Kaspersky’s Intelligent Move

The latest move by Kaspersky Lab is definitely intelligent, perhaps a little too intelligent.

Computer security vendors are beginning to offer integrated cross-platform security for Windows, Mac and Android devices, with Kaspersky Lab leading the pack with its Internet Security—Multi Device 2015. At first glance it looks like déjà vu, as good or as bad malware protection as any other on the market. However, Kaspersky’s has a new feature — it protects all the devices you own, up to five of them. Convenient.

Initial reviews are good: http://www.pcworld.com/article/2459156/kaspersky-internet-security-2015-multi-device-review-new-interface-same-excellent-protection.html

From a business standpoint this makes perfect sense – uncluttering  the security arrangements of your devices and bringing security to one simple point. This should upend the competition that is selling long lines of unrelated programs.

However, there‘s another angle here. The simple truth is that a security system for your computer takes over your computer, whether you like it or not. So when you have a bunch of different security products, each one of them controls only the device for which it is intended.

One of the most reliable means of accessing all data in a computer is via its security system. But, with some technical exceptions, the ultimate targets of most security or intelligence organizations are people, not their computers per se. This means that if someone wants all your data on all your devices, and chooses to do so via your security system, he has to have control of all your security systems. Not too difficult, but certainly cumbersome in a large-scale outfit. Inconvenient.

Here comes a great innovation: one-stop shopping for  all your data – an integrated security system for all your devices. All your data can be obtained via a single security system. Convenient.

It’s not a big secret that Kaspersky Lab has cozy relations with the Russian Government and thus is a valuable resource for the latter. There was a lot of debate related to Kaspersky Lab and their relations to the Russian Government, someone even suggested once that they have a lot of customers and just one client.

I’d prefer to leave that to the reader’s judgment, but simply caution that in any case integrating all your devices via one security system makes you an easier cyber prey, and may be unwise, Kaspersky or not.

 

Why do Russia and China not cyberwhine?

Usually in my posts I try to provide answers. This time I can only manage a question, but it’s an interesting one.

We constantly hear complaints, if not outright whines, about the US being attacked in cyberspace, either by China or Russia. We’ve gotten used to these attacks, and our response is becoming more and more like “what else is news?”

But there’s an interesting angle here: in the more-or-less symmetrical US-Russia-China great cyber triangle we rarely if ever hear about Chinese or Russians being hacked. Is it that they are not being attacked? Not at all. For example, recently Russia detected a five-fold increase in powerful DDoS attacks over the last year, the longest one lasting ninety days. That one was by any standard a major cyber security event. Was it a big media deal in Russia? Not really– it was barely mentioned.

Initially I thought this difference was mainly a cultural thing. In Russia boys grow up in a culture where if you’re beaten up, you don’t cry “Mommy, he hit me!”, and for sure you don’t complain to teachers or the police. Just heal your bruises and learn to defend yourself. I believe that in China the culture in this respect is somewhat similar. The reaction to cyber attacks on the US is just the opposite. Instead of developing a really effective technology of cyber defense and immediate counterattack, we whine loudly time after time and waste our credibility with vague threats, when everyone knows there will be no real response.

However, cultural difference is probably not the reason for Russia’s and China’s  mute response. As an example of the opposite response, we can recall frequent border disputes between Russia and China in 1960s (over the areas where nobody was present for many miles except a few occasional border guards). During those clashes there were extensive media coverage on both sides, with many diplomatic notes saying something like “This is the 104th serious warning.”

So, the question remains: compared to our constant whining, what is the reason for the very muted Russian and Chinese responses to cyber attacks?

“Russian Hackers” brand

The media constantly speculate about what “Russian hackers” are doing against Western targets. Publications such as The New York Times are increasingly concerned about “Russian hackers” in the energy and financial sectors in particular:

http://www.nytimes.com/2014/07/01/technology/energy-sector-faces-attacks-from-hackers-in-russia.html?nlid=58721173&src=recpb

http://bits.blogs.nytimes.com/2014/07/07/russian-arrested-in-guam-on-array-of-u-s-hacking-charges/

The term “Russian hackers” needs some clarification. Cyber operations in Russia are conducted by numerous entities with vastly different objectives, resources,  and constraints.

At least one distinct Russian military entity is tasked with infiltrating the critical infrastructure of potential adversaries, planting electronic/cyber bombs that can be activated when ordered, with a devastating result that would only be surpassed by a massive nuclear strike. This activity has been successfully carried out against the US for decades, and several generations of this malware are now sitting all over our critical infrastructure. Top American experts have deemed it practically impossible to detect and eliminate this malware. Welcome to the real world.

