Tag Archives: security

What really causes cyber outages?

WASHINGTON, DC—For years, the government and security experts have warned of the looming threat of "cyberwar" against critical infrastructure in the US and elsewhere. Predictions of cyber attacks wreaking havoc on power grids, financial systems, and other fundamental parts of nations' fabric have been foretold repeatedly over the past two decades, and each round has become more dire. The US Department of Energy declared in its Quadrennial Energy Review, just released this month, that the electrical grid in the US "faces imminent danger from a cyber attack."

So far, however, the damage done by cyber attacks, both real (Stuxnet's destruction of Iranian uranium enrichment centrifuges and a few brief power outages alleged to have been caused by Russian hackers using BlackEnergy malware) and imagined or exaggerated (the Iranian "attack" on a broken flood control dam in Rye, New York), cannot begin to measure up to an even more significant cyber-threat—squirrels.

Source: Who’s winning the cyber war? The squirrels, of course | Ars Technica

The ultimate fuzz testers.

If you take credit cards, you don't just sell hammers

Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”

via Ex-Employees Say Home Depot Left Data Vulnerable - NYTimes.com.

This NY Times piece on Home Depot's giant data breach pairs pretty well with the recent opening of a Planet Money episode on data security: Episode 568: Snoops, Hackers And Tin Foil Hats:

"One thing we've learned is the hackers always win. If what you do is have a lot of really valuable information in one place, and you try to secure it, you are going to lose."

- Moxie Marlinspike, TextSecure

Things we sometimes forget

Last night I was reading though the CiviCRM documentation, which is actually incredibly well written for tech docs. I came across the following, which stopped me in my tracks.

Data storage jurisdiction

As mentioned before, CiviCRM can be run from the server or from the cloud. When working with issues around human rights, or if an organisation is gathering sensitive information about a country's government or its officials, it is quite important to know where your data is stored. This is especially important when data is stored "in the cloud", when it's not obvious where the data is physically stored. Not getting into details, it might be good to have detailed information about where the servers are physically located, and which country's jurisdiction is used in case of governmental requests for information.

Other security concerns

It should be remembered that many successful attempts of unauthorised access don't have too much to do with IT systems security. It's often social engineering, physical access to server and client machines or using violence against people who have authorised access to data that are responsible for break-ins. Therefore, making sure that data is secure requires also extensive, on-going training of system users and making sure that they are familiar with all the necessary precautions.

Right. This software is getting used by organizations in countries where governments are actively trying to get this data to stomp out political unrest. While I'd still have to worry about security for my deployments, I don't have to worry about the worst of this. But for many people, in many parts of the world, this is a real and present danger.

That's important not to forget.

You can't fight fear with fear

A lot of people are upset about the TSA scanners, and I'm with them. It's ridiculous how burdensome flying is becoming for no appreciable safety increase. The most dangerous part of flying is driving to the airport. We surely aren't spending $8b to make that safer.

Unfortunately, a big part of the rallying cry is around "be afraid of the x-rays". I was surprised how many of my tech friends got wrapped up in this one, even though the available data suggests otherwise. The FDA has a pretty thorough write up about the process and testing for the scanners. I do get that people, in general, aren't interested in facts, but I was hoping that in a more educated and technical audience that wouldn't be as true. Running around saying "be afraid of x-rays" is the same kind of scare mongering as the TSA is using to put all these ridiculous enhanced security measures in place.

Fighting fear with fear just generate hysteria and stampedes, and drowns out all the rational conversation, the one that shows just how ineffective and invasive these scanners are.

It's time to rethink the TSA

I think Seth Godin gets to the heart of things around the TSA and the new scanners:

Smart marketers know how to pivot. I think it's time to do that. Start marketing the idea that flying is safe, like driving, but it's not perfect, like driving. If someone is crazy enough to hurt themselves or spend their life in jail, we're not going to stop them, and even if we did, they'd just cause havoc somewhere else. So instead of spending billions of dollars a year in time and money pretending, let's just get back to work.

The current model doesn't scale.

