[tags]interview,certification[/tags]I was recently interviewed by Gary McGraw for his Silver Bullet interview series.  He elicited my comments on a number of topics, including security testing, ethical hacking, and why security is difficult.If you like any of my blog postings, you might find the interview of some interest.  But if not, you might some of the other interviews of interest – mine was #18 in the series.

[tags]hacking, national security, China, cyber espionage[/tags]
Over the last week or two there have been several news items based on statements and leaks regarding on-going cyber espionage.  For instance, two articles, one in the British Financial Times and another on CNN allege that Chinese agents had successfully broken into systems at the Pentagon resulting in a shutdown of unclassified mail systems.  The London Times had an article on the Chinese Army making preparations for “Cyber War” and in New Zealand an official indicated that government systems had been hacked by foreign agents, implying Chinese involvement.  An article in today’s Christian Science Monitor noted that China has been attacking German and British government sites and industry, and another article in the Asia-Pacific news mentions France and Australia as targets.

Of course, these kinds of stories aren’t new.  There was a story in the Washington Post back in 2005 about alleged Chinese hacking, and another set of stories this past March including one in USA Today,  There seems to be a thread going back to at least 2003, as reported in Time magazine.

Not to be outdone, and perhaps in a classic “Spy vs. Spy” countercharge, a Chinese official complained that their systems had been hacked into and damaged by foreign agents.  That could very well be true, but the timing is such that we should be rather skeptical of these claims.

So, what is really going on?  Well, it probably is the case that few people know the whole, real story—and it is undoubtedly classified within each country where any part of the story is known.  However, there are a few things we know for certain:

1. Most government agencies and companies around the world use common products—the same products that are so frequently penetrated by criminal hackers and malware.  We have years of evidence that these systems are easy to hack and hard to defend. Furthermore, those systems are often not kept up-to-date with patches because they are mission-critical and patches can break existing applications.
2. The Chinese have publicly stated that they are pursuing activities in the cyber espionage and warfare arena.  Given the world situation, the US, Brits, Germany, and several other countries are likely targets—not only for political and military espionage, but for economic and technical espionage.  (The Chinese could certainly benefit by stealing plans on how to make lead-free toy coloring and toxin-free toothpaste, for instance.
3. The Chinese are almost certainly not the only country with resources, talent and motives to commit cyber espionage.
4. It’s possible (sometimes) to trace connections back to particular networks and machines, but it is difficult to know if those are the “final” machines in a chain.  It is even more difficult to determine who is running those machines and whether those individuals are motivated by government orders, criminal intent, or simply a hobbyist’s interest.  All three groups are likely to be interested in access to the kinds of information that appear to be involved in these incidents; in some cases, there may be ties between organized crime and governmental entities, so activities of one benefit the other.

Given those 4 observations, we can be reasonably sure that not all the events being discovered are actually government sanctioned; that not all the actors are being accurately identified; and probably only a fraction of the incidents are actually being discovered.  The situation is almost certainly worse in some ways than implied by the newspaper accounts.

Some of us have been warning about lax cyber security, especially coupled with poorly designed COTS products, for years.  What is surprising is that authorities and the press are viewing these incidents as surprising!

It remains to be seen why so many stories are popping up now.  It’s possible that there has been a recent surge in activity, or perhaps some recent change has made it more visible to various parties involved.  However, that kind of behavior is normally kept under wraps.  That several stories are leaking out, with similar elements, suggests that there may be some kind of political positioning also going on—the stories are being released to create leverage in some other situation.

Cynically, we can conclude that once some deal is concluded everyone will go back to quietly spying on each other and the stories will disappear for a while, only to surface again at some later time when it serves anoher political purpose.  And once again, people will act surprised.  If government and industry were really concerned, we’d see a huge surge in spending on defenses and research, and a big push to educate a cadre of cyber defenders.  But it appears that the President is going to veto whatever budget bills Congress sends to him, so no help there.  And the stories of high-tech espionage have already faded behind media frenzy over accounts about Britney being fat, at least in the US.

So, who is getting violated?  In a sense, all of us, and our own governments are doing some of the “hacking” involved.  And sadly,  that isn’t really newsworthy any more.

Updated 9/14
And here is something interesting from the airforce that echoes many of the above points.

[posted with ecto]

[tags]news, cell phones, reports, security vulnerabilities, hacking, computer crime, research priorities, forensics, wiretaps[/tags]
The Greek Cell Phone Incident
A great story involving computers and software, even though the main hack was against cell phones:
IEEE Spectrum: The Athens Affair.  From this we can learn all sorts of lessons about how to conduct a forensic investigation, retention of logs, wiretapping of phones, and more.

