Thursday, October 5, 2017

Living With Insecurity

My post Not Whether But When took off from the Equifax breach, attempting to explain why the Platonic ideal of a computer system storing data that is safe against loss or leakage cannot exist in the real world. Below the fold, I try to cover some of the implications of this fact.

This is the most interesting aspect of the Equifax breach:
If the Equifax breach was a purely criminal act, one would expect at least some of the stolen data, especially the credit card numbers that were taken, to have showed up for sale on the black market. That hasn’t happened. ... “This wasn't a credit card play," said one person familiar with the investigation. "This was a 'get as much data as you can on every American’ play.
In that way it is similar to the hack of the Office of Personnel Management, the hack of health insurers including Anthem, and others.What are the bad guys interested in?

First, like the OPM hack, they are looking for information on specific individuals they think can be recruited, blackmailed or defrauded:
Besides amassing data on nearly every American adult, the hackers also sought information on specific people. It's not clear exactly why, but there are at least two possibilities: They were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value.
Second, they are stockpiling ammunition for a possible cyber Armageddon. Remember how during 2014 the Moon Worm was crawling the Internet looking for vulnerable home routers, then at Christmas the network of home routers was used to DDOS the gaming networks of Microsoft's Xbox and Sony's Playstation? And how, a year ago, a similar process of stealthy resource accumulation and sudden attack allowed the Mirai botnet to take down a major DNS provider? Mirai was the work of just a couple of guys., and it was not the worst they could have done. As I wrote in You Were Warned:
A more sophisticated tool than Mirai that used known vulnerabilities (such as the 12-year-old SSH bug) could create a botnet with say 20% of the IoT, a 100 exabit/sec DDoS capability. With the Shodan search engine, the source for Mirai and a set of known vulnerabilities, this is within the capability of ordinarily competent programmers. It could almost certainly take the entire Internet down.
Major criminal organizations, let alone nation states, have vastly greater resources than the Mirai guys. It is safe to assume that they have stockpiled the cyber equivalent of nuclear weapons, meaning that there are many actors out there capable at short notice of having much more severe impacts than Mirai's inability to tweet.

For example, impacts on the financial system. Having your individual credit and ATM cards stop working is annoying. Having everyone's cards stop working simultaneously crashes the economy. Cards stopping working, as happened last June in Ukraine, would be just the start. Ben Sullivan's A Hacker’s Guide to Destroying the Global Economy is based on 2015's Operation Resilient Shield. Sullivan writes:
cyberforces representing the U.S. and the U.K. commenced a joint exercise, the culmination of more than eight months of meticulous planning. Government and independent cybersecurity researchers, working alongside leading global financial firms, simulated their worst-case cyber scenario: a large-scale, coordinated attack on the financial sectors of the Western world’s biggest economies
Sullivan points out that:
Banks and financial institutions are not strangers to cyberattacks. A March 2017 report commissioned by Accenture found that a typical financial services organization will face an average of 85 targeted breach attempts every year, a staggering third of which will be successful. “Financial institutions across the world are a constant target for attackers, from nation-state hackers looking to cause disruption to old-fashioned criminals looking to steal vast sums of money,” says Lee Munson, a security researcher at Comparitech.
These are individual, un-coordinated attacks, and one in three succeeds. Resilient Shield war-gamed a coordinated attack of the kind Sullivan leads his piece with:
Overnight, unknown attackers had hijacked the websites and online customer portals of every single bank in the country. From the outside, nothing seemed amiss. In reality, a cyberheist on an unprecedented scale was underway.

The attackers were stealing login credentials from unsuspecting customers who thought they were visiting their banks’ websites but were in fact being redirected to bogus reproductions thanks to the hackers’ modification of the banks’ Domain Name System registrations. ... The attackers weren't just pilfering login credentials, though. Customers were infected with data-stealing malware from the hijacked bank websites, while the attackers simultaneously redirected the information of all ATM withdrawals and point-of-sale platforms to their own systems, hoovering up even more credit card information on the nation’s unsuspecting citizens.
The worst was yet to come. It wasn’t long before the issues at the stock exchange started. ... Rapid fluctuations started destabilizing the entire country’s economy within minutes; billions were wiped off the region’s largest companies’ market valuations. ... The lines stretched for blocks, but the ATMs were empty. ... This was all in the first four hours. The money stopped for two weeks. The effects could last a lifetime.
Kim Zetter at The Intercept has a readable overview of the increasing difficulty of figuring out who is behind attacks like this, or "attributing" them:
The growing propensity of government hackers to reuse code and computers from rival nations is undermining the integrity of hacking investigations and calling into question how online attacks are attributed, according to researchers from Kaspersky Lab.
This is a big problem:
Though copying techniques is common for the NSA, two former NSA hackers tell The Intercept they never saw the agency re-use actual code during their time there and say they doubt the agency would conduct a false flag operation.

