Alrighty then, we had a basic intro to cyberwar in my previous post. In between then and now, the clever chaps at the SIS, commonly incorrectly referred to as MI6, told us about this little gem. This has to be one of the funniest things in existence... EVER!!! But minor state-sponsered hacktivism aside, back to the crux of the matter: the issues arising from cyberwar.
One of the main problems is that you may not even know that you were attacked. If somebody blows up a building the sound, and the lack of building, would alert you pretty quickly to the fact that there was an attack. The attacker may have installed some malicious software on your system or copied some data and you would be none the wiser. Yes, there are ways to detect this, but it is very possible that you wouldn't even notice.
Not only is it the lack of physical evidence, but also the time scale. Normal wars tend to take a long time. If you don't notice you are at war, well then you have bigger problems than the army barrelling down you front driveway. A cyberwar or cyber attack can be executed and completed within a matter of hours, if not minutes. It is really that fast. Yes there is a lot of prep time required but this is analogous to training your army, building your tanks etc.
Then there is the last (I promise, well for now) issue arising in cyberwar: non-interactivity. To take a touch of a cryptographic twist onto the whole matter war is an interactive protocol. Sure if you surprise the enemy they won't know they are at war right away, but they will pick up pretty quickly and then return in kind. The thing with cyberwar is that not only is the decision to go to war unilateral, but in some sense so is the war. One party decides to attack another party and does so. The other may or may not discover this and may or may not respond in kind. But again the whole thing is done very non-interactively (despite what pop culture (couldn't find anything for that, sorry) and video games may tell you).
So, to sum up: cyberwar is confusing, unclear, hard to track, pinpoint and blame the perpetrators and is inherently non-interactive. And if that wasn't bad enough, the actual definition of cycberwar is pretty fuzzy and very much up in the air right now. Most likely I may revert back to lazy me. Unless something cool happens.
Monday, 6 June 2011
Friday, 3 June 2011
Cyberwarfare Part 1 (A post I have been procrastinating on)
Well this post has been in the works for a couple of week now. I have been procrastinating on a epic level about finishing this off. However the universe decide to give me a kick in the backside in the form of these related recent articles (all links to separate slashdot stories)
So, in recent times, there has been a lot of talk of digital warfare, internet wars, cyberwar and so forth. The most recent being the aforementioned. The general idea behind them is all the same, we have a strategy/army/assets/whatever for cyberwarfare. What happens when warfare goes from being about things in the real world to things in the digital world?
So let's start from the start shall we? What is modern warfare? (apart from a terrible pun on a pretty good video game) War as a concept is fairly simple. Two nation states (in general) disagree on something and wish to resolve the issue. So basically they start blowing each other up until they get bored or one party is very very dead. Yes, that is a gross oversimplification, but the concept holds. Now, onto the crux of the matter: What is Cyberwafare?
Cyberwar (which is the term I shall be using from now on, because I think it's the coolest) is essentially a war fought in the digital realm. This is generally in tandem with conventional warfare with the aim of disabling digital assets. There could also be political goals, achieved by defacing websites and so on, but IMHO the main goal is the destruction of digital assets.
Well, this is all pretty fine and dandy when the war is being carried out by nation states, because there is some inherent chain of command and somebody who would be responsible for ordering these attacks. However, this is not always the case with cyberwar. Now you may ask "why this is possible?"
Good question. The thing with conventional war (ignoring any peace negotiations) is that the winner is the side with the most and/or better equipment and/or training. There is the main point where cyberwar becomes so much easier. To build a real army you need to train people to drive tanks and fly planes and shoot guns and blah blah blah. To build a cyber army, you need to teach people how download a program and run it.
Here the "army" is recruited by word of mouth and because there is no physical danger caused by participating in this attack the number of people who join in are much more numerous. However, we do fall into an interesting problem: who is responsible for this attack, which is essentially tantamount to an act of war?
The answer to the question is ill-defined at best. An prime example would be the recent attack on the Playstation Network (another blog post I will finish soon). First Sony said it was Anonymous, who then claimed it wasn't them, but then it later turned out the be a "faction" (for lack of a better word) of anonymous. So here we see no chain of command and the leaders of the group had no idea what the other members were upto.
And there in lie the first complications of cyberwar. First off, we have the ability to engage in cyberwar. ConvenConventional warfare requires a substantial amount of resources, which are pretty much never available to the average individual. In the cyber realm, all you need is an Internet connection and possibly some more people to help out, or just their computers (whole other problem there, which I will cover later). And then there is the problem of accountability. At best you get an IP address(es) for the attacking platform(s) which may just be under the control of the attacker (again, to be covered in more detail in another post) and thus may not yield anything useful.
