Blame it on Amazon?

With Sony’s PlayStation Network offline since April 20 following what is being called the second largest breach in history, there has been plenty of time for rumours, speculation, and red herrings.  The latest is Bloomberg’s report,

“Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from there, said the person, who requested anonymity because the information is confidential. The account has been shut down, the person said.”

While it’s mildly interesting that criminals choose to use Amazon servers, it’s not really surprising.  Amazon Web Services offers great services at good prices, and attracts a wide range of customers – individuals, small business, and large enterprise all leverage their services.  Given the alleged sophistication of the attack, EC2 is simply an obvious choice.

While a shift in attention to Amazon might be good for Sony, we should expect criminals to use EC2 like everyone else.  Criminals also use rental vehicles, disposable mobile phones, and WiFi hotspots.  They probably even purchase their computers the same places we do.

The Sony PlayStation Network data exposure has two causes:

  • Security deficiencies at Sony. While we don’t know what the specific weaknesses were, the fact that information on PlayStation Network customers – including credit card information — was stolen across the Internet would make it pretty difficult for Sony to convince us that they had appropriate security controls in place.
  • The criminals. Let us not forget that Sony was the victim of a crime.

Like the TJX breach before it, the Sony security breach should be a wake-up call.  Consumers often feel safer dealing with larger, more established companies.  But it appears that some of them don’t have security right yet.

We also need to understand that tracking down cyber criminals is becoming increasingly difficult.  Cloud-based services aren’t anonymous – while false identities can be used, criminals still need to connect to the cloud-based service from somewhere.  However, with the widespread proliferation of free WiFi hotspots and disposable mobile phones and data devices, we need to accept the fact that tracing an attack back to the source may not be possible and that more traditional investigation methods – like following the money trail – remain important and techniques must be constantly updated.

I’m sick of HBGary

I’ll admit it.  I spoke about the HBGary hacks during a guest lecture I gave at Carleton University last week. But in all honesty I’m getting sick and tired of hearing about them.  Journalists keep focusing on the wrong issues and people need to understand that many decisions  – even in so-called security companies — are often not made by security professionals.  Just because the company employs “security experts” doesn’t mean they consult them on internal matters.  In my experience the opposite is often the case and the shoemaker’s children proverb applies.

From a technical perspective, the root cause of the initial security breach was poor software design, poor implementation, and inadequate testing.  It’s an industry-wide problem that won’t change until customers demand better software and are willing to pay for it.  Things got worse because the folks at HBGary appear to have ignored basic and well understood best practices with regard to passwords.

However, let’s not ignore the other root cause.  While it doesn’t justify criminal behaviour, let us not forget that HBGary, in an apparent attempt to obtain publicity for themselves, allegedly did the cyber equivalent of visiting the nearest biker hangout to announce, “Just want to let you know we’re going to screw with you in the media tomorrow, but don’t worry, we’re only going to screw with you a bit.” Or, if you prefer a different analogy, they kicked the hornet’s nest without wearing the customary protective equipment.

As security pros dealing with people allegedly responsible for hacking and denial of service attacks on major companies, HBGary must have expected probes of their systems and at minimum a distributed denial of service attack.  They reportedly kicked the hornet’s nest deliberately and intentionally. It leaves me wondering if becoming a victim was part of their publicity strategy. Getting yourself hacked would certainly be a bold publicity stunt for a security company, but it wouldn’t be the stupidest thing I’ve seen either.

Feds seek new ways to bypass encryption

CNET has an interesting article today entitled, Feds seek new ways to bypass encryption.  While Declan included some interesting tidbits in his article, he completely missed a key point essential to the intensifying debate.

Any mechanism that allows the Government easier access allows criminals and foreign Governments easier access as well.  The point of hard drive encryption, to name one example, is that it protects sensitive information if someone steals your computer. Whether that someone is a junkie, stalker, unethical competitor, or law enforcement officer with a warrant is irrelevant from a technical security perspective.

The issue of key escrow for “lawful” access will certainly be raised again and the answer is simple: Given the security breaches that many governments have suffered, they have proven themselves incapable of protecting their own sensitive information.  Why should we trust them with more?

Businesses must ensure that they retain the ability to access encrypted information in the event that the user leaves or forgets their password.  In that instance, the law enforcement solution is to serve a court order on the company.
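As an added example, not code from the original post or from the CNET article, the Go program below shows the kind of in-house key recovery the paragraph above calls for, and why the earlier point about “easier access” holds. Each file is encrypted under a fresh AES-256-GCM data key; that key is then wrapped (RSA-OAEP) to the user’s public key and to a corporate recovery public key that the company holds and can be ordered to use. Any further recipient added to the envelope, a government escrow key for instance, is simply one more private key whose theft or compromise opens every file. The recipient labels, key sizes, OAEP label and sample document are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds a wrapped key to this purpose so the blob cannot be replayed
// as something else. The string is an assumption of this example.
var oaepLabel = []byte("envelope-data-key-v1")

// Envelope is one encrypted file plus one wrapped copy of its data key for
// every party entitled to open it.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM output, tag included
	WrappedKeys map[string][]byte // recipient label -> RSA-OAEP(data key)
}

// Seal encrypts plaintext under a fresh random AES-256 key and wraps that key
// to each recipient public key. Every recipient becomes an access path.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients)),
	}
	for label, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[label] = wrapped
	}
	return env, nil
}

// Open recovers the plaintext with the private key of one named recipient.
// An unknown label or a private key that does not match the wrapped copy fails.
func Open(env *Envelope, label string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[label]
	if !ok {
		return nil, fmt.Errorf("no data key wrapped for %q", label)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap %q: %w", label, err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// AccessPaths counts the distinct private keys that can open the envelope.
// Each one is a key whose theft or compelled disclosure exposes the file.
func AccessPaths(env *Envelope) int {
	return len(env.WrappedKeys)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	user, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	corpRecovery, err := rsa.GenerateKey(rand.Reader, 2048) // the company keeps this one offline
	must(err)
	doc := []byte("Q3 pricing sheet (constructed sample)")
	env, err := Seal(doc, map[string]*rsa.PublicKey{
		"user":          &user.PublicKey,
		"corp-recovery": &corpRecovery.PublicKey,
	})
	must(err)
	// The user has left and taken the password with them: the company's key still opens the file.
	pt, err := Open(env, "corp-recovery", corpRecovery)
	must(err)
	fmt.Printf("recovered via corporate key: %s\n", pt)
	fmt.Printf("private keys that can open this file: %d\n", AccessPaths(env))
}
```

The recovery key is the company’s, so a court order is served on the company rather than on a third party holding a master key; adding a “lawful access” recipient to the map raises AccessPaths by one and, with it, the number of places an attacker can get the data key.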

Personal computers, smart phones, and similar devices are becoming increasingly that — personal. They have become an extension of ourselves.  Law enforcement agencies need to come to terms with this new reality and understand that their access will continue to decline. The cost of gaining access to such devices will continue to increase exponentially until it is impractical for all but the most serious investigations. The tricks Declan outlined in his article will become less effective as criminals quickly learn about them and implement countermeasures.

Back when I studied Criminology I learned that the average IQ of inmates was just slightly lower than the overall community average and that many criminologists believed it was because people with slightly lower than average intelligence were more likely to commit the type of crimes that could land one in jail.  Twenty years of experience suggests another scenario:  We’re much better at catching and convicting criminals with below average IQs.

Organized crime and terrorists have employed countermeasures such as encryption for decades. But what appears to really make some law enforcement types uncomfortable is that you, me, and dumb criminals can now do it too.

TSA a disgrace to the security profession

The great lexicographer Samuel Johnson, on the evening of April 7, 1775, told us, “Patriotism is the last refuge of a scoundrel.” We’ve seen quite a bit of this behaviour since the 9/11 attacks as right-wing politicians try to finesse the lifting of our liberties in the interests of being a “good citizen” and “fighting terrorism.” Perhaps today Johnson would have modernized his words by saying, “The Transportation Security Administration is now the last refuge of the scoundrel,” as they continue to abuse the public in the false name of “security” and prove themselves a disgrace to the security profession.

In case you’ve missed the latest developments in the United States, many passengers over the past few weeks have found themselves in the uncomfortable position of having to choose between two intrusive and dehumanizing alternatives: submitting to a virtual strip search courtesy of a “body scanning” machine, or being subjected to an “enhanced pat-down” of their entire body including breasts and genitals.

As a security professional one thing that makes my blood boil is when “security” is used as an excuse. I cringe when I hear the phrase, “for your comfort and security…” which is usually followed by words that have little – if anything – to do with comfort or security. But in more than fifteen years as a security professional I have seldom witnessed anything as disgraceful as TSA officials using “security” as an excuse to abuse passengers.

Preventing the introduction of weapons, explosives, and other dangerous items onto passenger aircraft has been a security concern since the first recorded aircraft hijacking in 1931. In 2001 the game changed when multiple aircraft were hijacked and flown into ground targets as improvised missiles. Additional threats, including the introduction of small amounts of explosives onto passenger aircraft, have further complicated the threat landscape.

There is no doubt that the nature of the threat against passenger aircraft has changed dramatically in the past decade. The era of hijackings in which crew and passengers passively cooperated with hijackers – and were usually released – has been replaced with a set of new scenarios in which immediate action by passengers and crew against anyone threatening the aircraft appears justifiable and the best chance for survival.

There is also no doubt that all aspects of aviation security, including passenger screening, need to be regularly reviewed and appropriate changes made to manage risks. However, there is a world of difference between imposing realistic security controls and using the threat of terrorism as an excuse to impose draconian, unnecessarily invasive, and abusive processes in the name of “security”.

It is true that there is a terrorist threat against aircraft, and passengers are one of many vectors that could facilitate the threat. But in passenger screening, as in most areas of security, the law of diminishing returns applies. X-ray machines for carry-on luggage, explosive residue detection equipment, metal detectors, and skilled security professionals are capable of detecting the vast majority of weapons and explosives. Perfection is simply not possible. Adding strip-search machines and intrusive “pat downs” adds little – if any – additional security, and the marginal gain is grossly outweighed by the negative impact of the security measure on the very people it is designed to protect. It is a dramatic example of an exceptionally poor security management decision.

Let’s also not forget that the threat of terrorism is not limited to aircraft. Around the globe buses, trains, schools, public buildings, restaurants, bars, hotels, and marketplaces have all been targeted by terrorists and other criminals. As security professionals we have an obligation to set aside knee-jerk, “increased security at all cost” reactions and seek out security controls that are both effective and acceptable to the population they impact. Nobody would consent to body scans or intrusive personal searches to get into a taxi, bus, shopping plaza or nightclub. So why should we tolerate it at an airport?

I’m sure the TSA will argue that their employees are not committing sexual assault (or whatever the crime is called in the airport’s jurisdiction) because they have “consent”. But do they really? What choice does a person whose job requires them to travel have? Much of the United States has “at will” employment – employers need no reason to dismiss an employee. Let the TSA view their naked image, let the TSA grope them, or risk losing their job. Not much of a choice. Parents also have a difficult choice to make.  Do they subject their children to TSA “searches” that would land anyone else in jail, or do they cancel the trip to Disney this winter?

The TSA’s new ‘scope or grope’ policy does not meaningfully improve security. No technology can compensate for poorly paid, poorly trained, and increasingly disenchanted front-line security staff. The fact that the TSA even considered this ineffective and unethical nonsense highlights the fecklessness of TSA leadership and the spineless politicians that support them.

Law abiding citizens and airport security staff should see each other as partners in security – both cooperating to ensure the security of their flights.  But that won’t work until the TSA stops abusing those it is supposed to protect. It’s time for TSA chief John Pistole to pack his bags and for the American Government to put a real security professional in charge.

Buy online with confidence

I’ve made a lot of online purchases, often to take advantage of better selection and prices.   For example, I recently ordered a larger drive for my desktop PC.  Newegg and Tiger Direct both had a good product for a good price, and shipping was reasonable considering the cost of gas and my time to go to the store.

I’ve only had two bad online experiences, and I got my money back both times.  Yet I continue to hear horror stories from others.  So I thought I’d share my approach.

First and foremost, there is nothing magic about shopping online.  The major difference when you walk into a shop is that you have a good idea where the seller is located. However, disreputable bricks-and-mortar stores (along with phone and mail order outfits) ripped off consumers for years before the Internet was invented.

So how can we shop online with confidence?

1) Consider ordering from businesses you know.  Saving a few dollars on an unknown vendor may not be worth it.

2) If you’re looking for something and don’t know where to find it, consider using eBay or Amazon. Carefully check feedback on the vendor before buying.

3) Always pay by credit card.  From time to time you may run across vendors who request payment by other means.  They might want you to wire money using Western Union or a similar service.  The problem is that once you’ve sent your money, there is little you can do about it.  Real online merchants accept credit cards or use a service like PayPal that accepts credit cards on their behalf. Period.

4) Understand any rules that apply to disputes.  For example, if you make a purchase on eBay and pay using PayPal you must open a dispute within 45 days.  Be wary of anyone who may be trying to string you along with a series of excuses, delays and apologies.

5) Next to how they treat other customers, the best predictor of how a business will treat you after getting your money is how they treat you before. When shopping online we often have our choice of products and resellers.  When I’m trying to decide, I’ll often email a few vendors to ask their advice or for product information.  The timeliness and quality of their response speaks volumes about them.

Have other words of wisdom to share?  Please comment!
