It’s Time to Redefine Information Security (So we can win the CyberWar)
Information Security Redefined: preventing our adversaries from hurting our interests using data as the medium.
The more standard definitions of InfoSec, which talk about eavesdropping on, modifying and destroying data and the access thereto, leave too much behind. We are in a CyberWar, facing an adversary who constantly exercises imagination and skill to develop attack scenarios that we have not yet conceived. If we limit our role to defending against known attacks, we secure our position as the inferior party, a leg behind. We are not only overwhelmingly more vulnerable than our often shadowy adversaries, we are also heavier. We are afflicted with multi-story vertical command and control hierarchies that asphyxiate ‘blue-sky ideas’ popping up from the bottom. We are big, widespread, and burdened by a coordination challenge, by an authorization spread, and by political obstacles. We have a large footprint, and our rules of engagement are well known and widely advertised. Our enemy is invariably smaller and nimbler. Our well-perceived moral superiority tends to mislead us into assuming a corresponding mental superiority. Alas, not only do we have no control over how much imagination our adversaries exercise, we cannot even measure it, and can hardly estimate its bounds. We must solemnly note that the next Alan Turing may have been born in Gaza. We must also note that, as much as we enjoy the power of our conviction, our adversaries are powerfully motivated by the realization that the cyber arena is the only place where they have a chance against their perceived Goliath. The computer is their slingshot, and some of them really, really hate America.
We can only defend against threats that we have had the imagination to conceive, and if we restrict our thinking with a narrow definition we discourage the blue-sky ‘what if?’ questions with which to meet our CyberWar challenge. Here is an example of a recent move against our interests that falls outside the traditional definition of InfoSec. Email traffic from ‘marked countries’ has shown a considerable increase in the volume of encrypted messages. Naturally these messages are fed into the powerful NSA supercomputers for cryptanalysis. The harvest was poor, and a recent theory emerged: it’s a new attack! By flooding the Internet with emails of random data, our adversary ties up its arch-enemy, the NSA supercomputers, and waters down our capacity to cryptanalyze the meaningful messages. Now, that is not eavesdropping; there is no data destruction, no information is altered, no transaction is defrauded. This act of war does not fit into any of the stale old definitions of information security or CyberWar. This is what they do today; who knows what they will do tomorrow? We had better know, and for that we need a systematic “Awareness and Creativity-Harvesting Campaign” to become fit despite our inherent rigidity and complexity. But first we need to broaden the definition of what CyberWar and information security really are. So again: information security is the effort to prevent our adversary from hurting our interests using data as the medium.
#RFID in your wallet, on your shirt — I bet you didn’t know!
Nothing excites corporations today like the craze over RFID tracking. Lately companies have issued free cards for instant discounts and/or useful information, which people mindlessly insert into their wallets, not realizing that they have just marked their pocket for any proximity RFID reader. Some versions also include a micro battery that makes remote tracking feasible. In most cases this is harmless. Shops would like to know which shelves you walk by, how long you spend at each corner of the store, etc. This is valuable data for them to design and allocate shelf space. Law enforcement, on any pretext, can get a warrant for that data to spot which adult seems to have stalked a missing child. RFID chips are stealthily embedded in clothing articles so that the store can track shoppers who revisit the store where they bought a coat last month (wearing the purchased coat). This is not just eerie; it is of great concern because hackers steal tracking RFID tags, or clone them, and use or sell them for others to use in questionable behavior. You may find the police knocking on your door because they tracked the RFID chip that was fitted into your leather coat: it registered on a street corner when and where a crime was committed. We are getting close to recommending that our clients scan their environment daily for unwanted and unknown RFID chips. Myself, I keep an aluminum sheet in my wallet to prevent any known or unknown RFID chips from being tracked. Time and again the hackers prove themselves faster and more imaginative in exploiting a new technology, while we on the security side are, huffing and puffing, trying to play catch-up.
The Shadowy Operator Remained in the Shadow
Twelve years of research were all uploadable onto a tiny USB stick, but the chemical structure formulas were spread throughout the multi-site corporate network, and it was discovered by accident that the chemical structure depicted on some of the working copies was minutely different from the original. In fact, the changes were so minute, and the motivation for a hacker to inflict them seemed so nonexistent, that when they called us they did not know whether we were the right people to call: was it a security problem? We found out that the chemical structure was frequently encrypted because it captured almost 100% of the R&D knowledge accumulated by the company over 12 years. So we took our own copies of the ciphers they employed, and encrypted and decrypted in shadow mode. After quite a long time some inconsistencies surfaced. We concluded that something was wrong with the installed cipher program. In fact we were very curious to find out whether the errors were innocent or malicious, but our client simply asked that we install our own trustworthy software version, and look no further. The shadowy operator remained safe, lurking in the thick shadow.
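As an added illustration of the shadow-mode check described above (example code written for this page, not AGS’s tooling and not the client’s cipher): a differential harness that runs a trusted reference implementation and the installed implementation side by side on the same random keys, nonces and plaintexts, and reports every trial where the two disagree. The cipher here is a stand-in, HMAC-SHA256 in counter mode used as a stream cipher, and the ‘installed’ build carries a constructed flaw (it silently weakens the key after the first 64 bytes) chosen to show why a self-consistent program passes its own round-trip tests and why short test vectors would never expose it. The real defect in the story is not known, so nothing here should be read as what was found.

```python
import hashlib
import hmac
import random


def _keystream(key: bytes, nonce: bytes, length: int, key_for_block) -> bytes:
    """HMAC-SHA256 in counter mode. key_for_block(key, counter) lets the
    'installed' build substitute a different key for some blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key_for_block(key, counter), block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


# Trusted reference: our own copy of the cipher (toy stream cipher for the demo).
def reference_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return _xor(plaintext, _keystream(key, nonce, len(plaintext), lambda k, _c: k))


reference_decrypt = reference_encrypt  # XOR stream cipher: decrypt == encrypt


# Hypothetical installed build (constructed flaw, not the real one): blocks 0 and 1
# use the real key, every later block is keyed with only the first 4 key bytes.
# Encrypt and decrypt share the flaw, so the program round-trips and looks healthy.
def _weakened_key(key: bytes, counter: int) -> bytes:
    return key if counter < 2 else key[:4] + b"\x00" * (len(key) - 4)


def installed_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return _xor(plaintext, _keystream(key, nonce, len(plaintext), _weakened_key))


installed_decrypt = installed_encrypt


def first_difference(a: bytes, b: bytes):
    """Index of the first byte where a and b differ, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def shadow_compare(ref_enc, ref_dec, sut_enc, sut_dec, trials=200, max_len=256, seed=1):
    """Run the system under test (sut) in the shadow of the reference on random
    keys, nonces and plaintexts of varying length; return the failing trials."""
    rng = random.Random(seed)

    def rand_bytes(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    findings = []
    for trial in range(trials):
        key, nonce = rand_bytes(32), rand_bytes(16)
        pt = rand_bytes(rng.randint(0, max_len))
        ref_ct, sut_ct = ref_enc(key, nonce, pt), sut_enc(key, nonce, pt)
        checks = {
            "ref_roundtrip": ref_dec(key, nonce, ref_ct) == pt,
            "sut_roundtrip": sut_dec(key, nonce, sut_ct) == pt,  # what the installed program checks itself
            "ciphertext_match": ref_ct == sut_ct,                # the shadow-mode check
            "cross_decrypt": ref_dec(key, nonce, sut_ct) == pt,  # can our copy read their output?
        }
        failed = [name for name, ok in checks.items() if not ok]
        if failed:
            findings.append({"trial": trial, "length": len(pt), "failed": failed,
                             "first_diff": first_difference(ref_ct, sut_ct)})
    return findings


if __name__ == "__main__":
    bad = shadow_compare(reference_encrypt, reference_decrypt, installed_encrypt, installed_decrypt)
    print(f"{len(bad)} of 200 trials diverged; shortest failing message: "
          f"{min(f['length'] for f in bad)} bytes")
```

Note that the installed build never fails its own round-trip; the only signal is the cross-implementation comparison, and only on messages longer than the one keystream stretch that was left intact. That is why the harness varies message length instead of replaying a fixed test vector, and why a shadow run has to cover the real traffic for a long time rather than a single smoke test.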
Preparation for Lay-Offs: The Peril of Disgruntled Employees
In reality the decision to lay off good people because of an economic downturn is daunting, and the last thing on one’s mind is the peril of a disgruntled employee with robust system knowledge releasing his anger as a well-targeted, very painful weapon of revenge. And because you are so unsettled when you have to do it, you had better prepare ahead of any such tense time. First, make sure you have on file all the policy-dictated commitments to honesty, and the releases of certain rights, that every employee with access to sensitive data should have signed. Second, refresh the “disengagement protocol” for system-knowledgeable people, so you have a protocol to guide you when your head spins. Third, make sure that the potential damage report is well documented in your files. This report should be prepared by a professional security analyst who examines what that employee knows, and estimates what damage scenarios he or she could initiate if so inclined. Fourth, and this is our most emphasized step, check the corporate knowledge tree and make sure that there is nothing that employee knows that nobody else in the company knows. Fifth: invest in a short executive seminar on how to do well what is mentioned above. AGSgo is at your service.
London Rioters CyberWar Triumph
While the arson and the violence grab the headlines, a rather daunting lesson should be drawn from the cyber aspects of the latest riots in the UK. The full extent of the cyber battle is not yet known, but we do know that rioters sidetracked the cyber police by flooding the lines with random data that was suspected to be meaningful encrypted messages, keeping UK cyber hunters away from the real hunt. The rioters also used the weapon of drowning the real messages in a sea of faked ones. Hundreds of faked calls to gather in various places at various times were crunched over very busy Blackberries, with a secret code phrase marking the few real ones (all assembly calls that did not include the phrase ‘keep it up’ were false calls). While the UK, like the US, is building larger, stiffer, inflexible cyber walls, the people on the other side use ad-hoc creativity and edge-wise imagination to win and prevail. What we have seen so far is small and inconsequential. One should be very troubled indeed looking toward a more serious showdown.
“Crypto Warning” a Pre Publication Announcement
For a confluence of reasons the United States relies on but a few well-known cipher systems to protect its civil order: communication, transportation, industry, commerce, and social activity. Cracking those few foundation ciphers is the only real chance any enemy of America has to prevail in a future conflict. These present and future enemies of the United States fully realize this, and hence invest tremendous effort, desperately try every means, assemble any machine, and bring to bear any talent, to secretly crack these pillar foundations of American cyber security. And we, on the other end, rely on our expectation that they will be too dumb to succeed. The history of cryptography from Caesar to the Nazi Enigma is a repeating story of unchallenged overconfidence that the other side is not smart enough for the challenge. And here we go again. The inertia of the present situation, and its entrenched politics, seem, so far, stronger than the warning herein, even though this warning is followed by a remedy and a cure that is inexpensive and readily implementable. The book by Prof. Gideon Samid is scheduled for a December 2011 publication date.
A Hidden Curse Called ‘False Positives’
It took a beating, more than once, for me to fully realize the hidden curse called ‘false positives’. Like most security professionals I was keen on catching any and all attempts to compromise the system I was commissioned to defend. This zeal necessarily comes with a price, which is quite expensive for the client but not readily appreciated, especially by the security team. It’s called ‘false positives’: marking innocent actions as malicious or adversarial. When an online merchant rejects honest buyers, how much is lost? It’s anyone’s guess! When innocent emails are deleted as spam or infected, what business prospect has just gone under? The philosophers of justice say that it’s better to let a hundred murderers go free than to execute an innocent man. But in security the question is: how many malicious attempts will you allow to sneak in, in order to avoid a single false positive? “None!” said my boss at the time, categorically, when I relayed the academic question to him. The difference is that an undetected positive that compromises the system we are charged to defend is counted directly against our reputation, while most instances of false positives create a loss that is usually not captured in any accounting log, and is rarely counted against the security people. In the years since, I have invested a lot in a just solution based on the concept of a ‘suspicion scale’. Instead of marking logins, emails, and queries as offensive, we associate a suspicion grade with each. The low suspects are admitted, the high suspects are rejected, and the in-between zone is routed for further examination. The only problem with this intellectually satisfying solution is that clients think that we are too expensive. To no avail I keep making the point that the cost of false positives is way higher. One no-nonsense client barked at me: “That may be so, but your cost comes in an invoice, crystal clear, and the cost of false positives is buried in accounting clouds.”
I had no reply, only to murmur: it’s a curse, a bona fide curse!
To read more go to Digital Transactions magazine, the September 2011 issue.
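An added example of the suspicion scale described in the post above (written for this page; it is not the author’s product or any client’s system), with the cost of false positives put on the same ledger as the cost of missed attacks. The payment events, the additive scoring weights and the cost figures are all constructed for the illustration; the review band is assumed to be resolved correctly by an analyst at a flat cost per case. The point it makes is the one the boss’s “None!” misses: once rejected honest buyers carry a price, the thresholds that minimize total cost are not the ones that catch every attack automatically.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    amount: int           # order value in dollars
    new_device: bool      # first time this device is seen for the account
    geo_mismatch: bool    # IP country differs from billing country
    attempts: int         # attempts from this account in the last hour
    is_fraud: bool        # ground truth; known only for the labelled sample


# Constructed labelled sample (not real traffic), used to tune the thresholds.
SAMPLE = [
    Event(40, False, False, 1, False),
    Event(120, False, False, 1, False),
    Event(90, True, False, 1, False),
    Event(300, True, False, 2, False),
    Event(60, False, True, 1, False),    # honest traveller
    Event(250, True, False, 3, False),   # honest, fumbled the password twice
    Event(250, True, True, 1, False),    # honest, new phone, abroad
    Event(500, True, True, 3, True),
    Event(150, True, True, 1, True),
    Event(80, False, True, 4, True),
    Event(900, True, False, 1, True),
    Event(30, True, True, 5, True),      # card-testing pattern
    Event(200, False, False, 6, True),
]


def suspicion(e: Event) -> int:
    """Additive suspicion grade, 0..100. Weights are illustrative assumptions."""
    s = 0
    if e.new_device:
        s += 25
    if e.geo_mismatch:
        s += 35
    s += 8 * max(0, e.attempts - 1)
    s += 4 * (e.amount // 100)
    return min(s, 100)


def route(score: int, low: int, high: int) -> str:
    """Three bands: below low admit, at or above high reject, in between review."""
    if score < low:
        return "admit"
    if score >= high:
        return "reject"
    return "review"


@dataclass(frozen=True)
class Costs:
    margin: float = 0.20    # rejecting an honest buyer forfeits the gross margin...
    goodwill: float = 50.0  # ...plus a flat goodwill/churn cost (assumed figure)
    review: float = 8.0     # analyst time per reviewed event, assumed to resolve it correctly


def expected_cost(events, low: int, high: int, c: Costs = Costs()) -> float:
    """Total cost of a threshold pair on a labelled sample. Admitted fraud costs
    the order value; a rejected honest buyer costs margin plus goodwill; every
    reviewed event costs analyst time, whatever the outcome."""
    total = 0.0
    for e in events:
        band = route(suspicion(e), low, high)
        if band == "admit" and e.is_fraud:
            total += e.amount
        elif band == "reject" and not e.is_fraud:
            total += c.margin * e.amount + c.goodwill
        elif band == "review":
            total += c.review
    return total


def band_counts(events, low: int, high: int) -> dict:
    return dict(Counter(route(suspicion(e), low, high) for e in events))


def tune_thresholds(events, c: Costs = Costs(), step: int = 5):
    """Grid search for the (low, high) pair with the lowest total cost.
    high = 105 means 'never auto-reject'; low == high means 'no review band'."""
    best = None
    for low in range(0, 101, step):
        for high in range(low, 106, step):
            cost = expected_cost(events, low, high, c)
            if best is None or cost < best[0]:
                best = (cost, low, high)
    return best


def zero_miss_policy(events, c: Costs = Costs()):
    """The 'None!' policy: one threshold at the lowest fraud score, no review band.
    Catches every fraud in the sample and pays for it in rejected honest buyers."""
    t = min(suspicion(e) for e in events if e.is_fraud)
    return expected_cost(events, t, t, c), t


if __name__ == "__main__":
    cost, low, high = tune_thresholds(SAMPLE)
    print(f"tuned: low={low} high={high} cost={cost:.2f} bands={band_counts(SAMPLE, low, high)}")
    zm_cost, zm_t = zero_miss_policy(SAMPLE)
    print(f"zero-miss: threshold={zm_t} cost={zm_cost:.2f}")
```

The three-band routing only pays off when the review band has an owner and a budget, which is exactly the line item the client sees on the invoice; the false-positive cost that the tuned thresholds avoid never appears on any invoice, which is the curse the post describes.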
The Victim and the Offender Were One and the Same.
My lawyer called, calmed me down (“No bad news”), and quickly introduced me to a colleague of his whose client was being prosecuted for storing child pornography on his computer. The client claimed that he was unaware of the videos and had no clue how they got onto his hard drive. “Everybody says so,” quipped the lawyer, “but as his attorney it’s my duty to explore every possible angle of defense. And so I come to ask you whether there is any credible explanation for this tired ‘someone else did it’ defense.” “Of course,” I replied, “a hacker could have taken control of your client’s computer and used it to store his illegal material, then streamed it down for at-will viewing.” “Can you prove it?” the lawyer asked. “Sure!” I replied, and sent someone to install a copy stream of the Internet traffic from that computer. We copied the original disk, which served as evidence, and waited. The next day someone went in, wiped out all the illegal files, and nothing further has happened since. We did not have proof, but we had a strong indication that the client, a divorced accountant, was a genuine victim of a vicious hacker, except that it was strange that the hacker wiped out all his files just when we were ready to close in on him. How did he know? It was much later, when in a casual conversation someone mentioned the name of that accused client as a uniquely clever hacker, that I hit my forehead with a hard blow: of course, why didn’t I think of it myself? The accountant hacked his own machine, and it got him off scot-free too!
Semantic Search — the Hacking Route
A lot of work has been published in the literature on the issue of semantic search of the Internet: going beyond Google and discriminating documents by their contents and theme, not just by a stray keyword. Web search is improving accordingly. It was natural, then, to expect that the dark side of the science would exploit the new technology in much the same way. Expected in theory; surprising in practice: we found new malware that searches files on the infected machine based on their appraised topic and theme. The new rootkits and worms can spot the ultra-sensitive documents on the hard drive, copy them, and send them over the Internet to their controller. One smart fellow in our shop thought of a counter-attack: to infect sensitive-looking documents on our client’s machine so that when they are executed on the controller’s machine they explode there! We like our young and creative guys, but we also worry about mishandling, such as sending the explosive files to friendly targets… The unending cyber war goes on; this round is still showing an advantage for the bad guys, but we are not done yet!
It Was Not The Secretary
Henry Mint did not believe that Linda, his trusted secretary, had been outwitted by a stranger she met in the gym. But that was the result of the inquiry into how his medical condition became public, and sorely hurt his chances to replace the aging CEO of the corporation. Linda admitted her fanciful talk with the good-looking stranger; yes, it was one-on-one in the cafeteria, and yes, they exchanged phone numbers, but no, she did not discuss her boss’s medical condition, no way! When we heard about it, we suspected the now quite common scheme of the hacking cover-up: an adversary hires hackers to pry sensitive information from his opponent, and builds a cover story to explain how he came to know these damning secrets. Nobody in corporate security had suspected as much. So we stuffed Henry’s computer with bogus data, which some days later appeared as a rumor around the water cooler. Case closed. The aging CEO is hanging on for now, but Henry promised us that if he gets the job he knows whom he will hire to provide security. “I now understand better what you keep repeating, that the cyber war is a contest of imagination!” he bristled, and pushed his way out as the elevator door opened.