Recently I was invited to do a talk for the Minnesota ISSA at their June chapter meeting; I hope they don’t regret it.
If you haven’t done conference speaking, the routine is usually that you get contacted with an invitation, say “yes” or “no”, nail down a date and time, then ask “what is my topic?” Then, you get a vague idea what the conference is about (if it has a theme) and propose a few titles for some possible talks. After some back and forth (usually the program committee approves or disapproves the talk title) it’s on.
The organizers suggested I do a talk on “Who Can You Trust?” – in the sense of what system vendors, systems, cloud services, were trustworthy. I suggested that I invert it and just do a quick walkthrough of organizations that can’t be trusted. Spoiler: none of them can be trusted.
In security, the term “trust” is a magic word. “Trust” only makes sense in terms of a threat model – what are you afraid of happening and what are its consequences? Once you have a threat model, then you can decide if the system is trustworthy in terms of that threat model. Traditionally, the internet security threat model has been “keep the hackers out,” but then around 1996 something started to change: there were foreign hackers. My suspicion is that the US government started worrying about having its systems compromised by other state powers at around the same time that it began successfully compromising the systems of other state powers. In general, when the US government starts loudly worrying that someone might do something to them, it’s because they are doing it to someone else. In case that sounds like paranoid conspiracy theory, go look up the very credible accounts of the NSA’s compromising of encryption systems from Crypto AG [wapo] – old cold war stuff. The CIA also ran successful operations producing subverted Xerox copy machines (which kept a copy of each copy) that were made available to the USSR. One of the seminal papers in computer security was Roger Schell’s paper on subversion [schell], in which he proposed that systems be designed using trusted computer operating systems – software constructs that would monitor the hardware and prevent it from being subverted. [This triggered a long-lasting battle in security between those who believe that is a) possible, b) practical, c) capable of performing adequately, d) cost practical.] Schell’s concern was the design of the communications network for the US Air Force – and whether or not Soviet agents would be able to build backdoors into it.
My talk is here:
It’s not the best talk I’ve ever given, but I think it’s a fair run-down of how bad the situation is. Most commercial systems are backdoored in at least 2, probably 3 or more, ways. The CIA has its own malware and backdoor stacks, the NSA has their own, the FBI has a few and buys commercial implementations of backdoors and mandates backdoors under the PATRIOT act – and then there are the Israeli, Chinese, and probably Russian backdoors. It’s a miracle that anything works at all, though you can probably blame a lot of mysterious system slow-downs and restarts on prosumer malware doing bitcoin mining or hunting for credit cards or bank accounts.
The conclusion I reach at the end is bleak: the bar for computer security is low, but if we try to raise it, there are already forces in place that will moot the impact of any improvements we try to make. In other words, “computer security will be just as bad as it can possibly be, and no better” [-Nat Howard] That probably sounds extreme, but consider this: the deep subversion attacks are mostly latent – they are long-term backdoors that exist to re-establish a foothold in a system, once the attacker has been kicked out. See the problem? Suppose that attackers have 3 backdoors into your system and only use one all the time; by some quirk of fate you might discover it and block it, and if they still want to get into your system they might burn their second backdoor – presumably each backdoor has a different command set and control channel, designed to make it hard to detect. I have actually seen this in real life at one incident response I was involved with: my client detected malware on a system, and called for assistance to see what kind of data was being exfiltrated and to where. Upon closer analysis, and closing down the command channel for the malware, another command channel opened up over an LTE cellular signal a few days later. The signal was brief, then shut down, and the old malware started up again using a different network access method. Usually, an attack such as that would be considered sophisticated, and if the FBI or a government agency was involved in the investigation, they would make dark mumblings about “state-sponsored actors” but the fact is that it was all off-the-shelf malware such as you can buy in pen-testing tools such as a PwnPlug [ars] – it’s vastly more sophisticated than most network administrators expect to deal with, but it’s far down the power curve from some of the malware that the NSA brilliantly leaked.
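The layered-backdoor pattern from that incident (one command channel shut down, a new one appears on a different interface, then the original malware returns over a different network path) is something a defender can hunt for in egress logs. Below is an added example of that detection logic, written for this post and not from the talk or any tool it mentions; the host names, interfaces and addresses in the sample log are constructed, and the 14-day window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Conn:
    ts: datetime
    host: str
    iface: str   # egress interface; "wwan0" stands in for an LTE modem
    dst: str     # remote endpoint the host called out to

# Constructed sample egress log (hypothetical host and documentation-range
# addresses, not real indicators): one C2 over eth0 is blocked on the 10th,
# a short LTE channel appears on the 13th, and the original C2 is back on
# the 15th over a different interface.
SAMPLE_LOG = """\
2019-06-08T02:00:00 ws-17 eth0 203.0.113.10:443
2019-06-09T02:00:00 ws-17 eth0 203.0.113.10:443
2019-06-09T09:00:00 ws-17 eth0 198.51.100.5:443
2019-06-10T02:00:00 ws-17 eth0 203.0.113.10:443
2019-06-13T02:07:00 ws-17 wwan0 192.0.2.77:8443
2019-06-15T02:00:00 ws-17 wlan0 203.0.113.10:443
2019-06-15T09:00:00 ws-17 eth0 198.51.100.5:443
"""
# When the first channel was blocked, keyed by (host, destination).
BLOCKED = {("ws-17", "203.0.113.10:443"): datetime(2019, 6, 10, 12)}

def parse_log(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        ts, host, iface, dst = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), host, iface, dst))
    return sorted(conns, key=lambda c: c.ts)

def find_failover(conns: List[Conn], blocked: Dict[Tuple[str, str], datetime],
                  window: timedelta = timedelta(days=14)) -> List[dict]:
    """Flag (interface, destination) paths a host first used only after one of
    its channels was blocked: the signature of a second backdoor waking up."""
    findings = []
    for (host, old_dst), t_block in blocked.items():
        hist = [c for c in conns if c.host == host]
        seen = {(c.iface, c.dst) for c in hist if c.ts < t_block}  # baseline
        for c in hist:
            if t_block <= c.ts <= t_block + window and (c.iface, c.dst) not in seen:
                findings.append({"host": host, "blocked_dst": old_dst,
                                 "new_iface": c.iface, "new_dst": c.dst,
                                 "first_seen": c.ts})
                seen.add((c.iface, c.dst))  # report each new path once
    return findings

def demo() -> List[dict]:
    return find_failover(parse_log(SAMPLE_LOG), BLOCKED)
```

The baseline contact to 198.51.100.5 on the 15th is not flagged; the LTE channel and the old C2 returning over wlan0 both are.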
The NSA’s malware (which they, no doubt, paid a pretty penny for) is pretty intense stuff. The tools that leaked were old, but the NSA’s “equation group” [NSA X Group] controlled the entire software series of Flame, Duqu, and Stuxnet, which were implicated in the attacks on Saudi Aramco’s petroleum mining infrastructure, the attack on Iran’s uranium enrichment centrifuges at Natanz, and the generator failure of Iran’s nuclear reactor at Bushehr. Depending on who you talk to, that was an American operation using help from the Israelis, or the Israelis “went rogue” using NSA tools to launch attacks on their own. In either case, it’s cause for concern because that means NSA is sharing US government-developed malware with Israel. One of the more disturbing tools that leaked from the NSA’s collection was what appears to be a piece of malware that injects code into the firmware of hard drives (most major manufacturers were represented). That’s a perfect illustration of the subversion principle: it doesn’t matter if the operating system tries to use its filesystem to delete malware, if the firmware of the hard drive makes those sectors invisible and remaps them except at system boot. Another example is the subversion function in every Intel processor from 2000-2013: the Intel “management engine”, which is a separate CPU that has complete access to the network interfaces, the rest of the processor, system memory, and file systems. IME is not the only example of this sort of processor-based subversion, but it’s the sneakiest that has been discovered so far.
The US government is, naturally, terrified that China is preparing to do the same thing in return, when the US and its allies purchase 5G network gear from Huawei. Huawei’s stuff is compellingly better than US/UK/EU brands, and it’s cheaper, too. Not only is this a national security threat, it’s a threat to Cisco and Intel’s bottom line, too. The US is reacting like a narcissist who has been punched in the nuts, which is pretty much exactly what has happened.
I have been predicting this since the government started publicly talking about “information warfare” in the mid/late 90’s. When 9/11 happened, the intelligence community got a huge infusion of cash for “cyberdefense” and … I know that astute stderr readers can predict exactly what happened: they spent nearly all of it on offense. There is a long argument that I can make [and have made elsewhere, unfortunately it was deleted when I discovered that the site I published it on was fond of political equivocation and was run by a libertarian] that in cyberspace the best defense is a good defense and that any normal balance between offense/defense doesn’t hold because there is no battlefield. The only way a strong offense is a good defense is if you’re trying to terrify everyone, which is the US’ default strategy. As you can see, it has worked great on cybercrime.
If you catch the part about “offline attacks” against iCloud, please listen carefully to it and think really hard before you start jumping on me about how great Apple is. They have great marketing, nothing more.
I was shocked when I researched this talk and discovered that there are 15 million Office365 users and 50% (by some counts) of corporate sensitive data at rest is in Office 365. Since “cloud computing” became a thing, I have thought it was a dumb idea, except for in the case of a few limited client/server applications, but apparently the entire industry has collectively lost its mind – or I have.
Most Americans don’t know that Huawei is a conglomerate formed, with the approval of the US government, between the Chinese government (which created half of the company) and US computer device and communications company 3Com. 3Com once owned the small network interface card and hub business, as well as a goodly chunk of the modem business, but failed to migrate up the stack and was looking at becoming yet another failed Silicon Valley former giant, when someone had the brilliant idea of taking over the Chinese market by bringing US technology to a company that could provide cheap labor. Naturally, the Chinese government was happy to do this because it taught a whole generation of networking equipment makers, and included ready-made products that could be repackaged. Maybe Huawei is a double-reverse back-knuckle trojan horse. Maybe the whole thing is a CIA op.