The AFR reports today that Huawei is still wishing to get into the NBN rollout.
The Coalition broadband Czar, Turnbull, supports considering them as suppliers, despite specific recommendations against this by National Security agencies.
After Edward Snowden's revelations about the size and scope of the NSA surveillance and Internet penetration, we know that many state actors, not just the USA and certainly including China, have very active intelligence programs, far more extensive and pervasive than anyone outside the Intelligence community had guessed.
Are Turnbull and his mates stupid, ignorant, wilfully blind, double-agents, mischievous and mendacious, or trying to make their past workmates on the local Board of Huawei a bunch of money?
National Security agencies never reveal what they know. This is a really big deal and one that Turnbull knows in intimate detail: he prosecuted and won the "Spycatcher" case in 1988 on declassifying WWII material.
For the Australian Intelligence community to say anything about a single supplier, let alone in public and name them is quite extraordinary. It hasn't happened before. It's more than ten times as big as all Big Four banks releasing details of their backup data-centres, their networking links and fallbacks and their operational contingency plans. How to emphasise that point enough, I don't know.
For the Coalition, especially Turnbull, to not understand or respect the publicly released opinion of our Intelligence Community is an indescribable action in Bad Faith. If it's a cheap political shot, it's incredibly poorly thought through.
If it's anything more, it would confirm the Coalition is the pack of fools and knaves they seem to be.
Snowden broke world-changing news about the Internet; did Turnbull NOT notice or NOT understand its importance? If he did, why is he still ignoring the formal advice of our Intelligence chiefs?
It can only be one or the other; either answer brings his judgement and loyalty into question and should disqualify him from being a responsible Minister in any Government.
Earlier this year, Mandiant took the extraordinary and important step of identifying, naming and laying out years of secret work on an investigation: "Advanced Persistent Threat 1" (APT 1).
It was a unit of the Chinese Military. Look up the story, they've been hacking others for years.
What does Mr Turnbull need for him to take the recommendation of the most highly-informed, professional and expert group in Internet Security in Australia?
NBN Issues, Commentary & Opinion. 30 yrs in I.T. and Telecomms
Showing posts with label security. Show all posts
Thursday, 20 June 2013
Monday, 10 June 2013
NBN: Why Fibre? What it does better than Copper.
Bits are agnostic, they don't care what medium they travel over: wireless of any kind, HFC, Fibre, ADSL, VDSL, ethernet, infrared, power lines or dial-up modem.
One of the arguments against a direct Fibre to the Premises network is "anything you can do, I can do better, or at least as well", or, restated, if people want 25Mbps and VDSL gives it to them and its cheaper, then why wouldn't they go for the "sooner, cheaper and more affordable option"?
An FTTP means:
- immunity from thunderstorms and electricity leakage: less damage and danger.
- higher bandwidth per link (forty times), with less excess capacity required to be installed, subscribers won't be denied service from fully utilised infrastructure:
- subscribers don't require extra premises connections for increased bandwidth or multiple connections.
- running out of pairs on the local loop and ports in DSLAMs is common with the copper network. This is extremely expensive to address and often never happens. This is a well-known problem with the copper Customer Access Network.
- predictable and guaranteed speeds: if you're connected, you can get the full range of services.
- This is critical for employer or agency supplied networks, e.g. Schools and University.
- guaranteed upload speeds
- guaranteed low latency and network/traffic prioritisation for Real Time services, such as Telephony and high-quality audio or teleconferencing.
- lower congestion without peak-hour latency "traffic jams" due to larger FSAMs with upgradeable uplinks. We know from the Gungahlin Experiment that nodes are particularly susceptible to under-dimensioned uplinks or saturated backplanes, both of which wi
- in-place upgrades to higher speeds with newer technology
- lower maintenance and no major upgrade hurdles.
- multicast, necessary for the much cheaper & more efficient broadcast services, works as designed using the NBN Co infrastructure directly.
- A single wholesale pure-digital telephone system, eliminating inefficient & costly equipment and systems duplication.
- This will remove a large deadweight cost from Telephone charges.
- It will allow new, affordable and innovative Telephony products to be sold to businesses and premium phone users:
- internal PABX's won't be needed. All switching can be done more cheaply via the NBN.
- lower call and trunk costs.
- seamless integration of multi-medium calls, especially from a smartphone: you can start a call from home via WiFi, move to the car using 3G/4G, then to a nanocell hotspot, back to 3G/4G, then to the office with WiFi, seamlessly and reliably.
- Off-peak mega-speed plans become possible for home, SOHO and SME backups.
- Backing up servers at 400Mbps (160GB per hour) allows Terabyte drives to be copied or backed up cheaply and easily overnight without impacting normal operations of the customer network. This is at the lower end of current demand.
- Compare this to the current Telstra rate-card for 10Mbps (forty times slower) symmetrical services: $7,931/month for 'unlimited' usage or just 2.5TB, maximum. 100GB/mth is $1,870/mth with $8 per GB after that. 850GB per month is the break-over point to 'unlimited'.
- versus ~$100/month for 40Mbps and 1TB currently with ISP NBN services.
- The NBN Co plan is to halve their download volume charges every 3 years, hopefully this will be reflected in ISP/RSP plans. Things will only get better from here, especially for micro and small businesses.
For the Network Operator, NBN Co, and Retail Providers, ISPs/RSPs, a pure-digital network with uniform Network Termination Devices (NTDs) under their full control is essential for properly running their network:
- Remote end-to-end line testing is possible simply and transparently.
- Firmware upgrades can be done securely, efficiently and frequently. This is the minimum necessary for a high reliability and secure, dependable network.
- If all premises have the same networking capabilities, 2-phone and 4-data, the Provisioning and Operations systems are much simpler and less error-prone.
- From the Telstra HFC network, we know that software control systems can and do seriously degrade and become dysfunctional.
- Remote monitoring, control, supervision and administration/provisioning of all network devices, especially end-points (NTDs in Customer Premises) is the minimum now required to run large, complex digital networks.
- IPv6 (version 6 of the IP protocols) can be uniformly & transparently implemented. This will soon become a necessary migration.
- Automatic response against a concerted Network attack is only possible with a single, known network infrastructure.
- An "Internet Kill Switch" can be simply and effectively implemented, allowing rapid response to intentional or accidental network attacks or Denial of Service.
- individual NTDs, or groups of them, can be monitored and controlled in real-time to stop, slow or mitigate the propagation of Worms and malware.
- Post-event replay, necessary for detailed analysis, is possible by collecting NTD log files.
Tuesday, 26 February 2013
NBN + National Security: Turnbull, Mandiant and Huawei
In the "fifth dimension" of Warfare, Cyberspace (after land, sea, air & space), all Security is National Security. When Defence and Government and their contractors/suppliers are all connected to the wider Internet and all use the same platforms with the same weaknesses subject to the same exploits by the same group, the distinctions between Public vs Private, Defence vs Civilian and Commercial vs National Security espionage evaporate... On the Internet, it's all National Security.
When one of the premier Cybersecurity companies, founded by an ex-USAF expert, takes the unprecedented step of breaking the cardinal rule of INFOSEC dating back to Churchill and Enigma, "Don't reveal your sources and capability", you know that something profound is up.
Mandiant recently released a detailed report of 6 years of study of "APT 1" [of 75 they track] with very precise evidence backing their claims, first with the New York Times and later by the BBC etc.
Not only did Mandiant name China and Chinese nationals as the attackers, they named the building they'd traced as the epicentre of the attacks and the PLA Unit that operates there. (Notably without saying the PLA Unit launched the attacks, a more subtle point).
You can be sure that the Pentagon, State Department and US President along with the NSA and other Intelligence Agencies/"Cyber Commands" were party to this decision.
The Military are very, very protective of their Intelligence, especially their techniques and capabilities. After 70 years, the work my father and his unit did in WWII, "Ultra", is not declassified. I doubt it will ever be fully released: the Military are that obsessive and protective.
So what has the very top echelons of the US Intelligence and Cybersecurity communities so spooked that they are prepared to break one of their most important basic Security Principles?
We know they are giving us "old and incomplete" information, presumably already known by all "opposition" agencies, not just those named, the Chinese.
What they've told us is simple: these are not "for-profit" hackers, but highly-resourced, skilled and persistent experts after highly specific information, who prize stealth and misdirection over everything.
What are the tools and techniques they've started directing at new targets over the last 12 months?
It has to be massive and concerning to "break cover" so blatantly.
I suspect it is not unrelated to the banning of Huawei as a network provider to the US Military and Government and with the Australian Government following Intelligence advice and banning Huawei from the NBN.
Mark Gregory in The Conversation reminds us, via Josh Taylor of ZDNet, that Mr Turnbull in Aug-2012 spoke on NBN issues and in the Q&A session very particularly said they'll "reconsider" the Huawei decision when they gain power. This was never a well-considered statement: at best disingenuous, at worst amazingly naive and ignorant of National Security. Which you can't accuse Mr Turnbull of... He broke the UK "Official Secrets" provisions with the "Spycatcher" case. The start of his answer:
Right, well I think dealing with Huawei firstly and you know you’re really asking us what do I think about the decision not to allow Huawei not to provide equipment to the NBN.
The difficulty we have there is that we are not privy to the advice that the Government has had from the intelligence services.
So that was a very very big decision to make and I’m very conscious of the fact that the British Government has taken a very different approach to Huawei and the Britons’ security concerns you would think would be just as intense as ours.
So all I can say in that we will look at that matter when we get in to government, if we get in to government, in the light of the advice.
In light of the Mandiant report, I'd have expected a comment from Mr Turnbull, even something low-key.
The Opposition can never support countering the Intelligence recommendation against Huawei, and after the Mandiant report, even less so.
Mr Turnbull knew, or should've known, all this when he spoke in Aug-2012.
So why did he speak such rubbish when he clearly knows much, much better?
Who was his audience for his remarks?
Not the people in the room of the "American Chamber of Commerce", so who?
Critical now, post Mandiant, to the Coalition's credibility on National Security, Cybersecurity and Internet/NBN is that Turnbull, Fletcher and perhaps Abbott restate their position. It appears to me that the current modus operandi of the Opposition is to say anything, because they'll do something completely different when in power.
That's a very scary strategy and one, if exposed, that will lead to a massive electoral backlash.
Not unlike post-1993 and John Hewson's "Fight Back" policy release. A few thousand pages of detailed policy sounded to the academic Hewson like a great way to start an informed policy debate. Instead it turned out to be "the world's longest (political) suicide note".
Every leader of every Australian political party in every campaign since has been painfully aware of the implications and downside of being too specific and open with Policy. The upshot is that elections now are essentially "policy free zones", meaning all debates come down to rhetoric, promises/pork-barreling, personal attack and denigration/criticism.
"It's a far, far better thing to have done nothing, than to have done anything, because it can be criticised."
Friday, 11 January 2013
Security: Healthcare systems are "soft-targets": the Next Big Exploit
Previous pieces on Security:
- NBN: the business case for 100-1000Mbps symmetric for SOHO & SME
- Security: The Massive hole in the PCEHR system
- Cyberwar: paper-tiger or real threat?
- NBN, stuxnet and Security: It's worse than you can believe
- Cyberwar: Bush/O'Bama authorised Stuxnet
- The NBN and defending against Cyber warfare attacks.
- The NBN as an Essential Strategic Defence for Cyber-warfare.
- CyberWars, Governments and Internet Security
- Why new Secure Internet solutions are technically Hard
There are two ways to monetise e-Health Records:
- Identity Theft. Huge amount of high-quality info. Medicare Cards are worth 'points' as Govt. ID's.
- Ransomware: healthcare can't operate without its data and they print money by the truckload.
If the CyberCrims haven't understood this yet, they will in 12 months.
In 1998, I couldn't see a way to monetise MP3's on the Internet. How do you charge for freely distributed files?
A: You don't... Apple invented end-to-end Security to sell iTunes to Content Providers.
The other group of attackers to be aware of are "Advanced Persistent Threats" (APT's) - known to do Cyber-Terrorism, and what better target than disrupting Healthcare? It is commonly believed the resources of Nation States are needed to pursue APT's.
The day this piece was written, I'd received a SANS Newsletter, the read for IT Professionals. The lead piece was a long investigative piece by the Washington Post on vulnerabilities in Healthcare Systems.
This is going to be a long running story with some really deep and disturbing implications and exploits.
What other practices/ventures of Organised Crime will we see turn up on the Internet?? We can only wonder...
Since 2004 when the Hackers turned Pro, Organised Crime has been moving in and repeating its real-world trade/tricks on-line. We've also seen more Organisation and increasingly "Industrial Scale" operations...
From the Washington Post article, a quote that shows NO understanding of the CyberCrime world and how dangerous this ignorance is:
OEMR’s leaders acknowledged the flaws but said it would take an experienced hacker to exploit them.
Yes, exactly correct, BUT dangerously ignorant and wrong:
- which is why since the days of "script kiddies", pre-2000, the actual coders have packaged their exploits and on-sold them. That's the primary trade, the secondary market is those whom we perceive to be CyberCriminals... They are clowns running software they didn't write and don't know much about - but just as effective as anyone.
- they are poor and their economies in disarray. People will do "whatever they have to do".
- in the post Soviet Union era, that corrupt system has transformed into Organised Crime
- there are large numbers of very talented, highly-trained and motivated people available
- they have some areas of very good Internet connectivity
**************************************************************************
SANS NewsBites December 28, 2012 Vol. 14, Num. 102
**************************************************************************
TOP OF THE NEWS
Health Care Sector Lagging Behind Others in Cybersecurity
Banking Regulator Issues Warning Regarding DDoS Attacks Against Financial Institutions
FOIA Docs Reveal NSA Industrial Control System Vulnerability Research
US Legislators Approve National Defense Authorization Act Requiring Contractors To Report Breaches
***************************************************************************
TOP OF THE NEWS
--Health Care Sector Lagging Behind Others in Cybersecurity
(December 25, 2012)
Researchers say that the health care sector is vulnerable to a variety of cyberattacks. The industry moved quickly to embrace the benefits offered by the Internet but in doing so, exposed medical devices and computers at medical facilities to hackers, who could potentially steal patient information to commit identity fraud and even launch attacks on critical systems within hospitals. Health care "lags behind [other industries] in addressing known problems." Granted, medical facilities have not been the target of attacks as frequently as financial, corporate, and military networks have, but the US Department of Homeland Security (DHS) has recently become concerned that health care could prove an enticing target for hackers. The most recent cybersecurity guidance from the Food and Drug Administration, which oversees medical devices, dates to 2005.
http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html
[Editor's Note (Murray): The healthcare sector lags in use, let alone the management, of IT. Their failure to use electronic healthcare records is killing and impoverishing us.]
NBN: the business case for 100-1000Mbps symmetric for SOHO & SME
Backups don't just protect you from fire, theft or hardware failure: they are now a critical element of security. If your business cannot run without its computer systems, you cannot run your business without trusted backups.
Around Christmas 2012, there were reports of Ransomware attacks in Queensland. But it was Old News... "Police knew of 30 attacks" two months earlier. Nigel Phair, author of a book on Cybercrime, was quoted in multiple sources.
Potentially Medical Records are being especially targeted. This is Hacking-for-Cash, not healthcare related hacktivism as seen in the UK. AFR had a story in early December and mentioned AusCERT's posts on ransomware.
Regardless how a system is compromised, the only reason "ransomware" can succeed is simple:
People cannot restore from backups.
As the AusCERT post says, just because you once scheduled backups to run, doesn't mean they are running.
Case 2: Medical centre
The attacker took control of the doctors’ database containing patient records. The attacker provided proof that recovery was possible by safely returning two sample files belonging to the medical centre. The ransom demand was $4,000.
In this case, the attacker had actually infiltrated the medical centre some weeks prior to the ransom demand. During this time the attacker had made numerous strategic changes within the system such as disabling the patient database in the tape backup scheduler. After several weeks of backup tape rotations, recent backups were not available even in the medical centre’s offsite storage location. Additionally the medical centre’s USB hard disk backup device was plugged in to the system, and had therefore already been seized by the attacker.
The cure was to erase and rebuild the server, and recover older data from backup tapes. In this case, the medical centre had good practices such as keeping two different types of backup, applying security patches and maintaining an up-to-date business continuity plan. However, repelling these targeted ransomware attacks requires stronger defenses.
AusCERT advises those affected to not engage with the attackers. There's a simple reason:
They want to make the maximum amount of money from you, they aren't bound by any code of ethics or morality, as demonstrated by the metaphorical gun to the head of the hostage, they can't be tracked easily and dealing with International cyber-criminals is notoriously difficult.
The initial payment you make will only be the first payment of many, not full and final as they'd like you to believe. Like any good parasite, they'll quickly figure out how much blood they can draw: how much this thing is worth to you and your capacity to pay.
What the "authorities" aren't saying is how far and how fast this particular monetisation of exploits will travel.
We know it's not going to double its reach every few seconds like "Slammer", because of the manual work involved in identifying targets and setting up the backups.
Business Case for High-Speed symmetrical links
Even if it doubles just every month, that's a 1000-fold increase in a year. Because the Internet is "born global", what we see in Australia will happen everywhere.
Every small business that doesn't want to be shut down by hackers needs guaranteed, verified off-site backups. Just like fire and theft insurance, you need good backups, and via the NBN is what you want. For this to be useful in an age of Gigabyte and Terabyte data storage, you need at least 100Mbps (gives you 3.6Gb/hour). But it needs to be symmetrical, the same upstream as downstream, to be useful for both backups and restores.
Remember: no user has ever asked for a backup, they only ever ask for restores.
Ideally, Retail Service Providers and ISP's will offer local access off the same PoI (Point of Interconnect, the NBN version of a Telephone Exchange for 100,000 subscribers). This means your data packets won't have to travel down and back the transit/backhaul link from the PoI to the ISP/RSP, uselessly consuming expensive bandwidth and clogging the ISP's network.
Which may need the co-operation of NBN Co for ISP/RSP's to install the appropriate network appliance at the PoI.
In a reasonable world, you'll be able to partner with someone you know in your area and each serve as the off-site backup site for the other. If the hardware fails or fills up, they are close by and you can buy a new disk and dash over there...
But that only works if:
- links are fast (daily backups under an hour, weekly under 10 hours), and
- access is cheap. (not $1,000's/month for 10Mbps, but ~$100/mth for 100Mbps symmetrical).
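The AusCERT medical-centre case above succeeded through three silent failures: the database was removed from the backup schedule, tape rotation aged out the last good copy, and the only other copy sat on a USB disk attached to the compromised host. Below is an added backup-coverage audit (my own example, not code from the post or from AusCERT) that checks a job log for each of those conditions; the log format, dataset names and the rule that only tape counts as detached media are assumptions.

```python
"""Backup-coverage audit over a backup-job log (added example; the job log,
dataset names and media types are constructed for illustration).

It flags the three conditions that let the ransomware case succeed:
  1. a dataset silently disappearing from the schedule,
  2. the newest good copy being older than the tape rotation window
     (the next rotation would overwrite it),
  3. no recent good copy on media that is detached from the host after the
     job (an always-connected USB disk is lost together with the server).
Log line format (assumed): "<YYYY-MM-DDTHH:MM> <dataset> <media> <status>".
"""
from datetime import datetime, timedelta

# Constructed sample log: patient_db stops appearing after 2012-11-20,
# mirroring the scheduler change described in the AusCERT case.
SAMPLE_LOG = """\
2012-11-19T02:00 patient_db tape ok
2012-11-19T02:10 patient_db usb ok
2012-11-19T02:20 file_share tape ok
2012-11-20T02:00 patient_db tape ok
2012-11-20T02:10 patient_db usb ok
2012-11-20T02:20 file_share tape ok
2012-11-27T02:20 file_share tape ok
2012-12-04T02:20 file_share tape ok
2012-12-04T02:30 file_share usb ok
2012-12-11T02:20 file_share tape ok
2012-12-18T02:20 file_share tape ok
2012-12-18T02:30 file_share usb failed
"""

# Media that leaves the host once the job completes (assumption: tapes go
# offsite; the USB disk stays plugged in, so it does not count).
DETACHED_MEDIA = {"tape"}


def parse_log(text):
    """Return a list of (timestamp, dataset, media, status) tuples."""
    jobs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, dataset, media, status = line.split()
        jobs.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M"),
                     dataset, media, status))
    return jobs


def audit(jobs, expected, now, rotation_days, max_age_days):
    """Map each expected dataset to a list of problems (empty list = healthy)."""
    rotation = timedelta(days=rotation_days)
    max_age = timedelta(days=max_age_days)
    findings = {}
    for ds in expected:
        seen = [j for j in jobs if j[1] == ds]
        good = [j for j in seen if j[3] == "ok"]
        if not good:
            findings[ds] = ["no successful backup on record"]
            continue
        problems = []
        # 1. Any job at all (even a failed one) proves the schedule still
        #    includes the dataset; a long silence means it was dropped.
        last_any = max(j[0] for j in seen)
        if now - last_any > max_age:
            problems.append(f"dropped from schedule: last job {last_any:%Y-%m-%d}")
        # 2. The newest good copy must be younger than the rotation window,
        #    or the next rotation overwrites the last restorable state.
        last_good = max(j[0] for j in good)
        if now - last_good > rotation:
            problems.append(f"last good copy {last_good:%Y-%m-%d} is older than the rotation window")
        # 3. A recent good copy must exist on media detached from the host.
        detached = [j[0] for j in good if j[2] in DETACHED_MEDIA]
        if not detached or now - max(detached) > max_age:
            problems.append("no recent good copy on detached media")
        findings[ds] = problems
    return findings


def run_audit(text, expected, now_stamp, rotation_days=28, max_age_days=7):
    """Convenience wrapper taking the log and the audit time as strings."""
    now = datetime.strptime(now_stamp, "%Y-%m-%dT%H:%M")
    return audit(parse_log(text), expected, now, rotation_days, max_age_days)


if __name__ == "__main__":
    report = run_audit(SAMPLE_LOG, ["patient_db", "file_share", "billing_db"],
                       "2012-12-19T08:00")
    for ds, problems in report.items():
        print(ds, "OK" if not problems else "; ".join(problems))
```

Run it daily against the real scheduler's log and treat any non-empty finding as an incident, not a maintenance ticket: in the AusCERT case the gap was open for weeks before the ransom demand.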
Wednesday, 20 June 2012
NBN, stuxnet and Security: It's worse than you can believe
What did US Intelligence tell the Australian Government about real Network Security when a Chinese vendor was vetoed as supplier of NBN (central?) switches?
Now that we have Obama admitting "we did Stuxnet, with a little help", we know that they aren't just capable and active, but aware of higher-level attacks and defences: you never admit to your highest-level capability.
Yesterday I read two pieces that gave me pause: the first, the US Navy replacing Windows with Linux for an armed drone was hopeful, the other should frighten anyone who understands Security: there's now a market in Zero-Day vulnerabilities.
The things the new-world of the NBN has to protect us against just got a lot worse than you can imagine.
Links in that article:
- Google's responsible disclosure [and payments]
- "The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)"
- "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits"
- a ZDNet interview with Christopher Soghoian
- Bruce Schneier Forbes article
Closing:
For once, I’m hoping Bruce Schneier is wrong. But, I doubt it. I’ve already read where high-level contestants who normally compete in Pwn2Own aren’t any more. They would rather keep what they found secret, and make the big bucks.
I've written previously that a Cyberwar will be won and lost in 3 minutes and that the NBN is a central element in a National Security and Economic Security protection strategy for Australia.
Since the Obama disclosure, Governments and essential Utilities and Businesses should be required to run multiple diverse systems, at least for desktops, so they aren't susceptible to monoculture failures: think Irish Potato Famine but 10-100 times worse.
The US Navy announcing they'd needed to rehost a secure, armed platform (move from Windows to Linux) seems to suggest that even their operational/combat networks get compromised (remind you of Stuxnet? "air-gaps" are good but no defence against a determined, capable attacker).
That they've publicly stated "we chose Linux when it absolutely had to be trusted" (my words) might be them hinting, none too subtly, that every other Government and Military should follow their lead: move critical systems off Windows because even we can't keep them "ours".
The other news, that there are both providers and brokers for "zero-day" attacks ($50,000-$250,000 a go for significant platforms) says:
- there are people or services who can validate claims of "original zero-day exploits".
- this is far from new, we ("joe public") are just finding out about it now, and
- there will already be a whole stash of "zero-day" attacks in the hands of Governments and potentially others.
- Don't think this is just about National Security Espionage, it's also about Commercial Espionage and infiltration, targeted Financial System attacks, 'ransomware' and much more: it opens the way for Organised Criminal Activity way beyond simple Identity Theft in scale and returns. Would the Drug Cartels and Arms Traders be in on this? Who can say... Sophisticated Bad Guys with a ton of cash, no scruples and able to buy pretty much any technical talent they want. Not a bet I'd take.
But there's a subtlety that's not brought out in the article:
- many more "zero-day" exploits will be bought, than uniquely exist.
- This isn't just one vendor selling the same thing to multiple buyers. [A great scam until you hustle the wrong people with Big Military Weapons - and then you're dead.]
A wise Intelligence Agency will have its own crew finding "zero-day" exploits and will be wanting to identify all the people working in the area who might be as capable as themselves; it may also save itself the cost of developing exploits that require lots of leg-work. We know that high-level Intelligence Agencies routinely attempted to recruit outstanding Mathematicians and Systems folk, like Alan Turing during WWII; good commanders will put them on tasks that need more intellectual horsepower and leave (relative) donkey-work to others.
If someone offers an Agency a "zero-day" exploit they've just found, for the Agency to refuse it means they've already developed or acquired it elsewhere: this gives away a bunch about what the Agency does and doesn't know. The Agency will always buy to hide its capability. But not before doing a little 'background check' on the seller/discoverer to avoid the scam of "let's sell the same toy to everyone".
Also, if an Agency truly believes that a seller/discoverer is legit and will only pass on its work once, it's worth its while to acquire real and dangerous new exploits to prevent "others" from getting their hands on them. If those third-parties are accessible and like-minded, an Agency might attempt to "bring them into the fold" - to hire them and at least take them off the market.
You'd think that an Agency would harden its own systems against its whole portfolio of "zero-day" exploits, would track the public registries and even create "honey-trap" systems for those exploits: systems that are just secure against the exploit, but allow the attacker into a fake environment containing false/misleading information (mis-information from highly 'reliable'/'credible' sources is a counter-espionage coup de grâce) - or even initiate active counter-attacks or less invasive track-back and monitoring.
It is guaranteed that all the many Intelligence Agencies (if the US has a unit, so will everyone in the G20 and maybe beyond, especially those in Intelligence sharing partnerships) know the cost of finding zero-day exploits against many types of targets. As in, they can tell you a dollar value. Part of the driver for third-party purchases will be additional resource/capability, but it is also very pragmatic: it's cheaper. You'll always pay third parties less than it costs you :-)
How do I know this for sure? In 1998, Robert Morris (senior) talked at the AUUG Conference in Sydney. He'd 'retired' from the NSA, (and said "you never retire from them") and after lengthy service at senior levels, knew intimately what could be said publicly and what was never to be said.
He calmly talked about the US mis-placing nuclear weapons (more times than I remembered being widely reported), and described a really neat hack that let them listen in on terrestrial phone conversations (put a satellite or plane in the line of a microwave link).
And he said unequivocally, "It costs us $10MM for an 'intercept'". Not only did that imply they had the tools and techniques to break most or all codes, but that they did so at "industrial scale". It wasn't a little cottage industry like Bletchley Park had been, but large enough that they absolutely knew how to cost it and would bill-back those resources when requested. Generals and others would have to consider what certain information might be worth to them before blindly requesting it.
Things are much worse than you can imagine, now there are acknowledged Cyberattack Units and a market in "zero-day" exploits. We can only know after the event just how bad things have been - like the Cold War's Nuclear "incidents".
BTW, while it's possible companies or individuals might deliberately insert backdoors or vulnerabilities into critical software, I find it highly unlikely. The next plodder that comes along to fix a bug in your code (you don't stay after scoring the jackpot) might just wreck it. If you're really good, people will never notice what you've done.
While there are some people that are that good, there are a huge number who only think they are. They will be caught and dealt with, either via the normal Law Enforcement and court system or by covert activities.
A far more plausible and probable occurrence is for a vendor of "proprietary systems" (closed source, not Open Source) to bow to pressure from Friendly Governments to allow controlled administrator access, a variation of the Ranum Conjecture, whereby undercover agents infiltrate critical work-teams and insert malicious code.
Whatever Intelligence Agencies are capable of, large Organised Crime is potentially capable of as well. The difference is, "can we make a buck off this". They will do different things and target different systems.
The NBN will become our first line of defence against Cyberattack: let's get everyone behind it both publicly and privately.
Friday, 27 April 2012
The NBN and defending against Cyber warfare attacks.
CYBER-WARFARE and the Australian NBN.
We know from "Stuxnet" that Nation States are actively building and deploying Cyber warfare tools, applying them to National Security concerns and running them as Military, not technical, operations. This includes accurate reconnaissance and network topology and vulnerability mapping. The worst case is that attackers will gain access to the network control tools and infrastructure.
Recent coverage suggests that Obama denied a US Military request to launch a cyber attack on Syria's infrastructure during the recent 'troubles'.
From the "slammer" worm, we know that any Cyber warfare attack will be fully developed within 3 minutes, and any attack will be launched at the worst possible time for defenders, possibly accompanied by physical distractions.
Recovery from "munitions grade" worm/malware compromise will be long and expensive. Experience is that malware infections are as damaging to businesses as a fire: within 12 months of a fire, 80-90% of small businesses fail.
We've no idea of what the impact and cost will be if major Government I.T. infrastructure is compromised: ATO, Finance, Centrelink and Medicare (and with e-Health, the PCEHR).
Never mind State Govt. Education, Hospitals and Police.
Will Banks and the financial system, including Superannuation companies, be immune??? Obviously, some will go down.
If, like the destruction of all clients' (4800!) data at "Distribute IT" in 2011, some "preparatory work" is done by the attackers, not only will "business as usual" not be possible for the week after an attack, many businesses will lose all their data - including backups.
Saying, "but nobody would attack us" is pure wishful thinking.
Nobody may ever intend to attack us, but as the Internet's first worm in 1988 showed (the "Morris worm"), the Internet is a single thing and it's really easy to mess up your first attack, with no way back.
Morris had been raised with computers (at Bell Labs), with his father becoming the Computer Security advisor for the NSA. He had talent, experience and great knowledge - and even then his experiment escaped from his control. Australia will most likely be "collateral damage", not a prime target unless there are real wars over resources and clean water.
DSD already has a Network Security monitoring facility and at some point, as a critical National Security measure, it will have to be upgraded to defend against a Cyber warfare attack, for Government and all other users.
This requires:
- fully automatic responses, opening us to disruption by false attack detection, and
- full coverage of the whole Australian Internet.
- The Internet is a single thing, protection is "all or nothing".
pull the plug and put known infected machines into quarantine.
Next, identify and clean up the damage piece by piece. Whilst some of this can be automated and performed within the network, compromised systems will need to be scrapped or physically visited and rebuilt. The economics seem odd, but when low-end machines are ~$500 and casual hourly service rates from tier-1/2 companies are $150-$250/hr, it's cheaper to supply a new, clean machine and remove/destroy the compromised hard drive. The alternative is for householders to take their machines to a "clean and restore" site that may take a month or two to fix their machine.
Without a single shared "wholesale" infrastructure, i.e. in the current highly variable, anarchic ISP arrangement, this necessary protection is not merely a hard problem, it is impossible. The ability for the authorised protection authority to, in real-time, disconnect or move any identified system into a quarantine area with a single system, is a critical feature only available on the NBN.
An attacker only needs one breach, just like a dam, dyke or flood levee only needs to spring one leak to fail completely, often with devastating speed.
Careful, patient and capable attackers will construct their beachheads well ahead of time and be completely undetected. It's a given that our current "anything goes" Internet design is indefensible.
Patient, capable and determined attackers will still be able to wreak havoc on the Internet within Australia even with the NBN with long-running stealth attacks and multiple beachheads, but with a uniform, consistent, universal network monitoring, management and control system, DSD (or whomever) stands a chance of limiting an attack. Without a single, real-time and automatic detection/response system, we have no chance of defending ourselves.
Wednesday, 18 April 2012
The NBN as an Essential Strategic Defence for Cyber-warfare.
Whilst reading this piece today I 'had a thought'.
One argument in support of the NBN I've not heard is about Security, but not the "how to keep your bank account and credit card safe" kind - the usual direct theft or Identity Fraud talked about at Cyber-Security conferences.
"... online", Nick Hopkins, guardian.co.uk, Monday 16 April 2012 15.00 BST
The National Security kind that interest the Intelligence agencies and Military, a.k.a. "Cyber-warfare".
This is as far removed from normal Cyber-security as guarding bank vaults is from fighting a war. Attack, and hence Defence, is taken to a whole new level: because the resources employed and what is at stake is taken to a whole new level.
The Y2K debacle/non-event conclusively demonstrated a number of things, one of which was that Federal Government "front office" functions (normal day-to-day tasks) were completely dependent on I.T. and the 'Net. Their dependence has only become more embedded and ubiquitous since then. [Fed Govt "back office" functions were, like Banking, completely dependent on I.T. by around 1990-1995. Widespread automation started 1955-1960.]
The Nick Hopkins piece takes this one step further, the militarisation of cyberspace attacks, with all the attendant organisation, funding, talent, 'hardware' and strategies - including reconnaissance, stealth incursions and long-term, low-visibility high-impact campaigns where patience is the key. One to Five year operation lifetimes are not unthinkable.
The Australian equivalent of the NSA, DSD (Defence Signals Directorate) already takes the possibility of Cyber-warfare quite seriously with its "CSOC – Cyber Security Operations Centre".
The guy who detected and defeated the first known "Denial of Service" (DoS) attack, Bill Cheswick, later started "The Internet Mapping Project" in mid-1998 as an aid in controlling these attacks.
The first element of which is, "What link(s) are they coming at us from?". [The current version is a Distributed Denial of Service (DDoS) attack, where 'zombies', ordinary PCs infected with malware, are controlled in real-time in a "BotNet" (robot network).]
Ideally, you'd also like to be able to identify all the originating machines so they could be potentially isolated.
So why are the new capabilities of the NBN so important to National Security?
Because of its implementation: 802.1ad, a.k.a. "QinQ" or Stacked VLANs (Virtual Local Area Networks). VLANs on the NBN Co site: 2010 consultations, Access Seeker Certification.
- Unlike the uneven, disparate designs and capabilities of existing ADSL and Cable networks, the NBN gives us a single network that has designed in from day-zero, sufficient security capabilities.
- Limited interconnection points (121) allow common event detection and reaction at realistic costs and complexity.
- The Stacked VLAN approach of the NBN allows high-speed traffic analysis to be performed without inspecting the content. Bytes, and potentially traffic flows, may be counted, but information privacy is respected. Sudden changes in traffic volumes and targets are indicative of BotNet attacks.
- ISPs can elect to drop all traffic from suspect links and sources.
- Co-operating ISPs can automatically, and in real-time, put all identified members of a BotNet into a quarantine VLAN, to which the CSOC would have special access.
- Because there will be a small number of very well identified and controlled international links into and out of Australia, we can selectively "pull the plug" on overseas DDoS or BotNet attacks.
- Because every link has two ends, and both parties must trust each other, one option is to drop attack packets before they get onto the link into Australia (or outbound link for attacks originating in Australia), preventing link congestion. This requires one trusted, controlling authority in Australia and cooperation agreements with far-end operators to facilitate secure remote commands.
- More subtly, DSD might direct all identified attack traffic into a set of HoneyPot VLANs: it will look to the attackers as though their attack is succeeding, while they are just playing with a set of Virtual Machines at the CSOC. This comes at the cost of congesting the international links.
- The NBN allows one consolidated and co-ordinated set of defences, no "market driven" scheme allows this. It isn't an issue of cost, complexity or convenience, it is entirely about being able to defend ourselves at all from Cyber-warfare attacks.
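As an added illustration of the third point above (counting bytes per stacked VLAN without inspecting content), here is example Python that is not NBN Co's nor the post's own code: it reads only the 802.1ad S-tag and C-tag from constructed frames, totals bytes per (S-VID, C-VID) service, and flags services whose volume surges against a quiet baseline. That the S-tag identifies an access seeker and the C-tag a subscriber service is an assumption made for the illustration.

```python
import struct
from collections import defaultdict

TPID_S = 0x88A8          # 802.1ad service (outer) tag
TPID_C = 0x8100          # 802.1Q customer (inner) tag
HDR_LEN = 12 + 4 + 4 + 2  # MACs + S-tag + C-tag + EtherType


def build_qinq_frame(s_vid, c_vid, payload, ethertype=0x0800):
    """Constructed double-tagged frame for the demo (not captured traffic)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    return (dst + src
            + struct.pack("!HH", TPID_S, s_vid & 0x0FFF)
            + struct.pack("!HH", TPID_C, c_vid & 0x0FFF)
            + struct.pack("!H", ethertype)
            + payload)


def parse_tags(frame):
    """Return (S-VID, C-VID, EtherType, frame length) from the headers only.
    The payload is never read, so the accounting respects information privacy."""
    if len(frame) < HDR_LEN:
        raise ValueError("frame too short for an 802.1ad header")
    tpid_s, tci_s, tpid_c, tci_c, ethertype = struct.unpack_from("!HHHHH", frame, 12)
    if tpid_s != TPID_S or tpid_c != TPID_C:
        raise ValueError("not a double-tagged (QinQ) frame")
    # Low 12 bits of each TCI carry the VLAN id; PCP/DEI bits are ignored.
    return tci_s & 0x0FFF, tci_c & 0x0FFF, ethertype, len(frame)


def account(frames):
    """Bytes per (S-VID, C-VID) service over one interval: volume only, no content."""
    totals = defaultdict(int)
    for frame in frames:
        s_vid, c_vid, _, size = parse_tags(frame)
        totals[(s_vid, c_vid)] += size
    return dict(totals)


def flag_surges(baseline, current, factor=10.0, floor=10_000):
    """Services whose volume rose to at least `factor` times their baseline and
    above an absolute `floor` (so a brand-new but quiet service is not flagged).
    A sudden surge like this is the change the post treats as a BotNet indicator."""
    flagged = []
    for service, cur in current.items():
        base = baseline.get(service, 0)
        if cur >= floor and cur >= factor * max(base, 1):
            flagged.append(service)
    return sorted(flagged)


def demo_counts():
    """Two constructed intervals: a quiet baseline, then one subscriber flooding."""
    def burst(s_vid, c_vid, count, size=100):
        return [build_qinq_frame(s_vid, c_vid, b"\x00" * size) for _ in range(count)]

    baseline = account(burst(100, 1, 20) + burst(100, 2, 20))
    current = account(burst(100, 1, 20)
                      + burst(100, 2, 300, size=1400)   # subscriber 2 floods
                      + burst(100, 3, 5))               # new, quiet subscriber
    return baseline, current


if __name__ == "__main__":
    base, cur = demo_counts()
    print("baseline:", base)
    print("current: ", cur)
    print("surging services:", flag_surges(base, cur))  # [(100, 2)]
```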
What may not be clear is the speed at which attacks will originate and propagate in Cyber-warfare, and hence the importance of real-time co-ordinated defences. From a 2003 piece on the "Slammer" worm:
... the number of infected machines doubled roughly every 8.5 seconds, the study found. This is more than 250 times faster than Code Red, which hit in mid-2001 and had a doubling time of 37 minutes, according to the report. The worm hit its full scanning rate of around 55 million scans per second at around three minutes after the attack began at roughly 05:30 GMT on Saturday.
I don't have figures to hand, but network speed/capacity, as well as size of BotNets, has increased 100-fold or more in the intervening decade.
What everyone should understand is "Internet Time". The rate of increase (doubling time) of capacity, endpoints and "events" (or attacks) is measured in weeks and months. 12 months from inception, some new technique or attack vector will have completely saturated the Internet. With the advent of Internet connected smartphones and tablets, the number of new devices connecting has accelerated another 10-fold.
At the 3-minute mark, the Cyber-warfare event is pretty much won or lost. Defences have to be both automatic and high-speed. [Hence there will be false positives when defences are accidentally or deliberately triggered. This is an unavoidable and inevitable cost of good defences.] We no longer have the option of "turning off the Internet", nor even can we just "unplug the problem link".
As well, because the attacker can select their timing, they will choose the worst time for the defenders. If somehow they gain Intelligence (remember this is military in nature, not just a bunch of techno-crims) about even the shortest of times critical controls are unmanned or incapacitated, that's when they'll go in. You wouldn't expect less from highly trained, success-focussed professionals.
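To make that growth concrete, here is an added Python model (mine, not the post's and not from the cited study): it turns the quoted doubling times into a logistic spread curve and asks how much of a vulnerable population is already compromised when a response of a given latency lands. The 75,000-host population is an assumption chosen for the illustration, not a figure from the post.

```python
import math

# Early-phase doubling times quoted in the post.
SLAMMER_DOUBLING_S = 8.5
CODE_RED_DOUBLING_S = 37 * 60

# Assumed vulnerable population for the illustration (not a figure from the post).
VULNERABLE_HOSTS = 75_000


def growth_rate(doubling_s):
    """Per-second exponential rate r from a doubling time T: 2 = e^(rT) => r = ln2 / T."""
    return math.log(2) / doubling_s


def infected_at(t_s, doubling_s, vulnerable=VULNERABLE_HOSTS, initial=1):
    """Logistic spread I(t) = N / (1 + ((N - I0) / I0) * e^(-r t)).
    Random scanning doubles early on, then saturates as few targets remain."""
    r = growth_rate(doubling_s)
    a = (vulnerable - initial) / initial
    return vulnerable / (1 + a * math.exp(-r * t_s))


def time_to_fraction(frac, doubling_s, vulnerable=VULNERABLE_HOSTS, initial=1):
    """Invert infected_at: seconds until `frac` of the population is infected,
    t = ln(a * f / (1 - f)) / r."""
    r = growth_rate(doubling_s)
    a = (vulnerable - initial) / initial
    return math.log(a * frac / (1 - frac)) / r


def speed_ratio():
    """How many times faster Slammer doubled than Code Red (the post's '>250x')."""
    return CODE_RED_DOUBLING_S / SLAMMER_DOUBLING_S


def infected_before_response(latency_s, doubling_s, vulnerable=VULNERABLE_HOSTS):
    """Fraction of the population already compromised when a response lands."""
    return infected_at(latency_s, doubling_s, vulnerable) / vulnerable


if __name__ == "__main__":
    print(f"Slammer vs Code Red doubling speed: {speed_ratio():.0f}x")
    for name, T in (("Slammer", SLAMMER_DOUBLING_S), ("Code Red", CODE_RED_DOUBLING_S)):
        print(f"{name}: 99% infected after {time_to_fraction(0.99, T) / 60:.1f} min")
    # Automated response at 60 s vs a 15-minute human response, Slammer-speed worm.
    for latency in (60, 180, 900):
        print(f"  {latency:4d}s latency -> "
              f"{infected_before_response(latency, SLAMMER_DOUBLING_S):.1%} infected")
```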
The other issue is the degree-of-coverage.
With a consolidated infrastructure, you have the possibility of complete coverage because its physically possible and economically feasible to have a single control network with complete coverage originating from the authorised defence organisation.
With the anarchic, decentralised free-for-all "market-place" model we have now, this uniformly high standard of defence and control, guaranteed across the whole system, is impossible. At the very best it is an N^2 problem, but more likely the far larger N! (N factorial). This scale is completely unmanageable and uncontrollable.
Complete coverage is needed for any large-scale Internet defence system.
It's exactly like a dam or flood levy: you only need one undetected breach and the whole asset is quickly lost.
With the militarisation of the Internet, not having the NBN compromises National Security in the immediate future. Any person or organisation that claims otherwise doesn't understand the problem. Any political group not supporting the full NBN is deliberately sacrificing our security for short-term political gains. [I'd personally be more comfortable with a faster implementation schedule as well. More costly, but safety arrives sooner.]
Wide-scale coordinated Cyber-attack isn't a possibility, it is a certainty, the only uncertainty is the timing. We can choose to be prepared, or not.
The outcomes of ineffective defences will not be pleasant. I'm sure there must be Military or Intelligence briefings that describe the results in awful detail. They won't be for the faint of heart.