Tag Archive for firewall

Power grid: when cyber lines cross

We have very little time to cure our stone age cyber defensive technology.
The CNN story citing testimony by Admiral Michael Rogers, head of U.S. Cyber Command, to a House Select Intelligence Committee November 20 sounded like shocking news. He stated that China can take down our power grid. http://www.cnn.com/2014/11/20/politics/nsa-china-power-grid/index.html

Shocking as it may be, if this is still “news,” surprise, surprise — it’s been known to everyone who was anyone in cyber security for over 25 years. First it was just the Russians, then the Chinese, then some vague criminals acting on behalf of “nation-states” were gradually added to the list.
Never mind the Russians and the Chinese – they also both have enough nuclear weapons to kill every squirrel in America. What is really troubling is the cyber security trend. Our cyber defensive capabilities have hardly improved for over a quarter-century. However, hackers’ attacking capabilities are improving constantly and dramatically. This is not a good equation — sooner or later these lines will cross. This means that a large number of unknown hackers will be able to take down our power grid and also decimate our power-intensive facilities, such as oil refineries, gas distribution stations, and chemical factories.
Now, think terrorists. They would be delighted to do exactly that, whether you kill them afterwards or not. This isn’t news, but it’s an increasingly troubling reality. We have very little time to cure our stone age cyber defensive technology. But that requires changing the current equation and making cyber defense inherently more powerful that the offense. That won’t happen until the doomed legacy password and firewall paradigms are abandoned and replaced by fundamentally different technologies.

Don’t Blame the Hacking Victim; Blame the Cyber Security Product

“People are the weakest link in security” is an adage that has proven valid over the centuries. It’s also a common rationale for explaining cyber security breaches. It sounds like a pretty convincing explanation, but is this proposition really true?

There’s one important factor in these historical failures: otherwise good security systems—i.e. if a human being had not made a mistake, the system would have remained undefeated. That’s a fundamentally different situation from what we have now with our legacy cyber security systems. These systems are built on current technologies that have for some time been well proven to be thoroughly flawed. Virtually every firewall and router delivered to the first customer has already been hacked, and thus proven unfit for their intended purpose even before they are installed. The human factor in cyber security is only a very convenient excuse for the failure.

But clearly, the human factor is not the real reason for the failure.

Router vulnerability is especially critical because it can be exploited to perform “man-in-the-middle” cyber attacks that can very quickly cripple entire networks. Router manufacturers regularly blame their customers for failing to reset the default password on the router. Never mind that the new password would delay a competent hacker by just a few minutes at best. But officially it’s the customer’s fault and “human failure” is the cause.

Blaming the customer for equipment failure is not generally a successful business strategy, but, cyber security companies somehow manage to get away with it – perhaps because of the still somewhat mysterious nature of cyberspace.

There’s a very simple conclusion to be drawn here: currently available cyber security technology is not anywhere at the level where the “human factor” is the weakest link. The weakest link is the fundamentally flawed cyber security technologies that fail well before the “human factor” can even come into play.

So, stop blaming the customers. The real cause of the failure is the human factor of those who are supposed to protect our cyberspace assets with real security technologies but consistently fail to do so –while charging their customers heftily for products that are known to be unfit for the purpose.

Symantec Dead Wrong, Again

In a recent Wall Street Journal article Symantec declares the current antivirus products dead and announces their “new” approach to cyber hacking: instead of protecting computers against hacking they will offer analysis of the hacks that have already succeeded.

http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj

This is the equivalent of a pharmaceutical company failing to develop an effective vaccine, and offering instead  an advanced autopsy that hopefully will determine why the patient has died.

At its core this approach is based on two assumptions: 1) that developing effective antivirus products is impossible, and 2) that detecting damage that has already been done is easier than defending the computer.

Let’s take a quick look at both these assumptions.

It’s true, of course, that Symantec, along with a few other cyber security vendors, has failed to develop anti-hacking protection systems, because all these systems were based on the same fatally flawed firewall technology. However, that doesn’t mean such products cannot be developed if they are based on valid new cyber security principles. Cloning for one.

The second Symantec assumption, that they can detect the damage already done, doesn’t look convincing either. It’s hard to understand how one can “minimize damage” when the damage has already been done. Moreover, detecting damage, especially stolen data, is significantly more difficult than the task they have already conspicuously failed at. Modern malware is very good at morphing itself, possibly multiple times, into a variety of forms, splitting itself in several components and hiding in the depths of increasingly complex operating systems.

The bottom line is that it’s true that the currently deployed antimalware technology is dead– but this “new” approach is even more dead. The only likely benefit is that the participants will get a few billion dollars from the Government for their “advanced” research.

Conclusion:  instead of offering a cyber coroner’s facilities we’d be much better off developing fundamentally new technologies.  Essentially, new cyber vaccines.

Don’t Bother Changing Your Password

The news of the day is the Heartbleed bug. The mainstream media is full of the headline “Change your password. Hurry”.

Don’t. Just don’t bother. This is one of the daily occurrences of “major” cybersecurity breaches. The reality is that with this bug or the next one, the issue is not the bug, the issue is the password, as a concept. Any password can be hacked by a serious hacker with a decent computer in minutes if not seconds. How many times do we have to be hacked to get the message across  that we need to develop an effective cybersecurity technology instead of stitching patches on the constantly punctured bubble of the firewall?

Doing the same thing and hoping for a different result is not exactly the definition of intelligence. We’ve been doing that every day for a quarter century and calling ourselves cybersecurity experts. It doesn’t  seem that qualification is deserved.