Forget everything you've read on The Reg or anywhere else about wars that target computer networks, power grids and other essential electronic infrastructure because it's loaded with fallacies, a prominent security consultant said Wednesday. Contrary to conventional wisdom, the damage from cyberwar can kill people, and those …
"The ability of attackers half a world away to take out any factory they choose whenever they want only seems to strengthen the point that cyberwarfare is indeed asymmetrical."
This technically does not put his two statements in conflict, though it certainly doesn't help them either. The point of the asymmetry statement was that the asymmetry is not inherent to the internet and network security. There's no real reason that a handful of well-trained "operatives" should be able to take out a facility guarded by hundreds of similarly trained "operatives." The current reality is that it does appear this way, but more often it seems like a couple of experienced crackers manage to take out a poorly secured facility, which shouldn't be too surprising really.
The Stuxnet attack also doesn't really contradict the asymmetry argument, because what asymmetry exists in that attack was actually in favor of the attacker to begin with. Every major report on the likely attackers showed that it was probably performed by a large, experienced and well-funded organization. In return the defenders never showed much ability to defend against such a well-organized attack. Thus, the asymmetry here seems more like a giant swatting a gnat.
A lot of the problem with computer & network security is that we have just learned how to build small forts and checkpoints for these computers. They seem to work well enough as near as we can tell, but the bad guys just keep smashing their way in anyway. Given time, we'll learn how to make huge nasty castles to defend our information and resources and the people trying to get in will find their work much harder, though still not impossible. However, at some point we may also need to figure out how to convince people to store their information in the safer castles, rather than their homemade forts.
"Given time, we'll learn how to make huge nasty castles to defend our information and resources"
Maybe when a few CEOs get jail-time for ignoring the obvious stupidity of putting critical resources onto a public communication system without several properly scrutinised mitigation processes to limit damage, and to allow local manual control/alternate systems to be restored safely by already-trained staff, then we might see the biggest of threats go away.
Really, it appears that most of the 'critical infrastructure' threats come from using crap-security-by-design systems (typically based on Windows, with all of the existing hacking tools and knowledge to lube things up, and not even using Windows to its best) and then making them remotely accessible to save money.
My rant for today.
I just wish there was a punishment for bad software
I mean there's software out there which, when you log in, it sends your login through an unencrypted TCP connection to a server. And if it's correct, it sends you back the administrator password for the MS-SQL server.
There's software storing _settings_ in SQL-servers! There's software which creates SQL statements by string concatenation so you can do SQL-injection.
There are operating systems out there which have network printer sharing functionality, which enables you to "print to file" on a remote system.
I believe we should allow programmers to be punched in the face for every security critical bug they create.
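The string-concatenation defect the comment above describes, beside its parameterized form, as an added example that is not from the thread. It uses an in-memory SQLite table with constructed rows; the table and column names are assumptions.

```python
"""Added example: SQL built by string concatenation vs. a parameterized query.
The sample table and rows are constructed here for the demonstration."""
import sqlite3


def make_db():
    # Constructed sample data; the "users" table is an assumption.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "user"), ("bob", "user")],
    )
    return conn


def lookup_concat(conn, name):
    # Defective pattern from the comment: user input is spliced into the SQL
    # text, so the database parses the input as part of the query grammar.
    # A plain apostrophe already breaks the statement; crafted input could
    # change its meaning instead, which is what SQL injection is.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Hardened pattern: the SQL text is fixed and the value travels separately
    # as a bound parameter, so it is never interpreted as SQL.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name):
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    return concat, lookup_param(conn, name)


if __name__ == "__main__":
    for probe in ("alice", "o'brien"):
        print(probe, compare(probe))
```

The apostrophe in the second name is enough to show the difference: the concatenated query fails to parse, while the parameterized one returns the row.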
A Prime Product
11 out of 10 for Dave Aitel, CEO of Immunity, for one real slick presentation with that slide show.
Utter, utter bollocks
Of course the asymmetry ("asymetricness" FFS!) is built in. Your factory, website, database, whatever is a sitting target and the attacker is as mobile as he can be bothered to be. The attacker can spend as much time as he deems appropriate to setting up (routes in & out, 7 proxies, dosed USB stick etc) and the target has no choice but to sit there. This is why guerrilla warfare is so effective.
Perhaps if the Governments passed laws
To prosecute companies and directors for not doing enough to protect the infrastructure, they would defend the systems they are responsible for properly.
Point: Most "industrial" systems shouldn't be world read/writeable.
And I mean at the bit-level, not a more human readable format.
Security starts from the ground, and works its way up. Security also needs proper nutrition ... If your system's roots don't have the proper fertilizer, your crop is going to decompose. There is a reason for the term "bit-rot".
The main problem with computer and network security, in my mind, is that the folks running the computers and networks have absolutely zero clue as to the underlying details of what is going on at the bit-level.
I blame the "ease of use" myth, first popularized by Apple, then picked up by Microsoft, and now Canonical is playing the same bogus card.
very true, but
You don't HAVE to be world accessible to be attacked. Stuxnet proved that little theory (which had been floating around for a while). You just need to accept that sneakernet is still a valid attack vector.
Yes, they should fill in USB ports with epoxy, but that really doesn't happen often.
Yes.. Stuxnet had to have world connectivity...
maybe not for initial infection, but it had to have some sort of outside world connectivity to get instructions from its C&C servers.
If the network had been air gapped, then even if the machines had been infected via USB, they would have just sat there, unable to get updates for what to do next
What a load of codswallop...
So "the defenders can make the decision not to run this crap, and it's a very easy one to make". Hey, there's a very similar joke about computer security, "The first rule of computer security is: Don't buy a computer".
Firstly, the environment you work in can force you to use products you know are flawed, because the people and companies you need to work with are using them, e.g. Microsoft Word when the macro virus problem was bad.
Secondly, there are classes of attack that cannot be eliminated:
Malware: if it can be programmed to do something useful, it can be programmed to do something damaging.
Denial of Service: there is a limit to system capacity that can be exceeded.
Bruce's big problem with Cyberwar wasn't the asymmetry, it was the anything-you-like definition, "there seem to be as many definitions of the term as there are people who write about the topic".
Anyway, why is everyone complaining about asymmetry? Especially the military? Military analysts have pointed out since the time of Sun Tzu that the warrior should make sure it is an asymmetric contest - to your advantage. A General who complains he is host to an asymmetric attack is saying he didn't do his job.
So speaks the man selling defensive products!!
I think you only need to look at what he's selling to understand his point of view. Current conflicts like Afghanistan have shown that relatively small numbers of poorly armed combatants can cause mayhem at relatively low cost to a much bigger force of heavily armed soldiers. The internet is exactly the same. You can be anonymous provided you are careful and cause mayhem to companies etc. (such as Sony) with relative ease. So, what he says is completely wrong and driven by his desire to sell more products.
All military personnel know that defending a small base is relatively easy and various conventional wisdoms exist over the force ratio required to attack such a base. The internet used to be like this, with small areas needing defending. However, the internet has now sprawled massively and the war is much more like Afghanistan. You can hold bases, but this is relatively useless without holding the ground as well. In Afghanistan, this is what's taking all the personnel and is largely a failure. Small numbers of insurgents are wreaking havoc, pretty much at will. In the same way, now that the internet has sprawled, you can't just hold the bases, you also need to hold the ground. And, at the moment, this is largely a failure as a small number of people can wreak havoc.
Even being anonymous on the internet isn't necessary anymore in some cases, as it rather depends on where you live. Someone in Iran sabotaging American websites is not likely to feel too threatened!!
Good point, wrong example...
Total Coalition deaths in Afghanistan since 2001 : 2583
Total Taliban deaths in Afghanistan in 2010 : 5225
Total Taliban deaths in Afghanistan in 2009 : 4610
Total Taliban deaths in Afghanistan in 2008 : 3800 - 5000
Now if you start to include civilian deaths it changes a bit, but you still can't say that the Taliban is causing "mayhem at relatively low cost to a much bigger force of heavily armed soldiers. " unless you have a very broad definition of "low cost".
Based on the number of fatalities from both sides I would say they're pesky or maybe irritating, but I agree with your point, if not the example you used.
says it all.
Always dangerous to disagree with Bruce
There is an inherent asymmetry in computer (in)security. Let's suppose I'm a car thief. I've heard of an infallible method to steal cars, but it only works against dark green Audi A5s manufactured between June and August 2009. In the real world, I'd have to spend a lifetime searching for the right target. But an analogous attack over the Internet allows me to try, almost without cost, millions of potential targets every night.
There have been numerous examples of malware searching for exposed SQL ports to attack. We all know (don't we?) that such ports should not be exposed over the Internet. But with countless millions of SQL servers worldwide, it only needs a tiny proportion of misconfigured devices to cause a substantial problem.
Forward thinking of them
I first read the conference name as "20th Unisex Security Symposium".
asides that undermined his premise
not hard to imagine, seeing as his premise is utter tosh.
(unless that is mastercard is _a lot_ smaller and anon is _a-fuck-of-a-lot_ bigger than I previously thought)
and the stuxnet observation - hubris or what! I'd rewrite it to say that the only people who didn't get what stuxnet really means are the idiots who wrote it, and Dave Aitel.
He may have some point, but hardly coherent.
Physical damage from "cyberwarfare" is overstated. Stuxnet isn't typical and there are simple methods to protect against such threats.
Computer configuration and user training is more important than any AV package.
Cyberwar: your worst enemies are your own people
They just aren't paranoid enough. They insist (despite all the education, procedures, regulations, warnings and threats of dismissal) on loading unapproved software or data onto supposedly secure computers. They take confidential information away on laptops or thumb drives - and then lose it. They don't bother to encrypt data they move around. They divulge passwords. They use company computers for personal entertainment and they leave them unattended with their work screens unsecured.
The biggest problem is that everything that goes on with computers is intangible. They never get to see the data that's so important and therefore disregard it. Even in cases where data is in physical form, such as paper, they STILL manage to treat it with such slapdash attitudes that it gets lost, left on trains or thrown away where anyone (who wanted it) could easily find it.
Hell, people don't even bother to cover their own tracks and delete emails that could land them, personally, in chokey.
I suppose the problem is that staff just aren't punished enough for their transgressions. Maybe that's because these systems aren't rigorously monitored and security protocols enforced: "Hey, Jim. I noticed you logged in to the central control machine yesterday without clearance. You know that's a sackable offence - pack your bags and this nice gentleman will escort you to the door." What we need for our secure and critical systems is the same sort of controls that banks have to prevent their staff sampling the product. It won't catch all offenders, but it should at least give us a better chance of repelling the invaders.
..The ability of attackers half a world away to take out any factory they choose
Really, I could find thousands, if not tens of thousands of factories that would be completely unaffected by a "cyberattack".
Not all machines have network connections and USB ports you know.
Coulda shoulda woulda
So the take home message is that it *is* as bad as everyone says, but shouldn't be? Well, we'll add that to the big heap of similar issues including poverty, healthcare, politics and the world economy.
Same problem against assassins/terrorists
The defender has to win every time, the legions of attackers just have to succeed once. A 99% success rate in defending your systems from attack just means that 1 in every 100 people get into your systems.
Software security certainly favours the attacker in terms of the disproportionate amount of effort needed to wreak havoc. To say otherwise is total bollocks.
Why? Because of the automated toolkits that can scan for vulnerabilities (SQL injection and XSS are trivial to do) on an entire website and exploit all of them in seconds. Now the defender could run the same toolkits to find out the vulnerabilities in their systems, but fixing them might cost millions, involve a hundred people from different departments in disparate geographic locations and take months of time to test and fix. If you're lucky, you'll have all the skills to do this in house, and not involve consultants or third parties to help you out or fix their software that your app depends on.
"automated toolkits that can scan ... in seconds"
You mean to tell me that the designers/implementers did not test this before they went live, and periodically during on-going support?
Tell me it is not so!
Stuxnet is the proverbial 'exception that proves the rule', to my mind. With all the cyberwarfare going on over the last decade or so, has there been any other actual real-life damage/injury directly caused by a malicious blackhat sitting at a keyboard or their evil electronic pets?
Actually, it's possible
I wish I remembered where I heard it, or even if it's true, but there was a story of a hacker who was paid to break into a medical database and change some information. According to the story, he later discovered that the change caused the patient to get the wrong prescription and die; effectively a murder by hacking.
Again, I can't verify this, but it's certainly feasible.
Mabel, the swimming monkey, RIP
OK, so it wasn't intentional, but a computer cock-up did kill a monkey.
(Really, this story and the phrase "Always use a scratch monkey" are classics in the field! Tch, kids these days!)
Great Game Muscle ..... Raising the Stakes into Quantum Cosmic Levels of Play
Err.... excuse me, but with regard to the slide [available for viewing here, http://prezi.com/wdqab38lxr89/three-cyber-war-fallacies-usenix-2011/] which reads ....
1. Cyberwar is asymmetric
2. Cyberwar is non-kinetic
3. Cyberwar is not attributable
Why do security groups think these things." .... does the presentation break down and extraordinarily render itself null and void whenever security [cyber security] groups don't think those things.
And "Aitel saved his most biting criticism to challenge the notion advanced by a chorus of renowned security analysts – Bruce Schneier and Deputy Secretary of Defense Michael Lynn by name – that the fundamental characteristics of the internet and critical infrastructure allow a handful of well-trained operatives to wage guerrilla warfare campaigns against much larger adversaries." just simply reveals that Aitel does not have the intellectual capacity or property to deal with, or provide, a handful of well-trained operatives able to wage guerrilla cyberwarfare campaigns against any and all adversaries, for that is the current fundamental characteristic of the internet which challenges critical infrastructures to provide SMARTer Security Intelligence Services.
Being on the defensive automatically grants initiative to the opponent letting them dictate the pace, timing and form of battles fought. This is a basic Warfare 101 principle.
Internet resources and assets are by their nature fortresses: i.e. they are totally defensive.
It is a trivial exercise to extrapolate that a priori web-connected assets are an inherently vulnerable infrastructure, and that the advantages lie with the attacker.
Systems are only as secure as their weakest link
... which, in just about every case, is the stupid man sat in front of the stupid computer.
Yes, systems and networks should of course be designed with security in mind, but as long as you have just one idiot who's going to walk off with a laptop full of unsecured data or plug in a strange USB stick into a critical system (nearly always because he doesn't know any better), this is always going to happen.
Educate the users, not the machines. If they fail to comply, fire 'em.
“The unfortunate thing is that price pressure means you're going to [build meters] with chips that cost about a half cent,”
Given that the meter is useless until you spend $50 in labor to install the thing, there's a definite asymmetry to building it weak just to save $0.005.