Chaos Program

I’ve been taking a class in computer forensics and, possibly because the textbook is very dull, sometimes my mind wanders to odd implications of what I’m reading. There are some known facts about most operating systems that work in favor of forensic investigators. For example, the contents of deleted files linger on a system, sometimes for a very long very long time. The traces can be found and reconstructed by someone with the right tools and know how.

There are times when there are legitimate reasons to try to avoid this. The most widely known of these is when the defense department gets rid of old equipment. It’s important to wipe the data on a hard drive in such a way that it is close to impossible to recover, in order to protect defense secrets. And whatever porn and games the poor defense workers may have downloaded during lunch.

What about resistance members (assuming there are any) in totalitarian countries (assuming they can even get their hands on a computer)? Don’t they also have legitimate reason to hide the traces of what they’ve done? How about spies? When someone from a free country tries to gather hidden information in a totalitarian country (let’s say British spies in Iran, since the Soviet Union is gone and the CIA is not what it once was), being caught could mean torture and death. For them, having an operating system that reliably deletes evidence could literally be a life saver.

That was what got me thinking, wouldn’t it be goo dif those people had access to an operating system that automatically did things to protect their lives? read more »

It seems that everywhere I look lately there’s news about a new “weakness” found in the RSA algorithm. This has been reported with headlines screaming about the “severe” weakness and how everything in the universe that is encrypted depends on RSA. For examples of those rather overheated stories look here and here.

Let’s have a moment of sanity please. The sky is not falling. The attack described depends on manipulating the power supply of the targeted system, making tiny changes in the voltage to generate bad output from the algorithm. It’s a very interesting attack technique but the actual risk of it happening in the real world is incredibly low. Anyone who can get close enough to manipulate the power to a unit can do lots of other much more interesting things to it.

In general, no one can get close enough to perform this kind of attack.  Locking the doors on the server rooms is a standard IT practice. You see, most criminals who get close enough to attach the equipment needed to play games with the power supply are much more likely to simply unplug it and steal the computer.  We guard against that sort of thing and, incidentally, against creative attacks on the power as well.

This is just one more example (in a nearly infinite list) of why the news should never be taken at face value. Read carefully. THINK. Apply salt liberally and move on to something less ridiculous.

The big tech story of the week is the one about Google making people mad with it’s new “Buzz” service. The most interesting aspect of this story is that everyone seems to have gotten it wrong.

Here’s the short version of the story: Google has some new social media application that makes all your email contacts into “friends” in the social networking sense and a lot of people objected to that, claiming that email contacts should be kept private, not advertised to the world as a friends list. This is stupid on so many levels – Google, their users, all the “analysts” – it’s hard to know where to start. So I’ll start at the beginning as far as I knew it.

The other morning, as I do most mornings, I brought up my gmail account and glanced to see if there was anything new. There was some kind of banner or thing about something called “Buzz.” I immediately thought “Hmm. Could this be a whack at Yahoo’s boring Buzz bookmarking service?” But no. I saw that my boss had already been there and made a comment. I also saw that to reply to his comment I had to create a “profile” that would make all of my email contacts into friends who I could then get Buzzy with, or some such thing.

I decided not to create the profile because I don’t use my gmail account for general email purposes. I have a yahoo account for that. My gmail account is mostly for poetry and other writing. I use it to communicate with the members of the Science Fiction Poetry Association, a lot of editors and a few close friends and family. It’s the kind of account – intentionally – receives the kind of joke emails that people forward all the time. In other words, while it’s a public address, I tend to use it for more private purposes.

Weirdly, Buzz shows that I have 6 followers, including 4 who do not have public profiles – which I also do not have. How do you follow someone who does not have a profile to follow? And if you don’t have a profile, how is it possible to follow someone else without a profile? What the hell is going on here? read more »

In a computer forensics class I’m currently taking, we studied a federal document that goes in to great detail about how to handle computer security incidents. Malicious code, intrusions, denial of service attacks, the whole gamut of computer/network events that can cause an organization trouble. The document, put out by the National Institute of Standards and Technology is called the Computer Security Incident Handling Guide (aka SP800-61) and it is some of the most useful, albeit hideously boring, reading available for IT professionals currently available.