Totally different tasks are assigned to other Russian government entities. Acquiring technical/technological intelligence has been a traditional Russian favorite, and has become significantly more aggressive with the opportunities presented by cyberspace. This kind of  intelligence can save a lot of research money, effort and time while providing solutions with minimal delays. In the energy sector this is particularly significant for gaining competitive advantage  in world energy markets. The results are easy to coordinate since most of the Russian energy companies are government-controlled, which gives a great advantage to companies like Gasprom.

The financial sector offers a different kind of target. It attracts the concentrated attention of a wide variety of Russian hacking entities. This sector is simultaneously a part of our critical infrastructure, a vital resource for successful financial investment strategies for the vast amounts of various types of Russian money in the West (and East), and also a practically unlimited source of money to steal with little chance of being caught. Consequently, this industry is under attack from  all sorts of hackers: government, corporate, and private entrepreneurial.

This brief breakdown shows why so-called “Russian hackers” should be differentiated, and as a phenomenon it is certainly not unique to Russia. The players involved differ vastly in size, resources, sophistication and risk tolerance. Taking these differences into account enable us to better understand the nature, origin, and objective of Russian cyber attacks.

Don’t Blame the Hacking Victim; Blame the Cyber Security Product

“People are the weakest link in security” is an adage that has proven valid over the centuries. It’s also a common rationale for explaining cyber security breaches. It sounds like a pretty convincing explanation, but is this proposition really true?

There’s one important factor in these historical failures: otherwise good security systems—i.e. if a human being had not made a mistake, the system would have remained undefeated. That’s a fundamentally different situation from what we have now with our legacy cyber security systems. These systems are built on current technologies that have for some time been well proven to be thoroughly flawed. Virtually every firewall and router delivered to the first customer has already been hacked, and thus proven unfit for their intended purpose even before they are installed. The human factor in cyber security is only a very convenient excuse for the failure.

But clearly, the human factor is not the real reason for the failure.

Router vulnerability is especially critical because it can be exploited to perform “man-in-the-middle” cyber attacks that can very quickly cripple entire networks. Router manufacturers regularly blame their customers for failing to reset the default password on the router. Never mind that the new password would delay a competent hacker by just a few minutes at best. But officially it’s the customer’s fault and “human failure” is the cause.

Blaming the customer for equipment failure is not generally a successful business strategy, but, cyber security companies somehow manage to get away with it – perhaps because of the still somewhat mysterious nature of cyberspace.

There’s a very simple conclusion to be drawn here: currently available cyber security technology is not anywhere at the level where the “human factor” is the weakest link. The weakest link is the fundamentally flawed cyber security technologies that fail well before the “human factor” can even come into play.

So, stop blaming the customers. The real cause of the failure is the human factor of those who are supposed to protect our cyberspace assets with real security technologies but consistently fail to do so –while charging their customers heftily for products that are known to be unfit for the purpose.

Privacy Posturing in the Great Cyber Triangle

The recent New York Times article, “Internet Giants Erect Barriers to Spy Agencies,” reflects the current political rhetoric over privacy, but it also misrepresents the reality of the situation.

http://www.nytimes.com/2014/06/07/technology/internet-giants-erect-barriers-to-spy-agencies.html

The companies cited– Google, Facebook, Yahoo, and the like– are taking steps to make NSA interception of their data more difficult. But this is a basically political move. They are merely reducing levels of voluntary cooperation with the government. The simple truth is that with the cybersecurity technology currently available and deployed these companies are not capable of protecting themselves, and ultimately their customers, from cyber attacks.

In the great US-Russia-China Cyber Triangle each government has enjoyed the quasi-voluntary cooperation of its cyber-based large companies. The other two governments were simply attacking the companies at will, and with full success. Of course, the companies’ cooperation was helpful to their host government, but it should be clearly understood that this was merely a matter of convenience and efficiency, and had little bearing on the actual result.

So the only change this new US cyber company fad  is that it will take a little more effort by the US Government to get the same results. The other two sides of the great triangle aren’t affected (nor, for that matter, are several  other governments).

