About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics.  I'm also on Twitter @bond_alexander.  All opinions are my own unless explicitly stated.

Monday, August 30, 2010

On protectionism, security, and international politics

In the news recently, there's been quite a bit of fear about hacking and data theft sponsored by foreign governments (usually China, but there's been some fear about North Korea and other nations as well).  Here's an example that may or may not have been connected to a foreign intelligence agency, and here is a more recent information-stealing attack on government targets.  There's legitimate fear here: governments have wide resources that they can (and likely do) employ for electronic espionage.  Foreign and domestic companies are also known to employ industrial espionage (electronic and old-fashioned) to steal valuable data from their competitors.  As a result, governments and corporations are beginning to take foreign threats seriously and look at the ways they're vulnerable to them.

Unfortunately, the major espionage fear (corporate and government) is the same country that provides so much of our hardware and has significant government control over their corporations ... China.  We don't know what they might be putting into the hardware that we buy from them, which is a serious threat.

Although that's perfectly true, China buys lots of software (security software included) from the US.  Given that the US and China are global competitors, they have as much to fear from US espionage as we have to fear from theirs.  As a result, it was inevitable that China would take action to prevent foreign security software from being used to secure their critical infrastructure.  It's perfectly reasonable, and I think this exact concern would prevent Chinese-programmed security software from being widely used in the West.

At the same time, there are some claims of protectionism and fear that China is trying to shut foreign competition out of a major Chinese market.  This is also true: favoring local companies clearly goes against "free trade" principles, and the Chinese computer security market would certainly benefit hugely from forcing foreign companies out or forcing them to work alongside local Chinese companies.

There's no easy answer to this one, but there never seems to be.  To keep free trade, you need to allow foreign companies in.  To keep security, you need to keep untrusted companies out.  China's trying to draw a line here by only banning foreign computer security products from critical infrastructure.  They're just as afraid of the US hacking their electrical grid as we are of them hacking ours.

I'm most interested in the parallel reaction to the same threat by our countries.  Information security seems to be shaping up into the great leveler of nations.  It doesn't matter if your military budget is $880 billion (US), $78 billion (PRC) or the much smaller budget of any other country.  To the hacker, we're all vulnerable.

But that's just my opinion; I could be wrong.  What do you think: is China overreacting?  Do you think the situation with China is fundamentally different from the situation in the US?

Thursday, August 26, 2010

On the intersection between politics, law, and computer security

One major annoyance on the internet is spam.  Much of the spam out there is either phishing emails (attempts to get users to divulge sensitive information), viruses, or pharmaceutical advertisements.  Now, the White House is calling a meeting with the top internet domain registrars (the companies that sell domain names, such as http://www.google.com, to companies).  If Obama can get the major registrars to stop selling domain names to criminal organizations like these rogue pharma companies (which sell fake drugs for cheap), it would do much to cut down on their profits and thus the amount of spam they can pay people to send on their behalf.  This would cut down the amount of spam sent and the amount of hacking being done in order to subvert mail servers to send out spam.

Based on the email that Brian Krebs posted, it seems that they're only talking about voluntary measures so far.  Obviously, voluntary measures are only effective when everyone ignores the money that can be gained by violating them.  For a current example, see how effective the voluntary safety inspections at egg farms are.  These rogue pharma operations seem to be able to toss around a decent amount of money, so I doubt voluntary measures would do more than raise the price of the domain names they register for their illegal businesses.

Still, having such a high-level meeting at all and getting political attention to internet security issues like this one is a major first step.  Hopefully it'll eventually lead to global regulations that are effectively enforced with significant punishments for violation.  Until then, don't buy drugs advertised in misspelled emails.  Seriously, why would anyone buy something advertised like that ... and then swallow it?

And yet, people do.  As I'm writing this post, I stumbled across an FBI press release about a Canadian, Hazim Gaber, sentenced to 33 months in prison for selling fake drugs to cancer patients.  Although he is Canadian, he was arrested in Germany.  The international nature of these internet crimes makes enforcement quite difficult.  Interestingly, the press release mentions specifics about his crime.  Apparently he was advertising DCA, an experimental cancer drug.  He was charging $45.52 for 20 grams, but actually shipping a white powder containing starch and sugars (dextrose or lactose).  Absolutely medically useless, and his 65 known victims are incredibly lucky they didn't get something toxic.  Good job, FBI.

Tuesday, August 24, 2010

On the difficulty of preventing identity theft

A week ago, I was moving to a new house and helping my in-laws move their stuff too.  They've run various businesses in the past, which of course creates LOTS of paperwork, including personally identifiable information (PII).  Since the business in question has ended, it was time to destroy the data.  In the chaos and stress of moving, it would have been easy to accidentally throw the private information out with the regular garbage/recycling.  That sort of mistake happens often, and it's one way personal information gets stolen.  Information security isn't just a matter of high-tech software and log files; it's also about making sure documents are destroyed properly and people can't look over your shoulder when you're accessing confidential stuff.  Preventing loss of data due to dumpster-diving isn't cool, but it's important.

If you're a business (regardless of size), you're going to generate paperwork.  The way you prevent this sort of problem from arising is by creating a clear document policy.  Take a page from the government and assign your documents to clear, simple categories, for example "not private", "internal use only", "secret", etc.  Clearly define who can have access to which document type, and make sure anything secret isn't in a location where untrusted people like visitors, janitors or contractors can wander across it.

For any kind of PII, intellectual property or trade secrets, establish how long you need to store it and securely destroy it (shred, incinerate, etc.) when it's past the expiration date.  If you keep up with your document destruction duties, it won't become an overwhelming pile that you need to destroy right now!  That's how mistakes happen and a file/database of bank accounts ends up in the dumpster for some opportunistic thief to steal.

Everyone should have a shredder for this sort of task, but if you're a business you may be better off using a document destruction service.  Typically, they leave some sort of locking container for you to place your confidential information into, and collect it at regular intervals.
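One way to make a policy like this checkable rather than a good intention, as an added example that is not part of the original post: a small register that records each document's classification, storage location and creation date, then reports which records are past their retention period and which are stored somewhere an uncleared person could reach them.  The classification labels, roles, locations, retention periods and the sample records are all constructed assumptions for the example, not anything from the post.

```python
"""Records-classification and retention register.

Added example (not from the original post): labels, roles, retention
periods, locations and the sample records are all constructed to
illustrate the document policy described above.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Classification levels in ascending order of sensitivity (constructed).
LEVELS = ["not private", "internal use only", "secret"]

# Highest level each role may read (constructed).
ROLE_CLEARANCE = {
    "visitor": "not private",
    "contractor": "not private",
    "employee": "internal use only",
    "officer": "secret",
}

# Least-trusted role that can physically reach each storage location (constructed).
LOCATION_REACHABLE_BY = {
    "lobby": "visitor",
    "open office": "contractor",
    "locked cabinet": "officer",
}

# Retention period per record type, in days (constructed).
RETENTION_DAYS = {
    "marketing": 365,
    "customer-pii": 7 * 365,
    "trade-secret": 10 * 365,
}


@dataclass(frozen=True)
class Record:
    name: str
    classification: str
    record_type: str
    location: str
    created: date


def rank(level):
    """Numeric sensitivity of a classification label; unknown labels raise ValueError."""
    return LEVELS.index(level)


def can_access(rec, role):
    """A role may read a record if its clearance is at least the record's level."""
    return rank(ROLE_CLEARANCE[role]) >= rank(rec.classification)


def destroy_after(rec):
    """Date on which the record's retention period ends."""
    return rec.created + timedelta(days=RETENTION_DAYS[rec.record_type])


def due_for_destruction(records, today):
    """Names of records whose retention period has ended by `today`.

    `today` may be a date or an ISO date string such as "2010-08-24".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(r.name for r in records if destroy_after(r) <= today)


def misplaced(records):
    """Names of records stored where someone not cleared for them can reach them."""
    return sorted(
        r.name for r in records
        if not can_access(r, LOCATION_REACHABLE_BY[r.location])
    )


# Constructed sample register.
SAMPLE_RECORDS = [
    Record("2001 customer ledger", "secret", "customer-pii", "locked cabinet", date(2002, 1, 15)),
    Record("2010 price list", "not private", "marketing", "lobby", date(2010, 3, 1)),
    Record("product formula", "secret", "trade-secret", "open office", date(2005, 6, 1)),
    Record("old newsletter", "internal use only", "marketing", "open office", date(2009, 5, 1)),
]

if __name__ == "__main__":
    print("Destroy now:", due_for_destruction(SAMPLE_RECORDS, "2010-08-24"))
    print("Move to secure storage:", misplaced(SAMPLE_RECORDS))
```

Run against the sample register on the post's date, it lists two records past retention and two stored where a contractor could read them.  The point is that once the categories, clearances and retention periods are written down explicitly, destruction becomes a routine report rather than the last-minute pile the post warns about.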

Tuesday, August 3, 2010

On Security Psychology and Ethics

Good security people, whether physical or cyber, share a common mindset that makes us distinct from most people.  Living in society, most people follow the rules of what's considered acceptable behavior and they expect everyone else to do so as well.  As a result, much of the time people don't even think about other ways being possible.  It's that blind spot that creates vulnerabilities for criminals to exploit.  Good security people are able to look at the rules and assumptions people have about what other people do and say "That's how they're expecting people to act.  What if I do this instead?"  This allows us to find these vulnerabilities, hopefully before criminals do, and encourage people to close them.  Bruce Schneier wrote an excellent article on the subject.

At the California Cyber Challenge camp this year, I was watching a discussion between security people which erupted in an interesting way.  One side was arguing in favor of leniency towards criminal hackers, arguing that as long as their crime is motivated by curiosity rather than profit or malice, they can still be turned back into productive members of society.  The other side was arguing that it's still a crime and they should be punished for their infractions.  This is, of course, an old argument that crops up not just in the computer security field, but in the criminal justice system at large.  Watching it play out, I realized that there's not just one security mindset, but at least two.

On one side we have the penetration testers, vulnerability researchers, cryptanalysts, and other "offensive security" types.  They're good at seeing the vulnerabilities in systems and figuring out how to exploit them, so that other people can fix the vulnerabilities.  The people arguing for leniency for "non-malicious" cyber criminals were from this category.

On the other side we have the system administrators, security researchers, intrusion detectors, incident response people, and other "defensive security" types.  They're good at detecting and blocking attackers and implementing and enforcing security policy.  Forensics people have some of both talents, able to detect and analyze attacks, but also cracking passwords and reverse engineering malware.  However, in terms of mindset and ethics, they seem to be more closely aligned with the "defensive" types.  The people arguing against the category of "non-malicious" cyber criminals were from this category.

My interests and talents lie on the "defensive" side of the spectrum.  Although I can understand how the offensive people may have dabbled in criminal behavior in their youth, fundamentally security positions are powerful.  We hold the keys to the integrity of the network.  We stand between the criminals and secret data. We need to have very strong ethics and personal integrity, because organized crime is getting involved and may try to corrupt us.  In my opinion, once someone starts justifying and using the darker aspects of security, it makes them vulnerable to corruption.

But that's just my opinion, and I'm interested to know what others think.