Author Archive for Russell

‘Don’t Ask, Don’t Tell in Davos’ — Act 3 in the Google-China affair

Taboos are willful ignorance, socially-enforced.  They are so not New School.  We have to deal with them, but we don’t have to be happy about it.

The Great Family Shame of incest between Oedipus and Jocasta

The public display of taboo is one of the more interesting aspects of Operation Aurora, a.k.a. the Google-China affair (summary and analysis is here, more details here).  It’s unfolding almost like a Greek tragedy.

Act 1 in the play was Google’s strategic decision to go public and recruit other breached companies to join them (without success).  Google went public anyway, violating the InfoSec disclosure taboo, and also the taboo against corporations speaking out against China.

Act 2 was the public and institutional reaction to Google’s announcement, the political posturing between US and China, and even the tempest of chatter in the InfoSec community about “Advanced Persistent Threats“  (or “Advanced Persistent Adversaries“, a term I prefer).

Act 3 is now under way at that great annual public meeting of Big Thinkers, the World Economic Forum in Davos, Switzerland.  While they discussed almost every other topic and idea, they avoided Operation Aurora as if it were the Great Family Shame, as highlighted here:

“BusinessWeek reports that the cyber attack on Google was the elephant-in-the-room at the annual meeting of world leaders in Davos. ‘China didn’t want to discuss Google,’ Josef Ackermann, CEO of Deutsche Bank AG and a co-chair of this year’s World Economic Forum, said in an interview. China’s Vice Premier Li Keqiang made that clear, he added. Even Google CEO Eric Schmidt didn’t bring up China, and Bill Gates was mum on the topic in an interview. The reluctance of companies to talk about China illustrates the pressure on them to protect their business in the country, while the U.S. government doesn’t want to upset Chinese investors, said Andy Mok of Red Pagoda Concepts LLC. ‘People have their commercial interests,’ explained Deutsche Bank’s Ackermann.” [emphasis added]

The Business Week article is here.  (Funny: here is a great Saturday Night Live skit that satirizes the power of China over the US in matters like this.)

While the Operation Aurora taboo is rooted in international politics, similar taboos exist within both the public and private sectors and no international politics are involved.   While we must deal productively with these taboos, we also can’t let them block meaningful progress toward the goal of data-driven information security and collective learning.

The Face of FUD

For your amusement: This image came as a banner on an opt-in email from NetWitness.   You’ll recognize this image as the face of F.U.D. (“fear, uncertainty, and doubt”).

If this is how you feel, buy our products. Then you'll feel better.

Headline is “You are losing the war!”, followed by “Criminal and state-sponsored adversaries are winning”.    The key line: “NetWitness delivers real-time network forensics and automated threat intelligence solutions designed to combat advanced cyber security threats like Operation Aurora.”

I don’t blame them for surfing the publicity wave of “Operation Aurora”  (China, Google, Adobe, et al.).  And I can’t blame them for following the industry practice of amplifying FUD, primarily “fear”, to get potential buyers to give attention and budget to NetWitness solutions, to wit:

“You have a choice: The NSA or FBI can sit down with your CEO and report your company’s network compromises, or you can be the one telling them that an attack was detected, thwarted, and steps were taken to prevent it from happening again. Which scenario sounds better to you?”

OK… so here’s a glimmer of NewSchool hope in the last lines of the email:

“We’re so sure of this fact that we’re determined to prove it on your network. We’re offering a complimentary Proof of Concept to any organization meeting a minimum set of qualifications.” 

So they are willing to show how their solution will actually work in your organization.  Not bad.  But to get the “NewSchool Tip-of-the-Hat”, it would be even better if the Proof of Concept included some sort of data about effectiveness vs. alternatives vs. make-do-with-whatever.  It would be even better if they published such data or made it available via various information sharing organizations.  We can only hope.

(I have no opinion about NetWitness or their solutions or their competitors, nor do I have any relationship.)

Doing threat intelligence right

From a great article by Robert Jervis, professor of international politics at Columbia University:

The problem isn’t usually – or at least isn’t only – too little information, but too much, most of it ambiguous, contradictory, or misleading. The blackboard is filled with dots, many of them false, and they can be connected in innumerable ways. Only with hindsight does the correct pattern leap out at us, and to fix what “broke” the last time around only guarantees you have solved yesterday’s problem.

Far more important, and useful, is to address the flaws in how we interpret and use the intelligence that we already gather. Intelligence analysts are human beings, and many of their failures follow from intuitive ways of thinking that, while allowing the human mind to cut through reams of confusing information, often end up misleading us. This isn’t a problem that occurs only with spying. It is central to how we make sense of our everyday lives, and how we reach decisions based on the imperfect information we have in our hands. And the best way to fix it is to craft policies, institutions, and analytical habits that can compensate for our very understandable flaws.

[...]

The first and most important tendency is that our minds are prone to see patterns and meaning in our world quite quickly, and then tend to ignore information that might disprove them. Premature cognitive closure, to use the phrase employed by psychologists, lies behind many intelligence failures.

[...]

Second, people pay more attention to visible information than to information generated by an absence. In a famous Arthur Conan Doyle story, it took the extraordinary skill of Sherlock Holmes to see that an important clue in the case was a dog not barking. The equivalent, in the intelligence world, is information that should be there but is not.

[...]

Third, conclusions often rest on assumptions that are not readily testable, and may even be immune to disproof.

I’ll add a fourth: ignoring threat intelligence altogether or treating it as taboo.  This may take several forms: “it’s beyond our control”, “we don’t have good data”, “it’s too hard to quantify”, “we aren’t paid for guess-work”, “we rely on vendors for that”, “everybody knows what the threats are”, “if we bring it up, we will get too many questions we can’t answer”, or other excuses.  (See Josh Corman’s post on the folly of relying on security vendors for your threat intelligence.  Vendors only have an incentive to inform you about threats they can mitigate.)

If you want a good methodology for threat intelligence, look at Intel’s.    It was adapted for use by the Information Technology Sector Coordinating Council in their risk assessment for critical IT industry infrastructure.

As good as it is, it could be even better if they had some systematic methods to actively seek out contradictory information and contrary hypotheses about threats.  One simple way to do this is to create a “Mental Model Red Team” whose primary job is to disprove everything you think you know, or at least to generate and validate contrary hypotheses.  (For social and cultural reasons, you should probably rotate your staff through this team rather than keeping the team membership fixed.)    Formal methods exist, including “Analysis of Competing Hypotheses” (slides).  (I’m in the process of evaluating a tool for this called SHEBA.  I hope to have a demo ready for Mini-metricon, something like this.)  Another possible method is prediction markets, but I’ve never seen them used for this purpose.
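To make the “disprove what you think you know” idea concrete, here is a small worked example of Analysis of Competing Hypotheses in Python.  It is an added illustration, not code from this post, from the Intel or IT-SCC methodology, or from the SHEBA tool; the incident scenario, the three hypotheses, the evidence items and their credibility weights are all constructed for the example.  It follows the usual ACH procedure: score each hypothesis by the weight of evidence *inconsistent* with it (rather than the evidence that supports it), report which evidence items actually discriminate between hypotheses, and, for the red-team step, flag the evidence items the leading conclusion depends on and any hypothesis that no evidence has yet contradicted (Jervis’s “immune to disproof”).

```python
"""Analysis of Competing Hypotheses (ACH) on a constructed incident scenario.

Scenario, hypotheses, evidence and credibility weights are all made up for
illustration; they are not taken from any real investigation.
"""
from dataclasses import dataclass

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"


@dataclass(frozen=True)
class Evidence:
    label: str
    description: str
    credibility: float  # 0..1, analyst's confidence that the observation is real
    ratings: dict       # hypothesis name -> C / I / N


HYPOTHESES = ["targeted intrusion", "commodity malware", "insider misuse"]

# Constructed evidence for a hypothetical incident; the C/I/N ratings are
# illustrative analyst judgements, not a standard.
EVIDENCE = [
    Evidence("E1", "Custom-lure phishing mail sent to three engineers", 0.9,
             {"targeted intrusion": CONSISTENT, "commodity malware": INCONSISTENT,
              "insider misuse": NEUTRAL}),
    Evidence("E2", "Malware sample matches a widely distributed commodity family", 0.8,
             {"targeted intrusion": INCONSISTENT, "commodity malware": CONSISTENT,
              "insider misuse": NEUTRAL}),
    Evidence("E3", "Data copied only from one project share, nothing else touched", 0.7,
             {"targeted intrusion": CONSISTENT, "commodity malware": INCONSISTENT,
              "insider misuse": CONSISTENT}),
    Evidence("E4", "Copy happened in business hours from a badge-present workstation", 0.6,
             {"targeted intrusion": NEUTRAL, "commodity malware": NEUTRAL,
              "insider misuse": CONSISTENT}),
    Evidence("E5", "Perimeter firewall logs show routine traffic volumes", 0.5,
             {"targeted intrusion": NEUTRAL, "commodity malware": NEUTRAL,
              "insider misuse": NEUTRAL}),
]


def inconsistency_scores(hypotheses, evidence):
    """Sum the credibility of evidence rated INCONSISTENT with each hypothesis.

    Lower is better.  Consistent evidence is deliberately not rewarded: most
    evidence is consistent with several hypotheses at once, so counting it
    mainly reinforces whichever story the analyst already favours."""
    scores = {h: 0.0 for h in hypotheses}
    for e in evidence:
        for h in hypotheses:
            if e.ratings.get(h, NEUTRAL) == INCONSISTENT:
                scores[h] += e.credibility
    return {h: round(s, 3) for h, s in scores.items()}


def rank_hypotheses(hypotheses, evidence):
    """Hypotheses ordered from least to most contradicted (ties broken by name)."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(hypotheses, key=lambda h: (scores[h], h))


def diagnostic_evidence(hypotheses, evidence):
    """Labels of evidence that rates at least two hypotheses differently.

    An item rated the same way against every hypothesis cannot help choose
    between them, however dramatic it looks."""
    return [e.label for e in evidence
            if len({e.ratings.get(h, NEUTRAL) for h in hypotheses}) > 1]


def fragile_evidence(hypotheses, evidence):
    """Labels of evidence whose removal changes or ties the leading hypothesis.

    These are the observations a 'mental model red team' should try hardest
    to overturn, because the conclusion rests on them."""
    leader = rank_hypotheses(hypotheses, evidence)[0]
    fragile = []
    for e in evidence:
        scores = inconsistency_scores(hypotheses, [x for x in evidence if x is not e])
        best = min(scores.values())
        leaders = [h for h in hypotheses if scores[h] == best]
        if leader not in leaders or len(leaders) > 1:
            fragile.append(e.label)
    return fragile


def untested_hypotheses(hypotheses, evidence):
    """Hypotheses that no evidence item contradicts at all.

    A hypothesis can lead the ranking simply because nobody has looked for
    evidence against it; that is Jervis's 'immune to disproof' failure."""
    return [h for h in hypotheses
            if not any(e.ratings.get(h, NEUTRAL) == INCONSISTENT for e in evidence)]


if __name__ == "__main__":
    print("inconsistency scores:", inconsistency_scores(HYPOTHESES, EVIDENCE))
    print("ranking            :", rank_hypotheses(HYPOTHESES, EVIDENCE))
    print("diagnostic evidence:", diagnostic_evidence(HYPOTHESES, EVIDENCE))
    print("fragile evidence   :", fragile_evidence(HYPOTHESES, EVIDENCE))
    print("untested hypotheses:", untested_hypotheses(HYPOTHESES, EVIDENCE))
```

In this constructed case “insider misuse” leads only because nothing in the matrix contradicts it, and the second-place “targeted intrusion” would tie for the lead if E2 turned out to be wrong; both flags are exactly the kind of output that tells a rotating red team where to dig next, which is the point of the exercise rather than the ranking itself.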

“It’s so Confidential, even we don’t know the number”

I’m just wondering how often any of you encounter this phenomenon.  The dialog goes like this:

You: “We’d like to define a metric for overall security and risk, and then publish it to stakeholders and business partners…”

Executive: “Wait right there!  No way!  That’s too confidential!”

You: “Excuse me?  Confidential?  You mean you already know what the number is, and revealing it will seriously harm your business?”

Executive: “No, we don’t know the number.  It’s so confidential, that even we don’t know what it is.”

Of course, the conversation never goes like this exactly, but I hope you get the drift.   The executive asserts the importance and critical nature of an overall metric for security and risk, but uses that as an excuse to not even try to estimate it in the first place.

I’m going to coin a label for this:  “meta-taboo”.   The topic itself is not taboo, but any discussion about how to actually get there or deal with the topic is taboo.  (Another example: a humorous label for a design document from my early days in engineering: “Burn before reading.”)

Of course, this is a sign of an unresolved inner conflict in the executive, or more likely a blind spot in the social psychology where we bury our collective fears, our collective fictions, and our quid pro quo’s.

The Cone of Silence from "Get Smart" TV program. It was so effective that it prevented all communication!

Anyone else encounter this?

Emerging threat: Social Botnets

We think of botnets as networks of computing devices slaved to some command & control system.  But what about human-in-the-loop botnets, where humans are either participants or prime actors?  I’m coining this label: “social botnet”.  Here’s the blog post that got me thinking: “Health Insurers Caught Paying Facebook Gamers To Oppose Reform Bill“:

From Business Insider:

Instead of asking the gamers to try a product the way Netflix would, “Get Health Reform Right” requires gamers to take a survey, which, upon completion, automatically sends the following email to their Congressional Rep:

“I am concerned a new government plan could cause me to lose the employer coverage I have today. More government bureaucracy will only create more problems, not solve the ones we have.”

When looking at the “Who we are” tab on GetHealthReformRight.org, here is the excerpt from this page:

Get Health Reform Right is a project of organizations whose shared mission is to ensure consumers continue to have access to employer-sponsored healthcare plans. We are concerned about federal legislation that would create new government bureaucracies that would unravel the workplace healthcare system where more than 160 million people get their coverage.

* Association of Health Insurance Advisors
* America’s Health Insurance Plans
* American Benefits Council
* BlueCross BlueShield Association
* Council of Insurance Agents & Brokers
* Healthcare Leadership Council
* Independent Insurance Agents & Brokers
* National Association of Health Underwriters
* National Association of Insurance and Financial Advisors
* National Retail Association

I call it a “botnet” because the people playing the game don’t really know what’s being done with their personal information and what actions are being taken in the world, under the illusion that the person consciously initiated the action (which they did not).  This is a form of “soft control”, where incentives, peer influence, and appearances are manipulated to get the player to do what the controller wants them to do.

I call this an emerging threat because of the proliferation of virtual worlds and virtual currency systems, where the individuals participating are highly motivated to maximize their virtual earnings.  Any virtual world+currency system is vulnerable to this sort of social botnet if a link can be made between some in-world activity (fun, lucrative, and social) and some real-world mass action (petition letters, flash mob, download, or whatever).  Your organization may be far outside this virtual world, but your organization may still be the target of the mass action.  One more thing to add to your threat model.

NEW: Verizon 2009 DBIR Supplement


Full report is here.  A quick overview from a Wired magazine article:

The supplement provides case studies, involving anonymous Verizon clients, that detail some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.

[Disclosure: Alex's paw prints are on this report somewhere.]

Mandatory web client scripts analogous to CDOs

Insightful:

Let me compare the widespread and often mandatory use of client scripts in websites (e.g., JavaScript) to CDOs [Collateralized Debt Obligations]: they both are designed by others with little interest in your security, they leverage your resources for their benefit, they are opaque, complex, nearly impossible to audit, and therefore untrustworthy. They have also both caused a lot of damage, as having scripting enabled is required for many attacks on browsers. How much smaller would botnets be without scripting? Like CDOs, scripting is a financial affair; it is needed to support advertising and measure the number of visitors and click-throughs. Scripting will stay with us because there’s money involved, and if advertisers had their way, there would be no option to disable plugins and JavaScript, nor would there be extensions like NoScript. To be fair, there are beneficial uses for JavaScript, but it’s a tangled mess with a disputable net value.  [emphasis added]

By the way, here’s a beautiful set of animations explaining how CDOs went wrong.

Time to update your threat model to include “friendly fire”

In case you haven’t been following all the talk about cyber war, many people are advocating “offensive cyber capability”, which basically means “hack them before they hack you” (cf. here, here, and here). If you work in InfoSec outside of the military, you may be thinking that this doesn’t apply to you.  Don’t be so sure.  I think it’s worth considering for every organization.

Consider this new development: “U.S. Military Developing Hacking-for-Dummies Cyber-Warfare Device“:

Apparently, there are several [offensive hacking] devices currently being developed behind closed doors specifically for such [offensive] purposes, but the one Aviation Week talks about is intriguing.  It is basically a highly complex hacking tool designed for the inexperienced that is to turn soldiers into veritable script kiddies. Granted, script kiddies with a lot of firepower.  [Wired article here]

This expensive hacking gadget can be carried around in the backpack on the battlefield and used to assist in missions that might require breaking into wireless networks, such as the ones used for VoIP or satellite communications. However, the icing on the cake is the ability to hack into SCADA (Supervisory Control and Data Acquisition) systems. These systems are used to administrate industrial equipment at power and chemical plants, nuclear facilities, oil refineries, etc., so one can easily imagine how that would be extremely valuable.  [emphasis added]

Here’s the twist:  what if the potential target knows that such attacks may be coming?  They could set up a deceptive defense to counter the “hacking gadget”, redirecting it to another organization’s network.  The most effective tactic would be to redirect or spoof to a similar network elsewhere in the world (e.g. SCADA, as mentioned above).  Because the people running the “hacking gadget” are equivalent to “script kiddies”, they won’t have the skills to know whether they are attacking the real enemy network or the spoofed network.   Thus, instead of shutting down a chemical plant in Country X (enemy), the soldier-script-kiddies might be shutting down a chemical plant in Country Y (ally), or some other spoofed target.

OK… this particular scenario may be technically infeasible, or it may play out differently.   Someone more knowledgeable than me could fill out the specifics.  My point is that arming offensive “script kiddies” creates a risk because they could easily “misfire” and not know it.  Outside of this “hacker gadget”, there are plenty of other friendly fire scenarios.  It’s worth considering them.

Last point: Let’s hope that offensive capabilities do not become prevalent in non-military organizations.  That could lead to a “Mad Max” cyber world, which Bruce Schneier warns against here.

[Update]  While I admit that my SCADA spoof scenario may be too fanciful, I found another example of “friendly fire” that is much more plausible and potentially widely damaging:

One scheme has been proposed that a nation, particularly the United States, could in times of extreme need, induce their software industry to push updates to their installed base that included malware that could be used to disable their enemy’s computers. Imagine the impact Microsoft, Cisco, or Oracle could have if they used their automatic update capability to secretly infect millions of machines with back doors, Trojan horses, or kill switches.

I wonder how the automatic update program would differentiate between “enemy computers” from every other computer.  Oh, I know!  Just look at registry entries: “Organization = Al-Qaeda”.  :-)

Can quantitative risk estimation serve as a guide for every-day policy decisions?

[Update: The main purpose of this post is to present and demonstrate a method of risk estimation and quantification to support practical policy decision.  The email password policy is just a simplistic case to facilitate the debate.  I also modified the blog post title and the text below to make it clear that this method is aimed to support quantitative risk estimation.]

Our favorite colloquist, Anton Chuvakin, posted a provocative challenge in his blog post “Is Risk Just Too Risky?”:

What is the risk-driven, correct frequency of changing my email password?

<crickets…. silence… more silence>

Yes, we all can quote that “PCI DSS says 90 days” or “whatever regulation says 30 days”, but what does risk say? What actuarial information we need – if we are to define risk through probability of loss? What info about my email usage? Value of information stored there? Frequency of attacks on other similar email accounts? Chances of attack success? My approach to protecting the password? My personal password reuse “policy?” Anything else? On a related note, maybe this is simpler: what is my risk [of having the account compromised] if I change the password every 30 days, 90 days, 300 days?

So, any idea how to go about it?

This little experiment might well show us that “risk-based security” is an awesome thing – but not one achievable in this world today… [emphasis in original]

I wanted to blog about this, but hadn’t collected enough specifics.  Now I can, thanks to the blog conversation among David Mortman, Rich Mogull, Chris Popper, and “Steve”; these smart, experienced people provide the needed detail.

Below, I offer a method of reasoning for estimating the relative risk of alternatives that is compatible with quantitative risk analysis and risk management, but doesn’t require massive amounts of risk calculation.  I use the conversation by Mortman et al. as an example of this method in action (armchair-style).


Miscommunicating risks to teenagers

Security programs that depend on 100% compliance are a bad idea, especially if they depend on 100% compliance from people who are proven to be poor in compliance capabilities.

Case in point:  I saw a documentary about “Abstinence only” sex education programs for teens in the public schools of New Mexico: one negative example in Albuquerque and one positive example in Socorro.   (This is federally funded.)  Skipping over the most egregious errors and misstatements in these programs, I noticed one big blooper regarding risk estimation and risk communication.

The educators who developed and deliver this program emphasize the failure rate of condoms as an argument against relying on them.  In contrast, abstinence-only is touted because it is 100% effective in preventing unplanned pregnancy and all the negative stuff that goes along with it.  Funny thing: they never mentioned the failure rate of abstinence-only when implemented by teenagers!     Sure, you can tell teenagers to be abstinent and they can even commit to it, but would you bet on it?   What odds would you demand for a large bet (say, $100,000 from your bank account) that a large group of teens would remain abstinent for five years?  There are plenty of studies (e.g. here and here) that demonstrate the limited capabilities of teens to avoid risky behavior, control impulses, rationally balance short-term gain against long-term pain, think beyond a short planning horizon, resist peer pressure, etc.    For most teens in the US, their “failure rate” (i.e. failing to avoid risky behaviors) is greater than 0%, and in cases of “multiple-risk adolescents” the failure rate is far above 0%.


I would bet that condoms are much more reliable than the average teenager’s commitments to eschew immediate pleasures.   Of course, using both would be much more reliable than either alone.   This is “defense in depth”, of course.  Better still, take it to the max and advise that they add a “full-body condom”.  Then they would be “fer sher,  fer sher!”, as the Valley Girl might say. :-)