Cloud computing is one of the "big new things" in commercial computing today. The promises of cloud computing are broad and deep: lowered capital costs, lowered operational costs, ease of scale, broad accessibility, high availability, and more.
And then there's security. It's the usual follow-on question after hearing about all the benefits, "yes, great, and...what about security?".
The simple truth is that cloud computing carries with it each and every security risk that already exists in your commercial computing environment, and unfortunately adds significantly increased risks on top of them.
Why is this so? Simply because at the highest levels, there is little structural change in shifting elements of your computing infrastructure from "here" (inside your corporate data center) to "there" (inside an external vendor's corporate data center). The same security controls you needed (and in many cases didn't have) are needed in your cloud provider's environment (and in many cases they don't have them), and the same fundamental attack vectors and risks are present.
As we drill down into the details however, it will become clear that the situation is worse than this, for two fundamental reasons: one is shared infrastructure, the second is a general loss of control. Let's look at each of these.
The foundation of the cost benefit premise of cloud computing rests on the leverage achieved through a shared computing infrastructure, with the cost benefits of scale and higher average utilization. But shared with who? That's risk #1; you don't know who, and you can't control who. "Other companies, other users." Shared at what level? At all levels: shared storage, shared networking, shared routers, shared firewalls, right on down to operating your applications on the same physical hardware being used by other cloud clients (though always in a separate virtual machine instance).
So what's the risk of that? The risk is the ease of access to your data and application software. By definition, an environment where "others" are running their software and maintaining their data in the same physical environment that you are running your software and maintaining your data creates very substantial incremental security risk, because environmental access is the first step in any and every IP and data theft attack. If I'm "in" the general computing environment, and I can run arbitrary application software, I've got a launching pad for attacks on local data and applications.
Another element of shared infrastructure in cloud computing is the extension of the insider risk. Many of your own insiders will still have cloud environment access similar to the access they had when you were running inside your own data center. However, you've now added a whole new class of insiders: the cloud provider's employees! And unlike your own insider threats, where you can take active steps to reduce risk, with the cloud provider you have no controls and no influence. Relative to these unknown people, your applications and data might as well be considered "fully available", with all that that implies.
The second general area of risk is a loss of controls. This loss of control is across the board, starting at the level of physical access: when you operated in your own data center, you controlled physical access, and with a cloud provider you don't. Logical access is no different: which people (administrators or otherwise) can access your databases and your applications? You have vague assurances from the cloud provider, but you have no direct control whatsoever.
This control issue extends out to more subtle yet extremely significant areas. Take the example of web application security risks. These are the most pernicious security risks in computing today, with SQL injection attacks alone (just one of many types of web application security risks) resulting in the theft of millions of credit card numbers. The most recent attempt to harden web applications is through the deployment of so-called web application firewalls. These are networking appliances that monitor network traffic looking for evidence of a web application attack. These devices require a very high amount of customization in their specific monitoring practices, effectively to "tune" the firewall to the specifics of the applications and operations being protected. Can such a solution be applied in your shift to a cloud computing environment? Generally no, due to the difficulty of assuring the application firewall is both "in the right place" relative to what is now managed as a highly mobile set of applications within the large cloud infrastructure environment, and the need for your application firewall rules to apply to your application's data flow and your application's data flow only.
Control issues cut right through all traditional required practices in commercial computing. Backup? Of course the cloud vendor provides backup! Can you test that it's actually occurring and the data is recoverable? There have already been major examples of commercial cloud providers losing customer data. It's a risk, and it's driven by your loss of control when shifting your computing practices to an external provider, and those risks are exacerbated by the shared infrastructure nature of that environment.
All of this said, cloud computing is here and it's expanding its footprint dramatically across the commercial computing landscape. Cost saving attracts commercial usage like light attracts moths. The issues cited here are going to get incrementally addressed over time, as part of high value cloud solutions.
The better news is that some fundamental solution technology exists today. The essence of security protection in a cloud environment is to take advantage of what you do control to implement security mechanisms to the level required by your business. The two critical control points are, simply put, your applications and your data.
Data security solutions have been increasingly developed and deployed over the last ten years, and these solutions generally can be deployed coupled directly into the cloud hosting environment. Any computing solution migration to the cloud must seriously consider the addition of such security technologies.
Application internal security solutions are a relatively new technology area. This kind of technology derives from military grade technology utilized to protect critical military technology assets from reverse engineering and tampering. This technology is now available for and being applied to commercial software.
Application internal security technology puts security functions directly into the application software. These security functions start with obscuring the code flow, the instruction sequencing, and even the unencrypted presence of critical blocks of code, to protect against reverse engineering and, through reversing, the identification of critical value components and/or critical points for effective tampering. They extend to dynamic monitoring of code correctness, both of the actual instructions and of the code's dynamic behavior. And such security units can, internally within the application, monitor data flows to detect and respond to evidence of web application security attacks.
The tremendous benefit of application internal security technology is the complete independence such technology has from location considerations. An internally secured application carries its security properties with it, wherever it goes: in your data center, on your employees' laptops and cellphones, or in an external provider's cloud computing environment. Such technology is immune to network topology changes, and protects the application in private and shared infrastructures.
Cloud computing is still in its infancy, and it's reasonable to say that cloud computing is one of several fundamental change agents that are transforming our information world at a faster rate than ever before. While cloud computing has dramatic benefits and is highly attractive as a computing environment solution, it must be approached extremely cautiously from a security perspective. The shared nature of the cloud and the loss of controls that occurs when utilizing the cloud dramatically increase your security risk footprint. The best and most immediately available technologies for dealing with these two factors are the deployment of application internal security technologies and data security technologies.
Monday, November 9, 2009
Tuesday, October 20, 2009
The Democratization of Software
It's a strange new software world!
For those of us old enough to remember things like mainframes (my first ever computer programs ran on an IBM 360 model E22 at a local community college!), minicomputers (DEC PDPs, HP1000s, Data General Novas, etc.), then the world changing arrival of the "PC" in 1983, the world of software was generally a "dark art". Very, very few people knew what software was, and the population of those who actually wrote software was even smaller.
I personally learned my programming chops first in that same community college's computer center, writing Cobol code to schedule the lazy counselors to appointments with students (a brilliant idea of a new school VP administrator promoted out of the computer center, knowing that since the kid doing the programming was the son of a member of the board of trustees, they couldn't effectively fight it!). Then it was on to writing assembly code for a PDP 11/35 running a customized version of RT-11, to drive and test a custom data acquisition board built by a small shop (Acroamatics) for the Navy. Then on to kernel level operating system development at HP, working again in assembly language on kernel level code for the HP1000 and the RTE (IV, VI, and A) operating system.
In those days, the late 70's and the 80's, software was generally incomprehensible to the masses. Literally. People just had no clue. By the early 90's that was changing pretty fast; people "knew about" software, but for the most part, in the same way they "knew about" automobile engines. That is, they knew software was there, was important, and "made the computer go", but not much more.
This started changing in a major way with the development of the web and web site programming, starting with HTML (arguably not a programming language, but let's not quibble). Suddenly a lot of "non-technical" people (non-computer scientists) were "programming". And as the ability to link actual run-time software into web pages (PHP, Perl, Javascript, etc.) has become prevalent, this same group advanced into what is definitely the world of writing procedural software.
Now we have the iPhone and an open development environment for it. We are witnessing another huge shift in the breadth of activity in the creation of software, driven by this new ubiquitous platform. The opportunity to sell a few hundred thousand copies of a cool little application for a buck apiece suddenly brings the opportunity of "software for profit" right into the mainstream...and the mainstream is responding. We are seeing an explosion of a new cottage industry right before our eyes. I don't know the actual number of downloads of the Objective-C development environment for the iPhone, but I'm certain the numbers are staggering. The volume of applications available for the iPhone from this cottage industry is certainly staggering, and considering what a small percentage of actual development activity out there that represents, we have to acknowledge that a seismic level expansion of software development is underway.
Again, here's the point: for the FIRST time ever, we are experiencing a "grand conjunction" of a widely popular platform with broad computing and I/O capabilities, with a freely available development environment, with an effective channel with a strong demand pull, with a world wide population who through web programming already has some awareness, skill and inclination. And voilà...instant massive cottage software industry.
What are the longer term impacts of these "force vectors" going to be? I have several projections.
First, in the world of personal computing devices (which is how I think of the iPhone, by the way; the "phone" part of it I consider to merely be one of its many I/O features), a free and open development platform is going to be a must. A single company can't compete against the forces of "solution" innovation and availability that Apple has shown can be unleashed.
Second, this "democratization" of software development isn't going to stop. SW skills are expanding across the population at an unprecedented rate, and that growth is going to continue and even accelerate. What exactly the impact of that will be is hard to predict, but I do believe as the world increasingly is driven by and supported by software, this is an enabler for the world's economy.
Third, the world of software cracking (finding technological ways to run this commercial software for free or for a black market low price) is going to continue to be a huge technology area and force in the industry. You can't discuss iPhone apps too long with friends and colleagues before hearing about the ability to "unlock" all the apps available "for free". There is a dark side of this democratization, a black market side. The technology race to fight those black market forces is just getting going in this particular market. Of course my company, Arxan Technologies, has been working for years with more serious users of such technologies, namely the US Department of Defense. These technologies are becoming more prevalent in the mass market consumer software space, helping to protect the product software that your son, your sister, and maybe even YOU wrote and published yourself!
Monday, August 3, 2009
Code protection is critical in a web 2.0 world!
Neil MacDonald of Gartner blogged on the differences between byte code and binary code analysis:
http://blogs.gartner.com/neil_macdonald/2009/07/24/byte-code-analysis-is-not-the-same-as-binary-analysis/
His points are important at a deeper level as they relate to the risk of reverse engineering and tampering. Specifically, byte code (.NET and Java) is almost trivially reverse engineered, and fairly easily tampered with using available tools...unless active steps are taken to address the risk.
Byte code representations of programs contain sufficient information to allow a complete inverse compilation back to source code. To address this problem, use of a .NET or Java obfuscator is necessary. The best in class obfuscators can perform a host of transformations, with minimal to no impact on performance, that raise very large hurdles for the would-be thief. The transformations include general code encryption, code restructuring to create complexity that is not understood by inverse compilers (and is difficult to understand by human analysis as well), string encryption so that variable and static data names become unintelligible, deletion of meta-data that describes program attributes, and even insertion of code for dynamic detection of evidence of tampering.
This kind of code protection becomes paramount in a Web 2.0 world where significant application components are being deployed to and executed by customers. Additionally, this kind of code protection is critical in a highly mobile world where applications and data frequently are on the move with employees.
Friday, July 10, 2009
Source Code Stolen by Insider at GS...Where Are Your Assets Tonight?
So the news is full of a source code theft by an insider (a "programmer") at Goldman Sachs, specifically some proprietary trading system code. Security industry analysts are talking about it (http://blogs.gartner.com/neil_macdonald/2009/07/07/security-no-brainer-7-if-you-have-intellectual-property-embedded-in-software-protect-it/) and it's a very current example of a couple of significant trends:
- Enterprise security is now defending against organized crime, not merely casual hackers or disgruntled employees.
- Insider threats are a tremendous problem.
How best to execute such thievery? Find new and innovative ways to penetrate network firewalls, avoid application firewalls, dodge data leak detection circuits, avoid application tamper detectors, and the like? That's an approach, and it is actively used, and every enterprise must utilize all of these security methods (and more) to fight against such attacks.
But there's an easier way, is there not? A bag of cash up front, with a promise of another bag of cash on delivery, to the right employee with access. Bingo bango bongo! Got the goods, everyone is happy. Well, except the company losing their assets.
A fascinating aspect of the Goldman Sachs story is the fact that their data leak prevention (DLP) software was just enough security to help them know they'd been robbed...but not enough to catch the thief in the act and stop the theft. Why? Because he copied the source code to another computer inside the company, then took that computer (or disk drive) out with him. The DLP system noticed the unusual traffic of the source code, but since the code wasn't leaving the perimeter, didn't block its transfer. In the past, such a theft was rarely noticed. So I will acknowledge that what looks like a major trend might in fact be growing visibility of a long standing problem. I suspect both are the case.
What can be done? The only real answer is "more", in the way of security mechanisms. The core assets must be encrypted, and decrypted only under managed, legitimate usage situations. The applications operating on internal systems must be self protecting from tampering. The application firewalling must be complete. Data flows in general must be monitored to look for unusual activities. Security practices must be rigorous in s/w development.
On the human side, the most pragmatic solution is a combination of training and awareness of the risks. Awareness takes two forms: awareness inside the company of the potential for insider-executed theft, and awareness across all employees of the stringent security practices and the severe cost of getting caught executing any such theft. Faced with a high likelihood of detection and serious jail time, people are much less likely to have the discussion with the high tech mobster who just wants to chat. It's when they think it'll be easy and low risk that people start bowing to temptation.
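As an added illustration of the detection gap this post describes (example code, not from the post or from any real DLP product), the following Python contrasts a perimeter-only DLP rule with one that flags bulk source-code copies to any host that is not the sanctioned repository, inside the perimeter or not. The audit log lines, host names, file extensions and thresholds are all constructed for the example.

```python
"""Detect bulk source-code copies to unsanctioned hosts, even internal ones.

The post's point: a DLP rule that only acts when data crosses the perimeter
misses an insider who stages the code on another internal machine first.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-copy audit log (not from any real system).
# Fields: timestamp,user,action,path,destination_host
SAMPLE_LOG = """\
2009-07-01T09:02:11,alice,copy,/src/trading/engine.cpp,git.internal.example
2009-07-01T09:03:40,alice,copy,/src/trading/risk.cpp,git.internal.example
2009-07-01T21:15:02,bob,copy,/src/trading/engine.cpp,ws-bob2.internal.example
2009-07-01T21:15:09,bob,copy,/src/trading/risk.cpp,ws-bob2.internal.example
2009-07-01T21:15:17,bob,copy,/src/trading/order_book.cpp,ws-bob2.internal.example
2009-07-01T21:15:25,bob,copy,/src/trading/strategy.h,ws-bob2.internal.example
2009-07-01T21:16:03,bob,copy,/src/trading/Makefile,ws-bob2.internal.example
2009-07-01T21:20:44,bob,copy,/docs/holiday_schedule.pdf,ws-bob2.internal.example
2009-07-02T10:00:00,carol,copy,/src/trading/engine.cpp,ws-carol.internal.example
"""

# Assumed policy values for the example.
SOURCE_EXTS = {".c", ".cc", ".cpp", ".h", ".hpp", ".java", ".cs", ".py"}
SANCTIONED_HOSTS = {"git.internal.example"}   # the only approved code destination
INTERNAL_SUFFIX = ".internal.example"         # hosts "inside the perimeter"
WINDOW = timedelta(minutes=10)                # sliding window per user
THRESHOLD = 4                                 # distinct source files in a window


def parse_line(line):
    """Turn one CSV audit line into a dict with a parsed timestamp."""
    ts, user, action, path, dest = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "dest": dest}


def parse_log(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def is_source_file(path):
    """Classify by extension; files without an extension (Makefile) are not counted."""
    return os.path.splitext(path)[1].lower() in SOURCE_EXTS


def perimeter_only_alerts(log_text):
    """The rule the post describes: act only when code leaves the perimeter.

    Every destination in the sample log is internal, so this returns nothing,
    exactly the blind spot the insider exploited.
    """
    return [e for e in parse_log(log_text)
            if e["action"] == "copy" and is_source_file(e["path"])
            and not e["dest"].endswith(INTERNAL_SUFFIX)]


def bulk_source_copy_alerts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Flag any user copying >= threshold distinct source files to an
    unsanctioned host within `window`, regardless of where that host sits."""
    per_user = defaultdict(list)
    for e in sorted(parse_log(log_text), key=lambda e: e["ts"]):
        if e["action"] != "copy" or not is_source_file(e["path"]):
            continue
        if e["dest"] in SANCTIONED_HOSTS:
            continue            # pushes to the real repository are normal work
        per_user[e["user"]].append(e)

    alerts = []
    for user, events in per_user.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            files = {e["path"] for e in events[start:end + 1]}
            if len(files) >= threshold:
                alerts.append({"user": user,
                               "dest": events[end]["dest"],
                               "files": sorted(files),
                               "first": events[start]["ts"],
                               "last": events[end]["ts"]})
                break           # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    print("perimeter-only rule:", perimeter_only_alerts(SAMPLE_LOG))
    for a in bulk_source_copy_alerts(SAMPLE_LOG):
        print(f"ALERT {a['user']} -> {a['dest']}: {len(a['files'])} source files "
              f"between {a['first']} and {a['last']}")
```

The window-based rule fires on the internal staging copy that the perimeter rule cannot see; in a real deployment the sanctioned host list and thresholds would come from policy rather than constants.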
Friday, May 29, 2009
Yes a Cyber Czar IS Necessary!
So we've all watched and/or read (or read about) Obama's cyber security speech today, and his call for a new high level federal "coordinator" to lead the solutions charge.
Some are saying "it's about time", and some are saying "is this really necessary?".
I'm here to tell you YES, it is about time, and YES, it really is necessary. And here's why.
First, speaking at a broad philosophical level, systems tend to optimize locally, for and around local optima. What does that mean, you ask? It means for example that Microsoft at one level doesn't really care much about the security of their products...unless and until the lack of security in their products affects their bottom line. Local optimization, for local profits. If the whole country (and world) has insecure s/w as a result, but Microsoft has maximized revenue while minimizing costs (let's face it, it costs more to produce high quality secure software than it does to ship garbage), then it's a win for Microsoft!
This applies across the spectrum of computer activities: s/w development, personal computer usage, enterprise systems, you name it. Security is an "as and when needed" component, and the learning of "as and when needed" is usually driven by the sharp end of a sequence of costly or even crippling attacks. Think about it: when did YOU finally start using firewalls and anti-virus software? I'm guessing that it wasn't until you experienced the sharp end of the malware spear!
Now the second point: government, among other things, must serve to guide social action (broadly speaking; I'm including business action here) for global optima, versus pure local optima. Security comes through making security a high priority, across many fields of endeavor that result in computer based "solutions". Government has a wide variety of tools at its disposal to guide social action and thereby drive priorities, including taxation practices, government led investment, and government procurement practices both in the civilian (federal and state government) and in the defense domains. All these need to be utilized in a coordinated manner, to drive computer security in general as a priority, and to drive the specifics of that priority in a consistent manner. That level of coordination is NOT going to happen through random, chaotic governmental processes. A high level federal "coordinator" is needed to lead, guide, and drive through multiple areas of government, in a consistent manner and in an aggressive manner.
Of course there are an infinitude of risks here. Largest perhaps are dictates of what "must" happen at inappropriate levels of specificity, which invite solutions that salute the requirement at a superficial level. Result? More cost for all, and no improvement. Another is requirements that drive lots of bureaucracy that slows down innovation and the adoption and deployment of improved security solutions.
These kinds of risks are why, in my opinion, the specific leader chosen is so enormously critical. They must be a solid systems thinker, someone who understands how to enable and support virtuous cycles, rather than merely create more "requirements". How do you enable, drive, encourage and support a security focus through the computer enabled and driven business world...without creating a crippling mess?
Some are saying "it's about time", and some are saying "is this really necessary?".
I'm here to tell you YES, it is about time, and YES, it really is necessary. And here's why.
First, speaking at a broad philosophical level, systems tend to optimize locally, for and around local optima. What does that mean, you ask? It means, for example, that Microsoft at one level doesn't really care much about the security of their products...unless and until the lack of security in their products affects their bottom line. Local optimization, for local profits. If the whole country (and world) has insecure software as a result, but Microsoft has maximized revenue while minimizing costs (let's face it, it costs more to produce high quality, secure software than it does to ship garbage), then it's a win for Microsoft!
This applies across the spectrum of computer activities: software development, personal computer usage, enterprise systems, you name it. Security is an "as and when needed" component, and the learning of "as and when needed" is usually driven by the sharp end of a sequence of costly or even crippling attacks. Think about it: when did YOU finally start using firewalls and anti-virus software? I'm guessing that it wasn't until you experienced the sharp end of the malware spear!
Now the second point: government, among other things, must serve to guide social action (broadly speaking; I'm including business action here) toward global optima, versus pure local optima. Security comes through making security a high priority across the many fields of endeavor that result in computer-based "solutions". Government has a wide variety of tools at its disposal to guide social action and thereby drive priorities, including taxation practices, government-led investment, and government procurement practices, both in the civilian (federal and state government) and in the defense domains. All of these need to be utilized in a coordinated manner, to drive computer security in general as a priority, and to drive the specifics of that priority in a consistent manner. That level of coordination is NOT going to happen through random, chaotic governmental processes. A high-level federal "coordinator" is needed to lead, guide, and drive through multiple areas of government, in a consistent manner and in an aggressive manner.
Tuesday, May 5, 2009
Devices All Around Us Are NOT SAFE!!
Conficker has now invaded medical devices: http://tinyurl.com/ck3z3n
Why and how is pretty easy to understand:
- medical devices with "intelligence" embedded in them (microprocessors and a lot of software to control the device) are sometimes designed using Windows. Yes, I think this is a horrible, horrible choice, but it is a choice that is often made.
- once developed and certified, these devices rarely get updated. So "old" security flaws in Windows stay there, "forever".
- sometimes the devices are not supposed to get connected to the internet, but do anyway.
- voilà, detection and infection...
So what are the device types in general we have to worry about potentially being targeted by viruses or other takeovers by "bad guys"?
Well, let's see, not too many, it only includes:
- internal systems on automobiles
- internal systems on airplanes
- home networking equipment
- home TVs (my 42" high-def LCD TV is running Windows inside, I'm almost certain!)
- digital video recorders
- DVD players, particularly Blu-Ray devices
- medical equipment, both hospital-based and advanced home-care devices
- automated tellers
- traffic control systems
- railway control systems
- power control systems
Folks, I could go on. The point is, increasingly, the world around us is "controlled" by "intelligent" devices. And these devices are hugely susceptible to being compromised in their operations, through software/network-based attacks.
I don't want the owners of Conficker effectively "owning" my TV, much less the system that controls the local mass transit system, much less the systems on the Boeing or Airbus plane I'll be on later today.
The world needs secure software and systems, and we need it NOW. Getting there includes:
- better security training for software development engineers
- better security requirements, managed throughout the software lifecycle
- use of best-of-breed tools for security assessment of code, through both static and dynamic analysis
- use of defensive mechanisms in code to detect, defend against and react to internal security breaches (yes, this is where my company, Arxan Technologies, has solutions)
- use of updating capabilities and processes to ensure that security faults in ALL devices are addressed quickly and responsibly, rather than left to be taken advantage of in later months or years
- choice of appropriate operating systems and other tools for the task, rather than use of software of known low security quality, such as Microsoft Windows
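The last two items in that list, in-code defensive checks and a trustworthy update path, are where a device can actually refuse a bad image instead of running it "forever". As an added illustration (this is not code from the post, nor from Arxan), here is a device-side update validator: it authenticates the update bundle before parsing anything in it, checks that the bundle targets this device model, and refuses downgrades so that a version with a known flaw cannot be reinstalled. VERIFY_KEY, DEVICE_MODEL, INSTALLED_VERSION, the bundle layout and the image bytes are constructed assumptions; HMAC-SHA256 stands in for the asymmetric signature a real deployment would use (so that only a public key sits on the device), purely so the example runs with the standard library alone.

```python
"""Device-side validation of a software/firmware update bundle (constructed example)."""
import hashlib
import hmac
import json
import struct

# Constructed device-side state; hypothetical values for the example.
VERIFY_KEY = b"device-fleet-verification-key-example"   # real devices: a public key
DEVICE_MODEL = "infusion-pump-x1"
INSTALLED_VERSION = 7

TAG_LEN = 32  # HMAC-SHA256 tag appended to the bundle


class UpdateRejected(Exception):
    """Raised when any validation step fails; the image is never applied."""


def build_bundle(key: bytes, model: str, version: int, image: bytes) -> bytes:
    """Vendor side: [4-byte header length][JSON header][image][tag over all of it]."""
    header = json.dumps({"model": model, "version": version}, sort_keys=True).encode()
    body = struct.pack(">I", len(header)) + header + image
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_bundle(bundle: bytes, key: bytes, model: str, installed_version: int) -> bytes:
    """Device side: return the image only if every check passes, else raise."""
    if len(bundle) < 4 + TAG_LEN:
        raise UpdateRejected("truncated bundle")
    body, tag = bundle[:-TAG_LEN], bundle[-TAG_LEN:]

    # 1. Authenticity first: no untrusted bytes are parsed before the tag checks out.
    #    compare_digest avoids leaking the tag through timing differences.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("bad signature")

    (hlen,) = struct.unpack(">I", body[:4])
    if hlen > len(body) - 4:
        raise UpdateRejected("bad header length")
    header = json.loads(body[4:4 + hlen])
    image = body[4 + hlen:]

    # 2. Target device: a tag that is valid for another product must not apply here.
    if header.get("model") != model:
        raise UpdateRejected("wrong model")

    # 3. Anti-rollback: refuse to reinstall an older version, even a correctly signed one,
    #    so that an already-fixed flaw cannot be brought back.
    version = header.get("version")
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateRejected("rollback")

    return image


def demo() -> dict:
    """Run the accept/reject cases; returns each case's outcome for inspection."""
    image = b"\x7fFIRMWARE-v8-constructed-bytes"  # constructed stand-in for a real image
    good = build_bundle(VERIFY_KEY, DEVICE_MODEL, 8, image)
    results = {"valid": verify_bundle(good, VERIFY_KEY, DEVICE_MODEL, INSTALLED_VERSION) == image}
    cases = {
        # flip one byte inside the image region (index -40 lies before the 32-byte tag)
        "tampered": good[:-40] + bytes([good[-40] ^ 0x01]) + good[-39:],
        "rollback": build_bundle(VERIFY_KEY, DEVICE_MODEL, 5, image),
        "wrong_model": build_bundle(VERIFY_KEY, "thermostat-z", 9, image),
        "forged_key": build_bundle(b"not-the-fleet-key", DEVICE_MODEL, 9, image),
    }
    for name, bundle in cases.items():
        try:
            verify_bundle(bundle, VERIFY_KEY, DEVICE_MODEL, INSTALLED_VERSION)
            results[name] = "accepted"
        except UpdateRejected as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

The ordering of the checks is the point: the signature is verified over the raw bytes before the header is ever decoded, so a malformed header cannot reach the JSON parser unless it was produced by the key holder, and the version comparison runs after authentication so an attacker cannot bypass rollback protection with an unsigned header. Moving from HMAC to a real signature scheme changes only the `hmac.new` calls, not the structure.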
So are the Conficker owners going to issue an update that is specific to a medical device to cause it to misbehave? Not likely...but they could. It's really quite unbelievable. We are giving control of the world around us away, to those whose only interest is leveraging that control for profit and/or mayhem.
Funny, that hunting and gathering life is sounding more and more appealing. No you may not take over my spear!!
Friday, May 1, 2009
Cyber attack on an American City
Bruce Perens, a well-known technologist and open source evangelist, wrote a fascinating review and analysis of the recent attack on the city of Morgan Hill in California, via the simple but highly effective means of merely popping manhole covers, entering and cutting fibre optic lines. Read the story here: http://perens.com/works/articles/MorganHill/
I believe this story points out what I've been suggesting in my recent blogs regarding conficker: we are a society highly dependent on a live, running internet. Hugely dependent. This story is direct evidence.
So I ask again, how effective could several million computers be, working in concert, at shutting down sections of the internet, or at keeping targeted commercial properties from operating on the internet? Because that is the power the owners of Conficker have. The latest usage appears to be the more traditional usage of heisted computers: spambots and capturing keystrokes to capture credit card information or other high-dollar-value information from the user.
If that's all they can come up with, I have to say I'm unimpressed with the meta-level creativity of the owners of this worm. Yes, they've shown some great technical creativity and implementation skills in what they've done, but to what effective end? Sure, they should be able to make some dollars from stealing credit card numbers and from selling spam services. But that's pennies compared to leveraging what might be within their capability set at this point.
Think about it: shut down Citibank for a day. Wait a few days. Then send a private message to their president saying they will be randomly shut down again, over and over...until they pay a $50M ransom into such and such bank account. That's serious, serious criminality on a scale that's Bond film worthy, if you ask me.
I just can't figure out why they aren't executing on it. And I can't figure out why some serious brainpower isn't being applied to figure out how to stop them.
Maybe it is and we just don't know it. I can only hope so. Because the nonsense about "check and make sure your computer isn't infected and you have the latest Windows patches applied" is both important...and completely irrelevant at this point. The owners of Conficker already have a fascinating and potentially extraordinarily potent weapon under their control.
Does anyone really know how powerful? I don't know! I guess it's good so far that we haven't found out. But as the attack on Morgan Hill demonstrates, the western world at least is far, far more vulnerable to this weapon than we believe or understand.