About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Wednesday, July 28, 2010

On the US Cyber Challenge and up-and-coming IT security workers

Last week, I was one of the fortunate 22 winners of the California Cyber Challenge selected to attend a week-long training camp at Cal Poly Pomona.  We had four days of intensive SANS training on exploit writing, Linux security, incident response/penetration testing, and digital forensics.  We also had panels on ethics and education, and a job/scholarship mixer.  The final day hosted a "capture the flag" event.

All in all, the event was wonderful.  Events ran from 9-9, and great conversations with fellow "campers" and the instructors frequently ran until 1 or 2 am.  The classes were so intense and packed with information that we frequently came out of them with headaches from the information overload, and more material on our DVDs and in our books to go over in our own time.

One of the really great things about information security in general and the camp in particular is that there are many different specialties a person can get involved in.  Penetration testing (testing a company's security), vulnerability research (testing a program's security), reverse-engineering malware (taking apart a virus or other malicious software to see how it works), intrusion detection (watching a system for signs of hacking), and digital forensics (retrieving evidence from computer systems) all require different skill sets and personalities, and that's not even a complete list.  I'm still new to computer security, and until this camp I wasn't really sure what all the different fields were, what I would enjoy, and what I was good at.  A varied training camp like the USCC camps introduces the attendees to a variety of different disciplines and the methods they require, which lets us discover what we're good at and what we enjoy, while also giving us a better background in the parts that aren't our preference.  Learning how to write exploits is useful for determining how a virus works, or for tracking down what happened on a system.  For me, one of the great virtues of the camp was learning for certain that I enjoy computer forensics.  Now I can study it in more detail and get work experience for a career.

One aspect of events like the camp and similar security training events that is frequently underestimated is the social networking opportunities.  I'm talking about the old-fashioned face-to-face kind, which can be supplemented by the Web 2.0 kind.  Not only did I learn a lot from my outside-of-class discussions, but I also made connections that have resulted in me getting some volunteer experience and a team to enter the DC3 forensics challenge.

All in all, the Cyber Challenge camp is a wonderful kick-start for my career, and I'm incredibly grateful I had the opportunity to be a part of the first one.

Tuesday, July 13, 2010

On "Cyberwar" - Part 2: Cyberattacks and the damage they can do

Although cyberespionage is a very real threat, it's not exactly the kind of nightmare that you see in Hollywood movies, news articles or defense contract applications.  The real question is, what kind of physical damage can a "cyberwar" or "cyberterrorism" do?

Website defacement is a very common cyber "attack", sometimes including using the server to host viruses and malware.  Denial-of-service (DoS) attacks can take a website down for a period of time.  Both can cause serious damage to a victimized business, but they're not exactly militarily effective.  Security expert Bruce Schneier vividly described the threat of DoS attacks like this:
A real-world comparison might be if an army invaded a country, then all got in line in front of people at the DMV so they couldn't renew their licenses. If that's what war looks like in the 21st century, we have little to fear.
In 2007, Estonia's government systems were hit by a major DoS attack.  While reporters widely described it as the first cyberwar, in retrospect this seems to have been hyperbole.

There have been a number of cases of "cyberattack" reported in the media over the past few years, but it's been difficult to tell what's really going on.  Computers don't explode or fire bullets, they're just used to control other systems, so any malfunction in any system might possibly be a computer problem ... or deliberate digital sabotage.

For example, The Economist recently reported that in 1982, the CIA tampered with Soviet software to cause a gas pipeline explosion.  If true, this would be an excellent example of the physical damage a computer attack could cause (although whether it would be an act of war or an act of sabotage is a matter of opinion).  The question is, did that really happen?  It's difficult to know for sure.  In 2007, Brazil suffered a massive blackout that 60 Minutes ascribed to hackers, but it seems that it was mundane poor maintenance.

