VCC -Variable Cyber Coordinates

In my previous posting I mentioned VCC – Variable Cyber Coordinates method of communication. In response to questions from readers the following is a an article on the subject in Wikipedia (April 25, 2014).

Variable Cyber Coordinates (VCC) is a method of network communications by which the cyber coordinates of the participating objects or entities are constantly changing. It provides an algorithmic foundation for the dynamic security of network devices against network-based cyber attacks.

Cyber coordinates are sets of statements that determine the position of an object in cyberspace. For instance, an IP address singularly determines the location of a computer within the Internet. Cyber coordinates enable computers connected to the Internet to “find” each other and to communicate, much in the same way that knowledge of geographic coordinates of a location on Earth enables guidance of an object to travel to that location. Essentially, any communications parameter can be viewed as a cyber coordinate. Other examples of cyber coordinates are computer Port numbers, MAC addressestelephone numbers, file names, radio calls, etc.

With the VCC method of communications cyber coordinates of participating objects or entities are made variable. They are assigned temporary values, often random or pseudorandom. These temporary cyber coordinates are usually encrypted and distributed only to authorized devices. Authorized devices can communicate with each other using the currently valid set of cyber coordinates. Other devices on the network that are not privy to the currently valid set of cyber coordinates, cannot communicate with the authorized devices. However, a determined attacker with sufficient resources, effort and time can identify the currently valid cyber coordinates. To prevent this, the currently valid set of cyber coordinates is periodically changed. The process is repeated at predetermined or random intervals sufficiently frequent to prevent a potential attacker from finding the protected devices and launching a successful attack.

An example of a simplified explanation of the VCC method of communications is illustrated in Fig.1.

Variable Cyber Coordinates
Fig.1

       The black line denotes regular computer communications;
       The red arrow denotes distribution of currently valid variable cyber coordinates.

In this example computer A is assigned an IP address xxx.xxx.xxx.123. Only computers B and C are authorized to communicate with computer A. Thus, computer A’s current IP address xxx.xxx.xxx.123 is sent to B and C only. Since computer D has not been sent A’s IP address, it would be difficult for it to determine A’s IP address. Thus no computer except B and C can communicate with A. The controller assigns cyber coordinates to protected computers and ensures their compatibility with the network administration’s policies and procedures.

To further strengthen computer A’s protection, A’s IP address is at some time changed to xxx.xxx.xxx.234. While not affecting A’s physical location, it moves it to another cyber space location. The new coordinates are sent to B and C, but to no other computer. Then even if computer D has made some progress in identifying A’s cyber coordinates, this progress is instantly obsolete with every new cycle of changing A’s cyber coordinates. Using the VCC methodology enables protected computers to evade cyber attacks even before they are launched.

Real VCC-based systems are much more complex than the example above and involve changes of multiple cyber coordinates for computers based in different networks.

The VCC method of communications was invented by Victor Sheymov and patented in 1999.

Net Neutrality

The just released FCC proposal for new rules governing broadband traffic management is a clear victory for the Telecoms/ISP political lobby. This proposal is aimed at starting to unravel the net neutrality principles that made Internet a reasonably democratic environment. The ultimate irony here is that that lobby is financed by the Internet users themselves through payments to the ISPs. So, the anti-user proposal is financed by the user. This makes the Iran-Contra affair look like child’s play.

From a technical perspective there are two issues here. One is band usage per se, and the other is the content/protocol discrimination. The cost of bandwidth is going in the same direction as the cost of computing power and memory: down and fast. On the other hand, the demand for bandwidth is going to taper off – a user is unlikely to watch more than one movie at the same time. The two curves are going to cross at some point and then there will be an excess of bandwidth.

Furthermore, the proposed content /protocol discrimination can be easily defeated by obfuscating the traffic content and protocol, using methods such as VCC – Variable Cyber Coordinates. This means that attempts to discriminate the net traffic can be only marginally feasible in the short term, and are economically infeasible in the long term. The Telecoms/ISPs are smart enough to recognize that.

This leaves us with a very interesting question: why are the efforts to control Internet traffic so persistent? The only reasonable answer is that they are motivated by the desire to control the content of Information travelling through the Internet. The Telecoms and ISPs are mandated to provide clear communications channels amongst all kinds of Internet users. The content of our communications is none of their business. They are keen to “throttle” traffic, but throttling the speed of communications will inevitably lead to throttling the content.

It is imperative to defeat any and all attempts to attack the principle of net neutrality. Given the number of Internet users and its fundamentally democratic nature, we should be able to do that.

What is cyberspace?

Some people view cyberspace as a set of computers and the wires connecting them; others view it as a source of readily available inexpensive information; others view it as a marketing space designed to facilitate their sales and increase profits; and yet others apparently view it as a target-rich space for committing crimes with little risk of being caught and punished. Instinctively, by cyberspace we generally mean the same recently evolved phenomenon, but we often imply different aspects of it. This may be acceptable for general discussions, but for specific work in the security field we need more precision.

But formulating a precise single definition of cyberspace is difficult at this time when we are just beginning to understand the concept. What seems to be clear is that cyberspace is an information and communications space. It is an abstract space. Indeed, cyberspace is where information exists and is stored, processed, and communicated with certain laws and rules applied.

Recognition of cyberspace can be attributed to development and growth of the Internet, but they are not the same. Cyberspace is a much broader concept while the Internet is a part of it. As consumers of information we don’t care if it is delivered to us by Internet through fiber optics or is flown in by a pigeon. What we really care about are things like its content, reliability, convenience and speed of delivery, cost, etc., i.e. attributes of information itself. We do not care whether our Internet provider is Verizon or Sprint, whether the routers used are Cisco or Juniper. This may be important to the equipment and service vendors but not us, information consumers.

