Monday, August 26, 2013

On the Ethics of Hacking

My favorite definition of "hacker" comes from golf: i.e., a determined, persistent, and self-taught amateur; an autodidact.  I have never quite trusted them to "call a stroke" on themselves.  

Similarly, I have always been cautious about computer hackers. Too many of them get off on the power.  Hacking is addictive.  Many hackers seem to see the Internet as a playpen where they are engaged in a game of "Gotcha," a game where they score points by exposing or embarrassing others.

I came of age in the fifties, when computers were scarce and dear, when it took a team of us to get them to do anything useful, when one's access was a function of the trust one had earned by contributing to the team.

Last week we had another case of a self-described "ethical hacker" being convicted of a crime.  The man was a member of his country's parliament.  I am sure he thought of himself as a "good guy."  I have met few people in my life, no matter how corrupt, who did not self-identify as good guys.  Most hackers think of themselves as good guys and many good guys think of themselves as hackers. How then to stay out of jail?  I have a few suggestions.

As a judge, here are some of the questions I might ask to distinguish between so called "ethical" and criminal hacking.

Was the hacker engaged in gainful employment?  If no one is willing to pay for an activity,  it is at least questionable.  Professionals do not work without pay. It is unfair competition with other professionals.  It takes food from the mouths of one's children.

Was the activity authorized by the owner of the network, system, application, or data?  Is there a record of this agreement, a letter or a contract?  Does it spell out the content of, and the limits on, the activity?  Such a letter might keep one out of jail.

Was the activity covert?  Is there anyone from whom the hacker might wish to conceal it?  Did it involve fraud or deceit?  If the activity were discovered while it was ongoing, would it surprise, embarrass, or frighten anyone?  Would it trigger alarms?  If one is shamed by one's activity, one has already judged it.

Was the hacker accountable?  Supervised?  Was he acting as part of a team or working with at least one colleague who could act as a check  on, or vouch for the legitimacy of, what was done?  Was a record kept?  Was it attested to by two or more parties? Acts authorized by one's employer are not always ethical; we settled that at Nuremberg. All unauthorized acts are not necessarily unethical. However, unilateral activity is always at least questionable..  

Was data disclosed to anyone not already authorized to see it? While unauthorized disclosure might not be criminal, it is probably not ethical.

Was anything broken?  Did networks, systems, or applications stop working?  Was there a loss of availability?  Was there a loss of data integrity or confidentiality?  Trust?  Reputation?  Did the target, not to say victim, have to reallocate resources to remediation?  Did the target incur liability to others? 
Was there any threat or coercion?  Were the results of the activity used to get someone to do something that they might not otherwise do, or to do something earlier rather than later?  Coercion is rarely ethical and often criminal.

Now, there are special cases.  Almost every hacker claims one or more of these as justification for otherwise anti-social, not to say sociopathic, behavior.   For example, some hackers lie.  Their rationale is that they have an authorization and are being paid to do it, usually by someone else for whom the lie would be unethical.  They claim that they must lie because rogue hackers do "social engineering," and they must test the ability of the target organization to resist it.  As with most ethical dilemmas, one has to decide for oneself.  However, I already know that social engineering works against most organizations.  I do not need to engage in it to satisfy myself on that issue.  

Many rogue hackers excuse their activity as "research."  However, much of it is outside the tradition of science.   Labeling an activity as "science" does not excuse otherwise unethical behavior.  Science is conservative; it does not make things worse.  It does not increase vulnerability, instability, or risk.  While there are destructive experiments, they break things that belong to the scientist, not the property of others.  That the scientist does not own, and cannot buy, a network of his own, does not justify experiments that break the public networks or the private networks of others. 

Another very special case is national security, espionage and sabotage, activity that would fail many of the tests above.  Since few of us are engaged in such activity and fewer still will be called to account for it, can we agree to leave this case for another day? 

Some claim "civil disobedience," appealing to a "higher good," admitting otherwise questionable, even criminal, behavior but claiming that it is justified.  Perhaps.   However the burden of proof and responsibility is on them.  

Professionals are confronted with difficult ethical dilemmas; it goes with the territory.  Even with scrupulous ethical tests, one professional presumes when he undertakesl to judge another.  However, it also goes with the territory that we must be scrupulous in our own behavior.  We may not be slipshod in our own behavior or make cheap excuses for ourselves. 

It is a mark of the immaturity of our profession that we must deal with so much questionable behavior and so many pretenders.  Physicians have separated themselves from"quacks" and lawyers from "shysters."  Not only have we not separated ourselves from our amateurs, hackers, we may secretly admire them and excuse them.  Indeed, I systematically qualify hacker with "rogue" so that I do not have to listen to my colleagues defend questionable activity.  I look forward to the day when hacker is on the same list as quack, shyster, shrink, and other pretenders. 


