Whenever we make a journey, physical or otherwise, it’s important to understand where we are before we decide what direction to take. Otherwise we’ll get nowhere. This is as true as ever in cybersecurity.
Russian cybersecurity portal cybersecurity.ru, citing security research company Group-IB, recently stated that only 3% of cyberattacks are detected and countered by bank IT experts. This conclusion notably relates to institutions that boast superior protection against cyber attacks. Mere mortals are obviously less successful.
That 3% is a significant drop from the 10% average attack detection reported by a similar British study a decade ago. More important, this is startling evidence of our deepening cyber security misery. What’s really vital here is for us to recognize the reality. And that reality is frightening. All these almost daily proud statements of detected “sophisticated cyber attacks,” usually followed by bravado announcements that the attack has been defeated and from now on the particular company is reliably protected, are nothing but wishful thinking.
Even if these optimistic announcements were true, the reality is that they’re based on just 3% of cyber attacks. Furthermore, these 3% represent the least sophisticated, often clumsy attacks, while the better than 97% of the attacks go undetected — and we have no idea what they are, nor what we lost in those attacks.
Until we acknowledge the reality of where we actually are in cybersecurity, we’re getting nowhere, faster and faster.
EU Cyber Incompetence
Utter incompetence of high-level officials is not exactly a scarce phenomenon. However, it’s rarely displayed so vividly as it was by Troels Oerting, the head of Europol’s Cybercrime Center, in his recent interview with the BBC’s Tech Tent radio show.
Mr. Oerting proudly declared that international law enforcement just needs to target a “rather limited group of good programmers.” He went further, proudly stating “We roughly know who they are. If we can take them out of the equation then the rest will fall down.” Voila, easy and simple. Arrest the 100 known dudes and cybercrime disappears. He didn’t specify what it means to know “roughly”–you either do or you don’t, and that is exactly, not “roughly.”
The man obviously hasn’t a clue. The trouble is that he’s speaking for Europol and the EU. And the idea that the EU’s main cybercrime law enforcement unit assesses the cybercrime situation this way is truly troubling. It would simply mean that the cybercriminals don’t have much to worry about.
The reality is drastically different. There are many thousands of programmers around the world good enough to hack most of the attractive targets. Many of them, for one reason or another, are disappointed with their employment or personal situation. Given the current dire state of our cybersecurity, making a few bucks off easy targets is really tempting. This temptation looks even more attractive if the target is a rich bank or some large allegedly unethical company. This often satisfies the conscience of many of the hackers. The continuing deterioration of the European economy worsens the situation.
Add the “script kiddies” to the equation and Mr. Oerting’s job becomes even harder than he probably can envision in his worst nightmares. He should also know that really good programmers only publish their crumbs for the script kiddies, scripts they developed long ago. They keep their best stuff for themselves.
Furthermore, many of these off-the-grid programmers have their own very large botnets capable of performing rather sophisticated operations that they can offer to all sorts of customers as a service.
All in all, Mr. Oerting should urgently realize that he is mainly dealing with the mediocre cybercriminals who are not good enough to be stealthy. Really good “top-100” programmers don’t get caught. I wouldn’t be at all surprised if one of them, having read Mr. Oerting’s statements, would hack his next target through this top EU cyber cop’s computer, just to demonstrate the point.
Cyber Backdoors: myth and reality
Every day we read articles on cybersecurity and privacy referring to “backdoors.” This term needs some clarification. I’ve seen all sorts of explanations of the term and its origin, including even linking it to Internet pornography. While the current situation in cybersecurity is certainly reminiscent of pornography, the origin and nature of cyber backdoors is very different.
The term is borrowed from residential architecture and means just what it says. It’s not the supposedly well-protected “front door,” but a relatively obscure entrance for casual private use, commonly having weaker protection for the residents. In cyber systems it’s exactly that: a supposedly secret entry point supplementary to the main entry point to a system, granting simplified logon procedures with deeper access to those in the know.
And that’s where the real problem lies.
First of all, any additional entry point to a network inevitably weakens a system’s security. The more entry points there are the more difficult it is to arrange and manage security. So, point one here is that even the very fact that any backdoor exists automatically weakens the security of a network.
Secondly, simplified entry procedures for the backdoors always mean they have weaker security than the front doors. For example, it’s not uncommon to have a backdoor to a network that creates a shortcut around a stronger VPN (Virtual Private Network) system protecting a front door, with the backdoor protected by a firewall that is always more vulnerable. So, point two here is that the common setup of a backdoor weaker than the front door always compromises the system.
