Tag Archives: hacking

Apple-Google-FBI Phone Encryption Spat or Public Image Campaign?

Apple and Google announced encryption programs for their smartphones that supposedly increase their customers’ privacy. As a result we’ve just seen a very public privacy vs. security debate with Apple, Google, and the FBI making statements worthy of desperate pre-election politicians. An interesting aspect is that the debate rages around the technical issue of encryption, even though practically no technical information has been released. So no technical evaluation of the claims is feasible, but a closer look at the underlying issues seems in order.

First of all, the very basis of encryption as we know it is that every party privy to encrypted data has to have the key. Simply put, this means that there are always at least two keys involved. Even if you encrypt your files within your own computer with a password that you remember, there has to be a reciprocal key somewhere in you computer for validation. Otherwise, there is no encryption.

Apple and Google announced that they would no longer have a “master key,” or possibly a database of the passwords of all users on their servers. (A very interesting question pops up: how are they going to update software in your phone or computer? That wasn’t mentioned.) That sounds like they’re transferring your privacy destiny into you own hands. It’s just not so. Suppose they really aren’t going to have your password. What they’re really saying is that somebody else will have your password, presumably your mobile phone carrier. So the whole hoopla is really about them saying that they don’t want to deal with Government demands for massive amounts of our private data. They’re just saying that the Government has to deal with someone else.

The best case scenario here would be for Apple and Google encryption to be arranged in a way that your personal data such as your rolodex, your pictures and notes, etc. would be stored in your phone encrypted with your personal password, and your carrier would not have a copy of it.

Either way, the FBI has a difficult case to complain about. Their statement that encryption will hinder criminal investigation is clearly disingenuous. It’s not a matter of technical difficulty, it’s a matter of convenience and constitutionality. The only problem this would make for the FBI is that they couldn’t come to a company with a vague sweeping order for a vast amount of private data of a lot of their customers. They’d have to hack every suspect’s phone individually. This is certainly not difficult, and if they don’t know how to do it they can consult the NSA. They’d also have to go to court to obtain a search warrant for every individual suspect. Inconvenient, but that’s the way the Constitution meant it to be.

Cyber Guns for Hire

Dawn of a New Era of Hacking

Last week I was trying to log on to the control panel of my blog and an annoying message came back. It announced that the host company was under a massive cyber attack by a botnet of some 90,000 infected slave computers trying to break into its customers’ blogging accounts by a brute force attack that was guessing its customers’ user IDs and passwords. Success would enable the attacker to take control over some blogs. So a login was not available.

My first reaction was mild annoyance at this déjà vu event of Internet daily life. Then something occurred to me: this was not business as usual, it was a sign of a new hacking era.

There are two important points to be made here. One is the type of the attack. Botnet attacks have been around for decades, but usually they are crude flooding-type DDoS attacks, with tons of cyber junk thrown at some entity’s servers, clogging up their communications channels and thus denying normal cyber services. This was dramatically different: the botnet was performing a crypto attack by a vastly distributed but coordinated force. And there was a fundamental qualitative difference here: instead of a dumb flooding the botnet performed an intelligent task by utilizing the vast computing power of the combined slave machines.

This is just the beginning of a trend, with the performance of more sophisticated tasks to come. It represents a frightening increase of the cyber powers of hackers not backed by a state, who by themselves possess limited computing power.

The second point here is that the attack was directed at the blogs’ controls server, which does not itself contain any of its clients’ financial information. Typically, hackers go after financial data or target a specific entity they don’t like. In this case the site attacked contains multiple blogs, so it was not itself the target. This, in turn, means that somebody – a hacker’s customer who does not possess the level of expertise necessary for such a major operation — was after a specific blog or two they didn’t like for some reason. So the entity behind the attack was not a typical hacker.

What does this tell us? That it likely was a hacking job for hire performed by a competent hacker for some customer motivated by unknown considerations. This means that a paying customer can hire the services of skilled but unscrupulous hackers with their powers vastly amplified by potentially millions of computers around the world.

This aspect of the event seems to signal the dawn of an alarming new era in cyberspace, when someone can actually use cyber guns for hire to mount sophisticated attacks far more devastating than just silencing a blog they dislike.

I addressed the theoretical potential of this dimension of hacking in my book (Cyberspace and Security), and it now looks like an upcoming reality.

Apple Pay Security—a Token or for Real?

As usual Apple created a good deal of hype around its new product rollout, this time with the iPhone 6, with its proposed Apple Pay system drawing the most attention. Apple Pay offers much improved convenience at the checkout counter, though its claimed applicability to phone call orders and interoperability with other methods of payment have not yet been publicly explained. Those issues notwithstanding, Apple Pay could be a major step forward in the technology of retail banking transactions.

The main claim and the main attraction of the Apple Pay system is its security. Characteristically and perfectly understandably Apple was a little short on describing the security functionality. The particulars of these security arrangements are probably the most important aspect of the whole iPhone 6 exercise, and a lot of cybersecurity experts are waiting for the details to render a real judgment on the system.

