Author Archives: Marcus J. Ranum

About Marcus J. Ranum

Marcus J. Ranum, CSO at Tenable Network Security, Inc., is a world-renowned expert on security system design and implementation. He has been involved in every level of operations of a security product business, from developer, to founder and CEO.

The Best Defense Is a Strong Defense. Never Fight a Land War in Cyberspace.

Summary: While defense experts obsess about the relative advantages of different military hardware (e.g., the A-10 vs the F-35), the US has unleashed the tools of cyberwar on Iran. We can expect more in the future, begun by friends and foes. So let’s learn the rules. Today Marcus Ranum explains the nature of attack and defense in cyberwar, and the advantages of each. {2nd of 2 posts today.}

Introduction

My 2014 presentation “Never Fight a Land War in Cyberspace” compared key elements of warfare in the real world with warfare in cyberspace, exploring the interchangeability of tactics and strategy in those domains. I expected that “cyberwar” would have similar underlying principles as regular war, but found that “cyberwar” bears no resemblance to warfare at all — tactically or strategically. Of course it fits in the overall grand strategy of conflict and power, but our tendency to reason by analogy breaks down quickly here.

In this series I will lift some of the main themes from that presentation and give them the more detailed explanation they deserve.

I will use two terms as shorthand.

“Cyberwar”, which I do not think is a real thing, as shorthand for “conflict in cyberspace” — which I consider real. This series continues my attempt to explain why “cyberwar” is not a useful concept; unfortunately, the term has taken on a life of its own. Caveat Emptor.

“Topological warfare” as shorthand for the idea of warfare that is bound to a real-world existence. The real-world-ness of topological warfare is the basis for what we know as military strategy and tactics; it’s an environment in which armies have to eat and cannot move at light speed, etc. The topological nature of warfare deeply penetrates virtually all of our thinking about strategy and tactics.

“The Best Defense is a Strong Offense”

The horror of cyberspace: we can’t easily identify our attackers.

Summary: In this last of Marcus Ranum’s 2 posts about identifying cyber-attackers, he explains why the usual methods we read in the news are quite fallible — no matter how confidently they’re stated. Our difficulty with this is a common if scary aspect of modern warfare and crime.  {2nd of 2 posts today.}

Attribution Is Hard - Part 2

By Marcus Ranum, Senior Strategist at Tenable Network Security

This article originally appeared on the Tenable Blog.
Reposted with their generous permission.

Yesterday’s part 1 described a classic hacking incident and discussed the challenges of establishing attribution. Today I explain what weak attribution is, and I conclude the discussion on the four requirements of establishing attribution.

Yesterday’s cliffhanger probably left you wondering what I mean by “weak attribution.” There are several forms of weak attribution that warrant discussion.

Attribution by tools

The first form of weak attribution is an argument based on tools used, if those tools are available in the wild to security researchers. Just because a tool is available and used by an attacker doesn’t mean that any other frequent user of the tool is your current perpetrator. There are plenty of hacking tools available for repurposing by other attackers. I hate to sound like a cynic, but apparently some people haven’t yet realized that there are security researchers who play both sides of the game-board; if I wanted to go rogue, I could assemble a state-of-the-art set of custom “state-sponsored” quality malware in about a week.

Tools are clues, not fingerprints.

Attribution by guessing about cui bono

How do we identify our attackers in cyberspace?

Summary: The news overflows with confident identification of cyberattackers. Today we have an account of hacking from a defender’s perspective, explaining the difficulty of attribution, written by our co-author Marcus Ranum. After reading this, you’ll regard the news about these things more skeptically. {2nd of 2 posts today.}

Attribution Is Hard - Part 1

By Marcus Ranum, Senior Strategist at Tenable Network Security

This article originally appeared on the Tenable Blog.
Reposted with their generous permission.

In 1995 I landed my first independent consulting project: an incident response for an important financial institution in New York City. That experience has informed my attitude about attribution ever since, because it was one of the rare incidents I’ve ever been involved in when we actually learned the identity and location of the attacker with a high degree of certainty.

The attacker was accessing an X.25 connection to the institution, had guessed an account/password pair on one of the Unix hosts, logged in and began looking around. He was first detected by one of the system administrators who noticed something unusual: a service account that normally didn’t log in was logged in, running the telnet command. An incident response team was assembled and we started charting out what was going on, what the attacker was doing, and when the break-in had occurred.