“When we catch foreign-actor tools we’ll steal the techniques themselves,” one of the sources told The Intercept. But “there are a host of issues when you falsely attribute … you could start a war that way.
Or even start a war with a correct attribution. But if you can't be sure whether the attack originates from Eastasia or is really some skilled Freedonians masquerading as Eastasian so that Eastasia gets nuked but Freedonia doesn't get the blame, what can you do? Nuke them both? Do nothing?

The reason we still have an Internet and a banking system is MAD (Mutually Assured Destruction) or, looked at another way, that no-one wants to kill the goose that is laying so many golden eggs. Sullivan writes:
Between them, McGregor and Truppi have investigated dozens of cyberattacks against U.S. financial institutions, and they say that working out why a bank might have been attacked often leads to discovering who attacked it, and how. “A good example: China is not going to hack United States infrastructure and take down the trading platform, because that would affect them economically,” says Truppi. “What China would try to do is hack banking institutions and gain the upper hand with information, maybe information on mergers and acquisitions or other information on companies.”

On the other hand, Truppi says, attacks like those purportedly deployed by North Korea on South Korea are designed to wreak havoc on society. “The reason they have been able to take those destructive approaches is because they’re not economically entwined with the U.S. in any way, shape, or form. It’s making a statement,” he says.
I'm skeptical that North Korea's decision makers would want to crash the world's, or even the US' economy. Little if any of what distinguishes their lifestyle from that of the North Korean in the street originates in North Korea.

This is another way in which the nuclear analogy in Maciej Cegłowski's Haunted by Data can be considered. Stockpiling digital ammunition is like hoarding nuclear weapons hoping that by doing so you never have to use them. But the analogy breaks down along two axes:
  • Nuclear weapons are so expensive to create that only nation-states have them (we hope). But cyber-nukes are cheap enough that we face the equivalent of Raven, the character in Neal Stephenson's Snow Crash who has a nuke in the sidecar of his Harley, and POOR IMPULSE CONTROL tattooed across his forehead.
  • For high-yield nuclear weapons the attribution problem is addressed by satellites and radar that track the missiles from close to their launch. But cyber-nukes are more like the suitcase nuclear devices developed by both the US and the USSR. The idea was to smuggle the devices onto the enemy's territory where they could be detonated with no warning. During the Cold War attribution was trivial, based on the assumption that the combatants retained control of their nukes. But this may no longer be the case:
    Former Russian National Security Adviser Aleksandr Lebed in an interview with CBS newsmagazine Sixty Minutes on 7 September 1997 claimed that the Russian military had lost track of more than a hundred out of a total of 250 "suitcase-sized nuclear bombs".
An environment of rampant proliferation and obscure attribution is, to say the least, destabilizing. This particularly true of asymmetric warfare where the cost of the attack is vastly less than the cost of an effective defense (think IEDs). This is almost always the case in cyberspace, which is why cyber-crime is so profitable. For example, two years ago I wrote:
An attacker with zero-day exploits for each of the three major operating systems on which blockchain software runs could use them to take over the blockchain. There is a market for zero-day exploits, so we know how much it would cost to take over the blockchain. Good operating system zero-days are reputed to sell for $250-500K each, so it would cost about $1.5M to control the Bitcoin blockchain, currently representing nearly $3.3B in capital. That's 220,000% leverage! Goldman Sachs, eat your heart out.
What to do? In Haunted by Data Maciej Cegłowski makes three recommendations:
Don't collect it!

If you can get away with it, just don't collect it! Just like you don't worry about getting mugged if you don't have any money, your problems with data disappear if you stop collecting it.
If you have to collect it, don't store it!

Instead of stocks and data mining, think in terms of sampling and flows. "Sampling and flows" even sounds cooler. It sounds like hip-hop!

If you have to store it, don't keep it!

Certainly don't keep it forever. Don't sell it to Acxiom! Don't put it in Amazon glacier and forget it.
I have a different view. People tend to think that security is binary, a system either is or is not secure. But we see that in practice no system, not even the NSA's, is secure. We need to switch to a scalar view, systems are more or less secure. Or, rather, treat security breaches like radioactive decay, events that happen randomly with a probability per unit time that is a characteristic of the system. More secure systems have a lower probability of breach per unit time. Or, looked at another way, data leakage is characterized by a half-life, the time after which there is a 50% probability that the data will have leaked. Data that is deleted long before its half-life has expired is unlikely to leak, but it could. Data kept forever is certain to leak. These leaks need to be planned for, not regarded as exceptions.