Given its historical record Apple is unlikely to disclose the Apple Pay algorithm, though that’s not really justified by any security consideration. Only the implementational details of cybersecurity systems should be secret, for both security and competitive proprietary reasons. But the underlying algorithm should be published and analyzed, as is usually done for most crypto systems. In the evaluation of cybersecurity systems it’s always assumed that the algorithm is known to the attackers.

But we’ll know the Apple Pay algorithm anyway as soon as the system is available in the real world. The algorithm can be determined with a couple of simple experiments at the point of sale (POS). If the algorithm provides for a full change of cyber identity for the buyer and the purchase card with every transaction, it would be extremely difficult, if not practically impossible, to defeat. If, however, Apple Pay turns out to be just another run-of-the-mill token system, it would only be a marginal improvement over existing systems, only protecting the point of sale. Such a system  can be hacked in several different ways, perhaps by hacking it through Apple servers, which has proven to be a task of only moderate difficulty for a competent hacker.

So, we need to wait and see what system Apple came up with – the major breakthrough they claim, or just a marginal step forward.

Dawn of Cyber Reality

It’s being presented as mainstream media shockers that a Russian cyber gang stole 1.2 billion cyber identities, including user names and passwords, or that somebody stole 4.5 million hospital records including including addresses, birth dates and social security numbers. How awful!

Now, a good reality check is clearly in order. The alleged Russian criminal gang of less than a dozen members comes from a small town in the middle of Russia that most people never heard of. By any measure this gang is nowhere close to the top of Russian cyber criminal outfits, never mind the government spooks of many countries. If they managed to get all the data reported, there’s absolutely no doubt that higher-level cyber attackers have much more — they just prevent others from finding out about it. Actually, it’s usually wisest to hide your success in any intelligence operation or theft.

The current cyber reality is that practically all user data is stolen. One of the qualities of cyberspace is that the same cyber asset can be stolen multiple times by multiple perpetrators. In other words, in the physical world a burglar can steal your asset only once; in cyberspace it can be stolen many times by multiple cyber burglars. So understand: whether you like it or not, all user data is stolen by many attackers, including multiple cyber gangs and, of course, by several countries’ spooks.

The real question isn’t whether user data is stolen, nor who stole it—it’s what to do about it. And, in another reality check, it’s being recognized by more and more “experts” that nothing can be done about it beyond fuming until we finally get to develop a real cyber security. Indeed, what difference does it make who stole your assets? There is none, unless you have a preferred burglar for your house.

So, it looks like all this hype about stolen identities is no more than a lot of hot air until we develop a cybersecurity technology that actually works. Then we can seriously discuss the issues now hotly and fruitlessly debated in apparent perpetuity.

 

“Russian Hackers” brand

The media constantly speculate about what “Russian hackers” are doing against Western targets. Publications such as The New York Times are increasingly concerned about “Russian hackers” in the energy and financial sectors in particular:

http://www.nytimes.com/2014/07/01/technology/energy-sector-faces-attacks-from-hackers-in-russia.html?nlid=58721173&src=recpb

http://bits.blogs.nytimes.com/2014/07/07/russian-arrested-in-guam-on-array-of-u-s-hacking-charges/

The term “Russian hackers” needs some clarification. Cyber operations in Russia are conducted by numerous entities with vastly different objectives, resources,  and constraints.

At least one distinct Russian military entity is tasked with infiltrating the critical infrastructure of potential adversaries, planting electronic/cyber bombs that can be activated when ordered, with a devastating result that would only be surpassed by a massive nuclear strike. This activity has been successfully carried out against the US for decades, and several generations of this malware are now sitting all over our critical infrastructure. Top American experts have deemed it practically impossible to detect and eliminate this malware. Welcome to the real world.

Totally different tasks are assigned to other Russian government entities. Acquiring technical/technological intelligence has been a traditional Russian favorite, and has become significantly more aggressive with the opportunities presented by cyberspace. This kind of  intelligence can save a lot of research money, effort and time while providing solutions with minimal delays. In the energy sector this is particularly significant for gaining competitive advantage  in world energy markets. The results are easy to coordinate since most of the Russian energy companies are government-controlled, which gives a great advantage to companies like Gasprom.

The financial sector offers a different kind of target. It attracts the concentrated attention of a wide variety of Russian hacking entities. This sector is simultaneously a part of our critical infrastructure, a vital resource for successful financial investment strategies for the vast amounts of various types of Russian money in the West (and East), and also a practically unlimited source of money to steal with little chance of being caught. Consequently, this industry is under attack from  all sorts of hackers: government, corporate, and private entrepreneurial.

This brief breakdown shows why so-called “Russian hackers” should be differentiated, and as a phenomenon it is certainly not unique to Russia. The players involved differ vastly in size, resources, sophistication and risk tolerance. Taking these differences into account enable us to better understand the nature, origin, and objective of Russian cyber attacks.

