Category Archives: IT Securiiy

Traffic Control Viewed as ISP Risk

pirates.jpg Certain ISPs plan to spend a lot of money throttling, stifling, policing copyrights, campaigning and lobbying to control content of information flow through their networks. They might want to look at what’s happening in China:
Beijing has recently added a new weapon to its arsenal of surveillance technologies, a system it believes to be a modern marvel: the Golden Shield. It took eight years and $700 million to build, and its mission is to “purify” the Internet — an apparently urgent task. “Whether we can cope with the Internet is a matter that affects the development of socialist culture, the security of information, and the stability of the state,” President Hu Jintao said in January.

The Golden Shield — the latest addition to what is widely referred to as the Great Firewall of China — was supposed to monitor, filter, and block sensitive online content. But only a year after completion, it already looks doomed to fail. True, surveillance remains widespread, and outspoken dissidents are punished harshly. But my experience as a correspondent in China for seven years suggests that the country’s stranglehold on the communications of its citizens is slipping: Bloggers and other Web sources are rapidly supplanting Communist-controlled news outlets. Cyberprotests have managed to bring about an important constitutional change. And ordinary Chinese citizens can circumvent the Great Firewall and evade other forms of police observation with surprising ease. If they know how.

The Great Firewall: China’s Misguided — and Futile — Attempt to Control What Happens Online, By Oliver August, WIRED MAGAZINE: ISSUE 15.11, 10.23.07 | 12:00 AM

And if they don’t know how, that article provides tips. Continue reading

Bot Buyin

Pickers.jpg Bruce, seeing that the Storm Worm has sprouted stock tout popups on its own bots:
(((I’m guessing the next step is to contact Storm bot victims directly and ask them to join the Storm Network voluntarily. AFter all, if you obeyed that Storm spam pop-up, you cashed in; and this would be a valuable opportunity to become a foot-soldier in the biggest online organized=crime outfit ever.)))

Storm Worm spams its own bots, By Bruce Sterling, Beyond the Beyond, November 15, 2007 | 11:34:00 AM

Having proved that it can infect much of the Internet and the alleged security professionals can do nothing about it, Storm now bids to get its victims to join it?

-jsq

Privacy and Breach Reporting

Why do corporations and the government think we should trust them with everything, yet they shouldn’t even have to report security breaches?

Adam notes that the Commission on Cyber Security is currently meeting “to provide advice about cyber-security policy to the next presidential administration.” Adam has a recommendation:

Many of our fears about what happens after a company is breached have turned out to be false. This is the first key lesson. We have feared that companies will go out of business, people will lose their jobs, and customers will flee. Generally, these things happen only in extreme outliers, if at all. (Two companies have gone out of business; average customer churn is about 2%.)

The second lesson comes from studying the data. The dataloss list contains less selection bias about a broader set of incidents than any other public data I’ve ever seen.

So my goal for the 44th Presidency would be to overcome the fear that has held us back from having national cybercrime statistics, in the form of good law requiring breach disclosure.

How Government Can Improve Cyber-Security, by Adam Shostack, Emergent Chaos, 12 Nov 2007

This would be a big improvement.

-jsq

What to Measure

05ANT-20070-1465-navigation.jpg Adam evaluates a New York Times article about NYC school evaluations, and sums it up:
The school that flunked has more students meeting state standards than the school that got an A.

Measuring the Wrong Stuff, by Adam Shostack, Emergent Chaos, 9 Nov 2007

Measurement is good, but for example in information security if your measurements aren’t relevant to the performance of the company (economic, cultural, legal compliance, etc.), measurement can waste resources or steer the ship of state or company onto ice floes.

-jsq

Wealth of Internet Miscreants: Beyond Law Enforcement to Disrupting the Criminal Economy

figure4.gif How to get rich quick through ecrime:

This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from "hacking for fun" to "hacking for profit" has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.

An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage. Proc. ACM CCS, October 2007.

How to stop it? Law enforcement is good, but insufficient. Ditto traditional technological Internet security methods. We already knew that. What now?

Real progress will be made by disrupting the criminal economy by poisoning trust. Read the paper for the authors’ suggestions of Sybil attacks and slander attacks. Make the criminals’ identities unreliable and poison their reputations.

This is considered the paper of the year by some prominent computer security professionals, and for good reason.

-jsq

Storm Botnet Movie

Cory always has a way with words:
The Storm Worm botnet (thought to be the largest network of compromised machines in the world) has begun to figure out which security researchers are trying to disrupt its command-and-control systems and knock them offline with unmanagable crapfloods from its zillions of zombie machines.

StormWorm botnet lashes out at security researchers, Cory Doctorow, BoingBoing, October 24, 2007 12:35 PM

But Michael Froomkin found a movie illustrating the situation:

Hiding inside while hordes of zombies dance outside and eat away at the doors; yep, that’s pretty much the state of Internet security.

-jsq

Better Products Bootstrap

Gunnnar notes the formation of a software vendor security best practices consortium and asks:
Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products, services and share best practices in the software security space?

Secure Coding Advocacy Group, Gunnar Peterson, 1 Raindrop, 23 October 2007

Yes, if the customers demanded it, that might make some difference, and the vendors do pay the most attention to the biggest customers. Of course the biggest customer is the U.S. government, and they seem more interested in CYA than in actual security. And I’m a bit jaded on “best practices” due to reading Black Swans. But regardless of the specific form of better such a group demanded, demanding better security might make some difference.

Maybe they could also demand risk management, which would including having watchers watching ipsos custodes. Not just in the circular never-ending hamster wheel of death style, but for actual improvemment.

-jsq

Silver Bullet Security Considered Harmful

Silver_Bullet.jpg In the comment discussion about Linus’s schedulers vs. security polemic, Iang mentioned a paper he’s writing:
We hypothesize that security is a good with insufficient information, and reject the assumption that security fits in the market for goods with asymmetric information. Security can be viewed as in a market where neither buyer nor seller has sufficient information to be able to make a rational buying decision. These characteristics lead to the arisal of a market in silver bullets as participants herd in search of best practices, a common set of goods that arises more to reduce the costs of externalities rather than achieve benefits in security itself.

The Market for Silver Bullets, by Ian Grigg, Systemics, Inc. $Revision: 1.27 $ $Date: 2005/11/05 18:25:54 $

Evidently security needs to find another precious metal for its bullets, given that the Storm Botnet is still out there after months, phishing becomes more expensive all the time, spam has killed electronic mail for a whole generation of users, and the best the monoculture OS vendor can come up with is a new release that attempts to push responsibility for all its bugs and design flaws back on the user.

What to do? Continue reading

DRM: The Secret that Can’t be Kept

Cory Doctorow on why DRM can never work:
It’s great for email, but it can never work for movies, TV shows or music, because in the case of “copy protection” the receiver is also the person that the system is meant to guard itself against.

Say I sell you an encrypted DVD: the encryption on the DVD is supposed to stop you (the DVD’s owner) from copying it. In order to do that, it tries to stop you from decrypting the DVD.

Except it has to let you decrypt the DVD some of the time. If you can’t decrypt the DVD, you can’t watch it. If you can’t watch it, you won’t buy it. So your DVD player is entrusted with the keys necessary to decrypt the DVD, and the film’s creator must trust that your DVD player is so well-designed that no one will ever be able to work out the key.

Pushing the impossible, by Cory Doctorow, Guardian Unlimited, Tuesday September 4 2007

So as long as you can keep a secret from yourself, DRM will work….

-jsq