Saturday, April 30, 2016

Claude Shannon

CYBR650 Week 7

“The stone age was marked by man’s clever use of crude tools; the information age, to date, has been marked by man’s crude use of clever tools.”-Author Unknown

The Information Age offers much to mankind, and I would like to think that we will rise to the challenges it presents. But it is vital to remember that information — in the sense of raw data — is not knowledge, that knowledge is not wisdom, and that wisdom is not foresight. But information is the first essential step to all of these.  Arthur C. Clarke

April 30th marks the 100th birthday of Claude Shannon, credited with being the father of the information age.  So who is this person who gets this kind of title, but was unknown to me until I saw today’s Google Doodle

Born in 1916, Shannon was a mathematician and an electrical engineer.  The most significant work that Shannon did was his master’s thesis called “A Symbolic Analysis of Relay and Switching Circuits” which described a new mathematical way to analyze and design circuits rather than the trial-and-error method of the day.  This came from his work at MIT trying to build an analog computer.  It worked, but took a week to solve a simple equation.  He discovered little known Boolean algebra and expanded on it to describe digital circuits.  His work, explained in the thesis, is the basis of all digital circuits such as microprocessors.  A chart of boolean circuits, used in all digital electronics, is displayed here. 

Some consider his paper written 8 years later, while he worked at Bell Laboratories in 1948, called “A Mathematical Theory of Communication” more important.  It presented the founding work of information theory, which studies the transmission, processing and extraction of information on a highly theoretical level.  It is the basis of cryptography, artificial intelligence complexity science and informatics.  It has more to do with probability than data.  While this theory is quite complex, its where the concept of the binary digit, or bit, was defined by Shannon which can be used to describe any information such as a song or picture.  The transistor was invented at Bell Laboratories that same year.

One really interesting aspect of his life is his design of a wearable computer he used to beat Las Vegas casinos at Blackjack with professional gambler Edward O. Thorpe.  The money they won was invested using the same theoretical basis in probability to beat the stock market, and Shannon didn’t need to work for the rest of his life.  He invented a lot of things but didn’t have any further impact on the world.  He died at age 87 suffering from severe dementia, so he never saw the results of his work that we call the Internet.

This post doesn’t specifically address anything directly related to security, but we wouldn’t be actively working in the information age and using the Internet without his work. 


Wednesday, April 27, 2016

Cyberwarfare on a Personal Level

CYBR650 Week 6

The supreme art of war is to subdue the enemy without fighting.
Sun Tzu

Ten soldiers wisely led will beat a hundred without a head.
Euripides


Cyberwarfare is Internet-based conflict involving politically motivated attacks on information and information systems. Cyberwarfare attacks can disable official websites and networks, disrupt or disable essential services, steal or alter classified data, and cripple financial systems -- among many other possibilities.

In 2009 the Secretary of Defense established the United States Cyber Command.  They have a threefold mission; Defending the Department of Defense (DoD) Information Network; support military commanders for execution of their missions around the world, and strengthening our nation’s ability to withstand and respond to a cyberattack.  So how is the Cyber Command doing in its three fold mission seven years later? 

1.  Defend the DoD Information Network – One of the first actions the Cyber Command took was to consolidate all the IT systems from the entire DoD – three branches, four uniformed services and nine unified commands (over 7 million devices) into a single unified architecture.  Very soon, the entire military will be linked through one command-and-control structure.  They’ve modernized the equipment and streamlined operations. There are some potential weaknesses created by this, but it seems to be outweighed by centralized monitoring, easy updating and quick response to attacks.

2.  Support Military Commanders - One of the biggest advantages of the unification is being able to provide a unified response to any attack from all services and from air, land or sea.