This might suggest that the only way to protect people’s privacy is a legislative approach that would prohibit the Government from spying on its own citizens. But then we have to clearly understand that while we can prohibit NSA collecting Americans’ personal and private data, we cannot prevent Russia or China from doing the same. This is a symmetrical situation: Russia and China, and any other country, cannot prohibit the US collecting whatever they want. The situation would be awkward indeed if only American Government cannot collect unrestricted information on Americans. Spying is the oldest profession, and it’s going to prosper for the foreseeable future.

There’s a simple conclusion to be drawn: until and unless we develop new and truly effective cybersecurity technologies all the discussions about our privacy are just exercises in political rhetoric.

 

Symantec Dead Wrong, Again

In a recent Wall Street Journal article Symantec declares the current antivirus products dead and announces their “new” approach to cyber hacking: instead of protecting computers against hacking they will offer analysis of the hacks that have already succeeded.

http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj

This is the equivalent of a pharmaceutical company failing to develop an effective vaccine, and offering instead  an advanced autopsy that hopefully will determine why the patient has died.

At its core this approach is based on two assumptions: 1) that developing effective antivirus products is impossible, and 2) that detecting damage that has already been done is easier than defending the computer.

Let’s take a quick look at both these assumptions.

It’s true, of course, that Symantec, along with a few other cyber security vendors, has failed to develop anti-hacking protection systems, because all these systems were based on the same fatally flawed firewall technology. However, that doesn’t mean such products cannot be developed if they are based on valid new cyber security principles. Cloning for one.

The second Symantec assumption, that they can detect the damage already done, doesn’t look convincing either. It’s hard to understand how one can “minimize damage” when the damage has already been done. Moreover, detecting damage, especially stolen data, is significantly more difficult than the task they have already conspicuously failed at. Modern malware is very good at morphing itself, possibly multiple times, into a variety of forms, splitting itself in several components and hiding in the depths of increasingly complex operating systems.

The bottom line is that it’s true that the currently deployed antimalware technology is dead– but this “new” approach is even more dead. The only likely benefit is that the participants will get a few billion dollars from the Government for their “advanced” research.

Conclusion:  instead of offering a cyber coroner’s facilities we’d be much better off developing fundamentally new technologies.  Essentially, new cyber vaccines.

Real Target of eBay Hack

Inasmuch as the recently announced hacking of eBay sounded like déjà vu, some aspects of it do warrant further inquiry. The company’s standard “we are dedicated to the security of our customers and are transparent” approach is plausible, but its customers may in fact be in less danger than is automatically assumed.

A common retail hacking usually ends up with a large number of customers’ accounts charged small amounts that go unnoticed for some time, allowing the hacker to accumulate significant amounts and, hopefully, cover their tracks. The relative stealthiness of this approach usually works well with credit card charges that don’t attract the attention of the customers. With this approach the major distinction between hacking of a bank, VISA, or MasterCard and eBay is that eBay customers are usually very involved in every transaction, and are likely to detect any discrepancy faster than during a  casual use of a credit card. This makes eBay a less attractive target for a hacker – the probability of quick detection is a lot higher and the yield per transaction is still small.

Hackers clearly understand that, which raises the question of why they chose to hack eBay. Something other than the retail accounts must have attracted them to eBay, and eBay’s announcement that they had no indication of a significant spike in fraudulent activity on their site corroborates that. The answer probably lies with the huge overall amounts of money passing through eBay every day. I suspect that the hackers went after large corporate transactions with banks and vendors. There are very effective methods of hiding electronic theft from companies that are well beyond the scope of this post. Such methods can deal with large amounts and are assured a very low probability of detection for a significant time, enabling the thieves to cover their tracks. The key here is that with the high level of automation and the large number of transactions via eBay’s corporate network, hackers can reasonably hope for significant time before the transactions are scrutinized manually. The fact that “cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” and that the hack occurred “between late February and early March” and was detected only in early May supports this scenario. Furthermore, the accuracy of the attack detection and the time range cited suggest that eBay has only a vague idea of what actually happened and when.

All this tells us that eBay customers’ accounts are in less danger than may appear. Moreover, if someone gets your address, birthday, and telephone number, you cannot – you can’t take back and secure that information by changing your password — which does not offer much protection in the first place. However, eBay should take a very close look at its corporate finances from February through May of this year – they may be missing a few million.

Utilities Hacking Paradigm Shift

 

With the pleasant long weekend over, now is a good time to check up on recent cyber history. It’s a common Government practice to release potential “hot potatoes” just before a holiday in the hope that they will pass generally unnoticed. So it’s useful to review the pre-holiday week’s releases right after the holiday. There is something there that caught my eye that I would like to address.