Now, this post is getting pretty long and falling into TL;DR territory. That and I really don't want to write anything more at this point in time. So, I will end here and will pick this up later (note the "Part 1" in the title of the post).
So, in recent times, there has been a lot of talk of digital warfare, internet wars, cyberwar and so forth. The most recent being the aforementioned. The general idea behind them is all the same, we have a strategy/army/assets/whatever for cyberwarfare. What happens when warfare goes from being about things in the real world to things in the digital world?
So let's start from the start shall we? What is modern warfare? (apart from a terrible pun on a pretty good video game) War as a concept is fairly simple. Two nation states (in general) disagree on something and wish to resolve the issue. So basically they start blowing each other up until they get bored or one party is very very dead. Yes, that is a gross oversimplification, but the concept holds. Now, onto the crux of the matter: What is Cyberwafare?
Cyberwar (which is the term I shall be using from now on, because I think it's the coolest) is essentially a war fought in the digital realm. This is generally in tandem with conventional warfare with the aim of disabling digital assets. There could also be political goals, achieved by defacing websites and so on, but IMHO the main goal is the destruction of digital assets.
Well, this is all pretty fine and dandy when the war is being carried out by nation states, because there is some inherent chain of command and somebody who would be responsible for ordering these attacks. However, this is not always the case with cyberwar. Now you may ask "why this is possible?"
Good question. The thing with conventional war (ignoring any peace negotiations) is that the winner is the side with the most and/or better equipment and/or training. There is the main point where cyberwar becomes so much easier. To build a real army you need to train people to drive tanks and fly planes and shoot guns and blah blah blah. To build a cyber army, you need to teach people how download a program and run it.
Here the "army" is recruited by word of mouth and because there is no physical danger caused by participating in this attack the number of people who join in are much more numerous. However, we do fall into an interesting problem: who is responsible for this attack, which is essentially tantamount to an act of war?
The answer to the question is ill-defined at best. An prime example would be the recent attack on the Playstation Network (another blog post I will finish soon). First Sony said it was Anonymous, who then claimed it wasn't them, but then it later turned out the be a "faction" (for lack of a better word) of anonymous. So here we see no chain of command and the leaders of the group had no idea what the other members were upto.
And there in lie the first complications of cyberwar. First off, we have the ability to engage in cyberwar. ConvenConventional warfare requires a substantial amount of resources, which are pretty much never available to the average individual. In the cyber realm, all you need is an Internet connection and possibly some more people to help out, or just their computers (whole other problem there, which I will cover later). And then there is the problem of accountability. At best you get an IP address(es) for the attacking platform(s) which may just be under the control of the attacker (again, to be covered in more detail in another post) and thus may not yield anything useful.
Now, this post is getting pretty long and falling into TL;DR territory. That and I really don't want to write anything more at this point in time. So, I will end here and will pick this up later (note the "Part 1" in the title of the post).
Sunday, 8 May 2011
Password Lockers Part 2
So, this is becoming a trend, well two trends: follow-up posts and data breaches. As you may or may not know, there was a MASSIVE breach involving Sony Entertainment, specifically the Playstation, but more on that later. More the the point you may recall my previous post on password lockers etc. Well, this post is about what can go wrong with a password locker.
LastPass is a company that provides a password locker service. What you do is register and download their software. Your master password, which unlocks the locker is then stored there. Now it recently came to light that some of these passwords were compromised (or not). Well, LastPast, if you are reading this, have a gander over here for a sec, k? We assume, hypothetically, that the master passwords were compromised (mainly because I have already written out most of this post and I'm kinda lazy). LastPass issues a warning to all its users to change their master passwords and they all do. Their servers could not handle the load and so they had to restrict the number of users allowed to change their passwords. This actually happened before they announced they were not hacked.
Well, I would like to say that I am somewhat impressed by the expediency with which the users tried to change their passwords. I am also impressed by LastPass's inability to deal with the situation. Agreed, that they had issues dealing with the load but according to their blog they have put affected accounts in "lock-down" mode. Kudos to you.
After all of this, LastPass then claimed they were not hacked. It seems that they just broken their system. After users changed the master passwords, they were met with garbage characters, random images and occasionally the deep dark void of nothing. Somewhere somebody thought that implied a hack. And that brings us to today's lesson.
