Category Archives: Security

‘Active Defense’ will Improve Cyber Security

Lately I’ve seen many articles about “active defense” and “hack back.” This is good because current defenses aren’t working and being in a constant state of defensive mode is not a lot of fun.  Something needs to be done.  The problem is many of these articles take a doomsday approach to the topic. 

Comments like “it’s illegal, you can’t do it,” “you will disrupt someone’s life support in a hospital,” “we will end up with vigilantes hacking back,” and many more do not facilitate a discussion but appear to seek to end the debate.  Many of the naysayers claim the only solution is law enforcement and more of it.  How many more police would be enough, and is this a realistic response?

Consider this: one person can command a million bot attack from the comfort of his living room; nation-states are training their people to use cyberspace to attack, steal, disrupt; and working for organized crime and terrorist groups pays much better than working a legitimate job in many countries.  So, what will it take to raise the stakes and make hacking a more risky business?

Active defense will actually improve security for those who consider it.  However, regardless of how the debate proceeds and no matter what the perceived outcome, companies are not likely to suddenly flip a switch and begin hacking back.  There are still too many variables and unknowns involved, e.g. risks, liability and legal issues.  There will continue to be much caution and debate, primarily since the law on this topic is so unsettled and at this point it is difficult to tell from one jurisdiction to the next how this activity will be perceived.

A company with any sense of corporate responsibility will attack this problem with a very cautious approach.  For instance, if your company is persistently attacked the first question is why and how.  Is the company being targeted for a particular reason or is your security so crappy that every hacker and his brother are using you as their playground? 

If your security is good (a relative term, because no matter who you are, your security can always be improved), you will likely take an escalated approach to the problem rather than jumping right in to hacking back.  During this escalated approach you should be collecting the intelligence necessary to evaluate the problem.

To use an analogy, let’s say you are in a combat zone and encounter a sniper.  In most circumstances you will not call in an airstrike on the sniper.  There are many factors to consider: where is he, what type of collateral damage may occur, what is the least amount of effort and resources necessary to take him out, and so on.  So, when facing a cyber-attack the same considerations apply:

  • Where is the hacker coming from;
  • What is his motive and end-state;
  • Based on the intel you have collected, what tools and techniques can you use;
  • What collateral damage may occur; and,
  • Since time and resources are money, what is the least time and resource intensive course of action you can take to resolve this issue?

Companies have too much to lose to take this lightly and jump forward without a very careful analysis.  It is this analysis that will inevitably lead to much better security and more focus on the problem.

Other questions for a company to ask are whether the attack is persistent or a one-time hit, and how much intel can be collected regarding the attack:

  • Can a motive be determined?
  • What are the source and means of the attack?
  • What is the potential location and/or identity of the attacker?
  • How many hops are there between your network and the attacker, what type of servers are they, and who owns those servers?
  • What is your end-state (block the attack, find the hacker, prevent further disruption, retrieve intellectual property/trade secrets, etc.)?
  • Finally, what are the risks, liability, and legal issues involved?

Any company that would attempt to hack back without ensuring that their security is good or better than average is just asking for trouble.  A lot of avenues of approach beyond the standard defenses currently employed exist for companies persistently attacked.  The fear mongering spewed in many articles over active defense and hack back will simply drive companies, which are persistently attacked and frustrated with the state of security, to go underground with their response, act in a haphazard manner, and hope they don’t get caught.

2012 CONSEGI Presentation: CyberFall

I presented “CyberFall: Active Defense 2012” (PDF, Article) at the Fifth Congress International Free Software and Electronic Government – Consegi 2012.

It is a matter of when, not if, your systems will be breached by attack. Many security experts argue against an active defense plan for fear of legal ramifications, harm to innocent bystanders or risk of failure. This presentation takes the audience through the heart of the debate; participants will learn key legal, ethical and business considerations to practice technical self-defense in cyberspace. The latest trends in threat innovation and actions are contrasted with conflict theory in order to offer the philosophical, political and economic framework of a successful active defense. As Carl von Clausewitz might say: “CyberFall is the continuation of political intercourse with the addition of other means”.