3.  Defend our nation against a cyberattack – While not perfect, defenses are getting stronger through a series of initiatives.  The DoD experiences 41 mission scans, probes and attacks each month.  The penetrations that were detected have all been quickly dealt with.  One of the biggest weaknesses in all of the breaches has been the human factor.  And believe it or not, the Cyber Command is doing better in fixing the human factor weaknesses than most private sector companies using a concept called high reliability organization or HRO.  These are systems that can’t afford to learn from mistakes such as nuclear power plants, air traffic control systems and high-speed rail, they have to correct deviations before they become problems.

How they did it – If any of you have experience with the US military, you will recognize they got a lot of work done in 7 years.  The Cyber Command modeled its operation on the US Navy’s nuclear propulsion program which has arguably the best safety record.  The nuclear program has built a culture on six principles that limit the impact of human error.

Integrity – strongly held convictions that eliminate deliberate departures from clear protocol.  Everyone reports mistakes immediately.  The standard is set very high and there are no second chances.  Everyone is accountable and held accountable for their actions.  The result is minor problems are reported and fixed quickly.

Depth of knowledge – training is thorough and broad.  The system is fully understood, including weaknesses.  Close supervision, testing and drills are common.

Procedural compliance – operational procedures are followed to the letter.  There is an extensive inspection system including simulated emergencies.

Forceful backup – Everyone who performs a high risk action is backed up with another fully qualified person so all risky tasks are performed by two people.  Everyone is authorized to stop a process when a problem arises.

Questioning attitude – operators are trained to question any anomalies that are detected and they must be corrected.

Formal communications – Directions are clearly stated in a formal, prescribed manner and repeated back verbatim.  Small talk is discouraged.


What we can learn – What are the lessons cyber professionals can learn from Cyber Command and the nuclear program?  Pretty much every human factor that leads to a breach is a violation of at least one of the principles.  Is it possible for your organization to operate at such a high standard?  Most likely it’s not possible, but everyone can build these concepts into their daily practices.  Training goes a long way in recognizing when something isn’t right.  Document processes and then follow them.  Always have a backout plan.  Communicate clearly.  Empower everyone on the team to speak up when they aren’t sure or don’t understand.  Strong leadership is critical to build this kind of environment.  If you don’t have a leader like this that you can follow, lead from where you are by enforcing these principles on yourself and those you can influence.  Be a high reliability employee in your cyberwarfare.

Tuesday, April 19, 2016

Is Bitcoin Secure?

CYBR650 Week 5


Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo. You can quote them, disagree with them, glorify or vilify them. About the only thing you can’t do is ignore them. Because they change things. They push the human race forward. And while some may see them as the crazy ones, we see genius. Because the people who are crazy enough to think they can change the world, are the ones who do. –Steve Job

Digital currency.  Just the thing tech-savvy individuals like you and I should be both concerned and excited about.  It’s been around for 7 years now and all indications are it’s here to stay.  So, is bitcoin the currency of the future or just another way to lose money with technology?  Digital currency certainly could have security concerns.  It seems to be used for all sorts of illegal activities. But then again, real currency can be used for illegal activities.  First, let me explain how Bitcoin works.

Bitcoin is decentralized digital currency also referred to as cryptocurrency.  First, it’s digital, meaning there are no coins or paper money exchanged.  It uses public key cryptography certificates on a peer-to-peer network of bitcoin users.  It’s decentralized, meaning there is no main database of transactions and no central authority.  The transactions are stored redundantly on all the user’s computers in a blockchain ledger (distributed database), broadcast to the network.  A transaction is broadcast in a process that prevents bitcoin from being spent twice or spent in two transactions at the same time, since the transactions are recorded on all the computers in the peer-to-peer network.  Each transaction creates a hash value that is stored with the transaction.  If the hash changes, the transaction information has been changed and is not trusted.  Another blockchain ledger entry will be used to validate the data.

