» Archive for the 'Network Security' Category

Cyberthreats all the way down

Thursday, April 9th, 2009

If existence is turtles all the way down, then when it comes to technology and linked infrastructure, John Robb’s latest thought is Cyberthreats all the way down. There’s no good way to excerpt it, so you’ll have to just go read it. But that’s not a Bad Thing.

Still, as you read it, consider that the same statements also apply to each component of the infrastructure, with generally only syntactic tuning. Within a government or corporate entity, the same framework holds true. Within a business unit. Within a department. On a workstation. Within an application. Within a .dll or .so. And so on.

Trust Storm

Monday, January 12th, 2009

Courtesy of Heise, we learn details of flaws that researchers have found in the Storm Worm botnet.

The whole article is interesting, but I found this most interesting:

Using this background knowledge, they were able to develop their own client, which links itself into the peer-to-peer structure of a Storm Worm network in such a way that queries from other drones, looking for new command servers, can be reliably routed to it. That enables it to divert drones to a new server. The second step was to analyse the protocol for passing commands. The researchers were astonished to find that the server doesn’t have to authenticate itself to clients, so using their knowledge they were able to direct drones to a simple server.

What kind of savant goes to all the trouble of building a worm as sophisticated as Storm and then leaves out authentication? This sort of thing is why I still hold out hope for the future of computing–the Bad Guys can make just as serious dumb moves as the rest of us.
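To make the missing piece concrete, here is an added example (mine, not Storm’s real protocol and not from the Heise write-up): a drone that takes any peer’s word for its new command server, next to one that pins the operator’s public key and honours only signed redirects. The messages, server names and sequence numbers are constructed. The signature scheme is a Lamport one-time signature so the example runs on the Python standard library alone; a real design would use Ed25519, and a Lamport key must never sign twice.

```python
"""Added example, not Storm's actual protocol: unauthenticated vs. signed C2 redirects."""
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Private key: 256 pairs of random 32-byte preimages; public key: their hashes.
    Only the public half ships inside the drone, so pulling key material out of a
    captured drone gives a researcher nothing they can sign with."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    """Reveal one preimage per bit of SHA-256(msg). One-time only: signing a second
    message with the same key would reveal the other half of many pairs."""
    digest = int.from_bytes(_h(msg), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    digest = int.from_bytes(_h(msg), "big")
    return all(_h(sig[i]) == pk[i][(digest >> (255 - i)) & 1] for i in range(256))


def redirect_payload(cmd: dict) -> bytes:
    # Bind the signature to the server name AND a sequence number, so a captured
    # redirect cannot be replayed after the operator has moved on.
    return f"redirect|{cmd['server']}|{cmd['seq']}".encode()


def drone_unauthenticated(state: dict, cmd: dict) -> dict:
    """What the researchers describe: whoever answers the lookup wins."""
    if cmd.get("type") == "redirect":
        return {"server": cmd["server"], "seq": cmd["seq"]}
    return state


def drone_authenticated(state: dict, cmd: dict, operator_pk) -> dict:
    """Hardened drone: honour a redirect only if it carries a valid operator
    signature and a sequence number newer than the last one accepted."""
    if cmd.get("type") != "redirect":
        return state
    if cmd.get("seq", 0) <= state["seq"]:
        return state  # replayed or stale command
    if not lamport_verify(operator_pk, redirect_payload(cmd), cmd.get("sig", [])):
        return state  # unsigned or tampered: ignore, keep talking to the current C2
    return {"server": cmd["server"], "seq": cmd["seq"]}


def demo():
    """Run both drones against constructed messages; returns the server each ends on."""
    op_sk, op_pk = lamport_keygen()
    start = {"server": "c2.example", "seq": 0}

    # A rogue peer (the researchers' client) injects an unsigned redirect.
    rogue = {"type": "redirect", "server": "sinkhole.example", "seq": 1}
    hijacked = drone_unauthenticated(start, rogue)["server"]
    resisted = drone_authenticated(start, rogue, op_pk)["server"]

    # A genuine operator redirect, signed with the key only the operator holds.
    genuine = {"type": "redirect", "server": "c2-new.example", "seq": 1}
    genuine["sig"] = lamport_sign(op_sk, redirect_payload(genuine))
    moved = drone_authenticated(start, genuine, op_pk)["server"]

    # The rogue peer relays the signed command but swaps in its own server name.
    tampered = dict(genuine, server="sinkhole.example")
    after_tamper = drone_authenticated(start, tampered, op_pk)["server"]
    return hijacked, resisted, moved, after_tamper


if __name__ == "__main__":
    print(demo())
```

The unauthenticated drone ends up on the sinkhole; the hardened one ignores both the unsigned redirect and the relayed-but-altered one and only follows the command whose signature checks out. The sequence number is what stops a captured redirect from being replayed later.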

Excellent observation on why VoIP is a security nightmare

Wednesday, October 1st, 2008

In his excellent essay on the security issues with VoIP, “The Wild World of VoIP,” Wes Brown, a researcher at Matasano, reminds us that

Many of these protocols are derived from older digital switching stuff such as Signaling System 7. And the mindset that comes from completely controlling the communications mechanism carries over, creating huge exposures. These systems were never designed to be on an open untrusted network, and the inheritors of these legacy protocols are essentially digital switching carried over IP instead of the control channel of a T1. There are plenty of issues to be found during testing because of this.

Quite often, the most significant risks in any situation are both inherent and largely beyond our ability to control. The origins of VoIP in protocols that were never designed for an insecure environment are a great example of this. Any attempt to bolt security on later will be hampered accordingly. This means that we either cannot mitigate the risk, or must effectively re-create the old environment.

In the case of VoIP, this would mean using a separate wiring and switch fabric (for an office or enterprise deployment), which destroys much of the cost-avoidance benefit of deploying VoIP, and not allowing soft phones or unified communications features, which in turn wipes out all the interesting features and destroys the value proposition of enabling a more agile workforce.

So what we’re left with is risk acceptance (aka “hoping nothing bad happens”) or the status quo.

I love VoIP as an enabling technology for mobile workers like myself, but I’m also consistently disappointed with the lack of security mindset that so many vendors still seem to possess.

Monumentally stupid

Thursday, February 21st, 2008

This may be one of the worst ideas I’ve heard in a long time.

Cary Sherman of the RIAA…[is]…trying to convince other industries to step up and help the entertainment industry as well. His latest, as pointed out by Broadband Reports, is that one possibility would be for anti-spyware/anti-malware applications to also watch for the transfer of unauthorized copyright material. Sherman suggests that this would be one way to get around the question of people simply encrypting traffic to avoid ISP filters.

The original TechDirt piece does a fine job of explaining how it is not the job of others to break their products to help prop up a broken business model, and I wholeheartedly concur. As a general rule, if your business model needs people beyond your influence to change what they’re doing in a manner that’s not in their own best interest, then you’re the one with the broken model.

Fortunately, I think that the risk of this actually happening is close enough to zero that I can just laugh at the absurdity of it all and maybe have some fun batting it around like a cat with a toy mouse.

I mean, what better example could you provide of how not to solve a problem? Ignoring the fundamentally shifting business landscape for music (micro-targeting, the Internet breaking the radio+record company cartel, etc.) and instead trying to screw up the new distribution mechanisms is just silly.

All that tying an evil-and-unnecessary thing to an irritating-but-necessary thing (if you run Windows) does is reduce the effectiveness of the irritating-but-necessary thing, since you now create a strong disincentive for some of the most at-risk people (in this case, downloaders) to use the product.

Knowing what you don’t know

Monday, June 11th, 2007

Security, as we all (should) know, is a people problem. Throw a little bit of technology into the mix and it can get messy in a hurry. I’ve got two interesting tales of security woe today, both addressing the role of people and, more specifically, how the interaction of people and technology leads to trouble.

First, consider the case of a Powerpoint presentation from the Office of the Director of National Intelligence:

Terri Everett of the Office of the Director of National Intelligence gave a Powerpoint presentation which was also hosted online. Unfortunately, some data behind his pie charts revealed rather more than intended. Writer R.J. Hillhouse found that she could open the chart object and extract the numbers from within. The result is that she (and all of us, thanks to her blog) now know that the budget of the 16 US intelligence agencies is 25% more than previously thought - $60 billion.

Oops. For some reason, people often fail to comprehend that data-driven tools (such as graphing controls) are backed by data, and that unless they explicitly sever that relationship (for example, by copying and pasting the values they want to use into a new document), the underlying data from which they distilled their pretty pictures is still there, either directly or indirectly.
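As an added example (mine, not from the original post or from Hillhouse’s write-up), here is the “open the chart object” step done without Office. A .pptx is a zip; each chart lives in ppt/charts/chartN.xml and carries a numCache of the values it was drawn from, frequently alongside the full source workbook under ppt/embeddings/. The deck below is constructed in memory with made-up figures and program names; the point is the structure, not the data.

```python
"""Added example: recover cached chart values and embedded workbooks from an OOXML file."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CHART_NS = {"c": "http://schemas.openxmlformats.org/drawingml/2006/chart"}

# Constructed chart part (fictional numbers) in the shape PowerPoint writes.
CHART1_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart">
 <c:chart><c:plotArea><c:pieChart><c:ser>
  <c:tx><c:strRef><c:f>Sheet1!$B$1</c:f><c:strCache>
   <c:pt idx="0"><c:v>Spend (constructed)</c:v></c:pt></c:strCache></c:strRef></c:tx>
  <c:cat><c:strRef><c:f>Sheet1!$A$2:$A$4</c:f><c:strCache>
   <c:pt idx="0"><c:v>Program A</c:v></c:pt>
   <c:pt idx="1"><c:v>Program B</c:v></c:pt>
   <c:pt idx="2"><c:v>Program C</c:v></c:pt></c:strCache></c:strRef></c:cat>
  <c:val><c:numRef><c:f>Sheet1!$B$2:$B$4</c:f><c:numCache>
   <c:pt idx="0"><c:v>27.5</c:v></c:pt>
   <c:pt idx="1"><c:v>18.0</c:v></c:pt>
   <c:pt idx="2"><c:v>14.5</c:v></c:pt></c:numCache></c:numRef></c:val>
 </c:ser></c:pieChart></c:plotArea></c:chart>
</c:chartSpace>"""


def build_sample_pptx() -> bytes:
    """Minimal zip shaped like a .pptx: one chart part plus an embedded-workbook stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/charts/chart1.xml", CHART1_XML)
        z.writestr("ppt/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"PK-stub")
    return buf.getvalue()


def extract_chart_data(ooxml_bytes: bytes) -> dict:
    """Return every chart series' cached points and any embedded workbooks.
    Works for .pptx, .docx and .xlsx alike; only the folder prefix differs."""
    result = {"charts": [], "embeddings": []}
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for name in z.namelist():
            if "/embeddings/" in name:
                result["embeddings"].append(name)  # the full source workbook, if present
                continue
            if not re.search(r"/charts/chart\d+\.xml$", name):
                continue
            root = ET.fromstring(z.read(name))
            for ser in root.iterfind(".//c:ser", CHART_NS):
                tx = ser.find("c:tx", CHART_NS)
                cat = ser.find("c:cat", CHART_NS)
                val = ser.find("c:val", CHART_NS)
                title = tx.findtext(".//c:v", default="", namespaces=CHART_NS) if tx is not None else ""
                formula = val.findtext(".//c:f", default="", namespaces=CHART_NS) if val is not None else ""
                cats = [v.text for v in cat.iterfind(".//c:pt/c:v", CHART_NS)] if cat is not None else []
                vals = [float(v.text) for v in val.iterfind(".//c:pt/c:v", CHART_NS)] if val is not None else []
                result["charts"].append({
                    "part": name, "series": title, "source": formula,
                    "points": list(zip(cats, vals)), "total": sum(vals),
                })
    return result


if __name__ == "__main__":
    print(extract_chart_data(build_sample_pptx()))
```

The cached values survive even when the embedded workbook has been removed, so “deleting the spreadsheet” is not enough; pasting the chart as a picture, or retyping only the figures you mean to publish, is what actually severs the link.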

But the problems don’t stop there. A critical eye and a fundamental understanding of the system that the data is modeling can catch all sorts of interesting opportunities.

For example, a couple of years ago I was reviewing the results of our annual employee satisfaction survey. The information included not just my department, but the totals for each department in the entire group up through the CISO.

I noticed that there seemed to be an off-by-one error in one of the results, and realized that it wasn’t an error, but rather that the CISO’s answers had been included in the totals (“x people rated us a 1, y people rated us a 2 on it,” etc.) as an unlisted one-person department! It therefore became trivial to extract his “confidential” answers to the entire survey.

Fortunately, the survey had not been widely distributed yet (and most people who had a copy hadn’t looked hard enough to notice this), but even so HR was loath to withdraw and re-issue every report that was vulnerable to this simplistic Data Mining Attack.
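The attack itself is just subtraction. As an added example (mine, with constructed figures and department names, not the real survey), subtract every listed department’s per-rating counts from the group totals; whatever is left over is the unlisted respondent, and when the residual is exactly one response per question, that is one person’s complete questionnaire.

```python
"""Added example: differencing attack on per-department survey subtotals (constructed data)."""

# Group totals per question: how many people gave each rating from 1 to 5.
GROUP_TOTALS = {
    "Q1": {1: 2, 2: 5, 3: 9, 4: 6, 5: 1},
    "Q2": {1: 1, 2: 3, 3: 8, 4: 8, 5: 3},
    "Q3": {1: 0, 2: 5, 3: 7, 4: 7, 5: 4},
}

# Per-department breakdowns as printed in the report. The CISO's own answers
# are rolled into GROUP_TOTALS but no department lists them.
LISTED_DEPARTMENTS = {
    "Security Engineering": {
        "Q1": {1: 1, 2: 3, 3: 4, 4: 3, 5: 1},
        "Q2": {1: 0, 2: 2, 3: 5, 4: 4, 5: 1},
        "Q3": {1: 0, 2: 2, 3: 4, 4: 4, 5: 2},
    },
    "Security Operations": {
        "Q1": {1: 1, 2: 2, 3: 5, 4: 2, 5: 0},
        "Q2": {1: 1, 2: 1, 3: 3, 4: 4, 5: 1},
        "Q3": {1: 0, 2: 2, 3: 3, 4: 3, 5: 2},
    },
}


def recover_unlisted_responses(group_totals: dict, listed_departments: dict) -> dict:
    """Return {question: {rating: count}} for everyone counted in the totals
    but absent from the listed breakdowns."""
    residual = {}
    for question, totals in group_totals.items():
        left = dict(totals)
        for dept in listed_departments.values():
            for rating, n in dept[question].items():
                left[rating] -= n
        if any(n < 0 for n in left.values()):
            raise ValueError(f"{question}: listed counts exceed the group total")
        residual[question] = {r: n for r, n in left.items() if n}
    return residual


def hidden_individual_answers(group_totals: dict, listed_departments: dict) -> dict:
    """Collapse the residual to one rating per question where exactly one
    response is unaccounted for; None where the leftover is more than one person."""
    answers = {}
    for question, counts in recover_unlisted_responses(group_totals, listed_departments).items():
        answers[question] = next(iter(counts)) if sum(counts.values()) == 1 else None
    return answers


if __name__ == "__main__":
    print(hidden_individual_answers(GROUP_TOTALS, LISTED_DEPARTMENTS))
```

The fix on the reporting side is the one statistical-disclosure people have used for decades: never publish a breakdown whose cells (or whose difference from the totals) fall below a minimum group size; pool the one-person “department” into its parent or suppress it entirely.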

Next, carrying forward the theme of the importance of knowing how much you do or don’t know, there’s a tale of social engineering gone horribly wrong. For a little background, Steam is a combination online community and license key management application that Valve Software, a major game developer, built to support their online games and (eventually) to roll some fairly DRM-ish anti-piracy features into their products.

Their technology is good enough that social engineering has become the preferred method of stealing keys. Of course, it works better for some than others, and so our story begins…

Greg_ValveOLS says:
my name is greg a member of the valve online Support team

br0kenrabbit says:
On MSN?

Greg_ValveOLS says:
yes :)

br0kenrabbit says:
Why?

Greg_ValveOLS says:
we logged multiple ips from your account and ned to verifi your information

br0kenrabbit says:
My information?

Greg_ValveOLS says:
we believe someone may have stolen your account mmmm you havent shared youre account infomation with anyone have you?

I won’t endorse the final outcome of the conversation, but needless to say, social engineering can be kind of like picking a fight in a bar–you won’t know just who you’re up against until it’s too late.

They’re on to us…

Wednesday, May 30th, 2007

The Inquirer has some commentary which includes a nice rant about the economics of the security industry today.

Whose interests are really threatened by cybercrime? Well, certainly not the software makers, the chip makers, the hard disk makers, the mouse makers, and least of all the virus busters and security firms which daily release news of the latest “vulnerabilities” plaguing the web.

No, the victims are the poor users. Not that they’re likely to have their identity stolen or their bank account plundered or their data erased by some malicious bot or other. The chances of that happening are millions to one.

No, what they are forced to do is continually fork out for spam-busting protection, for “secure” operating systems, for funky firewalls, malware detectors or phish-sniffing software. All this junk clogs up their spanking new PC so that they continually have to upgrade to newer chippery clever enough to have a processing core dedicated to each of the bloatsome security routines keeping them safe while they surf.

It’s a con, gentlemen. A big fat con.

No one has a business interest in catching identity thieves or malware writers. There’s no money in it, so no-one’s bothered.

There’s too much money to be made in solving the problems to actually eliminate them. No amount of software security liability is going to change that fact. The Legal OODA Loop is orders of magnitude too slow to keep up with the situation on the ground, the concepts are still too esoteric to lawyers and judges, and the entrenched interests are too well-funded.

You manage the risks this world brings and you go on. That’s all there is to it.

Selling (in)security

Tuesday, May 29th, 2007

It’s been said that the first step to solving a problem is realizing you have one. Fortunately, problems can be anywhere; you just have to look. And ignore fundamental precepts of logic such as “you can’t prove a negative.” And avoid awkward topics like “math” and “science.”

Thus the beauty of Silent Blinking Death.

A hole in the sea

Monday, October 30th, 2006

A little bit of thought food from DamnInteresting about Rogue Waves :

Over the years experienced captains have made very credible reports of meeting behemoth waves which appear spontaneously, cause extensive damage to their ships, and shrug back into the sea just as mysteriously as they had appeared. One account describes the appearance of a giant wave trough which onlookers likened to a “hole in the sea”, followed by a twelve-story-tall “wall of water.” To further compound the mystery, some such waves have been said to appear mid-ocean, and often in calm weather.

Wow, very scary. But not to worry, the computer models say that while rogue waves are an extremely high impact event, they’re also extremely unlikely.

Despite these and other encounters with rogue waves, scientists long rejected such claims as unlikely. Anecdotal evidence is often unreliable, so researchers used computer modelling to predict the likelihood of such massive waves. Oceanographers’ findings indicated that waves higher than fifteen meters were probably very rare events, occurring perhaps once in 10,000 years.

Unfortunately, reality would beg to differ.

More recently, satellite photos and radar imagery have documented the existence of numerous rogue waves, and it turns out that they are far more common than previously thought. During a three-week study in 2001, radar scanning detected ten monster waves in a 1.5 million square kilometer area. Satellites and direct observations have also established that rogue waves can happen anywhere, but they are most numerous in the North Atlantic and off the western shore of South Africa. In spite of their frequency, monster waves rarely meet with sea vessels because they are so short-lived.

How do you manage this risk? Well, so long as you’re not the actual guy on the ship, you transfer it with insurance. But which data set are the insurance rates being set on? If it’s the computer models, then the risk is being underpriced, which is good for the ship owner protecting his investment, but bad for the insurance company writing the policy. If the two data sets differ enough, the ship owner may find that the insurer’s default risk has replaced the rogue wave risk, so that he is effectively paying premiums to retain the original risk.

In the IT Security world, people play these games all the time. We like to think that we’re the shipowner, managing our risk based on the information from our Security Event Management Systems or based on models that we adjust over time. In reality, though, we’re that guy on the ship, looking out across the horizon and hoping for yet another day when we don’t meet the “hole in the sea.”

Just in time for Halloween, a new bogeyman

Tuesday, October 17th, 2006

Cnet has an article on the topic of “The future of Malware” and basically, it’s all about the 0days.

Widespread worms, viruses or Trojan horses spammed to millions of mailboxes are typically not a grave concern anymore, security experts said at the Virus Bulletin conference here Thursday. Instead, especially for organizations, targeted Trojan horses have become the nightmare scenario, they said.

I lose sleep over a lot of things, but this is not one of them. Fortunately (for me, at least), the article puts it in perspective:

Targeted attacks are, at most, a blip on the radar in the big scheme of security problems, researchers said. MessageLabs pulls about 3 million pieces of malicious software out of e-mail messages every day. Only seven of those can be classified as a targeted Trojan attack, said Alex Shipp, a senior antivirus technologist at the e-mail security company.

Seven emails out of 3 million pieces of malware blocked per day across the entire MessageLabs customer base (more than 13,000 businesses around the world, with 5 million users, according to their Web site). That’d need to be a damn high impact (like infecting the CEO’s PC and actually stealing something valuable) to be an unacceptable risk, and the likelihood (assuming randomness, which may be a bad bet) is lower than the odds that he’ll lose his hard drive on any given day.

Even so, the odds that your CEO will even be targeted are still pretty damn low: seven a day spread over 5 million users is roughly 1 in 2,000 per user per year. Even if every one of those seven daily attacks landed on a different one of the 13,000 businesses, a given company would see one about once every five years. I don’t know about you, but I’ve got a lot more to worry about than a once-in-five-years chance that my CEO is going to receive targeted malware.

The last security analogy you’ll ever need

Wednesday, October 11th, 2006

Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven’t previously considered and accounted for.

Yes, (bad) security analogies are a pet peeve of mine. Analogies are defended as a mechanism to help people begin to understand a concept. Mostly, however, they seem to be used as an alternative to understanding a concept.