Dissecting a Cyber Security Warning

My wife and I were watching the 700 club show recently and they did a piece about cyber security. The article and video can be found here.

The guest on the show describes a number of cyber threats before recommending his book as a way to know how to protect yourself from them. I haven’t read the book, so I can’t comment on its content, but let’s break down some of the “cyber threats” he describes:

1. Attacks on our electric grid

2. A cyber hacking unit which is “the most sophisticated perhaps in the world”

3. Cyber attacks on stock exchanges (“They could just hack into it. They’ve hacked the NASDAQ multiple times, they’ve hacked the NYSE, they’ve hacked the Navy, the White House, the NSA, you name it.”)

4. That we have no way of preventing the stock exchange from being shut down; we just have to be ready to bring it back up

5. High frequency trading algorithms that could crash any exchange in the world (“He walked out with high frequency trading algorithms” “Those are the computers that trade continually”)

As a side note, he described someone as “walking out with algorithms” as though they were candy bars you could shoplift. Algorithms are ideas, like recipes. They can be written down, but they can also be explained to someone who would then just know them.

6. The Associated Press Twitter feed hack that claimed the White House had been struck, which caused the stock market to drop

7. EMP from a nuclear bomb that would “shut everything down” (“You could be isolated and alone, and you wouldn’t know what to do”)

Now that is a lot of topics, covering a broad range of ideas and threats. It sounds very scary, but there are a number of red flags that come up for me when listening to this.

Fast transitions between unrelated topics and threats
We start with “high frequency trading algorithms” and then jump to hijacking a Twitter account and doing some social engineering. Those are very different things. They are related because they involve stock markets, but they require different skill sets and talents. These kinds of transitions make things seem connected and sound scary, but unless some evidence of a connection is explained, it’s usually less concerning than it may sound.

Dramatic terminology
Here I’m referring to the line about being “isolated and alone and not knowing what to do” or the line in the opening about “effecting the average American’s retirement account”. These are emotional appeals, not factual or logical appeals. Loneliness or financial security from a retirement account are big emotional deals, but unless someone can explain specifically what the threat to those things is, you probably shouldn’t react emotionally to the information.

This also applies at some level to the targets he described. Supposedly our enemies have simply hacked into the NSA, the White House (what does that mean, exactly? Computers inside the White House, perhaps? Obama’s Facebook, maybe?), and a number of other high profile targets. But no details are given. These are all very patriotic targets that generate an emotional response.

The threat descriptions end with a sales pitch
My favorite hashtag (that apparently only I use) is #iquestionyourmotives. Any time that someone uses emotional appeals and then offers to sell you something, take a step back and find a third party to discuss it with.

The author’s area of expertise
The author is probably a brilliant man, but if you look at his qualifications he is an economist, not a security expert or even a computer scientist. I’m not saying he doesn’t know things about those fields, but just like you should take any financial advice I give with a grain of salt, we should probably take his cyber security warnings with a grain of salt as well.

Generalized Statements of Impossibility
Any time someone says there is no way to do something involving a computer, it should throw up a red flag. Of course we have methods of preventing attacks on different stock exchanges, just like we have methods of preventing attacks on anything else (IPS/IDS, firewalls, SIEM, anti-virus, etc.).

There are other red flags for me, but that’s all I’ll list.

This is very good reporting. It is interesting and exciting to watch, and the guest is an excellent speaker. But it is not good education. It doesn’t present actual examples of attacks or vulnerabilities, and it doesn’t point people towards accessible resources that can be used to improve the situation. Rather than trying to panic the public with dramatic terms that may or may not mean anything, we are better off educating them to be concerned about things that are actually threatening.

Groovy: Know Thine File I/O

Groovy is the topic of the day! And specifically Groovy file I/O.

As a disclaimer, I’m lazy with my file I/O. As lazy as I can be. Which is why I love left shift (<<) in Groovy. You don’t have to worry about streams, opening or closing files, nothing. Groovy goodness takes care of it all for you. But as with most syntactic shortcuts, there can be a catch.

Let’s look at an example.

This code took over 6 minutes to write a 600 KB, 3172-line file. It is easy to write (go left shift!), but it’s also a really bad way to do it. Let’s look at a better method:

It’s an extra line, and you don’t get to use left shift, but this snippet was able to write the same file in 0.07 seconds. Why, you ask? The answer is really in what is missing from the Groovy File API documentation examples: there is no instruction to close the file. As it turns out, left shift is a complete operation that opens the file, writes your object to the end, and closes the file again. And it’s that opening and closing of the file that takes a lot of time. The second code block keeps the file open for writing until it is actually done.

Technically both versions are linear in the number of lines written, but the added time of waiting for the operating system to open and close the file on every single write is significant enough to actually matter here.
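Here is an added example (not the code from the original post) that writes a constructed 3172-line file both ways and times each; it assumes Groovy 2 or later and writes two scratch files in the working directory.

```groovy
// Added example, not the original post's code. Builds a 3172-line file two ways.
def lines = (1..3172).collect { "line number ${it}" }

// Slow way: every << is a complete append. Groovy opens the file, writes the
// text, and closes the file again, so this loop opens the file 3172 times.
File slow = new File('slow.txt')
slow.delete()
long t0 = System.currentTimeMillis()
lines.each { line -> slow << line << '\n' }
long slowMs = System.currentTimeMillis() - t0

// Fast way: withWriter opens the file once, hands the closure a BufferedWriter,
// and closes it when the closure finishes (even if an exception is thrown).
File fast = new File('fast.txt')
fast.delete()
t0 = System.currentTimeMillis()
fast.withWriter { w ->
    lines.each { line -> w << line << '\n' }
}
long fastMs = System.currentTimeMillis() - t0

// Both produce identical content; only the number of open/close cycles differs.
assert slow.text == fast.text
println "left shift per line: ${slowMs} ms, withWriter: ${fastMs} ms"
```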

Lesson learned: Groovy is cool, and the things it will take care of for you are convenient, but you should always know what those shortcuts are doing in the background. If you don’t, you could wind up writing extremely inefficient (or even broken) code.

Proxy? What proxy?

That’s how I’ve felt dealing with a few applications this last week.

We had an issue sent to us recently asking about a stock trading app a department in our company uses. Apparently it was hanging when the user tried to log in. When I asked if the app was proxy aware, tech support said it was and they’d configured it properly. It worked until recently. And sure enough, there was traffic over the proxy.

Our proxy is not inline, so the next logical place to check is the firewall, to see if we’re handling traffic to this site oddly anywhere else. Sure enough, there was a firewall rule to allow traffic directly out the firewall to a range of IPs this trading company owns. As with most applications, the company’s documentation claims it requires port 4000 open to all IPs. Obviously that is a much broader rule than could be necessary. Like most places, we prefer to keep our firewall rules as narrow as possible.

So I got an IP dump from the user and did some searching. Turns out there was traffic going to a new address over port 4000 that we hadn’t seen this app access before. Apparently the vendor added an update server, and because they tell you to open port 4000 to the entire internet, they never imagined there would be an issue.

The application is proxy aware for its main operation (stock trading), but when it checks its auto-update server, it is not proxy aware. It has short term memory loss when it comes to proxy awareness.

Two complaints here:
  1. It should never be necessary to open traffic to the entire internet from a single app. A company can only own so many IPs, and those should be spelled out so that we can keep the firewall as narrow as possible.
  2. I realize that proxy servers should be inline at this point, but a number of enterprises still use explicit proxies. If your app is aware of the proxy for its main operation, it should also be aware of it when the app is updating.

DDoS Target: Unknown

A lot of media attention has been given to the unrest in Ukraine and Russia. With so much media focus, it’s not surprising that terms like Cyber Security and Cyber Warfare will come up a lot. But there are often gaps in the information presented.

My sister asked an interesting question about this article. Specifically, a comment from Cloudflare: how can they not know the target of the attack?

That does seem odd. At its core, the internet is a structure for transferring information. So how can you not know the intended recipient of the information?

Well, the internet is usually more complicated than it would seem at first glance. For this question there are two factors driving the additional complexity: IPv4 exhaustion, and Cloudflare being a web hosting company.

Normally when information travels through the internet it is directed to an IP address and a port number. The IP address represents (more or less) a computer on the internet, and the port number represents (more or less) an application running on that computer. For instance, most HTTP (web) traffic goes over port 80, and HTTPS (secure web traffic) goes over port 443.

There are 65,535 available ports so you’ll probably never have more applications running on a computer than there are port numbers. But there are only 4,294,967,296 IP addresses available in IPv4. This might sound like a lot, but to put it in perspective Forbes estimated that there were 8.7 billion internet connected devices in 2012. So we’re out of IP addresses. Way, way out of IP addresses. So what do we do?

The answer we came up with was changing an IP address from representing one computer to representing a gateway to a number of computers. And instead of port numbers representing applications, they represent a specific computer and an application.

So now our DDoS attacker doesn’t have to target a specific computer, he can target that gateway device represented by an IP and potentially impact any computers that are sitting behind it. And he may or may not choose to use a port number to specify a specific application and computer behind that gateway.

Add to that the fact that Cloudflare is a hosting company. That means they run websites and internet services for other companies. One of their computers (represented by an IP address and a port number) could have websites for more than one company on it. The attacker may have been going after website A, but impacted websites B, C, and D in the process.

It can quickly become very difficult or impossible to determine what an attacker was going after, and answers like “we’re not sure who the intended target was” start to sound completely reasonable.

DDoS Before Politics: Ukraine

Cross-disciplinary discussion is always fun, right? My sister is an interpreter in Russia and follows the politics of the region much more closely than I do. She recently forwarded me this article, which I found very interesting (ignore the technical mistakes in the article). I sent her a link to the Digital Attack Map, and she pointed out that a number of key political events in recent history were preceded, a day or two earlier, by a DDoS attack.

Now that’s an interesting proposition. Let’s take a closer look. For sources, I’m using the Digital Attack Map and this article by the BBC.

There were two DDoS attacks hitting Ukraine from unknown sources on December 7th.

My BBC article shows a large attack taking place on December 8th.

There are no major DDoS attacks hitting Ukraine for a while, but then there’s one on January 26th.

And the BBC shows some unrest on the 28th and 29th.

There was a lot of DDoS activity detected on February 17th.

And a significant number of protests on the 18th and 19th.

There was activity on February 25th.

And then a lot of political activity February 23rd – 28th.

Obviously three occurrences is not proof. It’s also not clear that these DDoS attacks are significantly higher than attacks going on anywhere else in the world with no such corresponding political unrest. But it is interesting to correlate internet attacks with real world happenings.

IBM and Prism?

Since Edward Snowden did his stuff, a lot of companies have revealed having worked with or cooperated with the NSA at some level. Microsoft, Google, Facebook, Yahoo, and several others are on that list. In their defense, several of these companies have started to push back and make government requests for information public. But what about the companies who haven’t taken that action or have chosen to say less?

As a disclaimer, I have no insider information so I’m not accusing or revealing anything. Just asking the question.

The name that occurred to me today was IBM. If I were an NSA analyst tasked with gathering useful information about people one of my first targets would be IBM. The reason why is easy enough to see if we list a few of IBM’s major products:

IMS/DB2 – Databases with a significant user base in the financial industry
WAS – A web application server with a significant user base in the financial industry
z/OS and Mainframes – Large servers with a significant user base in the financial industry
RAD – Development platform primarily for applications running on WAS
Guardium – Database transaction monitoring software with a significant user base in the financial industry

A pattern does seem to be emerging. And yet the only real bit of news I’ve been able to find on IBM cooperating with the NSA is a lawsuit in which IBM tried to deny much of a connection.

If anyone has more information on IBM and the NSA or PRISM, feel free to share.

Project Tango: Part 2

Now that I’ve done my due diligence in warning the world their privacy is at risk, it’s time to get excited about how cool the technology is.


If you haven’t watched the Quadcopter TED Talk go ahead and pause your day until you’ve done that. Trust me, it’s worth it. Really the only limiting factor to the demo is that you need a camera and a computer to do the calculations. From what I can tell, very little of the processing happens on the quad itself.

Now come back and watch the Project Tango intro video (sparse on details, but really cool concept).

And now think about combining the two of them!

The processing power available in a relatively lightweight smartphone is incredible, and I feel like it would be a great addition to the demo in the TED talk.

It’s totally within our grasp; who knows when it will actually happen. I can dream, though.

Port Scanner

How hard is it to write a port scanner?

That depends on what you’re willing to use. For building my own port scanner I took the software engineering proverb, “Don’t re-invent the wheel” to heart.

Until recently my company did port scans by having a list of ports that were allowed to be open, without connecting them to the IP addresses they were supposed to be open on. I’m sure you can see the holes here (e.g. someone could start an FTP server on a web server, and it would never get caught).

So in the interest of hardening up the port scans, I created this program. It allows you to specify an IP address and then add the ports that it is approved to have open behind it, in a CSV format (see the readme file in the git repository for details).

One thing that was important was that the reports needed to be something our compliance department could look at and work with, hence the CSV format. My intention was to let them format the reports as they wished upon receipt.

I used nmap to do the actual port scanning. If you’re familiar with nmap, you know that means I did very little work here of any real consequence. The program’s real use is in parsing the output, comparing it to a list of approved ports and writing out easy to read reports of what’s changed in an environment.

Without further ado, the program can be found here.
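As an added illustration of the per-host comparison the post describes (this is not the code from the git repository, and its CSV layout of `ip,port,port,...` is an assumption; see the repository's readme for the real format), here is a small Groovy script that parses constructed `nmap -oX` output, compares it against an approved list keyed by IP, and writes a CSV report. It assumes Groovy 3 or later for the `groovy.xml.XmlSlurper` import.

```groovy
import groovy.xml.XmlSlurper   // assumption: Groovy 3+; Groovy 2.x uses groovy.util.XmlSlurper

// Constructed sample of `nmap -oX` output for two hosts; not a real scan.
String nmapXml = '''<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/></port>
      <port protocol="tcp" portid="21"><state state="open"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/></port>
    </ports>
  </host>
</nmaprun>'''

// Constructed approved list, one host per line: ip,port,port,... (layout is an assumption)
String approvedCsv = '''10.0.0.5,80,443
10.0.0.6,443'''

// ip -> set of ports approved to be open on that specific host
Map<String, Set<Integer>> parseApproved(String csv) {
    csv.readLines().findAll { it.trim() }.collectEntries { line ->
        List<String> cols = line.split(',')*.trim()
        [(cols[0]): cols.drop(1).collect { it.toInteger() } as Set]
    }
}

// ip -> set of ports nmap actually reported as open
Map<String, Set<Integer>> parseNmap(String xml) {
    Map<String, Set<Integer>> found = [:]
    new XmlSlurper().parseText(xml).host.each { host ->
        String ip = host.address.find { it.@addrtype.text() == 'ipv4' }.@addr.text()
        found[ip] = host.ports.port
            .findAll { it.state.@state.text() == 'open' }
            .collect { it.@portid.text().toInteger() } as Set
    }
    found
}

// Rows of [ip, port, finding]. Judging ports per IP rather than against one
// global allow list is what catches the "FTP server on a web server" case.
List<List> compare(Map<String, Set<Integer>> approved, Map<String, Set<Integer>> observed) {
    List<List> rows = []
    (approved.keySet() + observed.keySet()).sort().each { ip ->
        Set<Integer> ok = (approved[ip] ?: []) as Set
        Set<Integer> seen = (observed[ip] ?: []) as Set
        (seen - ok).sort().each { rows << [ip, it, 'OPEN_NOT_APPROVED'] }
        (ok - seen).sort().each { rows << [ip, it, 'APPROVED_NOT_OPEN'] }
    }
    rows
}

List<List> report = compare(parseApproved(approvedCsv), parseNmap(nmapXml))
assert report == [['10.0.0.5', 21, 'OPEN_NOT_APPROVED'], ['10.0.0.5', 443, 'APPROVED_NOT_OPEN']]

// One open/close cycle for the whole report, per the Groovy file I/O post above.
new File('port-report.csv').withWriter { w ->
    w << 'ip,port,finding\n'
    report.each { w << it.join(',') << '\n' }
}
```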

Security Engineering Process: Where Compliance Meets Programming

I recently got asked to work on a project to help finalize a Security Engineering Process for my company. I haven’t delved too deeply into the goals and deliverables yet, but the project title is interesting enough to me: Security Engineering Process Assessment. This is one of the few times I’m going to argue semantics are important, so let’s break this down a little.

I’m comfortable with the words “Security”, “Engineering”, and “Assessment”, but “Process” is an interesting choice. The corporate connotation of process (at least at my company) is that you have a defined set of steps that are well documented and anyone (with a little training) can take the documentation and complete the process. For some things this is a totally reasonable idea, but is it reasonable for cyber security?

I’m going to cop out here and say, “Yes and no” with a caveat that it really depends on how you write your process.

There are some common sense security precautions you should take when designing any system, such as requiring a user to log in before they can do anything, expiring sessions, using SSL by default, requiring passwords to be complex, etc. These fit well into a process: they can be defined and measured, and they are relatively straightforward.

But then there’s the side of cyber security where it transitions from (don’t hate my cheesiness) science to art. Because there is a level of art involved in looking at a system that is open to the internet, discerning where an attack may come from, and then finding ways to secure against that.

Here I’m thinking of things like the badBIOS example or the recent Target breach, which you could never hope to define a process for. Anything you could define and document would fall miserably, pathetically, laughably short of protecting against an attack that can pivot within systems and compromise multiple companies, or jump air gaps and cloak itself when you are close to finding it. For defense against this kind of thing, you need artists: people who have as much creative ability as technical ability.

Yes, a defined process is a good idea. Most large companies will need it to show auditors and help developers who may not have a security mindset to design more secure systems. But the first step in your process should be, “Doubt the entire process” and the second step should be “Confirm doubt of entire process.”

Privacy And Media Hype

As anyone who works in the IT industry knows, how easily the media can understand a technical concept and then generate hype about it has a lot to do with how much attention it gets. While sometimes this brings important issues to light, other times it lands pretty far off the mark.

Let’s take two relatively recent Google projects for example: Project Glass and Project Tango.

Glass has received a ton of media attention and cautionary advice. It seems like every time you read the news someone is writing another article about how suspicious we should be about Glass and its invasion of our privacy. Lawmakers, businesses, and individuals are all getting involved trying to ban, limit, and berate Glass users.

The common tag line is that Glass is a way for someone to photograph you without your knowledge, and while that is true in a sense, Glass is not a concealable camera (you wear it on your face). Even if it were, someone interested in photographing you surreptitiously has far better options than a camera sitting on their face (just search “spy camera” on Amazon). We should have some concerns about Google Glass, but its impact on privacy isn’t the biggest one. So why does it get talked about so much?

The answer, I believe, is that it’s easy to talk about. “Take a picture of you without your knowledge” is an easy concept to understand and thus easy for the media to make scary and get attention about.

So what is Project Tango? I won’t go into the gory details, but it’s basically a way for you to use your phone to map an environment in 3D. Now that has some real privacy implications. Currently it looks like the technology only maps what’s in front of the phone, but it can detect a 3D environment and the movement of the phone apparently pretty well. Google suggests the technology could be used to extend Google Maps beyond streets, help you find things on shelves in large stores, and record the dimensions of your furniture.

Holy crap. That should scare some people. Ask yourself this: how often are you within 50 feet of someone with a smartphone? However often that is, that is potentially how often there could be a device watching your every move as you wake up in the morning, walk down the street to work, leave your secret spy drop point for all those Russian secrets you are selling, you know, typical every day stuff.

But it isn’t getting a whole lot of media hype or concern because it’s harder to talk about. It takes more steps to explain how a 3D mapping tool could be a threat to your privacy than to explain that someone could take a picture of you with the girl you’re cheating on your girlfriend with.

As a disclaimer, I think Project Tango is incredible, really cool stuff. It’s probably the natural progression of where technology will go (first we had phones, then we had phones that knew when we touched them, then we had phones that knew which direction they were turned, now we have phones that can map their environment). But we should ask some serious questions about how comfortable we are with this technology being everywhere on the streets and who should be allowed to get at the data it collects.