October 23, 2012

Finally, the media gets it: The cyber-jihad that the NSA bought to hometown America

I have struggled to write this story for a long time, and now Business Insider has written it for us:

In a world where you can watch cyberattacks happen in real-time, it's no wonder that nation-states are doing little to hide the cyber arms race and low-grade cyberwar that's taking place. However, what's surprising is that the country leading the charge — the U.S. — may also be the one with the most to lose.

"There is a world of bytes and a world of atoms, and increasingly the world of bytes is driving the world of atoms," Dr. Jarno Limnell, director of cyber security at Stonesoft, told us. "This is a whole new capability for these state-actors — previously there was no way to touch the U.S."

(fast forward to the crux of the issue)

Capabilities vary. China, which began its Information Warfare (IW) plan in 1995, has been stealing America's business secrets for more than a decade. Russia recently stated that it's "not making a secret of their plans to gain offensive [cyber] technologies."

The U.S. isn't in the best position to invite cyberwar. As RedSeal Chief Technology Officer Dr. Mike Lloyd told us when he described how easy it would be to attack the physical U.S. infrastructure: "People in glass houses shouldn't throw stones. [And] unfortunately, it's not just that—very simple stones can break our glass windows. We have very thin defenses."

OK, I'll spell it out - the USA has the most developed computer base of all countries, and is also the most attractive target. It is also as badly defended as anyone else, and may be the worst. E.g., it is the home of phishing, DDoS, breaches, and botnet nodes. In particular, the record of breaches and phishing suggests that the USA is the country most at risk and with the most losses from these attacks. (Question for all - Europe missed out on phishing, Russia got Kaspersky - why did the USA get the worst of it?)

So in this environment, what is the Pentagon thinking? Good question. Here's an example of what the Pentagon is thinking:

The big question is whether a cyberattack can trigger a "real world" attack. Last year the Pentagon concluded that cyberattacks would justify a traditional military response. And in August BBC reported on a leaked Israeli memo that spelled out the hybrid use of cyber and military warfare in a proposed assault on Iran.

"This is the most troubling aspect of developing these weapons," said Limnell. "What is the action of the president if an attack happens, does it immediately become kinetic?"

Limnell said the difference between traditional warfare and cyberwarfare is that often cyberwarfare includes, indeed even prioritizes, civilian targets. And like the situation with the nuclear weapons in the 50s and 60s, there are no international rules for how we can use these weapons.

"Cyberwarfare is like Wild West right now, there’s a huge lack of norms and rules," Limnell said. "We will experience some type of major problem before we learn how to use weapons in the cyber domain."

Dumb. We already know that cyber attacks are mostly unattributable - the Chinese have been spying using these techniques for decades and China has not been caught. We now know the Pentagon generals are justifying their position by saying "it's cool, we'll just go kinetic if they dare throw a packet our way."

Dumber. So who do they throw their bombs at? Other than a country, they're stuck - they have to go to the world and say "bad Iranians hurt us with packets, now we want to bomb them back into the stone age." That doesn't work, because the world saw the Iraqi debacle and won't play stupid again, but it seems that the Pentagon didn't get the memo. Worse - their casus belli is already known to be outright fraud because the USA has admitted launching Stuxnet against the Iranians.

Can it possibly get any dumber?

The U.S. isn't in the best position to invite cyberwar. As RedSeal Chief Technology Officer Dr. Mike Lloyd told us when he described how easy it would be to attack the physical U.S. infrastructure: "People in glass houses shouldn't throw stones. [And] unfortunately, it's not just that—very simple stones can break our glass windows. We have very thin defenses."

Oh yeah -- it gets leveraged dumb. It's because the equation is stacked against the USA. The Pentagon have launched what is probably the dumbest attack of all time. The Stuxnet attack that they might see as an exchange of a pawn, letting their kinetic queen rove free, is actually exposing their entire board. Dumbest of all.

The reason for this is politely called the equity question in NSA circles. When it came to cyber defence, the NSA decided in the early 1990s that it was more important to make the Internet weak and vulnerable to spying than to let the Internet be able to defend itself. This decision was prosecuted publicly through crypto export regulations -- remember the crypto wars -- but also through a host of other interventions into the IETF, corporates, critical infrastructure (to them) and other places. When thinking about why USA banking suffered the brunt of phishing and breach losses, a large part of the big picture goes back to the NSA.

So the biggest dumb mistake of them all is that the Pentagon wants any excuse to go kinetic against the Iranians, but they've not defended their home ground over the last 20 years. The gates to the cyber-kingdom are not only wide open, they're 6 inches high and guarding a line of warning signs.

Posted by iang at October 23, 2012 09:54 AM

Having been on the inside for over a decade I blame the entire thing on accountability or lack of. FISMA, for all its bloat and misguided garbage, did force NIST to put out some solid process documents which, if actually followed, would do wonders to decrease the threat profile and increase the defensive posture of the Federal networks. Sure the law mandated agencies follow and apply them (hell, see the latest FY13 FISMA/Cyberscope guidance from OMB which reinforces this) but the RMF is intentionally vague and misguided to simply allow the authorities (who don't like security anyways) to simply ignore it under the guise of risk acceptance. It's hard to secure a government when the majority of the links are all equally weak as a result of "risk accept not doing anything because security interferes with operations, i.e. I can't install that latest malware widget or I'm required to actually read and do something (i.e. work)".

I'm not going to argue about absolute security by compliance, etc, but the simple fact is compliance will get you most of the way there so you can focus your limited resources on the sexy zero day / APT / manual hacks / obscure stuff. Until compliance with the basics like patch and configuration management happens, who cares about the rest.

Posted by: Peter at October 29, 2012 08:31 PM


It's nice to see the link off to "Bruce" ;-)

But yes, I would agree the NSA has a lot to answer for for the lamentable state of security on the Internet.

It was not just "the hand on the shoulder" routine over research, it was other little tricks such as "lies of omission".

If you think back to NIST's AES competition, the NSA were NIST's technical advisors, not just with reviewing the candidates but also in setting up the competition requirements.

One of which was candidate evaluation code being put up on the NIST site which could be freely downloaded, and making one of the candidate requirements for AES being high performance on standard processors etc.

Now the NSA must have been more than aware of the following,

1, Efficiency -v- Security, as a general case when one goes up the other goes down, in a similar way to Usability -v- Security.

2, Time based side channels from the use of Cache Memory.

3, Nearly all implementations would use the speed optimised freely downloaded code.

4, Nearly all users would use AES in "online mode" enciphering not "offline mode".

5, Nearly all "code libraries" would either use the freely downloaded code or their own "speed optimised" code.

Thus you could say they either "rigged the contest" or failed to warn of the consequences of the contest, which we are still living with.

Oh, and we have good reason to believe the NSA are fully aware of this: if you go and look at their specs for the equipment they use AES in, such as the Inline Media Encryptor (IME), they are careful to say it's only certified for "data at rest", not whilst it's encrypting or decrypting.

Some analysis has shown that of all the AES finalists, the worst offending as far as side channels go is the one finally selected...

Oh and there are a few other interesting little tricks they have pulled in the past as well.

If I was the NSA with their required "schizophrenic" behaviour, I would these days look to attacking not the individual algorithms or how they are implemented but the standards for the protocols they are to be used in. Both SSL and TLS have had protocol weaknesses and I expect there to be others.

The thing about protocol failures is they are in many systems and thus vulnerabilities that will still be around in thirty years due to the likes of embedded systems in "smart meters" and "Implantable Medical Devices". Thus systems to talk to old broken protocols will likewise have to be around for a similar period of time. And this gives rise to a nice little man in the middle attack of "fallback" in "initial protocol negotiation".

That is, when you connect to another system the first thing that happens is the protocol negotiates to find the strongest compatible algorithms etc. The process is one where the protocols and algorithms selected are the strongest in the mutual subset. Now if you sit in the middle when this negotiation goes on you can ensure that the subset only contains the weakest or broken protocols or algorithms. And you will get away with this most times because commercial software providers will put everything in they can think of, including the "kitchen sink of plain text", just to ensure they have maximum compatibility. But further, to stop the users worrying their pretty little heads and making lots of tech support calls, the software providers will make the negotiation process "invisible" to the user, so the user has no idea that they are using the weakest not the strongest of protocols and algorithms...

Oh, and the chances are the software provider won't make it easy for you to remove or lock out the weak protocols and algorithms you don't want to use...

Why do we know this? Well, look at the debacle with web browsers and CA certs and just how difficult it is to do those useful things like locking out CAs and certs you don't want to use...

Posted by: Clive at November 25, 2012 06:45 PM
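The "fallback" failure mode Clive describes, as an added toy model that is not part of the original post or comments: suite names and strength ranks are constructed for illustration (they are not real TLS identifiers), and the model shows why a client-side minimum-strength floor and an integrity-checked transcript are both needed, since the floor alone does not notice a downgrade that stays above it.

```python
"""Toy model of negotiation downgrade: strongest-in-the-mutual-subset selection
is only as trustworthy as the offer the server actually received.

Assumptions (constructed for this example): four suite names with made-up
strength ranks, and an echo of the received offer that is assumed authentic.
In a real protocol that echo must be integrity-protected by keys an on-path
party does not hold (the TLS Finished message plays that role)."""

# Constructed ranking: higher is stronger.
STRENGTH = {"AEAD-256": 3, "AEAD-128": 2, "LEGACY-CBC": 1, "PLAINTEXT": 0}


def server_choose(offer_seen, server_supported):
    """Server side: strongest suite in the mutual subset, or None if empty."""
    mutual = [s for s in offer_seen if s in server_supported]
    return max(mutual, key=STRENGTH.__getitem__) if mutual else None


def strip_above(offer, max_rank):
    """Models on-path tampering: every suite stronger than max_rank is removed."""
    return [s for s in offer if STRENGTH[s] <= max_rank]


def handshake(client_offer, server_supported, tamper=None,
              client_floor=0, check_transcript=False):
    """Run one negotiation; return the agreed suite, or None if the client aborts.

    client_floor: lowest rank the client will accept (the "lockout" of weak
    suites that Clive notes vendors rarely expose to users).
    check_transcript: client compares the offer the server echoes back with
    the offer it sent, so tampering is detected even above the floor.
    """
    in_transit = tamper(client_offer) if tamper else list(client_offer)
    chosen = server_choose(in_transit, server_supported)
    if chosen is None or STRENGTH[chosen] < client_floor:
        return None                      # refuse rather than silently fall back
    if check_transcript and in_transit != list(client_offer):
        return None                      # offer was altered on the wire
    return chosen


# "Kitchen sink" client offer and a server that accepts everything.
CLIENT_OFFER = ["AEAD-256", "AEAD-128", "LEGACY-CBC", "PLAINTEXT"]
SERVER_SUPPORTED = set(CLIENT_OFFER)


def downgrade_to_legacy(offer):
    """Tampering that leaves only rank-1-or-lower suites in the offer."""
    return strip_above(offer, max_rank=1)
```

Run the handshake with and without `tamper`, `client_floor` and `check_transcript` to see the three outcomes: silent fallback, floor-triggered abort, and transcript-triggered abort.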