Now, what’s the rationale for creating backdoors? For hackers, it’s pure and simple: it allows perpetual deep and undetected access to the system. The only risk is that it can be discovered and eliminated. So what? The hacker can simply make a different backdoor. With the Government it’s a totally different story; they seem to think that if a company creates a backdoor for them it’s for the Government’s exclusive use. The problem is that if a backdoor exists it can be discovered and hacked by anybody.
Believing that a backdoor is exclusive is fundamentally flawed. It’s as flawed as the wishful thinking in some government circles that they can develop a cyber security technology that they alone can hack. This is an arrogant assumption that historically has been defeated time and time again. You are never the smartest guy on the planet. Period.
So, in addition to all other issues involved in the Government’s pursuit of backdoor data collection, the uncomfortable but obvious conclusion is that by requiring backdoors they further weaken the already weak enough security of our networks, making them easier prey for any attacker.
JPMorgan Chase Tooth Fairy Hack
JPMorgan Chase is the latest victim of a cyber attack. The company announced that unknown hackers broke into their computer system and stole over 80 million customers’ names, addresses, phone numbers and email addresses. This is a really odd announcement for a serious company. Believing that a hacker broke into a bank’s system only to get what he can get from the White Pages is more naïve than believing in the Tooth Fairy. It’s like believing that a burglar broke into the house just to look at the clock because he lost his watch.
The company somewhat hedged its conclusion by stating that there’s no evidence of hackers stealing anything else, but still assuring their customers that there’s nothing to worry about.
The reality is that this tells us that whoever did it is a competent hacker. He either obtained all the financial data right away and covered his tracks well enough that neither JP Morgan nor the FBI could find anything, or left malware that will be sending him that data later. This type of malware is extremely difficult to detect, and the JP Morgan/FBI failure is typical.
This is also indicative of a well-heeled hacker who is financially already very comfortable and can afford to wait until a later date when he can safely start milking the golden cow.
The scariest part of this story is that if this hacker is so good technically and astute financially JPMorgan Chase and its millions of customers are in for a very interesting future. At this time most banks can afford to absorb losses from cyber fraud (but of course passing on the cost to us in interest and fees). It remains to be seen for how long this is going to be the case.
Apple-Google-FBI Phone Encryption Spat or Public Image Campaign?
Apple and Google announced encryption programs for their smartphones that supposedly increase their customers’ privacy. As a result we’ve just seen a very public privacy vs. security debate with Apple, Google, and the FBI making statements worthy of desperate pre-election politicians. An interesting aspect is that the debate rages around the technical issue of encryption, even though practically no technical information has been released. So no technical evaluation of the claims is feasible, but a closer look at the underlying issues seems in order.
First of all, the very basis of encryption as we know it is that every party privy to encrypted data has to have the key. Simply put, this means that there are always at least two keys involved. Even if you encrypt your files within your own computer with a password that you remember, there has to be a reciprocal key somewhere in you computer for validation. Otherwise, there is no encryption.
Apple and Google announced that they would no longer have a “master key,” or possibly a database of the passwords of all users on their servers. (A very interesting question pops up: how are they going to update software in your phone or computer? That wasn’t mentioned.) That sounds like they’re transferring your privacy destiny into you own hands. It’s just not so. Suppose they really aren’t going to have your password. What they’re really saying is that somebody else will have your password, presumably your mobile phone carrier. So the whole hoopla is really about them saying that they don’t want to deal with Government demands for massive amounts of our private data. They’re just saying that the Government has to deal with someone else.
The best case scenario here would be for Apple and Google encryption to be arranged in a way that your personal data such as your rolodex, your pictures and notes, etc. would be stored in your phone encrypted with your personal password, and your carrier would not have a copy of it.
Either way, the FBI has a difficult case to complain about. Their statement that encryption will hinder criminal investigation is clearly disingenuous. It’s not a matter of technical difficulty, it’s a matter of convenience and constitutionality. The only problem this would make for the FBI is that they couldn’t come to a company with a vague sweeping order for a vast amount of private data of a lot of their customers. They’d have to hack every suspect’s phone individually. This is certainly not difficult, and if they don’t know how to do it they can consult the NSA. They’d also have to go to court to obtain a search warrant for every individual suspect. Inconvenient, but that’s the way the Constitution meant it to be.
