Thursday, October 5, 2017

Living With Insecurity

My post Not Whether But When took off from the Equifax breach, attempting to explain why the Platonic ideal of a computer system storing data that is safe against loss or leakage cannot exist in the real world. Below the fold, I try to cover some of the implications of this fact.

This is the most interesting aspect of the Equifax breach:
If the Equifax breach was a purely criminal act, one would expect at least some of the stolen data, especially the credit card numbers that were taken, to have shown up for sale on the black market. That hasn't happened. ... "This wasn't a credit card play," said one person familiar with the investigation. "This was a 'get as much data as you can on every American' play."
In that way it is similar to the hack of the Office of Personnel Management, the hack of health insurers including Anthem, and others.

What are the bad guys interested in?

First, like the OPM hack, they are looking for information on specific individuals they think can be recruited, blackmailed or defrauded:
Besides amassing data on nearly every American adult, the hackers also sought information on specific people. It's not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value.
Second, they are stockpiling ammunition for a possible cyber Armageddon. Remember how during 2014 the Moon Worm was crawling the Internet looking for vulnerable home routers, then at Christmas the network of home routers was used to DDOS the gaming networks of Microsoft's Xbox and Sony's PlayStation? And how, a year ago, a similar process of stealthy resource accumulation and sudden attack allowed the Mirai botnet to take down a major DNS provider? Mirai was the work of just a couple of guys, and it was not the worst they could have done. As I wrote in You Were Warned:
A more sophisticated tool than Mirai that used known vulnerabilities (such as the 12-year-old SSH bug) could create a botnet with say 20% of the IoT, a 100 exabit/sec DDoS capability. With the Shodan search engine, the source for Mirai and a set of known vulnerabilities, this is within the capability of ordinarily competent programmers. It could almost certainly take the entire Internet down.
Major criminal organizations, let alone nation states, have vastly greater resources than the Mirai guys. It is safe to assume that they have stockpiled the cyber equivalent of nuclear weapons, meaning that there are many actors out there capable at short notice of having much more severe impacts than the inability to tweet that Mirai caused.

For example, impacts on the financial system. Having your individual credit and ATM cards stop working is annoying. Having everyone's cards stop working simultaneously crashes the economy. Cards stopping working, as happened last June in Ukraine, would be just the start. Ben Sullivan's A Hacker’s Guide to Destroying the Global Economy is based on 2015's Operation Resilient Shield. Sullivan writes:
cyberforces representing the U.S. and the U.K. commenced a joint exercise, the culmination of more than eight months of meticulous planning. Government and independent cybersecurity researchers, working alongside leading global financial firms, simulated their worst-case cyber scenario: a large-scale, coordinated attack on the financial sectors of the Western world’s biggest economies
Sullivan points out that:
Banks and financial institutions are not strangers to cyberattacks. A March 2017 report commissioned by Accenture found that a typical financial services organization will face an average of 85 targeted breach attempts every year, a staggering third of which will be successful. “Financial institutions across the world are a constant target for attackers, from nation-state hackers looking to cause disruption to old-fashioned criminals looking to steal vast sums of money,” says Lee Munson, a security researcher at Comparitech.
These are individual, uncoordinated attacks, and one in three succeeds. Resilient Shield war-gamed a coordinated attack of the kind Sullivan leads his piece with:
Overnight, unknown attackers had hijacked the websites and online customer portals of every single bank in the country. From the outside, nothing seemed amiss. In reality, a cyberheist on an unprecedented scale was underway.

The attackers were stealing login credentials from unsuspecting customers who thought they were visiting their banks’ websites but were in fact being redirected to bogus reproductions thanks to the hackers’ modification of the banks’ Domain Name System registrations. ... The attackers weren't just pilfering login credentials, though. Customers were infected with data-stealing malware from the hijacked bank websites, while the attackers simultaneously redirected the information of all ATM withdrawals and point-of-sale platforms to their own systems, hoovering up even more credit card information on the nation’s unsuspecting citizens.
The worst was yet to come. It wasn’t long before the issues at the stock exchange started. ... Rapid fluctuations started destabilizing the entire country’s economy within minutes; billions were wiped off the region’s largest companies’ market valuations. ... The lines stretched for blocks, but the ATMs were empty. ... This was all in the first four hours. The money stopped for two weeks. The effects could last a lifetime.
Kim Zetter at The Intercept has a readable overview of the increasing difficulty of figuring out who is behind attacks like this, or "attributing" them:
The growing propensity of government hackers to reuse code and computers from rival nations is undermining the integrity of hacking investigations and calling into question how online attacks are attributed, according to researchers from Kaspersky Lab.
This is a big problem:
Though copying techniques is common for the NSA, two former NSA hackers tell The Intercept they never saw the agency re-use actual code during their time there and say they doubt the agency would conduct a false flag operation.

“When we catch foreign-actor tools we’ll steal the techniques themselves,” one of the sources told The Intercept. But “there are a host of issues when you falsely attribute … you could start a war that way.”
Or even start a war with a correct attribution. But if you can't be sure whether the attack originates from Eastasia or is really some skilled Freedonians masquerading as Eastasian so that Eastasia gets nuked but Freedonia doesn't get the blame, what can you do? Nuke them both? Do nothing?

The reason we still have an Internet and a banking system is MAD (Mutually Assured Destruction) or, looked at another way, that no-one wants to kill the goose that is laying so many golden eggs. Sullivan writes:
Between them, McGregor and Truppi have investigated dozens of cyberattacks against U.S. financial institutions, and they say that working out why a bank might have been attacked often leads to discovering who attacked it, and how. “A good example: China is not going to hack United States infrastructure and take down the trading platform, because that would affect them economically,” says Truppi. “What China would try to do is hack banking institutions and gain the upper hand with information, maybe information on mergers and acquisitions or other information on companies.”

On the other hand, Truppi says, attacks like those purportedly deployed by North Korea on South Korea are designed to wreak havoc on society. “The reason they have been able to take those destructive approaches is because they’re not economically entwined with the U.S. in any way, shape, or form. It’s making a statement,” he says.
I'm skeptical that North Korea's decision makers would want to crash the world's, or even the US, economy. Little if any of what distinguishes their lifestyle from that of the North Korean in the street originates in North Korea.

This is another way in which the nuclear analogy in Maciej Cegłowski's Haunted by Data can be considered. Stockpiling digital ammunition is like hoarding nuclear weapons hoping that by doing so you never have to use them. But the analogy breaks down along two axes:
  • Nuclear weapons are so expensive to create that only nation-states have them (we hope). But cyber-nukes are cheap enough that we face the equivalent of Raven, the character in Neal Stephenson's Snow Crash who has a nuke in the sidecar of his Harley, and POOR IMPULSE CONTROL tattooed across his forehead.
  • For high-yield nuclear weapons the attribution problem is addressed by satellites and radar that track the missiles from close to their launch. But cyber-nukes are more like the suitcase nuclear devices developed by both the US and the USSR. The idea was to smuggle the devices onto the enemy's territory where they could be detonated with no warning. During the Cold War attribution was trivial, based on the assumption that the combatants retained control of their nukes. But this may no longer be the case:
    Former Russian National Security Adviser Aleksandr Lebed in an interview with CBS newsmagazine Sixty Minutes on 7 September 1997 claimed that the Russian military had lost track of more than a hundred out of a total of 250 "suitcase-sized nuclear bombs".
An environment of rampant proliferation and obscure attribution is, to say the least, destabilizing. This is particularly true of asymmetric warfare, where the cost of the attack is vastly less than the cost of an effective defense (think IEDs). This is almost always the case in cyberspace, which is why cyber-crime is so profitable. For example, two years ago I wrote:
An attacker with zero-day exploits for each of the three major operating systems on which blockchain software runs could use them to take over the blockchain. There is a market for zero-day exploits, so we know how much it would cost to take over the blockchain. Good operating system zero-days are reputed to sell for $250-500K each, so it would cost about $1.5M to control the Bitcoin blockchain, currently representing nearly $3.3B in capital. That's 220,000% leverage! Goldman Sachs, eat your heart out.
What to do? In Haunted by Data Maciej Cegłowski makes three recommendations:
Don't collect it!

If you can get away with it, just don't collect it! Just like you don't worry about getting mugged if you don't have any money, your problems with data disappear if you stop collecting it.
If you have to collect it, don't store it!

Instead of stocks and data mining, think in terms of sampling and flows. "Sampling and flows" even sounds cooler. It sounds like hip-hop!

If you have to store it, don't keep it!

Certainly don't keep it forever. Don't sell it to Acxiom! Don't put it in Amazon glacier and forget it.
I have a different view. People tend to think that security is binary: a system either is or is not secure. But we see that in practice no system, not even the NSA's, is secure. We need to switch to a scalar view: systems are more or less secure. Or, rather, treat security breaches like radioactive decay, events that happen randomly with a probability per unit time that is a characteristic of the system. More secure systems have a lower probability of breach per unit time. Or, looked at another way, data leakage is characterized by a half-life, the time after which there is a 50% probability that the data will have leaked. Data that is deleted long before its half-life has expired is unlikely to leak, but it could. Data kept forever is certain to leak. These leaks need to be planned for, not regarded as exceptions.
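The half-life model above, worked through as an added example (not code from the original post): a constant probability of breach per unit time is an exponential survival curve, so a retention period can be turned into a leak probability and a leak budget into a maximum retention period. The ten-year half-life and the retention policies are constructed assumptions.

```python
"""Leak half-life model (added example, not from the original post).

Treating breaches as radioactive decay means each system has a constant hazard
rate, equivalently a half-life T for any data it holds. All numbers here are
constructed assumptions, not measurements.
"""
import math


def leak_probability(retention_days: float, half_life_days: float) -> float:
    """P(data has leaked before it is deleted) under a constant hazard rate.

    Exponential survival gives P(leak by t) = 1 - 2**(-t / T). Data kept
    forever (retention_days = inf) leaks with certainty, as the post argues.
    """
    if retention_days <= 0:
        return 0.0
    if math.isinf(retention_days):
        return 1.0
    return 1.0 - 2.0 ** (-retention_days / half_life_days)


def max_retention_for_budget(half_life_days: float, leak_budget: float) -> float:
    """Longest retention keeping P(leak) <= leak_budget: t = -T * log2(1 - p)."""
    if not 0.0 <= leak_budget < 1.0:
        raise ValueError("leak_budget must be in [0, 1)")
    return -half_life_days * math.log2(1.0 - leak_budget)


def compare_retention_policies(half_life_days: float, policies: dict) -> dict:
    """Map each policy name to its leak probability, for a dict name -> retention_days."""
    return {name: leak_probability(days, half_life_days) for name, days in policies.items()}


if __name__ == "__main__":
    # Constructed scenario: a system whose breach half-life is estimated at 10 years.
    T = 10 * 365.0
    policies = {
        "delete_after_90d": 90,
        "delete_after_7y": 7 * 365,
        "keep_forever": math.inf,
    }
    for name, p in compare_retention_policies(T, policies).items():
        print(f"{name:>18}: P(leak) = {p:.1%}")
    print(f"retention keeping P(leak) <= 5%: {max_retention_for_budget(T, 0.05):.0f} days")
```

Deleting data at exactly its half-life still gives a coin-flip chance it has already leaked, which is the point of planning for the leak rather than treating it as an exception.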


David. said...

At The Register, Mark Pesce's Leaky-by-design location services show outsourced security won't ever work is a must-read:

"Of course our photos keep a record of our movements. Of course any app that has access to our photos can produce a map of our movements. Two unrelated features collide, generating a kind of retrospective self-surveillance of which the NSA would be proud."


"We need much more finely-grained access controls for our image archives. Apps should be able to have write access easily, but read access provably needs to be far more restrictive and conditional and time-limited."

David. said...

It isn't just the NSA that can't keep important stuff secure. CNN reports that:

"North Korean hackers allegedly stole classified military documents from a South Korean Defense Ministry database in September 2016, ... the documents stolen included the South Korea-US wartime operational plan and a document that includes procedures to "decapitate" the North Korean leadership. About 235 gigabytes worth of military data was stolen by the hackers"

David. said...

So not the way to fix this problem:

"The Active Cyber Defense Certainty Act (ACDC) [PDF] amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy "beaconing technology" to trace the physical location of the attacker."

What could possibly go wrong?

David. said...

A botnet much larger than Mirai is currently being assembled from Things in the Internet, reports John Leyden at The Register:

"hundreds of thousands of internet-facing devices are potentially vulnerable to Reaper's exploits. “Shodan shows potential devices," he said. "We don't know how many have already been compromised, but I've seen comment elsewhere that suggests about 2 million are in a queue to be exploited.”

During this month, the malware has been evolving to exploit vulnerabilities in wireless IP-based cameras, routers, storage boxes, Wi-Fi points, and so on, from vendors including D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, and Synology."

David. said...

One approach to living with insecurity is described by Chris Mellor:

"Illusive Networks places extra network destinations and shares inside a server's deep data stores. An attacker lands on a decoy and looks where to go next, finding a mix of real and phoney destinations, which all look genuine.

By having enough fake destinations, attackers will eventually land on one or more of them. As soon as they do, the software knows it's a real penetration attempt and alerts network managers so that a response team can then deal with the attack."
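The decoy approach described in the comment, as an added example that is neither the comment's nor Illusive Networks' code: a detector that alerts on any access to a decoy share, and the probability that an attacker probing destinations at random touches at least one decoy, which is what "enough fake destinations" means quantitatively. All share names, hostnames and log lines are constructed.

```python
"""Decoy-share detection (added example, not Illusive Networks' code).

Decoys are never referenced by legitimate jobs, so any access to one is an
alert by construction. Share names and the access log below are constructed.
"""
from math import comb

REAL_SHARES = {"smb://fs01/finance", "smb://fs01/hr", "smb://fs02/engineering"}
DECOY_SHARES = {"smb://fs01/backup_2016", "smb://fs02/payroll_archive", "smb://fs03/m-and-a"}

# Constructed access log: "<timestamp> <user> <source_host> <share>"
ACCESS_LOG = """\
2017-10-05T09:12:01Z alice ws-117 smb://fs01/finance
2017-10-05T09:14:33Z bob ws-042 smb://fs02/engineering
2017-10-05T09:15:07Z svc-backup ws-042 smb://fs01/backup_2016
2017-10-05T09:15:09Z svc-backup ws-042 smb://fs02/payroll_archive
"""


def decoy_alerts(log_text: str, decoys: set) -> list:
    """Return one alert per log line whose share is a decoy; real shares are ignored."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, share = line.split()
        if share in decoys:
            alerts.append({"time": ts, "user": user, "host": host, "share": share})
    return alerts


def p_detect(n_real: int, n_decoy: int, k_visited: int) -> float:
    """P(an attacker probing k distinct destinations at random touches >= 1 decoy).

    Drawing without replacement: 1 - C(n_real, k) / C(n_real + n_decoy, k).
    Once k exceeds the number of real destinations a decoy cannot be avoided.
    """
    if k_visited > n_real:
        return 1.0
    return 1.0 - comb(n_real, k_visited) / comb(n_real + n_decoy, k_visited)


if __name__ == "__main__":
    for a in decoy_alerts(ACCESS_LOG, DECOY_SHARES):
        print(f"ALERT {a['time']} {a['user']}@{a['host']} touched decoy {a['share']}")
    for decoys in (1, 3, 10):
        print(f"3 real + {decoys:>2} decoys, 3 probes: P(detect) = {p_detect(3, decoys, 3):.3f}")
```

The same source host touching two decoys in quick succession is the lateral-movement pattern the comment describes; a single hit from a scanner that legitimately enumerates shares would have to be excluded when the decoys are placed, not in the detector.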