July 11, 2013

The failure of cyber defence - the mindset is against it

I have sometimes uttered the theory that the NSA is more or less responsible for the failure in defence arts of the net. Here is some circumstantial evidence gleaned from an interview with someone allegedly employed to hack foreigners' computers:

Grimes: What do you wish we, as in America, could do better hacking-wise?

Cyber warrior: I wish we spent as much time defensively as we do offensively. We have these thousands and thousands of people in coordinate teams trying to exploit stuff. But we don't have any large teams that I know of for defending ourselves. In the real world, armies spend as much time defending as they do preparing for attacks. We are pretty one-sided in the battle right now.

My main thesis is that the NSA has erred on the side of destroying the open society's capability of defence (recall interference with PGP, GSM, IETF, cryptography, secure browsing, etc). We are bad at it in the aggregate because our attempts to do better are frustrated in oh so many ways.

The claim above suggests two things. Firstly, they only know or think to Attack! whatever the problem. Secondly, due to a mindset of offense, the spooks in the aggregate will be unsuited to any mission to assist the defence side. And will be widely perceived to be untrustworthy.

Hence, any discussions of the dangerous state of civilian defences will only be used as an excuse to boost attack capabilities. Thus making the problem worse.

For amusement, here are some other snippets:

Grimes: What happened after you got hired?

Cyber warrior: I immediately went to work. Basically they sent me a list of software they needed me to hack. I would hack the software and create buffer overflow exploits. I was pretty good at this. There wasn't a piece of software I couldn't break. It's not hard. Most of the software written in the world has a bug every three to five lines of code. It isn't like you have to be a supergenius to find bugs.

But I quickly went from writing individual buffer overflows to being assigned to make better fuzzers. You and I have talked about this before. The fuzzers were far faster at finding bugs than I was. What they didn't do well is recognize the difference between a bug and an exploitable bug or recognize an exploitable bug from one that could be weaponized or widely used. My first few years all I did was write better fuzzing modules.

Grimes: How many exploits does your unit have access to?

Cyber warrior: Literally tens of thousands -- it's more than that. We have tens of thousands of ready-to-use bugs in single applications, single operating systems.

Grimes: Is most of it zero-days?

Cyber warrior: It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.

Posted by iang at July 11, 2013 04:32 AM

I periodically tell this story about realizing in the 80s there were three kinds of crypto 1) the kind they don't care about, 2) the kind that you can't do, 3) the kind that you can only do for them. There would be periodic news about prohibited crypto (type #2).

I had HSDT project with T1 and faster links. All the links on the internal network were required to have link encryptors (some comment that in the mid-80s that the internal network had more than half of all link encryptors in the world).

T1 link encryptors were really expensive and it was almost impossible to get anything faster than T1. I got involved in project where the objective was to have hardware encryptors that could handle LAN speed, cost less than $100 and be able to change key on every packet.

The crypto products group reviewed it and claimed that it significantly reduced the crypto strength compared to standard DES. It took me three months to figure out how to convince them that it was actually much stronger than standard DES. However, it was hollow victory ... I then got told we could build as many as we wanted ... but there would be only one customer ... all would be shipped to location on the east coast (aka type #3).

Old email about benchmarking software DES where it would take a dedicated mainframe processor to handle sustained 1.5mbits/sec and two dedicated mainframe processors to handle full-duplex T1.

old email about proposal for pgp-like implementation for the internal network
http://www.garlic.com/~lynn/2007d.html#email810506 ..

Posted by: Lynn Wheeler at July 11, 2013 08:21 AM

"Secondly, due to a mindset of offense, the spooks in the aggregate will be unsuited to any mission to assist the defence side."

I would proffer this is actually true. To use a physical security example, a guy who knows how to blow up a building doesn't necessarily know how to design one to resist being blown up. I can't tell you how many "attackers'" eyes have glazed over when I talk to them about defense fundamentals (change/configuration/patch management, asset inventories, personnel HR security, etc).

In the private sector we used to always talk about (and saw it when we hired) how 1337 zero day hackers only have to be good at single issue items whereas defense has to be good at everything. Sure there is some crossover but lots of it either doesn't or runs into mindset problems. A guy who gets his rocks off evading IDS's isn't going to enjoy spending 8x5 staring at IDS logs trying to find somebody evading IDS's.

Posted by: Peter at July 11, 2013 12:34 PM

from a different perspective, posted recently a number of times

How Edward Snowden Snuck Through

a lot of this seems to misdirect from the mechanics of being able to obtain all the information at all. 20yrs ago, open security literature had gov. agency state-of-the-art was not only strict access controls but also behavior based monitoring that would catch employee atypical activity. all of that appears to have gone by the wayside as part of privatizing the intelligence community and transition to for-profit operation. It appears that they not only aren't doing monitoring but don't appear to even have any idea what may have been taken. References to super administrative privileges imply that provisions requiring multiple individuals have also gone by the wayside.

NSA Networks Might Have Been Missing Anti-Leak Technology

Would appear to be regression from 20yrs ago ...possibly associated with transition to for-profit operation. Also possibly more technology monitor public than internal security. In the financial industry in the past, open security literature claims that as much as 70-80% of breaches have involved insiders ... although it might be more ... in the financial services presidential critical infrastructure protection meetings, a major concern was making sure that the exploit information sharing ISAC not be subject to FOIA.

... also not exactly unexpected given the stories about classified details of major weapons systems leaking out over the internet for years.

reference to growing "Success of Failure" culture

Booz Allen, the World's Most Profitable Spy Organization
Spies Like Us

Private contractors like Booz Allen now reportedly garner 70 percent of the annual $80 billion intelligence budget and supply more than half of the available manpower.

... snip ...

the whistleblower in the "Success of Failure" case was treated very badly. The scenario is for-profit operations have discovered that a series of failures is a lot more revenue than an immediate success (sort of natural evolution of the beltway bandits "leave no money on the table" paradigm). The congressional investigation put the agency on probation for five years (but did little for the whistleblower) and not able to manage its own projects. However, that may have been just a ploy ... further privatizing the gov. (solution to the problem of for-profit companies in projects is to have more for-profit involvement ... of course, some quarters claim that there is guaranteed 5% kickback to congress on appropriated funds to for-profit companies ... which doesn't happen if it is straight gov. agency)

oh and a little IBM connection.

Louis V. Gerstner Jr. lays out his post-IBM life

more detailed histories talk about him being in competition to be the next CEO of AMEX ... the loser then leaves ... and eventually does take over some other companies and eventually citibank ... in violation of glass-steagall ... greenspan gives him an exemption while he lobbies congress for repeal of glass-steagall ... originating too-big-to-fail and major factor in the financial mess.

AMEX and KKR are in competition for private-equity take-over of RJR ... KKR wins ... but runs into trouble with RJR and hires Gerstner away to turn it around ... before the IBM board hires Gerstner away to resurrect IBM. Gerstner then leaves to be chairman of another major private equity company.


It mentions that private equity leveraged buyout of RJR had been the largest buyout up until that point.

http://en.wikipedia.org/wiki/Louis_V._Gerstner,_Jr .
after IBM, becomes Chairman of
which then does private equity buyout of ... guess who?

Posted by: Lynn Wheeler at July 11, 2013 02:56 PM

a little more on privatizing gov. by for-profit companies and economic espionage

Penalties Are Weak for Misbehaving Contractors
Snowden case not the first embarrassment for Booz Allen, or D.C. contracting industry

Posted by: Lynn Wheeler at July 12, 2013 04:53 PM