Monday, March 4, 2013

UPDATE: Next Gen Credentials

UPDATE: Recently, I posted some musings on fixing the issue of too many passwords, security and next gen credentials.

It turns out that there is another approach I was unaware of: behavioral biometrics. Here's the idea. The system confirms that the user is who they say they are by the way that they type (how long each key is held down and the gaps between keystrokes), not by their password. The concept of using behavioral biometrics for authentication is nothing new, but prior approaches use the typing style as a secondary credential in multi-factor authentication schemes. That is, a user would both need to know a password AND type it properly.

Obviously, the two-factor scheme would be more secure, but it would not solve the remembering-passwords issue. The biometric-only scheme would solve that issue, but would it be more secure than password authentication?

Aside from the problem of false positives (granting access to an unauthorized user), the more likely issue would be false negatives (locking out the legitimate user). It isn't clear to me that everyone types in a way that could be consistently recognized all the time. Perhaps for trained stenographers, but what about non-touch typists? I don't touch type. Rather, I hunt and peck rapidly and inconsistently. How would a system recognize my style? Perhaps the algorithms are sufficiently robust. Perhaps these systems will only be adopted in situations (such as the NSA) where security is prized above ease-of-use.

It makes me wonder, though, how robust these approaches are. Could an attacker watch someone type and mimic their style? Probably, but an attacker who could do that could more easily discover the password by watching.
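To make the mechanism and the false-positive/false-negative trade-off concrete, here is an added example of a minimal keystroke-dynamics verifier. It is illustrative code written for this post, not taken from any product: the feature layout (two dwell times, two flight times per phrase), the timing values, the scaled-Manhattan scoring and the thresholds are all assumptions. The constructed probes include one "bad day" for the real user and one impostor who types almost like the target, which is exactly where the threshold choice bites.

```python
"""Keystroke-dynamics verifier: enroll a typing template, then verify probes.

Illustrative example, not from any vendor. Each typed phrase is reduced to a
feature vector of dwell times (how long a key is held) and flight times (gap
between releasing one key and pressing the next), in milliseconds.
"""
from statistics import mean

# Constructed enrollment data for one user: four attempts at a short phrase,
# each reduced to 4 features (2 dwell times, 2 flight times). Assumed values.
ENROLL_SAMPLES = [
    [90, 100, 150, 160],
    [100, 110, 160, 170],
    [110, 90, 140, 150],
    [100, 100, 150, 160],
]


def enroll(samples, min_dev=1.0):
    """Build a template: per-feature mean and mean absolute deviation (MAD).

    MAD is floored at min_dev so a feature that never varied during enrollment
    cannot make every later deviation look infinitely suspicious.
    """
    n = len(samples[0])
    means = [mean(s[i] for s in samples) for i in range(n)]
    devs = [max(min_dev, mean(abs(s[i] - means[i]) for s in samples)) for i in range(n)]
    return {"mean": means, "dev": devs}


def score(template, probe):
    """Scaled Manhattan distance: average of |x - mean| / dev over features.

    0 means the probe sits exactly on the template; larger is less similar.
    """
    return mean(abs(x - m) / d for x, m, d in zip(probe, template["mean"], template["dev"]))


def verify(template, probe, threshold):
    """Accept the probe if its distance is at or below the threshold."""
    return score(template, probe) <= threshold


def error_rates(template, genuine, impostors, threshold):
    """Return (FAR, FRR) at a threshold.

    FAR: fraction of impostor probes accepted (the post's false positives).
    FRR: fraction of genuine probes rejected (the post's false negatives).
    """
    far = sum(verify(template, p, threshold) for p in impostors) / len(impostors)
    frr = sum(not verify(template, p, threshold) for p in genuine) / len(genuine)
    return far, frr


# Constructed probes: the same user on normal days and on one bad day, plus
# three impostors, one of whom (the second) types almost like the target.
GENUINE_PROBES = [
    [105, 95, 155, 165],
    [100, 100, 150, 160],
    [120, 100, 150, 160],
    [130, 130, 180, 190],   # tired, slow day: distance 6.0 from the template
]
IMPOSTOR_PROBES = [
    [200, 180, 400, 350],   # hunt-and-peck impostor: distance 31.0
    [110, 110, 160, 170],   # careful mimic: distance 2.0
    [120, 120, 170, 180],   # rough mimic: distance 4.0
]

if __name__ == "__main__":
    template = enroll(ENROLL_SAMPLES)
    for th in (1.5, 2.0, 6.0):
        far, frr = error_rates(template, GENUINE_PROBES, IMPOSTOR_PROBES, th)
        print(f"threshold={th}: FAR={far:.2f} FRR={frr:.2f}")
```

Running the main block shows the trade-off directly: at a threshold of 1.5 no impostor gets in but the real user is rejected one time in four; raising it to 6.0 lets the bad day through but also admits two of the three impostors. A deployment picks the threshold from measured FAR/FRR curves, which is why a biometric-only scheme tends to be tuned for low FAR only where lockouts are acceptable.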

Identification by behavioral biometrics was pioneered by authorities in Big Brother Britain (which has installed around 4 million cameras to spy on its citizens). British authorities use gait recognition, a computer vision technique whereby software identifies people by their walking style.

Ironic that security firms are using these techniques to secure people's personal information whereas Britain is using them to invade privacy.

Friday, March 1, 2013

A Brief Primer: Hackers and Hacking

Hacking is a serious problem that should be taken more seriously. This primer should help the technological beginner understand many of the issues.

Note that there are two definitions of hacking:

  1. Informal engineering
  2. Software-based attacks on computing resources, usually carried out over a network

This article concerns definition #2.

Script Kiddies at Play

Much hacking has been the domain of so-called script kiddies. These mischief makers often have minimal technical skills. Instead, they use freely available tools to break into poorly administered websites. They are not terribly organized, malicious, or dangerous.

Hacking Inspired by the Godfather

Criminal organizations hack for profit. Often they steal financial data, send spam, or commit click fraud (automatically clicking ads in order to earn ad revenue). They use malware such as viruses, worms, and trojans to hijack consumer PCs. Once they gain control of a PC, these groups link the machine up to a botnet, a group of hijacked machines that are coordinated from a central command-and-control point. These botnets usually consist of more easily hijacked Windows machines, but are often led by higher-powered hijacked Linux machines.

Another technique criminals use is phishing: deliberately misleading someone into giving away their user name and password. Usually, this is done by presenting the user with an email or web page that appears to be from a reputable online bank, retailer, or service provider. When the user enters their password, the criminal stores it and exploits the account later. This technique can lead to fraudulent credit card charges, bank transfers, and even identity theft. Sometimes the thieves use social engineering or active impersonation to deceive users (over the phone or in person). Estimates of the cost of these cyber-crimes range from the low billions to $1 trillion. The true cost is probably somewhere in between.
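The "appears to be from a reputable bank" trick usually lives in the link itself: the brand name is placed somewhere the eye reads it while the browser actually goes elsewhere. As an added example (written for this post, not code from any mail filter), here is a small triage routine that classifies a link against a list of brands the user really deals with. The domain list, the confusable-character table and the sample URLs are constructed for illustration; a real filter would use a full public-suffix list and a complete Unicode confusables table.

```python
"""Classify links the way a phishing filter would: is the brand in the link
served from the brand's real domain, or just planted somewhere a user reads?

Added illustrative example. LEGIT_DOMAINS and CONFUSABLES are assumed, partial
tables standing in for the real lists a production filter would carry.
"""
from urllib.parse import urlsplit

# Assumed: the registered domains of brands this user actually deals with.
LEGIT_DOMAINS = {"examplebank.com", "shopco.example"}

# Assumed, partial: characters phishers swap in for lookalike effect
# (digits for letters, Cyrillic a/e/o for Latin a/e/o).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
})


def registered_domain(host):
    """Last two labels of a hostname; enough for .com-style TLDs in this demo."""
    return ".".join(host.lower().split(".")[-2:])


def normalize(text):
    """Fold case, confusable characters and separators so 'Examp1e-Bank'
    compares equal to 'examplebank'."""
    return text.lower().translate(CONFUSABLES).replace("-", "").replace("_", "")


def classify(url):
    """Return (verdict, impersonated_domain).

    verdict is one of: 'legitimate', 'userinfo-trick', 'lookalike',
    'brand-in-path', 'unknown'.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # the place the browser really connects
    if registered_domain(host) in LEGIT_DOMAINS:
        return "legitimate", None
    # http://examplebank.com@198.51.100.7/ : everything before '@' is userinfo
    # and is ignored by the browser, but it is what the victim reads.
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else ""
    for legit in sorted(LEGIT_DOMAINS):
        brand = legit.split(".")[0]
        if brand in normalize(userinfo):
            return "userinfo-trick", legit
        if any(brand in normalize(label) for label in host.split(".")):
            return "lookalike", legit    # examplebank.com.evil.example, examp1ebank.com
        if brand in normalize(parts.path):
            return "brand-in-path", legit
    return "unknown", None


# Constructed sample links of the kinds seen in phishing mail.
SAMPLE_LINKS = [
    "https://www.examplebank.com/login",
    "http://examplebank.com@198.51.100.7/login",
    "https://examplebank.com.secure-login.example/",
    "https://examp1ebank.com/verify",
    "https://ex\u0430mplebank.com/",              # Cyrillic 'a'
    "https://files.example/examplebank/login.html",
    "https://news.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link)[0]:14s} {link}")
```

The key design point is that only `parts.hostname` decides "legitimate"; the brand string is then searched in the places a phisher can control freely (userinfo, subdomain labels, path), after folding the characters they substitute. Anything that matches a brand there without being served from the brand's domain is worth blocking or warning on.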

Hacking Inspired by MLK, Gandhi, and Mandela

Hacktivists constitute another category of hackers. These collectives view hacking as a form of non-violent social or political protest. Anonymous is by far the best organized, most famous, and most capable such collective. One of the most common techniques used by Anonymous and other hacktivist organizations is the distributed denial of service (DDoS) attack. This form of attack sends so many requests to a server, from many machines at once, that the server cannot handle legitimate requests. Many hacktivists have argued that DDoS attacks are legal. Another common hacktivist strategy is to steal data or hijack a website in order to humiliate its target. One of the most dramatic hacktivist actions occurred on live television: Anonymous announced that it had hacked the infamous Westboro Baptist Church while the organization's representative debated live on air.

Hacking as Patriotism

Recently, there have been many controversial reports regarding state-sponsored hacking. Although not 100% confirmed (approximately 99.99% confirmed), these hacking incidents are particularly scary for two reasons:

  1. Nation states have an order of magnitude more hacking resources than criminal groups or hacktivists
  2. Nation states may attack an enemy's critical infrastructure

More on state sponsored hacking upcoming.

Chinese State Sponsored Cyber Attacks and Our Response

First, if you are unfamiliar with the basics of hacking, check out my previous post. Stay tuned for more specific info on how to secure your business.

Executive Summary

The Chinese State has been hacking U.S. and multinational companies, stealing valuable intellectual property. Businesses must take software security seriously, investing more resources in locking down computers and networks. The U.S. government should strike back at this Chinese aggression, disabling Chinese Internet censorship, and shedding light on Chinese government atrocities.


Chinese Cyber Attacks

Mandiant Corporation recently released a report on coordinated cyber attacks by the Chinese on large U.S. businesses and other organizations. The report raised lots of alarm bells and rightfully so. So what should we do about these attacks? We should respond in the name of liberty.

Sitting on our hands is not an option.

The detailed, well-written report focuses on APT1, the largest Advanced Persistent Threat to face American companies. APT1 is far more than a few script kiddies with fast broadband. Mandiant presents a large body of evidence that this organization is, in fact, Unit 61398, the cyber-warfare unit of the People's Liberation Army. This report was released in the wake of a New York Times article detailing a four-month intrusion into its systems. The Washington Post reported a similar incident. The papers believe they were targeted in retaliation for less than favorable stories they ran on Chinese Prime Minister Wen Jiabao.

Mandiant Corporation discovered those attacks and repelled the attackers. Their research has uncovered more than 140 total hacking incidents perpetrated against international organizations by APT1, most of them relatively sophisticated. The attacks originated from Shanghai and required a huge amount of computing power and manpower. The pattern of attack used by APT1:

  1. Launch a spear phishing attack to acquire the password of a member of the target organization
  2. Use that user's credentials to load malware into his/her computer
  3. Leverage that malware to infect other systems in the target network
  4. Transfer a huge amount of intellectual property (often terabytes) back to APT1's servers
  5. Wash
  6. Rinse
  7. Repeat
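Each of the four real steps above leaves a trace in a different log: the mail gateway or proxy sees the phishing click, the endpoint sees the malware run, the domain controller sees the lateral logon, and the network edge sees the bulk transfer. As an added example (written for this post, not from Mandiant's report or any product), here is a correlator over constructed, simplified event records that raises an alert only when a single host shows all four stages in that order. The event fields, hostnames, the 5 GB exfiltration threshold, the one-day volume bucket and the 30-day window are assumptions; in practice the threshold would be a per-host baseline.

```python
"""Correlate the four APT1 stages across per-host events (added example).

Constructed, simplified records stand in for mail-gateway, endpoint, logon and
flow logs. Timestamps are minutes since an arbitrary epoch. Every threshold
below is an assumption chosen for the demo.
"""
from collections import defaultdict

STAGES = ("phish_click", "malware_exec", "lateral_logon", "exfil")
EXFIL_BYTES = 5 * 10**9        # assumed: outbound bytes per host per bucket
BUCKET_MINUTES = 24 * 60       # assumed: volume is summed per day
WINDOW_MINUTES = 30 * 24 * 60  # assumed: all four stages within 30 days

# Constructed events. ws-042 is the textbook chain; ws-adm is an admin whose
# routine lateral logon predates the phish; ws-007 only runs a large backup;
# ws-020 is compromised but moves too little data to trip the exfil stage.
EVENTS = [
    {"ts": 10,   "host": "ws-042", "kind": "phish_click",       "url": "http://hr-portal.example/bonus.doc"},
    {"ts": 25,   "host": "ws-042", "kind": "malware_exec",      "image": "C:/Users/jdoe/AppData/Local/Temp/svchost.exe"},
    {"ts": 300,  "host": "ws-042", "kind": "lateral_logon",     "dst": "fs-01"},
    {"ts": 1000, "host": "ws-042", "kind": "outbound_transfer", "bytes": 3 * 10**9},
    {"ts": 1400, "host": "ws-042", "kind": "outbound_transfer", "bytes": 3 * 10**9},
    {"ts": 5,    "host": "ws-adm", "kind": "lateral_logon",     "dst": "dc-01"},
    {"ts": 700,  "host": "ws-adm", "kind": "phish_click",       "url": "http://invoice-view.example/open"},
    {"ts": 710,  "host": "ws-adm", "kind": "malware_exec",      "image": "C:/ProgramData/update.exe"},
    {"ts": 800,  "host": "ws-adm", "kind": "lateral_logon",     "dst": "fs-02"},
    {"ts": 900,  "host": "ws-adm", "kind": "outbound_transfer", "bytes": 6 * 10**9},
    {"ts": 50,   "host": "ws-007", "kind": "outbound_transfer", "bytes": 8 * 10**9},
    {"ts": 100,  "host": "ws-020", "kind": "phish_click",       "url": "http://hr-portal.example/bonus.doc"},
    {"ts": 120,  "host": "ws-020", "kind": "malware_exec",      "image": "C:/Users/asmith/Downloads/bonus.exe"},
    {"ts": 130,  "host": "ws-020", "kind": "lateral_logon",     "dst": "fs-01"},
    {"ts": 200,  "host": "ws-020", "kind": "outbound_transfer", "bytes": 10**9},
]


def exfil_events(events, threshold=EXFIL_BYTES, bucket=BUCKET_MINUTES):
    """Turn raw outbound transfers into 'exfil' stage events: one per host and
    per time bucket whose summed outbound bytes reach the threshold. The event
    is stamped at the end of the bucket, when the total is known."""
    totals = defaultdict(int)
    for ev in events:
        if ev["kind"] == "outbound_transfer":
            totals[(ev["host"], ev["ts"] // bucket)] += ev["bytes"]
    return [{"ts": (b + 1) * bucket, "host": h, "kind": "exfil", "bytes": n}
            for (h, b), n in totals.items() if n >= threshold]


def correlate(events, exfil_bytes=EXFIL_BYTES, window=WINDOW_MINUTES):
    """Return one alert per host whose events contain all STAGES in order.

    For each stage the earliest event at or after the previous stage is used,
    so an admin's routine lateral logons before the phish do not break the
    chain and do not satisfy it either.
    """
    by_host = defaultdict(list)
    for ev in events + exfil_events(events, exfil_bytes):
        if ev["kind"] in STAGES:
            by_host[ev["host"]].append((ev["ts"], ev["kind"]))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        chain, last_ts = {}, -1
        for stage in STAGES:
            nxt = next((ts for ts, kind in evs if kind == stage and ts >= last_ts), None)
            if nxt is None:
                break
            chain[stage], last_ts = nxt, nxt
        if len(chain) == len(STAGES) and chain["exfil"] - chain["phish_click"] <= window:
            alerts.append({"host": host, "stages": chain})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["host"], alert["stages"])
```

On the constructed data only ws-042 and ws-adm alert: the backup host never saw a phish, and ws-020 never crossed the volume threshold. The ordering rule matters in both directions; it is what keeps the admin's pre-existing logon from masking the later one, and it is why a bulk transfer that precedes the phish is not counted as exfiltration.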

The APT1 attacks were largely to steal intellectual property. This should be no surprise to anyone. China has written its laws so that foreign companies must partner with local firms in order to do business there–largely so that foreign companies will have to share IP in order to access China's burgeoning labor or consumer goods markets. Of course, these hacking incidents are far more sinister.

Who knows how far China will go? By one account, Chinese officials have already used stolen IP to blackmail a corporate boss. What's to prevent China from attacking critical infrastructure? If China invades Taiwan and the US responds, might China be willing to take down the systems that operate the US power grid? You bet your sweet ass they would.

See no evil. Hear no evil. Hack no evil.

The Chinese government claims to have no knowledge of any attacks, calling Mandiant's report a fabrication. How believable are China's claims? Not very. Attacks of that magnitude could only have been carried out by a large organization, either a government or a large corporation, and their location makes it nearly certain that they were at least tolerated. Furthermore, the Chinese government keeps a tight rein on its network. It uses deep packet inspection in order to spy on and censor its own citizens. They maintain such tight control of their networks, and they didn't notice such large-scale hacking happening in Shanghai? Yeah, right.

So what should we do?

Obviously, defensive measures are de rigueur. The Department of Defense, Central Intelligence Agency, National Security Agency, and many other government agencies have taken IT security seriously for a while now. Of course, the Chinese have chosen to attack the weak underbelly: U.S. corporations whose investors and management don't understand the threat. U.S. businesses need to get in the game: firewalls, security policies, threat modeling, application security, data encryption, penetration testing, and more. If you don't know how to secure your networks, applications, and data, learn fast. Stay tuned for some specific information on how.

But are defensive measures enough? What we have here is a cyber-war. Some would argue that cyber-espionage is a more appropriate term. That's all semantics. It doesn't matter what it's called. We need to fight back. Even if the group launching these attacks is not directly associated with the government, it is being sheltered. Remember, the Afghan government did not bomb our embassies, but it harbored those who did. The U.S. government ignored the attacks, and a few years later, thousands died in the 9/11 attacks. We don't know how far China is willing to go.

The NSA, CIA, and military cyber operations should strike back. But how? They attacked our businesses and stole valuable intellectual property. We could respond in kind, but we don't want their IP. What would we do with it anyway? We could escalate the war by taking down their infrastructure, grounding their airlines, stopping their trains, or taking down their data centers, but that would achieve little.

Hacking for Liberty

We should steal embarrassing Chinese state secrets and use them to further its citizens' liberty. China's government treats its citizens horribly. Those who seek redress are sent to labor camps, tortured, or even executed. Rule of law does not even exist. Corruption is rampant at all levels. Rich public officials demand bribes from even the miserable poor.

China has gone to great lengths to keep its citizens in the dark regarding these injustices. The formal press is state run and the Internet is completely censored. We should use cyber operations to steal data on all of China's injustices and corruption and give it to the press. Furthermore, the Chinese people are completely cut off from the press by Chinese censors, so we should change that. We should take down their censorship infrastructure and shine rays of light on their darkest secrets so that their citizens can demand justice.

What would happen? Certainly, this activity would raise Chinese awareness of their government's despotic nature. And this would foment change. Whether the change would come fast as in Egypt or slowly as in Myanmar, I do not know, but change would come. Change will come anyway. As China's population journeys from subsistence living to middle class, it will demand not just prosperity, but freedom. The first American colonists made this journey and these demands in the 17th and 18th centuries. Liberty is one of the cornerstones of American foreign policy. Recently, the U.S. has attempted to spread democracy in the Middle East. The imposition of democracy by ground troops failed. Many died, and the U.S. economy was gravely injured. But we have met success in Egypt, Libya, and Tunisia by supporting dissidents. The Chinese government is stronger than those Arab dictators, but the prize is bigger. First, in China, unlike in the Middle East, no violent, fundamentalist religion holds sway. The downfall of the Chinese Communist Party would certainly mean democracy. Second, the Chinese economy will be the world's largest by 2030. It is crucial that such a large, influential country be a force for good.

Of course, the U.S. is likely responding to these attacks as I am writing. If nothing else, security is being tightened in data centers all over the country. Perhaps aggressive counter-attacks are happening. We won't know the details for years, if ever. We'll continue to follow this fascinating story as it unfolds. Loyal readers, keep your Internet dial tuned right here for updates.


  1. The Chinese Government is operating large scale attacks on US business
  2. China denies everything
  3. Lock down your business! SECURE SECURE SECURE
  4. The U.S. government should respond by hacking back
  5. China's human rights abuses should be exposed to all
  6. The Chinese people should not be kept ignorant by their government any longer
  7. Hacking can be used as a tool for freedom