Dear Information Security Industry,

Stop exploiting current events by making dubious or outright false statements in order to advance your own agenda. You do nothing more than devalue yourselves and the credibility of the rest of us when you do so.

Case in point #1: Allen Paller's statements on the recent (and long overdue) analysis of the predictability of SSN's. To wit,

"I don't think this is a high priority, because it doesn't deliver a big enough payoff" for hackers, he said. "You do identify theft so you can steal money, but it's easier to steal money by taking over someone's computer."

Are you serious? One compromises a computer to impersonate another. If you have an SSN, name, and other basic information like birthday, etc (that's often publicly available on social networking sites), it's Game Over - impersonation can be achieved at a much deeper level than simply userid/password - nevermind that more and more sites are implementing some sort of 2-factor authentication. This reeks of "look over here where I can make money," ignoring reality. SANS has a lot to offer the information security community, but when its leaders make such questionably accurate and profit-driven comments, it hurts all of our credibility (what professional doesn't have a cache of SANS certs these days) and devalues the institution as a whole.

Case in point #2: The questionably accurate stories floating around about this alleged North Korean-sourced DDoS against a completely random set of targets. I don't know for sure, but it seems the source of this attributional rumor is the Korea Communications Commission. Here's a sample of one of their statements:

“An aggressive distribution of vaccine programs against the attack has helped fight back,” the official, Shin Hwa-soo, said. “But we are not keeping our guard down. We are distributing the vaccine programs as widely as possible and monitoring the situations closely because there might be a new attack.”

A vaccine? Really? Please tell me we're not taking these people seriously. It seems to be a fact that some sort of DDoS attempt took place, but keep in mind the attribution to DPRK is hinging on people who distribute "vaccine programs" against a DDoS - whatever the hell that means. Initially, the attacks were downplayed - until 24/7 news got a hold of it and realized that CNA can be sexy. Then the "cyber security professionals" realized there was a platform for advancing an agenda and poured fuel on the hype fire. There are plenty of examples. Below are a few.

Google hosted news:
"Just from looking at footprint, it was Bigfoot, not Bambi," said Charles Dodd, founder and chief technology officer for Nicor Cyber Security.

What started off as "Cyber Attacks" on the east coast became "massive" by the time they got to San Francisco.
The US sites experienced a “massive outage”, according to Keynote Systems, a company which monitors 40 government sites in America.

Even Ron Beckstrom, whose comments were mostly well tuned, eventually fell victim to the hype cycle in a most spectacular way:
"[It's] a little bit like launching some Scud missiles towards the U.S.," noted Beckstrom. "These are cyber-scuds, very low-tech, but a lot of them, and kind of annoying."
No, Ron, it is nothing like this.

All of this hype, yet when you ask the victims, they tell you that the impact was negligible [source: ABC World News Tonight, 7/8/2009]. This underscores the classic properties of CNA that makes it much less effective in terms of real economic impact than CNE:

1. Its effectiveness is often limited to the period over which it can be sustained - except when machine or software destruction is involved, in which case it simply becomes a DR exercise,
   
2. It is difficult to sustain,
   
3. It is open conflict and identifiable immediately, and
   
4. It rarely maps to the intended strategic or tactical goals of the executor (what, for instance, was achieved here?)

So, can we please stop participating in the hype and lend some credibility to our young and rapidly emerging field by focusing on factual and rigorous investigation? Exaggeration and misrepresentation in the media is inevitable, but we encourage it when we reinforce it with expert opinion.

Administrivia Jul 2009

After a few months off, I'm resurrecting this blog. I've been busy with a variety of personal issues, like relaxing, over the past few months, as well as focusing what little time I have available on the SANS Forensics & IR blog. I'd considered abandoning this blog altogether in lieu of my contributions there, but have realized that I need an outlet for more spontaneous and opinionated entries that I feel do not belong there. Also, my criteria for contributing here is lower - I do not feel the need to positively contribute something new and meaningful with each entry, as I feel is appropriate for SANS.