  1. At The Register, Mark Pesce's Leaky-by-design location services show outsourced security won't ever work is a must-read:

    "Of course our photos keep a record of our movements. Of course any app that has access to our photos can produce a map of our movements. Two unrelated features collide, generating a kind of retrospective self-surveillance of which the NSA would be proud."


    "We need for much more finely-grained access controls for our image archives. Apps should be able to have write access easily, but read access provably needs to be far more restrictive and conditional and time-limited."

  2. It isn't just the NSA that can't keep important stuff secure. CNN reports that:

    "North Korean hackers allegedly stole classified military documents from a South Korean Defense Ministry database in September 2016, ... the documents stolen included the South Korea-US wartime operational plan and a document that includes procedures to "decapitate" the North Korean leadership. About 235 gigabytes worth of military data was stolen by the hackers"

  3. So not the way to fix this problem:

    "The Active Cyber Defense Certainty Act (ACDC) [PDF] amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy "beaconing technology" to trace the physical location of the attacker."

    What could possibly go wrong?

  4. A botnet much larger than Mirai is currently being assembled from Things in the Internet, reports John Leyden at The Register:

    "hundreds of thousands of internet-facing devices are potentially vulnerable to Reaper's exploits. “Shodan shows potential devices," he said. "We don't know how many have already been compromised, but I've seen comment elsewhere that suggests about 2 million are in a queue to be exploited.”

    During this month, the malware has been evolving to exploit vulnerabilities in wireless IP-based cameras, routers, storage boxes, Wi-Fi points, and so on, from vendors including D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, and Synology."

  5. One approach to living with insecurity is described by Chris Mellor:

    "Illusive Networks places extra network destinations and shares inside a server's deep data stores. An attacker lands on a decoy and looks where to go next, finding a mix of real and phoney destinations, which all look genuine.

    By having enough fake destinations, attackers will eventually land on one or more of them. As soon as they do, the software knows it's a real penetration attempt and alerts network managers so that a response team can then deal with the attack."

  6. It doesn't matter how rich you are, your law firm still can't keep your information secure:

    "A major offshore law firm admitted it had been hacked on Tuesday, prompting fears of a Panama Papers-style exposé into the tax affairs of the super rich.

    Bermuda-based Appleby only admitted it had suffered the breach – which actually happened last year – after a group of journos from the International Consortium of Investigative Journalists (ICIJ), who had seen the leaked information, began asking awkward questions."

  7. A more detailed report on Reaper from Dan Goodin at Ars Technica:

    "But so far, the threat of Reaper remains overshadowed by Mirai—for which source code is one download away—and Hajime—which is extremely hard to block or take down. While it's worth keeping an eye on Reaper, the more alarming prospect still may be Mirai or Hajime adopting Reaper's exploit mechanism."

  8. Some excellent points from the #IRISSCERT conference in Dublin:

    "Brian Honan, founder and head of Ireland's first CSIRT and special adviser on internet security to Europol, argued that failures in cybersecurity should be viewed as an opportunity to learn lessons and prevent them happening again.
    He used commercial airlines as an analogy. Fatal accidents per one million flights have decreased from four in 1978 to less than one in 2016. A similar, more disciplined approach has the potential to push down infosec failures too."


    "Sean Sullivan, a security advisor at F-Secure, made a similar point in a different context to El Reg earlier this week. "People aren't learning from each other when they get hacked," he said.

    No postmortem was carried out following the iPhone SDK hack in February 2013. This attack was blocked by Facebook and other targets but hackers were able to use the same techniques of abusing Java in the browser to successfully attack Sony Pictures Entertainment years later."

    Hat tip to John Leyden at The Register.

  9. "A New Jersey man has pled guilty to hacking charges and creating the devastating Mirai botnet, which spread via vulnerabilities in Internet-connected devices to unleash numerous massive distributed-denial-of-service attacks. As recently as last week, new Mirai strains continued to proliferate online." reports Cyrus Farivar at Ars Technica.

  10. "A new variant of the notorious Mirai malware is exploiting kit with ARC processors. ... "There are likely more than 1.5 billion devices out there with ARC processors, enough to overwhelm the largest of networks," warned Barry Shteiman, director of threat research at security vendor Exabeam." reports John Leyden at The Register.

  11. New IoT botnet offers DDoSes of once-unimaginable sizes for $20 by Dan Goodin at Ars Technica starts:

    "Organizers of a new botnet made up of infected home and small office routers are brazenly selling denial-of-service attacks of once unimaginable volumes for just $20 per target.

