Monday, August 31, 2015

Is Cyber Protectionism on the Rise?

The cyber cold war is clearly heating up. National economies may start trending inward for IT and cyber support as fears about state-sponsored hacking rise. High-profile technology vendors are being exposed as arm's-length extensions of their motherland's state security apparatus. Examples include an exposé claiming Kaspersky is working closely with the FSB, and the Snowden leaks suggesting clear and possibly extra-legal cooperation between the NSA and Facebook, Google, and Apple. Consider also the U.S. security companies that publish threat intelligence yet are notoriously silent when it comes to threat groups that tie back to the U.S. government. And Chinese telecom giants like Huawei have already been suppressed in U.S. markets due to security concerns. Conversely, China has exactly the same concerns regarding imported technology.

Government agencies in all nations are notorious for mistrusting outside technology. For example, in the U.S. government you won't find Israeli technology deployed anywhere. The State already practices cyber protectionism. As more high-profile vendors continue to be exposed, will the civilian market respond in kind? Will governments take extra steps to regulate the import of potentially untrusted technology? Can a free market continue when the buyers can't be trusted to understand the implications of cybersecurity?

Wednesday, June 17, 2015

Creepy Dystopian Reality mirrors Cyber Fiction

Somewhere downstream from the economic churn of the cyber affluent, layers of humans pry and burn minerals and the occasional component from e-Waste to live on less than $100 USD a month.

[image: A man smelts cadmium-laden circuit boards for steel]

A massive alluvial fan of e-Waste is spreading across Asia at an alarming rate. Illegal [unlicensed] 'kabadi wallahs' call for scrap on their daily runs through the alleyways. Buying and selling here has the feel of an illegal drug deal [or something decidedly cyber from Neal Stephenson].

[image: e-Waste deal going down in a Delhi alley]
[image: Circuit boards and plastic are smashed to extract components in Ghana]
[image: Ripping wires to salvage metals in South China]

Dealers make trades and sell extracted components to others who smelt them or resell them. Some stuff just ends up back in cyberspace - posted by weight on eBay.

[image: picture found on eBay search for e-Waste - 52 lb load of medium-high grade circuit boards posted for $110 USD on eBay]

Crushing and stripping have their place, but the preferred method of extraction is burning. Metric tons of plastic and hyper-toxic materials are converted to gases for our atmospheric pleasure.

[image: "Cooking Off" motherboards]
[image: Burning is the preferred way to recover copper]

e-Waste is a poison generated on the crest of economic progress. As usual, the fallout settles in the lower economic strata, affecting the poorest countries and people the most. These images give me a feeling that the dystopian future imagined by cyber fiction writers has already arrived.


Note: the images were obtained from a Google Image search; the sources of the images are marked in the alt text.

Sunday, April 19, 2015

Silk Road for Zero Day

I had to be amused after hearing about TheRealDeal, a Silk Road for 0-day. First, there really isn't anything illegal about selling a zero day - but I can understand the concerns about liability. Back in 2002 I had proposed starting a site called ZeroBay that would auction working 0day, but the possible liability scared me off the project. But for a few years afterward I privately worked with many 0day and I have to say, these RealDeal guys have a load of problems to deal with.

First, there are the 0day researchers who won't trust the site operators enough to hand over the goods for verification prior to a sale. Without third party verification and escrow the whole model will break down.

Next, most of the exploits will only work on a certain VM and only when the moon is full. They will inevitably broker a deal where the buyer can't get it to work and the seller vanishes or becomes unresponsive after stating "Works for me!".

Also, the sellers are going to sell it to multiple parties. I see Internet Explorer client side exploits listed at $17,000 - this is about 1/4 of what an 0day like that is worth, so they must be uninformed or planning on selling to multiple parties. Or, it's not theirs to begin with and it's already being shared in closely knit circles. 

Here is a big gotcha - some of the people selling bugs are going to be actual employees of the vendor, possibly working in the QA lab - so they are 100% insider threats and a huge amount of liability is backpacking on those exploits.

Be aware that finding a crash bug is a heck of a lot easier than writing reliable shellcode - and I wonder how many sellers on the site have the skills, procedures, or willpower to craft reliable payloads?  The number of people that can find bugs outnumbers the number who can make reliable exploits by several orders of magnitude.

Let me suggest something - if you want to make an 0day deal work, first you enter into a legal contract with the seller that absolves you of liability if the seller is breaking any laws or contracts (i.e., non-disclosure and employee intellectual property agreements, etc.). Second, you broker the deal so the seller receives a portion of the total payment per month as long as the 0day remains an 0day - if any disclosure or patch occurs, the payments stop early. This keeps sellers financially motivated to stay honest. Finally, don't ever pay up front for something that hasn't been vetted -- under no circumstance trust some video of the guy running it against a VM - you will end up with broken, unreliable code.

0day sales have been around a long time and it's a trust-based business - it doesn't really need some weird blacknet site on Tor to work - it's silly. Start a legitimate above-the-line business doing the same thing and it would work better and provide contractual legal protection to all parties. My conclusion is this: trust is hard to come by - making a darknet anonymized brokerage is just making a hard problem harder.

Tuesday, April 14, 2015

The network perimeter has been turned inside out

The CISO needs to understand that modern cyberspace is turning the perimeter model inside out. Cloud and social applications have accelerated adoption in the Enterprise, but their protocols are effectively sealed at the perimeter. Think layered, custom, and encrypted. This has rendered network appliances and proxies nearly useless. In effect, the logical perimeter has been forced out onto the endpoint device itself. This has huge implications with regard to the monetary investments made by the Enterprise. Embrace the current state: when you say the word 'perimeter' you should immediately think 'endpoint'. The lack of this "perimeter is the endpoint" thinking, combined with the ever-increasing sophistication of attacks, is putting Enterprises at severe risk.

I posted a short (~5 min) video prezo about this here: The Vanishing Perimeter - YouTube

Come see me in SF next week if you have time, RSA booth #3032