Tuesday, April 26, 2011

FBI Take-down of Coreflood Bot-net

The week before last, the FBI announced that it had taken down the Coreflood bot-net, perhaps two million compromised systems, by taking over its command-and-control servers.

This was a major event. It demonstrated that we do not simply have to tolerate the existence of hostile networks of compromised systems. It also demonstrated that law enforcement can be effective in the Internet.

Shawn Henry, Executive Assistant Director of the FBI's Criminal, Cyber, Response and Services Branch, said, "These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure."

Although most people were happy to see the Coreflood bot-net go, some have expressed concern about the tactics used in its take-down. They are concerned that these may be seen to legitimize behavior that, after decades of debate, has finally been recognized as illegitimate.

Federal prosecutors obtained a temporary restraining order allowing them to replace several identified Coreflood command-and-control (C&C) servers with their own servers, which then answered the bots' check-ins with shutdown commands.

One colleague responded by saying "Remote administration without permission is 'hacking.'" I will grant him his semantics without granting him his point.

The first time I said that, and I may well have been the first to do so, I said it in response to the clever child who had created an "anti-virus virus." Of course, the same things are wrong with the idea of an anti-virus virus as with any other virus. First, like any virus, the anti-virus virus would run without the permission or knowledge of the target system's owner.

The real problem is that, independent of the intent or motive of the author, he cannot know enough about the network to predict how his virus will behave. It is difficult enough for him to predict the behavior of his program in a single system that he controls. It is almost impossible to predict its behavior in a population of hundreds of thousands of systems connected in an arbitrary network.

The Electronic Frontier Foundation technology director, Chris Palmer, said the method "is not a safe way to go about [disabling malware] and it's divergent with standard practice."

The "standard practice" that he defends is to simply take down the command-and-control servers while leaving the bots active on the infected hosts. The FBI's departure from that practice may not meet Mr. Palmer's test for "safe," but it meets mine for "effective."

We rightly fear the awesome power of government. The preservation of Liberty requires constant vigilance against the abuse of that power. Our colleagues who have questioned this action are right to do so. However, the existence of the question does not imply, nor should we infer, the obvious answer.

Note that in this case, the FBI did not initiate communication with arbitrary systems. It waited until the compromised systems came to it. It did not send a program. It simply sent a command in response to a request. And it sent the most conservative command available, "shut down," that is, do nothing further.
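The exchange described above, modelled as an added example. This is not the FBI's code and not Coreflood's actual protocol: the beacon line, the command string and the bot identifiers are invented for illustration. What the model captures is the posture the post describes: the substitute server never initiates contact, it answers only well-formed check-ins, the only command it is able to emit is a stop, and it records who checked in so that the owners of infected hosts can be notified.

```python
"""Model of a court-ordered command-and-control sinkhole.

Added illustration, not the FBI's code or Coreflood's real protocol: the
beacon and command formats below are invented. The properties modelled are
that the sinkhole never initiates contact, answers only well-formed check-ins,
can emit nothing but STOP, and records which hosts checked in.
"""
import re
from dataclasses import dataclass, field

# Hypothetical check-in line, e.g. "BEACON id=3fa9 ver=7" (constructed format).
BEACON_RE = re.compile(r"^BEACON id=(?P<id>[0-9a-f]{4,16}) ver=(?P<ver>\d{1,3})$")

STOP = "CMD STOP"                      # the single command the sinkhole can send
ALLOWED_COMMANDS = frozenset({STOP})


@dataclass
class Sinkhole:
    """Stands in for a seized C&C address: passive and single-purpose."""
    checked_in: dict = field(default_factory=dict)   # bot id -> source address

    def respond(self, src_addr: str, request: str):
        """Answer one incoming request; return None to stay silent."""
        m = BEACON_RE.match(request)
        if not m:
            return None                # not a bot check-in: do not engage at all
        self.checked_in[m["id"]] = src_addr   # evidence and notification list
        command = STOP                 # never "update", "download" or "execute"
        assert command in ALLOWED_COMMANDS
        return command


@dataclass
class Bot:
    """Minimal model of an infected host that polls a fixed C&C address."""
    bot_id: str
    addr: str
    running: bool = True

    def beacon(self) -> str:
        return f"BEACON id={self.bot_id} ver=7"

    def handle(self, command) -> None:
        if command == STOP:
            self.running = False       # exit; nothing new is installed


def run_takedown(bots, sinkhole) -> int:
    """Each bot checks in on its own schedule; the sinkhole only answers.
    Returns the number of bots that have stopped."""
    for bot in bots:
        bot.handle(sinkhole.respond(bot.addr, bot.beacon()))
    return sum(1 for bot in bots if not bot.running)


def main() -> None:
    bots = [Bot("3fa9", "198.51.100.7"), Bot("b2c4", "203.0.113.21"), Bot("0e11", "192.0.2.99")]
    sink = Sinkhole()
    stopped = run_takedown(bots, sink)
    print(f"{stopped} of {len(bots)} bots stopped; hosts to notify: {sink.checked_in}")
    # Unrelated traffic hitting the seized address gets no reply at all.
    print("reply to stray request:", sink.respond("192.0.2.1", "GET /update HTTP/1.0"))


if __name__ == "__main__":
    main()
```

The design choice worth noticing is that the sinkhole has no code path for any command other than STOP; a compromised or over-eager operator cannot turn it into an "update" server without changing the program. The model assumes bots that poll a fixed address, which is exactly the assumption that fails for the peer-to-peer bot-nets discussed at the end of this post.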

It is this act which offends my friends, the purists. They are offended, in part, because the executive branch has not been explicitly authorized by the legislature to so act. However, one suspects that if the executive had asked the legislature for this authority, the same, or other, "purists" would have opposed it.

Public Safety, like information security, often involves difficult ethical choices, the lesser of evils. Sometimes it even involves the use of coercion or force. Note that government is the only institution in our society that is empowered to use force.

In this instance the executive did not act unilaterally; the FBI did get a court order. These are not vigilantes. Moreover, if they can be entrusted to use force, they can be entrusted to act in the Internet in ways that are forbidden to the ordinary citizen. That the police do something does not give the citizen license to do the same thing.

I invite my anxious colleagues to rest easy. The Internet is safer and the FBI has not gone rogue.

A final word of caution. One should not infer that all bot-nets can be brought down by the same method. Those networks that use the same peer-to-peer protocols used by file-sharing programs (e.g., BitTorrent), and do not rely on centralized command-and-control servers that can be seized and replaced, will not yield to this method.

Those charged with protecting public safety and those protecting the information infrastructure will continue to be confronted with difficult ethical choices. That is why we are both called professionals and are paid the big bucks.

Tuesday, April 19, 2011

One More Lost Laptop

Recently an employee of British Petroleum reported "one more lost laptop." In this case the laptop contained records on 13,000 victims of BP's oil spill. One does not have to be an application genius to figure out how complete and sensitive those records are, or how much work they encapsulated.

Consider the possibility that the copy on the laptop was the only copy of those records. Without even considering any damage that might arise from the disclosure, the loss of those records could be catastrophic to the subjects.

A current search of the web shows that a typical business laptop comes with 250 GB of secondary storage (or 128 GB of solid-state storage for a $150 premium). We used to run whole enterprises on that much storage.

Moreover, for $100 one can buy four times that much storage to carry in one's shirt pocket; that's right, one terabyte for $100. The cost of storage is halving every twelve months. Parkinson's Law of Storage says that data expands to fill the storage available to hold it.

The processor power of these devices is 1000 times what it was a decade ago and increasing exponentially. While "experts" have been predicting the knee in the Moore's law curve for a generation, we continue to push it out.

I now have three old laptops stacked one on top of another that I use for application and storage servers. I have three TBs of storage in my living room network. Daily I operate this network from mobile devices, one, called an iPhone, that I carry in my pocket.

Even in the office there is now a preference for laptops over desktops. Outside there is movement to more, and more mobile, devices, laptops to notebooks to netbooks to tablets to "smart-phones." Note that the only reason we continue to refer to these mobile computers as "smart-phones" is because we buy them from the phone company.

This is only likely to get better or worse, depending on your point of view. The cost per CPU cycle and per bit of storage is likely to fall by a factor of four in three to five years. As the price falls, the number of devices sold increases, the absolute number of applications grows, and the number of applications per device increases. Even the cost of software is falling as the number of copies that can be sold increases.

Five years ago we could not have imagined the applications that we use today. No more can we anticipate the applications of five years from now, our planning horizon.

Come on, guys. The risk is not about laptops. It is about CD-ROMs. It is about thumb-drives. It is about gigabytes, and then terabytes, on one's fingernail. It is about users who have never used a computer they could not carry. It is about powerful computers in one's pocket. It is about what one can buy for $100. It is about new use, uses, and users on a barely imaginable scale. All of this involves, not to say invites, risk on a scarcely imaginable scale.

Consider the bad things that can happen to mobile systems, applications, and data that are less likely to happen to stationary ones. First, while robust, these devices can be dropped or broken, or can suffer mechanical or electronic failure. They can be lost or left behind. They can be stolen, usually for the property value but sometimes for the contents.

Recently we learned that ICE, Immigration and Customs Enforcement, is examining and impounding mobile devices at the borders. Ostensibly this is to look for "contraband" data, specifically child pornography. The courts have consistently held that this kind of search is "reasonable" enforcement of the borders and does not violate the Fourth Amendment prohibition against "unreasonable searches and seizures." In the twenty months of the program, ICE has "examined" more than 6000 systems.

For most of us this risk is dwarfed by the other risks of mobile devices, although it is a growing one for frequent business travelers. Like those risks, it is one to which the same applications and data are not exposed when they stay on stationary systems. It is addressed by some, but not all, of the same security measures.

For example, while loss and leakage are addressed by encryption, ICE will simply demand the key. Moreover, encryption offers no protection against the far more likely threat of failure or breakage.

On the other hand, not taking data or applications addresses everything except property loss. I now carry a sterile MacBook Air when I travel. No enterprise, client, personally identifiable information, intellectual property, payment system, or other sensitive data.

Consider the following policies and practices:

* Store sensitive data only on enterprise servers.
* Prefer remote access to enterprise servers over personal, local, or portable copies.
* Save new work done on mobile devices to stationary servers.
* Permit portable copies only with specific management approval.
* Keep any portable copies on devices with full-device encryption.
* Keep any portable copies in encrypted file systems or databases.
* Prefer mobile devices (e.g., BlackBerrys, iPads, iPhones) with remote location and remote erasure capabilities.
* Prefer client-server object-oriented databases (e.g., Lotus Notes) with end-to-end encryption by default.
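A "sterile" travel device and a policy of "no portable copies without approval" both need a way to check that sensitive data has not crept onto a laptop anyway. The following is an added example, not from the original post, of a small scanner for two of the data classes named above: US Social Security numbers, filtered by basic plausibility rules, and payment card numbers, validated with the Luhn checksum so that arbitrary sixteen-digit reference numbers are not flagged. The sample text it scans is constructed for the example.

```python
"""Sterile-device check: scan files for data that should not travel.

Added example, not from the original post. Two detectors: US SSNs with
plausibility rules, and card numbers checked with the Luhn mod-10 algorithm.
"""
import os
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MAX_BYTES = 8 * 1024 * 1024          # skip very large files in this simple scanner


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values that can never be issued SSNs."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan_text(text: str):
    """Return (kind, value, line_number) for each likely SSN or card number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(("ssn", m.group(0), lineno))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(("card", digits, lineno))
    return findings


def scan_tree(root: str):
    """Walk a directory and report findings per file (text content only)."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


# Constructed sample: one plausible SSN, one impossible SSN, one Luhn-valid
# test card number, and one sixteen-digit reference that fails Luhn.
SAMPLE = """Claim 0017
Claimant SSN: 123-45-6789
Placeholder:  000-12-3456
Card on file: 4111 1111 1111 1111
Invoice ref:  1234 5678 9012 3456
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, hits)
    else:
        for kind, value, lineno in scan_text(SAMPLE):
            print(f"line {lineno}: {kind} {value}")
```

Run it with a directory argument (for example the home directory of the travel laptop) before departure; with no argument it scans the embedded sample. It reads only text-decodable content, so archives, databases and office documents need to be expanded first, and it says nothing about data the owner has encrypted, which is the point of the policies above.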

Keep in mind that these are risk mitigation, not risk elimination, policies. Leakage from mobile devices is a fact of life. We cannot solve the general problem but we can address it for ourselves and our enterprises. Note that they do not mitigate the risk of loss or breakage of property.

Of course, even justifying, much less implementing, these policies and practices will not be easy. That is why we are called professionals and are paid the big bucks.

Wednesday, April 6, 2011

Near Field Communication (NFC)

There is a new communication standard on the horizon. It is called Near Field Communication, NFC, standardized as ISO/IEC 18092 and using the ISO/IEC 18000-3 air interface at 13.56 MHz, and you might want to spend a few minutes with the Wikipedia article on it. It has all sorts of wonderful applications. It has a number of security applications and, of course, security limitations and implications.

NFC is intended for use on mobile computers, such as "smart-phones" or PDAs, that the user is likely to carry, like keys or a wallet, most of the time. More than a dozen implementations, mostly smart-phones, have been shipped or announced by manufacturers including BenQ, Google, LG, Motorola, Nokia, Samsung, and others. Applications await sufficient numbers of devices, but payment application trials are planned for San Francisco and New York.

Proposed applications include mobile payment, smart card emulation, including EMV, transportation and theatre ticketing, electronic keys, identity documents, cryptographic key management, and dozens of others. Of course, while not requiring NFC, these same devices can be used to implement both token-based and out-of-band strong authentication.

One application of NFC is as a reader of passive RFID tags and passive emulation of RFID tags. For example, eCLOWN is a program for a Nokia NFC phone to read the RFID information on an e-passport.* As you are probably aware there is significant opposition to any use of RFID from those who fear that the value likely from such applications will not justify the leakage or other unintended consequences. This opposition is likely to include NFC. (That the ability to read this information might marginally reduce the cost of forging an e-passport is sufficient reason for some to resist the use of the technology altogether. This, in spite of the fact that an e-passport is much more difficult to forge than an ordinary one.)

The name derives from the inductive coupling in the "near field" of the antenna, the region within a fraction of a wavelength of it (at NFC's 13.56 MHz carrier a wavelength is about 22 meters). Reliance on this effect limits the effective range to about 4 cm, but the antenna's "far field" radiation can still leak information beyond the effective range, perhaps to a distance of a few meters. Because, unlike Bluetooth, NFC provides no encryption of its own, some applications will have to implement encryption at a higher layer, for example with TLS/SSL or S/MIME.

NFC is low-power (about 15 mA) as well as near-field inductive, and consequently relatively low speed, at most 424 kbit/s. This is fast enough for security and financial applications but much too slow for streaming video or even surfing the web. However, it has one great advantage over competing technologies: connection setup time. While Bluetooth may take seconds to establish a peer-to-peer connection (after "pairing"), NFC takes less than a tenth of a second. (One proposed application of NFC is the pairing of Bluetooth devices.)

As with any technology that is vulnerable to eavesdropping and replay, NFC by itself provides at best weak, "one-factor" (possession) authentication. Most of the security applications will require strong authentication: at least two factors and resistance to replay. To the extent that NFC is implemented on hand-held computers, a wide variety of authentication schemes will be open to application designers.

NFC signals via amplitude modulation; its ability to resist modification of a bit in transit is a function of the modulation depth and the coding used. However, some NFC applications will have to add cryptographic integrity protection, such as a message authentication code or authenticated encryption, to resist data modification attacks.

Because NFC is low power, electronic jamming will be relatively easy. Of course, the same is true of Bluetooth. The experience with Bluetooth suggests that this is a vulnerability without a problem. However, NFC may not be suitable for applications where ultra-high availability is a requirement.

NFC devices are vulnerable to loss, along with any credentials, privileges, and capabilities associated with them. Applications should resist the use of lost devices by implementing lock-words for use of the device, remote disabling and erasure, and other security mechanisms. Abandoned NFC connections might be vulnerable to exploitation until and unless they time out. Therefore, devices and applications should be designed to time out in the minimum time adequate for the application.
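The last three paragraphs add up to a design: the link gives the application neither secrecy nor authentication, so the application must supply replay resistance, a second factor, and a short lifetime for abandoned sessions. The following is an added example, not from the original post or from any NFC specification, of a terminal and a wallet doing exactly that over an eavesdroppable link. The device identifier, key and PIN are constructed demo values; the shared key is assumed to have been provisioned out of band, and a fake clock stands in for real time so the timeouts can be demonstrated.

```python
"""Challenge-response over an eavesdroppable link such as NFC.

Added example, not from the original post or any NFC specification. The link
supplies no secrecy or authentication, so the application does: a fresh,
single-use, short-lived nonce from the terminal; an HMAC from the wallet over
nonce and transaction under a key shared out of band (assumed); and no answer
at all unless the wallet has been unlocked with its PIN.
"""
import hashlib
import hmac
import os
import time

DEVICE_ID = "wallet-01"                                   # constructed demo values
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
DEVICE_PIN = "4921"


def canonical(device_id: str, amount_cents: int, nonce: bytes) -> bytes:
    # Fixed field order and separators, so the fields cannot be re-split.
    return b"|".join([device_id.encode(), str(amount_cents).encode(), nonce.hex().encode()])


class Wallet:
    """Device side: answers only while unlocked; re-locks after idle_timeout."""
    def __init__(self, device_id, key, pin, idle_timeout=30.0, clock=time.monotonic):
        self.device_id, self._key, self._pin = device_id, key, pin
        self.idle_timeout, self.clock = idle_timeout, clock
        self._last_activity = None                        # None means locked

    def unlock(self, pin: str) -> bool:
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._last_activity = self.clock()
            return True
        return False

    def respond(self, nonce: bytes, amount_cents: int):
        now = self.clock()
        if self._last_activity is None or now - self._last_activity > self.idle_timeout:
            self._last_activity = None                    # locked, or abandoned and re-locked
            return None                                   # no PIN, nothing goes over the air
        self._last_activity = now
        return hmac.new(self._key, canonical(self.device_id, amount_cents, nonce), hashlib.sha256).digest()


class Terminal:
    """Reader side: fresh nonce per transaction, single use, short lifetime."""
    def __init__(self, keys, challenge_ttl=2.0, clock=time.monotonic):
        self.keys, self.ttl, self.clock = keys, challenge_ttl, clock
        self.pending = {}                                 # nonce -> (device_id, amount, issued_at)

    def challenge(self, device_id: str, amount_cents: int) -> bytes:
        nonce = os.urandom(16)
        self.pending[nonce] = (device_id, amount_cents, self.clock())
        return nonce

    def verify(self, nonce: bytes, tag):
        entry = self.pending.pop(nonce, None)             # pop: each nonce is answerable once
        if entry is None:
            return False, "unknown or replayed challenge"
        device_id, amount_cents, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return False, "challenge expired"
        key = self.keys.get(device_id)
        if key is None or tag is None:
            return False, "no credential presented"
        expected = hmac.new(key, canonical(device_id, amount_cents, nonce), hashlib.sha256).digest()
        return (True, "ok") if hmac.compare_digest(expected, tag) else (False, "bad tag")


class FakeClock:                                          # deterministic time for the demo
    t = 0.0
    def __call__(self):
        return self.t


def demo() -> dict:
    """The normal case, then each attack the design is meant to stop."""
    clock = FakeClock()
    wallet = Wallet(DEVICE_ID, DEVICE_KEY, DEVICE_PIN, idle_timeout=30.0, clock=clock)
    terminal = Terminal({DEVICE_ID: DEVICE_KEY}, challenge_ttl=2.0, clock=clock)
    r = {}
    n1 = terminal.challenge(DEVICE_ID, 1250)
    r["locked_is_silent"] = wallet.respond(n1, 1250) is None            # PIN not yet entered
    wallet.unlock(DEVICE_PIN)
    tag1 = wallet.respond(n1, 1250)
    r["genuine_accepted"] = terminal.verify(n1, tag1)[0]
    r["replay_rejected"] = not terminal.verify(n1, tag1)[0]             # captured and resent
    n2 = terminal.challenge(DEVICE_ID, 1250)
    r["tamper_rejected"] = not terminal.verify(n2, wallet.respond(n2, 125))[0]  # amount altered
    n3 = terminal.challenge(DEVICE_ID, 1250)
    clock.t += 5.0                                                      # answer arrives late
    r["stale_rejected"] = terminal.verify(n3, wallet.respond(n3, 1250))[1] == "challenge expired"
    clock.t += 31.0                                                     # wallet left idle
    r["idle_relocked"] = wallet.respond(terminal.challenge(DEVICE_ID, 1), 1) is None
    return r


if __name__ == "__main__":
    print(demo())
```

Two points are worth drawing out. The nonce is removed from the terminal's table the moment an answer is checked, so a recorded exchange replayed a second later fails even though every byte of it is genuine. And the tag binds the amount as well as the nonce, so an eavesdropper who alters the transaction in transit (the data modification attack above) is caught by the same check; encryption of the link is not needed for that, an authenticated message is. What this example does not give you is secrecy of the device identifier or amount on the air; if that matters, the higher-layer encryption mentioned earlier is still required.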

Those of you who are followers of IGTV or of my blog know that I am a long-time critic of the use of mag-stripe and PIN for our point-of-sale payment system. Outside the US, EMV cards are being used to improve the system. However, progress is limited by implementations that are backward compatible with mag-stripe and PIN. Perhaps this is to be able to process the cards carried by American travelers.

Although there are trial EMV cards in the US, and merchants prepared to accept them, there are no plans to deploy them widely, much less pervasively or exclusively. This is in part because of the cost of cards and readers, in part because they do not solve the "card-not-present" problem, and in part because transiting the intervening payment card service providers is difficult.

Not only can NFC devices both emulate and read EMV cards, these smart devices can address the card-not-present problem for mail-order, phone order, and Internet commerce. Moreover, hand-held devices can emulate multiple cards and accounts, functioning as e-wallets and reducing the number of credentials and tokens that a consumer must carry.

Like many such technologies, Near Field Communication is inherently neither secure nor insecure. It is proposed in good faith and with high hopes for legitimate applications. However, I have now lived long enough to expect poor implementations, inappropriate uses, and unintended consequences for any novel technology. I am not without sympathy for those who fear technology in general and RFID in particular. I will be surprised if NFC is not chosen for some applications for which it will not be secure and for others where, as with mag-stripe and PIN, it will survive long after use has stressed it to the breaking point.

The "securability" and reliability of NFC applications will depend in large part on the devices on which they are implemented, that is, on the ability of those devices and their operating system software to resist application-to-application data leakage and interference. These mobile devices are already being used for financial transactions over the Internet and to read bar codes or QR codes with their cameras. However, it is clear that these systems will vary greatly in their ability to protect their applications and will rely to some degree upon their users and vendors to keep them sanitary and current. We must be prepared for the NFC technology to be blamed for any compromise with which it is even remotely associated.

Still, I am hopeful that NFC will find many security applications and "securable" implementations. I particularly hope that it will find application in the payment system and, for example by emulating EMV, encourage its adoption. We must design and choose carefully and apply and use conservatively. We should err on the safe side. We have to prepare diligently and advance cautiously. It will be difficult and risky and it will challenge our knowledge, skills, and abilities. That is why we are called professionals and are paid the big bucks.


* Step 2 of the instructions for using eCLOWN is "Insert the passport (crypto) key." It is silent on where to obtain this key. However, because there are many copies of the key, that will be, at best, difficult.