Author Archive for Russell

In case you haven’t been following all the talk about cyber war, many people are advocating “offensive cyber capability” — which basically means “hack them before they hack you” (c.f. here, here, and here). If you work in InfoSec outside of the military, you may be thinking that this doesn’t apply to you.  Don’t be so sure.  I think it’s worth considering for every organization.

Consider this new development: “U.S. Military Developing Hacking-for-Dummies Cyber-Warfare Device“:

Apparently, there are several [offensive hacking] devices currently being developed behind closed doors specifically for such [offensive] purposes, but the one Aviation Week talks about is intriguing.  It is basically a highly complex hacking tool designed for the unexperienced that is to turn soldiers into veritable script kiddies. Granted, script kiddies with a lot of firepower.  [Wired article here]

This expensive hacking gadget can be carried around in the backpack on the battlefield and used to assist in missions that might require breaking into wireless networks, such as the ones used for VoIP or satellite communications. However, the icing on the cake is the ability to hack into SCADA (Supervisory Control and Data Acquisition) systems. These systems are used to administrate industrial equipment at power and chemical plants, nuclear facilities, oil refineries, etc., so one can easily imagine how that would be extremely valuable.  [emphasis added]

Here’s the twist:  what if the potential target knows that such attacks may be coming?  They could sets up a deceptive defense to counter the “hacking gadget”, redirecting it to another organization’s network.  The most effective tactic would be to redirect or spoof to a similar network elsewhere in the world (e.g. SCADA, as mentioned above).  Because the people running the “hacking gadget” are equivalent to “script kiddies”, they won’t have the skills to know whether they are attacking the real enemy network or the spoofed network.   Thus, instead of shutting down a chemical plant in Country X (enemy), the soldier-script-kiddies might be shutting down a chemical plant in Country Y (ally), or some other spoofed target.

OK… this particular scenario may be technically infeasable, or it may play out differently.   Someone more knowledgable than me could fill out the specifics.  My point is that arming offensive “script kiddies” creates a risk because the could easily “misfire” and not know it.  Outside of this “hacker gadget”, there are plenty of other friendly fire scenarios.  It’s worth considering them.

Last point: Let’s hope that offensive capabilites do not become prevalent in non-military organizations.  That could lead to a “Mad Max” cyber world, which Bruce Schneier warns against here.

[Update]  While I admit that my SCADA spoof scenario may be too fanciful, I found another example of “friendly fire” that is much more plausable and potentially widely damaging:

One scheme has been proposed that a nation, particularly the United States, could in times of extreme need, induce their software industry to push updates to their installed base that included malware that could be used to disable their enemy’s computers. Imagine the impact Microsoft, Cisco, or Oracle could have if they used their automatic update capability to secretly infect millions of machines with back doors, Trojan horses, or kill switches.

I wonder how the automatic update program would differentiate between “enemy computers” from every other computer.  Oh, I know!  Just look at registry entries: “Organization = Al-Qaeda”. 

The Wall Street Journal and 103 hundreds of other news outlets have published articles about the stolen/leaked email files from the Hadley Climate Center University of East Anglia (UEA) Climate Research Unit, in the UK.  The blogs are going nuts.  Sadly, there is no critical investigation or reporting about the credibility of the leaked email files.  Instead, all the news outlets are all caught up in the debate over whether this proves that the Global Warming science is a con job and conspiracy.  (A sampling of the more moderate reports: Washington Post, Associated Press, and Christian Science Monitor.   The blogs and tweets are more rabid:  e.g. proof that “Al Gore lied!”)   

Everyone is treating these stolen/leaked documents as real and undoctored, without any real evidence.  I couldn’t find any critical/questioning articles when I did a web search.  To this, I can only repeat Homer Simpson’s exclamation when he is hit in the face with (his own) stupidity:  “D’oh!!“.

For example, the WSJ blog stated that the emails were confirmed as “genuine” by the Director of the breached organization, but a close reading of the source news article shows that the Director only states that the files “appear” to be from his organization.   Hadley Climate Center UEA Climate Research Unit hasn’t actually had a chance to review the posted files or even investigate the breach. 

Also, no one has questioned the claim that this was the act of “hackers”.   The WSJ blog called them “Russian Black Hats”  based on the report that the ZIP file first appeared on an FTP server hosted in Russia.  Ridiculous!    It is easy for anyone located anywhere to upload files to an FTP server with a Russian domain name. 

I did find a few security bloggers commenting on this incident, e.g. Graham Cluley, and they are more reserved about the implications of this incident, given the lack of real information.  Hopefully, more security experts will speak out on this in the coming days.

Now a rant for the uncritical news organizations and bloggers:

NEWSFLASH — Anyone who has the motives and skills to steal private documents and to upload them on a Russian FTP server in order to generate a public scandal also has the motives and skills to “doctor” those documents .  DO NOT trust their content until it is proven genuine!

