A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression. Case in point – the DPRK’s Red Star Linux distribution. In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines. One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data. The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.
The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.
This article from the Guardian claims that our friends in Redmond are cooperating with the NSA to give the spying agency access to all sorts of cloud-based comms and data as part of their 1984-esque PRISM collection program. The haul includes Skype audio, video, and chat messages, which were until recently thought to be resistant to eavesdropping.
It’s not often that I disagree with Bruce Schneier, one of the leading lights of the security world… however, I do have a teensy weensy bone to pick with him regarding one of his recent blog postings. A recent test conducted by the Department of Homeland Security on its employees found (to no one’s surprise) that people are prone to pick up unidentified USB drives and pop them into their computers with abandon, providing nefarious personages the ability to infect their systems with malware. Schneier took issue with the following quote from a security expert regarding the study:
Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg: “There’s no device known to mankind that will prevent people from being idiots.”
In Schneier’s view, the idiocy really rests with operating system manufacturers who allow their products to access untrusted USB devices without providing the user with any protection; the users are simply doing the best that they can under the circumstances. This is where I disagree.
While OS manufacturers should be doing a better job of securing their products against unknown USB devices, in the current situation users need to exercise extreme caution in what they stick into their computers’ USB ports. Until we have better tools to mitigate this risk, users have to play an active role in protecting themselves and their organizations from USB-borne threats. There has been a lot of news coverage (and at least at my organization, security awareness training) to let people know about the risks of USB devices of uncertain provenance. I happen to think that the people in my organization are smart (and good looking) enough to remember a few very basic security messages and behaviors needed to protect our systems and networks:
Don’t open links or files from strangers
Don’t open unexpected/strange links or files (that seem to be) from friends
Don’t take USB candy from strangers
Yes, I know that application of these rules will not provide 100% protection from malware, but following them will definitely mitigate the risks involved, which is really the best we can hope for at this time.
So, Bruce, you are still my hero, but I think we need to hold our colleagues to a slightly higher standard in terms of their role in protecting our computers and networks.
Oh, and as for Mr. Rasch’s “idiot” comment, I think he was a bit rough on users in terms of his choice of language. I would have said “boneheaded” or “Homer Simpson-like” instead. This is why I am beloved at my workplace.
Spear phishing has been in the news quite a bit lately – it seems like just about all of the recent high profile hacks began with someone clicking on a link or opening a document. Here’s a data point which seems to corroborate the innate sense of trust that leads people to do really stupid things. According to an entry in Bruce Schneier’s blog… in Istanbul, police dressed up as doctors, knocking on doors unannounced, were able to persuade 86% of subjects to take a pill. And this is after a rash of crimes in which people who are not police did the same thing, using powerful sedatives to disable victims and ransack their homes. My belief in knowledge of human psychology as the most powerful hacking tool remains strong. Or maybe there is something in the water in Istanbul…
I love the obituaries in UK newspapers… none of that namby pamby covering up of the dearly departed’s foibles or less than stellar achievements. This past week, the Telegraph ran a (sort of) tribute to Colonel Albert Bachmann who, in the words of the obit writer, “had reduced the Swiss military intelligence agency, in which he had mysteriously managed to rise to a senior role, to a state bordering on chaos, not to mention bankruptcy. So catastrophic was his impact that, when he was finally unmasked, many assumed he must be a double agent. He was not.”
While this was a loss for the good guys, it does provide security professionals with some valuable information. First, choosing a strong password (a long, non-dictionary word with special characters, numbers and the like) is still an integral part of good basic meat and potatoes security practice. Second, if the FBI is unable to crack a TrueCrypt-protected drive unless the user has chosen a boneheaded password, it seems like the program is a good and cost-effective choice for protecting personal data as well as in small business environments. The only thing missing for bigger business is some sort of key management and recovery scheme… sounds like an opportunity for an entrepreneurial crypto programmer.
End of July? Vegas? Security folk and shady folk in one place? Stifling heat? You know I’m there… (If anyone points out that “it’s a dry heat” I reserve the right to throw something heavy and possibly explosive).
I’m planning a Vegas double header this July, attending both Security B-Sides and DefCon. I’m planning to blog/tweet during the festivities and would love to meet up with any of my readers… dm me (@alberg) when you are there… and if you are not planning to attend, consider it – both of these events are great places to learn security-fu, meet your peers (as well as many people whom you would not typically meet up with), and for the corporate types amongst us (myself included), they are very cost effective uses of your training budget dollars.
The NSA is one of the most secretive of the US Government’s TLAs (three letter agencies), which makes sense since it is charged with intercepting, decrypting and analyzing communications for the intelligence community. However, in addition to its role in SIGINT, the NSA is also tasked with helping the government and private industry secure systems against cyber attack (information assurance). If you go to the agency’s web site, you’ll find a number of configuration guides which provide security advice for products such as computer operating systems, database servers, and Cisco routers. These guides are a great use of our tax dollars (IMHO) – they help protect government systems from attack and (with some modifications) are helpful to private industry. So why am I telling you this?
This week, we’ve seen some press wondering whether Microsoft and the NSA might have cooperated to place secret back doors in Windows 7 to allow the spooks to access all of our computers (as well as those of the bad guys). Hackles were raised when a senior NSA official testified before Congress that the agency had “assisted” Microsoft with security for the new OS release. According to the NSA and Microsoft, the assistance provided was limited to the production of a security configuration guide for the new OS and did not include any special access methods for the agency.
So, is Microsoft helping the NSA get access to millions of computers worldwide? Probably not… Microsoft would be risking its customer base worldwide if news of such a backdoor were to leak. But this incident does reveal a perceptual conflict in the NSA’s information assurance and SIGINT missions. Maybe it is time for the government to separate the jobs of protecting information and gathering information.
One of the issues that the private sector has with taking security advice from the NSA is the perception that the NSA is in the business of protecting (and swiping) state level secrets. After all, widget production figures don’t need the same level of protection as the nuclear launch codes. I think a lot of security professionals pass the NSA documents by because of this perception. What would be really great would be a separate release of private sector versions of these types of documents from a less ominous and more civilian oriented agency. For example, the Windows 7 Security Compliance Management Toolkit (which the NSA assisted in preparing) could be a starting point for much less complicated sets of instructions aimed at:
Small and medium sized businesses
Critical Infrastructure Providers
I’ll take this a step further… I would like to see these documents form the basis of a description of the minimum level of due care that any enterprise handling the information owned by others or controlling critical infrastructure must meet. Having some very basic standards (and some teeth to back them up) would do two things:
Provide incentives to enterprises to secure their systems
Provide a generally accepted security baseline
Provide small and medium-sized businesses who don’t have a high level of security expertise in-house with a clear and concise roadmap (and instructions) as to what they need to do.
I think that there would need to be private sector involvement in developing these documents, of course. It would be a large undertaking, but I think it would also be a large step in the fight against cybercrime and cyberwarfare.