Thursday, August 22, 2013

Security with Persistent Threat but no Perimeter and no Edge

Whether one focuses on the consumerization of technology, "bring your own device to work," "Advanced Peristent Threat," or merely the exponential growth in use, uses, and users of information technology, we really have reached a tipping point. Our approach to Information assurance is no longer working.  We cannot discern "the edge."  We cannot control the user device.  While the network is spreading and flattening, the perimeter is crumbling.   As the base of the hierarchy of authority, privilege, capability and control is spreading, the altitude is shrinking.  The compromise of one system, can compromise the entire network.  A compromise of a single user can compromise the entire enterprise. We cannot afford for all of our data, the protection indicated for the most sensitive.

Our traditional tools, user identification and authentication, access control, encryption, and firewalls are not scaling well.

My purpose is not so much to tell you what to do as to change the way you think about what you do.  I hope to change your view of your tools  and methods and the materials to which you apply them.

First and foremost, you must identify and segregate the data you most want to protect.  This will include, but may not be limited to, the books of account, intellectual property, and personally identifiable data.  You cannot protect all your data to the level that is required by these.  "Classification" of data is essential to effective and efficient security.

Prefer closed systems for this sensitive data.  Think AS/400 and Lotus Notes but you can close any system.  While most of our systems will continue to be open, these will always be vulnerable to contamination and leakage and not reliable for your most sensitive data.  Lotus Notes is both closed and distributed.  Trusted clients are available for many popular edge devices.

Consider single application client systems for sensitive network applications.  In an era of cheap hardware, it can be efficient to use different systems for on-line banking on the one hand, and web browsing or e-mail on the other.

Prefer object-oriented formats and databases to flat files for all sensitive data.  This should include Enterprise Content Management or Document Management systems, for example, Lotus Notes, SharePoint, or netdocuments.   The common practice of storing documents as file system objects is not appropriate for intellectual property or other sensitive documents.

Control access as close to the data source as possible,  i.e., at the server, not on the edge device.  Control access at every layer, edge device, application, network, database, and file.  Do not rely upon one layer for exclusive control of access to another.  For example, do not rely exclusively upon the application to control all access to the database.  The application controls should mediate what data is passed to the user but database controls should be used to mediate what data is to be passed to the application.

Prefer application-only access, not file system, not database management systems, not device.  Prefer purpose-built application clients; think "apps."  Said another way, the application should be the only way for a user to access the data.  The user should not be able to bypass the application and access the data by other methods or tools.

Prefer end-to-end encryption, that is, known edge client to the application, not to the network, not to an operating system.  Said another way, when a user opens a VPN, he should see an application, not an operating system command line, not a desktop.  While there are many ways to accomplish this, for existing applications, an easy way to do this is to hard-wire an encrypting proxy, a router, in front of the application.  The cost of such a router will range from tens of dollars to low tens of thousands, depending upon the load. A limitation of this control is that what appears to be the edge device may be acting as a proxy for some other device.  While we can know that data passes to a known device, we can not know that it stops there.

Prefer strong authentication for sensitive data; consider the edge device identity, for example, EIN or MAC address, as one form of evidence.  Consider out-of-band to the user or token-based  one-time-passwords to resist replay. Check out Google Two Factor Authentication as an example.  (It takes advantage of the fact that the typical hand-held computer ("smartphone") has addresses in both public networks.  Thus, when I want to log on to Google, I am prompted for my e-mail address and my password.  However, these are not sufficient; knowing them would not enable you to impersonate me.  I am then prompted for a six digit number, a one-time password,  that Google has sent, in text or spoken language, to a telephone number of my choice, provided to Google by me at enrollment time.)  Consider the user's hand held or other edge device as the token.  Both RSA and Verisign offer complete solutions  for this.

Control the data rate at the source; prefer one record or page at a time.  One may not be able to prevent the user from "screen scraping" and reconstructing the document or database at the edge but one can resist it, the stick.

Provide a high level of service, the carrot.  You can make any control or restriction at least tolerable provided that you couch it in a sufficiently high level of service.  Remember that most leakage is of gratuitous copies.  These copies are made to trade off cheap local storage against scarce bandwidth and/or high network latency.  The faster you can deliver data from the source, the fewer copies will be made at the edge.  

Involve multiple people in privileged access and control. System administrators and other privileged users have become favored targets and means for compromising the enterprise.  Tools and methods are available to exercise control over them and to provide the necessary accountability.  These include such tools as sudo at the Unix system level to Cyber-Ark at the network or enterprise level.

These measures focus on the data rather than the technology.   They address malice, for example, state or organized crime sponsored commercial espionage, and errors and omissions, for example leakage or opportunistic contamination at the edge.  They address outsiders, the largest source of attack, and insiders, the largest source of risk.

They are not for those who look for or believe in "magic bullets."  They may be too expensive for all the data in the enterprise but efficient, and perhaps even mandatory, for the most sensitive data.  It is for drawing the line between the classes of data and applying the appropriate measures that we are called professionals and are paid the big bucks. 

Tuesday, August 13, 2013

Consumerization of Information Technology

One of the things that I try to bring to the this blog is historical perspective.    I argue for the importance of history, that if we do not know where we came from, we cannot appreciate where we are, much less where we are going.  I have been here longer than the average bear.  I can see things across time that are difficult to appreciate at a point in time.