Now, imagine VoIP and 802.11 networking and vulnerabilities in routers and…. —the possibilities get even more interesting.  I suspect that there’s a lot more eavesdropping going on than most of us imagine, and certainly more than we discover.

NRC Report Released
Last week, the National Research Council announced the release of a new report: Towards a Safer and More Secure Cyberspace.  The report is notable in a number of ways, and should be read carefully by anyone interested in cyber security.  I think the authors did a great job with the material, and they listened to input from many sources.

There are 2 items I specifically wish to note:

1. I really dislike the “Cyber Security Bill of Rights” listed in the report.  It isn’t that I dislike the goals they represent—those are great.  The problem is that I dislike the “bill of rights” notion attached to them.  After all, who says they are “rights”?  By what provenance are they granted?  And to what extremes do we do to enforce them?  I believe the goals are sound, and we should definitely work towards them, but let’s not call them “rights.”
2. Check out Appendix B.  Note all the other studies that have been done in recent years pointing out that we are in for greater and greater problems unless we start making some changes.  I’ve been involved with several of those efforts as an author—including the PITAC report, the Infosec Research Council Hard Problems list, and the CRA Grand Challenges. Maybe the fact that I had no hand in authoring this report means it will be taken seriously, unlike all the rest.   More to the point, people who put off the pain and expense of trying to fix things because “Nothing really terrible has happened yet” do not understand history, human nature, or the increasing drag on the economy and privacy from current problems.  The trends are fairly clear in this report: things are not getting better.

Evolution of Computer Crime
Speaking of my alleged expertise at augury, I noted something in the news recently that confirmed a prediction I made nearly 8 years ago at a couple of invited talks: that online criminals would begin to compete for “turf.”  The evolution of online crime is such that the “neighborhood” where criminals operate overlaps with others.  If you want the exclusive racket on phishing, DDOS extortion, and other such criminal behavior, you need to eliminate (or absorb) the competition in your neighborhood.  But what does that imply when your “turf” is the world-wide Internet?

The next step is seeing some of this spill over into the physical world.  Some of the criminal element online is backed up by more traditional organized crime in “meat space.”  They will have no compunction about threatening—or disabling—the competition if they locate them in the real world.  And they may well do that because they also have developed sources inside law enforcement agencies and they have financial resources at their disposal.  I haven’t seen this reported in the news (yet), but I imagine it happening within the next 2-3 years.

Of course, 8 years ago, most of my audiences didn’t believe that we’d see significant crime on the net—they didn’t see the possibility.  They were more worried about casual hacking and virus writing.  As I said above, however, one only needs to study human nature and history, and the inevitability of some things becomes clear, even if the mechanisms aren’t yet apparent.

The Irony Department
GAO reported a little over a week ago that DHS had over 800 attacks on their computers in two years.  I note that the report is of detected attacks.  I had one top person in DC (who will remain nameless) refer to DHS as “A train wreck crossed with a nightmare, run by inexperienced political hacks” when referring to things like TSA, the DHS cyber operations, and other notable problems.  For years I (and many others) have been telling people in government that they need to set an example for the rest of the country when it comes to cyber security.  It seems they’ve been listening, and we’ve been negligent.  From now on, we need to stress that they need to set a good example.

[posted with ecto]

[tags]biometrics,USB,encryption,hacking[/tags]
One of our students who works in biometrics passed along two interesting article links.  This article describes how a password-protected, supposedly very secure USB memory stick was almost trivially hacked.  This second article by the same author describes how a USB stick protected by a biometric was also trivially hacked. I’m not in a position to recreate the procedure described on those pages, so I can’t say for certain that the reality is as presented.  (NB: simply because something is on the WWW doesn’t mean it is true, accurate, or complete.  The rumor earlier this week about a delay in the iPhone release is a good example.) However, the details certainly ring true.

We have a lot of people who are “security experts” or who are marketing security-related products who really don’t understand what security is all about.  Security is about reducing risk of untoward events in a given system.  To make this work, one needs to actually understand all the risks, the likelihood of them occurring, and the resultant losses.  Securing one component against obvious attacks is not sufficient.  Furthermore, failing to think about relatively trivial physical attacks is a huge loophole—theft, loss or damage of devices is simple, and the skills to disassemble something to get at the components inside is certainly not a restricted “black art.”  Consider the rash of losses and thefts of disks (and enclosing laptops) we have seen over the last year or two, with this one being one of the most recent.

Good security takes into account people, events, environment, and the physical world.  Poor security is usually easy to circumvent by attacking one of those avenues.  Despite publicity to the contrary, not all security problems are caused by weak encryption and buffer overflows!

[posted with ecto]