Archives For Security

The deadline for you to opt out of the government’s ill-advised national health record system is rapidly approaching, and for the record, yes, I have opted out. I’ll give you a concrete example of what I’m talking about when I say ‘ill-advised’: currently it’s assumed that you’ll be OK to share your anonymised medical data for research purposes, because sharing is set as the default. This is despite it being shown time and time again that the anonymisation of such data just doesn’t work. You might share my concerns about this lack of concern and level of indifference to the idea of informed consent. What the agencies of the state clearly don’t get is that this information belongs to you and me; it doesn’t belong to my doctor. Your medical data is yours, and your doctor holds it in trust for you. And until the state demonstrates a clear and unequivocal understanding of that point I say no thanks, and I’d invite you all to do the same. My Health Record? Not so much.

PS. The architect of My Health Record is Tim Kelsey, yes that same Tim Kelsey who presided over the UK Government’s Care.data program, which tanked over sharing data without explicit consent. And unfortunately for us that attitude is baked into My Health Record’s DNA.

PPS. To me the carelessness of the government in this whole affair is indicative of the increasingly totalitarian relationship between the government and the people.

And the encryption law is passed…

Simply put, it is possible to have convenience if you want to tolerate insecurity, but if you want security, you must be prepared for inconvenience.

Gen. Benjamin Chidlaw (1954)

Update to the MH-370 hidden lesson post just published, in which I go into a little more detail on what I think could be done to prevent another such tragedy.

We are hectored on an almost daily basis about the imminent threat of Islamic extremism and how we must respond firmly to this real and present danger. Indeed we have proceeded far enough along the escalation-of-response ladder that this presumably existential threat is now being used to justify talk of internment without trial. So what is the probability that if you were murdered, the murderer would be an immigrant terrorist?

In NSW in 2014 there were 86 homicides, of which 1 was directly related to the act of a homegrown Islamist terrorist (1). So there’s a 1 in 86 chance that, if you were murdered in that year, it was at the hands of a mentally disturbed asylum seeker (2). Hmm, sounds risky, but is it? Well, there were approximately 2.5 million people in NSW in 2014, so the likelihood of being murdered (in that year) is in the first instance 3.44e-5. To figure out the likelihood of being murdered and that murder being committed by a terrorist, we just multiply this base rate by the probability that it was at the hands of a ‘terrorist’, ending up with 4e-7, or 4 chances in 10 million that year. If we consider subsequent and prior years where nothing happened that likelihood becomes even smaller.

Based on this 4 in 10 million chance the NSW government intends to build a super-max 2 prison in NSW and fill it with ‘terrorists’, while the Federal government enacts more anti-terrorism laws that take us down the road to the surveillance state, if we’re not already there. The glaring difference between the perception of risk and the actuality is one that politicians and commentators alike seem oblivious to (3).

Notes

1. One death during the Lindt chocolate siege that could be directly attributed to the ‘terrorist’.

2. Sought and granted in 2001 by the then Liberal National Party government.

3. An action that also ignores the role of prisons in converting inmates to Islam as a route to recruiting their criminal, anti-social and violent sub-populations in the service of Sunni extremists.

And there goes net neutrality & privacy… Thanks Trump

Second part of the SBS documentary online now. This episode looks at the IoT.

Cyberwar documentary now running on SBS with a good breakdown of the Stuxnet malware courtesy of the boys at Symantec. Thank you NSA, once again, for the bounty of Stuxnet… Yes, indeed thank you.

The internet goes nuclear

A clank of botnets

More bad news for the Internet this week as a plague of botnets launched a successful wave of denial of service attacks on Dyn, a dynamic domain name service provider. The attacks on Dyn propagated through to services such as Twitter (OK, no great loss), GitHub, The Verge, PlayStation Network, Box and Wix.

Dispatches from the cyber-front

Interesting episode on the ABC’s Four Corners program this Monday that discloses more about the ongoing attacks against government computer networks. Four Corners sources confirmed that, as I predicted at the time, the Bureau of Meteorology infiltration was a beachhead operation to allow further attacks on higher value government targets (such as the Australian Geospatial-Intelligence Organisation and intelligence/surveillance assets such as the JORN system). OK, smug mode off.

Data is toxic

11/08/2016

A pertinent article by Bruce Schneier on the toxicity of long-stored data. Perhaps David Kalisch, head of the ABS, will read this and have a long hard think about what Bruce is saying, but probably not.

Side note. There may be a more direct and specific reason why the Feds have kiboshed the sale of NSW’s power poles to the Chinese than woolly national security concerns…

Anna Johnson on boycotting the census

In breaking news the Australian Bureau of Meteorology has been hacked by the Chinese. Government sources are quoted by the ABC as stating that the BoM has definitely been compromised and that this may in turn mean the compromise of other government departments.

We’re probably now in the Chinese operational end game, as their first priority would have been to expropriate (read: steal) as much of the Bureau’s intellectual property as they could, given that follow-up exploits of other information systems naturally carry a higher likelihood of detection. The intruders running afoul of someone else who was not quite so asleep at the switch may well be how the breach was eventually detected.

The first major problem is that the Bureau provides services to a host of government and commercial entities, so it’s just about as good a platform as you could want from which to launch follow-on campaigns. The second major problem is that you just can’t turn off the services that the Bureau provides: critical infrastructure is, well, critical. That means in turn that the Bureau’s servers can’t just go dark while they hunt down the malware. As a result it’s going to be very difficult and expensive to root the problem out, and also to be sure that it has been. Well played PLA unit 61398, well played.

As to how this happened? Well, unfortunately the idea that data is as much critical national infrastructure as, say, a bridge or highway just doesn’t seem to resonate with management in most Australian organisations, or at least not enough to ensure there’s what the trade calls ‘advanced persistent diligence’ to go round, or even for that matter sufficient situational awareness by management to be able to guard against such evolving high-end threats.

It is a common requirement to either load or update applications over the air after a distributed system has been deployed. For mass-market embedded systems this is in fact a fundamental necessity. Of course once you do have the ability to load remotely there’s a back door that you have to be concerned about, and if the software is part of a vehicle’s control system or an insulin pump controller the consequences of leaving that door unsecured can be dire. Doing this securely requires us to tackle the insecurities of the communications protocol head on.

One strategy is to insert a protocol ‘security layer’ between the stack and the application. The security layer then mediates between the application and the stack to enforce the system’s overall security policy. For example the layer could confirm:

  • that the software update originated from an authenticated source,
  • that the update had not been modified,
  • that the update itself had been authorised, and
  • that the resources required by the downloaded software conform to any onboard safety or security policy.

There are also obvious economy-of-mechanism advantages when dealing with protocols like the TCP/IP monster. Who, after all, wants to mess around with the entirety of the TCP/IP stack, given that Richard Stevens took three volumes to define the damn thing? Similarly, who wants to go through the entire process again when going from IP5 to IP6? 🙂
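As an added example (not the post’s own code) of the security layer described above, the following Go program implements the four checks as a gate in front of the application: an Ed25519 signature authenticates the source, a SHA-256 digest detects modification, an allow-list separates authorised signers from merely authenticated ones, and the declared flash and RAM needs are compared with an onboard budget. It also refuses rollback to an older build, which goes beyond the post’s list; the manifest layout, names and policy values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest travels with the image; field names are this example's own.
type Manifest struct {
	Version    uint32   // build number, compared with the installed one
	ImageSHA   [32]byte // SHA-256 of the firmware image
	SignerID   string   // who signed it
	Flash, RAM uint32   // resources the image declares it needs
	Signature  []byte   // Ed25519 signature over SignedBytes(m)
}

// Policy is the onboard security/safety policy the layer enforces.
type Policy struct {
	Signers          map[string]ed25519.PublicKey // known sources and their keys
	Authorised       map[string]bool              // sources allowed to push updates
	Installed        uint32                       // current build; at or below is a rollback
	MaxFlash, MaxRAM uint32                       // onboard resource budget
}

// SignedBytes is the canonical, length-prefixed encoding the signature covers,
// so the resource claims are bound to the image and cannot be edited in transit.
func SignedBytes(m *Manifest) []byte {
	b := binary.BigEndian.AppendUint32(nil, m.Version)
	b = append(b, m.ImageSHA[:]...)
	b = append(append(b, byte(len(m.SignerID))), m.SignerID...)
	b = binary.BigEndian.AppendUint32(b, m.Flash)
	return binary.BigEndian.AppendUint32(b, m.RAM)
}

// BuildManifest is the update server's side: hash the image, then sign.
func BuildManifest(priv ed25519.PrivateKey, signer string, ver, flash, ram uint32, img []byte) *Manifest {
	m := &Manifest{Version: ver, ImageSHA: sha256.Sum256(img), SignerID: signer, Flash: flash, RAM: ram}
	m.Signature = ed25519.Sign(priv, SignedBytes(m))
	return m
}

// Verify is the security layer's gate between the stack and the application:
// the image is released only if every check passes, in the order the post lists them.
func Verify(p *Policy, m *Manifest, img []byte) error {
	pub, known := p.Signers[m.SignerID] // 1. authenticated source
	if !known || !ed25519.Verify(pub, SignedBytes(m), m.Signature) {
		return errors.New("source not authenticated")
	}
	if sha256.Sum256(img) != m.ImageSHA { // 2. not modified in transit
		return errors.New("image digest mismatch: update modified")
	}
	if !p.Authorised[m.SignerID] { // 3. authorised (distinct from authenticated)
		return errors.New("source not authorised to update this device")
	}
	if m.Version <= p.Installed { // also part of authorisation: no rollback to an older build
		return errors.New("rollback to an older build refused")
	}
	if m.Flash > p.MaxFlash || m.RAM > p.MaxRAM { // 4. resources within onboard policy
		return errors.New("resource request exceeds onboard budget")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	p := &Policy{Signers: map[string]ed25519.PublicKey{"vendor": pub},
		Authorised: map[string]bool{"vendor": true}, Installed: 1, MaxFlash: 4096, MaxRAM: 512}
	img := []byte("constructed firmware image") // constructed sample payload
	m := BuildManifest(priv, "vendor", 2, 1024, 256, img)
	fmt.Println("good update:", Verify(p, m, img))
	fmt.Println("tampered image:", Verify(p, m, append([]byte("x"), img...)))
}
```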

Jeep (Image source: Andy Greenberg/Wired)

A big shout out to the Chrysler-Jeep control systems design team: it turns out that flat and un-partitioned architectures are not so secure, after security experts Charlie Miller and Chris Valasek demonstrated the ability to remotely take over a Jeep via the internet and steer it into a ditch. Chrysler has now patched the Sprint/UConnect vulnerability and subsequently issued a recall notice for 1.4 million vehicles, which requires owners to download a car security patch onto a USB stick and then plug it into their car to update the firmware. So a big well done Chrysler-Jeep guys, you win this year’s Toyota Spaghetti Monster prize* for outstanding contributions to embedded systems design.

More woes for OPM, and pause for thought for the proponents of centralized government data stores. If you build it they will come…and steal it.

The offending PCA serial cable linking the comms module to the motherboard (Image source: Billy Rios)

Hannibal ante portas!

A recent article in Wired discloses how hospital drug pumps can be hacked and the firmware controlling them modified at will. Although in theory the comms module and motherboard should be separated by an air gap, in practice there’s a serial link cunningly installed to allow firmware to be updated via the interwebz.

As the Romans found, once you’ve built a road that a legion can march down it’s entirely possible for Hannibal and his elephants to march right up it. Thus proving once again, if proof be needed, that there’s nothing really new under the sun. In a similar vein we probably won’t see any real reform in this area until someone is actually killed or injured.

This has been another Internet of Things moment of zen.

Cyber security (Image Source: IT-Lex, via Google Images)

Safety versus security

There is a certain school of thought that views safety and security as essentially synonymous, and therefore that the principles of safety engineering are directly applicable to that of security, and vice versa. You might caricature this belief as the management idea that all one needs to do to generate a security plan is to take an existing safety plan and replace ‘safety’ with ‘security’ or ‘hazard’ with ‘threat’. A caricature yes, but one that’s not that much removed from reality 🙂

The best defence of a secure system is openness

Ensuring the security of high consequence systems rests fundamentally upon the organisation that sustains that system. Thus organisational dysfunction can and does manifest itself as an inability to deal with security in an effective fashion. To that end the ‘shoot the messenger’ approach of the NSW Electoral Commission to reports of security flaws in the iVote electronic voting system does not bode well for that organisation’s ability to deal with such challenges.

The Electronic Frontier Foundation reports that a flaw in the iVote system developed by the NSW Electoral Commission meant that up to 66,000 online votes were vulnerable to online attack. Michigan Computer Science Professor J. Alex Halderman and University of Melbourne Research Fellow Vanessa Teague, who had previously predicted problems, found a weakness that would have allowed an untraceable man-in-the-middle attack. The untraceable nature of that attack is important and we’ll get back to it.

The GAO has released its latest audit report on the FAA’s NextGen Air Traffic Management system. The report updates the GAO’s original report and, when read in conjunction with the original, gives an excellent insight into how difficult cybersecurity can be across a national infrastructure program, like really, really difficult. At least they’re not trying to integrate military and civilian airspaces at the same time 🙂

My analogy is that on the cyber security front we’re effectively asking the FAA to hold a boulder over its head for the next five years or so without dropping it. And if security isn’t built into the DNA of NextGen? Well, I leave it to you, dear reader, to ponder the implications of that in this ever more connected world of ours.

Comet (Image source: Public domain)

Amidst all the soul searching and pontificating about how to deal with the problem of pilots ‘suiciding by airliner’, you are unlikely to find any real consideration of how we have arrived at this pass. There is, as it turns out, a simple one word answer, and that word is efficiency. Back when airliners first started to fly they needed a big aircrew; for example, on the Comet airliner you’d find a pilot, copilot, navigator and flight engineer. Now while that’s a lot of manpower to pay for, it did possess one hidden advantage, and that was that with a crew size greater than three it’s very, very difficult (OK, effectively impossible) for any one member of the flight crew to attempt to commit suicide. If you think I exaggerate then go see if there has ever been a successful suicide by airliner where there were three or more aircrew in the cockpit. Nope, none. But the aviation industry is one driven by cost. Each new generation of aircraft needs to be cheaper to operate, which means that the airlines and airline manufacturers are locked in a ruthless evolutionary arms race to do more with less. One of the easiest ways to reduce operating costs is to reduce the number of aircrew needed to fly the big jets. Fewer aircrew, greater automation is an equation that delivers more efficient operations. And before you, the traveller, get too judgemental about all this, just remember that the demand for cost reduction is in turn driven by our expectation as consumers that airlines can provide cheap mass airfare for the common man.

So we’ve seen the number of aircrew slowly reduce over the years: first the navigator went and then the flight engineer, until we finally arrived at our current standard two-man flight crew. There’s just one small problem with this: if one of those pilots wants to dispose of the other there’s not a whole lot that can be done to prevent it. In our relentless pursuit of efficiency we have inadvertently eliminated a safety margin that we didn’t even realise was there. So what can we really do about it? Well, the simple ‘we know it works’ answer is to go back to three crew in the cockpit, which effectively eliminates the hazard; of course that’s also a solution that’s unlikely to be taken up. In the absence of going back to three-man crews, well, we get what we’re currently getting: aspirational statements about better management of stress and depression in aircrew, or the use of cabin crew to enforce no-go-alone rules. But when that cockpit door is closed it’s still one on one, and all such measures do in the final analysis is reduce the likelihood of the hazard by some hard-to-quantify amount; they don’t eliminate it. As long as we fly two-man crews behind armoured doors, unfortunately, the possibility and therefore the hazard remains.

Happy flying 🙂

Data and Goliath

27/03/2015

Data and Goliath (Image Source: Bruce Schneier website)

Bruce Schneier has a new book out on the battle underway for the soul of the surveillance society, why privacy is important, and a few modest proposals on how to prevent us inadvertently selling our metadata birthright. You can find a description, reviews and more on the book’s website here. Currently sitting at number six on the NYT’s non-fiction book list. Recommended.

Postscript

New Scientist has posted an online review of Bruce’s book here.

Or how to avoid the secret police reading your mail

Yaay! Our glorious government of Oceania has just passed the Data Retention Act 2015 with the support of the oh-so-loyal opposition. The dynamics of this are that both parties believe that ‘security’ is what’s called here in Oceania a ‘wedge’ issue, so they strive to outdo each other in pandering to the demands of our erstwhile secret police, lest the other side gain political capital from taking a tougher position. It’s the political example of an evolutionary arms race, with each cycle of legislation becoming more and more extreme.

As a result telcos here are required to keep your metadata for three years so that the secret police can paw through the electronic equivalent of your rubbish bin any time they choose. For those who go ‘metadata, huh?’, metadata is all the add-on information that goes with your communications via the interwebz, like where your email went, and where you were when you made a call at 1.33 am to your mother, so just like your rubbish bin it can tell the secret police an awful lot about you, especially when you knit it up with other information.

15 Minutes

11/02/2015

What the future of high assurance may look like, DARPA’s HACMS, open source and formal from the ground up.

A Critical Systems Blog

Some of the work I lead at Galois was highlighted in the initial story on 60 Minutes last night, a spot interviewing Dan Kaufman at DARPA. I’m Galois’ principal investigator for the HACMS program, focused on building more reliable software for automobiles and aircraft and other embedded systems. The piece provides a nice overview for the general public on why software security matters and what DARPA is doing about it; HACMS is one piece of that story.

I was busy getting married when filming was scheduled, but two of my colleagues (Dylan McNamee and Pat Hickey) appear in brief cameos in the segment (don’t blink!). Good work, folks! I’m proud of my team and the work we’ve accomplished so far.

You can see more details about how we have been building better programming languages for embedded systems and using them to build unpiloted air vehicle software here.

Enigma Rotors (Image source: Harold Thimbleby)

Or getting off the password merry-go-round…

I’m not sure how this happens, but there are certain months where a good proportion of my passwords rollover. Of course password rollovers are one of those entrenched security ‘good ideas’, and you’d assume it makes us more secure? Well no, unfortunately it has entirely the opposite effect.

A report from Beecham Research on challenges in securing the IoT; my favourite quote from the press release: “Security in the Internet of Things is significantly more complex than many system designers have previously experienced...”.

I’ll be interested to see whether they put their finger on Postel’s robustness principle (RFC 793) as one of the root causes of our current internet security woes, or on the necessity to starve the Turing beast.

Interesting, and a little weird. From Krebs on Security, the strange tale of Lorem Ipsum and Google.

More speed bumps on the road to the Internet of Everything

The Heartbleed ‘bug’, elegantly explained in pictures.

The recent Cisco Internet of Things (IoT) grand security challenge is a tacit recognition that the current security problems of the connected world may not be sustainable when scaled to, well, everything. Last year of course there were the well-publicised security flaws of Belkin’s WeMo, and the subsequent response is a poster child for what we can expect as the Internet of Things (IoT) turbocharges the second great crisis of computing, i.e. security.

So if you’ve been following the Snowden leaks, you’ll understand how egregious that agency’s poking and prying has become. To the point that we should probably abandon any pretence that much of the NSA’s program serves any rational purpose.

This seems to be a case of normalised deviance on a massive industrial scale. Apparently conducting black ops, with no consideration of such time-honoured military principles as economy of force, all behind a veil of secrecy and legal obfuscation, makes you vulnerable to that sort of collective craziness. What a surprise.

iOS-7 (Image source: Apple)

What iOS 7’s SSL/TLS security patch release tells us

While the commentators, pundits and software gurus pontificate over the root cause of Apple’s SSL/TLS goto fail bug, the bug does provide an interesting perspective on least common mechanism, one of the least understood of Saltzer and Schroeder’s security principles. For those interested in the detail of what actually went wrong with ‘SSLProcessServerKeyExchange()’, click over to the Sophos post on the subject.

Linguistic security, and the second great crisis of computing

The components that make up distributed systems fundamentally need to talk to each other in order to achieve coordinated behaviour. This introduces the need for components to have a common set of expectations of behaviour, including recognising the difference between valid and invalid messages. And fairly obviously this has safety and security implications. Enter the study of linguistic security, to address the vulnerabilities introduced by the to-date unrecognised expressive power of the languages we communicate with.

The failure of NVP and the likelihood of correlated security exploits

In 1986, John Knight and Nancy Leveson conducted an experiment to empirically test the assumption of independence in N-version programming. What they found was that the hypothesis of independence of failures in N-version programs could be rejected at the 99% confidence level. While their results caused quite a stir in the software community (see their ‘A reply to the critics’ for a flavour), what’s of interest to me is what they found when they took a closer look at the software faults.

…approximately one half of the total software faults found involved two or more programs. This is surprisingly high and implies that either programmers make a large number of similar faults or, alternatively, that the common faults are more likely to remain after debugging and testing.

Knight, Leveson 1986

Separation of privilege and the avoidance of unpleasant surprises

Another post in an occasional series on how Saltzer and Schroeder’s eight principles of security and safety engineering seem to overlap in a number of areas, and what we might get from looking at safety from a security perspective. In this post I’ll look at the concept of separation of privilege.

The kettle of doom

20/12/2013

My thanks to Charlie Stross for alerting us all to the unfortunate incident of the Russian kettle, bugged with malware intended to find unsecured Wi-Fi networks and co-opt them into a zombie botnet (1). Now Charlie’s take on this revolves around the security/privacy implications for the ‘Internet of Things’ movement: making everything smart and web savvy may sound really cool, but not if your toaster ends up spying on you, a creepy little foretaste of the panopticon future.

Toyota ECM (Image source: Barr testimony presentation)

Economy of mechanism and fail safe defaults

I’ve just finished reading the testimony of Phil Koopman and Michael Barr given for the Toyota un-commanded acceleration lawsuit. Toyota settled after they were found guilty of acting with reckless disregard, but before the jury came back with their decision on punitive damages, and I’m not surprised.

ImpStarDestroyer (Image source: Star Wars Wikia)

Over on The Emergent Chaos blog, there’s a neat post on Saltzer and Schroeder’s security principles using scenes from Star Wars as illustration. A fun introduction to a classic work on the security of information systems.

The article also made me stop and think about how the principles of security and safety engineering seem to overlap in a number of areas, and what we might get from looking at safety with our security glasses on.

The subject of another post perhaps. 🙂