The financial institution was extremely lucky that the system administrator was so observant: the attack was discovered within the first 3 days of the initial break-in. As shown in this animation:

In cyberspace you don’t see your attacker (that’s why we don’t know who hacked Sony).

Our hawks (aka warmongers), with their loyal journalist-enablers, have sparked a new round of hysteria about North Korea’s cyber-attack on Sony. Kim Zetter at Wired gives a good analysis in “North Korea Almost Certainly Did Not Hack Sony”. The Hollywood Reporter cites insiders pointing to disgruntled current or former employees (Sony has many of both). To understand why we might never know the guilty party, see this post by Marcus Ranum from 2011: attribution of cyberattacks runs from difficult to impossible.

Cyberwar: About Attribution (identifying your attacker)

Summary: Identifying the attacker is the key to modern military defense, so one can launch a reprisal or counter-strike. But attributing cyberattacks is difficult because nothing in cyberspace has to look like anything familiar. How do you attribute a weapon that was created out of thin air and used by an enemy that has no physical location? Links to other chapters of this series are at the end.

Contents

  1. Cyberspace, Novel Weapons, and Location Independence
  2. Technology, Language, Culture, and Cui Bono
  3. A Model For Attribution
  4. About the author
  5. For more information

(1) Cyberspace, Novel Weapons, Location Independence

Cyberspace does have some unique attributes which are not mirrored in the real world, such as the nonexistence of “territory”. There is no “there” there. Some of the things we are accustomed to taking into account in warfare are missing: hostile forces do not need an ‘assembly zone’ that can be detected and watched. Nor do they have to cross ground — where they leave traces of the type that we’re used to dealing with.

Imagine if a hostile power was going to insert a covert operations team into a target area and wanted to be stealthy enough to achieve plausible deniability. In the past troops could be outfitted with uniforms that had been carefully scrubbed of clues to their origin, “sanitized” weapons, etc. Providing such kit was expensive and exacting work. Inserting them into a target, nowadays, would entail avoiding the ubiquitous video-surveillance cameras, providing false identities under which to travel, laundering funds for the operators, and then having an equally carefully scrubbed extraction plan.

In the real world, this kind of thing is expensive and complex. In cyberspace it is relatively easy and practically free. There are some caveats about the “easy and free” claim, depending on the quality of the defenses that are being attacked but — as we’ve been assured over and over again by our government’s own technical experts — our defenses, to put it bluntly, suck.

Cruel, deliberate, and unusually vicious. It’s us.

Summary: Today, one of the bloggers that I follow regularly linked to Charles Pierce’s angry opinion piece on the State Of Oklahoma’s execution of Clayton Lockett: Barbarians In Oklahoma. Because I’ve recently been under a general anaesthetic for surgery, I was curious and decided on a whim to look up the drugs used in the “lethal injection cocktail.” Shaken and upset, I hope that my interpretation of the pharmacological effects is wrong. I’m pretty sure I am not.

Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.
— Eighth amendment to the US Constitution

Contents

  1. Introduction
  2. The three drugs
  3. Putting it all together
  4. Death with Dignity
  5. Torture is a crime
  6. About the 8th amendment
  7. For More Information

(1) Introduction

Let me state for the record that I am not an anesthesiologist or a pharmacologist. I am currently trying to vet this material with a few professionals and am already gathering feedback that leads me to believe I am not wrong. I may be. If I am wrong, I will publish a suitably public correction/retraction.

(2) The three drugs

The lethal injection package consists of three drugs given in sequence.

(a) The First Drug

The first drug is a mild hypnotic/dissociative. The subject would feel sleepy and dizzy, but it would not provide an anaesthetic effect. Hypnotics are often used in surgery because they tend to block the formation of long-term memories; subjects appear less likely to suffer PTSD symptoms as a result of surgery if their ability to remember the experience is blocked.

(b) The Second Drug

The second drug is Vecuronium Bromide – basically, Curare. Curare causes rapid and severe paralysis of muscles. The subject remains conscious and the curare does not block pain; it renders the subject unable to move, blink, speak – or breathe. Someone on curare feels as if they are being held down by impossible force, and they begin to strangle as their diaphragm muscles stop functioning.