When you think you have been breached, DO NOT PANIC! Check, re-check, double-check and confirm that there has been a breach. Immediately put in place counter-measures and check for other possible backdoors opened by this breach. Take a deep breath. Notify the affected users as required by law and/or company policy. If you follow these steps properly, then there should be no need to ever retract a security warning. Issuing a security warning scares people, retracting it causes doubt. We are trying to bring digital security out of the realm of FUD (Fear, Uncertainty, Doubt)!
LastPass is a company that provides a password locker service. What you do is register and download their software. Your master password, which unlocks the locker is then stored there. Now it recently came to light that some of these passwords were compromised (or not). Well, LastPast, if you are reading this, have a gander over here for a sec, k? We assume, hypothetically, that the master passwords were compromised (mainly because I have already written out most of this post and I'm kinda lazy). LastPass issues a warning to all its users to change their master passwords and they all do. Their servers could not handle the load and so they had to restrict the number of users allowed to change their passwords. This actually happened before they announced they were not hacked.
Well, I would like to say that I am somewhat impressed by the expediency with which the users tried to change their passwords. I am also impressed by LastPass's inability to deal with the situation. Agreed, that they had issues dealing with the load but according to their blog they have put affected accounts in "lock-down" mode. Kudos to you.
After all of this, LastPass then claimed they were not hacked. It seems that they just broken their system. After users changed the master passwords, they were met with garbage characters, random images and occasionally the deep dark void of nothing. Somewhere somebody thought that implied a hack. And that brings us to today's lesson.
When you think you have been breached, DO NOT PANIC! Check, re-check, double-check and confirm that there has been a breach. Immediately put in place counter-measures and check for other possible backdoors opened by this breach. Take a deep breath. Notify the affected users as required by law and/or company policy. If you follow these steps properly, then there should be no need to ever retract a security warning. Issuing a security warning scares people, retracting it causes doubt. We are trying to bring digital security out of the realm of FUD (Fear, Uncertainty, Doubt)!
Wednesday, 27 April 2011
Why the movies are wrong (Surprise, Surprise)
On the lighter side of life, my friend @zarino tweeted this link, which got me thinking about hackers in popular culture. Think about your favorite movie and/or TV hacker. My vote goes to Alec Hardison, but that's irrelevant. In any "hacking sequence" you see the hacker typing away furiously on a keyboard and all sorts of random green text on a black background. The green on black dates way back to the old days and I have no clue as to why they used those colours, but everybody loves it.
Anyway, you see them typing away furiously at a console screen and all sorts of text just popping up.
Sadly, hacking is really not that glamorous. It's mainly typing one or two commands or even just a button click. That is preceded by actually coding the tool you are using but nobody types that fast, especially not when programming. Just by the by, the text that appears in the link is a program of some sort. Haven't read all the code, so not sure what it does. All I can say is that it looks something from the C-family.
*****EDIT******
Turns out they last change the site a touch since I visited it. It appears the code is part of the Linux kernel.
Anyway, you see them typing away furiously at a console screen and all sorts of text just popping up.
IT'S ALL WRONG!
Sadly, hacking is really not that glamorous. It's mainly typing one or two commands or even just a button click. That is preceded by actually coding the tool you are using but nobody types that fast, especially not when programming. Just by the by, the text that appears in the link is a program of some sort. Haven't read all the code, so not sure what it does. All I can say is that it looks something from the C-family.
*****EDIT******
Turns out they last change the site a touch since I visited it. It appears the code is part of the Linux kernel.
Sunday, 24 April 2011
Location, Location, Location! What you don't know that they know! (Part 2)
So, some of you may remember this post. Well this is part two of that. I contemplated for about 15mins if I should end the post with the fact that your phone is also capable of tracking your movements but decided against it. Well that would been pretty cool, and mildly prophetic, but hindsight is always 20/20. Well back to the present and how your phone tracks you.
So, recently people discovered, much to their surprise, that the iPhone stores an unencrypted history of where you have been for the past 10 months. I seem to be the only person whom this did not surprise. In fact if the phone did not store any location history would surprise me. I often, mostly jokingly, say to my friends who own Apple products that Steve Jobs owns their souls. After reading this, some of them are starting to think it's true (side-note: this article seems to agree).
It also surfaced that android phones do exactly the same thing. So much for being the free and open platform right? So, I would normally take this time to be smug that I am use a Symbian smartphone, but in all honesty, I would not be surprised if they did the exact same thing. Of course I haven't forgotten all you lovely Blackberry users. RIM may well be doing the exact same thing, but I have not found any solid evidence either way.
