PKI Does Work in the Real World
PKI is typically the object of much scorn: something this inherently dependent on human-level trust surely cannot provide digital trust, especially between (for example) countries that have no diplomatic ties. See, for example, the classic point/counterpoint:
Ten Risks of PKI: What You’re Not Being Told
For these kinds of reasons, and because of what has become a certain amount of institutional prejudice in the security community, PKI typically takes more constrained forms: SSH host and user keys; SSL server certificates signed by a slew of vendors whose root certificates come pre-installed in major browsers, etc.
The experience of Dartmouth and its partners in academia and government provides a model for extending PKI into the real world across organizational boundaries.
Measuring Entropy
After some investigation and casting about, I started to write a small C library for measuring entropy.
The libdisorder Web page has more.
Counterfeit Hardware
An interesting detective story dealing with hardware disassembly to check the provenance of micro SD cards:
http://www.bunniestudios.com/blog/?p=918
Not exactly trojan hardware, but a good case illustrating the actual level of trustworthiness of real hardware nonetheless, and it includes an interesting foray into the economics of micro SD production near the end.
[I picked this link up from a post to a private mailing list -Ed.]
System Forensics
RFC 3227 is a handy resource for students interested in the challenges of beginning the recovery process:
http://www.faqs.org/rfcs/rfc3227.html
I hadn’t known about this until reviewing a paper recently. This (short) RFC contains some guidelines for performing forensics on a compromised computer system. Nothing earth-shattering, but it does provide a nice collection of principles.
Why do these practices matter? Because expert witnesses and the legal system can easily question the quality of digital evidence:
http://www.piercelaw.edu/assets/pdf/release-mavis-case-expert-report.pdf
(this report received Slashdot coverage last summer).
Installing Bootcamp
I recently installed Bootcamp and Microsoft Windows XP SP3 on my MacBook Pro.
While this was mostly straightforward, the process got complicated because I did not have my Leopard installation DVD with me, and the cost of traveling to it…well, you can guess. Not worth it.
The lack of the DVD is crucial because it contains Windows XP drivers for the Mac-specific hardware. Fortunately, this page:
http://support.apple.com/kb/HT1999
helped me run down what drivers I needed (mostly the RealTek sound driver). I got an updated NVidia driver from the Apple web site, so the laptop, when booted into Windows, is now able to display proper video and sound — which is, along with external keyboard and mouse, what one needs for Windows-only video games. Network, trackpad, and other misc items are still not working. It has been a heck of a time, especially since the “updates” to Bootcamp that Apple has available:
http://support.apple.com/kb/DL967
and
http://support.apple.com/downloads/Boot_Camp_Update_2_1_for_Windows_Vista_32
don’t seem to run in Windows XP SP3 (a clean, from-ISO install, not an SP2 to SP3 upgrade).
DHS Hiring Spree
The DHS is indeed committing to hiring 1000 clearable US citizens over the next three years. If you’re interested, you can “attend” their cyber job fair:
http://www.dhs.gov/xabout/careers/cyberjobfair
They are looking to fill these types of roles:
- Cyber Incident Response
- Vulnerability Detection and Assessment
- Networks and Systems Engineering
- Cyber Risk and Strategic Analysis
- Intelligence and Investigation
I’m glad that this amount of hiring is happening, but I’m still unconvinced that this will bring DHS (and the American people) 300 high-quality cybersecurity professionals per year. I’m guessing 80 to 90 percent of the hires in any given year will be trainable Computer Science and/or Computer Engineering B.Sc. students — those who can gradually obtain cybersecurity skills over the course of their govt. careers. And that’s not necessarily a bad thing, except that in three years, the US cybersecurity defense posture and capabilities won’t be measurably improved.
One thousand extra people does not translate directly into an improvement — not at the rate at which network traffic flows, attacks and exploits of software vulnerabilities happens, the complexity of real systems software increases, new technologies come on line, etc. Most of the roles that DHS is seeking seem to be more on the strategy end of things rather than the tactics or operational side of the house — and I see that as a good thing, but it’s easy to misuse a sudden influx of manpower on the tactical side, even if they’re initially meant to have a strategic, forward-looking focus.
