Tag Archive for Internet security

Cyber defense by semantics: hacks are now called “computer glitches”

The New York Stock Exchange is down and United Airlines is not flying for half a day. Naturally, everyone’s wondering, What’s going on? The public wants an explanation from the FBI and the affected institutions, and fast.
The response is quite astounding.
Voila! Cyber security problem solved: from now on all hacks are to be called “computer glitches.” United and the NYSE computer network outages are only the latest glaring examples of a classic bureaucratic solution to the problem – defense by semantics.
This “expert” explanation means two things: a) it’s a fairytale designed for little children and big fools; and b) the “cyber security experts” of the affected entities and the FBI probably have no clue as to what happened. That’s a very good indication of an expertly executed cyber attack – the effect is obvious but the attack has not even been detected — and forget figuring out that “the Chinese” or the “the Russians” did it. Because it is really unfathomable to imagine that programmers working on critical programs like these found “glitches.” Such programs are written and implemented by highly qualified programmers and software engineers and are tested numerous times under all imaginable circumstances. Furthermore, they’ve been running for quite some time with no “glitches” detected, and all those systems have built-in redundancies precisely in case of a “glitch.”
The “glitch” explanation is very convenient for those who failed to provide cybersecurity of this country.
All these events are a clear indication of our massive cyber security failure. This failure was inevitable. On the one hand in the last quarter century widely known cyber attack technology has advanced dramatically, and is becoming increasingly widespread. What a while ago only a few government agencies in the world could do can now be done by a lot of people, often by mere script kiddies, and certainly by our sworn enemies who aren’t restricted in what they can attack—the more damage the better. On the other hand, our cyber security has not advanced at all for the same quarter of a century. This is the inconvenient truth, despite of all the marketing and politically soothing statements from the entrenched cybersecurity establishment.
It is really sad that people responsible and paid for providing our cyber security are getting away with this cyber defense by semantics. No doubt the next step is to make the term “hacking” politically incorrect and make everyone use “computer glitch” instead. When that fairy tale runs out, they’ll think of another term. That’s assuming our computers are still functioning.

Cybersecurity: 3% misery

Whenever we make a journey, physical or otherwise, it’s important to understand where we are before we decide what direction to take. Otherwise we’ll get nowhere. This is as true as ever in cybersecurity.
Russian cybersecurity portal cybersecurity.ru, citing security research company Group-IB, recently stated that only 3% of cyberattacks are detected and countered by bank IT experts. This conclusion notably relates to institutions that boast superior protection against cyber attacks. Mere mortals are obviously less successful.
That 3% is a significant drop from the 10% average attack detection reported by a similar British study a decade ago. More important, this is startling evidence of our deepening cyber security misery. What’s really vital here is for us to recognize the reality. And that reality is frightening. All these almost daily proud statements of detected “sophisticated cyber attacks,” usually followed by bravado announcements that the attack has been defeated and from now on the particular company is reliably protected, are nothing but wishful thinking.
Even if these optimistic announcements were true, the reality is that they’re based on just 3% of cyber attacks. Furthermore, these 3% represent the least sophisticated, often clumsy attacks, while the better than 97% of the attacks go undetected — and we have no idea what they are, nor what we lost in those attacks.
Until we acknowledge the reality of where we actually are in cybersecurity, we’re getting nowhere, faster and faster.

