Thursday, November 11, 2010

Can I Steal A Vowel? Never Mind...I Don't Need To.

The human mind is capable of some amazing feats. The conceptual capabilities of a young child, for example, astound me. I am a fairly good chess player, and recently my 6-year-old son decided he wanted to learn chess (having seen "Wizard Chess" played in a Harry Potter movie), and I decided to indulge him.

Being a firm believer that children are far more capable than some tend to give them credit for, I play him just as hard as I would play anyone, which meant the first few games resulted in quick checkmates. It did not take long for him to figure out how to think ahead and use inference as a strategic method, and he has since managed to achieve stalemate. Games now frequently last for an hour or more. Not bad for a 6-year-old. Pappa is so proud!

What amazes me is watching him "think".  I swear I can almost feel his brain thinking, and I swear I can sense his "brain muscles" getting stronger.  I also believe that ANYONE can build those "brain muscles" if the drive exists to do so.

Let's consider an interesting story I read this morning. It was an article on esquire.com about a Wheel of Fortune contestant who solved the puzzle with 1 letter (and a freebie apostrophe). I read the story and realized that she was using a highly tuned level of inference in order to arrive at her conclusion. It reminded me of a conversation I recently had with Dr. Fred Cohen (we occasionally meet at the local Peet's for coffee and conversation). He stated that he believes that inference is impossible to prevent, and I have to say that I tend to agree with him.

A hacker (researcher, penetration tester, whatever term you like) is presented with overwhelming amounts of information surrounding a system all the time.  In fact, the challenge is not where to find the information, but how to filter out what does not matter.  With a little mental exercise, this can be accomplished very quickly...mainly because most organizations charged with protecting information are inherently lazy, and fail to understand the power of aggregation and inference.  I have discovered countless pieces of company "confidential" information from piecing together bits of information available in various "sanitized" versions of documents.  Bear in mind, I am not a "hacker" (at least not in the modern sense of the word), but I get how hackers think...at least to some degree.

I think about this a lot when I consider Smart Grid technologies, as well as health care information technologies. As these technologies grow we are going to see new sources of information emerge, and in our inherent, somewhat lackadaisical manner of dealing with security at the decision-making helm of our corporate culture, we will create plenty of early opportunities for aggregation and inference.

Things are going to get interesting....

Monday, November 8, 2010

Smart Grid Hackenomics

I recently attended (and presented at) the Department of Homeland Security Industrial Control Systems Joint Working Group (DHS ICSJWG) meeting in Seattle, Washington. It was an interesting event, and STUXNET seemed to be the hot topic everyone was discussing. Most of the sessions were quite good, and many were informative.

When I attend these types of events, I often find the side conversations I have with attendees more interesting than the conference itself. I had the opportunity to chat with people who work at DHS, FBI, NRC...and just about any other three-letter agency seeking to get a handle on cyber security issues. It does my heart good to know that our government is indeed serious about cyber security, and truly seeking knowledge.

The most interesting discussion I had, however, was on the last day. It was during a lunch break with one of the attendees, and we started a discussion on the economics of attacking the Smart Grid. Essentially, we agreed that "hobbyist" attackers and "nation-state" attacks are perhaps not the types of threats that should (or do) cause great levels of concern at the C-levels of stakeholder companies. At the highest decision-making level of any organization directly affected by security threats, the only issue that consistently keeps them awake at night is money...or rather the loss of money. In fact, when we talk about security, we must constantly understand that an enterprise's chief (and arguably exclusive) security concern is in securing their ability to keep making money (and not lose money).

In other words, if security does not lead to more $$$, expect some rolling eyes. Likewise, if a lack of security leads to a loss of $$$, expect some wide eyes. This is the beginning of my Theory of Hackenomics.

In our discussion, we used the financial industry as an example of an economic model that makes a lot of sense to organized criminal enterprises. In the former Soviet Union, there are criminal enterprise organizations that provide tools and support services (for a fee) to criminals who want to make a career out of exploiting security holes in the financial industry. This is a very popular target for criminals because it is both large in size, and the direct result of a successful attack is immediate access to cash. So as part of my theory I want to state the following: The quicker an attack leads to cash for the attacker, the greater the likelihood that the attack moves from theory to reality.

This is, however, only part of the theory. The other part has to do with volume. For organized crime to get involved, the volume needs to be big enough to take the risk. Remember, organized crime is just as concerned with risk as corporations are (some will argue that corporations are the "new" organized crime anyhow). Therefore a quick path to cash that does not include a large enough volume is not necessarily a win for organized crime.

Another important issue to consider is keeping the attack as "clean" as possible, in order to make collecting and retaining the cash as easy as possible. A good example of this is how financial firms created Credit Default Swaps as a way to hedge high risk investments. This instrument allowed the potential for a large return on the chance that those who took out those crazy loans on overpriced homes (and such) would default. Well, as it turns out, those who purchased Credit Default Swaps seem to have done quite well. It was essentially a low risk method of shorting the entire financial system, and it is perfectly legal under today's laws.

So now this brings me to what became an interesting part of the lunch discussion. I postulated that if a large stakeholder in the Smart Grid ecosystem (in other words, a large publicly traded utility or AMI product vendor) was vulnerable to a major Smart Grid related attack, and an attacker held onto a 0-Day vulnerability, he could potentially sell the 0-Day vulnerability for a lot of money to a large criminal enterprise, who could then short the stock of the utility or product vendor, and then publicly announce the vulnerability. Granted, this would require some coordinated effort, but if done correctly, one could make a killing when the stock plummeted on the bad news. The news alone would probably drop the price enough to make a lot of money with a high enough volume. The news immediately followed by an actual attack would probably lead to a very big win for the criminal enterprise.

As we continued to have lunch, we discussed a few more ideas, and I thought of a few more over the last several weeks (I am not going to go into them here), and I came to the conclusion that Smart Grid Hackenomics may indeed be an interesting discipline for criminal organizations to investigate...and they probably already are.

Hopefully, the C-Level people at stakeholder organizations have thought of this as well.

Sunday, November 7, 2010

Mobile Application Insecurity

Being someone who develops secure mobile applications, I am consistently dumbfounded at large enterprises (who should know better) that fail to secure their mobile applications. A recent article in The Wall Street Journal highlighted some findings by viaForensics which pointed out several banking applications for mobile devices that store passwords unencrypted on devices.

The banking industry is no stranger to security concerns. They are indeed one of the largest purchasers of security products and services globally. The rush to bring mobile applications to the marketplace by enterprises has not overlooked financial firms, however, and they are simply not applying basic principles of secure application development - such as building security in from the very beginning, and testing the security before deploying the applications. I am absolutely floored by the number of financial applications available on the iPhone (for example) that do not require something as simple as a PIN to enter the application after storing the password (let alone encrypting the password).

It is carelessness at best, and completely irresponsible at worst. Banks, Large Enterprises, and Health Care organizations should make maximizing security a priority with any and every application that deals with ANY potentially sensitive information...and they consistently fail to do so often enough to convince me that there will be a lot more breaches before things get better.

What I also find remarkable is how a company like Apple, which scrutinizes application submissions and regularly rejects applications that use foul language, show nudity, or (God forbid) replicate Apple functionality, does not bother to reject applications submitted by banking and health care organizations (the latter being something I am personally well aware of) that fail to encrypt information. Is this their responsibility?

Yes it is!

Security is everyone's responsibility, and until we understand that, we will continue down the same path with every new technology, platform, and latest and greatest thing that comes down the pike.

You can bank on that.