In any case, a quick update. After many months of consideration, I decided it was in my best professional and personal interest to join Facebook and Twitter. If I don't understand these communication and interaction technologies as I understand others, I will inevitably find myself falling behind and unable to exist at the forefront of security (whether I will ever get there is debatable as well, heh). I likely won't be very active with these accounts, but will likely tweet at BlackHat this year in an effort to keep in touch with all the folks I'll know there. It'll be my first BlackHat, and I'm looking forward to it!

Security, DHS, and the NSA

A number of people have asked me my opinion on the recent reports that authority for "cyber security" at the national level is moving from DHS to the NSA. I think the most concise analogy I can give is this: It's like taking one of your valuables from your younger brother who's irresponsible, and giving it to your older brother who's greedy. We're substituting one set of problems with another.

Opinions aside, I think it's interesting that the job of computer network defense at a national level is being placed subordinate to its equivalent offensive arm. An insight into fundamental policy shift? Time will tell...

What passwords and condoms have in common

I just read my favorite blog post of the month, by Adam on Emergent Chaos comparing the Holy See's comments on condoms in Africa to our often-dogmatic approach to Information Security. His comments:

In information security, we often keep saying the same thing over and over again, because we know it's right. We tell people to never write down their passwords, to always validate their input, and to run IDS systems. Deep in our hearts, we know they don't, and yet we keep saying those things. We tell them they "have to" fix all the security problems all the time.

I'd like to go further, and do, in my reply to his post. At issue is our propensity to reflect all of the hardest problems in security today onto those who are least equipped or capable of handling them: end users. Nobody asks to get in the security business when they buy a computer, they want to entertain themselves, or positively contribute to some task, or fill an everyday need... yet we do. We ask everyone who buys a computer to join us in our perverse universe of paranoia. This is a lazy, improper, and unsustainable approach. If anyone is looking for the hardest problems to solve in our industry, look no further than your parents' complaints about their computer, your friends' complaints about websites, or your coworkers' complaints about corporate policy. We've left them holding the bag on the hardest problems.

My comment on Adam's post is reproduced below.

Adam,

Fascinating and apt analogy. The "blame the user" fallback has bothered me for years... and it truly is a fallback.

To follow on to your password example: Why do users write down their passwords? Because we insist they be complex, temporal, and different between systems. Why do we do this? So they're not easily guessable. Isn't, then, the authentication mechanism the problem? We have an obtuse, antiquated authentication mechanism that belies the nature of the beast using the system. We wouldn't ask a donkey to type on a keyboard - what we have built here is the psychological equivalent. We don't change it because it is hard - technologically, procedurally, institutionally - to do so. Therefore, we insist on a system poorly suited to today's computing realities, and blame the user.

As you suggest, there are many manifestations of this, passwords being but one. Microsoft's sage advice to mitigate Office vulnerabilities ("don't click on attachments from people you don't know") is yet another of my favorites. But in the end, it seems many of these situations end up shifting the burden of blame to the end user, subjugating them to our whims of what is and isn't "easy," rather than facilitating their use of the equipment and letting them focus on what their real job is.

It's going to be very, very hard for IT to break this very inviting habit...

Michael Cloppert

I write on this topic frequently... I can only hope more people begin to realize the seriousness of this problem, and that we must begin to make it a tractable one.

Speaking Engagement: CMU INI

I will be a guest speaker for CMU INI graduate students next Friday, 2/27/2009. The abstract of my presentation is below.

Careers in Information Security and Tales from the Front Lines of Network Defense

In this two-part presentation, Michael will introduce the field of information security from a career development perspective, giving attendees a broad view of the industry and how their various academic backgrounds may align. As the lecture progresses, Michael will give an insider's view into what it's like to defend a network used for the design of the next generation of national defense technologies.