Cyber Backdoors: myth and reality

Every day we read articles on cybersecurity and privacy referring to “backdoors.” This term needs some clarification. I’ve seen all sorts of explanations of the term and its origin, including even linking it to Internet pornography. While the current situation in cybersecurity is certainly reminiscent of pornography, the origin and nature of cyber backdoors is very different.
The term is borrowed from residential architecture and means just what it says. It’s not the supposedly well-protected “front door,” but a relatively obscure entrance for casual private use, commonly having weaker protection for the residents. In cyber systems it’s exactly that: a supposedly secret entry point supplementary to the main entry point to a system, granting simplified logon procedures with deeper access to those in the know.
And that’s where the real problem lies.
First of all, any additional entry point to a network inevitably weakens a system’s security. The more entry points there are the more difficult it is to arrange and manage security. So, point one here is that even the very fact that any backdoor exists automatically weakens the security of a network.
Secondly, simplified entry procedures for the backdoors always mean they have weaker security than the front doors. For example, it’s not uncommon to have a backdoor to a network that creates a shortcut around a stronger VPN (Virtual Private Network) system protecting a front door, with the backdoor protected by a firewall that is always more vulnerable. So, point two here is that the common setup of a backdoor weaker than the front door always compromises the system.
Now, what’s the rationale for creating backdoors? For hackers, it’s pure and simple: it allows perpetual deep and undetected access to the system. The only risk is that it can be discovered and eliminated. So what? The hacker can simply make a different backdoor. With the Government it’s a totally different story; they seem to think that if a company creates a backdoor for them it’s for the Government’s exclusive use. The problem is that if a backdoor exists it can be discovered and hacked by anybody.
Believing that a backdoor is exclusive is fundamentally flawed. It’s as flawed as the wishful thinking in some government circles that they can develop a cyber security technology that they alone can hack. This is an arrogant assumption that historically has been defeated time and time again. You are never the smartest guy on the planet. Period.
So, in addition to all other issues involved in the Government’s pursuit of backdoor data collection, the uncomfortable but obvious conclusion is that by requiring backdoors they further weaken the already weak enough security of our networks, making them easier prey for any attacker.

Cyber Guns for Hire

Dawn of a New Era of Hacking

Last week I was trying to log on to the control panel of my blog and an annoying message came back. It announced that the host company was under a massive cyber attack by a botnet of some 90,000 infected slave computers trying to break into its customers’ blogging accounts by a brute force attack that was guessing its customers’ user IDs and passwords. Success would enable the attacker to take control over some blogs. So a login was not available.

My first reaction was mild annoyance at this déjà vu event of Internet daily life. Then something occurred to me: this was not business as usual, it was a sign of a new hacking era.

There are two important points to be made here. One is the type of the attack. Botnet attacks have been around for decades, but usually they are crude flooding-type DDoS attacks, with tons of cyber junk thrown at some entity’s servers, clogging up their communications channels and thus denying normal cyber services. This was dramatically different: the botnet was performing a crypto attack by a vastly distributed but coordinated force. And there was a fundamental qualitative difference here: instead of a dumb flooding the botnet performed an intelligent task by utilizing the vast computing power of the combined slave machines.

This is just the beginning of a trend, with the performance of more sophisticated tasks to come. It represents a frightening increase of the cyber powers of hackers not backed by a state, who by themselves possess limited computing power.

The second point here is that the attack was directed at the blogs’ controls server, which does not itself contain any of its clients’ financial information. Typically, hackers go after financial data or target a specific entity they don’t like. In this case the site attacked contains multiple blogs, so it was not itself the target. This, in turn, means that somebody – a hacker’s customer who does not possess the level of expertise necessary for such a major operation — was after a specific blog or two they didn’t like for some reason. So the entity behind the attack was not a typical hacker.

What does this tell us? That it likely was a hacking job for hire performed by a competent hacker for some customer motivated by unknown considerations. This means that a paying customer can hire the services of skilled but unscrupulous hackers with their powers vastly amplified by potentially millions of computers around the world.

This aspect of the event seems to signal the dawn of an alarming new era in cyberspace, when someone can actually use cyber guns for hire to mount sophisticated attacks far more devastating than just silencing a blog they dislike.

I addressed the theoretical potential of this dimension of hacking in my book (Cyberspace and Security), and it now looks like an upcoming reality.

A Hack Is Forever

Announcements by major companies and Government organizations that they’ve been hacked and have lost millions of private records that we entrusted to them are now as routine as the morning weather forecast on TV news. These announcements are usually followed by an assurance that from now on everything will be just fine, along with an urgent request that everyone change their passwords. Requirements for the passwords are getting more sophisticated – instead of a plain four-letter word they are supposed to be a little longer and include some characters requiring the shift key.

