Tag Archive for failed security

Dawn of Cyber Reality

It’s being presented as mainstream media shockers that a Russian cyber gang stole 1.2 billion cyber identities, including user names and passwords, or that somebody stole 4.5 million hospital records including including addresses, birth dates and social security numbers. How awful!

Now, a good reality check is clearly in order. The alleged Russian criminal gang of less than a dozen members comes from a small town in the middle of Russia that most people never heard of. By any measure this gang is nowhere close to the top of Russian cyber criminal outfits, never mind the government spooks of many countries. If they managed to get all the data reported, there’s absolutely no doubt that higher-level cyber attackers have much more — they just prevent others from finding out about it. Actually, it’s usually wisest to hide your success in any intelligence operation or theft.

The current cyber reality is that practically all user data is stolen. One of the qualities of cyberspace is that the same cyber asset can be stolen multiple times by multiple perpetrators. In other words, in the physical world a burglar can steal your asset only once; in cyberspace it can be stolen many times by multiple cyber burglars. So understand: whether you like it or not, all user data is stolen by many attackers, including multiple cyber gangs and, of course, by several countries’ spooks.

The real question isn’t whether user data is stolen, nor who stole it—it’s what to do about it. And, in another reality check, it’s being recognized by more and more “experts” that nothing can be done about it beyond fuming until we finally get to develop a real cyber security. Indeed, what difference does it make who stole your assets? There is none, unless you have a preferred burglar for your house.

So, it looks like all this hype about stolen identities is no more than a lot of hot air until we develop a cybersecurity technology that actually works. Then we can seriously discuss the issues now hotly and fruitlessly debated in apparent perpetuity.

 

Don’t Blame the Hacking Victim; Blame the Cyber Security Product

“People are the weakest link in security” is an adage that has proven valid over the centuries. It’s also a common rationale for explaining cyber security breaches. It sounds like a pretty convincing explanation, but is this proposition really true?

There’s one important factor in these historical failures: otherwise good security systems—i.e. if a human being had not made a mistake, the system would have remained undefeated. That’s a fundamentally different situation from what we have now with our legacy cyber security systems. These systems are built on current technologies that have for some time been well proven to be thoroughly flawed. Virtually every firewall and router delivered to the first customer has already been hacked, and thus proven unfit for their intended purpose even before they are installed. The human factor in cyber security is only a very convenient excuse for the failure.

But clearly, the human factor is not the real reason for the failure.

Router vulnerability is especially critical because it can be exploited to perform “man-in-the-middle” cyber attacks that can very quickly cripple entire networks. Router manufacturers regularly blame their customers for failing to reset the default password on the router. Never mind that the new password would delay a competent hacker by just a few minutes at best. But officially it’s the customer’s fault and “human failure” is the cause.

Blaming the customer for equipment failure is not generally a successful business strategy, but, cyber security companies somehow manage to get away with it – perhaps because of the still somewhat mysterious nature of cyberspace.

There’s a very simple conclusion to be drawn here: currently available cyber security technology is not anywhere at the level where the “human factor” is the weakest link. The weakest link is the fundamentally flawed cyber security technologies that fail well before the “human factor” can even come into play.

So, stop blaming the customers. The real cause of the failure is the human factor of those who are supposed to protect our cyberspace assets with real security technologies but consistently fail to do so –while charging their customers heftily for products that are known to be unfit for the purpose.

Real Target of eBay Hack

Inasmuch as the recently announced hacking of eBay sounded like déjà vu, some aspects of it do warrant further inquiry. The company’s standard “we are dedicated to the security of our customers and are transparent” approach is plausible, but its customers may in fact be in less danger than is automatically assumed.

A common retail hacking usually ends up with a large number of customers’ accounts charged small amounts that go unnoticed for some time, allowing the hacker to accumulate significant amounts and, hopefully, cover their tracks. The relative stealthiness of this approach usually works well with credit card charges that don’t attract the attention of the customers. With this approach the major distinction between hacking of a bank, VISA, or MasterCard and eBay is that eBay customers are usually very involved in every transaction, and are likely to detect any discrepancy faster than during a  casual use of a credit card. This makes eBay a less attractive target for a hacker – the probability of quick detection is a lot higher and the yield per transaction is still small.

Hackers clearly understand that, which raises the question of why they chose to hack eBay. Something other than the retail accounts must have attracted them to eBay, and eBay’s announcement that they had no indication of a significant spike in fraudulent activity on their site corroborates that. The answer probably lies with the huge overall amounts of money passing through eBay every day. I suspect that the hackers went after large corporate transactions with banks and vendors. There are very effective methods of hiding electronic theft from companies that are well beyond the scope of this post. Such methods can deal with large amounts and are assured a very low probability of detection for a significant time, enabling the thieves to cover their tracks. The key here is that with the high level of automation and the large number of transactions via eBay’s corporate network, hackers can reasonably hope for significant time before the transactions are scrutinized manually. The fact that “cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” and that the hack occurred “between late February and early March” and was detected only in early May supports this scenario. Furthermore, the accuracy of the attack detection and the time range cited suggest that eBay has only a vague idea of what actually happened and when.