This subject may look a little academic, but it isn’t. Proper definition of cyberspace is very important and has many practical implications.

Don’t Bother Changing Your Password

The news of the day is the Heartbleed bug. The mainstream media is full of the headline “Change your password. Hurry”.

Don’t. Just don’t bother. This is one of the daily occurrences of “major” cybersecurity breaches. The reality is that with this bug or the next one, the issue is not the bug, the issue is the password, as a concept. Any password can be hacked by a serious hacker with a decent computer in minutes if not seconds. How many times do we have to be hacked to get the message across  that we need to develop an effective cybersecurity technology instead of stitching patches on the constantly punctured bubble of the firewall?

Doing the same thing and hoping for a different result is not exactly the definition of intelligence. We’ve been doing that every day for a quarter century and calling ourselves cybersecurity experts. It doesn’t  seem that qualification is deserved.

Fake Defenses

The popularity of the Internet quickly led to cyber attacks. We realized the danger and developed our defenses, largely based on variations of a firewall. It does not work, and never did; in fact, it has been mathematically proven that any firewall can be penetrated; furthermore, any firewall can be penetrated in an unlimited number of ways. In the high-tech world, if something does not work within three to four years in the mainstream, it’s dead. Remarkably, we have been clinging to the firewall regardless for a quarter of a century. Why? We did not come up with an alternative.

Instead, we engaged in a series of four nontechnical solutions:

  • Defense by marketing
  • Defense by politics
  • Defense by deterrence
  • Defense by semantics

Defense by marketing. Marketers of numerous firewall manufacturers did wonderful job. “Firewall” sounds solid and reassuring. Actually, “fig leaf” protection is a far more accurate description of the firewall technology. No matter, we kept manufacturing, selling, and buying firewalls, happily using the electronic version of the proverbial king’s clothing.

Defense by politics. As technical measures did not work, we started the second phase. We tried to contemplate legal obstacles to cyber attacks, both domestically and abroad, by pressuring other countries to “crack down” on cyber criminals. This approach was quickly proved largely ineffective and quietly stopped. The latest attempt to revive this approach was made at a London conference for cyber security at the end of October 2011, and it was promptly rejected by most participants, notably the British.

Defense by deterrence. Some politicians and generals fighting the traditional “last war” have tried to resurrect the Cold War approach of strategic deterrence. This is a spectacularly misguided effort. During the Cold War, we knew exactly who the offender would be, and the threat of swift retaliation would follow. In cyberspace this is not valid. We can sometimes, but not always, discover who the offender is. However, we can never be certain. In fact, often we don’t even know there even is an offender because we often cannot detect an attack that has already succeeded.

Furthermore, there is a wide range of a potential deterrence measures. At one end of the spectrum, a mother’s notion of not giving a new bike for a guy’s fifteenth birthday is deterrent enough. At the other end, for an al Qaeda terrorist, a potential death penalty would not be deterrence but a badge of honor. Who are we supposed to deter and how? Luckily, the idea of defense by deterrence was sent back to happy retirement.

Defense by semantics. Under pressure of the facts, in the last few years it has become possible to say, off the record, that the firewall concept does not work. This was progress—at least it was a late triumph for free speech. So the second nontechnical solution tried, incidentally usually performed by technical “experts,” was defense by semantics. A large number of new terms and acronyms flooded the market, and we came to a point where computer security lingo became an alien foreign language that everybody speaks but nobody understands. However, the facts were still pressing, and the danger has become too obvious to ignore.

Cyber Bombs

Victor Sheymov’s Blog on Cyber Security and Intelligence

An important and often overlooked aspect is that many computers are infected by malware well before this malware is triggered. It means that many of our critical infrastructure computers already contain “cyber bombs” that are waiting to be triggered at the time chosen by the attacker to maximize the damage. This malware is extremely difficult to detect, and on a large scale such detection is a practical impossibility. Furthermore, disconnecting computers from the Internet in most cases would be ineffective, since malware can easily reconnect the computer to the Internet if a proper hardware and a wireless access are present, and they usually are. So we are sitting on multiple bombs embedded in our critical infrastructure at the mercy of multiple unknown attackers.

Thus we are facing a grim reality that we do not fully comprehend, and not much has been done about it so far. Our vulnerability has not improved over the years; indeed, it has deteriorated. The technology of cyber attacks has advanced more than technology of computer security. Let us review how we got into this situation and, more importantly, how to get out of it.

Running out of Time

Victors Sheymov’s Blog on Cyber Security and Intelligence

As a country, we are slowly coming to the realization that we are vulnerable. We are almost subconsciously accustomed to knowing that we are vulnerable to a nuclear attack by a very powerful potential adversary; luckily, there are only two of them on this planet. We are getting used to the realization that we are vulnerable to a possible collapse of the globalized monetary system. But we have yet to realize that we are vulnerable to a cyber attack that could be more damaging than anything except a massive nuclear strike. The most startling fact is that such an attack could be delivered by an individual or a small group with a few thousand dollars and access to nothing more than the Internet. This aspect is politely called “asymmetric warfare,” but in fact it represents the failure of our security technology.

The estimated annual cost of global cyber crimes is $960 billion, but that is just a small part of the threat. Damage to critical infrastructure and major industrial assets can easily surpass that, not to mention the potential of massive loss of life. We are beginning to realize that a cyber attack can literally incapacitate our critical infrastructure. Cyber attacks can explode oil refineries and chemical factories, clog up our streets and make emergency services powerless if they themselves are still available, and leave our houses without heating and air conditioning—or even blown up by the manipulation of gas distribution systems. If this list is not impressive enough, it can be very easily extended. And the reality is that at this time we are not doing much to defend against such attacks.