So, base assumption: if you have a smartphone, it has a record of where you have been for the past x amount of time. Why is this a) done? and b) a problem? Well in the previous post, I covered most of the answer to b), so lets move on to why it is done. The official answer: "to improve the quality of our location based services." The real answer: "to improve the quality of our location based services." SHOCKER!
Yes, I am aware that this law enforcement agencies are aware of this data and sometimes use this data in the course of enforcing the law. But in all fairness, when the cops are looking for you, the normal rules don't totally apply. So, back to the main point: it really does help them improve the location based services. There is no other way than to actually use your actual location data. If you want a great app that finds the nearest bar, restaurant or even condoms in New York (was very amused when I read that article), your handset manufacturer needs to collect this data.
The upshot: this is something you have to give in order for you to get the services that you want. I for one think it's a fair trade-off. I have no proof that my phone does this, but if it turns out that it does, I'm OK with that. Again, in the digital age, privacy is not quite what it used to be, which is a fact we all have to deal with.
So, recently people discovered, much to their surprise, that the iPhone stores an unencrypted history of where you have been for the past 10 months. I seem to be the only person whom this did not surprise. In fact if the phone did not store any location history would surprise me. I often, mostly jokingly, say to my friends who own Apple products that Steve Jobs owns their souls. After reading this, some of them are starting to think it's true (side-note: this article seems to agree).
It also surfaced that android phones do exactly the same thing. So much for being the free and open platform right? So, I would normally take this time to be smug that I am use a Symbian smartphone, but in all honesty, I would not be surprised if they did the exact same thing. Of course I haven't forgotten all you lovely Blackberry users. RIM may well be doing the exact same thing, but I have not found any solid evidence either way.
So, base assumption: if you have a smartphone, it has a record of where you have been for the past x amount of time. Why is this a) done? and b) a problem? Well in the previous post, I covered most of the answer to b), so lets move on to why it is done. The official answer: "to improve the quality of our location based services." The real answer: "to improve the quality of our location based services." SHOCKER!
Yes, I am aware that this law enforcement agencies are aware of this data and sometimes use this data in the course of enforcing the law. But in all fairness, when the cops are looking for you, the normal rules don't totally apply. So, back to the main point: it really does help them improve the location based services. There is no other way than to actually use your actual location data. If you want a great app that finds the nearest bar, restaurant or even condoms in New York (was very amused when I read that article), your handset manufacturer needs to collect this data.
The upshot: this is something you have to give in order for you to get the services that you want. I for one think it's a fair trade-off. I have no proof that my phone does this, but if it turns out that it does, I'm OK with that. Again, in the digital age, privacy is not quite what it used to be, which is a fact we all have to deal with.
Wednesday, 20 April 2011
Why you are not dead from the robot-induced nuclear apocolypse (or why CAPTHAs still wotk)
If you are reading this then you are not dead. That is generally a good thing. Now, you may ask yourself as to why you should be dead. Well according to the popular Terminator series of movies, 18th of April the day when we all bite the big one. Unless you happen to be John Conner.
The original premise of the movie was that the Artificial Intelligence (AI) known as "Skynet" became self aware and decided that it reaaaaallly hated humans. So, it decided to get rid of them the best way it knew how; it nuked the living daylights out of EVERYTHING (Barring John Conner and the other lucky guys) and then some. And then we have time-travel and fights and craziness spread over 4 movies and a TV series. Why, you may ask, do I care about this. Well, apart from being a massive geek?
There is a mild connection between the Skynet and computer security. What Skynet represents is a sentient AI, which is basically a computer that can think for itself. Now, having personally worked with an AI (for my undergraduate thesis) I now look at all movies/TV shows that have real full AI with a great amount of scepticism. I know I am not an expert by any metric, but it took me close to 2 months to write an AI agent that learns to play blackjack. Nothing fancy at all, just plays a basic strategy. The upshot: it's really really hard.
I know that they have made some massive leaps in the field, such as Watson and Deep Blue, but that's not quite the same. There are supervised AI agents that can just do one thing and had to be fed a ton of data before hand. Watson for example has the whole of Wikipedia stored, which is in my books cheating just a little bit. Although these are very impressive, they are still far away from full self-awareness and sentience.
The only way that could happen is if we had an unsupervised agent, that is, an AI agent who is given only knowledge of the problem and needs to learn how to solve it. For example, you could tell an agent what a maze it and then put it in a maze and tell it to find it's way out. It will (eventually) learn how to do that. Then you give it another maze and it will learn and so on and so forth. And then you have to make it able to learn new tasks. But once you hammer out those little details, then you have the computer that will end the world.