When: 11:30am, Friday, December 7, 2012
Where: Belém do Para, Brazil – Centro de Convenções e Feiras da Amazônia Avenida Dr. Freitas, S/N – Marco

Evolution VEVENT Errors with Google Read-Only Calendar

I’ve been submitting bugs far more often than usual since I moved to Ubuntu 12. Last week saw five or six in two days. At one point evolution gave me a segfault, and on restart my Google synced calendar went into read-only mode. I also couldn’t delete the calendar. Every time I started evolution I was given the dreaded “unable to read a vEvent” error:

No backend factory for ‘google’ of ‘VEVENT’

It was probably related to the crash. I was unable to find answers online for how to remove or repair the calendar, so the fix for me was to manually edit the calendar source in gconf and then re-configure it in evolution.

WARNING: Since editing gconf is destructive, be sure to have a backup of your evolution data before proceeding. You may lose everything if you do not back it up first.

To start, while not completely necessary, I reset evolution to its defaults to get a clean slate:

gconftool-2 --recursive-unset /apps/evolution

Next, run gconf-editor and navigate to “apps -> evolution -> calendar”. If you click on the “calendar” folder icon you should see “sources” in the right window under the name column.

Double-click on it and you will see the “Edit Key” window for /apps/evolution/calendar/sources.

Scroll through the values, find the XML entry for the Google calendar source, select it, and click Remove.

Then shut down evolution completely (including its background processes):

evolution --force-shutdown

Now you should be able to start evolution, re-configure the Google calendar settings and continue using it.

Apple’s map “errors could prove deadly”

The Australian police have been rescuing people who became stranded after blindly following Apple devices into unfamiliar wilderness and getting lost or stuck. A public warning has been issued to try to help avoid catastrophe:

“If it was a 45-degree day, someone could actually die,” Mildura’s Local Area Commander Inspector Simon Clemence told state broadcaster ABC.

“It’s quite a dangerous situation, so we would be calling for people not to use the new Apple iPhone mapping system if they’re travelling from South Australia to Mildura.”

Police said at least five vehicles had become stranded in the park after drivers followed directions on their Apple iPhones, some of them after being stranded for up to 24 hours without food or water.

It seems a bit extreme to tell people not to use the system at all. I’d have said use it with extreme caution or use it as a secondary device to local knowledge or recently verified information.

What the Australian incident coverage I have read fails to mention is that this is a long-standing problem. Not only are map devices prone to error, but local authorities have previously warned about people relying on them too much.

I have spoken about this many times when presenting on the security risks of Big Data. Integrity issues of the data that people rely upon are a major problem. Here’s the most recent version of a slide from my deck:

The tiny white URL at the bottom of the slide takes you to the story.

Three young women escaped the sinking Mercedes-Benz SUV after the vehicle’s GPS directed them down a boat launch and into the Mercer Slough in Bellevue, Washington.

The driver thought she was on a road while following her GPS unit just after midnight, but she was actually heading down the boat launch.

Just last year after a conference in Las Vegas I started driving through the vast desert to the south of Death Valley. I noticed warnings both from Garmin and from law enforcement about over-reliance on any electronic map. The most common problem, they explained at that time, was taking a turn onto a road that no longer (or never) existed and becoming stuck in the sand.

It was true. As I drove down roads narrowed by soft and dangerous shoulders I could see on my map several turns where there was nothing but drifting sand.

The real story, then, is that Apple is not doing enough to warn users of the risks of trusting its maps, leaving it up to small local community budgets to carry the weight of education as well as the rescue of outsiders arriving with flawed technology.

And it’s not just Apple.

This point was driven home to me (pun not intended) when I watched a Google speaker last week present on the future of big data applications. The presentation painted an almost nauseatingly rosy picture of transportation entirely dependent on their service. It was one of those moments when I knew the security industry was not being integrated enough and there would be a lot of work ahead.

Is there a song called “Let’s go everywhere man, only if we can get out again?”