Tag Archives: Sheymov

Product Liability—the Unique Position of the Cybersecurity Industry

There are three points that radically distinguish the US cybersecurity industry from any other.
One – every cybersecurity company seems to be the self-declared “world leader in cybersecurity.” This can be easily verified by visiting their websites. I haven’t been able to detect any #2. Surprisingly, comedians and cartoonists don’t explore this hilarious situation.
Two – the industry as a whole is de-facto exempted from any product liability, even any implied warranty liability. This is a truly unique break that the cybersecurity industry has been getting away with for over thirty years. In the US every manufacturer is obligated at the very least to make sure that its products are reasonably fit for their intended uses. For example, a car manufacturer must make sure that its cars are at least drivable and can deliver a user from point A to point B. A hammer manufacturer has to make sure that its hammer handles do not break, at least not before you bring one home. The Uniform Commercial Code (UCC) is very explicit about this, and there have been millions of court cases where this principle has been upheld.
But not for the cybersecurity industry. Every firewall gets hacked even before it’s delivered to the first customer. On a daily basis we hear of “big” cases in which one or another organization has been hacked with huge losses for millions of people. And don’t forget that only a small fraction of hacks is detected. We never hear about the undetected “big” cases and thousands of smaller ones. But nobody is held responsible despite many billions of dollars in losses incurred by individuals, companies, and governments. The Government does promise to prosecute hackers – if they can catch them.
The interesting twist here is that every company assures its customers that their personal information and the money in their accounts is secure. Ironically, they assure their customers before they are hacked, while they are being hacked, and after they’ve been hacked. Somehow we listen to them and nod in agreement.
Three – the cybersecurity industry gets countless billions of our dollars for research and development of cybersecurity products. In fact, we spend more on this in a year than the entire cost of the Apollo program that put a few good men on the Moon. Amazingly, these funds seem to be going into a black hole. Nothing comes back. No product, no results, no responsibility for wasted money, the taxpayers’ money.
The most remarkable thing about this is that we, the people, have put up with this situation for over thirty years.
On a positive note: this industry should be a bonanza for investors — assured high returns with no risk. Stock brokers should take note.

Latest cyber lunacy: we are going to sanction the rest of the world!

In the latest example of the bureaucracy’s detachment from reality, the White House has just announced an executive order to sanction cyber attackers. Not to mention the checkered record of effectiveness of other sanctions, cyber sanctions are very difficult even to fathom.
For starters, who are we going to sanction? The whole history of cyber attacks clearly shows that determining the real source of cyber attacks with any degree of certainty is extremely difficult. Out of the thousands of attackers around the world we are able to identify only a handful in a year. Furthermore, those identified are not the most dangerous ones. The best we can do is to say that an attack came from a certain country.
So, who are we going to sanction — and how?
An individual attacker? Most of the identified hackers are not the most dangerous ones, often just script kiddies. But even then, how are we going to sanction them? Prohibit a teenager from Ukraine from entering the United States? He doesn’t have the money to come here anyway. Bar him from McDonald’s? He’ll find another place to get a hamburger. Prohibit a cyber dude from Nigeria from exporting oil? He’s unlikely to have any. Deny a sale of an F-16 to a company in Croatia? They probably don’t have a hangar to keep it in anyway.
A country? Unlikely. It’s a well known fact that most of the attacks, and definitely the most damaging ones, are “bounced” many times through “innocent” computers in other countries before being sent to the target. Given that, we’ll rapidly end up sanctioning the rest of the world. While this would become perpetual fodder for the press, it would be unlikely to have any real impact on cyber attacks. If anything, it would even increase them, when they start sanctioning us in retaliation. And chances are their sanctions would be more damaging than ours.
Besides, cyber attacks are already a felony anyway. That should be sanction enough — though it doesn’t seem to work.
The big question is, do we really understand what we’re doing in cybersecurity? It doesn’t seem so.
A better solution may be to sanction our own bureaucracy.

Latest solution: Share your cyber misery

There was a great deal of anticipation about President Obama’s participation in the recent conference on cybersecurity at Stanford University, in the heart of Silicon Valley, where he met with high-tech company executives last week.
It wasn’t a shocking surprise, however, that the Government’s proposal, to be enshrined into a Presidential Order, in reality only boils down to a call for sharing misery tales between the Government and private companies. Once the political rhetoric is stripped away this approach doesn’t offer any improvement in cyber security. The reality is that hacks are usually discovered months or even years after the fact, when all the damage has already been done. That’s assuming the hack is even detected in the first place.
It’s not the best kept secret in town that most hacks, and certainly the most dangerous ones, are rarely or never detected, or only long after the fact. A great example is the recently announced international multi-bank hack that netted somewhere between $300 million and $1 billion for the unknown attackers. See http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?emc=edit_th_20150215&nl=todaysheadlines&nlid=58721173&_r=0
The vagueness in the loss assessment speaks very loudly to how little the cyber security experts involved know about the hack even now. And, of course, they haven’t a clue as to who did it. Not to mention that it took them two years to discover the loss.
On the more optimistic side there is a rising public awareness of the problem that sooner or later will lead to a public demand for the development of a true cyber security technology. Unfortunately, this is unlikely before the pain from cyber attacks becomes really intolerable, probably as a result of a massive loss of human life.

Encryption: panacea or just an expensive “do something”?

Once in a while we see a common cyber call to arms: “Let’s use data encryption and, voila, our problems will be over.” A typical example of this is the AP article http://cnsnews.com/news/article/no-encryption-standard-raises-health-care-privacy-questions.
This is a very common misconception. Encryption per se does not protect against hacking. Surely, encrypted files look impressive, with their very long strings of seemingly random characters. It must be mind-boggling for a casual observer to imagine that anyone can actually decipher that without the secret key.
However, the reality is vastly different.
The strength of encryption is based on two main ingredients – the encryption algorithm and the secret key. Most encryption algorithms, and certainly all commercially available algorithms, are well known. They have been researched, and solutions—the ability to decrypt them without the secret key—have been found for most of them. The only undefeated algorithm so far remains the so-called “one time pad,” where the key is used only once. But even that algorithm’s strength rests on the quality and security of the key — issues that are far from trivial.
However, the main practical problem with encryption is the distribution system for the key. As in the example of a health system cited above, we are talking about a massive database with many millions of records. Sure, it’s not too difficult to encrypt all that data. But then what? The database has many legitimate users, sometimes thousands, and each one of them must have the secret key. It’s not difficult to obtain the key, one way or another, from at least one of them. Such a single breach would defeat the whole encryption scheme. I’ve often heard someone proudly declaring at a party, “I encrypt all data files in my computer.” Sometimes I will casually ask, “But where do you keep your key?” The answer invariably is, “In the computer.” Usually that person doesn’t understand that the key in his computer is also available to anyone who bothers to hack into his computer.
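As an added illustration of the point that the one-time pad is only as strong as its key (example code written for this page, not the author’s): a random, message-length pad used exactly once hides the message completely, but using the same pad twice lets anyone holding both ciphertexts cancel the key out. Message texts and the key below are constructed for the demonstration.

```python
import os


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each message byte with the matching key byte.
    The pad must be random, at least as long as the message, and never reused."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_reused_key(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """Failure mode of the 'two-time pad': if the same pad produced ct1 and ct2, then
    ct1 XOR ct2 == pt1 XOR pt2 because the key bytes cancel. An analyst who knows
    (or correctly guesses) pt1 recovers pt2 without ever seeing the key."""
    pt_xor = xor_bytes(ct1, ct2)
    return xor_bytes(pt_xor, known_pt1)


def demo() -> bool:
    """Constructed sample: two equal-length messages and one fresh random pad."""
    m1 = b"transfer 100 to account 4471"
    m2 = b"transfer 900 to account 8812"
    key = os.urandom(len(m1))  # fresh, random, message-length pad

    c1 = otp_encrypt(m1, key)
    assert otp_decrypt(c1, key) == m1  # correct use: round-trips

    # Incorrect use: the same pad encrypts a second message.
    c2 = otp_encrypt(m2, key)
    recovered = recover_with_reused_key(c1, c2, m1)
    return recovered == m2  # True: reuse leaked the second message


if __name__ == "__main__":
    print("pad reuse leaks the second message:", demo())
```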
All in all, data encryption is a good concept, but the practicality of its deployment in databases with many users can only protect against middle schoolers. It would have marginal protection against smart high schoolers, and it would certainly be fruitless against professional cyber attackers.
Encryption per se would be just another expensive exercise in wishful thinking. It should be clearly understood: ENCRYPTION PER SE DOES NOT PROTECT AGAINST HACKING.

Power grid: when cyber lines cross

We have very little time to cure our stone age cyber defensive technology.
The CNN story citing testimony by Admiral Michael Rogers, head of U.S. Cyber Command, to a House Select Intelligence Committee November 20 sounded like shocking news. He stated that China can take down our power grid. http://www.cnn.com/2014/11/20/politics/nsa-china-power-grid/index.html

Shocking as it may be, if this is still “news,” surprise, surprise — it’s been known to everyone who was anyone in cyber security for over 25 years. First it was just the Russians, then the Chinese, then some vague criminals acting on behalf of “nation-states” were gradually added to the list.
Never mind the Russians and the Chinese – they also both have enough nuclear weapons to kill every squirrel in America. What is really troubling is the cyber security trend. Our cyber defensive capabilities have hardly improved for over a quarter-century. However, hackers’ attacking capabilities are improving constantly and dramatically. This is not a good equation — sooner or later these lines will cross. This means that a large number of unknown hackers will be able to take down our power grid and also decimate our power-intensive facilities, such as oil refineries, gas distribution stations, and chemical factories.
Now, think terrorists. They would be delighted to do exactly that, whether you kill them afterwards or not. This isn’t news, but it’s an increasingly troubling reality. We have very little time to cure our stone age cyber defensive technology. But that requires changing the current equation and making cyber defense inherently more powerful than the offense. That won’t happen until the doomed legacy password and firewall paradigms are abandoned and replaced by fundamentally different technologies.

Cybersecurity: 3% misery

Whenever we make a journey, physical or otherwise, it’s important to understand where we are before we decide what direction to take. Otherwise we’ll get nowhere. This is as true as ever in cybersecurity.
The Russian cybersecurity portal cybersecurity.ru, citing security research company Group-IB, recently stated that only 3% of cyberattacks are detected and countered by bank IT experts. This conclusion notably relates to institutions that boast superior protection against cyber attacks. Mere mortals are obviously less successful.
That 3% is a significant drop from the 10% average attack detection reported by a similar British study a decade ago. More important, this is startling evidence of our deepening cyber security misery. What’s really vital here is for us to recognize the reality. And that reality is frightening. All these almost daily proud statements of detected “sophisticated cyber attacks,” usually followed by bravado announcements that the attack has been defeated and from now on the particular company is reliably protected, are nothing but wishful thinking.
Even if these optimistic announcements were true, the reality is that they’re based on just 3% of cyber attacks. Furthermore, these 3% represent the least sophisticated, often clumsy attacks, while the more than 97% of the attacks that go undetected remain a mystery — we have no idea what they are, nor what we lost in those attacks.
Until we acknowledge the reality of where we actually are in cybersecurity, we’re getting nowhere, faster and faster.

Apple-Google-FBI Phone Encryption Spat or Public Image Campaign?

Apple and Google announced encryption programs for their smartphones that supposedly increase their customers’ privacy. As a result we’ve just seen a very public privacy vs. security debate with Apple, Google, and the FBI making statements worthy of desperate pre-election politicians. An interesting aspect is that the debate rages around the technical issue of encryption, even though practically no technical information has been released. So no technical evaluation of the claims is feasible, but a closer look at the underlying issues seems in order.

First of all, the very basis of encryption as we know it is that every party privy to encrypted data has to have the key. Simply put, this means that there are always at least two keys involved. Even if you encrypt your files within your own computer with a password that you remember, there has to be a reciprocal key somewhere in your computer for validation. Otherwise, there is no encryption.

Apple and Google announced that they would no longer have a “master key,” or possibly a database of the passwords of all users on their servers. (A very interesting question pops up: how are they going to update software in your phone or computer? That wasn’t mentioned.) That sounds like they’re transferring your privacy destiny into your own hands. It’s just not so. Suppose they really aren’t going to have your password. What they’re really saying is that somebody else will have your password, presumably your mobile phone carrier. So the whole hoopla is really about them saying that they don’t want to deal with Government demands for massive amounts of our private data. They’re just saying that the Government has to deal with someone else.

The best case scenario here would be for Apple and Google encryption to be arranged in a way that your personal data such as your rolodex, your pictures and notes, etc. would be stored in your phone encrypted with your personal password, and your carrier would not have a copy of it.

Either way, the FBI has a difficult case to complain about. Their statement that encryption will hinder criminal investigation is clearly disingenuous. It’s not a matter of technical difficulty, it’s a matter of convenience and constitutionality. The only problem this would make for the FBI is that they couldn’t come to a company with a vague sweeping order for a vast amount of private data of a lot of their customers. They’d have to hack every suspect’s phone individually. This is certainly not difficult, and if they don’t know how to do it they can consult the NSA. They’d also have to go to court to obtain a search warrant for every individual suspect. Inconvenient, but that’s the way the Constitution meant it to be.

Cyber Guns for Hire

Dawn of a New Era of Hacking

Last week I was trying to log on to the control panel of my blog and an annoying message came back. It announced that the host company was under a massive cyber attack by a botnet of some 90,000 infected slave computers trying to break into its customers’ blogging accounts by a brute force attack that was guessing its customers’ user IDs and passwords. Success would enable the attacker to take control over some blogs. So a login was not available.

My first reaction was mild annoyance at this déjà vu event of Internet daily life. Then something occurred to me: this was not business as usual, it was a sign of a new hacking era.

There are two important points to be made here. One is the type of the attack. Botnet attacks have been around for decades, but usually they are crude flooding-type DDoS attacks, with tons of cyber junk thrown at some entity’s servers, clogging up their communications channels and thus denying normal cyber services. This was dramatically different: the botnet was performing a crypto attack by a vastly distributed but coordinated force. And there was a fundamental qualitative difference here: instead of a dumb flooding the botnet performed an intelligent task by utilizing the vast computing power of the combined slave machines.
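The detection consequence of this shift is worth spelling out. A per-source rule (“block any IP after N failed logins”) is blind to a botnet in which each of tens of thousands of hosts guesses only once or twice; what stands out instead is the fleet-level picture: many failures from many distinct sources against a small set of accounts inside a short window. The following is an added example written for this page (not code from the blog host or the author) that runs both rules over constructed, synthetic authentication log lines in an assumed “timestamp FAILED_LOGIN user=… ip=…” format; the addresses are from the 203.0.113.0/24 documentation range.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's format).
LINE_RE = re.compile(r"^(\S+) FAILED_LOGIN user=(\S+) ip=(\S+)$")


def build_sample_log():
    """Constructed sample: 80 bots, each guessing once or twice against four accounts
    within five minutes, so no single source is noisy. Not real data."""
    start = datetime(2014, 4, 1, 3, 0, 0)
    accounts = ["admin", "editor", "blog1", "blog2"]
    lines = []
    for i in range(80):
        ip = f"203.0.113.{i + 1}"
        for j in range(1 + i % 2):  # one or two attempts per bot
            ts = start + timedelta(seconds=i * 3 + j * 60)
            lines.append(f"{ts.isoformat()} FAILED_LOGIN user={accounts[i % 4]} ip={ip}")
    return lines


def parse(lines):
    """Return (timestamp, user, ip) tuples; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip))
    return events


def noisy_ips(events, threshold=10):
    """Classic per-source rule: every IP with at least `threshold` failures.
    Against a distributed guessing campaign this returns nothing."""
    counts = Counter(ip for _, _, ip in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def distributed_alert(events, window=timedelta(minutes=5), min_failures=50, min_sources=30):
    """Fleet-level rule: inside any sliding window, at least `min_failures` failures coming
    from at least `min_sources` distinct IPs. Returns stats for the first such window,
    or None when the traffic looks like ordinary scattered typos."""
    events = sorted(events)
    for i, (t0, _, _) in enumerate(events):
        in_win = [e for e in events[i:] if e[0] - t0 <= window]
        sources = {e[2] for e in in_win}
        if len(in_win) >= min_failures and len(sources) >= min_sources:
            return {
                "start": t0.isoformat(),
                "failures": len(in_win),
                "sources": len(sources),
                "accounts": sorted({e[1] for e in in_win}),
            }
    return None


if __name__ == "__main__":
    ev = parse(build_sample_log())
    print("per-IP rule flags:", noisy_ips(ev))      # [] : every bot stays under threshold
    print("fleet-level rule:", distributed_alert(ev))  # 120 failures from 80 sources
```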

This is just the beginning of a trend, with the performance of more sophisticated tasks to come. It represents a frightening increase of the cyber powers of hackers not backed by a state, who by themselves possess limited computing power.

The second point here is that the attack was directed at the blog host’s control server, which does not itself contain any of its clients’ financial information. Typically, hackers go after financial data or target a specific entity they don’t like. In this case the site attacked contains multiple blogs, so it was not itself the target. This, in turn, means that somebody – a hacker’s customer who does not possess the level of expertise necessary for such a major operation — was after a specific blog or two they didn’t like for some reason. So the entity behind the attack was not a typical hacker.

What does this tell us? That it likely was a hacking job for hire performed by a competent hacker for some customer motivated by unknown considerations. This means that a paying customer can hire the services of skilled but unscrupulous hackers with their powers vastly amplified by potentially millions of computers around the world.

This aspect of the event seems to signal the dawn of an alarming new era in cyberspace, when someone can actually use cyber guns for hire to mount sophisticated attacks far more devastating than just silencing a blog they dislike.

I addressed the theoretical potential of this dimension of hacking in my book (Cyberspace and Security), and it now looks like an upcoming reality.

Apple Pay Security—a Token or for Real?

As usual Apple created a good deal of hype around its new product rollout, this time with the iPhone 6, with its proposed Apple Pay system drawing the most attention. Apple Pay offers much improved convenience at the checkout counter, though its claimed applicability to phone call orders and interoperability with other methods of payment have not yet been publicly explained. Those issues notwithstanding, Apple Pay could be a major step forward in the technology of retail banking transactions.

The main claim and the main attraction of the Apple Pay system is its security. Characteristically and perfectly understandably Apple was a little short on describing the security functionality. The particulars of these security arrangements are probably the most important aspect of the whole iPhone 6 exercise, and a lot of cybersecurity experts are waiting for the details to render a real judgment on the system.

Given its historical record Apple is unlikely to disclose the Apple Pay algorithm, though that’s not really justified by any security consideration. Only the implementation details of cybersecurity systems should be secret, for both security and competitive proprietary reasons. But the underlying algorithm should be published and analyzed, as is usually done for most crypto systems. In the evaluation of cybersecurity systems it’s always assumed that the algorithm is known to the attackers.

But we’ll know the Apple Pay algorithm anyway as soon as the system is available in the real world. The algorithm can be determined with a couple of simple experiments at the point of sale (POS). If the algorithm provides for a full change of cyber identity for the buyer and the purchase card with every transaction, it would be extremely difficult, if not practically impossible, to defeat. If, however, Apple Pay turns out to be just another run-of-the-mill token system, it would only be a marginal improvement over existing systems, only protecting the point of sale. Such a system can be hacked in several different ways, perhaps by hacking it through Apple servers, which has proven to be a task of only moderate difficulty for a competent hacker.

So, we need to wait and see what system Apple came up with – the major breakthrough they claim, or just a marginal step forward.

A Hack Is Forever

Announcements by major companies and Government organizations that they’ve been hacked and have lost millions of private records that we entrusted to them are now as routine as the morning weather forecast on TV news. These announcements are usually followed by an assurance that from now on everything will be just fine, along with an urgent request that everyone change their passwords. Requirements for the passwords are getting more sophisticated – instead of a plain four-letter word they are supposed to be a little longer and include some characters requiring the shift key.

This is totally useless advice for two reasons: one is that these “sophisticated” passwords are in practice just as easy prey for a modern computer as the proverbial four-letter word, and the second is that no real hacker is going after your individual account unless he happens to be your curious next-door teenager or your nosy grandmother. In the real world hackers aren’t dumb. Why would they go after a few million accounts one-by-one if they can simply hack the organization’s server at the root or Administrator level and get all the data in every account with just a single hack? Any hacker worth his salt knows this, and this is exactly what hackers do – they hack the server, and that makes our individual passwords irrelevant.

These “change-your-password-for-a-better-one” announcements likely have some other subliminal agenda. It looks like the real reason for asking you to change your password is to make you feel responsible for your data security. In other words, to blame the victim.

Furthermore, victims are seriously misled in a couple of other ways too. First of all, after a hack all your private personal data are gone, and they’re available to any criminal in cyberspace for a nominal fee. You cannot take them back. You can change your password, but you cannot change your name, date of birth, social security number, address, phone number; even changing your mother’s maiden name is difficult. All these are available to identity thieves.

And there’s another aspect that your favorite bank won’t tell you about: every competent hacker will leave a dormant cyber mole deep inside the hacked system. These are practically impossible to detect despite all political and marketing claims to the contrary. So even if the entire security program of a system is changed the cyber mole will report all the changes to its master. Including your new sophisticated password.

So a hack is forever.