Security Old School vs. Security New School

[Image: leaning tower of Pisa [1]]

As difficult as technology change is to anticipate, it’s even more difficult to determine its impact on our security and privacy.  Our security choices are predicated upon knowledge and assumptions that may have been appropriate at one time but are no longer appropriate.  Attackers feed upon our complacency and our misguided sense of trust.  This is why people are taken by surprise when attacks occur.

Before I get started, I feel some explanation is worthwhile about my use of Security Old School vs. Security New School.  Old School is simply our security attitudes, thoughts, or actions around a topic at some point in the past.  New School is how we should think and act about the same topic given changes in the world and industry.

Following are a few points I would like to touch upon lightly to educate readers and raise awareness.  It’s not an exhaustive list, just some points I’ve considered at the time of writing.

Security Whack-a-Mole
Old School, Organizations can be destroyed or rendered ineffective by targeted attacks
New School, Leaderless organizations are difficult to control or destroy

Combating terrorist organizations is difficult enough for nation states; consider the years of searching for Osama Bin Laden and the resources required.  Now consider an organization like Anonymous.  Leaders emerge from the organization’s background from time to time, rise to prominence, execute their agendas, and recede into the background.  It’s hard to imagine how nation states will be successful against Anonymous.  Anonymous is essentially an ideology, and fighting an ideology requires a different type of program and different techniques.  It was difficult enough to find one man, let alone thousands of individuals.  This is why governments abhor anonymity; it’s impossible to fight what cannot be seen.

Vulnerability Reports
Old School, Researchers reporting vulnerabilities to organizations for industry recognition
New School, Researchers sell vulnerabilities to highest bidder

In the past, independent security researchers reported vulnerabilities to companies out of professional courtesy.  Being the researcher who finds a 0-day vulnerability in a package deployed on everyone’s computer creates fear; fear commands attention and, more importantly, recognition and respect.  The objective of reporting was to earn some individual credit, garner a fan club, and move on to better paying or more interesting jobs.

Increasingly, gray hats are getting a little dirtier and becoming more militant and mercenary [2].  Vulnerabilities are a traded commodity, and if you possess the commodity then you can conduct business.  A single unpublished vulnerability resulting in a complete host compromise may fetch as much as $100,000 USD.  Find a vulnerability or two and you can pay off the mortgage on your home.  That is a tempting proposition for talented gray hats living in impoverished countries: deliver pizza, or sell vulnerabilities for lots of money?  Not much of a choice.  Resting on the good nature or professional courtesy of these individuals is far too much to trust, in my opinion.

Vulnerability bounty programs are an essential tool to motivate gray hats to make the best choice for organizations.  There’s no guarantee organizations will not be double-crossed.  For instance, a researcher may sell a vulnerability to a bounty program and also sell it on the black market, doubling their money.  The one real guarantee a vulnerability bounty program provides is that, in addition to Internet baddies, organizations will also be informed of their vulnerabilities.  It might feel like borderline extortion, but this is the world we live in today.  The best way for organizations to avoid such dilemmas is to ensure security investments are commensurate with the level of risk.  Don’t let pride or arrogance stand in the way; you either play by the new rules or you’re not included.

Vulnerability buyers may be anyone from nation states to corporations and well-funded individuals.  Why hire and manage a team of security ninjas when you can amass a battery of vulnerabilities to launch like Scuds at your command?  Cash is King, as the saying goes.  The security ecosystem is changing like global warming.

Cyber Weapons
Old School, Your enemies dropped bombs causing terror, people hurt or die.
New School, Your enemies tamper with critical infrastructure, no terror, people hurt or die.

What is a Cyber Weapon?  A cyber weapon is malware engineered for military purposes.  When a bomb falls from the sky and explodes on its target, it’s terrifying and lots of people can be hurt or killed.  A cyber weapon is different.  There are no explosive impacts, no direction you can run, and quite likely no terror.  But the effects are very real.  A city may find itself without critical infrastructure like electric power or water, and lots of people may die.  Imagine a hospital in the summer with no electricity and no air conditioning.  Attacks against critical infrastructure have been around for many years.  My favorite was a disgruntled worker releasing millions of gallons of raw sewage onto the Australian countryside [4].

Truth in Numbers
Old School, A product or service is good if it has lots of “likes” and positive reviews.
New School, A product or service is good if people you know personally like it.

It’s more or less common sense that large numbers of “likes” or positive reviews for a product or service mean it’s good, right?  Well, it’s not exactly a guarantee anymore.  Economic incentives to fake “likes” and positive reviews are powerful motivators.  Couple economic incentives with the low cost of labor in many nations and what do you have?  Internet Water Armies.  Internet Water Armies [3] are large virtual labor forces used to artificially inflate like counts and write positive reviews for products and services.  Water armies are used to influence crowd behaviors like purchase decisions and public opinion.  The best way for individuals to combat opinion manipulation is improved fact checking: check with friends you trust, check multiple sources, and ask whether the reviews are of good quality (e.g., grammar, misspellings, etc.).  The amount of fact checking should be proportional to the value of the product you’re purchasing or the decision you’re making.  Really expensive decisions require careful checking, whereas inexpensive ones require less.

Service Anonymity in the Cloud
Old School, Internet services can be traced back easily to host providers
New School, Internet services deployed into cloud infrastructure are difficult to trace to host providers

The Pirate Bay (TPB) provides file sharing technology infrastructure to individuals throughout the world.  TPB servers do not host users’ files, but their infrastructure helps users locate and share files with network peers.  Often the files shared by users of TPB are commercial software programs, books, movies and songs covered by copyright.