To, the main point: the reason AI is interesting from a computer security point of view is several things, but the main is CAPTCHAs. Now, it's a little bit of an abuse of the term, but for simplicity I use CAPTCHA to mean all the systems and implementations thereof. The general idea is that you are shown a picture of somewhat distorted letters and you have to enter the letters in to prove you are a human.
The reason for this is that computers, such as automated sign-ups and spambots etc were use to make THOUSANDS of false email accounts for the purpose of spreading spam, viruses, boredom, marketing maybe, but generally evil stuff. IF you can prove you are human, then all will be hunky-dory and you can sign up. A computer will almost always fail these tests. AIs can try to learn these things, for example, using neural networks. And some of these algorithms have had some reasonable success. This is exactly why you sometimes get a CAPTCHA that is completely unintelligible, to protect against smart AIs, with the side effect of annoying the humans, ironically, as the machines wanted.
But, if we could for a second just shift back to self-aware AI. Well, the upshot is if the AI were self-aware, it's well beyond breaking CAPTCHA. We would basically have a robot with human cognitive skills, but much more computing power. I leave it to your imagination (mostly sculpted by TV and movies) to do the rest.
SIDENOTE: More real/relevant blog posts to come soon.
The original premise of the movie was that the Artificial Intelligence (AI) known as "Skynet" became self aware and decided that it reaaaaallly hated humans. So, it decided to get rid of them the best way it knew how; it nuked the living daylights out of EVERYTHING (Barring John Conner and the other lucky guys) and then some. And then we have time-travel and fights and craziness spread over 4 movies and a TV series. Why, you may ask, do I care about this. Well, apart from being a massive geek?
There is a mild connection between the Skynet and computer security. What Skynet represents is a sentient AI, which is basically a computer that can think for itself. Now, having personally worked with an AI (for my undergraduate thesis) I now look at all movies/TV shows that have real full AI with a great amount of scepticism. I know I am not an expert by any metric, but it took me close to 2 months to write an AI agent that learns to play blackjack. Nothing fancy at all, just plays a basic strategy. The upshot: it's really really hard.
I know that they have made some massive leaps in the field, such as Watson and Deep Blue, but that's not quite the same. There are supervised AI agents that can just do one thing and had to be fed a ton of data before hand. Watson for example has the whole of Wikipedia stored, which is in my books cheating just a little bit. Although these are very impressive, they are still far away from full self-awareness and sentience.
The only way that could happen is if we had an unsupervised agent, that is, an AI agent who is given only knowledge of the problem and needs to learn how to solve it. For example, you could tell an agent what a maze it and then put it in a maze and tell it to find it's way out. It will (eventually) learn how to do that. Then you give it another maze and it will learn and so on and so forth. And then you have to make it able to learn new tasks. But once you hammer out those little details, then you have the computer that will end the world.
To, the main point: the reason AI is interesting from a computer security point of view is several things, but the main is CAPTCHAs. Now, it's a little bit of an abuse of the term, but for simplicity I use CAPTCHA to mean all the systems and implementations thereof. The general idea is that you are shown a picture of somewhat distorted letters and you have to enter the letters in to prove you are a human.
The reason for this is that computers, such as automated sign-ups and spambots etc were use to make THOUSANDS of false email accounts for the purpose of spreading spam, viruses, boredom, marketing maybe, but generally evil stuff. IF you can prove you are human, then all will be hunky-dory and you can sign up. A computer will almost always fail these tests. AIs can try to learn these things, for example, using neural networks. And some of these algorithms have had some reasonable success. This is exactly why you sometimes get a CAPTCHA that is completely unintelligible, to protect against smart AIs, with the side effect of annoying the humans, ironically, as the machines wanted.
But, if we could for a second just shift back to self-aware AI. Well, the upshot is if the AI were self-aware, it's well beyond breaking CAPTCHA. We would basically have a robot with human cognitive skills, but much more computing power. I leave it to your imagination (mostly sculpted by TV and movies) to do the rest.
SIDENOTE: More real/relevant blog posts to come soon.
Friday, 1 April 2011
More irony
So, after this post went up this story surfaced pretty soon. I never got round to writing about it, because I have just moved from my old flat to a new one. So, I've kinda preoccupied. There really isn't more to say about this than how ironic it is. I may be tempted to do a post on Cross-Site Scripting soon, but we'll see how that goes
Subscribe to:
Posts (Atom)
Subscribe To
Posts
All Comments