However, useful and wonderful though it is, I have some problems with this publication. There is very little I can point to and say, “This is wrong.” It covers a lot of territory in an organized way. It gives good advice. Yet I find the total effect to be unsatisfying. Sure, any organization that implements all of the recommendations in this document will be well protected and very capable at responding to incidents when they happen. The trouble is that no organization on Earth is ever going to implement ALL of the recommendations. I don’t think there is enough trained manpower or enough time or money in the world to ever achieve the level of protection detailed (I could even say mind-numbingly detailed) herein.

There is discussion of plans, policies and procedures, guidelines and knowledge bases. The document includes checklists and tables, incident categories and even a marvelous equation for rating the severity of an event. It’s all very complete and very thorough and, as I said, all very sound and reasonable.

I just can’t imagine it can possibly work in practice.

read more »

Two unrelated things clicked in my head today as actually being related on a theoretical level. Thing one I spent some time the other day looking over the websites of some potential vendors. I’ve done this sort of thing lots of times before. As per usual, I was unimpressed by the websites themselves (which may or may not say much about the company itself). Thing two: Someone cracked the algorithm for cell phone signal encryption (really a sort of hiding) to the internet. Both these things show the conflict between the old industrial era way of doing things (let’s call it web 0.5) and the newer Twitter-ified way of doing things (web X.0). It tells us a lot about the changing generations and the growing struggles of the information age.

After that slightly pompous lead in, it’s tempting to just stop but I’ll add some detail, starting with the cell phone encryption code, which is a pretty big deal news-wise. The biggest weakness of cell phone security – and it’s a very big weakness – is that, in order to work, cells broadcast their signal in all directions at once. It’s not like the old fashioned landline phones that send their signal down a wire. In order to intercept the signal of one of those old phones, you have to tap the physical wire. In order to intercept a broadcast signal, on the other hand, you just need to be within range with the right equipment.

For a couple decades now, most cell phones have attempted to evade broadcast interception by (somewhat) randomly changing frequency multiple times during every transmission. That way it’s very hard to intercept more than a single tiny portion of the signal, hopefully too tiny a portion to make sense out of the message. The flaw in this scheme is that for the message to be received, the other end (the cell tower) must be able to follow all the frequency hops and put the complete transmission back together. So both ends need to be synchronized. True randomness is impossible.
read more »

According to the Wall Street Journal, up until recently the United States Air Force was too stupid to encrypt the video feed from attack drones such as the predators used in Afghanistan and Iraq.

I know that sounds harsh. Maybe it’s even too harsh. Let’s look at the story (original report here) and see how it develops. The short version is that sometime “late last year” (apparently December 2008) the computer of a captured Shiite fighter in Iraq was found to contain video from U.S. aerial drones. In July, more of these intercepted videos were found. The WSJ report claims that the interception was done with (or with something like – the writing is unclear) Skygrabber, software advertised as intercepting satellite transmissions of various file types. The price on the website is $45.95 (apparently was $26.95 a few days ago. Did they raise the price to capitalize on increased demand due to the publicity?).

According to the WSJ report, the Air Force has understood that these feeds were vulnerable to interception since the 1990s but did not do anything to encrypt them because a) It costs a lot of money and b) This kind of interception is too hard for the primitives we fight against anyway. (Okay, I’m paraphrasing, but the gist seems accurate.)

In their defense, Skygrabber probably did not exist in the 1990s. The Internet was less developed in those days too. According to Defense Tech the Global Information Grid used by the U.S. military to transfer data is 25 years old. One consequence of this is that security measures that are considered basic today are completely lacking. Defense Tech estimates that upgrades needed could run to $65 billion over the next three years.

Hackers work faster than that.

read more »

Cyberwar and related issues have been in the news lately. Since the cyber attacks on Estonia during the Russian invasion of 2007 (see here and here) the topic is popular. Maybe even almost sexy.