Bitcoins are mined by allowing a computer to process bitcoin transactions as part of the peer-to-peer network.  Anyone allowing their computer to be used for the transactions gets a small bitcoin reward for participating and the new bitcoins are added to the blockchain.  Bitcoins are stored in a bitcoin wallet, either an application on your computer or cell phone that stores your bitcoins, a web based third party that stores them for you or a hardware wallet which stores the keys on specially designed removable media.  Only the person with the private cryptokey can spend the bitcoin.  The wallet stores the private keys and a record of anyone you exchange bitcoins with without actually knowing who the other person is since you only have an address for the person.  The address doesn’t have any personal information.  The address is actually just a number.

Key Characteristics
Open Source – nobody owns or controls bitcoin.  Once it was introduced to the world, it started being used and will only cease to exist if everyone stops using it.

Efficient – There’s no third party (bank or credit card company) processing the transaction, so it’s fast and reliable. 

Inexpensive - There’s no third party (bank or credit card company) processing the transaction, so it’s very low cost.  Credit cards typically charge 2 to 4% per transaction for processing (transferring the funds from the buyer’s bank to the seller’s bank).  This is cheap because there is no bank involved, only the buyer and seller.  The transaction is stored in the blockchain.

Anonymous – transaction is recorded but the two parties are untraceable.  Anyone can see how many bitcoin are in an address, but they can’t find out who has that address.  To increase anonymity, a person can use multiple addresses for a single transaction.  There’s no record of what was bought or sold.

Secure – Bitcoin uses SHA-256 encryption for transactions and verification.  The next section outlines the security problems that bitcoin has had so far.

Security
There have been four bitcoin security breaches, but the security problems weren’t bitcoin issues, they were the same security issues any network faces.  All involved attacks on bitcoin wallets or accounts.  The first breach one was a social engineering attack that stole a password to an email address used for a bitcoin account.  The second, the Mt. Gox bankruptcy, was caused by inadequate network security in what was at one time the largest bitcoin exchange.  What wasn’t stolen by hackers was lost to poor management.  The third, Silk Road 2.0 was an attack against the darknet website’s bitcoin account.  There is speculation that it was a cover-up for corruption within the illegal site.  The fourth breach, called the Pony botnet, stole passwords to 85 personal, locally stored bitcoin wallets.  The weakness exploited was the computer system security, not a weakness in the bitcoin algorithm. 

Bitcoin appears to be here to stay.  There’s even some talk about banks and other large financial organizations using blockchain technology for transactions.  So the bottom line seems to be, bitcoin is safe, quick, cheap and reliable--as long as you protect your digital wallet.  Once again we find the importance of good security practices.


Bitcoin image courtesy of Imgur, http://imgur.com/Jdszyq9

Saturday, April 9, 2016

Snowden and the Panama Papers: A Comparison

CYBR650 Week 4

“There are pockets of wealth in this country. Mostly those pockets are in the politicians’ pants.” 
 Jarod Kintz, How to construct a coffin with six karate chops

I remember when I first heard about Edward Snowden’s leak of thousands of classified documents.  I remember distinctly feeling that what he had done was illegal and immoral and traitorous.  Last week when the Panama Papers were leaked I felt that something good had been done.   I immediately wondered what was fundamentally different about these two incidents.  On the surface, they’re very similar. There are also some important differences.  Is Snowden justified in what he did?  Is it morally any different than the reporters who disclosed the Panama papers?

Both were very large collections of documents that were never intended to be available to the public.  Both implicated political figures and government leaders for behavior that is generally considered inappropriate and unacceptable.  Both caused great political turmoil and both were major security incidents, at least for those whose documents were revealed. 
But there are some distinct differences as well.  Snowden was sworn to secrecy by the government whose documents he leaked.  The reporters who disclosed the Panama Papers didn’t break any laws as far as we know.  Snowden is considered by many a traitor, the reporters will probably get an award for great journalism.  Snowden revealed what he and many others felt were illegal and invasive practices by government agencies.  The Panama Papers may not show any illegal actions, only questionable behavior by politicians, not government agencies.

