Wednesday, March 11, 2015

Three Things Hackers Know That You Don't

[In this intermission in the "Personal Data Security" series, I discuss key factors in the security landscape that the general public and media overlook.]

The Situation?
The situation is this: In an increasingly digital society, the forces of crime, espionage and anarchy have turned their attacks to the modern computing infrastructure.

Vendors and software developers simply can't keep up with the round-the-clock onslaught, as genius uber-hackers and cyber-terrorists write bewildering, masterful code that no one could have predicted.

Despite their best efforts, major businesses fall prey: Customer data is lost, all parties suffer equally. Curse you, demon horde!

Sorry, but - bullshit.

The Situation
These systems have never, ever been secure.

They were designed insecurely, because market pressures reward the release of the product far more than its security, the latter being basically invisible.

Increasing the security of an operating system, application, or device is mostly a matter of diligence - which means increased complexity. The code will be more complicated, as it checks for many "edge cases" that shouldn't ordinarily occur - but would be deadly if they did. All of this extra checking will slow it down. More time and effort must be invested to make it secure, but also still fast.

If life is good, you will never even know the difference, because the condition is not supposed to happen anyway. So that's a lot of extra resources invested in features that you will never know about.

Um, yeah...we're going to invest in that - and lag the competition to market. Real soon.

The Bottom Line is Still Tops
Do you get the "network inspection engine" part of the security product alone, or with the "security intelligence and monitoring" component - which doubles the cost? Can you live without the monitoring component? Probably. Should you? Clearly not. But of course the bottom line will usually win out.

High encryption on everything, or just the "important" systems? Encryption slows everything down, which means you'll need more powerful computers (or routers, or VPN concentrators).

At every turn, the basic economies of business force almost everyone to the lowest common denominator - lest your competitor make widgets cheaper or faster than you.

Cutting close to the bone and running against an enemy of unknown size and force? Sounds like a heartbreak in the works, folks.

Fat is in the Fire
The systems are then deployed insecurely, owing to much the same corner-cutting dynamic.

Sometimes systems are deployed insecurely against the vendor instructions or designs. But often, no additional ineptitude is required: Many of these products bring with them inherently insecure architectures.

For example, most corporate LANs are overflowing with local (usually Windows) communications traffic and capabilities. If you are at your work computer now, there's a very good chance it's offering a wealth of totally superfluous network services - for file sharing, for example - that you never use. What's that you say? Close those unused doors and instantly decrease the "attack surface" dramatically? Great idea! (1)

Unfortunately, years of experience have taught savvy field admins that it is far more expensive to turn such things on "as needed" - usually an in-person, i.e. expensive, process - than to simply turn on everything they even remotely think you might ever use.

But even if you've never used them - and never will - there are people who can and do put them to use (and most of them are on IRC).
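To make the "unused doors" concrete, here is an added example (not from the original post) of the kind of check an admin can run against the `netstat -an` output mentioned in note 1: it parses the listing, keeps only sockets that accept inbound traffic, discards loopback-only ones, and reports every exposed port that is not on an explicit allowlist. The netstat text, the allowlist and the port labels are constructed for illustration and are not data from any real host.

```python
"""Attack-surface audit: flag listening sockets that are not on an allowlist.

Added example. The netstat output below is constructed (not captured from a
real host), and the port labels are common names chosen for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -an` output from a hypothetical Windows
# workstation. TCP sockets that accept connections show state LISTENING;
# UDP sockets have no state column and show "*:*" as the foreign address.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49701     203.0.113.10:443       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:5355           *:*
  UDP    127.0.0.1:1900         *:*
"""

# Labels for well-known ports (assumption: generic names, not host data).
PORT_LABELS = {
    135: "MSRPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session",
    445: "SMB file sharing",
    1900: "SSDP/UPnP discovery",
    3389: "Remote Desktop",
    5355: "LLMNR",
    5357: "WSDAPI (Web Services for Devices)",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


# One netstat row: proto, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def parse_listeners(netstat_text):
    """Return the set of sockets that can receive unsolicited inbound traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, blank lines
        proto, addr, port, _foreign, state = m.groups()
        proto = proto.upper()
        # TCP: only LISTENING sockets accept new connections.
        # UDP: netstat prints no state; every bound UDP socket can receive.
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        found.add(Listener(proto, addr, int(port)))
    return found


def exposed_listeners(listeners):
    """Drop loopback-only sockets; those are not reachable from the LAN."""
    return {l for l in listeners
            if not (l.addr.startswith("127.") or l.addr in ("::1", "[::1]"))}


def audit(netstat_text, allowed):
    """Return sorted (proto, port, label) for exposed ports not in `allowed`.

    `allowed` is a set of (proto, port) pairs the admin has deliberately
    decided this machine must offer; everything else is a door to close.
    """
    exposed = exposed_listeners(parse_listeners(netstat_text))
    unexpected = [l for l in exposed if (l.proto, l.port) not in allowed]
    return sorted((l.proto, l.port, PORT_LABELS.get(l.port, "unknown service"))
                  for l in unexpected)


if __name__ == "__main__":
    # Assumed policy: only Remote Desktop is needed on this workstation.
    for proto, port, label in audit(SAMPLE_NETSTAT, {("TCP", 3389)}):
        print(f"{proto:3} {port:5}  {label}")
```

Run against a real `netstat -an` capture by reading the file instead of `SAMPLE_NETSTAT`; anything the script prints is a service the machine offers to the whole LAN without anyone having decided it should. On the constructed sample, with only Remote Desktop allowed, the report lists six listeners (RPC, SMB, WSDAPI, NetBIOS name and datagram services, LLMNR) and correctly ignores the two loopback-only sockets and the outbound established connection.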

The implication that these weaknesses in security (which have led to every single compromise you've ever heard of) are somehow endemic to the nature of modern digital business is provably false. One may as well claim that scissors are just inherently dangerous, and running with them had nothing to do with one's gushing stomach wound. "We are mere victims!" they cry.

Each of these services acts a lot like a door. Some may be locked. Some have little more than an "Employees Only" sign. Others can be tricked into opening, because (guess what) someone didn't write the code to check for that trick. Because (guess why) it wasn't profitable.

Absolutely typical internet stupidity.
This proliferation of services permeates the internets: The computers inside them, their network infrastructure (2) - sometimes even the systems actually designed to defend this stuff.

Nearly everything, everywhere - running unnecessary services and other superfluous components that offer doors that don't even need to exist - out of ignorance, laziness, convenience, or financial expediency.

And you can add your phone to the list. (3)

Give Me Convenience Or Give Me Death
Security experts have long acknowledged that these compound factors make computing too variable to assume everything a machine is asked to do is actually safe.

The solution is limiting what users can do to "ordinary" tasks (say, computing a spreadsheet) and requiring special "super powers" to do crazy things like update Operating System components. Or install software that records your keystrokes.

Oh, hey, funny story: Remember when that IT geek came to install the new Office? Then you tried to print and it said you had to install a printer driver? You clicked "Ok" but it said you needed to be an administrator. Well, you caught geek boy (or girl) and they said they'd install it for you. But you're no baby! Man, you gave them what-for. You must have administrative authority over your machine, right? Make me god, techno gopher! (4)

There's a very good reason that they wanted you to run as a "powerless" user. A powerless user is a safe user. Well - safer, anyway. Unix took this lesson to heart early, though it still falls to users to live by it.

And did someone mention digital death? Well...that would be my department.

Securing the Eggshell
Now you've got a network full of insecure operating systems, dialed-down to their weakest setting so you don't complain to the admins - who have given up, and are trolling Craigslist and playing Fantasy Football.

But we can still secure the network itself, right? You've got firewalls, and intrusion prevention systems, and web application filtering doohickeys. We can watch for foul play, and release the hounds at the first sign of trouble!

But at what sign? There is so much activity in and around a modern corporate or service network, it's like trying to hear a whisper at a Metallica concert (5). The subtleties of these architectures are now such that it requires an expert - in your specific environment - and armed with some pretty fancy technology, to distinguish between what is "normal" and what is not.

In the best environments, you will find this person (or persons) in and around the Network Engineering, Network Security and/or Security teams. They'll have spent sufficient time and effort - the company will have invested those resources - to know the strengths and weaknesses of the digital "castle" they have vowed to protect. They'll have the tools they need to monitor the chaos, and keep order. They are the cyber-knights of this chapter of digital security. Their story is for another day.

But these capabilities are expensive, and - when employed properly - have no noticeable impact. That's right: If we do our job right, you won't even know we do anything useful, at all. How's that for a selling point, huh?

As you can imagine, this doesn't inspire businesses - who are in it for, you know, profit - to spend a lot of money on security. Or like - any. And if they haven't been hacked, why should they? As far as they know, there's no actual existing problem to be addressed, yet. You try convincing the board to spend half a million dollars on "security intelligence" which hopes to discover - best case scenario - nothing at all.

Of course, as should be obvious to all by now, you either have been - or will be - compromised. You just don't know which, yet.

Regulations to the Rescrew
Wait, did I mean rescue? No. I definitely did not.

The situation is further constrained by regulations that, sadly, are designed to help. While the threat of regulatory penalties (6) helps to balance the demands of running a business at the lowest cost against the expense of good information security, it necessarily inspires companies to prioritize the regulatory demands first.

First in the security budget are all of the things required to ensure the company does not fail an audit for regulatory compliance. Auditing systems, software and services will be bought, and extensive records will be kept. All of which does absolutely nothing to help secure the network, users or systems - but does a great job protecting the company from liabilities when the inevitable incident occurs.

No surprise, then, that there's not usually much left - in love or resources - for the mission of "riding range" in these digital badlands. And as a result, they're just about as rowdy and lawless as the real deal.

Bake Until Crispy
So that's the situation you've got. Inside pretty much every corporate network, most university campuses, nearly every service or vendor network that has anything of value to anyone, and also at a horrifyingly large percentage of important networks and systems that you would really rather not even know about.

For our younger readers: The Clash
That's the rule of the day, in the digital world: Overflowing chaos, mismanagement, and the absolute minimum investment required to cover one's own ass - "never mind the people" as The Clash put it.

In this morass, brilliant but too-small in number, dedicated but under-powered white hats, grey hats, and unhackers (hi!) are losing a battle against expanding hordes of an organism similar to them genetically, but of a lineage criminal, economically disadvantaged, or nihilist. (7)

Mea Culpa, Ad Infinitum
And all of this hand-waving from the businesses, vendors and services begging forgiveness when they lose your data? It is totally - and completely - bullshit.

They knew precisely the risks of the systems, applications and configurations they chose. Because their security people told them. There was a 30-page report. There were instructions on what had to be done and how much it would cost. It was all delivered, signed-off as "accepted risks", and promptly lost behind a filing cabinet in a flooded basement.

They run fast and loose because it is cheap. And that's business - you can't really blame them, any more than you blame car makers for not adding seat belts to cars until customers demanded it.

Nor can you blame them any less.

And that is really where the conversation needs to go: Business must be held accountable to what amounts to a modern consumer's digital safety, with respect to their products and services. It is absolutely not sufficient, or acceptable, for them to simply fall on their swords and claim they were outsmarted by "genius hackers".

Because we know they were not: They were running naked in a world populated by flying, heat-seeking piranhas. And yeah, that's going to hurt. Unfortunately we are all bitten in the process.

Given that the capabilities exist to avoid these incidents, and they choose not to spend money they are not required to spend (big surprise), the now-accepted "oops, sorry" response is not even valid.

Simply put, it's just a cost-effective lie.

The current "digital contract" between business and consumer abandons you and your data to the tender mercies of the internets.

But this isn't new, is it? Isn't it really just the time-honored business classic known as the "screw you"? They cut the corners, you pay the price. I'm pretty sure that if we look at the history of capitalism, we'll find this situation doesn't usually resolve itself in the consumer's favor.

We're the ones that have to demand digital seat belts.

Why Three Things is Enough
That's really the only thing hackers know that others don't. The rest is just "geek trivia" - what code goes where, how some protocol works. None of these things, in their design, are supposed to be dangerous.

What hackers know that you don't is that the "information superhighway" (6) is constructed of eggshells, suspended on popsicle sticks and guarded by unarmed Red Shirts. (8)

The Hacker Secret is simply the reality of the chaos that you are already soaking in:
  1. Systems are not built as well as they could be, and code is not as secure as it could be, because those things cost money, and no one really sees the benefit. (9)
  2. It is all then deployed insecurely because it's easier and cheaper, and because you insist on installing your own printer drivers. Also Angry Birds.
  3. The people who could help, who are indeed your only defense, are negated by economic constraints, poorly equipped for the fight, and quickly being overpowered by sheer numbers.

Humans Are Stupid - But Computers Are Still Stupider
Computers are, even now, still utterly stupid. Hard-wired to obey any instruction alleged to come from their user, in their current form they will probably always be hackable (10). Future computing paradigms may well change this, but the problem we face isn't subtle or academic in any way.

The current security "standard operating procedure" for businesses is so fast and loose, that were it applied to their financial dealings, they'd be in jail. Tomorrow.

This aspect doesn't get much coverage in most media reporting, but you wouldn't expect it to. The corporate victims, paying the technical debt incurred by their shortcuts, would certainly love you to believe there is nothing they could possibly have done any better, in your defense.

Just ask yourself how often, in your dealings with for-profit business, has that ever - ever - been true?

And it's not a glamorous tale to tell, either. A super hacker outsmarting a Fortune 500 has got to be a more romantic story than - oh, say - just plain getting screwed over by negligent business practices, again, for (big surprise) an extra buck on the bottom line?

No, hackers - by and large - are not super-powered cyber wizards. Not that they couldn't be. They just don't have to be.

Because the target is soft as cream cheese. And no one is even watching.

Notes

1. I know, I know, I should provide more data. Someone send me a netstat -an from their work PC, I've no Windoze box atm. Some of you may also be skeptical that businesses typically know about most of these problems well before they are "surprise, hacked!" I'll have to compile some more data on that....

Update: Let's get that data! Please answer my anonymous 4-question survey about "security defect negligence".

2. Don't believe me? Spend a few minutes getting to know ShodanHQ, aka the Hacker's Google and one of my secret weapons. As search is to web, Shodan is to external passive reconnaissance. Any night of the week you'll find thousands of network routers and other key infrastructure with their admin consoles hanging right out of their pants. It's unseemly, to be honest. Buy a belt.

3. While we're at it, why anyone would be eager to connect the rest of their life - refrigerator, car, light bulbs - to this murky digital cesspool is beyond my comprehension. I'm looking at you, "Internet of Things" fanboys.

4. If you think that example was specious, here are just a couple of Windows vulnerabilities, selected at random, which would not have worked had users not been logged-in with administrative powers:

    MS14-060 OLE Remote Code Execution
    https://technet.microsoft.com/en-us/library/security/ms14-060.aspx

    MS14-066 Remote Code Execution
    https://technet.microsoft.com/en-us/library/security/ms14-066.aspx

5. Yes, I am old.

6. The privacy component of HIPAA, for example.

7. Or whatever, I'm not political. You know whether it's okay to steal, or spy, or not - and if you don't, then you don't (and go stand over there please).

8. Insert picture of red shirts here. And remind me to write sometime about how security teams are thrown under the bus after every single customer information disclosure "incident."

9. In the same way no one really sees the immediate benefit in water fluoridation. Today. Tomorrow it might matter.

10. For the truly geek-inclined, check out Dave Ackley's discussion of "Robust-First Computing" and start thinking about how an "unhackable" computer might differ from the gullible calculators on which we currently rely: https://www.youtube.com/watch?v=7hwO8Q_TyCA