Cyber Guns for Hire
Dawn of a New Era of Hacking
Last week I was trying to log on to the control panel of my blog and an annoying message came back. It announced that the host company was under a massive cyber attack by a botnet of some 90,000 infected slave computers trying to break into its customers’ blogging accounts by a brute force attack that was guessing its customers’ user IDs and passwords. Success would enable the attacker to take control over some blogs. So a login was not available.
My first reaction was mild annoyance at this déjà vu event of Internet daily life. Then something occurred to me: this was not business as usual, it was a sign of a new hacking era.
There are two important points to be made here. One is the type of the attack. Botnet attacks have been around for decades, but usually they are crude flooding-type DDoS attacks, with tons of cyber junk thrown at some entity’s servers, clogging up their communications channels and thus denying normal cyber services. This was dramatically different: the botnet was performing a crypto attack by a vastly distributed but coordinated force. And there was a fundamental qualitative difference here: instead of a dumb flooding the botnet performed an intelligent task by utilizing the vast computing power of the combined slave machines.
This is just the beginning of a trend, with the performance of more sophisticated tasks to come. It represents a frightening increase of the cyber powers of hackers not backed by a state, who by themselves possess limited computing power.
The second point here is that the attack was directed at the blogs’ controls server, which does not itself contain any of its clients’ financial information. Typically, hackers go after financial data or target a specific entity they don’t like. In this case the site attacked contains multiple blogs, so it was not itself the target. This, in turn, means that somebody – a hacker’s customer who does not possess the level of expertise necessary for such a major operation — was after a specific blog or two they didn’t like for some reason. So the entity behind the attack was not a typical hacker.
What does this tell us? That it likely was a hacking job for hire performed by a competent hacker for some customer motivated by unknown considerations. This means that a paying customer can hire the services of skilled but unscrupulous hackers with their powers vastly amplified by potentially millions of computers around the world.
This aspect of the event seems to signal the dawn of an alarming new era in cyberspace, when someone can actually use cyber guns for hire to mount sophisticated attacks far more devastating than just silencing a blog they dislike.
I addressed the theoretical potential of this dimension of hacking in my book (Cyberspace and Security), and it now looks like an upcoming reality.
Apple Pay Security—a Token or for Real?
As usual Apple created a good deal of hype around its new product rollout, this time with the iPhone 6, with its proposed Apple Pay system drawing the most attention. Apple Pay offers much improved convenience at the checkout counter, though its claimed applicability to phone call orders and interoperability with other methods of payment have not yet been publicly explained. Those issues notwithstanding, Apple Pay could be a major step forward in the technology of retail banking transactions.
The main claim and the main attraction of the Apple Pay system is its security. Characteristically and perfectly understandably Apple was a little short on describing the security functionality. The particulars of these security arrangements are probably the most important aspect of the whole iPhone 6 exercise, and a lot of cybersecurity experts are waiting for the details to render a real judgment on the system.
Given its historical record Apple is unlikely to disclose the Apple Pay algorithm, though that’s not really justified by any security consideration. Only the implementational details of cybersecurity systems should be secret, for both security and competitive proprietary reasons. But the underlying algorithm should be published and analyzed, as is usually done for most crypto systems. In the evaluation of cybersecurity systems it’s always assumed that the algorithm is known to the attackers.
But we’ll know the Apple Pay algorithm anyway as soon as the system is available in the real world. The algorithm can be determined with a couple of simple experiments at the point of sale (POS). If the algorithm provides for a full change of cyber identity for the buyer and the purchase card with every transaction, it would be extremely difficult, if not practically impossible, to defeat. If, however, Apple Pay turns out to be just another run-of-the-mill token system, it would only be a marginal improvement over existing systems, only protecting the point of sale. Such a system can be hacked in several different ways, perhaps by hacking it through Apple servers, which has proven to be a task of only moderate difficulty for a competent hacker.
So, we need to wait and see what system Apple came up with – the major breakthrough they claim, or just a marginal step forward.
A Hack Is Forever
Announcements by major companies and Government organizations that they’ve been hacked and have lost millions of private records that we entrusted to them are now as routine as the morning weather forecast on TV news. These announcements are usually followed by an assurance that from now on everything will be just fine, along with an urgent request that everyone change their passwords. Requirements for the passwords are getting more sophisticated – instead of a plain four-letter word they are supposed to be a little longer and include some characters requiring the shift key.
