CyberSecurity Question Time on the FM website!

Ask any question about cyberwar or computer security, broadly defined. This is a topic area in which, in my experience, there is a great deal of “established wisdom” that is neither wise nor established. We — and others reading the FM website — will attempt to answer it in the comments. All answers welcomed!

Article deleted at author’s request.

16 thoughts on “CyberSecurity Question Time on the FM website!”

    1. “Secure” is a state of mind more than anything else. If Stratfor are like pretty much everyone else, they have figured out how to address the problem that let the attacker in, then have spent some time hypothesizing other avenues of likely attack and fixing them, too. If they’ve done that (and it sounds like they have) then they’re OK in general. What can happen is what happened to Sony: they fix the usual stuff and tighten the places that are obvious potential leaks, but the attackers are motivated enough to figure out much more subtle – entirely new – avenues of attack. In that sense virtually nobody is “secure” – there’s always the danger that someone cleverer than you is going to cook up something that never occurred to you.

      What they suffered was embarrassing but mostly insignificant. Their data is not especially valuable and their customer-base has reacted with understanding. The main exposure is/was the credit card database.

      By the way, if you are in the habit of joining pay sites of any type, make sure you never use a debit card. If you have a credit card compromised, your liability is limited to $50 whereas with a debit card the contents of your bank account plus whatever overdraft protection your bank is willing to extend you is the limit of your potential loss.

      I know one guy who thought he was safe because he used a debit card and only kept pocket change in the account. When it was compromised his bank cheerfully extended the attackers a $2,500 credit line in the form of overdraft protection. If you are in the habit of using PayPal (a good system for making one-time payments) do not attach your PayPal account to your personal bank account; go to a nearby bank and open a free checking account, put in writing on it that they should never extend overdraft protection for that account, use that for PayPal and occasionally “top it up” with a check deposited at an ATM. I cannot emphasize enough how valuable these basic measures are.

  1. Was this intentionally timed to coincide with the SOPA/PIPA protest blackouts?

    How important are SOPA/PIPA? They certainly look bad… but has our self-authorizing executive branch (e.g., the ICE domain seizures) rendered legislation more or less irrelevant, anyway?

    1. No; this was not timed to coincide with anything.

      SOPA and PIPA are unimportant. They represent an ongoing trend in which the government, which completely “does not get” cyberspace and is still trying to catch up, is taking guidance from corporate interests on what government’s regulation of cyberspace should look like. That is and will be an ongoing trend – on one hand you have the copyright cops and on the other you have the intelligence/police-state: and they both agree.

      We’ll get new forms of bad legislation until they feel that they have the internet under control. Unfortunately for them that won’t happen – so the legislation will be a constant stream.

  2. 1: Should I frequently change my password? If so, why?

    Changing your password is mostly pointless, nowadays. In the olden days it was worth doing because many of the computers we’d log into would announce “last login Jan 6, 2012 from kremvax.ru” (or whatever) or “there have been 5 failed login attempts since last login” etc. Nowadays nobody looks at that kind of information and most sites/systems don’t report it any more. One of the big values of changing passwords in this case was that it served as a sort of intrusion detection system – you could tell someone other than you had logged into your account. If you think about it, nowadays, you never get any indication that such a thing has happened, almost anywhere. That’s because today’s computer users are so infantilized that information like that is considered “confusing.”

    Password guessing is a real problem. Most web sites will not notify anyone or do anything if there are 1,382,278 failed log-in attempts on a user’s account. So do not use a password shorter than 10 characters. Personally, I use entire sentences – because memorable quotes are easy to retain and nobody attempting a brute-force is going to even consider a password that’s 16+ characters. I used “L’etat C’est Moi” for nearly a decade – but not this decade. Also, never use the same password for multiple sites, unless they are throwaway sites. I use a different password for eBay, PayPal, my personal site, my email, and then I have two classes of throwaways – one is for credit-card based e-commerce sites like Amazon and iTunes and the other is for stuff I simply do not care about. Remember – it’s much safer to have a long password, written down, in your desk at home than it is to have an easily-remembered and guessed password in your head everywhere you go.
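The two mechanisms described in the answer above, the “last login from …” banner that once doubled as an intrusion detection signal and the pile of failed guesses that no one counts, as an added example that is not part of this thread: a small Python script replays constructed sshd-style auth log lines, rebuilds that per-account banner at every successful login, and flags source addresses that accumulate many failures inside a short window. The log format, the host name, the addresses (RFC 5737 documentation ranges), the year, and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (not real captures). Addresses are
# from RFC 5737 documentation ranges; "gw" is an assumed host name.
SAMPLE_LOG = """\
Jan 17 22:03:11 gw sshd[4011]: Accepted publickey for alice from 203.0.113.5 port 50212 ssh2
Jan 18 01:14:02 gw sshd[4098]: Failed password for alice from 198.51.100.7 port 41100 ssh2
Jan 18 01:14:05 gw sshd[4098]: Failed password for alice from 198.51.100.7 port 41100 ssh2
Jan 18 01:14:09 gw sshd[4099]: Failed password for alice from 198.51.100.7 port 41102 ssh2
Jan 18 01:14:13 gw sshd[4100]: Failed password for invalid user admin from 198.51.100.7 port 41104 ssh2
Jan 18 07:30:44 gw sshd[4211]: Accepted password for alice from 198.51.100.9 port 41300 ssh2
Jan 18 08:02:19 gw sshd[4230]: Accepted publickey for bob from 203.0.113.6 port 52000 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2012  # syslog lines carry no year; assumed for the constructed sample


def parse_line(line):
    """Return (timestamp, result, user, ip) for an auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def login_banners(lines):
    """Replay the log and, at each successful login, build the banner an old-style
    system printed: the previous login (time, source) and how many failed attempts
    that account saw since then. The account owner can spot a login that was not theirs."""
    state = {}  # user -> {"last": (ts, ip) or None, "failed": count since last success}
    banners = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        st = state.setdefault(user, {"last": None, "failed": 0})
        if result == "Failed":
            st["failed"] += 1
            continue
        banners.append({"user": user, "now": (ts, ip), "last": st["last"],
                        "failed_since_last": st["failed"]})
        st["last"] = (ts, ip)
        st["failed"] = 0
    return banners


def guessing_sources(lines, threshold=4, window=timedelta(minutes=5)):
    """Source addresses with at least `threshold` failed logins inside any `window`,
    counted across all accounts. Returns {ip: peak count seen}; this is the alert
    that an unmonitored site never raises."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Failed":
            continue
        ts, _, _, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def format_banner(b):
    """Render one banner the way a login shell would print it."""
    if b["last"] is None:
        return f"{b['user']}: first recorded login from {b['now'][1]}"
    when, src = b["last"]
    return (f"{b['user']}: last login {when:%b %d %H:%M} from {src}; "
            f"{b['failed_since_last']} failed attempts since")


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for banner in login_banners(lines):
        print(format_banner(banner))
    for ip, count in guessing_sources(lines).items():
        print(f"ALERT: {count} failed logins from {ip} within 5 minutes")
```

Run against the sample, the second alice banner reports the 3 failures that preceded her morning login, and the alert fires for 198.51.100.7, which also probed a non-existent account. The window and threshold are deliberately loose defaults; a real deployment would tune them per service and feed the alert into whatever the site already uses for notification or lockout.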

  3. Why hasn’t the credit card system been made more secure? How secure are ATM cards? If a criminal gets ahold of your ATM card but doesn’t have the PIN code, can he empty your account?

    1. The credit card system has been made more secure in most of the world other than the USA. Last time I was in Europe, other than at airports, I had trouble getting my plain mag-stripe USAian credit card accepted; chip-and-pin is obviously the way to go and has obviously been the way to go since the mid 1990s when Europe started shifting over to them.

      The reason the US lags behind is simple economics – the credit card companies were required to provide some kind of protection for their customers, whereas the vast majority of cards (ATM cards, PIN only) were not required to offer any protection for the customer. Consequently, the card companies spent a lot of money on fraud-detection systems on their backends – and they’re really good – and were able to more or less ignore the ATM card customers. The ATM users’ fees subsidize the cost of credit card fraud, as do the people who run a credit card balance month-to-month. The system will only change when there is an economic incentive for it to change, which there won’t be since the idea of lawmakers telling banks and credit card companies what to do is “so early ’90s.”

      If a criminal gets the card but not the code they may still be able to use it for online purchases. If your ATM card has a Visa or Mastercard logo on it there’s a good chance that it can be used for small purchases without a PIN. One way to find out if your ATM card has credit card enabled is to try to buy gas with it as a VISA card without the PIN – if the pump takes it then you’d better not lose that card because the card companies aren’t liable for any of your losses in that case; someone can drain your bank account pretty quickly.

      In Europe there are complex scams in which people try to get the PIN codes for ATM cards; it’s much harder. Everyone in the USA should be going in to their banks and threatening to cancel their credit cards because they ought to be supporting chip+PIN.

  4. How can your chip+PIN recommendation for debit/ATM cards be safer than credit cards when my liability for credit card fraud is only $50 but unlimited for debit cards?

    1. A chip+PIN card is virtually worthless if it’s found or stolen, and it’s 100% worthless if it’s stolen online, which is where 60% of the card fraud is happening nowadays (and because USA cards are basically a 16-digit password and nothing else, USA cards are disproportionately targeted) – the result is that card fees/interest rates are inflated in order to ensure the profits for the credit companies and banks.

      That’s another reason that a switchover hasn’t happened: effectively banks are making money off of fraud because it justifies jacking the rates and then anything they can do with transaction-scoring systems to reduce successful fraud on the back-end goes right to their bottom line.

      While it’s true that your liability is limited to $50 with a USA credit card, it’s basically a mandatory insurance fee: everyone is subsidizing the cost of fraud for everyone else. But you are correct that the incentives are pretty much evenly balanced at this time; if you’re a smart customer and don’t run a balance on your card then you’re not spending as much to subsidize everyone else’s fraud protection.

  5. Do you think the current grassroots cyber-bashing between the 0xOmar gang and Israeli hackers will escalate, and is this a scenario that will be repeated in other places?

    FM Note: Here are some of the news stories about this tit-for-tat cyber-vandalism.

    1. This kind of scenario is pretty typical and will continue to happen. Because it’s fairly easy to do. Occasionally one of these types of attacks will really hurt a target, but in general they’re not that big a deal.

      There’s not a lot of room for this exchange to escalate unless one side or the other starts doing more than just “cyber”-attacks. The main risk of cyberwar appears to be that it’s a convenient potential casus belli. Israel recently declared that cyberattacks are “terrorism” and in the past Mossad has assassinated terrorists “pour encourager les autres.” I’ve always expected that sooner or later some country will send its special forces/drones/kill teams and go pay a surprise visit to some of these armchair amateurs. When that happens, the only players who’ll be willing to take the field will be the pros.

      Israel Says Cyber Attacks Are Terrorism, eSecurity Planet, 9 January 2012 — “The country’s deputy foreign minister said cyber attacks are ‘a breach of sovereignty comparable to a terrorist operation.’”

    1. If you look at the US infrastructure at a component level, there are tremendous weaknesses that can be found. So it’s easy to imagine someone or some organization eventually exploiting them to cause harm.

      Where it gets tricky is if you imagine these piecemeal vulnerabilities somehow all being sprung at once, in a coordinated manner. That’s what it would take to do serious damage, and the larger such an operation was, the more organized it would have to be, the bigger its footprint, the more likely it would be to be noticed and backtracked to its origin. So then there’s the geopolitical question of who’d benefit from doing such a thing and whether they were aware that it would be suicidal. So, if it sounds like I’m waffling in response, it’s because the answer is a bit odd: it’s possible but probably pointless and therefore unlikely.

      As far as what we’re doing about it – “Spend money!” is the perennial cry from the beltway crowd – but throwing money at the problem won’t help. What’s needed is a discipline of data management and infrastructure reliability. The discipline is sadly lacking. To give you an analogy: there are people who will try every possible fad diet or miracle cure to lose weight – except eating less and exercising more. That, in a nutshell, is the government’s attitude toward computer security.

  6. re: “What’s needed is a discipline of data management and infrastructure reliability. ”

    In what model of human psycho-sociology is that possible? Most organizational cultures are inadequate, there is no incentive to do the right thing until significant damage has already happened.

    As far as I can tell, bureaucratic controls/regulations and corresponding internal responses within many organizations are driven by “style over substance”: audit compliance is far more important than “real” IT security.

    This is because managers/executives are clueless about technology at the depths required to make intelligent decisions about IT security.

    And competent IT managers are (usually) bad at the politics necessary to convince an organization to take on the expense/pain of “real” IT security.

    1. “In what model of human psycho-sociology is that possible?”

      There are plenty of ultra high-reliability safety-oriented extremely complex systems that humans build. Part of why they are successful is because they are recognized as extremely important. In some cases, like with commercial aviation, it took a while for the discipline of reliability engineering to be adopted – but once it was, we saw some pretty impressive drops in catastrophic system failures.

      Computer software is as complicated as a space shuttle but we treat it like it’s a toy, changing parts on the fly and expecting an inexperienced operator to get good results with it. As you point out, the “style over substance” model, such as the government’s focus on “top 20 controls” lists or checkbox/punchlist security, rules the day. And the proof is in the pudding, which is not particularly tasty. We have the same people who complain about systems being easily penetrated, who overruled the design disciplines that might have prevented it. In all walks of complex engineering we see this happen over and over again – the managers who just want to get it done overrule the serious engineers who wave red flags; the truth only comes out in the post-mortem after a disaster. It’s normal. It’s human fallibility.

      Our question is whether we want IT that’s a house of cards which occasionally produces a costly fallover, or whether we want costly IT that seldom falls over. So far the money has voted again and again for the shiny thing.

      I wrote a rather grumpy article about this, inspired by reading about Professor Feynman’s involvement in the Challenger Commission: The anatomy of security disasters

  7. Tangent: Home wireless network (router) vulnerability

    (1) From Vulnerability Note VU#723755 – WiFi Protected Setup (WPS) PIN brute force vulnerability, from the US Computer Security Readiness Team of the Dept of Homeland Security:

    I. Description

    WiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called “external registrar” that only requires the router’s PIN. By design this method is susceptible to brute force attacks against the PIN.

    When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3, which is 11,000 attempts in total.

    It has been reported that many wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.

    II. Impact

    An attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.

    III. Solution

    We are currently unaware of a practical solution to this problem. Please consider the following workarounds: {go to the article to read the detailed info}

    (2) “Hands-on: hacking WiFi Protected Setup with Reaver”, Sean Gallagher, Ars Technica, 6 January 2012