When I was selling computers for IBM, chief executive officers did not have the discretion to buy a computer.  It was an economic decision for the enterprise comparable to that of building a new plant or committing to a new product.  It was a board level decision.  While the CEO could say "no," he could not unilaterally say "yes."

As the scale of the technology has changed, as its price has fallen and its efficiency has exploded, the decision making has moved.  For almost a generation, we matched the scale of the computer to that of the enterprise.  Each enterprise had one computer, the most powerful that it could afford.  The decision was made in the executive suite.

By the time that the "minicomputer" came on the market, the decision had fallen to the level of the department.  We did not consciously make a decision to do that.  It was simply a reflection of the scale, price, and efficiency.  However, until very recently, most computers used in the enterprise were still purchased, owned, and managed, not to say controlled,  by the enterprise.

Recently we passed a tipping point;  most computers are now purchased, owned, and to the extent that they are managed, by individuals, by consumers.  We buy them at Wal-Mart and Costco, next to groceries, diapers, paper towels, and bottled water.  Because they are so cheap and so powerful, they are used for things that we could not have imagined as recently as a decade ago.  They are driving other devices, particularly single purpose devices, from the market.

As I sit here, there are seven computers within 5 feet of me and nine screens within 9 feet.  They are all connected and interoperable.  Moreover, to a first order approximation, they are connected to, and will inter-operate with, any and every computer in the world.  These do not count the application-only computers like my cable box, Sling-box, and "Smart-TV;"  they all "boot" so I assume that they are "computers."

As I sit here, I am waiting for one great niece to decide between a Kindle Fire and an iPad and am replacing an iPhone for another who dropped her's in the toilet at the mall.  The discretion, the decision making power, has now fallen to the children.  Remember?  The decision is made one level below the guy who signs the order, the check or the credit card?  I only pay, the kids decide.  Their decisions impact the enterprise and the infrastructure, those things that you and I are expected to control and protect.

Infants use computers.  I choose the term "use" advisedly.  They use them for their "work," at their age indistinguishable from "play," learning to master their environment.  They project the capability of one computer as requirements on another.  They "swipe" across TV screens and even magazine pages.  Seven year-old write critical reviews of applications, and teen-agers know more about computers than the information technology elites of a generation ago; different things perhaps, but more.  They have been called "digital natives" but digital savages might be more accurate.

There are some things that are beneath their level of notice.  For the most part they are agnostic as to where an application runs and its data is stored.  They are oblivious as to what we used to call "speeds and feeds."

It is almost impossible to remember that the first iPhone came out only five years ago and that about all it could do was phone calls, e-mail, and browse.  Oops, I forgot; play music.  Apple and Google now have a couple of major announcements and ship dates a year.  Just to keep up!  Teens track the features in new versions of iOS the way my generation tracked new car models.  By the time that YOU have figured out the security implications of one new product, another has shipped.

I remember when I had to keep a list of e-mail gateways and use embedded addresses to get from one domain to another.  No longer; the address space has flattened.  Now I keep a list, shorter, but still a list, of application proxies to get me around fire-walls and other security restrictions.  When I complained that the Naval Postgraduate School blocked my access to AOL Instant Messenger, two students quietly gave me the addresses of two different proxies.  Proxies now come plug-n-play-in-a-box or simply run as services in the Internet.

One niece and nephew go to a very traditional school, elite, but so traditional that they are still expected to carry fifty pounds of paper in and out of school everyday. They can take their iPhones, but cannot use them, and iPads and MacBooks must still be left at home.  So, they use Dropbox, Evernote, and thumb-drives.  No matter what controls or road-blocks we throw in their way, they will get around them.  Savages.  Not (yet) civilized.  

The good news is that there are only two popular operating systems for the most popular consumer products, right?  iOS and Android?  All you have to know about, right?  The bad news is that there are dozens of versions of Android, all different, most open.  

There is more bad news.  RIM has not gone away.  Windows Mobile has hardly gotten here.   Playstations and X-Boxes are becoming richer and more open.  Even Play Station Portables and DS Lites are being opened some.  Proxies and servers are popping up everywhere to expand their capabilities even further.

As I write this on Evernote, I am using the Window's Evernote Client on my  Dell, but I am using the screen and key-board on my MacBook Air.  In order to find the IP address of the Windows system across the room, the MacBook goes to an addressability server in the Internet, perhaps thousands of miles away, where the Dell has published its address.
The devices at the the edge are becoming smaller, cheaper, more diverse, more powerful, at an exponential rate. Now it is not news that one can buy gigabytes on a chip the size of one's pinky nail for dollars per gig or that one can buy a terabyte to fit in one's shirt pocket for under $100-.

All of this is by way of saying that you cannot prevent contamination and leakage at the edge.  You no longer own or control the edge.  You cannot even see it.  It has been a battle to see it since the edge began to include PCs but it is now clearly a lost cause.  Technology changes so rapidly that it is often obsolete before we can figure out how to control it.  Trying to achieve adequate protection by using or controlling the edge technology has probably been the wrong strategy all along.

In a future blog I will suggest an alternate approach.