Wednesday, April 12, 2017

This is How the World Will End: "The Art of Invisibility" by Kevin Mitnick, Robert Vamosi

This book calls for a limerick of "me" own:

This is how the world will end.
This is how the world will end.
Not with the roar of a lion
But with the click of a mouse.

Mitnick's and Vamosi's book is for the layman. You won't find here buffer overflows (NOP sled, or overwriting the stack return pointer), network scans/DoS attacks, integer overflow exploitation, details about recent techniques to bypass ASLR, shellcode injection, network sniffing, or kernel hacking/rootkit exploits; i.e., it does not break ground as a book that explains how hacking and software exploits work and how readers could develop and implement their own. It's a breezy read with lots of information, but the deep dives aren't there.

Reading this got me thinking once again about IT security aspects. I did this recently when I read my last security book. Every time I read something like this, I always get in the mood "Oooh spooky, 'cyber security', how hip, how now." Cyber security is what used to be called 'spying' and that goes back to, erm... Caesar Augustus. As emperor he lived in a modest two-story home in central Rome: two floors around an open central area, with thin columns sparsely placed to form a colonnaded mezzanine on the ground and top floors, and no drapes or hangings. He lived in a modest house with open mezzanines so that NO ONE COULD HIDE BEHIND columns and listen to his conversations. Spying is as old as ancient governments.

Technology helped the dissemination to become global, helping thus "disseminators" on all sides to keep each other in power even easier.
The actual sides in that war are not different groups of "disseminators", but all "disseminators" of fake news on one side, and all recipients of fake news on the other.
Hacking, being digital or "analogue" one, is a weapon of recipients' defense, therefore all hackers, being digital or "analogue" ones, are "Fifth Column" to all of the fake news "disseminators". And, of course that "disseminators" is the term borrowed from management theory. The Fake News War is about management of facts, which to hide and which to reveal in averted form.

I mean, come on... people are being fired and/or punished for accidentally forgetting one confidential paper on the office table overnight and not under lock. So, we are not talking then about hacking as the warfare which started the cyberwar, but about cyberspace as the warfare, however and for whatever it is used. Then we may say that the cyberwar started not in the 21st century, but in the late 70s, when the first permanent ARPANET link was established between UCLA and the Stanford Research Institute. Besides, we call them the First and Second World War, not the gas/tanks/trenches war and the plane/rockets/atomic war respectively. I'm arguing that hacking is not the most important weapon of choice for the alleged sides in the war, but the fake news which had been disseminated for ages before cyberspace started to exist.
The next world war may well be fought in Cyberspace but it won’t resemble the mischief or the malicious hacks we've been witnessing (Stuxnet gave a glimpse of the potential - the Iranian nuclear centrifuges were driven into meltdown). It will be an altogether more devastating attack on vulnerable civilian and military infrastructure, as likely as not launched from a third world country without a developed economy vulnerable to counter attack (not that the targets will be able to identify the source of the attack).
The greatest danger is not Russia but probably ISIL or a small rogue state - North Korea is a possibility. Imagine the damage if the Internet is taken down, if transport, water, power and utilities cease to function. We're sleepwalking into a potential meltdown.

I still hear lots of people talk about the TalkTalk situation (forgive me the pleonasm...). Let's be clear about it. Broken into by a young hacker? How bloody fortunate you all are that it was not the Chinese, Russians, Koreans, or Americans. But perhaps they already did, and you haven't yet found out. Would they even know? Apparently they still don't know whose data may or may not have been compromised. The real story here appears to be a lack of adequate security. Data that is not encrypted. A lack of layers of protection that prevent access to anything of importance. And a level of overall control of access that is so poor that a 15-year-old can get in. Perhaps the word is porous. If anyone is at fault, it is not the successful hacker, but the company that failed to apply the time and resources (including funds) required to meet their responsibilities and obligations to those whose information they hold in trust. Too many companies are run by non-technical posho/MBA idiots who think the IT team are the home help, and not the people who keep the engine room running.
There are clear issues of due diligence and corporate responsibility which can only be solved by fines for board members and disqualifications addressed at company members. Until then we'll have to put up with the corporate equivalent of directors who leave customer secrets in a filing cabinet in the street under a sign saying "It's not locked." If only TalkTalk spent 10% of what they spent on advertising on security.