This doesn't prove or disprove the possibility of destructive hacking attacks, of course, but it does show that unlike conventional war, in the case of a cyberattack it's difficult to even determine whether you've been attacked, much less who is responsible.  This spring, Howard Schmidt gave an interview to Wired Magazine and quite frankly said "There is no cyberwar." and "As for getting into the power grid, I can't see that that's realistic."

At present, the evidence seems to point against computer attacks causing physical damage.  However, it seems prudent that we engineer critical systems (such as power plants) to be resistant to hacking attacks.  That way, we can keep this sort of "cyberwar" squarely in Hollywood.

Thanks to Bruce Schneier for his extensive discussion of "cyberwar".  His analysis and research form much of the basis of my understanding of the concept and underlie these posts.

Wednesday, July 7, 2010

On "Cyberwar" - Part 1: War and espionage

Lately, the news has been hyped up about "cyberwar", both offensive and defensive. Many articles have been written about the concept, if it's likely (or not), and even whether or not the term "cyberwar" makes any sense at all.

I'm not a "cyberwar" expert, but all the rhetoric and essays being slung about the topic have convinced me that there really aren't any "experts" in this. Indeed, depending on whose article I read, different people have different opinions on what "cyberwar" is. When it comes to hacking and computer systems, where's the line between espionage, sabotage, and war? It certainly doesn't help that in modern politics and society, the line between the three concepts is being increasingly blurred even before you add in the complication of when it takes place on the Internet.

Traditionally speaking, "war" was considered to be declared combat operations between two (or more) countries, both fielding uniformed armies. Legally, soldiers needed to be uniformed, making it certain which nation they were acting for (for example, Geneva Conventions Articles 37-39, 46, and 66, among others). Non-uniformed combatants taking part in war were typically considered spies, mercenaries or illegal combatants. Thus, traditional law establishes that in order to be acting in legal war, combatants on both sides must be positively attributable to the government they're acting for. "Cyberwar" obviously can't fit this definition, as positive attribution is very difficult if not impossible. A "war on terrorism" (or even a war on a particular terrorist group) also doesn't fit this definition of war, which leads to further confusion but is beyond the scope of this blog.

Espionage, sabotage and piracy are traditionally considered to be actions taken against a government which may or may not be on behalf of another government. There's a degree of secrecy and deception that's not present in the modern legal definition of war. Espionage is typically considered to be non-violent, stealing information. Cyber-espionage is a real threat, with several clear examples of data stolen from both government and non-government ("corporate espionage") sources. Although this sort of attack would be incredibly useful for government and military uses, the fact that there's no destruction or potential loss of life makes me believe that it is more properly considered a type of espionage.

The real grey area comes when we consider sabotage: attacks that cause interference or damage to data or systems. This is a complex issue, so I'll cover it in its own post.

Sunday, July 4, 2010

Who I am, and what I mean by Renaissance security professional

The "Renaissance man" is an ideal that's fallen out of favor in modern times. These days, people are expected to be specialists instead of having skill in a range of disciplines. In my opinion, the modern ideal is short-sighted. No person can be effective unless they have skill in several areas, intellectual and social. The people who achieve the most in their lives are those who have diverse skills and interests, such as Ben Franklin.

Although I've always had a diverse set of interests, it was JJ Thompson of Rook Consulting who really showed me how valuable it is to have a broad range of skills for a computer security career, and who coined the term "Renaissance security professional". Computer security needs to be about more than just technology. There is no "magic box" (hardware or software) that will make our networks impenetrable. Computer security professionals need to have an understanding of business so that we can converse with people outside our field and show them why we're trying to make whatever change we're proposing, rather than just using fear, uncertainty and doubt (FUD) to make our arguments. We need to understand psychology and human behavior so that our security policies are realistic, rather than demanding that people remember impossibly complex passwords without writing them down. An understanding of military history can inform better strategies for network defense. Beyond these examples, a broad-based skill set makes one better prepared for whatever comes in life, and makes for a better person.

This is what I intend to do, and this blog will be part of that effort.