Interesting questions were raised by the following article, oddly published by an Australian publication on May 22: http://www.gizmodo.com.au/2014/05/hackers-broke-into-a-public-utility-control-room-by-guessing-a-password   (“Hackers Broke Into A Public Utility Control Room By Guessing A Password.”) In short, the story is commenting on the DHS announcement of the discovery and fixing of a hackers’ break-in into an unspecified public utility’s controls. This raises at least two questions.The first question is why the announcement was made at all. Everybody who is anybody in cybersecurity knows that within the US-Russia-China triangle practically all internet-connected utilities have been penetrated for decades. Malware representing electronic bombs have been mutually installed by these countries and have gone through several generations of upgrades; they are ready to use, and extremely difficult to detect. Obviously, the most vulnerable side of the triangle is the US, since it has the most advanced and most connected network of utilities. The existing status quo in the triangle is somewhat similar to the famous MAD – Mutually Assure Destruction– of the Cold War, and the situation is pretty stable. So, if it’s not news, why announce it? This question can probably be answered by the second question.

The second question is: what has been left unsaid in the announcement? This is probably the key to the whole thing. The announcement mentioned “hackers,” with no hints as to their identity. But the interesting detail is that the attack was performed by a very unsophisticated “brute force” approach, which any hacker with a  modern computer can do that easily. So, the only plausible explanation for the whole announcement is to tacitly acknowledge that some rogue hackers were able to penetrate a public utility, and to suggest that more such attacks may be coming. Obviously, rogue hackers of many denominations do not have the mutual restraints of the US-Russia-China triangle, and without such restraints they can do real damage.

Overall, it looks like the DHS is laying down the proposition that when some real damage is done, they can say that now anybody can take control of our utilities, as we warned you.

US charges Chinese military (legally)

The indictment of five Chinese military officers on charges of hacking American companies shows a blatant disrespect for intelligence of the American voters.

This legal pursuit at best is plain silly. Despite a couple of other unsubstantiated claims, spying is the world’s oldest profession. Spying has been going on for thousands of years, is going on, and will go on for the foreseeable future. Furthermore, it is the duty of every national military to provide intelligence for its country. How are we going to assert jurisdiction over military officers of another country acting on their own territory? How we are going to prove beyond reasonable doubt that it was they who indeed did or controlled the hacking? The indicted officers must be grateful for this recognition of their efforts and doubtlessly will be decorated and promoted. This will be the only real result of our action.

This legal charade perfectly fits the election cycle and is clearly aimed at showing American voters that the current Administration is doing something about the daunting problem of hacking. However, American voters are surely smart enough to understand that instead of developing real defenses against cyber attacks we are wasting money on a legal farce. What should we expect next? The indictment of every designer, manufacturer, and operator of foreign satellites and eavesdropping equipment?

We probably have enough lawyers to sue every foreigner that spies on us, but not enough money to pay for them. As a nation we would be much better off effectively defending ourselves rather that whining about being helpless victims and becoming the world’s laughing-stock.

 

What happened?

All mainstream media have been flooded with never ending announcements of cyber security breaches for quite some time. All of a sudden, in the last couple of weeks, there are none. Total silence. What happened? Have cyber attacks stopped or have they become so stealthy that no one can detect them? Probably neither.

This sudden silence make me wonder about controllability of the media by political powers. Let us put it on our watch list. This could be a litmus test for mainstream media independence.

Meanwhile, since there is no cybersecurity new to discuss, I’d like to touch upon a very interesting subject of laws and rules of cyberspace.

There are two general categories of law: spatial and societal. Spatial laws are native to the space; objects in a space can discover them, but cannot change them. Newtonian laws of motion are an example of spatial laws in our physical space.

No entity has jurisdiction over entire cyberspace, i.e., there is no overall authority in cyberspace. Furthermore, no entity has jurisdiction even over a subspace such as the Internet or the international postal system. Thus, societal or relative laws cannot effectively exist in cyberspace. This means that any attempt to make a relative law for cyberspace is futile. For instance, suppose country A enacts a law that makes it illegal to communicate with any cyber object in country B. This is hardly an enforceable law. For instance, an object in country B can have a related object in a neutral country C. This way, this object in country B can communicate with objects in country A through its related object, with a low probability of detection in cyberspace. Thus this law can be enforced in country A with some chance of success through its government’s means in physical space, but not in cyberspace. This means that any attempt to create societal laws relative to objects in cyberspace is essentially futile.