All the cushy overpaid jobs are in marketing, law etc. Engineers need more respect / pay. They do all the relevant work. Marketing people are mostly about trying to get you to choose one brand over the other. But so much is spent on it that they lose out on quality and service in their product. TalkTalk is a classic example. "Sponsoring" popular TV programmes (more of our money going to overpaid talentless people: "Portugal's Got Talent", and crap like that).

There is a bit of a secondary problem which gets no attention at all: running a badly secured computer may end up making you an unwitting collaborator in crime - Denial of Service attacks (basically flooding a service so it no longer works) are only possible using thousands of hacked systems, and hacked systems are often used as proxies for the real criminal to hide behind. Strangely, the most prevalent OS still needs the sticking plaster of anti-virus software to be anywhere near suitable for use on the Internet. Back in the day, when I was doing this as a night job, I remember having found a page on one website that always took a long time to render. If I hit it with a few requests the whole of the website was inaccessible. I could kill the site from a browser. Turned out, talking to one of the developers I knew, that there was some badly written SQL used to render that page that caused the database server(s) to grind to a halt. WTF?? And don't let me start talking about the way operating systems can be got at. There have been totally new concepts of PC software put forward by those far better than me, which would cut down a lot of the vulnerabilities we now see, but no one cares and they would involve a radical re-think of how we use the web. It would involve total ownership of the Operating System by the user; it would be impossible to alter or add to and would be a physical non-writeable entity. No agreement to terms or any of that rubbish, it would be yours only. Beyond that there would be a 4-stage layer before you get out to where we use the web today. Attacks would be more and more difficult as you go down through the layers and compromise of the Op. System would be impossible. I have heard techies walking through this set-up and agreeing that only the host of the router would be able to trawl or snoop in a blanket way, and any suspected compromise could be cleaned immediately.
It would be better than what we have today, but would curtail lots of money-making habits companies are used to currently, and involve the users actively maintaining their Op. System a bit like looking after a fish tank. We just don't seem to care much about the security, so any improvement is unlikely, plus there are an awful lot of people doing very nicely out of the way it is currently, thank you. It is my firm opinion that people are not too bothered about the Secret Services looking and watching, under some supervision, for security reasons, but the ongoing access of all activity to be disseminated to others on an "official" basis is the widespread concern of most.

As the snooping could be done at all routers or by piggy backing onto hubs, the Secret Services should be able to get whatever they want, there should not be a problem.
I imagine key depression is what they are wanting to monitor through the Op. System upgrade, they then pick up everything before encryption, and get decent profiling of keying speed and the personal idiosyncrasies of the user's hand actions, but the whole thing could be a lot simpler and robust with most people getting largely what they want, except the criminals (in the main).
The whole thing is in a real mess, and when the Secret Services can't even keep the Atomic Bomb, The Watergate Project, or even the current Mass Surveillance infrastructure secret, it does make people feel like some new thinking is required.

The typical hacker relies on lack of defenses, inadequate security budgets and ineptitude of middle managers (let's direct resources at this non-problem, and leave all the SQL un-encrypted). I worked on lots of "on-the-side" projects where these hackers were constantly trying to break in and award themselves "the sword of dobber". Simple encryption and authentication took care of every hacker except the military grade/Israeli. Most of these guys knew how to run Linux as root and frequented forums that gave them most of what they knew; aside from that, they succeed where the gatekeepers leave the back door open.

On a side note, because I really hate Mr. Robot, let me once more add fuel to the fire. As a piece of drama Mr. Robot is pretty rubbish. Its world view is naïve, adolescent, and confused. The Christian Slater character is an immature and delusional idiot - the eternal narcissistic adolescent clown. Please do not re-boot.

3 comments:

Book Stooge said...

"and involve the users actively maintaining their Op. System a bit like looking after a fish tank."

Hahahhaahaa, that made me laugh. Because you are correct that people don't want to do that, period. I suspect even a cyber attack that takes down some regional power grid isn't going to change people's minds...

Manuel Antão said...

It's difficult to pay attention to what is really important...

Luís Filipe Franco said...

My friend... I know you still haven't seen the Mr Robot to the end of the first season. You should review your review when you complete the first season :)!!!