Symantec Dead Wrong, Again

In a recent Wall Street Journal article Symantec declares the current antivirus products dead and announces their “new” approach to cyber hacking: instead of protecting computers against hacking they will offer analysis of the hacks that have already succeeded.

http://online.wsj.com/news/article_email/SB10001424052702303417104579542140235850578-lMyQjAxMTA0MDAwNTEwNDUyWj

This is the equivalent of a pharmaceutical company failing to develop an effective vaccine, and offering instead  an advanced autopsy that hopefully will determine why the patient has died.

At its core this approach is based on two assumptions: 1) that developing effective antivirus products is impossible, and 2) that detecting damage that has already been done is easier than defending the computer.

Let’s take a quick look at both these assumptions.

It’s true, of course, that Symantec, along with a few other cyber security vendors, has failed to develop anti-hacking protection systems, because all these systems were based on the same fatally flawed firewall technology. However, that doesn’t mean such products cannot be developed if they are based on valid new cyber security principles. Cloning for one.

The second Symantec assumption, that they can detect the damage already done, doesn’t look convincing either. It’s hard to understand how one can “minimize damage” when the damage has already been done. Moreover, detecting damage, especially stolen data, is significantly more difficult than the task they have already conspicuously failed at. Modern malware is very good at morphing itself, possibly multiple times, into a variety of forms, splitting itself in several components and hiding in the depths of increasingly complex operating systems.

The bottom line is that it’s true that the currently deployed antimalware technology is dead– but this “new” approach is even more dead. The only likely benefit is that the participants will get a few billion dollars from the Government for their “advanced” research.

Conclusion:  instead of offering a cyber coroner’s facilities we’d be much better off developing fundamentally new technologies.  Essentially, new cyber vaccines.

Real Target of eBay Hack

Inasmuch as the recently announced hacking of eBay sounded like déjà vu, some aspects of it do warrant further inquiry. The company’s standard “we are dedicated to the security of our customers and are transparent” approach is plausible, but its customers may in fact be in less danger than is automatically assumed.

A common retail hacking usually ends up with a large number of customers’ accounts charged small amounts that go unnoticed for some time, allowing the hacker to accumulate significant amounts and, hopefully, cover their tracks. The relative stealthiness of this approach usually works well with credit card charges that don’t attract the attention of the customers. With this approach the major distinction between hacking of a bank, VISA, or MasterCard and eBay is that eBay customers are usually very involved in every transaction, and are likely to detect any discrepancy faster than during a  casual use of a credit card. This makes eBay a less attractive target for a hacker – the probability of quick detection is a lot higher and the yield per transaction is still small.

Hackers clearly understand that, which raises the question of why they chose to hack eBay. Something other than the retail accounts must have attracted them to eBay, and eBay’s announcement that they had no indication of a significant spike in fraudulent activity on their site corroborates that. The answer probably lies with the huge overall amounts of money passing through eBay every day. I suspect that the hackers went after large corporate transactions with banks and vendors. There are very effective methods of hiding electronic theft from companies that are well beyond the scope of this post. Such methods can deal with large amounts and are assured a very low probability of detection for a significant time, enabling the thieves to cover their tracks. The key here is that with the high level of automation and the large number of transactions via eBay’s corporate network, hackers can reasonably hope for significant time before the transactions are scrutinized manually. The fact that “cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” and that the hack occurred “between late February and early March” and was detected only in early May supports this scenario. Furthermore, the accuracy of the attack detection and the time range cited suggest that eBay has only a vague idea of what actually happened and when.

All this tells us that eBay customers’ accounts are in less danger than may appear. Moreover, if someone gets your address, birthday, and telephone number, you cannot – you can’t take back and secure that information by changing your password — which does not offer much protection in the first place. However, eBay should take a very close look at its corporate finances from February through May of this year – they may be missing a few million.

US charges Chinese military (legally)

The indictment of five Chinese military officers on charges of hacking American companies shows a blatant disrespect for intelligence of the American voters.

This legal pursuit at best is plain silly. Despite a couple of other unsubstantiated claims, spying is the world’s oldest profession. Spying has been going on for thousands of years, is going on, and will go on for the foreseeable future. Furthermore, it is the duty of every national military to provide intelligence for its country. How are we going to assert jurisdiction over military officers of another country acting on their own territory? How we are going to prove beyond reasonable doubt that it was they who indeed did or controlled the hacking? The indicted officers must be grateful for this recognition of their efforts and doubtlessly will be decorated and promoted. This will be the only real result of our action.

This legal charade perfectly fits the election cycle and is clearly aimed at showing American voters that the current Administration is doing something about the daunting problem of hacking. However, American voters are surely smart enough to understand that instead of developing real defenses against cyber attacks we are wasting money on a legal farce. What should we expect next? The indictment of every designer, manufacturer, and operator of foreign satellites and eavesdropping equipment?

We probably have enough lawyers to sue every foreigner that spies on us, but not enough money to pay for them. As a nation we would be much better off effectively defending ourselves rather that whining about being helpless victims and becoming the world’s laughing-stock.