Posts Tagged ‘infosec’

Meaningless Weakness Found …

Posted in security on March 7th, 2010 by irv – Be the first to comment

It seems that everywhere I look lately there’s news about a new “weakness” found in the RSA algorithm. This has been reported with headlines screaming about the “severe” weakness and how everything in the universe that is encrypted depends on RSA. For examples of those rather overheated stories look here and here.

Let’s have a moment of sanity please. The sky is not falling. The attack described depends on manipulating the power supply of the targeted system, making tiny changes in the voltage to generate bad output from the algorithm. It’s a very interesting attack technique but the actual risk of it happening in the real world is incredibly low. Anyone who can get close enough to manipulate the power to a unit can do lots of other much more interesting things to it.
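The countermeasure a designer would want against the "bad output" described above is to never release a signature the device has not re-verified with its own public key: a glitched computation then fails closed instead of leaking a faulty value. The block below is an added illustration, not code from the original post; it uses textbook RSA with tiny constructed primes (P, Q) and a constructed `fault` flag that flips one bit of the intermediate result to stand in for a glitch.

```python
# Added example (not from the original post): a "verify before release"
# check for RSA signing. A fault during signing, such as the voltage glitch
# the post mentions, yields a wrong signature; re-verifying the output with
# the public key catches it before it leaves the device. Textbook RSA with
# constructed toy primes, for illustration only.

import hashlib

# Constructed toy key: p and q are tiny primes (never use in practice).
P, Q = 61, 53
N = P * Q                 # 3233
E = 17
PHI = (P - 1) * (Q - 1)   # 3120
D = pow(E, -1, PHI)       # 2753, the private exponent


def digest(msg: bytes) -> int:
    """Reduce a message to an integer below N (toy; real schemes pad)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_raw(msg: bytes, fault: bool = False) -> int:
    """Core signing step. `fault` is a constructed simulation of a
    corrupted intermediate result: it flips the lowest bit of s."""
    s = pow(digest(msg), D, N)
    if fault:
        s ^= 1
    return s


def verify(msg: bytes, sig: int) -> bool:
    """Standard RSA verification with the public key (E, N)."""
    return pow(sig, E, N) == digest(msg)


def sign_checked(msg: bytes, fault: bool = False):
    """Defensive wrapper: release a signature only if it verifies.
    Returns None when the computed value is wrong, so a glitched result
    never reaches the caller. Because x -> x^E is a bijection mod N,
    any corrupted value fails the check."""
    s = sign_raw(msg, fault)
    if not verify(msg, s):
        return None
    return s


if __name__ == "__main__":
    print("clean:", sign_checked(b"hello"))
    print("faulted:", sign_checked(b"hello", fault=True))
```

Real implementations apply the same idea with proper padding and a constant-time comparison; the cost is one public-key operation per signature, which is cheap next to the private-key step.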

In general, no one can get close enough to perform this kind of attack. Locking the doors on the server rooms is a standard IT practice. You see, most criminals who get close enough to attach the equipment needed to play games with the power supply are much more likely to simply unplug it and steal the computer. We guard against that sort of thing and, incidentally, against creative attacks on the power as well.

This is just one more example (in a nearly infinite list) of why the news should never be taken at face value. Read carefully. THINK. Apply salt liberally and move on to something less ridiculous.

Incident Response For Fun and

Posted in security on February 5th, 2010 by irv – Be the first to comment

In a computer forensics class I’m currently taking, we studied a federal document that goes into great detail about how to handle computer security incidents: malicious code, intrusions, denial of service attacks, the whole gamut of computer/network events that can cause an organization trouble. The document, put out by the National Institute of Standards and Technology, is called the Computer Security Incident Handling Guide (aka SP800-61) and it is some of the most useful, albeit hideously boring, reading currently available for IT professionals.

However, useful and wonderful though it is, I have some problems with this publication. There is very little I can point to and say, “This is wrong.” It covers a lot of territory in an organized way. It gives good advice. Yet I find the total effect to be unsatisfying. Sure, any organization that implements all of the recommendations in this document will be well protected and very capable at responding to incidents when they happen. The trouble is that no organization on Earth is ever going to implement ALL of the recommendations. I don’t think there is enough trained manpower or enough time or money in the world to ever achieve the level of protection detailed (I could even say mind-numbingly detailed) herein.

There is discussion of plans, policies and procedures, guidelines and knowledge bases. The document includes checklists and tables, incident categories and even a marvelous equation for rating the severity of an event. It’s all very complete and very thorough and, as I said, all very sound and reasonable.

I just can’t imagine it can possibly work in practice.

Security, Control and the Future of Everything

Posted in Internet, digital business, media, security on January 3rd, 2010 by irv – 2 Comments

Two unrelated things clicked in my head today as actually being related on a theoretical level. Thing one: I spent some time the other day looking over the websites of some potential vendors. I’ve done this sort of thing lots of times before. As per usual, I was unimpressed by the websites themselves (which may or may not say much about the company itself). Thing two: Someone cracked the algorithm for cell phone signal encryption (really a sort of hiding) to the internet. Both these things show the conflict between the old industrial era way of doing things (let’s call it web 0.5) and the newer Twitter-ified way of doing things (web X.0). It tells us a lot about the changing generations and the growing struggles of the information age.

After that slightly pompous lead-in, it’s tempting to just stop, but I’ll add some detail, starting with the cell phone encryption code, which is a pretty big deal news-wise. The biggest weakness of cell phone security – and it’s a very big weakness – is that, in order to work, cells broadcast their signal in all directions at once. It’s not like the old-fashioned landline phones that send their signal down a wire. In order to intercept the signal of one of those old phones, you have to tap the physical wire. In order to intercept a broadcast signal, on the other hand, you just need to be within range with the right equipment.

For a couple of decades now, most cell phones have attempted to evade broadcast interception by (somewhat) randomly changing frequency multiple times during every transmission. That way it’s very hard to intercept more than a single tiny portion of the signal, hopefully too tiny a portion to make sense out of the message. The flaw in this scheme is that for the message to be received, the other end (the cell tower) must be able to follow all the frequency hops and put the complete transmission back together. So both ends need to be synchronized. True randomness is impossible.

Perception of Security in the Cloud

Posted in Internet, security on November 27th, 2009 by irv – Be the first to comment

Arguably the biggest buzzword in computing today is “cloud computing.” Other candidates include “real time web,” “social computing” and (my favorite) “monetization.” Briefly, cloud computing means deploying internet-based applications and services in a way that abstracts hardware needs out, so that dependence on any particular server is limited and adding more servers (or virtual servers) makes scaling relatively easy. The example of cloud computing I am personally most familiar with is Amazon Elastic Compute Cloud, which hosts the web site I have been developing at my job (Trailmeme). There are numerous others.

A recent study reported at Dark Reading claims that adoption of cloud computing is being hampered by concerns about security. I think this is at least somewhat misleading.

The article gives two numbers related to this. First, almost exactly half of companies are not using the cloud and do not plan to at this time. The second number is that half of those mention security as one of their reasons for not rushing to adopt cloud computing. The conclusion of the article is that security is a major concern in cloud computing. I wish this were true but I don’t believe it.

Adventures in Insecurity Number … 1!

Posted in security on August 22nd, 2009 by irv – Be the first to comment

A little while ago I saw a TV commercial that offered to pay people to make themselves targets for identity theft.

Oh, that wasn’t the intention. It was more a side effect of the campaign, which offered to pay people for referring friends to use the service. The part that made me start thinking about ID theft was the line that advised that, in order for you and your friend both to receive the cash the program offers, your friend must use your account number to sign up.

Have you seen the one? Sounds enticing, doesn’t it? It’s like free money!

Just as long as you trust your friends with access to your account. I have nightmares (well, not really, but play along with me on this) of greedy people putting their account number on a business card, or in an ad on Craigslist, to get others to help them cash in on this program. So what if a complete stranger then hijacks their account? In a way, anyone that stupid deserves what happens to them.

I have an even worse nightmare that the company that ran the ad would say that their security is too good for someone to misuse an account just by knowing the account number. They have to also know something else, like a Social Security number! (For those folks who came in in the middle, a Social Security number should never be used as a customer identifier, because every use exposes it to possible theft.)

Frankenstein Was an Amateur

Posted in security on July 5th, 2009 by irv – Be the first to comment

There’s a big push in the U.S. right now to computerize health records so they can be more easily searched, transferred and analyzed. The potential benefits touted include greater portability – go to a new doctor and never worry about getting all your records for them – and wonderful new technologies like automatic checking for unsafe drug interactions.

Of course there’s a lot of money involved, too. The American Recovery and Reinvestment Act of 2009 (you know, the stimulus bill) created an Office of the National Coordinator for Health Information Technology and allocated billions of dollars to promote adoption of electronic health records (see article here). Yeah. That’s what the health industry needs: more bureaucracy.

The Spring 2009 issue of Rand Review (no link; I’m working from a hard copy) has an impressive array of charts and graphs and numbers claiming that health technology can save vast amounts of money. They even make the hilarious claim that computerizing people’s health records will improve privacy! Usually at this point I would put a list of links to articles about hacking incidents related to the subject I’m discussing, but that doesn’t begin to show the magnitude of the problem. Instead, here’s one link to a Google search for medical records compromised: http://www.google.com/#hl=en&q=medical+records+compromised. It’s showing me 649,000 records when I run it today. Interestingly, there don’t seem to be a lot of duplicates.

The Intelligence Age

Posted in Internet, innovation on May 26th, 2009 by irv – Be the first to comment

A doctoral candidate in Virginia developed a highly accurate (as far as we can tell) and probably one-of-a-kind map of North Korea (Wall Street Journal article here). This may become important in light of other developments, including North Korea’s announcement of having done a second, successful underground test of an atomic bomb (see AP story here).

Earlier this year, researchers for the Open Security Foundation used seemingly unrelated newspaper articles to learn details of the Heartland Systems data breach, one of the biggest data hacking incidents yet known (Wired story here), before the breach was made public.

Both of these items reminded me of an old story about one of the first people to study serial murder. This was a detective (whose name I should be able to remember but can’t just now. Sorry!) who began studying newspapers from all over California in order to find similar murders that were not thought to be linked, as likely as not because they were in different jurisdictions, so that the investigators involved did not even know about them. He discovered quite a few links no one else had noticed this way.

This sort of research to link up scattered, seemingly unrelated information is called open-source intelligence gathering, and we may not be far from the time when you can get a degree in it and (hopefully) lots of high-paying jobs. The term should not be confused with open source software or artificial intelligence. This intelligence is the kind that concerns intelligence agencies like the CIA. And the open just means not hidden.

Electronic Hippies and the Police State

Posted in security on May 18th, 2009 by irv – 2 Comments

How can you not love a domain named “cryptohippie.com?”

Okay, so it’s a business that sells unusual and interesting services that broadly fall under the heading of “security.” I say broadly because this is not the usual anti-virus or hacker proofing kind of stuff. Check out the website if you like. For now let’s just say that CryptoHippie lives up to its name.

What I really want to discuss is CryptoHippie’s report on the Electronic Police State, 2008 (available here). The title caught my eye immediately, partly because I recently finished a class that included in the reading list a couple of books that were chock full of scare stories about that same topic, more or less [see No Place to Hide by Robert O'Harrow, Jr. and Darknet: Hollywood's War against the Digital Generation by J.D. Lasica]. The class wasn’t quite about that, though. It was about the law as it relates to computer and internet security and privacy (it was also brutal, but it looks like I got the A).

Of course, some of what we covered included the hoops the government has to jump through to gather and the way that was changed by the USA PATRIOT Act. Privacy policies and the laws that govern or even require them were also a large part of the class. And other interesting things. Never did the phrase “Electronic Police State” come up. That would be worth another class by itself and I hope to take it one of these days.

The first topic should be: What does “Electronic police state” mean?

First, what is a “regular” police state? According to Wikipedia, the term “describes a state in which the government exercises rigid and repressive controls over the social, economic and political life of the population” (Police state). This is a nice start but doesn’t tell the half of it. A police state is one where citizens have few, if any, rights. It’s a place where they can be arrested at any time, with or without a reason. In the old Soviet Union the crime of committing “anti-Soviet activities” (or was it un-Soviet?) was a catchall that could be used to collect dissidents or prostitutes with equal ease (the story goes that it was used against prostitutes because there were no laws against prostitution, since that was said to exist only in decadent western countries like the U.S.A. But that law could be used to nab almost anybody for almost anything, so it worked just fine).

The Law of Unintended Cyber Consequences

Posted in security on April 7th, 2009 by irv – Be the first to comment

Computer security seems to be an endlessly hot topic. Recently, there has been talk of a bill in the U.S. Senate that would dramatically change the security landscape in this country. Under the guise of protecting national infrastructure, this legislation would raise the price tag for security significantly while allowing the federal government to take charge of any and all systems and networks it happened to choose.

Great idea. “We’re from the government, and we’re here to help your computers. Here’s our secure example. It’s called Colossus” (That’s a somewhat obscure movie reference. See Colossus: The Forbin Project or even Colossus: The DVD. See what people worried about long before we ever heard of Skynet).

The bill is The Cybersecurity Act of 2009, co-sponsored by Democrat John Rockefeller of West Virginia and pretend Republican Olympia Snowe of Maine. As of yet (if I remember correctly and didn’t miss something in my reading), the bill has no sponsors in the House. That’s a hopeful sign. Let’s see why.

Cyberwars Redux

Posted in security on March 13th, 2009 by irv – Be the first to comment

There’s already a new chapter in the story of the alleged confession that Russia was behind the cyber attacks on Estonia in 2007 (see http://www.chaosprg.com/blog/2009/03/the-coming-cyberwars/ for previous discussion). In that post I discussed the (improbable, I thought) claim of a Russian official that his assistant had started the attacks for purely patriotic reasons. Now there’s a new story that the previously unnamed assistant has come forward and said it’s true, and added some fascinating details.

In an article by Charles Clover in the Financial Times (Kremlin-backed group behind Estonia cyber blitz), the assistant in question, a Mr. Konstantin Goloskokov, is quoted as claiming not only that he started the attacks but – and this is the really interesting part – that he enlisted members of a group called Nashi to carry them out. He insists that the decision to do this was spontaneous, not something prompted by orders from the Russian government, and that there was nothing illegal about it. It wasn’t a denial of service attack, it was just more service requests than the Estonian servers could handle. The article does not say if he used air quotes or an “end sarcasm” tag when explaining this.