the item so it doesn’t need patching — so the failure doesn’t occur, or has some built-in alternative protection.
This is, by the way, one of the reasons that open source is not “more secure” simply because the source is available for patching — the flaws are still there, and often the systems don’t get patched because they aren’t connected to any official patching and support regime. Others may be in locations or circumstances where they simply cannot be patched quickly — or perhaps not patched at all. That is also an argument against disclosure of some vulnerabilities unless they are known to be in play — if the vulnerability is disclosed but cannot be patched on critical systems, it simply endangers those systems. Heartbleed is an example of this, especially as it is being found in embedded systems that may not be easily patched.
But there is another problem with relying on patching — when the responsible parties are unable or unwilling to provide a patch, and that is especially the case when the vulnerability is being actively exploited.
In late January, a network worm was discovered that was exploiting a vulnerability in Linksys routers. The worm was reported to the vendor and some CERT teams. A group at the Internet Storm Center analyzed the worm, and named it TheMoon. They identified vulnerabilities in scripts associated with Linksys E-series and N-series routers that allowed the worm to propagate, and for the devices to be misused.
Linksys published instructions on their website to reduce the threat, but it is not a fix, according to reports from affected users — especially for those who want to use remote administration. At the time, a posting at Linksys claimed a firmware fix would be published “in the coming weeks."
Fast forward to today, three months later, and a fix has yet to be published, according to Brett Glass, the discoverer of the original worm.
Complicating the fix may be the fact that Belkin acquired Linksys. Belkin does not have a spotless reputation for customer relations; this certainly doesn’t help. I have been copied on several emails from Mr. Glass to personnel at Belkin, and none have received replies. It may well be that they have decided that it is not worth the cost of building, testing, and distributing a fix.
I have heard that some users are replacing their vulnerable systems with those by vendors who have greater responsiveness to their customers’ security concerns. However, this requires capital expenses, and not all customers are in a position to do this. Smaller users may prefer to continue to use their equipment despite the compromise (it doesn’t obviously endanger them — as yet), and naive users simply may not know about the problem (or believe it has been fixed).
At this point we have vulnerable systems, the vendor is not providing a fix, the vulnerability is being exploited and is widely known, and the system involved is in widespread use. Of what use is patching in such a circumstance? How is patching better than having properly designed and tested the product in the first place?
Of course, that isn’t the only question that comes to mind. For instance, who is responsible for fixing the situation — either by getting a patch out and installed, or replacing the vulnerable infrastructure? And who pays? Fixing problems is not free.
Ultimately, we all pay because we do not appropriately value security from the start. That conclusion can be drawn from incidents small (individual machine) to medium (e.g., the Target thefts) to very large (government-sponsored thefts). One wonders what it will take to change that? How do we patch peoples’ bad attitudes about security — or better yet, how do we build in a better attitude?