Information Considered Harmful
It looks like a manual containing information about TSA screening procedures has been posted to the web (with yet more poor redaction — will they never learn? Actually, software vendors should really improve their redaction function to eliminate all versions of sensitive info from the given file, and prove it to the user).
http://us.cnn.com/2009/TRAVEL/12/08/u.s.tsa.training.manual/index.html
Although most quotes in the above article express alarm and frustration at the release of this “sensitive” information, and the TSA claims that the information about procedures is “outdated” and “unimplemented” (which I see as simply a thin way to re-create some uncertainty in an attacker’s mind), I see this sort of release of information as a good thing: it lets the traveling public understand the actual level of security the TSA achieves rather than some vague, fuzzy notion of safety.
Responsible or ethical disclosure of information (be it vulnerabilities, exploits, proof-of-concepts, proprietary or confidential information, etc.) has long been a favorite sawhorse and controversial subject in the information security community. At least some forms of whistleblowing have some public value, and in general I think more information is a good thing.
The key question, however, is this: if indeed the act of creating uncertainty in an attacker or adversary’s mind has value, why does it have value and how can we measure this value? Although security through obscurity is an oft-derided “technique” (even that word gives it too much credibility as a defensive mechanism), keeping secrets has arguably had at least some value in a variety of contexts (mostly espionage or military operations). The problem, of course, is measuring how much your ability to keep information secret has limited the enemy’s options, and so counterintelligence is needed. Such active techniques, however, seem distasteful as an academic research area, since presumably many of the techniques would require attack techniques, and thus some loss of moral authority (hey, we’re not the “good guys” anymore).
Followup & Updates: (added 9 Dec)
CNN has a followup: some heads rolled (predictably — this is a terribly MAJOR BREACH of national security).
http://us.cnn.com/2009/TRAVEL/12/09/tsa.training.manual/index.html
A good article from Wired:
http://www.wired.com/threatlevel/2009/12/tsa-leak/
The Wired article has a link to an Adobe guide to “proper” redacting techniques.
Finally, those wishing to actually read the manual can download it here:
Network Intrusion Recovery
Yesterday I gave a talk at the USENIX LISA conference about the difficulties involved in the process of recovering a network infrastructure from a large-scale intrusion.
Stories about post-mortem analysis of such incidents are rare. Here are a few links and pointers:
“Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack” (HTML)
Chronicle of a Server Break-In (HTML, see link to Paul’s actual postmortem)
Abe Singer. “Tempting Fate,” ;login:, Volume 30, #1, USENIX Association, November 2005. (grab a copy of ;login:)
Eugene H. Spafford. The Internet Worm Program: An Analysis (PDF)
Cliff Stoll. “The Cuckoo’s Egg” (HTML)
Bill Cheswick. “An Evening With Berferd In Which a Cracker is Lured, Endured, and Studied” (PDF)
Deriving Intent From Biometrics
Biometrics as a measure of intent dates at least to the polygraph. Humans often do have physical reactions to stress, but does this kind of system employed as a filter for further screening really buy us much safety?
In the name of finding terrorists before they board an airplane, the TSA has adopted a number of “advanced” personal profiling methods: essentially, agents looking for tells, signs of nervousness, or other vague symptoms that may or may not be harbingers of doom.
There are of course many innocent explanations for a nervous manner, sweaty shirt or face, irritated look, twitchy fingers, etc. They include people just having had arguments with their friend or spouse, hurrying to catch a flight, getting caught in traffic on the way to the airport, being recently fired, being nervous about a first flight, having a sweating problem by nature, or hurriedly typing an emotional blog entry or Facebook post into their cell phone.
The TSA apparently believes so much in this approach that they want to scale it up. And the only way to do that is to make a computer do the scanning for you. CNN had this article on October 6th: “Will Airports Screen for Body Signals? Researchers Hope So.”