The TSA scanners suck, but not because of the radiation

I'm anti TSA back scatter scanner, but it's not because of the radiation, which is actually quite small. Coming in at a measure of 0.005 mrem, it's about 1/2 of what you get by eating a banana. If you live in a brick house you are getting at least 20x that radiation level every day.

I'm anti back scatter scanner because I think it's a 4th amendment violation, and that it's an incredibly expensive waste of money. That money could be better spent on kitchen safety, as kitchen appliances kill more people a year than terrorists do.

HTTPS Everywhere: interesting idea, terrible implementation

Last night I finally figured out why Amazon wouldn't let me view inside books, it was because I still had HTTPS everywhere enabled for amazon.  It's a neat idea to force your web session secure for sites that support it, but don't make it easy.  Good in theory... in practice not so much.

When I finally figured out that it attempted to work with Amazon I noticed that I had disabled all the sites I actually use in the tool.  Twitter is rediculously slow under https, like 1 minute to load a page slow.  Google images aren't searchable under https, so you don't see it on the sidebar as an option.  Some of the facebook javascript wasn't fetchable over https.  Wikipedia inbound search from google doesn't work if it's enabled.

It makes me wonder what part of the internet is used by the folks writing this addon, because it doesn't seem to be the same part that I'm using.

Air marshal arrest rates

Via Bruce Schneier:

Air marshals are being arrested faster than air marshals are making arrests.

Actually, there have been many more arrests of Federal air marshals than that story reported, quite a few for felony offenses. In fact, more air marshals have been arrested than the number of people arrested by air marshals.We now have approximately 4,000 in the Federal Air Marshals Service, yet they have made an average of just 4.2 arrests a year since 2001. This comes out to an average of about one arrest a year per 1,000 employees.

Now, let me make that clear. Their thousands of employees are not making one arrest per year each. They are averaging slightly over four arrests each year by the entire agency. In other words, we are spending approximately $200 million per arrest. Let me repeat that: we are spending approximately $200 million per arrest.

We're fearing fear quite a bit now

This theme can be found all over the web, especially among security folks.  Anyone that can do basic math can work out for themselves their chance of death from terrorists vs. their morning commute, for instance.  And yet, the underwear pants on fire guy, who caused no casualties, got weeks of media coverage.  Tom Engelhardt provides a good current summary:

Under the circumstances, you would never know that Americans living in the United States were in vanishingly little danger from terrorism, but in significant danger driving to the mall; or that alcohol, tobacco, E. coli bacteria,
fire, domestic abuse, murder, and the weather present the sort of
potentially fatal problems that might be worth worrying about, or even
changing your behavior over, or perhaps investing some money in. 
Terrorism, not so much.

Encryption, or lack there of, in military drones

There is a news story out there today about insurgents in Afganistan being able to use $26 worth of equipment to capture and record predator drone video reconnaissance.  At first I was pretty aghast by the following:

The potential drone vulnerability lies in an unencrypted downlink
between the unmanned craft and ground control. The U.S. government has
known about the flaw since the U.S. campaign in Bosnia in the 1990s,
current and former officials said. But the Pentagon assumed local
adversaries wouldn't know how to exploit it, the officials said.

But then I thought about it a bit more.  By the time Bosnia happened the internet was just a fledgling thing.  The spread of information and cheap wireless tech was still pretty limited, and beyond that I'm sure these were designed well before that time.  Having no encryption on the video signal was an oversite, but given the state of tech, and the risk, probably a reasonable call.

However the article ends with:

Today, the Air Force is buying hundreds of Reaper drones, a newer model, whose video feeds could be intercepted in much the same way as with the Predators, according to people familiar with the matter. A Reaper costs between $10 million and $12 million each and is faster and better armed than the Predator. General Atomics expects the Air Force to buy as many as 375 Reapers.

Even before finding laptops full of predator video in Afganistan, it's pretty clear that in this day and age you can't put any manner of sensitive information unencrypted through the air.  Point to point wireless, cellular tech, and even Satellite TV have all gone encrypted in the mean time.  It's a bit disconcerting that DishNetwork has better security than new drones that we are about to put out into the field.