Saturday, December 11, 2010

Wikileaks, Assange, Cyberwar and the Real Information Security Story

Time for some perspective on Wikileaks, the cyber attacks against it, and for it, and the real informaton security story that may get lost in the mix. (Note: I am not under any illusion that the world has been holding its breath waiting for me to weigh in on this subject, this is more of a "memo to the file" undertaking).

For me, the real meat of the Wikileaks story is the content of the documents that are being leaked. Coming a close second is the pathetic state of information security within the US government in general and military/intel systems in particular.

(BTW, I commented on this in the context of a Danger Room story on Wired which apparently was not deemed worthy of approval--one reason I am repeating myself here: American taxpayers have been thoroughly ripped off when it comes to the money spent protecting state secrets.There used to be policies and procedures in place to prevent something like Pfc Manning recording secret documents on a CD-RW labeled Lady Ga Ga, but the army brass likes its tunes too much to put up with that kind of inconvenience, part of the same mindset that leads so many of them to use the same lame password for everything).

However, the BIG story may be the implications of hactivists taking up cyber-arms against the perceived foes of Wikileaks. It reminded me of a Network World column by my friend Mark Gibbs in 2005 titled "The selfish 'Net and the Big One." In that piece I reiterated my longstanding opinion that "the Internet continues to function at the whim of those who know how to bring it down."

As the hactivist fans of Wikileaks tone down their attacks on dot com sites there may be a temptation to dismiss them as a sideshow. However, it would be a big mistake to just say "Those guys couldn't take down" and leave it at that. I would argue that the only reason or any other website is still online is that the people who know how to take it down have decided not to do so. Remember: "the Internet continues to function at the whim of those who know how to bring it down."

To put it another way, the world's virtual economy is built upon a web of trust and mutual self interest, not a bullet-proof framework of resilient technology. To think otherwise is to risk massive losses should a real cyberwar break out.

Saturday, October 23, 2010

Of Satellites and Zombies and Recurring Security Themes

I recently came across some archival security wordage while writing a whitepaper about satellite Internet service. Because it still seems relevant, I thought I would reprint it. But first, some background on satellite Internet. America's telecom companies are fending off demands for universal broadband service requirements by telling politicians that satellite Internet is broadband. It most certainly is not.

Satellite Internet does provide an “always on” connection that is faster than dialup, but one problem with this service is that you have to turn off those automatic software updates that sometimes patch security holes in applications and operating systems (this is because of tight bandwidth caps, as low as 300 megabytes a day, with penalties for going over your limit). So you have these “always on” connections that are not getting patched promptly.

A few years back in the history of computer security it emerged that "always on computing" in the form of consumer computing devices connected to high speed Internet connections created the potential for large-scale attacks on corporate and government systems through compromised hosts (zombies) organized into malicious networks (botnets) by criminal hackers or cyber-terrorists. A prime strategy for turning personal computing devices into zombies is to exploit software vulnerabilities before they are fixed or “patched” by users downloading and installing updates.

Software companies responded to this threat by developing automated distribution systems for security updates. Turning off these automated patching systems increases the risk that consumer Internet devices will be compromised and used in botnet attacks. This threat appears in government reports as early as 2004 (National Infrastructure Advisory Council, Hardening the Internet: Final report and Recommendations by the Council, October, 2004).

I know that it was openly discussed during FTC hearings on computer security in 2002 because I was part of the discussion. The Consumer Information Security Workshop, held May 21-22, 2002, in Washington was addressed by Dick Clarke, then the President's special advisor on cyber security issues and chair of the President's commission on critical infrastructure protection. At that time he was formulating the national strategy for cyber security, a multi-pronged strategy to improve the security of government agencies, businesses and consumers.