Purely from a security standpoint, Snowden broke the law.  He held a position of trust with a top secret security clearance.  He signed a non-disclosure agreement that basically says he wouldn’t reveal the secrets he learned while performing his duties.  Some have said took an oath “to protect and defend the constitution against all enemies foreign and domestic.”  Apparently, only military members and the president take that oath.  But even if he had taken the oath, many would argue he did not violate it as he felt the agencies were overstepping their authority.  Snowden feels he did what was morally correct, a higher standard of loyalty to the Constitution than to the law.

There’s no doubt in my mind the politicians implicated by the Panama Papers are dodging taxes and doing so legally, but in violation of the trust of the citizens they represent – at least those leaders who represent democratic governments. 

I still think what Snowden did was wrong.  It violated security laws.  However, he did act very morally, he did what he thought was right.  For that I applaud him.  I have more respect for Snowden than I ever will for any politician.  Many politicians consistently operate on the edge of laws, always being careful to obey the letter of the law, but somehow always violating the intent of it.  

Either way, we always end up with the human factor being the weakest link in security.

Tuesday, April 5, 2016

Passive Authentication: The Future of Security

CYBR650 Week 3

Without change there is no innovation, creativity, or incentive for improvement. Those who initiate change will have a better opportunity to manage the change that is inevitable.
William Pollard


Security Week blogger Kevin Townsend, a guy who’s been writing about information security for 15 years, published a blog post entitled Is Passive Authentication the Future for User Authentication?  My initial reaction was to be skeptical.  The concept of being passive about security goes against everything I’ve been taught in the last few years.  I took a deep breath and decided to explore with an open mind.

Everybody hates passwords.  They are a necessary evil.  Like shaving or changing the oil in your car, something that has to be done.  Those who reject this concept in the name of convenience threaten everyone’s security by being the weakness in the security structure.  But mobile computing has changed the landscape as people have pushed for easier security.  Passwords have been exchanged for PIN codes.  Banks and others who have higher security requirements have started using 2 step verification—you log in with a password or PIN and then must also provide a code that is sent to your Smart phone.  It’s much harder to steal login information because you have to have both parts to get in. 

Everything I was able to find on passive authentication was very technical in nature like this blog post by KidoZen which has a pretty good explanation.  But if you want the less technical version, read on…

Meet Bob, a young professional sales representative who is fully connected to the digital world through his technology.  Bob’s company feels strongly about security, but knows Bob will get around security if he’s given any opportunity to do so.  Bob logs into his corporate VPN with his chip enabled smart card and password on his corporate laptop when he’s away from the office.  Bob hates having to carry the card and has lost it on several occasions.  Bob’s company is tired of replacing them at $20 each.

Bob’s company decides to replace the smart card with a one-time-password application.  OTP apps work on a smart phone or other mobile device.  Bob had to set it up at work so the network trusts his phone and syncs the OTP which was a pain, but once it was done, all Bob has to do is open the app when he wants to login.  He provides his usual login password and the one-time password, a randomly generated number that the company and the smart phone both know.  It works great until Bob loses his cell phone. 

If Bob’s sales figures weren’t so high, they would fire him.  So they decide to try passive authentication.  When Bob logs into the VPN on his corporate laptop, the network recognizes the laptop as a trusted corporate computer.  The VPN also recognizes the network that Bob is logging in from, one of his regular customers.  Because the laptop and the location (network) are recognized, Bob only has to enter his password.  The laptop and recognized network provide the second factor.  Later, when Bob is at the airport bringing his latest sales contract back to corporate headquarters, he has to use the OPT app on his smart phone again since he’s not on a trusted network. 

Passive authentication relies on some known factor about the user or the user’s device to act as the 2nd factor.  If only one factor is required it could be the device, so Bob wouldn’t need to use his password at all.  This will most likely be used first for mobile devices like smart phones (after it’s registered to the user) when they are on known networks (networks that are deemed secure). 

I don’t know if passive security is as safe as current active security measures, but I have no doubt that the convenience will drive the change to make it more secure.  Devices and networks will be configured to work with passive security systems.  

Someday Bob’s children will ask him to explain what a password is.