CyberSpark Archives - Sky's Blog https://blog.red7.com/category/cyberspark/ Communicating in a networked world Mon, 02 Jan 2017 20:05:00 +0000

In the long run they’ll get you “in the code” https://blog.red7.com/get-you-in-the-code/ Wed, 11 Sep 2013 07:40:46 +0000

The post In the long run they’ll get you “in the code” appeared first on Sky's Blog.

Bruce Schneier says “Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted.” (read original)

What this means is that the theory behind something — in this case encryption using “hard” mathematics — may be very good, but the implementation can be full of “gotchas” — errors, omissions, faults — and that’s what will get you in the long term. He was specifically commenting on Edward Snowden’s revelations about the US National Security Agency and whether they can read all encrypted messages, but it can apply to many other software endeavors.

If you’re thinking of writing some software whose function is critical, and especially if lives depend on it, you have to be extremely careful with your implementation. And Open Source is a big plus because other eyes can look at your code and spot mistakes that you, as author, are likely to overlook.

So whatever you’re working on, be very, very careful with the implementation.

Private armies in cyberspace? A kill switch on the Internet? https://blog.red7.com/private-armies-in-cyberspace/ Wed, 14 Jul 2010 16:09:19 +0000

The post Private armies in cyberspace? A kill switch on the Internet? appeared first on Sky's Blog.

The government of the USA was constituted “to provide for the common defense” among other things.[1] Unfortunately the line between public responsibility and private responsibility for defense in cyberspace could be rather blurry.

Clearly when there is warfare in the physical world the combatants are also likely to utilize cyber tactics of some sort, even if only for informational or propaganda purposes, but more likely as powerful tactics to take down their target’s ability to respond quickly or in a focused manner. Because governments aren’t really equipped to handle these types of attacks, which would include attacks against private infrastructure, not just government systems, they’d have to rely on private companies, individuals and groups — essentially private armies — to deflect or thwart any attack.

There are some problems inherent in cyber attacks that make any kind of defense really tricky:

* During a cyber attack against private or military targets online, one might not be able to determine whether the attacker is civilian, criminal or military;

* Online citizen militias (hackers motivated by patriotism) could be impossible to distinguish from organized military cyber-attackers;

* Collateral cyber-damage to (or the freezing of, or interference with) the economic mechanisms that make daily life possible could paralyze large areas if not whole countries; the idea that a government (say the President of the US under the proposed cybersecurity bill) could shut down key elements of the Internet for up to 120 days without legislative recourse[2] could be more dangerous than the attacks themselves;

* An ISP in any particular country (say the US, for example) might be conflicted about whether to allow a sudden flood of traffic to pass through its network to “attack” some foe, or whether to stop that flood in order to preserve its ability to serve customers—in fact the ISP probably wouldn’t be able to tell the difference.

In a sense, were someone to “shut off the Internet,” which proponents say S 3480 does not allow, it would be suicidal, since the defenders would also lose their ability to communicate with each other and to thwart any attack. Turning off the Internet would not only deny your opponent a playing field, but would deny defenders the ability to respond. And the collateral damage would be that all financial, manufacturing, transportation and other systems that depend on the net would also shut down.

Lots of room for debate, but clearly governmental agencies and legislatures are beginning to think about the necessary means and the possible limits of their actions.


[1] We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defense, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

[2] The Protecting Cyberspace as a National Asset Act of 2010; some fear that this bill provides a “kill switch” the President of the US could use to “turn off” the Internet.

[-] US Appoints first Cyberwarfare General in guardian.co.uk

[-] EU Committee in UK on protecting Europe against large-scale cyber-attacks

Why “Shadows in the Cloud” should open your eyes https://blog.red7.com/shadows-in-the-cloud/ Fri, 09 Jul 2010 16:09:00 +0000

The post Why “Shadows in the Cloud” should open your eyes appeared first on Sky's Blog.

The public release of the document Shadows in the Cloud is important because this document contains some very important messages—stated very clearly—that haven’t really been said publicly before.

If you’re not a cyberspace expert and don’t care for geek talk, you may think it’s just another report on cyber espionage. But the messages are important for everyone. And my point is that they are very clearly explained!