(Before his appointment as special advisor to the President, Clarke served as national coordinator for security infrastructure protection and counter-terrorism on the National Security Council. As national coordinator, he led the U.S. government's efforts on counter-terrorism, cyber security, continuity of government operations, domestic preparedness for weapons of mass destruction and international organized crimes. In the George H. W. Bush Administration, Clarke was the assistant secretary of state for political military affairs. In that capacity, he coordinated State Department support for Desert Storm and led efforts to create post war security architecture. In 1992, General Scowcroft appointed Mr. Clarke to the National Security Council staff.)

So here's what Clarke said about the 2002 FTC Consumer Information Security Workshop:

"We see this two-day workshop as part of the national outreach effort that we are making as we develop the national strategy to secure cyberspace. How can the home user, without knowing it, hurt other people? Tim mentioned distributed denial of service attacks, and we've seen that happen already. This is not a theoretical possibility where the home user, without knowing it, has their computer attacked. A part of their computer is then covertly taken over by an automated program, and it sits waiting for instructions or it sits waiting for a time, and then when that time comes, it launches what's called a distributed denial of service attack, firing messages out many times a second, and it does it in concert with hundreds or thousands of other computers, and those messages from all of those computers are aimed at one site on the Internet. The effect can be that the site closes down under the volume, that the routers and the servers crash under the wave.

"...In point of fact, denial of service attacks occur every day. There are hundreds a month aimed at all sorts of different sites all over the Internet and all over the world, and many of them are happening because the home consumer hasn't been told how to prevent his or her computer from becoming a zombie. Many people don't even know when their computer has become a zombie."

Later, the same FTC workshop heard from Tatiana Gau, Vice President of Integrity Assurance at America Online about "one of the approaches that we took earlier this year with the National Cyber Security Alliance."

This was a Call to Action that went like this:

"As a citizen of the United States it is your duty to do your part in trying to protect the nation's infrastructure. Yes, there's other elements that need to play a role in protecting our nation's infrastructure, but you as a consumer need to make sure that you don't unwittingly become the mechanism through which an organized group or a disorganized group could, in fact, attack a government web site or some other system in our country by having your computer become a robot simply because you had a password that was too easy to guess."

So, here we are, eight years later. The average consumer is probably a little better informed about cyber security than they were back then, but not much. And America's telecomm companies are trying to avoid serving rural areas by touting an "always on" consumer Internet service that arguably has a higher risk profile than cable, DSL, or fiber optic. Good job we're less reliant on computers these wait, we're a lot more reliant, pity we're not a lot more aware of the risks.

Wednesday, June 16, 2010

Enterprise PDF Attack Prevention Best Practices: As commended by SANS

"According to McAfee Avert Labs, as of Q1 2010, malicious malformed PDF files are now involved with 28% of all malware directly connected to exploits." So states Mike Cobb in this very handy article on Enterprise PDF Attack Prevention Best Practices (free registration may be required but is totally worth it).

Of course, you may be thinking: Stephen Cobb says it's worth reading because Mike Cobb wrote it. So here's an objective opinion: "very good refresher on best practices for protecting against any malware spread by using any number of compromised attachments." That's Deb Hale of Long Lines, writing in SANS Internet Storm Center Diary.

True, Mike Cobb is my brother, but he is also Mike Cobb, CLAS, CISSP-IASSP, MCDBA. (BTW, for the acronymically-minded, CLAS = CESG Listed Adviser Scheme. CESG is the Communications-Electronics Security Group, which describes itself as the Information Assurance (IA) arm of GCHQ (as in Government Communications Headquarters) which is basically the UK equivalent of the USA's NSA/NRO). In other words, Mike knows quite a bit about security, as well as initials and acronyms.

Friday, April 23, 2010

The Feed to Read When You Need Cyber-Security Info

I think I have mentioned David Kennedy's information security updates before. I get them on FriendFeed but you can read them on Google as well (and that might be more convenient for some people).

David consistently flags the most interesting cyber-security stories out there and is a great resource if you want to stay current. Here's just one example, a very elaborate phishing scam recently perpetrated via Gmail, as written up by Cyveillance.

