Who is Hacking Whom? [Updated]
[tags]hacking, national security, China, cyber espionage[/tags]
Over the last week or two there have been several news items based on statements and leaks regarding on-going cyber espionage. For instance, two articles, one in the British Financial Times and another on CNN, allege that Chinese agents had successfully broken into systems at the Pentagon, resulting in a shutdown of unclassified mail systems. The London Times had an article on the Chinese Army making preparations for “Cyber War”, and in New Zealand an official indicated that government systems had been hacked by foreign agents, implying Chinese involvement. An article in today's Christian Science Monitor noted that China has been attacking German and British government sites and industry, and another article in the Asia-Pacific news mentions France and Australia as targets.
Of course, these kinds of stories aren't new. There was a story in the Washington Post back in 2005 about alleged Chinese hacking, and another set of stories this past March, including one in USA Today. There seems to be a thread going back to at least 2003, as reported in Time magazine.
Not to be outdone, and perhaps in a classic “Spy vs. Spy” countercharge, a Chinese official complained that their systems had been hacked into and damaged by foreign agents. That could very well be true, but the timing is such that we should be rather skeptical of these claims.
So, what is really going on? Well, it probably is the case that few people know the whole, real story -- and it is undoubtedly classified within each country where any part of the story is known. However, there are a few things we know for certain:
- Most government agencies and companies around the world use common products -- the same products that are so frequently penetrated by criminal hackers and malware. We have years of evidence that these systems are easy to hack and hard to defend. Furthermore, those systems are often not kept up-to-date with patches because they are mission-critical and patches can break existing applications.
- The Chinese have publicly stated that they are pursuing activities in the cyber espionage and warfare arena. Given the world situation, the US, the UK, Germany, and several other countries are likely targets -- not only for political and military espionage, but for economic and technical espionage. (The Chinese could certainly benefit by stealing plans on how to make lead-free toy coloring and toxin-free toothpaste, for instance. :-)
- The Chinese are almost certainly not the only country with resources, talent and motives to commit cyber espionage.
- It's possible (sometimes) to trace connections back to particular networks and machines, but it is difficult to know if those are the “final” machines in a chain. It is even more difficult to determine who is running those machines and whether those individuals are motivated by government orders, criminal intent, or simply a hobbyist's interest. All three groups are likely to be interested in access to the kinds of information that appear to be involved in these incidents; in some cases, there may be ties between organized crime and governmental entities, so activities of one benefit the other.
Given those four observations, we can be reasonably sure that not all the events being discovered are actually government sanctioned; that not all the actors are being accurately identified; and that probably only a fraction of the incidents are actually being discovered. The situation is almost certainly worse in some ways than implied by the newspaper accounts.
Some of us have been warning about lax cyber security, especially coupled with poorly designed COTS products, for years. What is surprising is that authorities and the press are viewing these incidents as surprising!
It remains to be seen why so many stories are popping up now. It's possible that there has been a recent surge in activity, or perhaps some recent change has made it more visible to various parties involved. However, that kind of behavior is normally kept under wraps. That several stories are leaking out, with similar elements, suggests that there may be some kind of political positioning also going on -- the stories are being released to create leverage in some other situation.
Cynically, we can conclude that once some deal is concluded everyone will go back to quietly spying on each other and the stories will disappear for a while, only to surface again at some later time when it serves another political purpose. And once again, people will act surprised. If government and industry were really concerned, we'd see a huge surge in spending on defenses and research, and a big push to educate a cadre of cyber defenders. But it appears that the President is going to veto whatever budget bills Congress sends to him, so no help there. And the stories of high-tech espionage have already faded behind media frenzy over accounts about Britney being fat, at least in the US.
So, who is getting violated? In a sense, all of us, and our own governments are doing some of the “hacking” involved. And sadly, that isn't really newsworthy any more.
Updated 9/14
And here is something interesting from the Air Force that echoes many of the above points.
Purchasing Policies That Create a Barrier to Computing Diversity
Fun with Internet Video
[tags]network crime, internet video, extortion, streaming video[/tags]
Here's an interesting story about what people can do if they gain access to streaming video at a poorly-protected site. If someone on the other end of the phone is really convincing, what could she get the victims to do?
FBI: Strip Or Get Bombed Threat Spreads - Local News Story - KPHO Phoenix:
Cyberwar
[tags]cyber warfare, cyber terrorism, cyber crime, Estonia[/tags]
I am frequently asked about the likelihood of cyber war or cyber terrorism. I'm skeptical of either being a stand-alone threat, as neither is likely to serve the goals of those who would actually wage warfare or commit terrorism.
The incidents in Estonia earlier this year were quite newsworthy and brought more people out claiming it was cyber terrorism or cyber warfare. Nonsense! It wasn't terrorism, because it didn't terrorize anyone -- although it did annoy the heck out of many. And as far as warfare goes, nothing was accomplished politically, and the “other side” was never even formally identified.
Basically, in Estonia there was a massive outbreak of cyber vandalism and cyber crime.
Carolyn Duffy Marsan did a nice piece in Network World on this topic. She interviewed a number of people, and wrote it up clearly. I especially like it because she quoted me correctly! You can check out the article here: How close is World War 3.0? - Network World. I think it represents the situation quite appropriately.
[As a humorous aside, I happened to do a search on the Network World site to see if another interview had appeared without me hearing about it. I found this item that had appeared in December of 2006 and I didn't know about it until now! Darn, and to think I could have started recruiting minions in January. :-)]
8 Security Action Items to Beat “Learned Helplessness”
- Don't be a victim; don't surrender to helplessness. If you have limited energy to spend on security (and who doesn't have limits?), budget a little bit of time on a systematic and regular basis to stay informed and make progress on tasks you identify as important; consider the ones listed below.
- Don't be a target. Like or hate Windows, running it on a desktop and connecting to the internet is like having big red circles on your forehead and back. Alternatives I feel comfortable with for a laptop or desktop system are Ubuntu Linux and MacOS X (for now; MacOS X may become a greater target in time). If you're stuck with Windows, consider upgrading to Vista if you haven't already; the security effort poured into Vista should pay off in the long run. For servers, there is much more choice, and Windows isn't such a dominant target.
- Reduce your exposure (attack surface) by:
- Browsing the web behind a NAT appliance when at home, in a small business, or whenever there's no other firewall device to protect you. Don't rely only on a software firewall; it can become disabled or get misconfigured by malware or bad software, or be too permissive by default (if you can't or don't know how to configure it).
- Using the NoScript extension for Firefox (if you're not using Firefox, consider switching, if only for that reason). JavaScript is a vector of choice for desktop computer attacks (which is why I find the HoneyClient project so interesting, but I digress). JavaScript can be used to violate your privacy* or take control of your browser away from you, and give it to website authors, advertisers on those sites, or to the people who compromised those sites, and you can bet it's not always done for your benefit (even though JavaScript enables better things as well). NoScript gives you a little control over browser plugins, and which sources are allowed to run scripts in your browser, and attempts to prevent XSS exploits.
- Turning off unneeded features and services (OK, this is old advice, but it's still good).
- Use the CIS benchmarks, and if evaluation tools are available for your platform, run them. These tools give you a score, and even as silly as some people may think this score is (reducing the number of holes in a ship from 100 to 10 may still sink the ship!), it gives you positive feedback as you improve the security stance of your computers. It's encouraging, and may lift the feeling that you are sinking into helplessness. If you are a Purdue employee, you have access to CIS Scoring Tools with specialized features (see this news release). Ask if your organization also has access and if not consider asking for it (note that this is not necessary to use the benchmarks).
- Use the NIST security checklists (hardening guides and templates). NIST's Information Technology Laboratory site has many other interesting security papers to read as well.
- Consider using Thunderbird and the Enigmail plugin for GPG, which make handling signed or encrypted email almost painless. Do turn on the SSL- or TLS-only options for connecting to your server (both SMTP and either IMAP or POP) if it supports them; otherwise a client that silently falls back to a plaintext connection will send your password in the clear. If your server doesn't support them, request these features from your provider. Remember, learned helplessness is not making any requests or any attempts because you believe it's not ever going to change anything. If you can log in to the server, you also have the option of SSH tunneling, but it's more hassle.
- Watch CERIAS security seminars on subjects that interest you.
- If you're a software developer or someone who needs to test software, consider using the ReAssure system as a test facility with configurable network environments and collections of VMware images (disclosure: ReAssure is my baby, with lots of help from other CERIAS people like Ed Cates).
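Two of the items above (reducing your attack surface and turning off unneeded services) are easier to act on if you can see what your machine actually exposes to the network. The following script is an added example for this post, not code from the original author: it parses the output of `ss -ltnp` (the Linux listening-socket table), separates sockets bound only to loopback from those reachable from the network, and reports the exposed ones that are not on an allowlist of services you actually need. The sample `ss` output embedded below is constructed for illustration; `sshd` on the allowlist is an assumption, and the `vino-server` VNC listener is the kind of thing this audit is meant to surface.

```python
"""Audit listening sockets from `ss -ltnp` output and flag network-exposed services.

Added example for this post; the SAMPLE_SS_OUTPUT below is constructed, not captured
from a real host.
"""
import re
import subprocess
from typing import FrozenSet, List, NamedTuple, Tuple


class Listener(NamedTuple):
    host: str      # local address with IPv6 brackets removed ("0.0.0.0", "::", "127.0.0.1", "*")
    port: int
    process: str   # owning process name, or "" when ss could not attribute the socket


_PROC_RE = re.compile(r'\(\("([^"]+)"')   # matches users:(("sshd",pid=812,fd=3))


def parse_ss_listeners(text: str) -> List[Listener]:
    """Parse `ss -ltnp` output (with or without its header line) into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                       # header line, blank line, or not a listening socket
        host, _, port = fields[3].rpartition(":")   # "[::]:22" -> ("[::]", ":", "22")
        match = _PROC_RE.search(line)
        listeners.append(Listener(host.strip("[]"), int(port), match.group(1) if match else ""))
    return listeners


def is_loopback(host: str) -> bool:
    """True only for addresses that cannot be reached from another machine."""
    return host == "::1" or host.startswith("127.")


def exposed_listeners(listeners: List[Listener],
                      needed: FrozenSet[str] = frozenset()) -> List[Tuple[int, str]]:
    """Return (port, process) for every non-loopback listener whose process is not in `needed`.

    Wildcard binds (0.0.0.0, ::, *) and binds to a specific interface address both count as
    exposed; IPv4 and IPv6 sockets of the same service are collapsed into one entry.
    """
    seen = set()
    for listener in listeners:
        if is_loopback(listener.host) or listener.process in needed:
            continue
        seen.add((listener.port, listener.process))
    return sorted(seen)


# Constructed sample: an SSH server (wanted), CUPS and MySQL on loopback only (fine),
# and a VNC server (vino) reachable from the network (probably not wanted on a laptop).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=540,fd=7))
LISTEN 0      50     *:5900              *:*               users:(("vino-server",pid=2103,fd=10))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      128    [::1]:3306          [::]:*            users:(("mysqld",pid=1200,fd=21))
"""


def audit(text: str, needed: FrozenSet[str] = frozenset({"sshd"})) -> List[Tuple[int, str]]:
    """Full pipeline: parse, then list exposed services not on the allowlist."""
    return exposed_listeners(parse_ss_listeners(text), needed)


if __name__ == "__main__":
    try:   # run against the live host when ss is available (Linux); fall back to the sample
        text = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_SS_OUTPUT
    for port, process in audit(text):
        print(f"exposed: port {port} ({process or 'unknown process'}) - needed?")
```

Anything this prints is a candidate for either disabling the service, binding it to 127.0.0.1, or adding it to the allowlist on purpose. Run it as root if you want `ss` to attribute every socket to a process; unattributed sockets show up with an empty process name rather than being hidden.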
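The mail item above asks you to turn on TLS-only options so that a client never falls back to sending your password in the clear. The script below is an added example, not code from the original post or from Thunderbird/Enigmail: it encodes that policy explicitly for IMAP and SMTP. Implicit-TLS ports (993, 465) get a TLS socket from the start; on other ports the server's IMAP CAPABILITY or SMTP EHLO response is inspected and the connection is refused, before any LOGIN or AUTH command, unless STARTTLS is advertised. The sample server responses in the test are constructed; the live `connect_*_safely` functions use only the standard library and a verifying `ssl` context, and the SSH tunnel helper corresponds to the "if you can log in to the server" alternative (host, user and local port numbers there are assumptions).

```python
"""Never send mail credentials over plaintext: decide TLS mode from the server's capabilities.

Added example for this post. Only the pure decision functions are exercised offline; the
connect_* helpers talk to a real server and are not called here.
"""
import imaplib
import smtplib
import ssl
from typing import List, Set

IMPLICIT_TLS_PORTS = {("imap", 993), ("smtp", 465)}   # TLS from the first byte, no STARTTLS needed


def imap_capabilities(response: str) -> Set[str]:
    """'* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN' -> {'IMAP4REV1', 'STARTTLS', 'AUTH=PLAIN'}."""
    words = response.strip().split()
    if words[:2] == ["*", "CAPABILITY"]:
        words = words[2:]
    return {w.upper() for w in words}


def smtp_extensions(ehlo_response: str) -> Set[str]:
    """Extension keywords from an EHLO reply, raw wire form ('250-STARTTLS') or smtplib form ('STARTTLS').

    The first line is the server's hostname greeting and carries no extension.
    """
    extensions = set()
    for index, line in enumerate(ehlo_response.splitlines()):
        body = line[4:] if line.startswith("250") and len(line) > 3 and line[3] in "- " else line
        body = body.strip()
        if index == 0 or not body:
            continue
        extensions.add(body.split()[0].upper())
    return extensions


def decide(protocol: str, port: int, server_response: str = "") -> str:
    """'implicit-tls', 'starttls', or 'refuse' (server offers no way to protect the login)."""
    if (protocol, port) in IMPLICIT_TLS_PORTS:
        return "implicit-tls"
    caps = smtp_extensions(server_response) if protocol == "smtp" else imap_capabilities(server_response)
    return "starttls" if "STARTTLS" in caps else "refuse"


def connect_imap_safely(host: str, port: int = 143, timeout: float = 10) -> imaplib.IMAP4:
    """Return an IMAP connection that is TLS-protected, or raise; never authenticates in the clear."""
    ctx = ssl.create_default_context()        # verifies certificate chain and hostname
    if decide("imap", port) == "implicit-tls":
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    conn = imaplib.IMAP4(host, port, timeout=timeout)   # plaintext so far, but nothing sensitive sent
    if decide("imap", port, " ".join(conn.capabilities)) != "starttls":
        conn.shutdown()
        raise RuntimeError(f"{host}:{port} offers no STARTTLS; refusing plaintext login")
    conn.starttls(ssl_context=ctx)
    return conn


def connect_smtp_safely(host: str, port: int = 587, timeout: float = 10) -> smtplib.SMTP:
    """Same policy for submission: TLS before any AUTH command, or no connection at all."""
    ctx = ssl.create_default_context()
    if decide("smtp", port) == "implicit-tls":
        return smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout)
    conn = smtplib.SMTP(host, port, timeout=timeout)
    _code, ehlo = conn.ehlo()
    if decide("smtp", port, ehlo.decode(errors="replace")) != "starttls":
        conn.close()
        raise RuntimeError(f"{host}:{port} offers no STARTTLS; refusing plaintext AUTH")
    conn.starttls(context=ctx)
    conn.ehlo()                               # re-EHLO after STARTTLS, as RFC 3207 requires
    return conn


def ssh_tunnel_argv(user: str, host: str, imap_port: int = 143, smtp_port: int = 587) -> List[str]:
    """ssh command forwarding local ports 1143/1587 to the server's mail ports over SSH.

    For a server with no TLS but a shell account; ssh binds the local forwards to 127.0.0.1
    by default, so the plaintext leg never leaves your machine. Port numbers are assumptions.
    """
    return ["ssh", "-N", "-L", f"1143:localhost:{imap_port}",
            "-L", f"1587:localhost:{smtp_port}", f"{user}@{host}"]
```

The point of `decide` returning `refuse` rather than a fallback is exactly the failure mode the item warns about: a client that "tries TLS first" but then logs in anyway has no security benefit against an attacker on the path who simply strips the STARTTLS line from the capability list. With the tunnel variant, point the client at 127.0.0.1:1143 and 127.0.0.1:1587 while the `ssh -N` process runs.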