Monday, March 19, 2012

Why Antisec matters

A couple of weeks ago the FBI announced the arrest of five members of the hacking group LulzSec. We now know that these arrests were facilitated by 'Anonymous' leader* "Sabu", who, according to court documents, was arrested and 'turned' in June of 2011. He spent the next few months working with the FBI to collect evidence against other members of the group.

This revelation is pretty shocking, if only because Anonymous and Lulz were so productive while under FBI leadership. Their most notable accomplishment during this period was the compromise of the intelligence analysis firm Stratfor -- culminating in that firm's (rather embarrassing) email getting strewn across the Internet.

This caps off a fascinating couple of years for our field, and gives us a nice opportunity to take stock. I'm neither a hacker nor a policeman, so I'm not going to spend much time on the why or the how. Instead, the question that interests me is: what impact have Lulz and Anonymous had on security as an industry?

Computer security as a bad joke

To understand where I'm coming from, it helps to give a little personal background. When I first told my mentor that I was planning to go back to grad school for security, he was aghast. This was a terrible idea, he told me. The reality, in his opinion, was that security was nothing like Cryptonomicon. It wasn't a developed field. We were years away from serious, meaningful attacks, let alone real technologies that could deal with them.

This seemed totally wrong to me. After all, wasn't the security industry doing a bazillion dollars of sales every year? Of course people took it seriously. So I politely disregarded his advice and marched off to grad school -- full of piss and vinegar and idealism. All of which lasted until approximately one hour after I arrived on the floor of the RSA trade show. Here I learned that (a) my mentor was a lot smarter than I realized, and (b) idealism doesn't get you far in this industry.

Do you remember the first time you met a famous person, and found out they were nothing like the character you admired? That was RSA for me. Here I learned that all of the things I was studying in grad school, our industry was studying too. And from that knowledge they were producing a concoction that was almost, but not quite, entirely unlike security.

Don't get me wrong, it was a rollicking good time. Vast sums of money changed hands. Boxes were purchased, installed, even occasionally used. Mostly these devices were full of hot air and failed promises, but nobody really cared, because after all: security was kind of a joke anyway. Unless you were a top financial services company or (maybe) the DoD, you only really spent money on it because someone was forcing you to (usually for compliance reasons). And when management is making you spend money, buying glossy products is a very effective way to convince them that you're doing a good job.

Ok, ok, you think I'm exaggerating. Fair enough. So let me prove it to you. Allow me to illustrate my point with a single, successful product, one which I encountered early on in my career. The product that comes to mind is the Whale Communications "e-Gap", which addressed a pressing issue in systems security, namely: the need to put an "air gap" between your sensitive computers and the dangerous Internet.

Now, this used to be done (inexpensively) by simply removing the network cable. Whale's contribution was to point out a major flaw in the old approach: once you 'gap' a computer, it no longer has access to the Internet!

Hence the e-Gap, which consisted of a memory unit and several electronic switches. These switches were configured such that the memory could be connected only to the Internet or to your LAN, but never to both at the same time (seriously, it gives me shivers). When data arrived at one network port, the device would load up with application data, then flip 'safely' to the other network to disgorge its payload. Isolation achieved! Air. Gap.

(A few pedants -- damn them -- will try to tell you that the e-Gap is a very expensive version of an Ethernet cable. Whale had a ready answer to this, full of convincing hokum about TCP headers and bad network stacks. But really, this was all beside the point: it created a freaking air gap around your network! This apparently convinced Microsoft, who later acquired Whale for five times the GDP of Ecuador.)

Now I don't mean to sound too harsh. Not all security was a joke. There were plenty of solid companies doing good work, and many, many dedicated security pros who kept it from all falling apart.

But there are only so many people who actually know about security, and as human beings these people are hard to market. To soak up all that cybersecurity dough you needed a product, and to sell that product you needed marketing and sales. And with nobody actually testing vendors' claims, we eventually wound up with the same situation you get in any computing market: people buying garbage because the booth babes were pretty.**

Lulz, Anonymous and Antisec

I don't remember when I first heard the term 'Antisec', but I do remember what went through my mind at the time: either this is a practical joke, or we'd better harden our servers.

Originally Antisec referred to the 'Antisec manifesto', a document that basically declared war on the computer security industry. The term was too good to be so limited, so LulzSec/Anonymous quickly snarfed it up to refer to their hacking operation (or maybe just part of it, who knows). Wherever the term came from, it basically had one meaning: let's go f*** stuff up on the Internet.