All this tells us that eBay customers’ accounts are in less danger than may appear. Moreover, if someone gets your address, birthday, and telephone number, you cannot – you can’t take back and secure that information by changing your password — which does not offer much protection in the first place. However, eBay should take a very close look at its corporate finances from February through May of this year – they may be missing a few million.

Utilities Hacking Paradigm Shift

 

With the pleasant long weekend over, now is a good time to check up on recent cyber history. It’s a common Government practice to release potential “hot potatoes” just before a holiday in the hope that they will pass generally unnoticed. So it’s useful to review the pre-holiday week’s releases right after the holiday. There is something there that caught my eye that I would like to address.

Interesting questions were raised by the following article, oddly published by an Australian publication on May 22: http://www.gizmodo.com.au/2014/05/hackers-broke-into-a-public-utility-control-room-by-guessing-a-password   (“Hackers Broke Into A Public Utility Control Room By Guessing A Password.”) In short, the story is commenting on the DHS announcement of the discovery and fixing of a hackers’ break-in into an unspecified public utility’s controls. This raises at least two questions.The first question is why the announcement was made at all. Everybody who is anybody in cybersecurity knows that within the US-Russia-China triangle practically all internet-connected utilities have been penetrated for decades. Malware representing electronic bombs have been mutually installed by these countries and have gone through several generations of upgrades; they are ready to use, and extremely difficult to detect. Obviously, the most vulnerable side of the triangle is the US, since it has the most advanced and most connected network of utilities. The existing status quo in the triangle is somewhat similar to the famous MAD – Mutually Assure Destruction– of the Cold War, and the situation is pretty stable. So, if it’s not news, why announce it? This question can probably be answered by the second question.

The second question is: what has been left unsaid in the announcement? This is probably the key to the whole thing. The announcement mentioned “hackers,” with no hints as to their identity. But the interesting detail is that the attack was performed by a very unsophisticated “brute force” approach, which any hacker with a  modern computer can do that easily. So, the only plausible explanation for the whole announcement is to tacitly acknowledge that some rogue hackers were able to penetrate a public utility, and to suggest that more such attacks may be coming. Obviously, rogue hackers of many denominations do not have the mutual restraints of the US-Russia-China triangle, and without such restraints they can do real damage.

Overall, it looks like the DHS is laying down the proposition that when some real damage is done, they can say that now anybody can take control of our utilities, as we warned you.

Fake Defenses

The popularity of the Internet quickly led to cyber attacks. We realized the danger and developed our defenses, largely based on variations of a firewall. It does not work, and never did; in fact, it has been mathematically proven that any firewall can be penetrated; furthermore, any firewall can be penetrated in an unlimited number of ways. In the high-tech world, if something does not work within three to four years in the mainstream, it’s dead. Remarkably, we have been clinging to the firewall regardless for a quarter of a century. Why? We did not come up with an alternative.

Instead, we engaged in a series of four nontechnical solutions:

  • Defense by marketing
  • Defense by politics
  • Defense by deterrence
  • Defense by semantics

Defense by marketing. Marketers of numerous firewall manufacturers did wonderful job. “Firewall” sounds solid and reassuring. Actually, “fig leaf” protection is a far more accurate description of the firewall technology. No matter, we kept manufacturing, selling, and buying firewalls, happily using the electronic version of the proverbial king’s clothing.

Defense by politics. As technical measures did not work, we started the second phase. We tried to contemplate legal obstacles to cyber attacks, both domestically and abroad, by pressuring other countries to “crack down” on cyber criminals. This approach was quickly proved largely ineffective and quietly stopped. The latest attempt to revive this approach was made at a London conference for cyber security at the end of October 2011, and it was promptly rejected by most participants, notably the British.

Defense by deterrence. Some politicians and generals fighting the traditional “last war” have tried to resurrect the Cold War approach of strategic deterrence. This is a spectacularly misguided effort. During the Cold War, we knew exactly who the offender would be, and the threat of swift retaliation would follow. In cyberspace this is not valid. We can sometimes, but not always, discover who the offender is. However, we can never be certain. In fact, often we don’t even know there even is an offender because we often cannot detect an attack that has already succeeded.

Furthermore, there is a wide range of a potential deterrence measures. At one end of the spectrum, a mother’s notion of not giving a new bike for a guy’s fifteenth birthday is deterrent enough. At the other end, for an al Qaeda terrorist, a potential death penalty would not be deterrence but a badge of honor. Who are we supposed to deter and how? Luckily, the idea of defense by deterrence was sent back to happy retirement.

Defense by semantics. Under pressure of the facts, in the last few years it has become possible to say, off the record, that the firewall concept does not work. This was progress—at least it was a late triumph for free speech. So the second nontechnical solution tried, incidentally usually performed by technical “experts,” was defense by semantics. A large number of new terms and acronyms flooded the market, and we came to a point where computer security lingo became an alien foreign language that everybody speaks but nobody understands. However, the facts were still pressing, and the danger has become too obvious to ignore.