I like the title, because it’s likely that only the researchers getting paid to conduct this work are hopeful that it will get adopted. There is a really nice quote from the article:
“I haven’t seen any research that shows that those measures from the autonomic nervous system … measuring blood pressure, measuring breathing, measuring heat on the face, are at all related to intent,” said Stephen Fienberg, professor of statistics and social sciences at Carnegie Mellon University.
Spot on! Identity doesn’t measure intent, and neither do your biometrics, if only for the plain fact that your individual heat signature, heart rate, etc. are exactly that: an individual signature about which the population statistics have nothing to say and no predictive power. Forensic psychology researchers involved in creating risk assessment measures (e.g., for criminal recidivism rates) argue about whether such measures can actually predict an individual’s behavior, since the rates of a population don’t determine what an individual released on parole and able to exercise free will (and subject to both the social support and temptations of the outside world) might actually do. For example, measures like the HCR-20 are instruments for assessing the risk of violence, but mainly within the context of ongoing psychotherapy sessions in a doctor-patient relationship.
Now, as a researcher who routinely solicits money from Federal agencies to support my work, I understand that the scientists involved in trying to create this technology will have some reasonable claims about its limitations and shortcomings. They’ll have a justification for why it will work well, and they may even have made a few fundamental breakthroughs in terms of gathering data from dark or dimly lit faces, bad angles, and the like. Unfortunately, they are also likely to have adopted the beliefs of their funding agency: that this type of profiling works to pick out those engaged in illegal activities or those intent on causing harm to air or rail passengers.
I’d like to see this system made to work from high up above Grand Central Station’s main floor, or in a high school auditorium, a supermarket, a sports venue, or a crowded student center. These are dynamic, real environments, not controlled lab conditions where the subject peers directly into the camera in good lighting.
All that aside, however, this view stunned me:
Civil liberties groups maintain this screening technology is an invasion of privacy. “Nobody has the right to look at my intimate bodily functions, my breathing, my perspiration rate, my heart rate, from afar,” said Joe Stanley of the ACLU.
…
[Project manager Robert] Burns denied the project is a violation of privacy. “We’re looking at signals you give off naturally. We’re not asking for any personal information. We’re not asking anything about you,” he said.
Burns is entirely correct — they are not asking anything about you: they are taking it forcefully from under your nose without permission. Earlier in the article, Burns states that “We’re looking for those signals that your body gives off naturally.” The problem is that technology is allowing government workers to do something that they didn’t have the power to do before. These properties are subtle and not detectable by the human eye when scanning a large crowd: heart rate, body temperature, perspiration under clothing, eye movement, etc.
Although your body does display these properties, it does not advertise them on a billboard: there is no neon sign with your heart rate plastered to your forehead. Why should government agents have the power to effectively augment their five senses to know your physical condition perhaps more intimately than you know it yourself?
Demand for a Cybersecurity Workforce
This recent Washington Post article highlights the competition between DHS and NSA in their publicly stated goals of hiring 1000 to 3000 new cybersecurity professionals per year over the next few years.
I find it extremely doubtful that this level of expertise even exists. The sum total of “real” cybersecurity expertise (in terms of deep technical knowledge and strategic foresight) is probably only on the order of 1000 people worldwide. Yes, there are many people who are operational security experts (meaning that they stare at screenfuls of log entries and pretty pictures of network traces flying by), but there are very few who actually understand the internal workings of systems, the properties that lead to weaknesses and vulnerabilities, and how to manipulate real systems, hardware, networks, and program execution in order to install malware or subvert system control.
Without a commitment to educating such a workforce, it is impossible to hire such a workforce into existence. And as Gene Spafford notes, the NSA CAE (Centers of Academic Excellence in Information Assurance) program isn’t really effective in this regard (nor, might I add, is the NSF Scholarship for Service program, at least at producing the sheer volume of needed workers).