Since (per my explanation above) network security was pretty much a joke at this point, this didn't look like too much of a stretch.

And so a few isolated griefing incidents gradually evolved into serious hacking. It's hard to say where it really got rolling, but to my eyes the first serious casualty of the era was HBGary Federal, who -- to be completely honest -- were kind of asking for it. (Ok, I don't mean that. Nobody deserves to be hacked, but certainly if you're shopping around a plan to 'target' journalists and civilians you'd better have some damned good security.)

In case you're not familiar with the rest of the story, you can get a taste of it here and here. In most cases Lulz/Anonymous simply DDoSed or defaced websites, but in other cases they went after email, user accounts, passwords, credit cards, the whole enchilada. Most of these 'operations' left such a mess that it's hard to say for sure which actually belonged to Anonymous, which were criminal hacks, and which (the most common case) were a little of each.

The bad
   
So with the background out of the way, let's get down to the real question of this post. What has all of this hacking meant for the security industry?

Well, obviously, one big problem is that it's making us (security folks) look like a bunch of morons. I mean, we've spent the last N years developing secure products and trying to convince people if they just followed our advice they'd be safe. Yet when it comes down to it, a bunch of guys on the Internet are walking right through it.

This is because for the most part, networks are built on software, and software is crap. You can't fix software problems by buying boxes, any more than, say, buying cookies will fix your health and diet issues. The real challenge for industry is getting security into the software development process itself -- or, even better, acknowledging that we never will, and finding a better way to do things. But this is expensive, painful, and boring. More to the point, it means you can't outsource your software development to the lowest bidder anymore.

Security folks mostly don't even try to address this. It's just too hard. When I ask my software security friends why their field is so terrible (usually because they're giving me crap about crypto), they basically look at me like I'm from Mars. The classic answer comes from my friend Charlie Miller, who has a pretty firm view of what is, and isn't, his responsibility:
I'm not a software developer, I just break software! If they did it right, I'd be out of a job.
So this is a problem. But beyond bad software, there's just a lot of rampant unseriousness in the security industry. The best (recent) example comes from RSA, who apparently forgot that their SecurID product was actually important, and decided to make the master secret database reachable from a single compromised Windows workstation. The result of this ineptitude was a series of no-joking-around breaches of US defense contractors.

While this has nothing to do with Anonymous, it goes some of the way to explaining why they've had such an easy time these past two years.

The good
  
Fortunately there's something of a silver lining to this dark cloud. And that is, for once, people finally seem to be taking security seriously. Sort of. Not enough of them, and maybe not in the ways that matter (i.e., building better consumer products). But at least institutionally there seems to be a push away from the absolutely stupid.

There's also been (to my eyes) a renewed interest in data-at-rest encryption, a business that's never really taken off despite its obvious advantages. This doesn't mean that people are buying good encryption products (encrypted hard drives come to mind), but at least there's movement.

To some extent this is because there's finally something to be scared of. Executives can massage data theft incidents, and payment processors can treat breaches as a cost of doing business, but there's one thing that no manager will ever stop worrying about. And that is: having their confidential email uploaded to a convenient, searchable web platform for the whole world to see.

The ugly 

The last point is that Antisec has finally drawn some real attention to the elephant in the room, namely, the fact that corporations are very bad at preventing targeted breaches. And that's important because targeted breaches are happening all the time. Corporations mostly don't know it, or worse, prefer not to admit it.

The 'service' that Antisec has provided to the world is simply their willingness to brag. This gives us a few high-profile incidents that aren't in stealth mode. Take them seriously, since my guess is that for every one of these, there are ten other incidents that we never hear about.***

In Summary

Let me be utterly clear about one thing: none of what I've written above should be taken as an endorsement of Lulz, Anonymous, or the illegal defacement of websites. Among many other activities, Anonymous is accused of griefing the public forums of the Epilepsy Foundation of America in an attempt to cause seizures among its readers. Stay classy, guys.

What I am trying to point out is that something changed a couple of years ago when these groups started operating. It's made a difference. And it will continue to make a difference, provided that firms don't become complacent again.

So in retrospect, was my mentor right about the field of information security? I'd say the jury's still out. Things are moving fast, and they're certainly interesting enough. I guess we'll just have to wait and see where it all goes. In the meantime I can content myself with the fact that I didn't take his alternative advice -- to go study Machine Learning. After all, what in the world was I ever going to do with that?