So why is there a Dilbert comic in this post? Well, reading a constant stream of breaches and scams and cyber-crimes is not much fun and can be somewhat overwhelming when you are responsible for fighting an uphill and inherently asymmetric battle to keep your systems safe.

But what else are you going to do? If you don't stay informed, you could fall prey to a "known attack" and that is no fun at all.

So I pasted in some Dilbert for light relief. I actually licensed this strip and several others for the 1996 edition of my guide to PC and LAN security. As I recall, Dilbert creator Scott Adams was a lot more helpful than some other cartoonists I contacted back then. Thanks Scott!

Sunday, February 21, 2010

Dumb and Dumber: School district spying, assisted burglary

This post was supposed to contain further details of the CAFE cycle that I outlined in my previous post but no, two dumb things cropped up this past week on which I feel obliged to comment.

First, we have the school district in Pennsylvania that gave all its high school students laptops with built in cameras that could be remotely activated by teachers to take pictures of the students without the students' knowledge. Sounds like a really dumb idea? Yes, it was a really dumb idea, particularly in light of the high statistical probability that at least one of those teachers is a paedophile (no, I'm not accusing anyone of paedophilia, but statistically I'm right--it was true in my high school and it is/was probably true in yours).

So yes, a dumb idea, and what makes it particularly shocking is that this school district is not in some backwater town. The Lower Merion School District is one of the most affluent in the country, located in an upscale suburb of Philadelphia (after all, it was rich enough to out 2,300 Apple laptops with built in cameras).

This monumentally dumb idea came to light when a student was upbraided by a teacher for inappropriate behavior. The evidence? A snapshot taken remotely by one of those laptops with a built in camera that could be remotely activated by teachers to take pictures of the student without his or her knowledge. Talk about the the beam in thine eye versus the mote in mine.  Here's more of what has been reported:
The Assistant Principal of Harriton High School reprimanded 15-year-old student Blake Robbins for "improper behavior in his home," according to the lawsuit. Matsko cited as evidence a photograph from the webcam on the boy's school-issued laptop. Harriton High School student Blake Robbins, claims that an assistant principal reprimanded the 15-year-old for "improper behavior in his home" that was captured by the embedded camera on Robbins' school-issued Apple MacBook. Robbins told reporters that the improper behavior he was cited for was eating Mike & Ike candies, which he said the school mistook for illegal pills.
Just how inappropriate was the assistant prinicipal's action? Well, the logic behind the remote picture taking was to aid in the recovery of a stolen laptop. In other words, it was a "security feature." There has been no claim that Robbins' laptop was stolen, but more importantly, one of the basics that any decent class in computer security teaches you is that all security features can be abused.

The example I normally use in my classes is a company deploying data encryption and a disgruntled employee encrypting company data, then demanding a ransom to decrypt it. That is why security features must deployed very carefully, with controls to prevent abuse, like a master key to the encryption scheme that prevents data ransoming.

In the case of Lower Merion School District the abuse was to invade the student's privacy and the point of failure was a lack of sufficient controls to prevent such abuse (i.e. a strong permissioning process for the use of the remote viewing capability, e.g. requiring two teachers and the principal signing off on the activation after a documented evidence of theft).

Part of the stupidity in Lower Merion School District was the commission of this particular act of privacy invasion within this particular demographic. This is a place where many parents are well-educated, tech-savvy, and probably more inclined to outrage than most. When you read the complaint filed by parents of the student you will know what I mean. Given the international attention this case has received, not to mention FBI involvement, I would say it is destined for the textbooks. It sure looks like omitting this security feature and taking the risk of losing a few laptops would have been a much better decision.

