Quotulatiousness

June 19, 2011

Cyber-espionage in theory and practice

Filed under: China, Government, Military, Technology, USA — Nicholas @ 09:50

An interesting article at Strategy Page discussing online espionage:

Firms with the most to lose, like financial institutions, guard their data most successfully. They do this the old-fashioned way, with layers and layers of security, implemented by the best (and most highly paid) people and pushed by senior managers who take the time to learn about what they are dealing with, and what it will take to stay on top of the problem.

It’s different in the defense business. If the Chinese steal data on some new weapon, there might be a problem years down the road, when the Chinese offer a cheaper alternative to an American weapon, for the export market. But even that problem has a silver lining, in that you can get away with insisting that those clever Chinese developed your technology independently. Meanwhile, everyone insists that there was no espionage, cyber or traditional, involved. As a further benefit, the American firm will get more money from a terrified government, in order to maintain the American technical edge. It’s the same general drill for military organizations. But for financial institutions, especially those that trade in fast moving currency, derivatives and bond markets, any information leaks can have immediate, and calamitous consequences. You must either protect your data, or die.

It’s not exactly a secret that China has been active in this area, but the extent of their official activity is hard to state. However, just as non-state actors take advantage of individuals who fail to use anti-virus software on their computers, ignorance and apathy are tools for state actors:

But the biggest problem, according to military Cyber War commanders, is the difficulty in making it clear to political leaders, and non-expert (in Internet matters) military commanders, what the cyber weapons are, and the ramifications of the attacks. Some types of attacks are accompanied by the risk of shutting down much, or all, of the Internet. Other types of operations can be traced back to the source. This could trigger a more conventional, even nuclear, response. Some attacks use worms (programs that, once unleashed, keep spreading by themselves.) You can program worms to shut down after a certain time (or when certain conditions are met). But these weapons are difficult, often impossible, to test “in the wild” (on the Internet). By comparison, nuclear weapons were a new, very high-tech, weapon in 1945. But nukes were easy to understand; it was a very powerful bomb. Cyber weapons are much less predictable, and that will make them more difficult for senior officials to order unleashed.

So the first order of business is to develop reliable techniques to quickly, and accurately, educate the senior decision makers about what they are about to unleash. This would begin with the simplest, and cheapest, weapons, which are botnets, used for DDOS attacks. In plain English, that means gaining (by purchase or otherwise) access to hundreds, or thousands, of home and business PCs that have had special software secretly installed. This allows whoever installed the software that turned these PCs into zombies, to do whatever they want with these machines. The most common thing done is to have those PCs, when hooked up to the Internet, send as many emails, or other electronic messages, as they can, to a specified website. When this is done with lots of zombies (a botnet), the flood of messages becomes a DDOS (Distributed Denial of Service) attack that shuts the target down. This happens because so much junk is coming in from the botnet, that no one else can use the web site.
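The passage describes the botnet flood from the target's side: a web site drowned in junk from many sources at once. The example below is added here and is not from the Strategy Page article; it shows what that looks like in a server's own access log and how a defender tells a distributed flood from one misbehaving client. It parses common-log-format lines with a sliding window per source address; the log lines, the addresses (RFC 5737 documentation ranges) and the 100-requests-per-10-seconds threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "common log format" line, e.g.
# 203.0.113.10 - - [19/Jun/2011:09:50:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooders(lines, window_seconds=10, threshold=100):
    """Sliding-window request counter per source address.

    Returns {ip: peak number of requests seen inside any window_seconds span}
    for every source that reached `threshold`. Lines are assumed to be in
    timestamp order, as a server writes them.
    """
    recent = defaultdict(deque)
    peaks = {}
    span = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > span:          # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def assess(peaks, min_sources=3):
    """Label the pattern: many flooding sources at once is the botnet signature."""
    if not peaks:
        return "no flood"
    return "distributed flood" if len(peaks) >= min_sources else "single-source flood"


def make_sample_log():
    """Constructed sample, not real traffic: four 'zombie' addresses each send
    150 requests within five seconds while two ordinary clients send a few."""
    base = datetime(2011, 6, 19, 9, 50, 0, tzinfo=timezone.utc)
    zombies = ["203.0.113.10", "203.0.113.11", "198.51.100.7", "192.0.2.99"]
    events = []
    for i in range(150):                      # 30 requests per second per zombie
        for ip in zombies:
            events.append((base + timedelta(seconds=i // 30), ip))
    for i in range(5):                        # normal browsing: one request a second
        events.append((base + timedelta(seconds=i), "192.0.2.5"))
        events.append((base + timedelta(seconds=i, milliseconds=500), "192.0.2.6"))
    events.sort(key=lambda e: e[0])
    return [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'
        for ts, ip in events
    ]


if __name__ == "__main__":
    flooders = find_flooders(make_sample_log())
    for ip, peak in sorted(flooders.items()):
        print(f"{ip}: {peak} requests in 10 s")
    print(assess(flooders))
```

On the constructed log, each of the four zombie addresses peaks at 150 requests inside the window while the two ordinary clients never reach the threshold, so `assess` reports a distributed flood. In practice the threshold is tuned per site, and a real botnet is spread over far more sources than four, which is exactly why per-source limits alone do not stop it.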

June 17, 2011

DARPA’s “National Cyber Range” on schedule

Filed under: Government, Technology, USA — Nicholas @ 10:07

In order to determine ways to fend off or prevent attacks on the internet, DARPA is hoping to have their scale model of the internet ready sometime next year for testing:

The US defence agency that invented the forerunner to the internet is working on a “virtual firing range” intended as a replica of the real internet so scientists can mimic international cyberwars to test their defences.

Called the National Cyber Range, the system will be ready by next year and will also help the Pentagon to train its own hackers and refine their skills to guard US information systems, both military and domestic.

The move marks another rise in the temperature of the online battlefield. The US and Israel are believed to have collaborated on a sophisticated piece of malware called Stuxnet that targeted computers controlling Iran’s nuclear centrifuge scheme. Government-authorised hackers in China, meanwhile, are suspected to have been behind a number of attacks on organisations including the International Monetary Fund, French government and Google.

[. . .]

Darpa is also working on other plans to advance the US’s cyber defences. A program known as Crash — for Clean-slate design of Resilient, Adaptive, Secure Hosts — seeks to design computer systems that evolve over time, making them harder for an attacker to target.

The Cyber Insider Threat program, or Cinder, would help monitor military networks for threats from within by improving detection of threatening behaviour from people authorised to use them. The problem has loomed large since Bradley Manning allegedly passed confidential state department documents to WikiLeaks, the anti-secrecy website.

Another is a Cyber Genome, aimed at automating the discovery, identification and characterisation of malicious code. That could help figure out who was behind a cyber-strike.

May 11, 2011

How resilient is the internet?

Filed under: Economics, Media, Technology — Nicholas @ 09:57

Richard Clayton summarizes a recent study by European Network and Information Security Agency (ENISA) on the internet’s ability to cope with disruptions. Among the ways the internet is vulnerable are:

First, the Internet is vulnerable to various kinds of common mode technical failures where systems are disrupted in many places simultaneously; service could be substantially disrupted by failures of other utilities, particularly the electricity supply; a flu pandemic could cause the people on whose work it depends to stay at home, just as demand for home working by others was peaking; and finally, because of its open nature, the Internet is at risk of intentionally disruptive attacks.

Second, there are concerns about sustainability of the current business models. Internet service is cheap, and becoming rapidly cheaper, because the costs of service provision are mostly fixed costs; the marginal costs are low, so competition forces prices ever downwards. Some of the largest operators — the ‘Tier 1’ transit providers — are losing substantial amounts of money, and it is not clear how future capital investment will be financed. There is a risk that consolidation might reduce the current twenty-odd providers to a handful, at which point regulation may be needed to prevent monopoly pricing.

Third, dependability and economics interact in potentially pernicious ways. Most of the things that service providers can do to make the Internet more resilient, from having excess capacity to route filtering, benefit other providers much more than the firm that pays for them, leading to a potential ‘tragedy of the commons’. Similarly, security mechanisms that would help reduce the likelihood and the impact of malice, error and mischance are not implemented because no-one has found a way to roll them out that gives sufficiently incremental and sufficiently local benefit.

Fourth, there is remarkably little reliable information about the size and shape of the Internet infrastructure or its daily operation. This hinders any attempt to assess its resilience in general and the analysis of the true impact of incidents in particular. The opacity also hinders research and development of improved protocols, systems and practices by making it hard to know what the issues really are and harder yet to test proposed solutions.

H/T to Bruce Schneier for the link.

May 2, 2011

I think I’ll hold off on buying a PlayStation for a little while longer

Filed under: Gaming, Technology — Nicholas @ 09:17

I actually was considering buying a PS3 in the near future, as our existing Blu-Ray player doesn’t play nicely with Netflix, while my domestic gaming advisor tells me that PS3’s do. Sony’s security problems are enough to give me pause:

“It’s really scary,” said Marsh Ray, a researcher and software developer at two-factor authentication service PhoneFactor, who fleshed out the doomsday scenario more thoroughly on Monday. “It’s justification for Sony freaking out. They could lose control of their whole PS3 network.”

Ray’s speculation is fueled in part by chat transcripts that appear to show unknown hackers discussing serious weaknesses in the PSN authentication system. In it, purported hackers going by the handles trixter and SKFU discuss how to connect to PSN servers using consoles with older firmware that contain bugs susceptible to jailbreaking exploits, even though Sony takes great pains to prevent that from happening.

“I just finished decrypting 100% of all PSN functions,” SKFU claimed.

There’s no evidence the participants had anything to do with the massive security breach that plundered names, addresses, email addresses, passwords and other sensitive information from some 77 million PSN users. But the log did raise questions about the security of the network, since it claimed it was possible to fool the PSN’s authentication system into permitting rogue consoles.

On this reading, arrogance on the part of Sony executives, and complacency on the part of developers and testers are key elements of the security failure:

“If you can’t jailbreak it, then I can see a developer assuming that they don’t need a particular authorization check on what’s coming across the wire because a user can’t do that,” said WhiteHat Security CTO Jeremiah Grossman, an expert in web application security. “So if somebody managed to jailbreak their device and pop a flaw, I can see something major happening there.”

Hotz, the PS3 jailbreaker who recently settled the copyright lawsuit Sony brought against him, said in a recent blog post that the theory is plausible and that responsibility for the hack lay squarely on the shoulders of Sony executives who placed too much trust in the invulnerability of the PS3.

“Since everyone knows the PS3 is unhackable, why waste money adding pointless security between the client and the server?” Hotz, aka GeoHot, wrote. “This arrogance undermines a basic security principle, never trust the client. Sony needs to accept that they no longer own and control the PS3 when they sell it to you.”
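Grossman's and Hotz's point is the same one: a developer who assumes the client cannot be modified skips the server-side check, and the first modified client walks through. The example below is added here and is not Sony's or PSN's code, nor anything from the quoted article; it is a generic game-service request handler in two versions. The session table, entitlement table and the forged message are all constructed for the example.

```python
import json

# Constructed server-side state standing in for a session store and an
# entitlement database. Nothing here reflects any real service's design.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ENTITLEMENTS = {"alice": {"game-1"}, "bob": set()}
ALLOWED_FIELDS = {"session", "item"}


def handle_download_trusting_client(raw_request):
    """Vulnerable pattern: the handler believes the identity and the
    'entitled' claim that the client put in the message, on the assumption
    that a genuine client would never send anything else."""
    req = json.loads(raw_request)
    if req.get("entitled") is True:
        return ("OK", req.get("user"), req.get("item"))
    return ("DENIED", req.get("user"), req.get("item"))


def handle_download_server_side(raw_request):
    """Hardened pattern: identity comes from the server's own session record,
    the entitlement decision comes from server-side data, and any extra
    fields the client sends are discarded rather than honoured."""
    try:
        req = json.loads(raw_request)
    except json.JSONDecodeError:
        return ("DENIED", None, None)
    if not isinstance(req, dict):
        return ("DENIED", None, None)
    # Keep only the fields the protocol defines; a forged "user" or
    # "entitled" key never reaches the decision logic.
    req = {k: v for k, v in req.items() if k in ALLOWED_FIELDS}
    user = SESSIONS.get(req.get("session"))
    item = req.get("item")
    if user is None or not isinstance(item, str):
        return ("DENIED", None, item)
    if item in ENTITLEMENTS.get(user, set()):
        return ("OK", user, item)
    return ("DENIED", user, item)


# Constructed forged message: bob's valid session, but the body claims to be
# alice and asserts entitlement to an item bob does not own.
FORGED = json.dumps({"session": "sess-bob", "user": "alice",
                     "item": "game-1", "entitled": True})
HONEST = json.dumps({"session": "sess-alice", "item": "game-1"})

if __name__ == "__main__":
    print("trusting client:", handle_download_trusting_client(FORGED))
    print("server side   :", handle_download_server_side(FORGED))
    print("server side   :", handle_download_server_side(HONEST))
```

The hardened handler never reads who the client says it is; it derives the user from the session the server issued and looks the entitlement up itself, so a jailbroken client that edits the message gains nothing. Whitelisting the accepted fields is the cheap way to make sure a claim the protocol never intended to carry cannot slip into a later code path.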

April 28, 2011

Want a secure home? Even want it zombie-proof? Here you go

Filed under: Randomness — Nicholas @ 12:12

The first house to be certified as Zombie-proof:

“The most essential item for our clients was acquiring the feeling of maximum security,” begins the designers’ website in the summary of the structure. Who wouldn’t feel safe in a concrete rectangle that folds in upon itself to become completely sealed? Even the windows are covered with a slab of concrete when the structure is on nap time.

The house, with its movable walls, has only one entrance, which is located on the second floor after crossing a drawbridge. Seems like the perfect opportunity to use a flamethrower and defend the life of your family, while stylishly nesting in a piece of architectural elitism.

Lots of pictures at the original post. Here’s your drawbridge:

Here are the upper-story “shutters” swinging shut and the roll-down partially deployed:

And finally, your nice, safe, snug zombie-proof home all tucked in for the assault:

H/T to Markus Baur for the link.

April 27, 2011

Syrian update

Filed under: Liberty, Middle East — Nicholas @ 07:43

With attention focused on Libya, the Syrian situation is still highly volatile:

Bashar Assad clings to power by manipulating the fear within the many factions supporting him that they would have to flee the country, to avoid death or prison, if the current government fell. Then there is the threat that the security forces would use extreme violence to suppress the demonstrations. This, however, could enrage the general population and trigger a bloody civil war. The only thing everyone can agree on is a desire for peaceful resolution of the crises. But Assad and his cronies don’t want to give up power, and they may have to risk everything to find out how far most Syrians are willing to go to force big changes.

Five weeks of escalating violence have left over 200 dead, and over a thousand arrested (and hundreds later released). While nearly all the dead are protestors, more security forces personnel are getting killed. The government is using armed militias (from the groups that have always supported the Assad dictatorship) as well as the police and “special” (secret) police to try and control or terrorize the growing number of demonstrators. There are also said to be small numbers (hundreds) of “security specialists” from Iran. Some Hezbollah gunmen are believed involved as well, and Syrians are accusing these “foreigners” of many of the killings. While most of the leadership posts in the police and army are held by minorities (like the Alawite sect the Assads belong to), most of the troops are majority Sunni Arab. Thus Assad controls management, but has to be careful with the rank and file.

If enough civilians hit the streets, there won’t be enough security forces to confront them, and the entire structure of the Assad police state will start coming apart. Iran might try to stop it, with a massive transfer (by air) of security personnel, and many more from Hezbollah entering by land. Hezbollah loses a lot if it no longer has those land supply routes from Syria. Meanwhile, each Friday (the Moslem Sunday), the demonstrations get larger. The way things have been going, it won’t be many more Fridays before Assad and his crew are gone, or the country is getting blown apart by civil war. It’s unclear if democracy or a new dictatorship will replace the old government. There are many tribes and factions in Syria, and predicting how they will all shake out is not possible.

Update: Just so you don’t forget, at the same time the Syrian government is attempting to suppress the demonstrations, it is running (unopposed) for a seat on the UN Human Rights Council.

April 14, 2011

DANE to address weaknesses in internet security?

Filed under: Technology — Nicholas @ 12:05

The Economist looks at a possible way to address the known weaknesses of the current internet security defaults:

[A] comprehensive solution would let domain owners confirm that the names and machine numbers issued by a given CA are kosher. Under DNS-based Authentication of Named Entities (DANE), a standard being developed by Mr Schultze and others at the Internet Engineering Task Force, a browser retrieves a certificate from a web server, but checks with the DNS whether the certificate is in fact the one that was issued to a given domain owner. So, though a CA will still provide a validation step, the domain owner will have had to give it the thumbs up first. To prevent malevolent fiddling the DNS infrastructure itself needs to be secured, too. A long-running effort to do this, known as DNSSEC, hit a key milestone in 2010 and may have enough pieces in place soon to be usable. This is important because DANE would be incomplete without it.
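The mechanism the paragraph describes is a DNS record, published by the domain owner, that the browser compares against the certificate the server just presented. The example below is added here and is not code from The Economist or from the IETF working group; it models that check using the TLSA record fields defined in RFC 6698 (certificate usage, selector, matching type, association data). The "certificates" are arbitrary byte strings standing in for DER, the DNS answers are a constructed dictionary standing in for a DNSSEC-validated lookup, and the `pkix_ok` flag stands in for the browser's ordinary CA chain validation.

```python
import hashlib
import hmac

# TLSA field values from RFC 6698. Certificates and DNS answers below are
# constructed stand-ins (arbitrary bytes, not real DER) so the example runs offline.
USAGE_PKIX_EE = 1      # end-entity match AND the normal CA chain must validate
USAGE_DANE_EE = 3      # end-entity match alone is sufficient (domain-issued cert)
SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def tlsa_owner_name(host, port=443, proto="tcp"):
    """TLSA records live at _port._proto.host, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host}."


def parse_tlsa(rdata):
    """'3 0 1 <hex>' -> (usage, selector, matching_type, association_bytes)."""
    usage, selector, matching, data = rdata.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex(data.replace(" ", ""))


def association_data(cert_der, spki_der, selector, matching):
    """Compute what the record's data field should hold for this certificate."""
    blob = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if matching == MATCH_EXACT:
        return blob
    if matching == MATCH_SHA256:
        return hashlib.sha256(blob).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching}")


def dane_check(host, cert_der, spki_der, dns_answers, pkix_ok):
    """Return True/False when TLSA records exist for the host, or None when none
    do (the caller then falls back to ordinary CA validation). dns_answers
    simulates a DNSSEC-validated lookup: {owner_name: [rdata, ...]}. Records with
    the CA-constraint usages 0 and 2 need the whole chain and are skipped here."""
    records = dns_answers.get(tlsa_owner_name(host), [])
    if not records:
        return None
    for rdata in records:
        usage, selector, matching, expected = parse_tlsa(rdata)
        if usage not in (USAGE_PKIX_EE, USAGE_DANE_EE):
            continue
        if usage == USAGE_PKIX_EE and not pkix_ok:
            continue
        actual = association_data(cert_der, spki_der, selector, matching)
        if hmac.compare_digest(actual, expected):
            return True
    return False


# Constructed material: the owner's real certificate, plus a second certificate
# that a CA was tricked into issuing for the same name (it passes plain CA checks).
LEGIT_CERT, LEGIT_SPKI = b"cert-of-login.example.com", b"spki-of-login.example.com"
ROGUE_CERT, ROGUE_SPKI = b"mis-issued-cert", b"mis-issued-spki"
DNS = {
    tlsa_owner_name("login.example.com"): [
        "3 0 1 " + hashlib.sha256(LEGIT_CERT).hexdigest(),   # domain-issued, full cert, SHA-256
        "1 1 2 " + hashlib.sha512(LEGIT_SPKI).hexdigest(),   # PKIX-constrained, SPKI, SHA-512
    ],
}

if __name__ == "__main__":
    print("owner's cert :", dane_check("login.example.com", LEGIT_CERT, LEGIT_SPKI, DNS, pkix_ok=True))
    print("mis-issued   :", dane_check("login.example.com", ROGUE_CERT, ROGUE_SPKI, DNS, pkix_ok=True))
    print("no TLSA data :", dane_check("other.example.com", LEGIT_CERT, LEGIT_SPKI, DNS, pkix_ok=True))
```

The mis-issued certificate fails even though `pkix_ok` is True, which is the whole point of the scheme: a CA's signature alone no longer suffices once the domain owner has published what the certificate should be. The `None` result marks the gap the article mentions in the other direction: without DNSSEC, an attacker who can forge DNS answers can just as easily remove or replace the TLSA record, so the check only carries weight when the lookup is validated.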

Whilst all current browsers must be updated to take advantage of DANE, the new system can coexist with the old, and a gradual transition can be made. Browser plug-ins could bridge the gap before browser makers build in DANE, too. Those that want the added robustness of the new system — whether individuals, companies, or governments — may accelerate the adoption of updated browsers as DANE becomes available.

These moves do not provide total assurance that what your browser is told about an internet site’s identity and security is true. Trust, but verify — and verify again.

April 11, 2011

SSL is “just an illusion of security”

Filed under: Technology — Nicholas @ 10:09

SSL (Secure Sockets Layer) is critically important to safe communications on the internet. It may also be “hopelessly broken”:

SSL made its debut in 1994 as a way to cryptographically secure e-commerce and other sensitive internet communications. A private key at the heart of the system allows website operators to prove that they are the rightful owners of the domains visitors are accessing, rather than impostors who have hacked the users’ connections. Countless websites also use SSL to encrypt passwords, emails and other data to thwart anyone who may be monitoring the traffic passing between the two parties.

It’s hard to overstate the reliance that websites operated by Google, PayPal, Microsoft, Bank of America and millions of other companies place in SSL. And yet, the repeated failures suggest that the system in its current state is hopelessly broken.

“Right now, it’s just an illusion of security,” said Moxie Marlinspike, a security researcher who has repeatedly poked holes in the technical underpinnings of SSL. “Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems.”

Although SSL’s vulnerabilities are worrying, critics have reserved their most biting assessments for the business practices of Comodo, VeriSign, GoDaddy and the other so-called certificate authorities, known as CAs for short. Once their root certificates are included in Internet Explorer, Firefox and other major browsers, they can’t be removed without creating disruptions on huge swaths of the internet.

March 24, 2011

Online security: compromised HTTPS certificates

Filed under: Technology — Nicholas @ 09:25

Iranian hackers (or someone trying to cast blame on Iran) managed to get a number of HTTPS certificates issued under false colours:

On March 15th, an HTTPS/TLS Certificate Authority (CA) was tricked into issuing fraudulent certificates that posed a dire risk to Internet security. Based on currently available information, the incident got close to — but was not quite — an Internet-wide security meltdown. As this post will explain, these events show why we urgently need to start reinforcing the system that is currently used to authenticate and identify secure websites and email systems.

[. . .]

Comodo also said that the attack came primarily from Iranian IP addresses, and that one of the fraudulent login.yahoo.com certs was briefly deployed on a webserver in Iran.

March 11, 2011

Nothing to see here, citizen iPhone 3G user, move along

Filed under: Technology — Nicholas @ 12:31

An impertinent Apple iPhone 3G user risks becoming a non-person by asking why Apple’s latest security fixes exclude customers using earlier iPhones:

A Reg reader who brought up Apple’s decision to exclude the iPhone 3G and other older devices from its latest security update on an official forum has received a firm rebuke for his effort.

Apparently the post, which was quickly deleted, failed three separate rules of the Apple Discussions soviet, as a curt notice to our source explained (extract below):

Apple removed your post on Apple Discussions, titled “Please Apple, you cannot leave a major share of your customers vulnerable,” because it contained the following:

Speculation or Rumors
Discussion of Apple Policies, Procedures or Decisions
Petitions

Damn straight. Frankly our man can consider himself fortunate not to have his account deleted for suggesting Apple (at minimum) ought to release patches for Safari for the iPhone 3G. An iOS 4.3 update, released on Wednesday, which includes a number of critical security fixes, is incompatible with both the iPhone 3G and older versions of the iPod Touch. You need the iPhone 3GS, or later, or iPod Touch third generation to take advantage of the update, which includes a number of critical security fixes as well as performance and functionality improvements.

You don’t question us, Apple customer. We question you.

March 8, 2011

Latest boon to spammers? The move to IPv6, apparently

Filed under: Technology — Nicholas @ 08:50

John Leyden reports that with all the good things about moving to the vastly larger address space of IPv6, we can expect at least one negative:

The migration towards IPv6, which has been made necessary by the expansion of the internet, will make it harder to filter spam messages, service providers warn.

The current internet protocol, IPv4, has a limited address space which is reaching exhaustion thanks to the fast uptake of internet technology in populous countries such as India and China and the more widespread use of smartphones. IPv6 promises 3.4 x 10^38 addresses compared to the paltry 4.3 billion (4.3 x 10^9) addresses offered by IPv4.

While this expansion allows far more devices to have a unique internet address, it creates a host of problems for security service providers, who have long used databases of known bad IP addresses to maintain blacklists of junk mail cesspools. Spam-filtering technology typically uses these blacklists as one (key component) in a multi-stage junk mail filtering process that also involves examining message contents.

“The primary method for stopping the majority of spam used by email providers is to track bad IP addresses sending email and block them — a process known as IP blacklisting,” explained Stuart Paton, a senior solutions architect at spam-filtering outfit Cloudmark. “With IPv6 this technique will no longer be possible and could mean that email systems would quickly become overloaded if new approaches are not developed to address this.”
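Paton's warning is about granularity: a blacklist keyed on single addresses works when a spam source has one address, and stops working when the source can pick a fresh address for every message from a block of 2^64. The example below is added here and is not from the article or from Cloudmark; it simulates a filter that lists a sender after its first spam message, first with an exact-address list and then with a list that keys IPv6 senders by /64 prefix. Listing by /64 is a mitigation I add for illustration, not one the article proposes; the addresses (RFC 3849 and RFC 5737 documentation ranges) and message counts are constructed.

```python
import ipaddress


class SenderBlocklist:
    """Reputation list that stores IPv4 senders as single addresses and IPv6
    senders as whole networks at v6_prefixlen. A /64 is the usual smallest
    assignment to an end site, inside which a sender can hop freely."""

    def __init__(self, v6_prefixlen=64):
        self.v6_prefixlen = v6_prefixlen
        self.v4 = set()
        self.v6 = set()

    def _v6_key(self, ip):
        # strict=False masks the host bits off so every address in the
        # prefix maps to the same network object.
        return ipaddress.ip_network(f"{ip}/{self.v6_prefixlen}", strict=False)

    def block(self, addr):
        ip = ipaddress.ip_address(addr)
        if ip.version == 4:
            self.v4.add(ip)
        else:
            self.v6.add(self._v6_key(ip))

    def is_blocked(self, addr):
        ip = ipaddress.ip_address(addr)
        if ip.version == 4:
            return ip in self.v4
        return self._v6_key(ip) in self.v6


def messages_blocked(addresses, *, per_address):
    """Simulate a filter that lists a sender after its first spam message.
    per_address=True is the classic exact-address list (a /128 per IPv6 sender);
    per_address=False keys IPv6 senders by /64. Returns how many messages
    after the first were stopped."""
    bl = SenderBlocklist(v6_prefixlen=128 if per_address else 64)
    stopped = 0
    for addr in addresses:
        if bl.is_blocked(addr):
            stopped += 1
        else:
            bl.block(addr)          # first sighting: list it, message gets through
    return stopped


def rotating_v6_sender(n, prefix="2001:db8:1:2::"):
    """Constructed sample: n spam messages, each from a fresh address in one /64."""
    base = int(ipaddress.IPv6Address(prefix))
    return [str(ipaddress.IPv6Address(base + i)) for i in range(1, n + 1)]


def fixed_v4_sender(n, addr="203.0.113.25"):
    """Constructed sample: n spam messages from one IPv4 address."""
    return [addr] * n


if __name__ == "__main__":
    v6 = rotating_v6_sender(1000)
    v4 = fixed_v4_sender(1000)
    print("IPv4, exact list   :", messages_blocked(v4, per_address=True), "of 999 stopped")
    print("IPv6, exact list   :", messages_blocked(v6, per_address=True), "of 999 stopped")
    print("IPv6, /64 list     :", messages_blocked(v6, per_address=False), "of 999 stopped")
```

With the exact-address list the IPv4 sender is stopped from its second message onward while the rotating IPv6 sender is never stopped at all, since no address repeats; keying on the /64 restores the IPv4 behaviour. The cost of the coarser key is collateral blocking: where a prefix is shared (a hosting provider handing each customer a /64 is the friendly case, a whole /64 on one shared mail host is not), an innocent neighbour of the spammer is listed too, which is why prefix-based lists are normally paired with per-domain authentication checks rather than used alone.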

February 19, 2011

When “hacker army” is not an exaggeration

Filed under: Britain, China, Government, Military, Russia, Technology — Nicholas @ 10:07

Strategy Page counts noses of the various semi-organized hacker armies out in the wild:

Despite spending over a billion dollars a year defending their government networks, Britain recently complained openly of hackers getting into the communications network of the Foreign Office. The government also warned of increasing attacks on British companies. The recent attacks on government and corporations were all targeting specific people and data. While China was not mentioned in these official announcements, British officials have often discussed how investigations of recent hacking efforts tended to lead back to China. There is also a strong suspicion, backed up by hacker chatter, that governments are offering large bounties for information from foreign governments. Not information from China, but from everyone else.

China is one of many nations taking advantage of the Internet to encourage, or even organize, patriotic Internet users to obtain hacking services. This enables the government to use (often informally) these thousands of hackers to attack targets (foreign or domestic.) These government organizations arrange training and mentoring to improve the skills of group members. Turkey has over 45,000 hackers organized this way, Saudi Arabia has over 100,000, Iraq has over 40,000, Russia over 100,000 and China, over 400,000. While many of these Cyber Warriors are rank amateurs, even the least skilled can be given simple tasks. And out of their ranks will emerge more skilled hackers, who can do some real damage. These hacker militias have also led to the use of mercenary hacker groups, who will go looking for specific secrets, for a price. Chinese companies are apparently major users of such services, judging from the pattern of recent hacking activity, and the fact that Chinese firms don’t have to fear prosecution for using such methods.

It was China that really pioneered the militia activity. It all began in the late 1990s, when the Chinese Defense Ministry established the “NET Force.” This was initially a research organization, which was to measure China’s vulnerability to attacks via the Internet. Soon this led to examining the vulnerability of other countries, especially the United States, Japan and South Korea (all nations that were heavy Internet users). NET Force has continued to grow. NET Force was soon joined by an irregular civilian militia; the “Red Hackers Union” (RHU). These are nearly half a million patriotic Chinese programmers, Internet engineers and users who wished to assist the motherland, and put the hurt, via the Internet, on those who threaten or insult China. The RHU began spontaneously in 1999 (after the U.S. accidentally bombed the Chinese embassy in Serbia), but the government has assumed some control, without turning the voluntary organization into another bureaucracy. The literal name of the group is “Red Honkers Union,” with Honker meaning “guest” in Chinese. But these were all Internet nerds out to avenge insults to the motherland.

You have to wonder how many script kiddies ever thought they’d end up being government operatives.

February 16, 2011

QotD: For dictators, storm troopers are not a luxury

Filed under: Government, Middle East, Military, Quotations — Nicholas @ 09:11

A major reason for the inability of the recently deposed Egyptian dictatorship to suppress anti-government demonstrations was the lack of a large, loyal and reliable security force. Not having such a force handy was unthinkable for any security conscious dictator. For example, in Iraq, Saddam Hussein had his Republican Guard, a force that was filled with well paid, well armed men who were, above all, loyal to Saddam. All other successful dictatorships have similar forces. Russia had the KGB, which not only employed spies, but also several divisions of troops trained and equipped to deal with rebellions by the population, or the armed forces. Iran has a similar force, the Revolutionary Guard, that serves a similar role as the old KGB. During World War II, Adolf Hitler had the SS, Gestapo and his private army, the Waffen SS, all of which kept Germany fighting until the very end.

Former Egyptian ruler Hosni Mubarak got lazy and greedy by filling his “regime maintenance” forces with conscripts (as troops) and recent college graduates (as officers). These security forces, like the 325,000 paramilitary police in the Central Security Services (belonging to the Interior Ministry, not the Defense Ministry), were more loyal to the people than to the small group of corrupt politicians running the country. Things had gotten so bad that the small secret police force had taken to hiring criminal gangs to harass or intimidate visible opponents of the government. These thugs fled if faced with serious opposition. And that’s what they got during February, 2011.

“Murphy’s Law: Storm Troopers Are Not A Luxury”, Strategy Page, 2011-02-16

February 11, 2011

Human hacking: the overconfident CEO

Filed under: Law, Media, Technology — Nicholas @ 07:19

An interesting story at PC World talks about the methods used to get inside information on individuals and companies:

“He was the guy who was never going to fall for this,” said Hadnagy. “He was thinking someone would probably call and ask for his password and he was ready for an approach like that.”

After some information gathering, Hadnagy found the locations of servers, IP addresses, email addresses, phone numbers, physical addresses, mail servers, employee names and titles, and much more. But the real prize of knowledge came when Hadnagy managed to learn the CEO had a family member that had battled cancer, and lived. As a result, he was interested and involved in cancer fundraising and research. Through Facebook, he was also able to get other personal details about the CEO, such as his favorite restaurant and sports team.

Armed with the information, he was ready to strike. He called the CEO and posed as a fundraiser from a cancer charity the CEO had dealt with in the past. He informed him they were offering a prize drawing in exchange for donations — and the prizes included tickets to a game played by his favorite sports team, as well as gift certificates to several restaurants, including his favorite spot.

The CEO bit, and agreed to let Hadnagy send him a PDF with more information on the fund drive. He even managed to get the CEO to tell him which version of Adobe reader he was running because, he told the CEO “I want to make sure I’m sending you a PDF you can read.” Soon after he sent the PDF, the CEO opened it, installing a shell that allowed Hadnagy to access his machine.

When Hadnagy and his partner reported back to the company about their success with breaching the CEO’s computer, the CEO was understandably angry, said Hadnagy.

“He felt it was unfair we used something like that, but this is how the world works,” said Hadnagy. “A malicious hacker would not think twice about using that information against him.”

Takeaway 1: No information, regardless of its personal or emotional nature, is off limits for a social engineer seeking to do harm

Takeaway 2: It is often the person who thinks he is most secure who poses the biggest vulnerability. One security consultant recently told CSO that executives are the easiest social engineering targets.

January 24, 2011

Recognizing the right to self-defence

Filed under: Cancon, Law, Liberty — Nicholas @ 12:38

Lorne Gunter wants our government to recognize that Canadians have a right to self-defence:

Canadian officialdom is conducting an all-out assault against self-defence. Quite simply, few politicians, Crown prosecutors, judges, law professors and police commanders believe ordinary Canadians have any business using force to defend themselves, their loved ones, homes, farms or businesses.

The latest example of the campaign against self-defence comes from southern Ontario. In August, retired crane operator Ian Thomson, who lives near Port Colborne, awoke early in the morning to find masked men attempting to burn his house down with him in it. When he fired at them with a licensed handgun he had stored in a safe, he was charged.

How out-of-touch are police and prosecutors when you are not even allowed to defend yourself and your property from thugs attempting to incinerate you? Their attitude seems to be that it is better to die waiting for police to respond than to take matters into your own hands.

[. . .]

When Canada became independent at Confederation in 1867, Canadians retained the rights they had at the time as British subjects. These included three “absolute rights”: the right to personal liberty, the right to private property and the right to self-defence, up to and including the right to kill an attacker or burglar.

William Blackstone, Britain’s famous constitutional expert, argued the right to self-defence included the right to kill even an agent of the king found on one’s property after dark, uninvited. He also traced the right to armed self-defence back to the time of King Canute (995–1035) when subjects could be fined for failing to keep weapons for their own protection.