Ron Deibert and Rafal Rohozinski, in their Foreword, point out that crime and espionage go together. Or that wherever one goes, the other is soon to follow.

They don’t say this directly—these are my words: Crime, espionage (and warfare) seep into the interstitial spaces of society and occupy any vacuum they find. And from there they can grow to occupy the whole of the space, like a mold, fungus, or rot.

What we are seeing in online attacks against free speech sites these days, particularly drive-by attacks[1], is that they do not seem to be politically or idealistically motivated; instead they are opportunistic and (presumably) economically motivated, because they’re focused on injecting spambots and trojans, not on altering the message of the nonprofit web site.


[1] See CyberSpark.net and click “drive-by” on that page

DDoS, EDoS, then “that bad aftertaste” https://blog.red7.com/that-bad-aftertaste/ Wed, 07 Jul 2010 16:09:06 +0000

The post DDoS, EDoS, then “that bad aftertaste” appeared first on Sky's Blog.

In early June, I was in a nice rainy East Coast US city for meetings dealing with particularly thorny issues related to ways the Internet experience is being killed off for regular folks—and for institutions (NGOs) that are promoting free speech and human rights. Over a small breakfast, I sketched in my book some notes about the progression of malware over time. Basically paralleling the development I describe in my site The Social Graph of Malware, malware has gone from simple and juvenile defacement of web sites to become sophisticated and bandwidth-hogging socially-engineered schemes designed to get people to fall for a purchase they didn’t want to make, or just to click a link to enroll their computer in a network of zombies poised to conduct nasty attacks on other people.

What strikes me as the next stage in targeted attacks[1] hasn’t really been spoken of much, and the attacks only began in earnest during mid-2009—it’s that I think we’re entering an era in which attacks will be positioned to create a “bad aftertaste” and thus kill off the visitor/audience for some big web sites. The attacks are, in a sense, damaging the reputation, good will, and the brand of the attacked sites.

These attacks take advantage of the Google Safe Browsing interface now available in Firefox and Chrome browsers, and the (new) BrightCloud toolbar for Firefox and for Chrome—both of which alert a web user that they are about to use a web site that could contain malware [see diagram]. A would-be site visitor is presented with one of these “warnings” and is dissuaded from viewing the site. (Once the site has been cleaned up, the warning disappears, and visitors may decide to click through and go to the site anyway, if they wish.) The problem is that you are left with the bad aftertaste of having gone to a legitimate site, seen this explicit warning, and you may decide never to go back even if the warning has been removed!

In prior years, attacks have been positioned to “take down” legitimate businesses by denying access to their sites [DDoS].[2] Soon it was discovered (and is not widely exploited yet) that if an attacker simply hammers a site so hard that the defending organization has to dedicate more resources (read “money”) to defense, they can wear down the organization by depleting its budget and even its “will to stay alive online.” This doesn’t work if the attacker is just exploiting a site to drive traffic to its own illegitimate sales site, but it does work if the attacker’s intent is to take the organization down.

I already see evidence of small to medium attacks of the economic sort, and predict that we will see far more of them during the remainder of 2010 and 2011. I am working with NGOs now to prevent this type of “bad aftertaste” attack trend, and will report on how it’s going as I gather more information and evidence.

To get a feel for how much this is happening, see the StopBadware and the BadwareBusters web sites (forums where people are discussing these attacks and their remediation).


[1] Many attacks taking place on web sites today are opportunistic rather than targeted, meaning that an attacker finds a web server that can be exploited and compromised and then uses it regardless of who it represents or affects. By and large, these attackers want to remain undiscovered, if possible, so the compromised server doesn’t get fixed any time soon. Therefore, it’s usually a “silent” attack with no immediately visible consequences on the web page.

[2] (Distributed) Denial of Service attacks bog down the target web servers so they can’t respond to legitimate requests from customers. They make it impossible to reach the business or organization. In some cases, the attacker asks for a “ransom” payment to stop the attack, in other cases they conduct a short-lived attack to make a protest or prove a point, and in some cases they continue their attack long enough to have a direct economic impact on the target.
