The Fallacies of Network Security

Started by Netwörkheäd, May 07, 2015, 07:54:51 AM


hizzo3

Quote from: AspiringNetworker on May 19, 2015, 11:37:34 AM
Quote from: hizzo3 on May 19, 2015, 10:22:22 AM
Your car isn't much different. Look at all the problems with CAN bus. I was looking at writing an app for Cadillac's CUE system and the EULA was so bogged down with don't do this or don't try that that I gave up. Apparently it can access the car's 'LAN' and pull info about the car's performance. All of us here know if you can read, then you're only an injection away from writing on something without authentication.

Agreed, but a car doesn't carry nearly the number of innocent people in it, and in a crash, I'd wager the survival rate is higher in a car than a plane. That's my issue with this airline thing... not to mention the ability to dive-bomb a plane into a building....

Say that about the tanker truck of JP9 heading down a major freeway. Car tech and semi tech are rarely different. In fact, many will use the exact same ECU with different parameters in the same software revision. My car runs an E67 ECU which is currently set up for an I4... But a change of one parameter will let it run an LS3/LS9 motor.

Or even worse, with this concept of OTA updates that is new to come, imagine a trigger of full throttle to all vehicles of a make and model at a given time.

When you are talking security holes, those with ill intent are usually pretty apt at connecting the dots with something more dangerous than a single Ford Fiesta with a baby on board placard.

NetworkGroover

Quote from: hizzo3 on May 19, 2015, 03:47:51 PM
Quote from: AspiringNetworker on May 19, 2015, 11:37:34 AM
Quote from: hizzo3 on May 19, 2015, 10:22:22 AM
Your car isn't much different. Look at all the problems with CAN bus. I was looking at writing an app for Cadillac's CUE system and the EULA was so bogged down with don't do this or don't try that that I gave up. Apparently it can access the car's 'LAN' and pull info about the car's performance. All of us here know if you can read, then you're only an injection away from writing on something without authentication.

Agreed, but a car doesn't carry nearly the number of innocent people in it, and in a crash, I'd wager the survival rate is higher in a car than a plane. That's my issue with this airline thing... not to mention the ability to dive-bomb a plane into a building....

Say that about the tanker truck of JP9 heading down a major freeway. Car tech and semi tech are rarely different. In fact, many will use the exact same ECU with different parameters in the same software revision. My car runs an E67 ECU which is currently set up for an I4... But a change of one parameter will let it run an LS3/LS9 motor.

Or even worse, with this concept of OTA updates that is new to come, imagine a trigger of full throttle to all vehicles of a make and model at a given time.

When you are talking security holes, those with ill intent are usually pretty apt at connecting the dots with something more dangerous than a single Ford Fiesta with a baby on board placard.

Closer, but I still don't see the two as the same. No point arguing about it though. I just hope, and I'm sure there are, that just like on a car/truck/whatever, there are manual means of overriding a command sent maliciously - like on a car/truck you have brakes/emergency brake... dunno what you have on a plane, but I'm sure there's something.
Engineer by day, DJ by night, family first always

deanwebb

Air brakes. Duh.  :P

However, there aren't a lot of easy fixes for something like a nuclear power plant. Definitely do NOT want to see little devices that can make big problems get into THAT environment. :eek:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

hizzo3

Just slip it into neutral, turn the key to off (push button doesn't work, must be a mechanical key), then coast to the nearest cloud. Wait, you mean Mario walking on clouds can't happen in real life?

NetworkGroover

Quote from: deanwebb on May 20, 2015, 12:59:49 PM
Air brakes. Duh.  :P

However, there aren't a lot of easy fixes for something like a nuclear power plant. Definitely do NOT want to see little devices that can make big problems get into THAT environment. :eek:

God no - thankfully I think (hope?) that was identified a long time ago as a major threat, so I'm sure (hope?) that all that can be done there is being done...

deanwebb

Quote from: AspiringNetworker on May 21, 2015, 11:37:02 AM
Quote from: deanwebb on May 20, 2015, 12:59:49 PM
Air brakes. Duh.  :P

However, there aren't a lot of easy fixes for something like a nuclear power plant. Definitely do NOT want to see little devices that can make big problems get into THAT environment. :eek:

God no - thankfully I think (hope?) that was identified a long time ago as a major threat, so I'm sure (hope?) that all that can be done there is being done...

:yuno:
Y U NO MAKE MY REACTORS SECURE?

These guys get to have 30-day advance notice of "surprise" inspections. Honestly, the fact that there *haven't* been major attacks on these guys leads me to conclude (REDACTED DUE TO POLITICAL COMMENTS THAT REQUIRE TINFOIL HEADGEAR TO PROPERLY ACCEPT). I mean, really, all anyone would have to do would be to (HIGHLY ILLEGAL THING), followed by (ANOTHER HIGHLY ILLEGAL THING) and then, just like that, the headlines would read "(HIGHLY ILLEGAL AND DISASTROUS CONSEQUENCES OF AFOREMENTIONED HIGHLY ILLEGAL THINGS)!" So why hasn't more of that already happened?

Without discussing the methods that would be used to compromise security at nuclear reactors, LNG storage facilities, or other multi-megaton civilian gear in the USA, take a look at what would be needed somewhere with much less stringent requirements, followed even more laxly than the USA follows its requirements. Look at a nation's rate of industrial accidents and compare that to the USA's number, and that gives one an idea of how much more likely an incident at a nuclear or other major energy facility would be.

State actors would be less likely to try and penetrate US resources because they know that the USA would nuke 'em good and hard if they pulled a stunt like that... it's in the "act of war" category, and they're not ready to go there just now. But non-state actors seem fixated on pipe bombs and small-arm fire for now.

Sadly, security is in such a state that it won't be until the day *after* a non-state actor decides to target a system with destruction in mind - and then successfully pulls that off - that firms will decide to be much more serious about security. Even then, profits will still trump security - Blue Cross just had its second major hack made public in less than a year, and that means it's also the second time in less than a year that they've said that no major data was breached, it was an advanced attack, they are taking steps to minimize the damage and to close the holes, and that they've called in Mandiant.

Now, for state actors, it's a different thing. The Spratly Island thing just heated up more with Indonesia blowing up a Chinese fishing boat there and China setting up beacons to declare territorial sovereignty there. If we used that and aggression over the Senkakus to actually go to war with China, imagine how many of their grad students at major US research universities will turn out to be sleeper agents for the PRC... and then add to that number the *active* agents among Chinese national grad students, and they've basically got a forward-deployed fifth column that could rain hell on the USA's research and technological infrastructure.

deanwebb

Codified the fallacies and updated the OP.

deanwebb

Effects of the Fallacies
1. Ignorance of network security leads to poor risk assessment.
2. Lack of monitoring, logging, and correlation hampers or prevents forensic investigation.
3. Failure to view competitors and users with some degree of suspicion will lead to vulnerabilities.
4. Insufficiently deep security measures will allow minimally sophisticated penetrations to succeed in ongoing and undetected criminal activity.


deanwebb

Gonna bump this after RSA...

Last year, a regional dam in the USA got hacked - someone left an RDP host exposed to the Internet with a username Admin and no password... and a group of hackers basically:

1. Did a port scan and picked up an IP address of something listening to port 3389
2. Tried logging in with admin and no password for lulz
3. Laughed their butts off when that worked
4. Started clicking around in "DAMCONTROL.EXE" so that they could get familiar with dam control software

It's not that they were determined to hack that particular dam, which was a very, very minor dam, barely an improvement over a beaver dam, but that they were determined to hack whatever they discovered on the other side of port 3389. Now that group has some intel, screenshots, and maybe even recorded desktop video of what some US dam control software looks like. That, in turn, might enable or embolden some other group that purchases that info to take a crack at a bigger dam and to actually try to do some damage.

Kind of like what happened in Ukraine last year when a group shut down three power relay stations, cutting off power to about 300,000 Ukrainians. The group also shut down the phone service for the Ukrainian power company. The company recovered by falling back to manual controls and is not yet back to full capacity. They're lucky that the group didn't run commands to damage or destroy physical equipment, which they could easily have done. And how did this group get in? Say hello to another unsecured RDP connection exposed to the Internet.

Then there was the recent hack at the New York Federal Reserve, in which $100 million was transferred from the Central Bank of Bangladesh's account there to a bunch of casinos in the Philippines. That's what got out - the hackers tried to move $800 million. Government of Bangladesh is furious and accuses the NY Fed of having an insider or group of insiders that approved the highly unusual transactions. I believe that the Government of Bangladesh is correct in its accusation.

All of these are "minimally sophisticated penetrations" that resulted in major daaaaaaaaaaaaaaaaaaaaaaaamn!

It's like I can study for the CISSP just by reading news stories...
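The dam and Ukraine stories above both turn on the same two things: RDP reachable from the Internet, and nobody correlating the logon events that an exposed host produces. The following is an added example, not code from the forum post or from any of the organizations mentioned, showing what the "lack of monitoring, logging, and correlation" fallacy looks like when you fix it at the cheapest possible level. It assumes a simplified one-line rendering of Windows Security events (EventID 4624 = successful logon, 4625 = failed logon, LogonType 10 = RemoteInteractive, i.e. RDP); the sample lines are constructed, and the 203.0.113.0/24 documentation range stands in for a public source address. The internal-address list and the guessing threshold are assumptions to tune for your own network.

```python
"""
Correlate RDP logon events for the exposed-host pattern: a burst of
failed RemoteInteractive logons from one Internet source, followed by a
successful one. Sample data below is constructed, not from a real system.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample events in a simplified one-line rendering of Windows
# Security log records (4624 = logon success, 4625 = logon failure,
# LogonType 10 = RemoteInteractive/RDP). 203.0.113.9 is a documentation
# address used here as a stand-in for an Internet source.
SAMPLE_EVENTS = [
    "2016-03-01T02:14:07Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.9",
    "2016-03-01T02:14:09Z EventID=4625 LogonType=10 Account=admin Source=203.0.113.9",
    "2016-03-01T02:14:11Z EventID=4625 LogonType=10 Account=root Source=203.0.113.9",
    "2016-03-01T02:14:13Z EventID=4625 LogonType=10 Account=guest Source=203.0.113.9",
    "2016-03-01T02:14:15Z EventID=4625 LogonType=10 Account=operator Source=203.0.113.9",
    "2016-03-01T02:14:18Z EventID=4624 LogonType=10 Account=Admin Source=203.0.113.9",
    "2016-03-01T08:30:00Z EventID=4624 LogonType=10 Account=jsmith Source=10.20.1.15",
    "2016-03-01T08:31:42Z EventID=4624 LogonType=3 Account=svc-backup Source=10.20.1.40",
    "2016-03-01T09:02:10Z EventID=4625 LogonType=10 Account=jsmith Source=10.20.1.15",
    "garbage line that does not parse",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"Account=(?P<acct>\S+)\s+Source=(?P<src>\S+)$"
)

# Assumed "internal" space: RFC1918 plus loopback and link-local. Anything
# else is treated as Internet-facing exposure. Adjust for your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_event(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["eid"] = int(d["eid"])
    d["lt"] = int(d["lt"])
    return d


def is_external(addr):
    """True when the address is outside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Successful RDP logons from outside. One hit proves 3389 is reachable
    from the Internet, whoever the account belongs to."""
    return [(e["ts"], e["acct"], e["src"]) for e in events
            if e["eid"] == 4624 and e["lt"] == 10 and is_external(e["src"])]


def rdp_guessing_sources(events, threshold=5):
    """Sources with at least `threshold` failed RDP logons: the 'try admin
    with no password for lulz' phase shows up as a short burst of 4625s."""
    fails = Counter(e["src"] for e in events if e["eid"] == 4625 and e["lt"] == 10)
    return sorted(src for src, n in fails.items() if n >= threshold)


def guess_then_success(events, threshold=5):
    """Correlation: a guessing source that then gets a 4624/type 10. This is
    the dam sequence, and the one worth paging on rather than just logging."""
    guessers = set(rdp_guessing_sources(events, threshold))
    return [(e["ts"], e["acct"], e["src"]) for e in events
            if e["eid"] == 4624 and e["lt"] == 10 and e["src"] in guessers]


def analyze(lines, threshold=5):
    """Run every check over raw log lines; unparseable lines are skipped."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    return {
        "parsed": len(events),
        "external_rdp_logons": external_rdp_logons(events),
        "guessing_sources": rdp_guessing_sources(events, threshold),
        "guess_then_success": guess_then_success(events, threshold),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(key, value)
```

The point of the third check is that neither half is interesting alone: failed logons from the Internet are background noise on any exposed host, and a successful type 10 logon from an unfamiliar address could be an admin on hotel Wi-Fi. The same source doing both inside a few seconds is the event the dam operator never saw, because nothing was joining the two.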