Introducing: Transitive Trust


Transitive trust is when A trusts B, and B trusts C, A trusts C and probably doesn’t realize it.

Currently, the state of the art of network defense is so poor that hackers don’t bother designing transitive trust attacks. They just smash and grab systems, see what’s on the other side, and occasionally a system they’ve compromised gets plugged into something interesting.

When that happens, the victim traditionally howls about it being an incredibly sophisticated attack, probably from a nation-state. Because only nation-states launch sophisticated attacks. Because they buy sophisticated attacks from hackers, who …   wait… if the nation-states are buying tools from hackers that must mean the hackers have better tools than the nation-states, right?*

Anyway, the US Navy is now red-facedly admitting that it’s got a transitive trust bite: a contractor from HP who had a compromised laptop connected it to a US Navy network and blammo. The US Navy(A) trusts Hewlett Packard(B) and Hewlett Packard trusts the employee’s laptop(C). This was not a very sophisticated attack, in all likelihood. Some hacker woke up and checked the catch from a phishing campaign and discovered that they had hooked a minnow swimming in the middle of a great big bunch of tuna.

Things:

Unknown hackers compromised a number of the U.S. Navy’s computers and gained access to sensitive information, including names and social security numbers, of more than one hundred thousand current and former sailors, officials said Wednesday.

Hewlett Packard Enterprise Services has informed the Navy that at least one of the company’s laptops used by their employees, under a naval contract, was compromised. HP first notified the Navy on Oct. 22.

Thing 1: The Navy didn’t detect it. HP did. Apparently once that HP laptop was behind the firewall, on the Navy’s network, it was trusted. So HP had to tell them “one of our people screwed up.”

Thing 2: The Navy’s investigative service appears to have been able to identify that data was stolen, and how much. Judging from the number, “all of it” from a certain database.

Thing 3: If you’re running a network where any asshole that plugs in a laptop can parlay access to your employee database, your employee database is not set up right, and neither is the rest of your network. Back in the late 1980s Bill Cheswick used to call this “the hard shell around a soft chewy center” network architecture. Security people who understand security have been explaining why this is a bad idea for a very long time. It’s still a bad idea, but network engineers (and their bosses) still seem to operate in the mode that network engineering is “you stick the wire into the big Cisco box and if it turns green, you are good.” Breaking a network up by purpose and putting access controls and detection-points that trigger on access violations: nah, that’s hard.

I am seriously scared that having horrible security has become so normalized that organizations will begin adopting the strategy of “Whatever. We’ll just have one of our CSOs throw themself on their sword.” About a decade ago I was invited to meet with some people at a huge E-tailer about the job of CSO. As we talked I pretty quickly realized that that was what they wanted: a figurehead that could be chopped overboard if they needed someone to take a fall. So I asked, “what ability will I have to affect change?”  And that was the end of the courtship.

It’s so bad, and security is so lame – especially in the government – that the only people who generally take a fall for failures are a contractor or two, and (only after years of culpable negligence) a department head.

divider

In 1994 I explained it as:

One way to view the result of a firewall being compromised is to look at things in terms of what can
be roughly termed as “zones of risk”. In the case of a network that is directly connected to the Internet
without any firewall, the entire network is subject to attack. This does not imply that the network is
vulnerable  to attack, but in a situation where an entire network is within reach of an untrusted network, it
is necessary to ensure the security of every single host on that network. Practical experience shows that
this is difficult, since tools like rlogin that permit user-customizable access control are often exploited by
vandals to gain access to multiple hosts, in a form of “island hopping” attack. In the case of any typical
firewall, the zone of risk is often reduced to the firewall itself, or a selected subset of hosts on the network,
significantly reducing the network manager’s concerns with respect to direct attack. If a firewall is broken
in to, the zone of risk often expands again, to include the entire protected network; often a vandal gaining
access to a login on the firewall can begin an island hopping attack into the private network, using it as a
base. In this situation, there is still some hope, since the vandal may leave traces on the firewall, and may
be detected. If the firewall is completely destroyed, however, the private network is entirely in the zone of
risk, but can undergo attack from any external system, and the chances of having useful logging
information to analyze the attacks are very small.
In retrospect, I was wrong that attackers might “destroy” a firewall (take it offline)  “Firewall breaker” trojan horses
(what is now called “malware”) was a theoretical possibility Paul Robertson and I were kicking around in the firewalls mailing list by 1995. At that time we thought organizations would wise up and put egress blocks and controls in place, but the world wide web really put the kibosh on that idea. Today, most networks are built so that it’s trivial to bypass the firewall once you find a single sucker behind it, who’ll click on an attachment.

divider2

(* Take for example Dave Vincenzetti. Dave’s organization supposedly only sells to governments and police and I guess it depends on the color of your cash.)

Marcus Ranum, “Thinking About Firewalls“(1994)

Comments

  1. John Morales says

    Interesting if not controversial.

