Hitachi ID Systems Blogs

PRISM

Wednesday, June 12th, 2013

The recent disclosure by Edward Snowden about the NSA’s PRISM surveillance system has been quite interesting. It seems certain that they are collecting metadata about all phone calls that pass through US infrastructure (or perhaps even infrastructure of US domiciled telcos that is located elsewhere). There are also claims that they have access to content from major B2C cloud providers such as Facebook, Google, Microsoft and Skype.

First, was anyone seriously surprised? Surely not! The US government is in a siege mind-set and both surveillance and development of a social graph to find accomplices are reasonable approaches (never mind legality) to defend against terrorism.

Why the siege mentality? Because of the ominous terrorist threat! Never mind that the number of people killed or injured in the western world, by terrorism, is statistically indistinguishable from zero and that no government can point to any successful prevention despite billions in spending. The best the US government can point to is a few dead terrorists, thanks to the drone assassination program over Pakistan. And a lot of dead soldiers in Afghanistan and Iraq. Tragic.

So given that wire-tapping without a court order is supposed to be illegal in the US, how might the government justify the legality of this program?

One approach might be to collect all the data, store it, but only analyze any of it with a court order. Another approach might be to run analyses on the social graph, generate reports on interesting sets of people but without identifying who they are and get a secret court to approve display of identity data for the people identified in a report.

Who knows? I am not a lawyer. It’s fun to speculate, though!

So is any of this useful?

As an IT security practitioner, my first instinct is to say “yes” — i.e., it seems plausible that you would find some bad guys this way.

The trouble is, have the US feds found any bad guys? I can’t imagine politicians resisting the urge to brag about the success of this kind of effort if they actually caught someone. They haven’t really done that, so I have to conclude that the program has been a dud. Very much like the video surveillance in London – sounds good on paper, but where is the data to show that it had an impact on crime rates? (hint: there is no such data).

I’m a big believer in “if you can’t measure it, it doesn’t exist” – and extreme surveillance like PRISM or like the London camera system has yielded no measurable value, as far as I can tell.

But what about 9/11, you might ask? It’s a single event, and it could be prevented by better doors on cockpits (done). Seriously – you don’t need a TSA or DHS to prevent it. Even if you include 9/11, in objective terms, terrorism still poses a lower risk than slippery bathtubs (on average, 370 people of all ages are injured in a bathtub or shower every day in the United States).

If you accept my thesis that all this anti-terror activity is a huge waste of energy, then what effect does it actually have? Well, if the purported $200,000/year salary for high-school-educated Edward Snowden is any indication, it has an impact on the IT labor market. As does the fact that the NSA and its contractors certainly employ tens of thousands (perhaps hundreds of thousands, collectively) of talented individuals in work that has no economic benefit. This isn’t good for the US economy (diverting labor away from productive work) or for the US federal budget deficit (this isn’t cheap folks!).

Another impact is on cloud computing. While US-domiciled firms may continue to be comfortable moving their corporate infrastructure and apps to the cloud, firms domiciled elsewhere will either not feel comfortable using US-based cloud providers (such as Amazon, Salesforce, etc.) or may even be legally prohibited from doing so (I’ve heard that medical researchers in Canada cannot host their IT on US servers). This means that all the surveillance has the unintended effect of making otherwise world-leading US cloud providers uncompetitive.

Another angle on all this is that it makes US government behaviour uncomfortably similar to Chinese government behaviour. Extensive surveillance? Check! Ability to block content? Check! (The US does this with DNS take-down orders due to claimed IP violations, but still…) Did the moral high ground just make a whooshing noise as it disappeared?

What else could they monitor? Full speech-to-text of voice calls comes to mind. The technology almost certainly exists (I have heard that the Israeli government has had this capability for years). You could use the same legal cover to add this feature.

Why the fancy new data centers in Utah and Maryland? Well, if you collect this kind of voluminous data, you have to store it somewhere. Surely the telcos and cloud B2C web site companies won’t want to spend their own money to store all this data on their servers, in their facilities. Violating customer privacy is one thing. Spending big money to do so is something else again.

The US public seems to be sanguine about all this surveillance. That’s an uncharacteristic trust in government’s good intentions, quite at odds with the recent IRS abuse of power scandal. Nishant Kaushik pointed out something really smart today — Americans would likely respond quite differently if they clued in to the idea that PRISM could probably be used to create a gun owners registry. Imagine the NRA’s response! LOL.

So is this just a US problem? Well, obviously more repressive regimes like China and Russia do the same thing. I think we should assume, by default, that other Western countries (including my home in Canada) do so too. That’s gotta be the safer assumption.

That’s what comes to mind. Quite a lot. ;-) We certainly live in interesting times!

Why do you need a privileged access management system? Let me count the ways…

Friday, May 3rd, 2013

This sort of thing is distressingly common:

networkworld.com

Basically a technical guy – developer/sysadmin – didn’t get promoted, got mad, quit and then spent weeks hacking into his old workplace and causing trouble. Electronic version of old crimes: “break and enter” and “vandalism.”

With a robust system to control privileged access, the amount of damage he managed would have been far reduced…

Want to replace passwords? Try…

Monday, April 29th, 2013

Every so often, I run across discussions about the end of passwords, and what will come next. Seems like a popular topic on LinkedIn discussion forums, of late.

So why is it, really, that we’re still using passwords? We all thought they’d go away years ago, right?

It turns out that every type of credential is some sort of compromise, so let me try to capture all in one place what’s nice and what’s not so nice about every approach (in general – I won’t pick on any products here):

Passwords:
Pros:
  • Well understood.
  • Work well on any device that supports text input (which is pretty much any device, right?).
  • Nothing physical to carry that can be lost or stolen or just left at home.
  • Work both locally on the device (decrypt a key with the password as the primary key) and on the network (web forms, Kerberos, etc.).
Cons:
  • Pick a simple password, get hacked.
  • Share your password, get abused.
  • Avoid changing your password, create a comfortable time window for someone to hack you.
  • Easily forgotten, especially if they are strong/hard to guess/changed often.
  • If some app or web site implements them badly (happens often enough!), your password gets compromised along with everyone else’s. If you use the same password elsewhere, all your accounts are potentially compromised.

Other kinds of secrets:
  • PINs are just short, numeric passwords.
  • Security questions are the most common.
  • Also images that you remember, or randomly rearranged symbols where you click on your password, etc.
  • Same basic pros/cons as passwords.
  • Some methods lose the compatibility advantage, because the login form of an app has to be altered to work with them.

Biometrics:
Pros:
  • Measures something you are.
  • You can’t forget parts of yourself.
  • Often quite user friendly, and sometimes perceived as “cool.”
Cons:
  • Revocation is impossible.
  • Some technologies are not very secure. For example, fingerprint scans can be fooled by gummy bears, and voiceprints by audio playback.
  • Other technologies are just implemented poorly — looks cool, but under the covers just injects a password anyway.
  • Generally require a special sensor (fingerprint, retina, etc.) — so not compatible with all your devices.
  • If no special sensor is required, then there are extra compatibility requirements: face-print verification? Good lighting. Voiceprint verification? Usually only on the telephone, and may not work if it’s really loud around you.
  • Often does not work off-line, since the biometric database is on a server somewhere (that you can’t connect to from your airplane seat or car or …).
  • Typically 1% or 2% of users can’t use any given biometric. Amputee? No fingerprints for you! Blind? Retina may not work. Used to go diving a lot? Finger vein may not pick up. Etc.
  • Most apps are not compatible, so you either have to modify your apps or front-end authentication and then inject passwords (and we’re back to passwords again, but with the illusion of extra security).

One-time password devices:
  • Most commonly “hard” tokens like RSA SecurID and Vasco. Sometimes “soft” tokens where the special hardware is replaced by software on your phone or PC – which is more convenient but less secure.
Pros:
  • Secure against password replay attacks. Does not assume channel security between the client and server.
  • Compatible – what you type is just a string, so it looks a lot like a password, which makes integration with systems and applications relatively easy.
Cons:
  • Expensive per-user hardware (but at least no reader).
  • Some implementations have been spectacularly compromised (RSA token key material was hacked/exfiltrated, compromising 40,000,000 tokens world-wide!).
  • Nuisance for users to carry “one more thing” – which may be left at home, lost or stolen.
  • Only works while connected to the network (the authentication server is most definitely not on your PC), so useless for applications such as PC login, which should work when your laptop is somewhere without WiFi coverage.

Smart cards:
  • Usually a card, but sometimes another physical shape, like a key fob, that carries PKI certificates and possibly other key material. Notably US federal PIV cards and US DoD CAC cards – other implementations are much smaller.
Pros:
  • Can support both physical (i.e., door) and logical (e.g., PC login) access in a single device. Handy.
  • Works in off-line mode (you can sign into your PC while it’s away from any network using a smart card, something you cannot do with OTP and most biometrics).
Cons:
  • Hardware (the card) deployed to each user: costly.
  • Hardware (the reader) deployed to each user: even more costly.
  • Depends on a PKI infrastructure, which is also notoriously expensive and complex.
  • Not compatible with devices that do not have / cannot get a card reader.

Federation:
  • Sign into site A through a trust relationship with site B.
  • Many “standard” protocols such as SAML, WS-Federation and OAuth.
  • Technically, Kerberos looks a lot like federation.
Pros:
  • Convenient. Reduces login burden for users and administrative burden for IT organizations.
Cons:
  • Requires trust between domains. Want to sign into your local newspaper with your Facebook account? The newspaper has to trust Facebook to authenticate you.
  • Does not really make authentication (or even passwords) go away — it just externalizes it from one site to another. This is a good move, but not any kind of replacement / alternate authentication technology.
  • Too many standards – which ones to support?
  • Too many possibilities for who to trust – who do users want to use as an identity provider? Can we trust them?

Combinations:
  • Basically adding passwords or PINs to biometrics, OTP or smart cards.
  • More or less a given for 2 of those 3, since theft of the device (OTP/smart card) is an easy compromise.
  • Since the “extra” factor is a password or PIN, you can assume we aren’t replacing passwords or PINs any time soon.

If you find a security vulnerability and you live in the US … don’t say anything

Monday, March 18th, 2013

An interesting court verdict in the US today:

wired.com

Basically a couple of guys who, in 2010, noticed that AT&T was improperly publishing e-mail addresses of customers with iPads and who (a) collected those e-mails and (b) sent the list to the press to point out AT&T’s lapse, got slapped with jail time today.

To be clear: these guys just fetched content from the web which should not have been there. They didn’t “hack” into any system, unless I misread this.

This will doubtless have a chilling effect on security research and on reporting of security problems.

Of course, the bad guys don’t care about such rulings — it just handcuffs (literally in this case) the good guys.

Scary how powerful large corporations have become in the US – it looks like they have influence over both the legislative branch of government and the judiciary.

Date formats

Sunday, March 3rd, 2013

Just noticed this at xkcd:

I couldn’t have said it better myself. Why do people persist in weird and wacky date formats? What’s the point? Isn’t 2013-03-05 simply better, clearer, shorter, more sortable and basically superior in every conceivable way?

Do different cultures and locales really still need their own, weird, mutually-incomprehensible and obviously-not-as-good-as-ISO date formats? Really?

While we’re on the topic of attacks … awesome gadgets

Thursday, February 28th, 2013

Seems like security exploits are all the chatter these days. People tend to think of these things as anonymous, remote things, but what about if you can get (briefly) physical access to your adversary’s premises?

This would be a cool device to surreptitiously plug into their AC and wall power:

Very slick. And very dangerous. Funny that nobody talks about these things … is it because only the low-tech, user-must-have-been-duped attacks are press-worthy?

Now China claims US hacks

Thursday, February 28th, 2013

Sometimes press releases are so dumb that they are funny.

Recently, the security firm Mandiant provided a detailed analysis of systematic, industrial-scale attacks against US and other private interests by a large, government-supported, well funded Chinese military agency. This was a wonderfully interesting read because it was full of evidence, analysis, clear links to a state actor as the aggressor, estimates of the scope and duration of attacks against private sector targets and more. Brilliant stuff.

Obviously, China denied the allegations (and why wouldn’t they?). Of course, none of that detracts from the detailed and convincing evidence, so clearly the Chinese feds are just engaged in mindless damage control and PR. No big deal – that’s the sort of stuff governments do.

Forceful public denials didn’t seem to convince anyone, though, so now they have a new tactic – complain that US hackers are attacking them instead. They claim 144,000 “attacks” per month against a couple of military-related web sites.

Call me crazy, but I’m dubious. First, no evidence was provided, so who knows if the number just came out of some marketing hack’s rear end or represents anything factual?

Second, what constitutes an attack? Our corporate web site is hit by thousands of script kiddie connection attempts daily, presumably hoping to take advantage of a buffer overflow or bug in some software or other, which isn’t even installed on our site. This sort of “attack” traffic is just a normal part of the web traffic for most sites. Should we consider these connections to be “attacks” or just random “probes?” If they come from compromised machines that happen to be in the US, does that mean that “the US is attacking us?” I hardly think so.
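The paragraph above draws a line between background scanning noise and something that deserves the word "attack". The block below is an added example, not code from the original post; it shows one simple way to draw that line in web server logs: a source whose every request is a 404 against software the site does not run is filed as a probe, a source that reaches real resources and then repeatedly fails authentication is flagged for a closer look, and everything else is normal. The log lines are constructed samples in Apache combined format using documentation address ranges, and the `auth_fail_threshold` parameter and the three labels are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Feb/2013:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [28/Feb/2013:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [28/Feb/2013:10:01:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "-"
198.51.100.23 - - [28/Feb/2013:10:05:10 +0000] "GET /products HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Feb/2013:10:05:11 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Feb/2013:10:05:12 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Feb/2013:10:05:13 +0000] "POST /admin/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Feb/2013:10:07:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Feb/2013:10:07:05 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(log_text: str):
    """Yield (ip, method, path, status) for each well-formed combined-format line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))


def classify_sources(log_text: str, auth_fail_threshold: int = 3) -> dict:
    """Label each source address as 'probe', 'targeted' or 'normal'.

    probe:    every request from the source hit a resource that does not exist
              (mass scanning for software we do not run).
    targeted: the source reached real resources and failed authentication
              at least `auth_fail_threshold` times.
    normal:   anything else, including the odd 404 from a real visitor."""
    stats = defaultdict(lambda: {"total": 0, "missing": 0, "auth_fail": 0})
    for ip, _method, _path, status in parse(log_text):
        s = stats[ip]
        s["total"] += 1
        if status == 404:
            s["missing"] += 1
        elif status == 401:
            s["auth_fail"] += 1

    verdict = {}
    for ip, s in stats.items():
        if s["auth_fail"] >= auth_fail_threshold:
            verdict[ip] = "targeted"
        elif s["missing"] == s["total"]:
            verdict[ip] = "probe"
        else:
            verdict[ip] = "normal"
    return verdict
```

Counting only the "targeted" bucket, rather than every connection attempt, is the difference between a meaningful number and the kind of headline figure the press release quotes.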

So clearly the Chinese government’s public relations hacks are behaving like children, as you would expect them to:

  • They don’t seem to know what an “attack” is.
  • They don’t seem to understand the value of “evidence.”
  • They are engaging in a transparent effort to save face, after having been caught with their hand in the cookie jar.
  • They cannot seem to differentiate between “state actors” and “IPs registered in that jurisdiction.”
  • Of course, they have provided no evidence that Mandiant’s report is in any way untrue. Think about it — if that report was wrong, they could just march some reporters from the BBC or CNN or something into the building where the operation is purported to be taking place and show them that there are no hackers here. Easy, case closed, Mandiant would have egg on their face. What? They haven’t done that? Surprise, surprise!

The discussion above is not meant to imply, by the way, that the US military does not engage in “cyber warfare” — just that they are much more sophisticated and effective than this silly press release suggests. Think Stuxnet, not script kiddie. I’m not sure that they target China much either. Probably not enough Chinese-speaking US hackers to do that effectively. I think they are much more concerned with military and nuclear targets in Iran than Chinese commercial interests.

Watch the strength of your authentication…

Friday, February 22nd, 2013

I just heard about an organization – who shall remain nameless to save them embarrassment and reduce their risk exposure – who is seriously considering doing the following:

  • Eliminate security question enrollment and authentication using security questions from their internal, corporate password reset system.
  • Instead, ask each user to enroll their personal e-mail address (i.e., @gmail.com, @yahoo.com, etc.)
  • If a user forgets their corporate AD password, send a PIN to their personal e-mail address that will then be used as the sole form of authentication.

Now maybe you’ve been living under a rock, but it seems to me that a bunch of consumer-facing web sites have been hacked in the past year or two. That means that this organization would lower the security of their corporate systems and applications to the security of public e-mail systems, which are vulnerable to phishing, keylogging attacks, DNS poisoning attacks, cookie stealing attacks, PC malware and who knows what else.

In short, no security at all.

I’m amazed that any corporation would consider such a thing.

Chinese hacks, US hacks

Thursday, February 21st, 2013

Much has been made in the past couple of days of the report put out by Mandiant which links a bunch of recent, high profile security attacks to a group of Chinese hackers that are presumably a part of the People’s Liberation Army (PLA) — i.e., the Chinese military.

The report is here by the way — and it’s a very interesting read. Recommended.

Anyways, people are treating this as though it’s shocking new information. Really? You didn’t know that the Chinese state spies on foreign entities, principally corporations, to gain commercial advantage? I would think that’s well known and unsurprising.

At the same time, people treat this as though it’s only the Chinese doing it. One of the largest government agencies in the US is the National Security Agency (NSA). What do you imagine they do for a living?

More than that – we should think about the nature of cyber warfare. The Chinese, from recent experience, are really interested in just two things:

  • Criticism of their leadership, and in particular the interesting ways in which their families accumulate extreme wealth.
  • Commercial information — intellectual property, pricing information, plans for take-overs, mineral development, etc.

So what does the US focus on? It seems they’re more interested in traditional targets for spying — foreign governments and military agencies. Interestingly, the US does something in the cyber warfare space that no other government seems to do (yet?), and that is to deploy an offensive capability. Worms such as Stuxnet have been spectacularly successful at delaying Iran’s ability to refine weapons-grade uranium, and represent a capability and military policy totally unlike China’s.

So what do we take away from all this?

  • Yes, just as everybody already knew, and despite the totally non-credible denials, China’s military engages in espionage on an industrial scale.
  • China’s hacks are focused on fairly mundane stuff: IP theft, commercial intelligence and protecting the reputations of their leadership.
  • The US, in contrast, has a conventional espionage regime, targeting governments and military agencies.
  • Also unlike China, the US both possesses and has deployed an offensive cyber-warfare capability.

It may only be a matter of time before other players engage in the offense or emulate China’s commercially-oriented spy tactics.

We live in interesting times.

Do you really need that second account?

Wednesday, February 20th, 2013

We do a lot of Identity Manager deployments, and the standard operating procedure (SoP) of most of our customers seems to be to provision a second, privileged account for many IT workers. The thinking here is decades old — users should sign in with their normal, unprivileged account for day-to-day work and only use their privileged account for administrative tasks. This reduces risk, because if the user in question makes a mistake while signed in with their normal account, the amount of harm that may ensue is limited.

That’s all well and good – it made perfect sense in an environment where security rights are assigned to a user persistently, without a time domain component. These days, however, we have products such as Hitachi ID Privileged Access Manager, and doubtless others. Using software in this category, it becomes possible to temporarily grant a user membership in privileged groups (e.g., Domain Administrators and the like), for just long enough to complete a task. That means that a user’s normally unprivileged account can be made privileged for a short time period. This approach has audit benefits — we can track not only who has admin rights, but when and for what purpose.

If this approach is used, going back to the notion of two accounts per user, we should ask ourselves: do IT workers such as system administrators still need that second, privileged account?

I think the answer is “no” – temporary privilege escalation is a cleaner, more transparent and easier to manage solution.

So let’s stop creating these admin IDs, and instead focus on controls around and audit records of privilege escalation.
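To make the "temporary membership plus audit trail" idea concrete, the block below is an added example, not code from the original post and not the Hitachi ID Privileged Access Manager API. It models a broker that adds a user's everyday account to a privileged group for a bounded interval with a recorded reason and approver, sweeps expired grants, and can answer both "who is an admin now?" and "who was an admin at 10:15?" from the audit log. The `JitPrivilegeBroker` class, the one-hour cap and the ticket number are this example's own constructed values; the group name is only a label here.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    user: str
    group: str
    reason: str
    approver: str
    granted_at: datetime
    expires_at: datetime


class JitPrivilegeBroker:
    """Time-boxed privileged group membership (example model, not a product API).

    Instead of a standing second admin account, the ordinary account is placed
    in the group for a bounded window. Every grant and revoke is appended to an
    audit log, so the log answers not only who has admin rights but when and why."""

    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.max_duration = max_duration
        self.active: list[Grant] = []
        self.audit: list[dict] = []

    def request(self, user: str, group: str, reason: str, approver: str,
                duration: timedelta, now: datetime) -> Grant:
        # A reason and an upper bound on the window are what make the record useful.
        if not reason.strip():
            raise ValueError("a reason is required for the audit record")
        if duration > self.max_duration:
            raise ValueError(f"requested {duration} exceeds the cap of {self.max_duration}")
        grant = Grant(user, group, reason, approver, now, now + duration)
        self.active.append(grant)
        self.audit.append({"event": "grant", **asdict(grant)})
        return grant

    def expire(self, now: datetime) -> list[Grant]:
        """Revoke every grant whose window has closed (run this from a scheduler)."""
        ended = [g for g in self.active if g.expires_at <= now]
        self.active = [g for g in self.active if g.expires_at > now]
        for g in ended:
            self.audit.append({"event": "revoke", "user": g.user,
                               "group": g.group, "at": now})
        return ended

    def effective_groups(self, user: str, now: datetime) -> list[str]:
        """Privileged groups the user holds right now, after sweeping expired grants."""
        self.expire(now)
        return sorted({g.group for g in self.active if g.user == user})

    def who_held(self, group: str, at: datetime) -> list[str]:
        """Audit query: every user whose grant window covered the instant `at`."""
        return sorted({e["user"] for e in self.audit
                       if e["event"] == "grant" and e["group"] == group
                       and e["granted_at"] <= at < e["expires_at"]})


if __name__ == "__main__":
    # Constructed walk-through: a 30-minute grant, then a look back after it expired.
    t0 = datetime(2013, 2, 20, 9, 0, tzinfo=timezone.utc)
    broker = JitPrivilegeBroker()
    broker.request("alice", "Domain Admins", "CHG-1234: patch domain controller",
                   "bob", timedelta(minutes=30), t0)
    print(broker.effective_groups("alice", t0))
    print(broker.who_held("Domain Admins", t0 + timedelta(minutes=10)))
    print(broker.effective_groups("alice", t0 + timedelta(minutes=45)))
```

The point of passing `now` explicitly is that the revoke sweep is deterministic and testable; in production the same method runs from a scheduler against the directory, and the audit log is what the two-account convention never gave you.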