Wednesday, 20 June 2012

NBN, stuxnet and Security: It's worse than you can believe

What  did US Intelligence tell the Australian Government about Real Network Security when a chinese vendor was vetoed  as supplier of NBN (central?) switches?
Now that we have O'bama admitting "we did Stuxnet, with a little help", we know that they aren't just capable and active, but aware of higher level attacks and defences: you never admit to your highest-level capability.

Yesterday I read two pieces that gave me pause: the first, the US Navy replacing Windows with Linux for an armed drone was hopeful, the other should frighten anyone who understands Security: there's now a market in Zero-Day vulnerabilities.

The things the new-world of the NBN has to protect us against just got a lot worse than you can imagine.

Links in that article:

For once, I’m hoping Bruce Schneier is wrong. But, I doubt it. I’ve already read where high-level contestants who normally compete in Pwn2Own aren’t any more. They would rather keep what they found secret, and make the big bucks.
I've written previously that a Cyberwar will be won an lost in 3 minutes  and that the NBN is a central element in a National Security and Economic Security protection strategy for Australia.

Since the O'bama disclosure, Governments and essential Utilities and Businesses should be required to run multiple diverse systems, at least for desktops so they aren't susceptible to monoculture failures: think Irish Potato Famine but 10-100 times worse.

The US Navy announcing they'd needed to rehost a secure, armed platform (move from Windows to Linux) seems to suggest that even their operational/combat networks get compromised (remind you of Stuxnet? "air-gaps" are good but no defence against a determined, capable attacker).

That they've publicly stated "we chose linux when it absolutely had to be trusted" (my words) might be them hinting, none too subtly, that every other Government and Military should follow their lead: Move critical systems off Windows because even we can't keep them "ours".

The other news, that there are both providers and brokers for "zero-day" attacks ($50,000-$250,000 a go for significant platforms) says:

  • there are people or services who can validate claims of "original zero-day exploits".
  • this is far from new, we ("joe public") are just finding out about it now, and
  • there will already be a whole stash of "zero-day" attacks in the hands of Governments and potentially others.
  • Don't think this is just about National Security Espionage, it's also about Commercial Espionage and infiltration, targeted Financial System attacks, 'ransomware' and much more: its opens the way for Organised Criminal Activity way beyond simple Identity Theft in scale and returns. Would the Drug Cartels and Arms Traders be in on this? Who can say... Sophisticated Bad Guys with a ton of cash, no scruples and able to buy pretty much any technical talent they want. Not a bet I'd take.
But there's a subtlety that's not brought out in the article:
  • many more "zero-day" exploits will be bought, than uniquely exist.
  • This isn't just one vendor selling the same thing to multiple buyers. [A great scam until just hustle the wrong people with Big Military Weapons - and then you're dead.]
A wise Intelligence Agency will have its own crew finding "zero-day" exploits and will be wanting to identify all the people working in the area who might be as capable as themselves and also may just save themselves the cost of developing exploits that require lots of leg-work. We know that high-level Intelligence Agencies routinely attempted to recruit outstanding Mathematicians and Systems folk - like Alan Turing during WWII, good commanders will put them on tasks that need more intellectual horsepower and leave (relative) donkey-work to others.

If someone offers an Agency a "zero-day" exploit they've just found, for the Agency to refuse it means they've already developed or acquired it elsewhere: this gives away a bunch about what the Agency does and doesn't know. The Agency will always buy to hide its capability. But not before doing a little 'background check' on the seller/discovers to avoid the scam of "lets sell the same toy to everyone".

Also, if an Agency truly believes that a seller/discoverer is legit and will only pass on its work once, it's worth its while to acquire real and dangerous new exploits to prevent "others" from getting their hands on them. If those third-parties are accessible and like-minded, an Agency might attempt to "bring them into the fold" - to hire them and at least take them off the market.

You'd think that an Agency would harden its own systems against against its whole portfolio of "zero-day" exploits, would track the public registries and even create "honey-trap" systems for those exploits: systems that are just secure against the exploit, but allow the attacker into a fake environment containing false/misleading information (mis-information from highly 'reliable'/'credible' sources is a counter-espionage coup de grace) - or even initiate active counter-attacks or less invasive track-back and monitoring.

It is guaranteed that all the many Intelligence Agencies (if the US has a unit, so will everyone in the G20 and maybe beyond, especially those in Intelligence sharing partnerships) know the cost of finding zero-day exploits against many types of targets. As in, call tell you a dollar value. Part of the drivers for third-party purchases will be additional resource/capability, but also very pragmatic: it's cheaper. You'll always pay 3rd-parties less than it costs you :-)

How do I know this for sure? In 1998, Robert Morris (senior) talked at the AUUG Conference in Sydney. He'd 'retired' from the NSA, (and said "you never retire from them") and after lengthy service at senior levels, knew intimately what could be said publicly and what was never to be said.

He calmly talked about the US mis-placing nuclear weapons (more times than I remembered being widely reported), described a really neat hack that let them listen in on terrestrial phone conversation (put a satellite or plane in the line of a microwave link).

And he said unequivocally, "It's costs us $10MM for an 'intercept'". Not only did that imply they had the tools and techniques to break most or all codes, but did so at "industrial scale". It wasn't a little cottage industry like Bletchley Park had been, but large enough that they absolutely knew how to cost it and would bill-back those resources when requested. Generals and others would have to consider what certain information might be worth to them before blindly requesting it.

Things are much worse than you can imagine, now there are acknowledged Cyberattack Units and a market in "zero-day" exploits. We can only know after the event just how bad things have been - like the Cold War's Nuclear "incidents".

BTW, while its possible companies or individuals might deliberately insert backdoors or vulnerabilities into critical software, I find it highly unlikely. The next plodder that comes along to fix a bug in your code (you don't stay after scoring the jackpot) might just wreck it. If you're really good, people will never notice what you've done.

While there are some people that are that good, there are a huge number who only think they are. They will be caught and dealt with, either via the normal Law Enforcement and court system or by covert activities.

A far more plausible and probable occurrence is for a vendor of "proprietary systems" (closed source, not Open Source) to bow to pressure from Friendly Governments to allow controlled administrator access, a variation of the Ranum Conjecture, whereby undercover agents infiltrate critical work-teams and insert malicious code.

Whatever Intelligence Agencies are capable of, large Organised Crime is potentially capable of as well. The difference is, "can we make a buck off this". They will do different things and target different systems.

The NBN will become our first line of defence against Cyberattack: let's get everyone behind it both publicly and privately.

No comments:

Post a Comment

Note: only a member of this blog may post a comment.