This is totally useless advice for two reasons: one is that these “sophisticated” passwords are in practice just as easy prey for a modern computer as the proverbial four-letter word, and the second is that no real hacker is going after your individual account unless he happens to be your curious next-door teenager or your nosy grandmother. In the real world hackers aren’t dumb. Why would they go after a few million accounts one-by-one if they can simply hack the organization’s server at the root or Administrator level and get all the data in every account with just a single hack? Any hacker worth his salt knows this, and this is exactly what hackers do – they hack the server, and that makes our individual passwords irrelevant.
These “change-your-password-for-a better-one” announcements likely have some other subliminal agenda. It looks like the real reason for asking you to change your password is to make you feel responsible for your data security. In other words, to blame the victim.
Furthermore, victims are majorly misled in a couple of other ways too. First of all, after a hack all your private personal data are gone, and they’re available to any criminal is cyberspace for a nominal fee. You cannot take them back. You can change your password, but you cannot change your name, date of birth, social security number, address, phone number; even changing your mother’s maiden name is difficult. All these are available to identity thieves.
And there’s another aspect that your favorite bank won’t tell you about: every competent hacker will leave a dormant cyber mole deep inside the hacked system. These are practically impossible to detect despite all political and marketing claims to the contrary. So even if the entire security program of a system is changed the cyber mole will report all the changes to its master. Including your new sophisticated password.
So a hack is forever.
Dawn of Cyber Reality
It’s being presented as mainstream media shockers that a Russian cyber gang stole 1.2 billion cyber identities, including user names and passwords, or that somebody stole 4.5 million hospital records including including addresses, birth dates and social security numbers. How awful!
Now, a good reality check is clearly in order. The alleged Russian criminal gang of less than a dozen members comes from a small town in the middle of Russia that most people never heard of. By any measure this gang is nowhere close to the top of Russian cyber criminal outfits, never mind the government spooks of many countries. If they managed to get all the data reported, there’s absolutely no doubt that higher-level cyber attackers have much more — they just prevent others from finding out about it. Actually, it’s usually wisest to hide your success in any intelligence operation or theft.
The current cyber reality is that practically all user data is stolen. One of the qualities of cyberspace is that the same cyber asset can be stolen multiple times by multiple perpetrators. In other words, in the physical world a burglar can steal your asset only once; in cyberspace it can be stolen many times by multiple cyber burglars. So understand: whether you like it or not, all user data is stolen by many attackers, including multiple cyber gangs and, of course, by several countries’ spooks.
The real question isn’t whether user data is stolen, nor who stole it—it’s what to do about it. And, in another reality check, it’s being recognized by more and more “experts” that nothing can be done about it beyond fuming until we finally get to develop a real cyber security. Indeed, what difference does it make who stole your assets? There is none, unless you have a preferred burglar for your house.
So, it looks like all this hype about stolen identities is no more than a lot of hot air until we develop a cybersecurity technology that actually works. Then we can seriously discuss the issues now hotly and fruitlessly debated in apparent perpetuity.
Kaspersky and Symantec Kicked Out of China – For a Reason
The great cyber triangle of US-Russia-China seems to be shaping up in a definitive way. For a while China was technologically and skill-wise behind the US and Russia, the two early leaders in cyberspace, but it’s catching up, and fast.
It was announced last week that Kaspersky Lab and Symantec have been taken off the list of approved vendors in China’s government cybersecurity software market. Reuters recently reported one example: http://www.reuters.com/article/2014/08/03/us-china-software-ban-idUSKBN0G30QH20140803
Traditionally very polite, the Chinese did not cyberwhine, did not make any fuss, did not lay any blame, but simply took the pair off the list. Some Western and Russian analysts were very quick to assume and announce that this was a trade protectionist move to favor China’s national cybersecurity companies. That’s definitely wrong. If that were true, China would bar foreign companies from the country altogether – their private market is huge and very profitable. But they didn’t; they specifically only addressed their government cyberspace security. Apparently Chinese cyber experts found some extracurricular activities in products from both companies, which is not terribly surprising. Furthermore, they probably realized that detecting all the malware in modern software is practically impossible, and correctly decided to keep the foreign security well-wishers away, at least from their government.
The Chinese perception of individual privacy is different from the Western, and they don’t seem to be very concerned about the privacy of the regular common users, at least currently. However, they will probably watch Kaspersky’s and Symantec’s products sold to the Chinese private sector very carefully from now on. If they detect any sizeable collection of data from customers’ computers they will probably bar Kaspersky, Symantec, or both from doing business in China altogether.
The great cyber triangle is definitely becoming more and more equilateral. Interestingly, for the first time that I can recall, China is taking the lead in a trend that is logical and most likely to continue.