Notatypewriter's Blog

Umm… what?

Posts Tagged ‘computer security’

Lecture Notes: UMD Cybersecurity Seminar “The Argument for Data-driven Security” by Prof Stefan Savage, UCSD


I attended a lecture (video) given by Professor Stefan Savage at the Google & University of Maryland Cybersecurity Seminar Series on the need for data in computer security.

He says the computer security field today is driven by patching or mitigating the vulnerability of the week. Presenters at the premier computer security conferences like Black Hat and DEFCON talk about their latest exploit. Savage says this approach is ineffective at actually keeping people secure. Savage proposes that viewing security problems through the lens of business and economics gives insight into how effective a measure really is at protecting against, or disrupting, the computer criminals and those who enable them.

Quickies:

  • Savage says that in the business context, the effectiveness of security is not a yes-no answer (Did it work?) but rather should be phrased as a cost-benefit analysis. By how much did a security measure increase costs for the bad guys? Does a security measure trash the investments the bad guys made in their infrastructure? In the case of takedowns, can the bad guys quickly switch to another provider of the services you just took down? Economics and business can help us understand mitigations.
  • I would tend to agree. His analysis of the spam ecosystem made sense, not that it has been put into practice… yet. I do agree with the need for more data.
  • Savage’s data collection infrastructure is massive and awesome. He claims to be able to view 1% of global Internet traffic. Thousands of instances of Firefox clicking on millions of spams. Dozens of Internet connections distributed across the world used to browse spammers’ sites. Automatic clustering and classification of illegal pharmacy sites to tie these sites to the affiliate marketer that made the site. Without this infrastructure, Savage’s research and ultimate recommendation would not have been possible.
  • “Before we had cloud, we had botnets.”
  • Apparently, bank scams can be run out of Iran. It wasn’t clear whether this was officially sanctioned, officially ignored, or just the result of lax enforcement.
  • Kill the illegal payment processors now.


Written by notatypewriter

2011 September 2 at 12:30 am

Things I learned today: apt, cron, and unattended-upgrades


Today, I noticed my dad’s desktop was not updating Flash, Chrome, Java, and other high-risk items, which was odd because I use unattended-upgrades on that computer. The last time I logged in was a few months ago, so… yeah. Pretty bad. For example, the Flash version was 10.3.181.14 and the current version is 10.3.181.34. Chrome was at version 11.0.696.68-r84545 (released 2011 May 13) and the current stable version is 13.0.782.107-r94237 (released 2011 August 2). The installed Java was 6.24 and the current version is 6.26. So, security holes galore.


Written by notatypewriter

2011 August 4 at 11:36 pm

Cybersecurity consultants don’t really care about your security #fb


I don’t get why privacy advocates and cybersecurity consultants are at each other’s throats. These two concepts are not complementary, not mutually exclusive. More secure code leads to better protection of the data being handled by that code.

No, I lie. I do get why.

Cybersecurity consultants are almost never peddling methods to detect insecure code; rather, they want to enable an attribution system. After all, selling one-off analysis solutions doesn’t make any money, and you have to spend a lot of money to employ smart people to make better tools. However, government contracts to develop and maintain hardware and software that large ISPs would be mandated to purchase, now that’s the money maker.

So I wish all these “cybersecurity experts” would change their job titles to something like “Internet attribution expert”. Then they would be easier to laugh at.

Never mind that attribution is a strategy designed to enable deterrence. Then these cybersecurity guys would like you to forget that deterrence really only works against nations that have something to lose (think Cold War). Deterrence doesn’t work against criminal organizations, lone wolf hackers (increasingly rare), or terrorist groups because these groups reside among civilians or hide out in countries where they are outside the reach of American law. Will a President order a Predator strike on a known hacker in Kazakhstan who has 11 million credit card numbers? I don’t think so. Bombs don’t work well against these small groups.

Not that deterrence worked all that well during the Cold War either. Look at all the people who died in the Korean War, the Vietnam War, the Soviet invasion of Afghanistan, etc. We just avoided nuclear war, but millions of people still died. That’s not the kind of deterrence I want to see.

Furthermore, attribution will only work if the attack is detected. The cybersecurity experts don’t tell you that there is no known way to tell when your system has been compromised by a well-designed piece of malware. You can’t trust the output your system is returning, so you need to bring in a known-good tool. (Please define known good. How do you know if your upstream is secure?) A well-designed piece of malware would hide so well that the victim would not realize anything has changed. And by then, you have already lost the game. Your systems are compromised and you can never trust them again.

The ONLY thing that will help in this fight to keep your data safe is to have better engineering, code, and interfaces. This means hiring well-educated CS majors (most of whom reside in expensive first world countries) and not outsourcing crap to China and India. (I’ve seen Indian code, and it is mostly crap. Kid you not.) It means paying for classes to keep your programmers up to date with the latest in software security. It means developing and enforcing security policies. It means funding and rewarding white-hat hackers to find vulnerabilities in systems. It means funding research into automatically detecting vulnerabilities.

This is expensive and the rewards are not very visible. But it’s the only correct path forward.

Written by notatypewriter

2010 September 28 at 6:35 pm

Posted in Nerding out


Second to last place is not good enough anymore


They say that if you’re running from a hungry bear, you only need to be the second slowest person in the group.

I’m taking a Secure Programming course and my professor said basically the same thing: that you only need to be marginally better than the worst guy to discourage many attacks. To put this into context, he was talking about using canaries to detect heap overflows. This would make your program slightly harder to exploit and you would hope an unskilled attacker would just move on.

Then, I was reading about how Google is redirecting its .cn site to .hk to route around censorship, and I was thinking about how we got here. Basically, Google claimed it was the target of a sophisticated hacking effort coming from the Chinese mainland, and at the very least tacitly approved by the PRC government.

Putting these two thoughts together, I’ve come to the conclusion that I don’t think my professor’s advice holds anymore in the era of the Advanced Persistent Threat (APT)*.

Written by notatypewriter

2010 March 22 at 8:26 pm