This is totally useless advice for two reasons: one is that these “sophisticated” passwords are in practice just as easy prey for a modern computer as the proverbial four-letter word, and the second is that no real hacker is going after your individual account unless he happens to be your curious next-door teenager or your nosy grandmother. In the real world hackers aren’t dumb. Why would they go after a few million accounts one-by-one if they can simply hack the organization’s server at the root or Administrator level and get all the data in every account with just a single hack? Any hacker worth his salt knows this, and this is exactly what hackers do – they hack the server, and  that makes our individual passwords irrelevant.

These “change-your-password-for-a better-one” announcements likely have some other subliminal agenda. It looks like the real reason for asking you to change your password is to make you feel responsible for your data security. In other words, to blame the victim.

Furthermore, victims are majorly misled in a couple of other ways too. First of all, after a hack all your private personal data are gone, and they’re available to any criminal is cyberspace for a nominal fee. You cannot take them back. You can change your password, but you cannot change your name, date of birth, social security number, address, phone number; even changing your mother’s maiden name is difficult. All these are available to identity thieves.

And there’s another aspect that your favorite bank won’t tell you about: every competent hacker will leave a dormant cyber mole deep inside the hacked system. These are practically impossible to detect despite all political and marketing claims to the contrary. So even if the entire security program of a system is changed the cyber mole will report all the changes to its master. Including your new sophisticated password.

So a hack is forever.

Symantec Dead Wrong, Again

In a recent Wall Street Journal article Symantec declares the current antivirus products dead and announces their “new” approach to cyber hacking: instead of protecting computers against hacking they will offer analysis of the hacks that have already succeeded.

http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj

This is the equivalent of a pharmaceutical company failing to develop an effective vaccine, and offering instead  an advanced autopsy that hopefully will determine why the patient has died.

At its core this approach is based on two assumptions: 1) that developing effective antivirus products is impossible, and 2) that detecting damage that has already been done is easier than defending the computer.

Let’s take a quick look at both these assumptions.

It’s true, of course, that Symantec, along with a few other cyber security vendors, has failed to develop anti-hacking protection systems, because all these systems were based on the same fatally flawed firewall technology. However, that doesn’t mean such products cannot be developed if they are based on valid new cyber security principles. Cloning for one.

The second Symantec assumption, that they can detect the damage already done, doesn’t look convincing either. It’s hard to understand how one can “minimize damage” when the damage has already been done. Moreover, detecting damage, especially stolen data, is significantly more difficult than the task they have already conspicuously failed at. Modern malware is very good at morphing itself, possibly multiple times, into a variety of forms, splitting itself in several components and hiding in the depths of increasingly complex operating systems.

The bottom line is that it’s true that the currently deployed antimalware technology is dead– but this “new” approach is even more dead. The only likely benefit is that the participants will get a few billion dollars from the Government for their “advanced” research.

Conclusion:  instead of offering a cyber coroner’s facilities we’d be much better off developing fundamentally new technologies.  Essentially, new cyber vaccines.

Real Target of eBay Hack

Inasmuch as the recently announced hacking of eBay sounded like déjà vu, some aspects of it do warrant further inquiry. The company’s standard “we are dedicated to the security of our customers and are transparent” approach is plausible, but its customers may in fact be in less danger than is automatically assumed.

A common retail hacking usually ends up with a large number of customers’ accounts charged small amounts that go unnoticed for some time, allowing the hacker to accumulate significant amounts and, hopefully, cover their tracks. The relative stealthiness of this approach usually works well with credit card charges that don’t attract the attention of the customers. With this approach the major distinction between hacking of a bank, VISA, or MasterCard and eBay is that eBay customers are usually very involved in every transaction, and are likely to detect any discrepancy faster than during a  casual use of a credit card. This makes eBay a less attractive target for a hacker – the probability of quick detection is a lot higher and the yield per transaction is still small.

