Early reports on the LulzSec cyber attacks are interesting, if not surprising. A continuous thread through the media reports, if you are looking for the root cause analysis, is poor computing practices by the companies. Now, to be fair, this is the same kind of logic that says: what were you expecting, if you were carrying a wad of cash and got mugged? “Who do you think you are, carrying money around? You’ll get mugged” isn’t much of a statement about security. Is it harmful to give LulzSec too much credence? If you accept the principle that victimizing people because you have the power to victimize them is acceptable, then you’re likely not reading this. Over the weekend LulzSec appears to have hacked Bethesda and not published the customer data, but once again this doesn’t pass the window test.
The window test of ethics is an analogy to the criminological theory of “broken windows”; I use it to examine the hacking-for-security argument. It is assumed that anybody walking down the street has the power and ability to pick up a rock and throw it through a window. Only a certain percentage of people will actually pick up the proverbial rock and throw it, creating damage. If there are broken windows that aren’t repaired, more windows get broken, and the slide of a neighborhood into dystopia occurs.
In our case the hacker group may assume or think that they are creating value by their havoc (breaking windows) and drawing attention to the issues of information security. In a similar thread they are taking a near-Keynesian view of the parable of the broken window. They have justified it, or believe, that they are benefactors by creating security incidents. This example is of limited use, as the polarized view quickly becomes apparent. On the one hand, each human exists through the death and destruction of plants and animals, and we call it nutrition. On the other hand, victimizing anybody when you have the power is nothing less than unmitigated evil. The conundrum between these points is the Robin Hood mythos.
You can take a few things away from the first part of the argument.
1. Hacking is trivial. The use of cross-site scripting, SQL injection, and other forms of penetration into networks is fairly easy with the significant number of tool suites available.
2. There is an undeniable benefit to identifying non-trivial forms of system penetration, but like fart humor, trivial hacking is at best juvenile.
3. The creators and modifiers of tool suites to test systems security can’t be over-appreciated. The elegance of a tool that does something totally unexpected by doing something as designed is purity.
We are starting to see with Anonymous and LulzSec their expansion from hacktivism as regards Wikileaks (and other issues) towards a more advanced criminal enterprise. As with the tweaking of Senate.gov and their rejoinder on cyberwar, what good does it serve? I’m left wondering what sin Bethesda or the people against Wikileaks have actually committed against the hacktivists, and if the irony of their methods is even contemplated. Consider that it could be argued a distributed denial of service is a form of repression and that, as a tool, it can only be considered an offensive weapon. A DDoS shuts down all dialog and closes off the ability to have a discussion no less than Syria or Yemen turning off the Internet for their population. Is it right to victimize people ever? Do Anonymous/LulzSec have the maturity to even recognize the damage they’ve done?
If anything, some of the arguments about computer and information security are specious. First, the argument about passwords is just about as silly as possible. Maybe a long time ago, when I didn’t have a job, didn’t have two mortgages, and didn’t have to worry about feeding myself, I could survive with a dozen or so passwords. Consider, if you will, that I have access to around fifty or sixty different websites that all have password construction requirements (capital, number, symbol, not dictionary, at least 8 characters long). That is before I get to work, where the requirements are even more varied and a minimum of 16 characters. I don’t have any choice about using the web. If I want to have banking, car loans, buy pizza for gosh sakes, or manage the healthcare for me and my children, I’m going to be doing it on the web. When and if my myriad passwords are exposed (different ones for every system) I’m screwed. I don’t even know for sure all the systems I would have to change them on. Exposing the customer data of grandma and grandpa is like cursing them out. They are not going to understand how that is helping keep their electronic data safe.
Last year my undergraduates at my former job ran John the Ripper against 400K+ DOD-spec passwords and were able to break them rapidly. Using a 500+ node computing cluster at Purdue Calumet, the final approximation of the time required would be about five hours, and perhaps less if rainbow tables were used (pre-computation of the tables wasn’t tested). Passwords simply aren’t any more of a security feature than padlocks are a security feature. They keep honest people honest and increase the work factor to keep out petty criminals. With SQL injection attacks as a low barrier to entry, the inspired hacktivist will go around the passwords at will. With over 40K current entries in the CVE, the chances that any computing system is going to be secured completely are nearing zero. Add to that a level of complexity as you apply traditional defense-in-depth strategies, and the attack surface grows exponentially while the work factor increases only linearly.
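To make the work-factor point concrete, here is an added example (not code from the post or from the class project it describes) that checks a password against the construction rules quoted above and estimates the brute-force keyspace for the 8- and 16-character minimums; the symbol set, the toy dictionary and the guess rate are assumptions chosen for illustration.

```python
import string

# Symbol set and character classes are an assumption; sites vary.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed stand-in for a real word list (John the Ripper ships far larger ones).
DICTIONARY = {"password", "welcome", "summer", "purdue"}


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """Apply the rules quoted on the page: capital, number, symbol,
    not a dictionary word, at least min_len characters.
    The dictionary check strips leading/trailing digits and symbols so
    that 'Password1!' is still recognised as the word 'password'."""
    core = pw.lower().strip(string.digits + SYMBOLS)
    return (
        len(pw) >= min_len
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SYMBOLS for c in pw)
        and core not in DICTIONARY
    )


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of candidate strings of exactly `length` characters."""
    return alphabet_size ** length


def brute_force_hours(length: int, guesses_per_second: float) -> float:
    """Hours to exhaust the full keyspace at a given guess rate
    (no wordlist or rainbow-table shortcuts, which only make it faster)."""
    return keyspace(length) / guesses_per_second / 3600


if __name__ == "__main__":
    RATE = 1e12  # assumed cluster-wide guess rate, not a measured figure
    for pw in ("Password1!", "Xq7!mRt2"):
        print(f"{pw!r} meets policy: {meets_policy(pw)}")
    for n in (8, 16):
        print(f"{n} chars: {keyspace(n):.3e} candidates, "
              f"{brute_force_hours(n, RATE):.3e} hours at {RATE:.0e}/s")
```

The two lengths differ by a factor of the alphabet size to the eighth power, which is why the 16-character work requirement matters far more than any single composition rule.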
Some takeaways from the second part of the argument:
1. Is it ethical to abuse people simply because you have the power to do so? On the Glen Beck side of the scale you have Nazi Tourettes and fascism, and on the High School Musical side of the scale you have your classic sports motif bully.
2. There is an inherent issue with the argument of trying to bring light to security issues when the people being victimized simply are not able to understand the inherent security issues. I’m not sure how you balance the mega-corporation ignorance with the uneducated user base.
3. Passwords themselves are fundamentally untrustworthy and untenable as a solution for security.
Finally, poor security practices don’t necessarily indicate poor security understanding. Any organization, whether it be LulzSec or the National Signals Agency, is composed of individuals, just as information technology environments are composed of a variety of equipment, software, and procedural solutions. You operate at the security posture of the weakest link. This unfortunately is true for the average consumer of information technology services too. You can have a great understanding of security, but that one moment of inattention because you were up until 3AM with a sick kid, or that error in a website written by the crappy PHP programmer pissed off at the company they are working for, can have similarly debilitating effects.
You simply can’t throw unlimited resources at any solution, and at some point you have to expect social restraint to protect information assets. There simply is no perfect security. This is no different than the analogy of the determined burglar. Nobody can afford to protect their home, bank, or business from the highly sophisticated adversary for very long at the physical level of security. That is why we have police who come take the report and insurance to cover the loss. What is occurring now with hacktivism is that the break-ins and losses are happening, but the consumers have no insurance (you can’t buy it even if you want it, which says something) and the police have no clue, or no resources to do something if they do. The fact is the information sphere doesn’t operate a whole lot differently than the physical realm. And, no, it isn’t a perfect analogy.
It’s Monday; I need more coffee.
4 comments for “Interesting shift in infosec”