    BTW, your copypasta from 1994 with the lifefeed delimiters almost reads like beat poetry.

    (I’m sure you know, but many don’t that one can force ASCII characters within a Windows environment by using Alt-Keypad [decimal] numbers for the various codes. Linefeed is Alt-0-1-0)

  2. chigau (ever-elliptical) says

    So. Michael Crichton actually wrote documentaries.
    A series of lazy, dumbass, easily fixable errors got us here.

  3. Dunc says

    I am seriously scared that having horrible security has become so normalized that organizations will begin adopting the strategy of “Whatever. We’ll just have one of our CSOs throw themself on their sword.”

    And it’s actually getting worse… Note that in this case it was a company laptop that was compromised. OK, it was compromised, but the machine is at least theoretically under some kind of management… A lot of places are now operating “Bring Your Own Device” systems, where even that marginal level of control is thrown overboard. Hell, my phone is connected to my office WiFi network right now…

    People would rather be cheap and lazy than secure.

  4. Pierce R. Butler says

    Unknown hackers compromised a number of the U.S. Navy’s computers and gained access to sensitive information, including names and social security numbers, of more than one hundred thousand current and former sailors, officials said Wednesday.

    Hrrrm. The personnel data loss could easily turn into hard-to-sweep-under-the-rug ID $henanigan$, so they probably had to divulge that. Other, more strategic information (e.g., “Why the big increase in anti-aircraft systems training, comrade?” that might have slid out might not require such candor.

    Once upon a late-20th-century time, our Pentagonic protectors had a lovely nerdy vision of running everything with a single integrated language. My quick net search failed to turn up anything about how far that quest actually got, but I note with some dismay that the Wiki Ada article uses the string “secur” only once, in a book title citation…

  5. EigenSprocketUK says

    My last employer: every manager in the HR dept had access to all 2000 employees’ full details (even if they didn’t need it or didn’t work in that department) because it was all on one massive excel spreadsheet with one password. Ugh.
    Yes, they were very good at excel. But they were not security-savvy.
    One compromised laptop … and the rest would have been an easy task to crack the excel spreadsheet password offline. (Or just social-engineer a reminder from a colleague of the person with the compromised laptop.)

  6. says

    John Morales@#1:
    BTW, your copypasta from 1994 with the lifefeed delimiters almost reads like beat poetry.

    Yeah, I wasn’t sure what it would look like on a smartphone. The answer is “bad” — blockquote is generally a bad idea, but I figured since I was lifting directly from the paper, I’d just do it and see.

  7. says

    chigau@#2:
    So. Michael Crichton actually wrote documentaries.
    A series of lazy, dumbass, easily fixable errors got us here.

    Chrichton has been amazing at being on the front edge of a lot of new stuff, and novelizing it. I’ve never enjoyed his writing much, but his aggressiveness is impressive.

    Yes, it’s a series of lazy dumbass easily fixable errors. It’s even worse than it sounds:
    https://www.youtube.com/watch?v=o59mQhBiUo4
    is a talk I did on this topic back a decade or so ago.. The premise is that many of the security problems we have today – and billions of dollars – could have been saved with a few well-placed software upgrades. That remains the case.

    Why Navy is letting contractors plug machines that have been off their network, into their network, I do not know. Probably they just roll over and take it because enforcing network access controls is, you know, hard.

  8. says

    Dunc@#3:
    A lot of places are now operating “Bring Your Own Device” systems, where even that marginal level of control is thrown overboard. Hell, my phone is connected to my office WiFi network right now…

    A lot of organizations have adopted “BYOD” policies without thinking through what BYOD means. It’s incredibly dumb. The results, in the next decade or so, are going to be as expected: more data leakage, more compromised networks, more managers saying “we can’t believe this happened to us!!!”

  9. says

    EigenSprocketUK@#5:
    My last employer: every manager in the HR dept had access to all 2000 employees’ full details (even if they didn’t need it or didn’t work in that department) because it was all on one massive excel spreadsheet with one password. Ugh.

    Ugh, indeed.

    There are excel password brute-forcers that cost $19 and can crack most spreadsheets in a couple days of crunching.

  10. says

    Pierce R. Butler@#4:
    Once upon a late-20th-century time, our Pentagonic protectors had a lovely nerdy vision of running everything with a single integrated language.

    I lived through that. And almost started to teach myself ADA, thinking it’d be interesting. Then, I discovered that there weren’t really any development toolchains for the language. The DoD standardized on it in advance of its actually fully existing. It was the F-35 of programming languages.

    The nail in the coffin was that the DoD allowed waivers from the ADA requirement. It was much easier to get a waiver than to code everything in ADA so everything was waived.

  11. Dunc says

    A lot of organizations have adopted “BYOD” policies without thinking through what BYOD means. It’s incredibly dumb.

    I think they get as far as “we don’t need to buy people the tools to do their jobs!” and faint with the excitement.

Leave a Reply