So, there was one more stupid thing I wanted to mention, a web site created to show how stupid people can be. Yes, that's right. Some people in the Netherlands created a web site called PleaseRobMe that shows how you could target a home for low-risk burglary by monitoring social media sites where people mention their comings and goings. Talk about a pointless exercise, the only point apparently being media attention for the people who created the site (and yes, the media loved this story, playing it on the evening news along these lines: "Be scared oh you sheep, burglars can now use Facebook and Twitter to rob you!"

Well, let's see how that might work. I'm going out of town to a trade show tomorrow. I will be gone for several days. This is well known to my friends and family and colleagues. It can also be deduced from any number of web sites about the show, the company, or me. But you'd have to be an exceptionally stupid burglar to try robbing my place next week. Apart from the dog and the attack cats that will be in residence, there will be one heavily-armed lady at home who is an excellent shot. Do you feel lucky?

I will pick up the CAFE cycle next post.

Saturday, February 06, 2010

Do They Ride the Same Cycle? Criminal hacking, terrorists, and other security threats

I have written this post/article/paper because I see a pattern of human behavior, the understanding of which may have some potential to improve the security of data and data subjects in the virtual world, as well as the security of persons and property in the real world. Because my thoughts about this pattern came together while I was in my favorite coffee shop, I coined the term “CAFE cycle” to describe a cycle of behavior that goes like this:
I will describe the cycle in generic terms then present two examples. Generically, a person becomes motivated by a Cause and takes Action to achieve the goal of that cause. Frustrated by failure to achieve the goal through legal means, the person takes illegal action, exposing him or her to three potentially problematic experiences: illicit thrills, illegal gains, and group membership. Continued failure to achieve the goal leads the person to pursue extreme forms of these experiences until they become an end in their own right, an Extremism that supplants the original Cause for Action, essentially rendering it irrelevant.

For a basic example consider an adolescent male who wants to learn, through direct experience, the workings of large computer networks. He exhausts the limited avenues of legal access to a large network and so he makes repeated attempts to gain unauthorized access, breaking the law as he does so.

Thursday, February 04, 2010

2 Security Tips: David Kennedy and the Symantec Threat Forecast 2010 Webinar Recording

Just a quick post to point to the archived version of the Symantec MessageLabs Threat Forecast 2010 Webinar/webcast that I mentioned in my previous post: A Good Way to Start the Year. Definitely worth watching.

Also worth watching as we make our way forward into a fresh decade of information system security challenges, are the updates from David Kennedy. You can catch them on FriendFeed and for me they are just the right mix of security alert. Not too granular, but most likely to include the stuff you don't want to miss. David's been at this a long time and become wise in the ways of the security world (for a short time in the mid-nineties we were co-workers at NCSA, later ISCA Labs and TruSecure). You can also catch David's blog at Verizon Business.

Friday, January 15, 2010

Symantec Threat Forecast 2010 Webinar: A Good Way to Start the Year

Okay, so the year has already started, but how many hours have you spent pondering your information security strategy for 2010? If the answer is zero, then there's a webinar on January 19 you should sign up for here. If your answer was greater than zero then: a. Good for you, seriously! b. Ask yourself if you could use some well-informed speculation about what is coming down the pike in 2010, threat-wise, seriously. Consider:
"With compromised computers issuing 83% of the 107 billion spam messages distributed globally each day, the shutdown of botnet hosting ISPs, such as McColo in 2008 and Real Host in 2009, appear to have made botnets re-evaluate and enhance their backup strategy to enable recovery in just hours.

"It is predicted that in 2010 botnets will become autonomously intelligent, with each node containing an inbuilt self-sufficient coding in order to coordinate and extend its own survival."
 *Source: MessageLabs Intelligence 2009 Annual Security Report

Not that all the threats to your data in 2010 are botnets, far from it, but the continued rise of botnets puts pressure on all levels of security, from end points to servers and even analog attack points like employee compromise. In 2010 we will continue to experience the knock-on effects of the marketization of compromised systems and personal data that can pry open system access. Register for the webinar now and you can get the MessageLabs Intelligence 2009 Annual Security Report. See you on the 19th.