Hackers clearly understand that, which raises the question of why they chose to hack eBay. Something other than the retail accounts must have attracted them to eBay, and eBay’s announcement that they had no indication of a significant spike in fraudulent activity on their site corroborates that. The answer probably lies with the huge overall amounts of money passing through eBay every day. I suspect that the hackers went after large corporate transactions with banks and vendors. There are very effective methods of hiding electronic theft from companies that are well beyond the scope of this post. Such methods can deal with large amounts and are assured a very low probability of detection for a significant time, enabling the thieves to cover their tracks. The key here is that with the high level of automation and the large number of transactions via eBay’s corporate network, hackers can reasonably hope for significant time before the transactions are scrutinized manually. The fact that “cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” and that the hack occurred “between late February and early March” and was detected only in early May supports this scenario. Furthermore, the accuracy of the attack detection and the time range cited suggest that eBay has only a vague idea of what actually happened and when.

All this tells us that eBay customers’ accounts are in less danger than may appear. Moreover, if someone gets your address, birthday, and telephone number, you cannot – you can’t take back and secure that information by changing your password — which does not offer much protection in the first place. However, eBay should take a very close look at its corporate finances from February through May of this year – they may be missing a few million.

Don’t Bother Changing Your Password

The news of the day is the Heartbleed bug. The mainstream media is full of the headline “Change your password. Hurry”.

Don’t. Just don’t bother. This is one of the daily occurrences of “major” cybersecurity breaches. The reality is that with this bug or the next one, the issue is not the bug, the issue is the password, as a concept. Any password can be hacked by a serious hacker with a decent computer in minutes if not seconds. How many times do we have to be hacked to get the message across  that we need to develop an effective cybersecurity technology instead of stitching patches on the constantly punctured bubble of the firewall?

Doing the same thing and hoping for a different result is not exactly the definition of intelligence. We’ve been doing that every day for a quarter century and calling ourselves cybersecurity experts. It doesn’t  seem that qualification is deserved.

Fake Defenses

The popularity of the Internet quickly led to cyber attacks. We realized the danger and developed our defenses, largely based on variations of a firewall. It does not work, and never did; in fact, it has been mathematically proven that any firewall can be penetrated; furthermore, any firewall can be penetrated in an unlimited number of ways. In the high-tech world, if something does not work within three to four years in the mainstream, it’s dead. Remarkably, we have been clinging to the firewall regardless for a quarter of a century. Why? We did not come up with an alternative.

Instead, we engaged in a series of four nontechnical solutions:

  • Defense by marketing
  • Defense by politics
  • Defense by deterrence
  • Defense by semantics

Defense by marketing. Marketers of numerous firewall manufacturers did wonderful job. “Firewall” sounds solid and reassuring. Actually, “fig leaf” protection is a far more accurate description of the firewall technology. No matter, we kept manufacturing, selling, and buying firewalls, happily using the electronic version of the proverbial king’s clothing.

Defense by politics. As technical measures did not work, we started the second phase. We tried to contemplate legal obstacles to cyber attacks, both domestically and abroad, by pressuring other countries to “crack down” on cyber criminals. This approach was quickly proved largely ineffective and quietly stopped. The latest attempt to revive this approach was made at a London conference for cyber security at the end of October 2011, and it was promptly rejected by most participants, notably the British.

Defense by deterrence. Some politicians and generals fighting the traditional “last war” have tried to resurrect the Cold War approach of strategic deterrence. This is a spectacularly misguided effort. During the Cold War, we knew exactly who the offender would be, and the threat of swift retaliation would follow. In cyberspace this is not valid. We can sometimes, but not always, discover who the offender is. However, we can never be certain. In fact, often we don’t even know there even is an offender because we often cannot detect an attack that has already succeeded.

Furthermore, there is a wide range of a potential deterrence measures. At one end of the spectrum, a mother’s notion of not giving a new bike for a guy’s fifteenth birthday is deterrent enough. At the other end, for an al Qaeda terrorist, a potential death penalty would not be deterrence but a badge of honor. Who are we supposed to deter and how? Luckily, the idea of defense by deterrence was sent back to happy retirement.

Defense by semantics. Under pressure of the facts, in the last few years it has become possible to say, off the record, that the firewall concept does not work. This was progress—at least it was a late triumph for free speech. So the second nontechnical solution tried, incidentally usually performed by technical “experts,” was defense by semantics. A large number of new terms and acronyms flooded the market, and we came to a point where computer security lingo became an alien foreign language that everybody speaks but nobody understands. However, the facts were still pressing, and the danger has become too obvious to ignore.