Computer security story
NPR has this story:
The hacktivist group Anonymous is at it again. This time, it has humiliated an Internet security firm that threatened to out the group’s hierarchy.
If you remember, Anonymous has been in the news, first, because in support of WikiLeaks, it undertook cyberattacks that brought down the websites of Visa and Mastercard. Second, because it brought down the sites of some government entities in Egypt and helped the anti-government protesters with technical help. Third, because as NPR’s Martin Kaste reported, the FBI is hot on the group’s heels.
Today, the website ArsTechnica ran a piece that details how Anonymous methodically went after HBGary Federal’s digital infrastructure. Earlier this month, HBGary Federal’s CEO Aaron Barr said the company, which specializes in analyzing vulnerabilities in computer security for companies and even some government agencies, had undertaken an investigation of Anonymous and had used social media to unmask the group’s most important people.
Barr said an HBGary representative was set to give a presentation at a security conference in San Francisco, but as soon as Anonymous got wind of their plans, it hacked into HBGary’s servers, rifled through their e-mails and published them to the web. The group defaced HBGary’s website and published the user registration database of another site owned by Greg Hoglund, owner of HBGary.
Amazingly, reports ArsTechnica, Anonymous managed all this by exploiting easy and everyday security flaws. …
If even professional security firms are this vulnerable, I hate to think what will happen when the cyber war really starts.
Clearly, except for a tiny minority of super-conscientious experts, humans aren’t capable of maintaining the level of knowledge and especially discipline necessary to keep the computers they operate reliably secure. On several occasions, I’ve seen hilarious instances of super-smart people with advanced degrees in computing, some of them even security experts, leaving their machines or data wide open to intrusion by some petty accidental oversight.
This isn’t limited to computers, of course. For example, Richard Feynman’s stories of his hobbyist safe-cracking provide some amusing examples from a previous era. The only way to force people to maintain discipline in security is the old-fashioned military way, but this requires draconian penalties (up to and including the death penalty) for petty negligence.
On the other hand, it can be argued that most people’s negligence in computer security is quite rational, in that additional marginal benefit from added security effort wouldn’t be worth the (internalized) cost. See e.g. C. Herley, “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users.” (Ungated link here.)
My father used to do work for a company that made him change his password every two weeks and wouldn’t let him reuse any of the last ten passwords he used. As a result, he resorted to writing down the password and taping it to his laptop so he could remember what the current password was—and made a point of it to the IT department.
If I had to do that I’d just incorporate the date into the password somehow and otherwise leave it the same.
If he had stored the paper in his wallet rather than on the laptop, I would have said that he handled the situation very well. For most people, the physical security afforded by their wallet is more than sufficient to safely store passwords. HBGary Federal would certainly have been better off if Aaron Barr and Ted Vera had used better passwords but written them down.
Telling people to never write down their passwords probably does more harm than good. Many people have too many passwords that change too often to legitimately expect them to be able to memorize them all. And when they do write them down, they have never been told that their wallet is a safer place to store them than under their keyboard.
My father and I eventually came up with a better system: he came up with a list that had enough passwords that he could reuse the first one after the last one on the list expired, and then taped to his laptop a list that had about half of each password on it. He would then put a little pencil mark next to whatever password hint corresponded to the password he was using at the time.
One thing I find fascinating is people’s occasional ingenuity in getting around password strength requirements. For example, faced with the requirement that the password can’t be the same as their name or username, sometimes they’ll figure out what is the smallest change that will make it acceptable (like e.g. leaving out the last letter), and use that.
(Come to think of it, the very fact that I know all this also says something by itself.)
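The workarounds described in this thread (dropping the last letter of the username, appending a date or a counter, rotating through near-identical passwords) are exactly what a naive "not equal to username / not in last ten" check fails to catch. Below is an added example of a change-time check that compares a normalized form of the new password against the username and any previous passwords by edit distance; it is not code from the original post or from any commenter, and the 12-character minimum, the edit-distance threshold of 4, the leet-speak mapping and the sample usernames and passwords are all assumptions made for the example.

```python
"""Added example: reject near-duplicate password changes.

Not from the original post or any commenter. Thresholds, the leet-speak
mapping and the sample inputs are assumptions chosen for illustration.
"""
import re

MIN_LENGTH = 12     # assumed policy: at least 12 characters
MIN_DISTANCE = 4    # assumed policy: at least 4 edits away from username/old passwords


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values mean 'nearly the same string'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Canonical form used for similarity checks.

    Lowercases, strips leading/trailing digits, underscores and punctuation
    (the 'Password1' / 'Vladimir_' pattern), then undoes common leet
    substitutions so 'P@ssw0rd!' and 'password' compare as equal.
    """
    s = pw.lower()
    s = re.sub(r"^[\W\d_]+", "", s)
    s = re.sub(r"[\W\d_]+$", "", s)
    # assumed mapping: 0->o 1->l 3->e 4->a $->s @->a !->i
    return s.translate(str.maketrans("0134$@!", "oleasai"))


def looks_like_date(pw: str) -> bool:
    """True if the password carries a 4-8 digit run that starts or ends in a
    plausible year (19xx or 20xx), e.g. 20110215 or 150211."""
    for m in re.finditer(r"\d{4,8}", pw):
        digits = m.group()
        for yr in (digits[:4], digits[-4:]):
            if 1900 <= int(yr) <= 2099:
                return True
    return False


def check_new_password(new_pw: str, username: str, previous: list[str]) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    `previous` holds cleartext passwords to compare against. In a real
    deployment that is normally just the current password, which the user
    types at change time; a stored history of hashes can only catch exact
    reuse, not near-duplicates.
    """
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = normalize(new_pw)
    if edit_distance(core, normalize(username)) < MIN_DISTANCE:
        problems.append("too similar to username")
    if any(edit_distance(core, normalize(old)) < MIN_DISTANCE for old in previous):
        problems.append("too similar to a previous password")
    if looks_like_date(new_pw):
        problems.append("contains a date")
    return problems


if __name__ == "__main__":
    # Constructed sample changes mirroring the thread's workarounds.
    cases = [
        ("Vladimir_", "Vladimir", []),                          # username plus one character
        ("Vladimi", "Vladimir", []),                            # username minus last letter
        ("CorrectHorseBattery2", "jsmith", ["CorrectHorseBattery1"]),  # counter bumped
        ("CorrectHorse20110215", "jsmith", []),                 # date folded into password
        ("tape-it-inside-my-wallet", "Vladimir", ["CorrectHorseBattery1"]),  # accepted
    ]
    for pw, user, prev in cases:
        print(f"{pw!r:30} -> {check_new_password(pw, user, prev) or 'OK'}")
```

The check only works at change time, when the old password is available in cleartext; it says nothing about whether the accepted password is actually strong, only that it is not a trivial mutation of something the system already knows.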
You need to change your password. I checked it and you’re using the wrong one. Set it to “Vladimir_”—make sure to use the capital letter and underscore so it will be more secure.
If you think that’s terrifying, you should see how easy it is to steal, rape and murder.
It’s not that hard to kill most people, but it’s usually pretty hard to kill someone without getting caught.
Killing most people would be tough! I suspect I’d be stopped well before reaching .0001% of people, myself.
Have you ever actually tried?
Don’t get me wrong, I’ve not actually tried to kill anyone either, but I’ve thought about the pragmatics of it, and I don’t think premeditated murder is actually prohibitively difficult to get away with. I’m pretty sure it’s more of a psychological barrier than anything else.
Really? One in three murders in the U.S. goes unsolved.
http://www2.fbi.gov/ucr/cius2009/data/table_25.html
jdinkum:
That’s not a good number to base your calculations on. Getting away with any crime nowadays is extremely difficult if the police and prosecutors are willing to invest significant resources in investigating and prosecuting it. How much they’ll be willing to invest depends heavily on all sorts of circumstances, even when it comes to the most serious crimes.
In particular, murders and other violent crimes are investigated far more vigorously if committed in a respectable environment, in a way that makes high-status people feel unsafe.
It’s still hard enough that we can’t build autonomous machines for doing it, the way we have been able to for decades for computer intrusion.
My point was one about social transgression rather than orders of scale.
Mine was that humans are sensitive to social bounds, even when breaking them, while machines are utterly oblivious to them. Society stays together since most people don’t steal and murder, despite theft and murder being rather easy to do for anyone determined to, but if someone could build swarms of self-replicating murder-bots, we might want to rethink the physical security thing a bit.
Computer users who don’t care about security using the logic of them being uninteresting targets and there being few crooks often end up having their machines automatically infected to serve a botnet.
Also of note is that, for some individuals at least, anonymity fosters deindividuation, which removes social inhibitions that would prevent such social transgressions. Deindividuation actually does have benefits (in some circumstances it can lead to more altruistic morals), but the dangers thereof are important to bear in mind as well.
I had no idea human-generated computer networks were this insecure. Maybe I should try hacking instead of debating apes.
Undiscovered software vulnerabilities are worth many thousands of dollars on the right market.
Speaking of HBGary, their collection of 0-days is apparently a major reason they could charge 60k for their standard rootkit and could plan to charge up to 240k for their new rootkit: http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars
I thought it already had...
HBGary did confess to firing the CMS company that created the vulnerabilities. Apparently they didn’t do it themselves.
At a very high level, the problem is almost intrinsic; it is very difficult to stop a determined attacker given the current balance between defensive and offensive capabilities. A strong focus on hardening only makes it expensive, not impossible.
That said, most security breaches like the above are the result of incompetence, negligence, ignorance, or misplaced trust. In other words, human factors. Humans will continue to be a weak link across all of the components involved in security. There comes a point where systems are sufficiently hardened at a technical level that it is almost always easiest to attack the people that have access to them rather than the systems themselves.
How come nobody has pointed out the absurd ignorance of how Anonymous works evident in this? Anonymous isn’t a coherent group with a leadership or shared goals; it’s just a Smart Mob.
This misrepresentation is fairly standard in media coverage of Anonymous; it seems like they want to avoid the concept of decentralized organizations for some reason. Maybe it’s uncomfortable for people to think that a disorganized mob is collectively smarter than they are?
Well there are operators on the IRC channel. And hacktivist Anonymous is mostly IRC anonymous, not 4chan anonymous.
The constant small-scale break-ins and attacks, like this one, serve to constantly drive up security on the internet as every tiny new exploit is immediately valuable, and the results are widely publicised. This makes it less likely that a single big attack could have a very large impact.
This is the opposite of what happens when someone builds a dam that can hold back 99% of floods, so people get lazy, and then when a top-1% flood comes along it is much more catastrophic than if the dam had never existed.
I’d just like to point out that “anonymous” is a pre-existing term for all people who choose not to identify themselves, so any time a journalist says “anonymous” did something they are merely professing their own ignorance, regardless of whether the A is capitalized or not. That said, the term seems to have become popular among a particularly low-status sort of person, so I advise everyone to use pen names and explain their unidentifiability in complete sentences.
http://en.wikipedia.org/wiki/Anonymous_%28group%29
Anonymous is an actual group. Members think of themselves as members of Anonymous.