The Empire Strikes Back: The Demonization of Snowden Begins

Summary: Marcus Ranum, our in-house cyber-expert, looks at the next stage of the government’s defense against the revelations of NSA surveillance. Like the surveillance itself, they rely on non-governmental agents to get the job done.

I’m sure we’re all shocked to see attempts to downplay the significance of the PRISM story.

What’s that you say? You’re not? Well, me either.

That was why I rushed together my article about finely slicing the word salad of “direct access” to servers, etc. It’s useful to try to clarify in advance the lies you are about to be told – it makes them more clear.

The attacks on Greenwald’s scoop tend to break into four categories:

  1. Traitor! Traitor! USA USA USA!
  2. It’s not new; we already knew all that.
  3. It’s not possible, it’s not feasible (reasons given)
  4. That’s not true! (no reasons given)

The people taking the second line of reasoning above either haven’t done their research or are deliberately ignoring the rich history of leaks about this kind of stuff dating back years. Past leaks about the surveillance state show not only the desire to massively tap data, but the resources spent doing so, and the technological capabilities. It is the latter that give the lie to responses such as farcical stories about thumb drives and FTP. Oh, we can be sure that thumb drives and FTP have occasionally been used, but that’s probably to collect information that can’t be gotten indirectly.

People who claim that Greenwald has it wrong are ignoring the rather obvious fact that the “Boundless Informant” slides show 97 billion records of data being injected into the system daily. That’s a lot of thumb-drives worth! They also are ignoring that Greenwald says there are more disclosures to come; my suspicion is that Greenwald has a couple bombs left up his sleeve and he’s waiting for the surveillance state to strongly stake out a position before he pulls the carpet out from under them.

Articles such as Rick Perlstein’s article in The Nation (“Glenn Greenwald’s Epic Botch?“) – title complete with face-saving question mark – show a lack of understanding of history. If Perlstein’s “no expert”, as he says, he should probably invest a day or two studying, rather than an hour or two writing. I find it amazing that any journalist would take a corporate spokesperson’s words at face value when they’re responding to a crisis, without researching the back-story. Was he born yesterday?

Previous whistle-blowers such as Mark Klein, who revealed the existence of Room 641A, have already described systems that align perfectly with what Snowden has revealed. For that matter, Duncan Campbell was documenting ECHELON back in the 80s.

Someone call Nixon’s plumbers. We need them again.

Summary: Marcus Ranum looks to our past — the government’s history of surveillance — to see the future which the government’s vast surveillance machinery makes possible, and perhaps will help bring into being.

We prepare the way for a Leader

The NSA Doppelganger and Enemies

The Nation currently has an excellent piece on some of the history of surveillance in the US. Combine it with reading Tim Weiner’s latest book Enemies, and you have a picture of a government that has always illegally surveilled its citizens (also see Subversives: The FBI’s War on Student Radicals, and Reagan’s Rise to Power).

Occasionally, as today, we are brought to confront that fact, and it’s always instructive because you can tell from the backlash how badly it stung those who enjoy secret power and status. The rule of law is something that you criticize other countries for not following. This amounts to moving from “US Exceptionalism” to exceptionalism for the US power elites.

In the long term it’s poor strategy because it amounts to building the weapons that will eventually be used against one faction when there’s a disagreement among elites. It’s laying the framework for an eventual takeover of the republic by centralized power. The more you centralize and aggregate power, the worse it is when your Stalin or Bonaparte comes along. As soon as one faction of the power elites realizes they can use the power of the police state to silence internal dissent among the elites, rather than simply controlling the lumpenproletariat, the republican experiment will be conclusively ended.

What the article at The Nation, and Enemies show us is the constant presence and evolution of a society that does double-entry bookkeeping regarding the rule of law. While the US sports the largest prison population in the world thanks to the endless and unwinnable War On Drugs, the elites casually excuse each other for crimes that would result in long jail sentences for the 99%. Indeed the very notion of criminality becomes inverted and corrupted when it’s a greater crime to disclose a crime than it was to commit it in the first place.

The problem with living under a system that is so immoral, Kant would tell us, is that we can only expect its immorality will eventually be turned upon us and we will suffer in turn.

Irony is not the tool for patching leaks
