Sep 10 2013
I find it increasingly difficult these days to shake the feeling that the cyberpunk dystopia our world is becoming is shaping up to be more and more like Shadowrun. Ever since 2012 (which turned out to be a slightly less tumultuous year than Terence McKenna had always preached) things have become more and more surreal and disturbing (in a David Cronenberg and not a David Lynch kind of way). The Snowden/NSA scandal continues to bring truly frightening information to light, and the first thing that comes to mind is that ECHO MIRAGE exists as a real thing which is hard at work making the field of information security utterly irrelevant.
Yes, that's right. I'll say it again: I think the NSA is making security practitioners irrelevant. Let's unpack that:
It should come as no surprise to anyone involved in the infosec field that 0-day exploits are bought and sold for stupid amounts of money on the white and black markets. What is less well known is that at least one manufacturer is giving them to the NSA before they patch them, which leaves gods know how many systems and networks out there potentially vulnerable. There is also some evidence that they don't patch certain vulnerabilities at all. The rest of us can't patch what we don't know about; the best we can do is minimize the vulnerability footprint as much as possible and hope it's enough. Cryptosystems that protect data-in-transit across the Net, from banking transactions to medical records to stock trades to privileged information, have been circumvented and the plaintext captured. Lawyers, police, and physicians should be worried because somebody you don't trust has probably got hold of information very important to your careers. Everybody else should worry that somebody knows what you buy online. Speculation that the NSA deliberately weakened cryptosystems that are used in the public and private sectors every moment of every day (including that little padlock icon you occasionally see in your web browser's URL bar) is no longer speculation. Groups of experts are busily figuring out what may have been weakened, how it was done, and what the implications are. The National Institute of Standards and Technology is on the defensive because the criteria by which they write The Standards(tm) are now being called into question because, as some have put it, "If they're the experts, why the hell didn't they catch this???"
As it turns out, they were in cahoots and here's a proof of concept implementation.
Cellphones and other handheld communication devices must now be considered risks in just about every industry. Companies inside and outside of the United States were pwned, and on top of that there probably isn't any way of proving that there was no tampering with any of their products. There are even allegations that open source software projects were tampered with. A colleague of mine whose opinion I regard highly did some looking around and discovered what could be the first evidence of this having happened. Oh, my.
So, why did I say what I did earlier?
The function of security practitioners is to help businesses and agencies carry out their missions in a more secure manner. We are supposed to help businesses improve their security postures, minimize risk by mitigating or eliminating real or potential vulnerabilities, and help them be compliant with any of the Noah's Ark of laws and regulations that may or may not apply to what they do. (Yes, I know compliance and security are two different things. It still has to be said.) We help them identify, assess, and defend against threats all across the board, from J. Random Intern who browses a dodgy porn site at work and gets nailed by the Java or Flash vulnerability of the week to spear phishing attempts aimed at C-levels for the express purpose of gaining a foothold in a target's network from a privileged position. We ensure that value continues to be realized rather than lost due to something critical getting compromised (and the shitstorm that always causes). We help keep sensitive information confidential, uncorrupted, but accessible to those who need it to do their jobs. I could go on and on but I'm not at work and your eyes are probably bleeding from all the certification-speak.
Suffice it to say that we're supposed to help keep Bad Things(tm) from happening with the knowledge and resources available to us. It's looking less and less like this is actually possible short of disconnecting from the Net completely and installing everything in gargantuan Faraday cages. A massively powerful, scarily well funded, amazingly well equipped entity with no oversight to speak of is now known to be doing, as far as we civilians can discern, whatever it wants, whenever it wants, to bring about whatever goals it wants. Agents are spying on their significant others because they can, and because history tends to repeat itself much scarier things may (and I say again, MAY) be happening (yes, PAEDOINT is a real thing). Offensive or defensive, there isn't much the best and brightest in the public and private sectors can do if the routers or firewalls have been subverted (here's the original whitepaper if you want to read it; suffice it to say, this has probably been possible for a lot longer than civilian infosec's known about it) or the crypto protecting traffic on the wire takes a lot less time to break than it theoretically should. Remember, every bit of the key you know ahead of time means a lot less time spent guessing the remaining bits: each known bit halves the search.
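To make that last point concrete, here is an added example (mine, not the author's) that exhaustively searches for a toy 16-bit key against a constructed keyed hash and counts how many candidates have to be tried when an attacker already knows some leading bits of the key. The toy MAC (SHA-256 over key||message, truncated), the 16-bit key size, the sample message and the key value are all constructed for the illustration; real keys are 128 bits or more, but the shape of the result is the same: the work is 2^(unknown bits), so a weakened generator or a leaked chunk of key material does not "slightly" weaken a cipher, it collapses the search by a factor of two per bit.

```python
import hashlib

# Constructed toy parameters: a 16-bit key keeps the exhaustive search
# fast enough to run here. Real key sizes make the same loop infeasible.
KEY_BITS = 16
SECRET_KEY = 0xBEEF                      # constructed; "unknown" to the searcher
MESSAGE = b"wire traffic sample"        # constructed sample plaintext


def mac(key: int, message: bytes) -> bytes:
    """Toy keyed hash: SHA-256 over key||message, truncated to 8 bytes.
    Constructed for illustration only; it is not a real MAC construction."""
    return hashlib.sha256(key.to_bytes(4, "big") + message).digest()[:8]


def search_space(key_bits: int, known_bits: int) -> int:
    """Number of candidates an exhaustive search must cover when the top
    `known_bits` bits of a `key_bits`-bit key are already known."""
    return 1 << (key_bits - known_bits)


def recover_key(message: bytes, tag: bytes, key_bits: int,
                known_prefix: int, known_bits: int):
    """Exhaustively try every value of the unknown low bits, keeping the
    known high bits fixed. Returns (key, attempts); key is None if no
    candidate matched (e.g. the assumed prefix was wrong)."""
    unknown_bits = key_bits - known_bits
    prefix = known_prefix << unknown_bits
    attempts = 0
    for low in range(1 << unknown_bits):
        attempts += 1
        candidate = prefix | low
        if mac(candidate, message) == tag:
            return candidate, attempts
    return None, attempts


def attempts_for_known_bits(known_bits: int) -> int:
    """Run the search with the top `known_bits` bits of SECRET_KEY given
    away and report how many candidates were tried before it was found."""
    tag = mac(SECRET_KEY, MESSAGE)
    known_prefix = SECRET_KEY >> (KEY_BITS - known_bits)
    key, attempts = recover_key(MESSAGE, tag, KEY_BITS, known_prefix, known_bits)
    assert key == SECRET_KEY
    return attempts


if __name__ == "__main__":
    # Each additional known bit halves the worst-case work and, on average,
    # the number of attempts actually needed.
    for known in (0, 4, 8, 12):
        print(f"known bits={known:2d}  worst case={search_space(KEY_BITS, known):6d}"
              f"  attempts to recover 0x{SECRET_KEY:04X}={attempts_for_known_bits(known)}")
```

Running it shows the worst case dropping from 65536 candidates with nothing known to 16 with twelve known bits; the actual attempt counts fall the same way because the searcher walks the unknown bits in order and the key's low bits fix where it lands. The defensive reading is the one that matters: the strength of a key is the entropy an attacker does not have, not its nominal length, which is why the quality of the random number generator behind it is worth scrutinizing.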
There is another thing that needs to be said: Backdoors in any system, regardless of who puts them there, are always a bad thing. The reason for this is simple: Backdoors never stay secret. Sure, the entity that put them there can exploit them to sneak into a system, but there are always motivated entities out of anyone's control scrutinizing every system looking for vulnerabilities. Occasionally they find one of those backdoors (it was deliberately put in the code for in.telnetd years and freaking years ago, so that's what I'm calling it) and use it for their own purposes, with no one the wiser. Final result: you're even worse off than you thought you were, because it's not just one shadowy entity you have to worry about, it's any shadowy entity that takes the time to go poking around.
Welcome to the grim meathook future.