Notes:

* Yes, there are no leaders. Blah blah blah.

** I apologize here for being totally rude and politically incorrect. I wish it wasn't true.

*** Of course this is entirely speculation. Caveat Emptor.

10 comments:

  1. A nice summing up of the truth. Sadly.

  2. THIS! This is what I keep complaining about. If 25% of the security industry worked on building/fixing code, systems, and software instead of selling the latest greatest shiny, I'd be happy. As it stands it's a lot of manchildren saying "ha ha i broke your shit aren't I clever?"

  3. Machine Learning would have been a great class. What with all the sudden emphasis on big data.

  4. When I read your account of e-Gap, my jaw hit the floor - I mean it - the bottom of my chin actually picked up dirt my dust-buster missed. You're kidding, right? Please tell me you were kidding?!

    Replies
    1. http://www.sans.org/reading_room/whitepapers/firewalls/disconnect-internet-whales-e-gap-in-depth_802

  5. This was a very interesting read, and I would definitely agree with your thoughts. This can be compared to any product companies offer - they don't get any better unless a competitor is pushing them to do so; if they don't keep up, they lose customers. In the security world, people are working harder to keep secure since others are working harder to break things.

  6. "More to the point, it means you can't outsource your software development to the lowest bidder anymore."

    The shift of all software development employment to companies that are willing to send the jobs overseas, or eliminate them altogether just to give the CEOs a bigger bonus, has resulted in a workforce that really has no vested interest in doing their best. As long as it works, ship it. And QA has always been something tacked on at the end of the process at most places, and has been seen as the group that "delays the release". If these things ever change, you will see a huge improvement in quality, especially if Quality Assurance is combined with Security Assurance.

  7. The job of security in any field I think is to answer the question, "What would you yourself trust, within an operating framework/installment?" It assumes the question that there are so many other things more important than yourself. Will security ever truly be about securing the individual? If that is where we are at, we can expect it to be a good field to get into. However, if not everyone needs the Internet as much as we think, well, perhaps it is not a great field. However, as stated above, all major corporations seem to need the Internet, so the industry is nearly an iPhone/Cloud mirror image. A few courses in current marketing economics might hold the answer?

    I certainly would not jump into this with a for-profit motivation though, but wait a sec, you're in academics at JH, that cannot be bad (and from my leaf readings you're in good company). I actually have other reasons for being in the field, and I think having an inter-disciplinary approach is a good test for any career goal, unless of course you're looking to study gambling etc. (caveat online gambling). In any regard, now that you've made a choice just follow it through for what it is worth to you. See if you have a passion for it. I think it is possible to see the good in pretty much anything, and if that doesn't work for you... well, your life is just starting. But hmmm, I see lots of papers here, something tells me you are in this for a reason... or you've got to be the final test of will in the matter (caveat: a final test of will only need get as bad as you permit it to be).

    Just so my minimalist viewpoint is not haxor'd, I would caveat this with the fact I entered into academic security pretty much because it was one of my only choices to choose from. My career choices had ebbed sharply, and I needed to take a breather and remember why I even had the drone job I did. At the time it actually fit like a glove on so many levels into my eroding life. When I was done studying (having no further academic encouragement from the faculty), I analyzed the market gap and realized it was not a sure win for me to personally 'stay in the market'. Besides, all I really wanted to do was code. This recent/strange twist of fate brings me back into the field, and I actually invite friends to help me find reasons I should not be here. It's the best test for my own overt commitment. My whole life has been about peace, so I have no understanding how security fits into the mix, except via karmic lessons. If you can find life amidst death maybe you can survive this field. It's the question I am still answering.

  8. Someone had to say it. Thank you.
    The good news is there are some bright spots that illustrate what we can do when we try hard enough - djbdns and seL4 come to mind.
    The bad news is that it seems that as a whole the software development world is moving in the wrong direction even while several large players try to move slowly in the right direction (for example, the quality of msft code has improved drastically since 2000, and google on the whole has some well done code, but line-for-line there's probably more bad code out there doing important work now than there was 10 years ago).
    And to make matters worse, it seems that this country has chosen as a strategy to play offense rather than defense. We stand to lose the most in an offense game since we're most dependent on our software, yet we're encouraging security players to hoard and weaponize vulnerabilities rather than fix them. This is going to be a very large long-term loss.

  9. All this stuff was going on for decades before the Anonymous/Lulzsec fools came along and publicized it. Everyone on both sides of the fence was in on the joke.

    Nothing has really changed.