TPB servers have been raided many times.  Like the evolutionary process of mutating genes, TPB has evolved from locally hosted services into globally hosted cloud services.  TPB services are virtualized as disk images for quick deployment and encrypt data in transit as well as data at rest.  Encryption makes shutting down TPB very difficult, since it’s not easy for ISPs to know they’re hosting TPB services.  Load balancers as well as services are virtualized and deployed in many locations around the globe.  TPB’s encrypted cloud deployment paradigm is likely to be adopted by organizations placing a premium on operational and user anonymity.  We will see more of this innovative architecture in the future, I’m sure; Tor exit relays are one example, and there are lots of possibilities.

Incidentally, even if you feel you’re completely anonymous and untraceable, I don’t recommend downloading from TPB or similar services.  I have nothing against TPB or copyright holders.  My concerns are limited to security and privacy.  Aside from the questionable legalities, such downloads are rumored malware vectors.  Perhaps it’s a rumor started by copyright holders.  Nevertheless, I don’t recommend it.

News and Information
Old School, News is reported by journalists and distributed via TV, paper, or electronic media outlets
New School, Everyone with a smart phone is a journalist; reporting is blistering fast and raw

Social media is changing the world.  When Hurricane Sandy struck the east coast I knew everything about it before I saw my first newscast on television.  The power of Twitter really impacted me when I saw tweets of a collapsed crane in New York.  I received the tweets an entire day before I saw it on the news.  Likewise, when the conflict in Gaza heated up, many people on the ground armed with smart phones posted news and photos.  Some of the pictures were shocking, showing the good, bad, and ugly of war raw and unedited right on our smart phones.  Of course, some individuals confuse fact and fantasy or conflate facts in their reports, but it’s no more or less worrisome to me than the highly polished and expertly crafted nightly news.

Anti-Virus
Old School, AV protects your computer from miscreants
New School, Be afraid…be very afraid

Anti-virus (AV) is definitely helpful, but it’s not the panacea it once was.  The weakness of AV is that it is signature-based: if your signatures are not up to date, or no signature exists for the malware in question, AV will not protect you when you are exploited.  AV can also create weird performance problems that are sometimes difficult for novices to identify, especially video gamers.  When AV is combined with a personal firewall it’s even more helpful.

A few quick tips for personal safety: use a firewall to block inbound network traffic.  Many AV programs come with built-in firewall controls; check your documentation.  Shut down any operating system components or services you don’t use.  Uninstall any unnecessary components you no longer use.  Don’t run as root on *NIX or with administrator privileges on Windows.  If you’re really serious about security you might consider full disk encryption.

Cloud Security
Old School, Data was stored in the data center of the company providing the service
New School, Data is securely stored and in the cloud

To me the Cloud is like All Natural or Organic.  If you’re telling me your cloud is secure, you might as well be selling me Saw Palmetto or St. John’s Wort for my health.  Most claim their solutions are secure, but evaluating them is difficult and time consuming even for those of us with a technical background.  For those with little technical background, you’re forced to take the claims of cloud providers at face value.

Even if your data is secure, it may be stored in offshore data centers without your knowledge.  How would you feel if your data were stored in China?  If you’re a US government agency or government contractor you may care.  Likewise, it’s getting difficult to find good applications that are not cloud enabled.  Users are almost forced to put data into the cloud.  Often features like syncing between desktop, mobile, and tablet require cloud support.  Cloud security is not a technology problem; it’s a security and privacy problem.  The industry needs better rules over the handling, use, distribution, and disclosure of personal data.

Abnormally Large Energy Bills
Old School, Increased energy use is an indicator of a residential marijuana farm
New School, Increased energy use is caused by residential Bitcoin mining

I included this for fun, and it’s a classic case of mistaken assumptions.  I was watching a DEFCON 19 video in which Skunkworks describes a home profiled by law enforcement and raided due to high energy consumption.  A little background: law enforcement uses electric energy consumption profiles as an indicator of marijuana growing, because stealthy indoor marijuana growers use energy-hungry lighting and hydroponics for growing plants.  During the police raid it was discovered the homeowner was not farming marijuana but instead mining Bitcoin.  Generating Bitcoin is a computationally intensive task.  The homeowner deployed a significant number of computers in his home, likely SLI GPU style gaming rigs, increasing his energy usage over other residences, and thus became a target for power profiling by law enforcement agencies.

Our society is becoming more and more Internet enabled every day.  The implications of our technological capabilities and connectedness often evade our notice.  As a colleague of mine would say, the genie is out of the bottle and the genie likes to be free.  There’s no going back to the way things were before.  The world is forever changed.  Our information systems are growing explosively across national boundaries, and they are sure to surprise us on occasion.

[1]  Pisa. Digital image. Openclipart.org. Openclipart.org, 2 Nov. 2006. Web. 1 Dec. 2012. <http://openclipart.org/detail/1186/leaning-tower-of-pisa-by-johnny_automatic>.

[2] Chickowski, Ericka. “How The Sale Of Vulnerabilities Will Change In 2013.” Dark Reading, 30 Nov. 2012. Web. 02 Dec. 2012. <http://www.darkreading.com/vulnerability-management/167901026/security/news/240142947/how-the-sale-of-vulnerabilities-will-change-in-2013.html>.

[3] “Internet Water Army.” Wikipedia. Wikimedia Foundation, 20 Nov. 2012. Web. 02 Dec. 2012. <http://en.wikipedia.org/wiki/Internet_Water_Army>.

[4] Danchev, Dancho. “SCADA Security Incidents and Critical Infrastructure Insecurities.” Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge, 5 Oct. 2006. Web. 02 Dec. 2012. <http://ddanchev.blogspot.com/2006/10/scada-security-incidents-and-critical.html>.

Author: milton

For bio, see https://www.securitycurmudgeon.com/about/