Thursday, February 02, 2012

Why we have jobs in cybersec

I just got an email from my accountant:
Attached, please find your 2011 Tax Organizer, which has been password protected. The Password is the FIRST FOUR digits of the taxpayer's social security number.

This seems reasonable. After all, your ATM card has only a 4-digit PIN. In addition, since the LAST 4 digits of the SSN are so often used, many people know them, so the accountant chose 4 digits that somebody else wouldn't know.

But of course, the problems with this are obvious to any professional.

There are three reasons why 4 digits work for ATM machines, and why they don't work here.
  • The ATM card itself is the PRIMARY security; the PIN is only SECONDARY.
  • Guessing the PIN is "online" (you can only guess a few numbers before the ATM eats your card), but guessing the PDF password is "offline" (you can make as many failed guesses as you want).
  • Stealing money from an ATM is limited to only a few hundred dollars, whereas documents from your accountant can lead to the loss of all your money.
I can pay my neighbor's kid $20 to sit in front of a computer for a couple of hours trying all 10,000 combinations until they guess the right password. The kid might get smart and google social security number prefixes and reduce the number of attempts by quite a lot. Indeed, if he could figure out where I was born, he might reduce his search to only a few hundred attempts, because the first three digits are assigned by which state you are born in. Which is why people ask you for your last 4 digits rather than the first 4 digits, because they are so easily guessed.

Or, I can download free software to do it for me. I downloaded this program and after 2 seconds of crunching numbers, it came up with the right password:


(This image is edited, of course, my SSN# does not actually start with "5967".)

So, what's the right solution? You can't send an encrypted PDF and the password in the same e-mail (as some people do), because then hackers who intercept the e-mail once again have everything they need to decrypt the PDF. Instead, you have to exchange passwords "out-of-band", such as on the phone or when you visit the office. The encryption is only as strong as the password, so you have to choose a long one (more than 12 characters that are hard to guess).

The REAL correct solution is for vendors to better integrate PGP or S/MIME into email systems. PDF encryption was chosen in this case because it's built-in. Likewise, generating public/private keys should be built into every e-mail system -- but it's not.
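To make the "online vs. offline" point concrete, here is an added Python sketch (mine, not code from the post or from the cracking tool mentioned). It models the ATM with a verifier that locks out after a few failures, models the PDF as a copied file whose key derivation can be tried without limit, and sizes the password spaces involved. The key derivation and the salt are constructed stand-ins, not the real PDF algorithm; "5967" is the post's own edited example value.

```python
import hashlib
import math
from typing import Iterable, Optional, Tuple

# Constructed stand-in for the accountant's PDF: the "password" is a 4-digit SSN
# prefix, and 5967 is the page's own edited (not real) example value.
SECRET_PIN = "5967"
PIN_SPACE = [f"{n:04d}" for n in range(10000)]

def derive_key(password: str, salt: bytes = b"constructed-salt") -> bytes:
    # Models a document's password-to-key derivation; NOT the real PDF algorithm.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100)

class OnlineVerifier:
    """ATM-style check: the verifier counts failures and 'eats the card'."""
    def __init__(self, secret: str, max_attempts: int = 3) -> None:
        self._key = derive_key(secret)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def check(self, guess: str) -> bool:
        if self.locked:
            raise PermissionError("card eaten: too many failed guesses")
        if derive_key(guess) == self._key:
            return True
        self.failures += 1
        self.locked = self.failures >= self.max_attempts
        return False

def guess_online(verifier: OnlineVerifier, candidates: Iterable[str]) -> Optional[str]:
    """Online guessing stops at the lockout no matter how many candidates remain."""
    for c in candidates:
        try:
            if verifier.check(c):
                return c
        except PermissionError:
            return None
    return None

def guess_offline(stored_key: bytes, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing against a copied file: nothing limits the attempt count."""
    tried = 0
    for c in candidates:
        tried += 1
        if derive_key(c) == stored_key:
            return c, tried
    return None, tried

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Password-space size in bits, log2(alphabet^length); 4 digits is ~13 bits."""
    return length * math.log2(alphabet_size)
```

Four digits is about 13 bits, while the 12-character password the post recommends, drawn from the printable ASCII set, is over 78 bits: the offline loop that exhausts the first in seconds never finishes the second.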

Wednesday, January 11, 2012

January 18: SOPA blackout day

Reddit has decided to blackout their site on January 18 in protest against SOPA and PROTECT IP. This blog will, too.

This blog is hosted on blogspot.com, so I can't pull the plug on it. What I can do instead is simply change the template so that the background is black and the foreground is also black. I've done this for the demonstration site http://sopa-protest.blogspot.com. You can see that all the articles, such as this one and this one, have the same template, and thus have the same blackout effect, so I don't need to edit the articles individually to cause the blackout. After January 18th, I'll simply change the template back again.

Thus, the steps are:
  1. SAVE the original template first!!!
  2. Change the template ("Edit HTML") so that the text is black-on-black, so nobody can read it.
  3. Add the protest message to the template, such as right after the <body> tag.
  4. Save the new template at 8am on January 18, 2012.
  5. Restore your old, saved template at 8pm January 18, 2012.
  6. This November, send donations to the competitors of those politicians who voted for SOPA.

(Of course, only a couple thousand people will notice the difference on our blog, most of whom oppose SOPA anyway, but the symbolic gesture is still important).

Tuesday, January 10, 2012

This message will self-destruct in five seconds.

(Warning: Spoiler Alert ahead... or maybe not. I mean, it's not like there's some big Shyamalanesque plot-twist at the end of these things...)

The other day a friend said, "You have to go see Mission: Impossible - Ghost Protocol! You will love it, ya know, because you're in security." I'm not really the type that goes and sees every action movie, but I was sufficiently intrigued by the promise that the fourth installment of the series might be a hacker flick. Those are always good for a sobering insight into what Hollywood thinks of our industry or for a laugh. So I went... and I loved it! It was the gadget filled awesomely insane tapestry of extreme action and suspense that we all have come to love and expect from Tom Cruise.

But it didn't seem to me to be a hacker flick. So I messaged my friend and I said, "The gadgets were by far the best in this movie. The story was the most appealing. The actors all had great chemistry. But that isn't why you said I would like it, so please explain, why did you call that a movie about infosec?" He then began recounting all of the scenes where Old Man Cruise has to rappel from something or dive off something and get something out of some ridiculously locked room. But what he of course noticed that I had been too dazzled to see was that the real heavy lifting in those scenes was done by the team's standard issue hacker character (Simon Pegg). Tom has to go into the vault to get the microfiche (really, still??) but Simon is the one that gets that door open.

The most interesting part though is how the hacking is done. In a cruel twist of fate and conspiracy from the highest levels, the president initiates "Ghost Protocol" and the team becomes exiled with no access to the Carnivore-like CIA network that usually makes things like breaking the encryptions Hollywood-quick. So they're forced to kick it old-school and do a pretty nice variety of physical penetration hacks.

MI:4 has reminded me how effective the physical security attack really is. While today's military grade firewall may be Fort Knox at keeping people out of the tubes, there's really nothing that's going to stop a hacker if they're sitting right in front of the machine. Or if their increasingly disgruntled team leader is sitting in front of the machine with a pocket router after having scaled the sheer side of the tallest building in Dubai using only a suction cup and a fire hose. Or if the guy on the team who was never part of the plan, who has to slide down an HVAC shaft into a subterranean server room that without the cooling system has become "an oven" (and by the way the walkie-talkies aren't working and the bad guys just cut the satellite feed), is sitting right in front of the machine. Or if the plucky new female agent with a grudge and something to prove floats a balloon holding a wireless connection device over a wall to get into the signal area.... Well, I guess they can't all be extreme, but it shows the excellent point that if your physical security strategy doesn't cover the 50 feet underground and the 15,000 feet of air space above it, you're doomed. (Don't worry, the plucky female agent gets extreme redemption when she completes one of our other favorite old-school physical hacks, the 'beating someone with a $5 hammer [xkcd] until they tell you the password' technique.)

Oh, and also everyone on the property should probably be assigned a dog because people are incredibly dumb.

Monday, January 09, 2012

Multithreaded teaches the wrong lessons about multicore

This blog-post compares two open-source “packet logging” programs. These are simple programs that log network traffic directly to the disk. That blog-post finds that the multithreaded program is a lot faster than the single-threaded program, confirming people’s prejudices that in the modern world with multicore systems, multithreaded is better.

But the results are suspect. It finds that the TWO-threaded program is SIX times faster. That doesn't make sense. If the issue were truly just "multithreaded vs single-threaded", then we'd expect at most a two-fold increase, not a six-fold increase.

Instead, the real problem here is the way that the application has to “wait” on either the network or the disk. One way to solve this waiting is to put the network portion on one thread, and the disk portion on another thread. That’s what Gulp does. It’s many times faster than Daemonlogger even on computers with only a single processing core.
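As an added illustration (my code, not Gulp's or Daemonlogger's), this Python sketch replaces the real capture and write calls with constructed sleeps. Even on a single core, the two-thread version finishes in roughly half the time, because the reader's wait overlaps the writer's wait, not because any CPU work runs in parallel.

```python
import queue
import threading
import time
from typing import Callable, List, Tuple

# Constructed waits: a packet logger blocks once waiting for the next packet and
# once waiting for the write to finish. Real numbers differ; the shape is the point.
NET_WAIT = 0.004
DISK_WAIT = 0.004

def read_packet(i: int) -> bytes:
    time.sleep(NET_WAIT)           # models blocking in the capture call
    return b"pkt%04d" % i

def write_packet(log: List[bytes], pkt: bytes) -> None:
    time.sleep(DISK_WAIT)          # models blocking in write()/fsync()
    log.append(pkt)

def log_single_threaded(n: int) -> List[bytes]:
    """Daemonlogger-style loop: every packet pays the network wait, then the disk wait."""
    log: List[bytes] = []
    for i in range(n):
        write_packet(log, read_packet(i))
    return log

def log_two_threaded(n: int) -> List[bytes]:
    """Gulp-style split: one thread reads, one writes, so the two waits overlap."""
    q: queue.Queue = queue.Queue(maxsize=64)
    log: List[bytes] = []

    def writer() -> None:
        while True:
            pkt = q.get()
            if pkt is None:        # sentinel: the reader is done
                return
            write_packet(log, pkt)

    t = threading.Thread(target=writer)
    t.start()
    for i in range(n):
        q.put(read_packet(i))
    q.put(None)
    t.join()
    return log

def timed(logger: Callable[[int], List[bytes]], n: int) -> Tuple[List[bytes], float]:
    """Run a logger on n packets and return (what it wrote, wall-clock seconds)."""
    start = time.perf_counter()
    log = logger(n)
    return log, time.perf_counter() - start
```

With both waits equal the pipelined version approaches n*max(NET_WAIT, DISK_WAIT) instead of n*(NET_WAIT + DISK_WAIT); a larger gap between the two waits, or a queue that absorbs bursts, is what turns "two threads" into more than a two-fold gain.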

Thursday, January 05, 2012

Internet is indeed a human right

Vint Cerf (former Founding Father of the Internet, and current Google lobbyist) says that Internet access is not a human right. He is profoundly wrong.

The gist of his argument is that the Internet is just technology. It’s how we use this technology (for things like speech) that is the human right, not the technology itself. That’s the wrong way to look at it. New technology adds new complications that require clarification.

That's what happened with the printing press. Our founding fathers chose to enshrine technology in our Bill of Rights, by saying that "Congress shall pass no law abridging the freedom of the printing press". The invention of the printing press revealed new rights, new concerns nobody cared about until the printing press appeared. It's difficult to list these new rights without reference to the technology that enabled them. Instead of "right to publish", it's just easier to simply say "right to printing-press".

Wednesday, January 04, 2012

Passwords: uniqueness, not complexity

Hacktivists recently broke into the StratFor website and dumped details of 800,000 accounts, including e-mail addresses and password-hashes. Since the password-hashes were simple MD5, it meant that almost all the passwords were easily cracked. People have looked at the passwords, and found that most people chose simple ones, such as "password123". This has led to articles like this one (Breach shows that even experts chose bad passwords) that claims "Security experts recommend building long, complex, case-sensitive passwords with multiple characters".

Nope. That's wrong advice. Your password for a free or cheap StratFor account doesn't need to be complex, because there is little to lose if hackers guess it.

Instead, what's important is that the password be unique. Most sites are like StratFor and have poor cybersecurity. (StratFor wasn't even close to good cybersecurity, they were horrible on almost any measure). Any information you give them, such as your password, will eventually get stolen by hackers. If you use the same password for all websites, then eventually hackers will break into one of those sites, then gain access to all your other accounts.
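Here is an added Python sketch (mine, not from the post or from any breach analysis) of the audit a password manager should run against the advice above: group a user's accounts by password to find reuse, compute the blast radius of a single site's breach, and check a constructed dump in StratFor's e-mail:unsalted-MD5 format against the user's own passwords. The vault, the dump lines and the site names are all constructed.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List

# Constructed vault of one user's accounts (site -> password). The weak, reused
# password models the "password123" habit the StratFor dump exposed.
VAULT: Dict[str, str] = {
    "stratfor.com": "password123",
    "forum.example": "password123",
    "webmail.example": "password123",
    "bank.example": "7Qm!vb3#Lp9zXw2r",   # long and, more importantly, unique
}

# Constructed "dump" lines in the breach's format: e-mail, unsalted MD5 hex.
DUMP_LINES = [
    "alice@example.com:482c811da5d5b4bc6d497ffa98491e38",  # md5("password123")
    "bob@example.com:5f4dcc3b5aa765d61d8327deb882cf99",    # md5("password")
]

def reuse_report(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Group sites by password; any group larger than one is a reuse problem."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for site, pw in vault.items():
        groups[pw].append(site)
    return {pw: sorted(sites) for pw, sites in groups.items() if len(sites) > 1}

def exposed_by_breach(vault: Dict[str, str], breached_site: str) -> List[str]:
    """Blast radius: which OTHER accounts fall when this one site leaks its passwords."""
    leaked = vault[breached_site]
    return sorted(s for s, pw in vault.items() if pw == leaked and s != breached_site)

def sites_in_unsalted_md5_dump(vault: Dict[str, str], dump_lines: List[str]) -> List[str]:
    """Unsalted MD5 lets one candidate be tested against every record at once.
    Used defensively: which of our own passwords already appear in the dump?"""
    dumped = {line.split(":", 1)[1].strip().lower() for line in dump_lines}
    return sorted(site for site, pw in vault.items()
                  if hashlib.md5(pw.encode()).hexdigest() in dumped)
```

The bank account survives the breach not because its password is complex but because it is shared with nothing else; every account sharing "password123" falls the moment any one of those sites leaks.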

Sunday, January 01, 2012

Predictions for 2012

We predict there is a more than 80% chance the Mayan calendar is wrong and the world will not end. Other predictions we have are:

Cloud

Cloud cloud cloud cloud cloud. Whatever products/services people come out with in the next year, they will position them as being perfect (or even necessary) for the cloud.

SCADA/ICS

How many cybersec experts does it take to change a lightbulb? Yes, SCADA/ICS systems are 15 years behind in terms of security, and yes, there is usually a path that can be found from the Internet to these systems, but no, there is no huge danger looming on the horizon. There will be no massive power blackout in 2012, and nobody will die from a provably malicious attack.

Cyber-war

The cyber-military industrial complex still needs more funding. Congress will pass more laws helping them.

Hacktivism

#Anonymous #LulzSec #AntiSec #OhMy

We'll see more lulz, but no important hacks will happen, like exposing the cyber-military industrial complex that created Stuxnet.