Archive for August, 2008
Thursday, August 28th, 2008
A few weeks ago Bruce Schneier wrote an article entitled “memo to the next president”. In it he offers several pieces of advice, including asking the president to use the government’s immense buying power to increase the security of products. The government’s buying power has been used before to influence products, whether deliberately or accidentally, and Schneier wants to see the government wield this power for the greater good. This is logical – after all, the government exists to provide for the greater good where no other actor is able to do so.
On the same theme, OMB recently announced that it is requiring all government agencies to start deploying DNSSEC, and gave them a deadline of January 2009. (See the Wikipedia page on DNSSEC if you don’t know what it is.) While it will almost assuredly be completed behind schedule (it is government, after all), it is great news. Simply put, DNS is inherently flawed. As commenters pointed out on a previous post, assuming that the first response to arrive is the correct one is just a bad idea. DNSSEC fixes that by enforcing digital signatures on responses. Most commercial enterprises right now are simply applying the newest patch and leaving it at that. As everyone knows, though, continuing to patch over breaches in the dike will only work for so long – eventually you have to build a whole new dike (in this case, DNS). Hopefully, with such a large entity getting behind DNSSEC, we’ll see a large movement to it, and we can avoid the next DNS cache poisoning attack before it ever comes, because we all know it will.
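As an added illustration (not part of the original post), the following Python contrasts a resolver that trusts the first reply carrying the expected transaction ID with one that also checks a signature against the zone’s trusted key. The record, the replies and the tiny RSA key (a stand-in for a real DNSKEY) are all constructed for this example.

```python
import hashlib

# Toy RSA zone key, constructed for this example only (about 40 bits).
# Real DNSSEC uses 2048-bit RSA or ECDSA keys published as DNSKEY records.
ZONE_N = 999985999949          # 1000003 * 999983
ZONE_E = 5                     # public exponent (known to every resolver)
ZONE_D = 199996799993          # private exponent (known only to the zone signer)

def rrset_digest(name, rtype, rdata):
    """Hash the canonical form of a record set, reduced modulo the toy key size."""
    canon = f"{name.lower().rstrip('.')}.|{rtype}|{rdata}".encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % ZONE_N

def sign_rrset(name, rtype, rdata, d=ZONE_D):
    """Stand-in for the RRSIG the zone owner publishes alongside the records."""
    return pow(rrset_digest(name, rtype, rdata), d, ZONE_N)

def verify_rrset(name, rtype, rdata, sig):
    """Check an RRSIG using only the public half of the trusted zone key."""
    return pow(sig, ZONE_E, ZONE_N) == rrset_digest(name, rtype, rdata)

def resolve_first_response(responses, txid):
    """Classic resolver: the first reply whose transaction ID matches wins."""
    for r in responses:
        if r["txid"] == txid:
            return r["rdata"]
    return None

def resolve_validating(responses, txid):
    """Validating resolver: a matching txid is not enough; the RRSIG must verify."""
    for r in responses:
        if r["txid"] == txid and verify_rrset(r["name"], r["type"], r["rdata"], r["rrsig"]):
            return r["rdata"]
    return None

# Constructed sample: a forged reply that guessed the txid arrives before the real one.
NAME, TXID = "www.example.gov", 0x1A2B
GENUINE = {"txid": TXID, "name": NAME, "type": "A", "rdata": "192.0.2.10",
           "rrsig": sign_rrset(NAME, "A", "192.0.2.10")}
FORGED = {"txid": TXID, "name": NAME, "type": "A", "rdata": "203.0.113.66",
          "rrsig": 0xDEADBEEF}   # without ZONE_D no valid RRSIG can be produced
RESPONSES = [FORGED, GENUINE]

if __name__ == "__main__":
    print("first-response resolver:", resolve_first_response(RESPONSES, TXID))
    print("validating resolver:    ", resolve_validating(RESPONSES, TXID))
```

The first resolver hands back the forged address; the validating one skips it and returns the signed answer, which is the property the signature requirement buys.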
Tags: DNS, government Posted in compliance, investigations, regulations, and legal | Comments Off
Wednesday, August 27th, 2008
It looks like the first computer virus to cross into outer space is the W32.Gammima.AG worm.
Tags: iss, NASA, space, virus Posted in news | Comments Off
Wednesday, August 20th, 2008
As a follow-up to my previous post about cyber-war, it looks like the cyber-attacks against Georgia started before the Russian invasion. Although interesting, it doesn’t change the basic concept of cyber-war very much. The initial attacks garnered little attention until they were combined with conventional kinetic warfare. The reason is simple – cyber-war, on its own, doesn’t do a whole lot.
Tags: cyberwar, ddos, georgia, Russian, war Posted in news | Comments Off
Friday, August 15th, 2008
I think this isn’t a bad idea, but the implementation is inherently flawed:
the company plans to release a toolbar for major browsers that will check visited Web sites for obvious security issues. The add-on software will check for twenty signs — such as the version numbers of the Web server and the content management system — to make sure that the site has no obvious flaws.
As I said, it seems like a good idea. It’s non-invasive, and it alerts users (even non-security-savvy ones) that a site may be insecure. Ultimately it provides a very real and direct consequence of lax security to e-commerce sites – be secure or you may scare off customers. (And we all know that fear of affecting the bottom line is often the only thing that makes corporate entities act in favor of security.) The problem is that without being invasive (think SQL injection testing), you can’t really tell whether a site is secure. I’m afraid that this is going to turn into another one of those McAfee HackerSafe-style logos – just a green light that makes you feel safe without actually doing anything.
Tags: browsers, hackersafe, mcafee, www Posted in software | Comments Off
Thursday, August 14th, 2008
I got way behind on my reading over the past few days. Now that I’m catching up, I noticed that TippingPoint has launched ThreatLinQ, a product which provides a lot of information about the global attack landscape. It looks very interesting and seems to have a lot of good data. It would be interesting to poke around in their data and try to come up with interesting conclusions, but alas, it is only available to their customers. Rats.
Tags: attacks, internet, threatlinq Posted in news | Comments Off
Thursday, August 14th, 2008
In the spring of 2007, the world’s first real cyber-war commenced. Now, with hostilities in the same area of the world flaring up again, we appear to have the world’s second cyber-war. Although the history of cyber-war is still very new, it is interesting to note that in the first case cyber-war was carried out in the absence of state-sponsored military action, while in the second case it only supplemented the tanks, guns, and bombs that go along with conventional warfare. In the former case the damage may have been swift and shocking, but it was also temporary and somewhat ephemeral. No lives were lost, and no infrastructure was permanently crippled. (There are, however, a lot of lessons learned – the postmortem interview with Estonia’s secretary of defense is highly recommended.) In the latter case, the war seems to be having serious geopolitical ramifications, but the effect of the cyber-attacks is as yet unclear. All that we can currently say for certain is that it has helped to weaken the Georgian PR machine, which in this era of 24-hour news cycles, UN resolutions, and a more globally connected world, is more important during wartime than ever before. What the future of cyber-war entails I clearly can’t tell for certain, but I do have a feeling that it can’t stand on its own. Cyber-war may get people’s attention, force societies to alter how they function in the short term, and annoy people who can’t check their bank balances, but it doesn’t have serious geopolitical implications when it stands on its own. Cyber-war works best when it works in concert with conventional warfare.
Tags: cyberwar, estonia, georgia, russia, war Posted in news | Comments Off
Tuesday, August 12th, 2008
The Race to Zero is a competition which recently wrapped up at Defcon. In it, teams of contestants are given ten known pieces of malware – viruses and exploits – and are tasked with obfuscating the malware in such a way that antivirus programs cannot detect it. The competition was ultimately won by Mandiant, which completed the task in a little over six hours (about 36 minutes per challenge). This contest simply serves to illustrate the point that signature-based antivirus scanning is a failing proposition. As I’ve said before, there are a virtually infinite number of possible malware signatures out there, and trying to write an infinite number of signatures is an exercise in futility. It makes a lot more sense to enumerate good than to enumerate bad. We figured this out years ago when we started making firewalls use a default deny – we should be doing the same for antivirus.
Tags: antivirus, defcon, malware, race to zero, virus Posted in software | 5 Comments »
Monday, August 11th, 2008
Over the last few days there have been a lot of headlines about how the US has cracked the biggest ID theft ring ever. Frankly, it’s a load. Biggest? Perhaps. ID theft? Only by the worst definition. The suspects in question are alleged to have stolen 40 million credit card numbers by breaking into retailers’ networks (most notably the much-maligned TJ Maxx). The problem is that the US government defines stealing a credit card number as identity theft. This is the most inclusive definition, but it’s also the worst. If someone steals your credit card number, you simply cancel the card and are not held responsible for the fraudulent charges. No one can wreck your credit score or open a line of credit in your name. (For that they usually need your social security number.) Including credit card numbers in ID theft numbers artificially inflates them and makes for great scare tactics from companies like LifeLock, but doesn’t actually measure the real risk to your credit score. There are some organizations that have no vested interest in scaring you (like the Privacy Rights Clearinghouse), but most simply use the largest and scariest number possible. It’s time for this tactic to stop. Stealing someone’s credit card number is not the same as stealing their identity, and if reliable crime statistics are important, then we need to stop equating the two.
Tags: credit cards, identity theft, TJ Maxx Posted in general | Comments Off
Sunday, August 10th, 2008
The New York Times has an article on passwords and OpenID. Frankly, I couldn’t have said it better myself:
Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them.
[…]
The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on.
Exactly what I’ve been saying.
Posted in Access Control Systems & Methodology | Comments Off
Thursday, August 7th, 2008
This year Black Hat debuted the Pwnie Awards – given out (mostly) for massive failures in the field of information security. The candidates were nominated in July, and the winners were announced last night, although the list of winners is not on the Pwnie website as of yet. If you’re curious, a little digging revealed the award winners here. It was hard to argue with any of the winners.
Tags: black hat, pwnie Posted in news | Comments Off