This is news/publicity incident is just more evidence of wide-spread misunderstanding about trust and credibility regarding online information, and also misunderstandings about nature of security breaches, Black Hats vs. White Hats, etc.    This is another case of the meme: “If it’s on the Internet, it must be true”.  Sadly, the “echo chamber” of free Internet news media and “advocacy journalism” only makes it worse.   Takeaway: This is yet another call-to-arms to security experts to provide evidence-based analyisis that educates the broad public and the institutions that serve them.

[Update -- Corrected the name of the breached organization]

[Update 2:   See Comment #2 below for additional "connect the dots" that make the insider attack most plausible, not a "Russian Black Hat".]

How can ordinary folks tell the good guys from the bad guys?  Case in point: the online service Virscan.org .  I stumbled upon last week while trying to help a friend with her malware problems.  Looks like a nice, simple service that scans uploaded files using multiple AV software with latest signatures (25 total).  But then it dawned on me that it might be much more useful to bad guys (malware writers and distributors) than for good guys.  They could use it as part of their development/test cycle to refine their malware so that it is not detected by any of the AV services.   Easy, peasy!

Who does Virscan.org serve?  Who supports it financially?  Is it really a Black Hat operation, or just a well-intentioned White Hat operation that is easy to subvert?  How would I or anyone know? 

According to Alexa, 70% of Viruscan.org’s visitors are from China, where it is the 5,973rd most popular web site.  Hmmmm, makes me suspicious.  Reviews and evaluations are here , here, and here.  It’s hosted in China, and appears to have been in existence since the summer of 2007.  But this information isn’t conclusive.  I’m still scratching my head.

I wish there were some sort of map of the Black Hat ecosystem that would reveal the existence and role of such “fellow traveler” services that appear legit’ but aren’t.  This would make it easier for everyone involved in security to know who they are dealing with — White Hat, Black Hat, and otherwise.   If anyone knows of such a map, please give me a link.

[Update: This isn't the same as http://www.virusscan.org which redirects to  http://www.mcafee.com/us/ .  McAfee has a product called Virus Scan. ]

[Update #2: On further thought, virscan.org could even be a super-secret covert white hat operation acting as a honey pot for malware developers and their malware code, masquarading as a black hat service which is masquarading as a white hat service.  Whoah!  Spooky stuff! ]

In a pithy post, Anton Chuvakin uses colorful metaphors as caricatures for our debate: 

Q: If you ride a smelly, ugly goat along the road and then meet  a  handsome stranger who promises to give you a new ride: a beautiful unicorn that can fly, teleport, butt enemies with its horn and doesn’t need any cleaning, should you take it?

A: No! Unicorns are mythical creatures. Please keep your goat for now

This sort of rhetorical tactic is popular among slimy politicians, to wit:  “If you vote against my bill, you are voting in favor of mass rape of barn yard animals, and taking food out of the mouths of starving babies.”

There’s a real message here.   Anton is saying that the New School and/or risk management approach is impossible in principle and therefore is folly at all levels, like the quest for perpetual motion machines or large-scale time travel.  He is skeptical to an extreme.

A real unicorn, though now extinct, refutes the claim of impossibility

At the risk of extending Anton’s metaphor too far, I’ll point out that unicorns (of some sort) are not impossible in principle, only non-existent in recent times.  As evidence of their potential existance, I offer Tsintaosaurus spinorhinus, a real dinosaur found in China. I found this artist’s impression of the dinosaur, nicknamed “the Unicorn Dinosaur” because it has some elements in common with the mythical unicorn (“the traditional unicorn also has a billy-goat beard, a lion’s tail, and cloven hooves—these distinguish it from a horse”.)

Moral: just because something doesn’t exist right now doesn’t mean it’s impossible.  Back to the real debate…

No one is seriously advocating NewSchool or Risk Management as having magical properties, or claim that they are perfect or fully formed.  I, for one, have been very vocal and public about the unsolved research problems .  I welcome and encourage skepticism.   It may turn out that certain approaches or methods are indeed impossible or infeasable.  Fine.  Let’s find that out.  But there is no value in debates that are based on caricature and strawmen.

Those of us who advocate new methods are arguing that the current “smelly” methods just perpetuate the problem of poor security, even if you get periodic “wins” through FUD and other tactics.   We are arguing that the new methods are more promising, in spite of their current difficulties and unsolved problems.

I’ll close with my own colorful metaphor: FUD and similar tactics are like peeing in a swimming pool.  They may make you feel good at the moment and you may get away with it for a while, but if enough people do it, eventually everyone is swimming in piss.    There’s a great book called The Self-Defeating Organization that describes this process and how it is one pattern (among many) that leads to downward spiral in organization performance.

[Update:  From past communications, I believe that Anton has most objections to "the risk management approach" rather than the "New School approach".  They overlap somewhat, but aren't identical.  See Adam's comment, below.]