    Calling itself Los Calvos de San Calvicie, the group is advertising several services on this site. Among the services are distributed denial-of-service attacks of 290 to 300 gigabits per second for $20 each. While a third the size of some of the biggest recorded attacks, 290Gbps is still enough to bring most sites down unless they seek DDoS mitigation services, which in many cases cost considerable amounts of money."

  12. "Python code has emerged that automatically searches for vulnerable devices online using – and then uses Metasploit's database of exploits to potentially hijack the computers and gadgets.

    You set this script running, it crawls the internet looking for machines that are possibly vulnerable to attack – typically due to unpatched security bugs – and automatically takes over them for you. No super-l33t skills required." This isn't good news from Thomas Claiburn at The Register.

  13. "A massive cryptocurrency mining botnet has generated as much as $3.6 million dollars' worth of the digital coin known as Monero since last May, a researcher said Wednesday. The windfall isn't the only noteworthy thing about the botnet. Dubbed Smominru, it's also significant for the 526,000 computers it has infected and for the ability of its operators to withstand takedown attempts by whitehats." writes Dan Goodin:

    "researchers from security firm CrowdStrike issued their own report on a botnet that bears some resemblance to Smominru. Named WannaMine, it also mines Monero and uses EternalBlue. A CrowdStrike spokeswoman said company researchers believe WannaMine is distinct from Smominru."

  14. It didn't take long. On Feb 27 Cloudflare reported a spike in the frequency of a previously obscure DDoS attack that uses memcached to amplify UDP packets by an enormous factor:

    "203-byte request results in a 100MB response"

    Dan Goodin at Ars Technica picked up the story the same day:

    "Officials at content delivery network Cloudflare, which reported the attacks here, said the attacks they're seeing come from fewer than 6,000 memcached servers that are reachable on the Internet. Searches show there are more than 88,000 such servers, an indication there is potential for attacks to get much bigger."

    The very next day the world record for DDoS bandwidth was smashed when Github was hit with a 1.35Tbps attack.

    And today:

    "What's claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption."

  15. "On Monday, researchers from a separate DDoS mitigation service, Arbor Networks, reported a 1.7Tbps DDoS that also relies on the newly documented memcached amplification method." reports Dan Goodin at Ars Technica. The world record for the DDoS event lasted less than a week.

  16. New LTE attacks can snoop on messages, track locations and spoof emergency alerts by Zack Whittaker reports that:

    "Ten attacks detailed in a new paper by researchers at Purdue University and the University of Iowa expose weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to the network and maintaining a connection to receive calls and messages.

    Those flaws can allow authentication relay attacks that can allow an adversary to connect to a 4G LTE network by impersonating an existing user -- such as a phone number.

    Although authentication relay attacks aren't new, this latest research shows that they can be used to intercept message, track a user's location, and stop a phone from connecting to the network."

  17. "Last Wednesday, the risks posed by Internet-facing memcached processes took on a new colour, when security vendor Corero explained that a debug command could let a remote attacker retrieve, modify, or insert data into a system.

    Corero said that there's a kill-switch it was deploying for clients. The flush_all command does exactly what it says: the process drops all the objects in memory, and the attack ends." according to Richard Chirgwin at The Register.

  18. "A recent malware campaign that attempted to install a resource-draining currency miner on more than 400,000 computers in 12 hours was caused by a malicious backdoor that was sneaked into a BitTorrent application called Mediaget, a Microsoft researcher said Tuesday. ... the latest sign of continuing sophistication of malware attacks. A decade ago, multistage malware that relied on counterfeit certificates and compromised supply chains were the stuff of nation-sponsored attack groups. Now, common criminals are relying on the techniques to mine digital coins." reports Dan Goodin at Ars Technica.

  19. Dan Goodin's A 100,000-router botnet is feeding on a 5-year-old UPnP bug in Broadcom chips describes a remarkably sophisticated attack on the UPnP support:

    "Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means."

  20. Cory Doctorow's Companies keep losing your data because it doesn't cost them anything riffs on Erik Sherman's Massive Data Leaks Keep Happening Because Big Companies Can Afford to Lose Your Data. Doctorow writes:

    "An awful lot of change could be made simply by adjusting the law, and it needn't even be something as far reaching as the European General Data Protection Regulation: even establishing a set of statutory damages that people caught in breaches were entitled to collect, and banning the use of binding arbitration clauses to escape these liabilities would go a long way.

    The statutory damages should reflect the cumulative nature of breaches: how a breached dataset can be combined with other breached datasets to build up devastatingly effective attacks -- the kind of thing that can cost you your whole house, even."

    Sherman's post has some interesting numbers on breach costs.