CyberSecurity Question Time on the FM website!

Ask any question about cyberwar or computer security, broadly defined. This is a topic area in which, in my experience, there is a great deal of “established wisdom” that is neither wise nor established. We — and others reading the FM website — will attempt to answer it in the comments.   All answers welcomed!


  1. Questions received so far
  2. Quote of the week
  3. To start the discussion: articles of interest about cyber-issues

(1)  Questions received so far

Click on the title to bring up this post. Then click on the link below to go directly to that question.

  1. What’s going on with Stratfor? Are they secure now or what?
  2. How important are SOPA/PIPA?
  3. Should I frequently change my password?  If so, why?
  4. Why hasn’t the credit card system been made more secure?   How secure are ATM cards?
  5. How can chip+PIN for debit/ATM cards be safer than credit cards?  My liability for credit card fraud is only $50 but unlimited for debit cards.
  6. Will the current cyber-bashing between the Saudi and Israeli hackers escalate? Will this be repeated elsewhere?

(2) Quote of the week

“Come on, people. I know that China hacking stories are plausible, but the bar for actual evidence should be higher than this.”
— Bruce Schneier in his “CryptoGram” blog

(3)  Some articles of interest to start the discussion!

(a)  You leave your right to privacy at the border

“Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices”, Electronic Frontier Foundation (“Defending your rights in the digital world”), 20 December 2012

Our lives are on our laptops – family photos, medical documents, banking information, details about what websites we visit, and so much more. Thanks to protections enshrined in the U.S. Constitution, the government generally can’t snoop through your laptop for no reason. But those privacy protections don’t safeguard travelers at the U.S. border, where the U.S. government can take an electronic device, search through all the files, and keep it for a while for further scrutiny – without any suspicion of wrongdoing whatsoever.

Am I the only one who finds it interesting that EFF has accurately identified that the enemy in this situation is our own employees?

(b)  Your laser printer is a computer; don’t leave it accessible to the Internet

“HP Issues Firmware to Address Printer Vulnerability”, HP, 28 December 2012 — Opening:

Last month researchers at Columbia University discovered a new class of security flaws that could allow hackers to remotely control printers over the internet.  The discovery even indicated that hackers could cause actual physical damage to the device by heating up its fuser to dangerous levels, possibly causing a fire.

This is not a new problem; in 1986 when I was a system administrator at a hospital one of my workstations was being probed by an MRI machine.

(c)  More accusations of Chinese Hacking

“iBahn, supplier of hotel internet services, denies breach”, IDG News Service, 15 December 2012 — “iBahn said it relentlessly monitors attempted hacks on its network.” Opening:

iBahn, a provider of internet services to some 3,000 hotels worldwide, denied on Thursday a news report that its network was breached by hackers. Bloomberg wrote that a highly skilled group of hackers based in China, which U.S. investigators have called “Byzantine Foothold,” attacked iBahn, citing unnamed sources, including one U.S intelligence official.

“Unnamed sources” should be dismissed without further ado; computer security is a complex issue and people who know what they’re talking about can and should go on record.


16 thoughts on “CyberSecurity Question Time on the FM website!”

    1. “Secure” is a state of mind more than anything else. If Stratfor are like pretty much everyone else, they have figured out how to address the problem that let the attacker in, then have spent some time hypothesizing other avenues of likely attack and fixing them, too. If they’ve done that (and it sounds like they have) then they’re OK in general. What can happen is what happened to Sony: they fix the usual stuff and tighten the places that are obvious potential leaks, but the attackers are motivated enough to figure out much more subtle – entirely new – avenues of attack. In that sense virtually nobody is “secure” – there’s always the danger that someone cleverer than you is going to cook up something that never occurred to you.

      What they suffered was embarrassing but mostly insignificant. Their data is not especially valuable and their customer-base has reacted with understanding. The main exposure is/was the credit card database.

      By the way, if you are in the habit of joining pay sites of any type, make sure you never use a debit card. If you have a credit card compromised, your liability is limited to $50 whereas with a debit card the contents of your bank account plus whatever overdraft protection your bank is willing to extend you is the limit of your potential loss.

      I know one guy who thought he was safe because he used a debit card and only kept pocket change in the account. When it was compromised his bank cheerfully extended the attackers $2,500 credit line in the form of overdraft protection. If you are in the habit of using paypal (a good system for making one-time payments) do not attach your paypal account to your personal bank account; go to a nearby bank and open a free checking account, put in writing on it that they should never extend overdraft protection for that account, use that for paypal and occasionally “top it up” with a check deposited at an ATM. I cannot emphasize enough how valuable these basic measures are.


  1. Was this intentionally timed to coincide with the SOPA/PIPA protest blackouts?

    How important are SOPA/PIPA? They certainly look bad… but has our self-authorizing executive branch (e.g., the ICE domain seizures) rendered legislation more or less irrelevant, anyway?


    1. No; this was not timed to coincide with anything.

      SOPA and PIPA are unimportant. They represent an ongoing trend in which the government, which completely “does not get” cyberspace and is still trying to catch up, is taking guidance from corporate interests on what government’s regulation of cyberspace should look like. That is and will be an ongoing trend – on one hand you have the copyright cops and on the other you have the intelligence/police-state: and they both agree.

      We’ll get new forms of bad legislation until they feel that they have the internet under control. Unfortunately for them that won’t happen – so the legislation will be a constant stream.


  2. 1: Should I frequently change my password? If so, why?

    Changing your password is mostly pointless, nowadays. In the olden days it was worth doing because many of the computers we’d log into would announce “last login Jan 6, 2012 from” (or whatever) or “there have been 5 failed login attempts since last login” etc. Nowadays nobody looks at that kind of information and most sites/systems don’t report it any more. One of the big values of changing passwords in this case was that it served as a sort of intrusion detection system – you could tell someone other than you had logged into your account. If you think about it, nowadays, you never get any indication that such a thing has happened, almost anywhere. That’s because today’s computer users are so infantilized that information like that is considered “confusing.”

    Password guessing is a real problem. Most web sites will not notify anyone or do anything if there are 1,382,278 failed log-in attempts on a user’s account. So do not use a password shorter than 10 characters. Personally, I use entire sentences – because memorable quotes are easy to retain and nobody attempting a brute-force is going to even consider a password that’s 16+ characters. I used “L’etat C’est Moi” for nearly a decade – but not this decade. Also, never use the same password for multiple sites, unless they are throwaway sites. I use a different password for Ebay, Paypal, my personal site, my email, and then I have two classes of throwaways – one is for credit-card based e-commerce sites like Amazon and iTunes and the other is for stuff I simply do not care about. Remember – it’s much safer to have a long password, written down, in your desk at home than it is to have an easily-remembered and guessed password in your head everywhere you go.
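The “last login from …” and “N failed attempts” notices the comment above describes are easy to reconstruct from an authentication log. The following is an added example (not from the commenter or this site): it parses a few constructed OpenSSH-style syslog lines, raises an alert when an account accumulates a threshold of failures without a success in between, and records the source of each successful login together with the number of failures that preceded it. The log lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog style (not real logs).
SAMPLE_LOG = """\
Jan  6 10:01:02 host sshd[1201]: Failed password for alice from 203.0.113.9 port 50211 ssh2
Jan  6 10:01:04 host sshd[1201]: Failed password for alice from 203.0.113.9 port 50212 ssh2
Jan  6 10:01:05 host sshd[1201]: Failed password for alice from 203.0.113.9 port 50213 ssh2
Jan  6 10:01:07 host sshd[1201]: Failed password for alice from 203.0.113.9 port 50214 ssh2
Jan  6 10:01:09 host sshd[1201]: Failed password for alice from 203.0.113.9 port 50215 ssh2
Jan  6 10:02:00 host sshd[1220]: Accepted password for alice from 203.0.113.9 port 50216 ssh2
Jan  6 11:15:00 host sshd[1305]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Jan  6 11:16:00 host sshd[1310]: Accepted publickey for bob from 192.0.2.77 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text):
    """Yield (timestamp, result, user, ip) for every line the pattern matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("ip")

def review_logins(log_text, max_failures=3):
    """Track failed attempts per account and the source of each successful login.

    Returns (alerts, last_success):
      alerts       - list of (user, ip, count), emitted when an account reaches
                     max_failures failed attempts with no success in between
      last_success - user -> (timestamp, ip, failures_before_this_success):
                     the 'last login from ... after N failed attempts' notice
                     the commenter says systems no longer show
    """
    failures = defaultdict(int)
    last_success = {}
    alerts = []
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[user] += 1
            if failures[user] == max_failures:
                alerts.append((user, ip, failures[user]))
        else:
            last_success[user] = (ts, ip, failures[user])
            failures[user] = 0
    return alerts, last_success

if __name__ == "__main__":
    found, successes = review_logins(SAMPLE_LOG)
    for user, ip, n in found:
        print(f"ALERT: {n} failed logins for {user} from {ip}")
    for user, (ts, ip, n) in successes.items():
        print(f"{user}: last login {ts} from {ip} ({n} failed attempts before it)")
```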


    1. The credit card system has been made more secure in most of the world other than the USA. Last time I was in Europe, other than at airports, I had trouble getting my plain mag-stripe USAian credit card accepted; chip-and-pin is obviously the way to go and has obviously been the way to go since the mid 1990s when Europe started shifting over to them.

      The reason the US lags behind is simple economics – the credit card companies were required to provide some kind of protection for their customers, whereas the vast majority of cards (ATM cards, PIN only) were not required to offer any protection for the customer. Consequently, the card companies spent a lot of money on fraud-detection systems on their backends – and they’re really good – and were able to more or less ignore the ATM card customers. The ATM users’ fees subsidize the cost of credit card fraud, as do the people who run a credit card balance month-to-month. The system will only change when there is an economic incentive for it to change, which there won’t be since the idea of lawmakers telling banks and credit card companies what to do is “so early ’90s.”

      If a criminal gets the card but not the code they may still be able to use it for online purchases. If your ATM card has a Visa or Mastercard logo on it there’s a good chance that it can be used for small purchases without a PIN. One way to find out if your ATM card is credit-card enabled is to try to buy gas with it as a VISA card without the PIN – if the pump takes it then you’d better not lose that card because the card companies aren’t liable for any of your losses in that case; someone can drain your bank account pretty quickly.

      In Europe there are complex scams in which people try to get the PIN codes for ATM cards; it’s much harder. Everyone in the USA should be going in to their banks and threatening to cancel their credit cards because they ought to be supporting chip+PIN.


  3. How can your chip+PIN recommendation for debit/ATM cards be safer than credit cards when my liability for credit card fraud is only $50 but unlimited for debit cards?


    1. A chip+PIN card is virtually worthless if it’s found or stolen, and it’s 100% worthless if it’s stolen online, which is where 60% of the card fraud is happening nowadays (and because USA cards are basically a 16-digit password and nothing else, USA cards are disproportionately targeted) – the result is that card fees/interest rates are inflated in order to ensure the profits for the credit companies and banks.

      That’s another reason that a switchover hasn’t happened: effectively banks are making money off of fraud because it justifies jacking the rates and then anything they can do with transaction-scoring systems to reduce successful fraud on the back-end goes right to their bottom line.

      While it’s true that your liability is limited to $50 with a USA credit card, it’s basically a mandatory insurance fee: everyone is subsidizing the cost of fraud for everyone else. But you are correct that the incentives are pretty much evenly balanced at this time; if you’re a smart customer and don’t run a balance on your card then you’re not spending as much to subsidize everyone else’s fraud protection.


  4. Do you think the current grassroots cyber-bashing between the 0xOmar gang and Israeli hackers will escalate, and is this a scenario that will be repeated in other places?
    FM Note: Here are some of the news stories about this tit-for-tat cyber-vandalism.


    1. This kind of scenario is pretty typical and will continue to happen. Because it’s fairly easy to do. Occasionally one of these types of attacks will really hurt a target, but in general they’re not that big a deal.

      There’s not a lot of room for this exchange to escalate unless one side or the other starts doing more than just “cyber”-attacks. The main risk of cyberwar appears to be that it’s a convenient potential casus belli. Israel recently declared that cyberattacks are “terrorism” and in the past Mossad has assassinated terrorists “pour encourager les autres.” I’ve always expected that sooner or later some country will send its special forces/drones/kill teams and go pay a surprise visit to some of these armchair amateurs. When that happens, the only players who’ll be willing to take the field will be the pros.

      “Israel Says Cyber Attacks Are Terrorism”, eSecurity Planet, 9 January 2012 — “The country’s deputy foreign minister said cyber attacks are ‘a breach of sovereignty comparable to a terrorist operation.’”


    1. If you look at the US infrastructure at a component level, there are tremendous weaknesses that can be found. So it’s easy to imagine someone or some organization eventually exploiting them to cause harm.

      Where it gets tricky is if you imagine these piece-meal vulnerabilities somehow all being sprung at once, in a coordinated manner. That’s what it would take, to do serious damage, and the larger such an operation was, the more organized it would have to be, the bigger its footprint, the more likely it would be to be noticed and backtracked to its origin. So then there’s the geopolitical question of who’d benefit from doing such a thing and whether they were aware that it would be suicidal. So, if it sounds like I’m waffling in response, it’s because the answer is a bit odd: it’s possible but probably pointless and therefore unlikely.

      As far as what we’re doing about it – “Spend money!” is the perennial cry from the beltway crowd – but throwing money at the problem won’t help. What’s needed is a discipline of data management and infrastructure reliability. The discipline is sadly lacking. To give you an analogy: there are people who will try every possible fad diet or miracle cure to lose weight – except eating less and exercising more. That, in a nutshell, is the government’s attitude toward computer security.


  5. re: “What’s needed is a discipline of data management and infrastructure reliability. ”

    In what model of human psycho-sociology is that possible? Most organizational cultures are inadequate, there is no incentive to do the right thing until significant damage has already happened.

    As far as I can tell, bureaucratic controls/regulations and corresponding internal responses within many organizations are driven by “style over substance”: audit compliance is far more important than “real” IT security.

    This is because managers/executives are clueless about technology at the depths required to make intelligent decisions about IT security.

    And competent IT managers are (usually) bad at the politics necessary to convince an organization to take on the expense/pain of “real” IT security.


    1. “In what model of human psycho-sociology is that possible?”

      There are plenty of ultra high-reliability safety-oriented extremely complex systems that humans build. Part of why they are successful is because they are recognized as extremely important. In some cases, like with commercial aviation, it took a while for the discipline of reliability engineering to be adopted – but once it was, we saw some pretty impressive drops in catastrophic system failures.

      Computer software is as complicated as a space shuttle but we treat it like it’s a toy, changing parts on the fly and expecting an inexperienced operator to get good results with it. As you point out, the “style over substance” model, such as the government’s focus on “top 20 controls” lists or checkbox/punchlist security, rules the day. And the proof is in the pudding, which is not particularly tasty. We have the same people who complain about systems being easily penetrated, who overruled the design disciplines that might have prevented it. In all walks of complex engineering we see this happen over and over again – the managers who just want to get it done overrule the serious engineers who wave red flags; the truth only comes out in the post-mortem after a disaster. It’s normal. It’s human fallibility.

      Our question is whether we want IT that’s a house of cards which occasionally produces a costly fallover, or whether we want costly IT that seldom falls over. So far the money has voted again and again for the shiny thing.

      I wrote a rather grumpy article about this, inspired by reading about Professor Feynman’s involvement in the Challenger Commission: The anatomy of security disasters


  6. Tangent: Home wireless network (router) vulnerability

    (1) From Vulnerability Note VU#723755 – WiFi Protected Setup (WPS) PIN brute force vulnerability, from the US Computer Security Readiness Team of the Dept of Homeland Security:

    I. Description

    WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called “external registrar” that only requires the router’s PIN. By design this method is susceptible to brute force attacks against the PIN.

    When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total.

    It has been reported that many wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.

    II. Impact

    An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.

    III. Solution

    We are currently unaware of a practical solution to this problem. Please consider the following workarounds: {go to the article to read the detailed info}

    (2) “Hands-on: hacking WiFi Protected Setup with Reaver”, Sean Gallagher, Ars Technica, 6 January 2012
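The figures in the vulnerability note above (10^4 + 10^3 = 11,000 attempts, and the effect of a missing lock-out) can be checked rather than taken on faith. The following is an added example, not code from the note, the commenter or this site: it implements the WPS PIN check-digit rule from the WiFi Alliance specification (weights 3,1,3,1,3,1,3 over the first seven digits; the eighth digit makes the weighted sum a multiple of 10), counts how many second halves survive the checksum, and models how a lock-out policy changes the time needed to exhaust the space. The per-attempt timing and the lock-out parameters are constructed inputs, not measurements of any router.

```python
# Check-digit rule as defined in the WiFi Alliance WPS specification.
def wps_check_digit(first_seven):
    acc = 0
    for i, ch in enumerate(first_seven):
        acc += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - acc % 10) % 10

def is_valid_pin(pin):
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_check_digit(pin[:7])

def second_half_candidates(first_half):
    """All 4-digit second halves that pass the checksum for a given first half.
    Only three of the four digits are free, so 1,000 of the 10,000 survive."""
    return [f"{n:04d}" for n in range(10**4) if is_valid_pin(first_half + f"{n:04d}")]

def attempts_to_exhaust(half_verified):
    """Worst-case number of PIN submissions needed to cover the whole space.

    half_verified=True models the EAP-NACK leak described in the note: the
    first half is confirmed on its own (10^4 guesses), then the second half
    (10^3 checksum-valid candidates).  half_verified=False: each 7-digit
    prefix has exactly one valid check digit, leaving 10^7 whole PINs
    (the note quotes the raw 10^8 space).
    """
    if half_verified:
        return 10**4 + len(second_half_candidates("0000"))
    return 10**7

def exhaust_time_seconds(attempts, per_attempt, lockout_after=0, lockout_seconds=0):
    """Model the lock-out the note says many routers lack: a router that
    pauses lockout_seconds after every lockout_after failures adds that
    pause to the attacker's cost once per block of failures."""
    total = attempts * per_attempt
    if lockout_after:
        total += (attempts // lockout_after) * lockout_seconds
    return total

if __name__ == "__main__":
    n = attempts_to_exhaust(half_verified=True)
    print("worst case with half verification:", n)
    # Constructed timings: 1 s per attempt, optional 60 s pause per 3 failures.
    print("no lock-out:", exhaust_time_seconds(n, 1.0) / 3600, "hours")
    print("60 s pause per 3 failures:", exhaust_time_seconds(n, 1.0, 3, 60) / 3600, "hours")
```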