Rethinking the network perimeter

Does anyone remember bastion hosts? Marcus Ranum describes them in his 1993 paper on firewalls, just to give you an idea of how old the concept is. There was an obvious problem in the notion of a bastion host (as originally devised): having a "critical strong point in the network's security" provides a single point of failure and big target for exploitation. Leaving a system exposed, regardless of how secure it is believed to be initially, will inevitably lead to failure. The principle of least privilege needs to be enforced at the network level. Thus, we created the notion of the DMZ.
Naturally, the notion of a bastion host evolved to be a not-so-exposed system, partially protected by firewalls and isolated from the internal network so as to mitigate the damage resulting from compromise. The crown jewels are, by this model, inside the LAN and isolation was tantamount. And thus have we operated since...

Naturally, this model has made various evolutions. Initially, the focus on protection was outside-in. Various pressures - security, policy, and otherwise - necessitated greater control on network egress. If you want to make sure a compromised internal system can't arbitrarily funnel data outbound over some ephemeral port, you need to restrict what services can be accessed on the internet from clients on the LAN. If you want to keep your employees from surfing pr0n on the job, you needed to be able to restrict what web sites they access. From this came proxied services: HTTP, DNS, email, and other services now must be funneled through a relay for greater control.

Do you see what's happening here? Our control over our networks has slowly crept up the OSI model as we realize the perils of a lack of control over the next layer up. From the flat networks of the early 80's, to segmentation later in the 80's and early 90's, to control over the transport layer with firewalls, and finally up as far as the application layer with insistence on proxying all services in the most "secure" networks accessing the internet today, our defenses were pushed upward by adversaries who understood how to exploit the lack of control at higher layers.

I've got bad news: even this isn't good enough. While we've definitely raised the bar for adversaries, they have nevertheless stepped up to the plate. How do you compromise systems and funnel data out of a protected network which insists upon protocol compliance and restricted connections? Obey the rules. Comply to the protocol. Repurpose the available communication points outside of the network. And this is precisely what adversaries are doing.

If you didn't already know, I'm telling you now: protocol-compliant command-and-control channels that communicate to compromised websites are all the rage in sophisticated attacks today. How can one attack a computer? Use the inbound communication channel: email. How can one establish bi-directional control over a compromised host? Use the outbound data channels to initiate a connection, and proceed from there: HTTP, DNS, email, these all permit bi-directional communication to every workstation in a protected network connecting to the internet today.

What does this mean? It means that every host which can participate in these types of data transmission is an internet-facing host. Bastion hosts, firewalls, proxied services, all exist in vain against these techniques. This is the very point of this whole post: your most exposed hosts are your workstations. And today, in 2009, you have as many internet-exposed hosts as you have workstations. Considering that today, all work is done on workstations, this means your data is residing on the most vulnerable systems on your network - even if only temporarily while in active use or development. There are many implications here, which I won't go into, beyond to say if you've been sleeping soundly because you believe your network controls are strong, I hope you've enjoyed it.

Update: Somehow this got back-dated... fixing.

Irresponsible disclosure

Did you know that last year, Heartland Payment Systems suffered a data breach that "may have compromised tens of millions of credit card transactions?" Me neither, until I received a notice in the mail that my card may have been one of the ones compromised. Why hadn't we heard of this? Perhaps because Heartland decided to announce the data breach... wait for it... on inauguration day. Curious timing, don't you think, considering the breach happened last year?

A few other confounding aspects of this breach:

• The date of compromise is unknown
• Heartland had to be notified of this by Visa and Mastercard. They did not discover it on their own.
• Transactions occur unencrypted, according to the bankinfosecurity.com report: 'Data, including card transactions sent over Heartland's internal processing platform, is sent unencrypted, he explains, "As the transaction is being processed, it has to be in unencrypted form to get the authorization request out."'

Heartland boasts their advocacy for end-to-end encryption despite that last bullet:

For the past year, Robert O. Carr, Heartland's chairman and chief executive officer, has been advocating for payments industry adoption of this technology — which will protect data at rest as well as data in motion — as an improvement for payment transaction security.

Certainly this claim seems dubious. In any case, the data capture and exfiltration appears to be enabled by malware installed on hosts in their payment systems network. Disk, database, and transactional encryption won't prevent compromised hosts from having access to the data in clear-text form as it's processed - clearly, this data must be unencrypted at some point in the process in memory (at least).

This is a whole bucket of fail right here.