Since there are lots of news articles lately (mostly without much substance, but there are a few links at the bottom of this post if anyone’s interested) I’ve been giving the subject some thought. The first thing I think about it is that fears are somewhat overblown. To date, I am not aware of even one confirmed case of a cyber attack actually killing anyone. That’s what war is about, remember. Even in Estonia, the cyber attacks were much less of an issue than the Russian tanks.

This doesn’t mean cyberwar can’t cause problems, including problems for the military. Cyber attacks can be used to target communications, to block (or alter) global positioning systems (see this report) and possibly change the behavior of critical infrastructure items like dams and nuclear power plants. In the near future it may be able to cause traffic jams or accidents, make hospital systems go haywire, redirect ships and planes and many other potentially devastating things. At least those are some of the potentials. Fortunately, none of that potential has yet been reached.

Yet.
read more »

Arguably the biggest buzzword in computing today is “cloud computing.” Other candidates include “real time web,” “social computing” and (my favorite) “monetization.” Briefly, cloud computing means deploying internet based applications and services in a way that abstracts hardware needs out so that dependence on any particular server is limited and adding more servers (or virtual servers) makes scaling relatively easy. The example of cloud computing I am personally most familiar with is Amazon Electronic Compute Cloud which hosts the web site I have been developing at my job (Trailmeme). There are numerous others.

A recent study reported at Dark Reading claims that adoption of cloud computing is being hampered by concerns about security. I think this at least somewhat misleading.

The article gives two numbers related to this. First, almost exactly half of companies are not using the cloud and do not plan to at this time. The second number is that half of those mention security as one of their reasons for not rushing to adopt cloud computing. The conclusion of the article is that security is a major concern in cloud computing. I wish this were true but I don’t believe it.

read more »

A little while ago I saw a TV commercial that offered to pay people to make themselves targets for identity theft.

Oh, that wasn’t the intention. It was more a side effect of the campaign, which offered to pay people for referring friends to use the service. The part that made me start thinking about ID theft was the line that advised that, in order for you and your friend both to receive the cash the program offers, your friend must use your account number to sign up.

Have you seen the one? Sounds enticing, doesn’t it? It’s like free money!

Just as long as you trust your friends with access to your account. I have nightmares (well, not really, but play along with me on this) of greedy people putting their account number on a business card, or in an ad on Craig’s List, to get others to help them cash in on this program. So what if a complete stranger then hijacks their account? In a way, anyone that stupid deserves what happens to them.

I have an even worse nightmare that the company that ran the ad would say that their security is too good for someone to misuse an account just by knowing the account number. They have to also know something else, like a social security number! (For those folks who came in in the middle, SS number should never be used as a customer identifier because every use exposes it to possible theft).
read more »

There’s a big push in the U.S. right now to computerize health records so they can be more easily searched, transferred and analyzed. The potential benefits touted include greater portability – go to a new doctor and never worry about getting all your records for them – and wonderful new technologies like automatic checking for unsafe drug interactions.

Of course there’s a lot of money involved, too. The American Recovery and Reinvestment Act of 2009 (you know. The stimulus bill) created an Office of the National Coordinator for Health Information Technology and allocated billions of dollars to promote adoption of electronic health records (see article here). Yeah. That’s what the health industry needs: More bureaucracy.

The Spring 2009 issue of Rand Review (no link. I’m working from a hard copy) has an impressive array of charts and graphs and numbers claiming that health technology can save vast amounts of money. They even make the hilarious claim that computerizing people’s health records will improve privacy! Usually at this point I would put a list of links to articles about hacking incidents related to the subject I’m discussing but that doesn’t begin to show the magnitude of the problem. Instead, here’s one link to a Google search for medical records compromised: http://www.google.com/#hl=en&q=medical+records+compromised. It’s showing me 649,000 records when I run it today. Interestingly, there doesn’t seem to be a lot of duplications.

read more »