Today’s blog entry was inspired by something my friend and colleague, John Pirc, shared with me over the weekend. It was interesting from both a timing and a content perspective, as on the previous Friday (November 21, 2009) we had released the first of a series of seventeen white papers, one for each of the seventeen domains identified as “critical” to the United States by the FBI, DHS and the intelligence community. That first paper, Critical Infrastructure Part 1: Trains and Transit Systems, is germane both to this entry and to our collective concern for critical infrastructure wherever in the world it happens to be. It dealt with the hazards facing trains and transit systems, physical and logical, from attack or tampering. Those of you who downloaded and read it know that we discussed several examples and scenarios in detail (some fictitious, others all too factual), articulating the means by which these assets can be and are being exploited, and how to defend them. Our reason for writing them is simple: educate those who would otherwise remain uninformed or misled, providing salient detail on the potential for, and the realities of, exploitation of these environments and how best to prevent it. Ultimately, our hope is that education and awareness will prevent tragedies where that is possible. Sadly, it is not always possible; nonetheless it is part of the mission we have set for ourselves. Much of our writing, individual or collective, deals with malicious code and content, threat vectors, reverse engineering and advanced persistent threats, among other things. An equally large share deals with the third parties whose agendas drive them either to profit from what we study in the lab, or to sell and execute these tools to achieve an end.
These third parties may include traditional criminal entities and organizations, cyber-criminal entities and organizations, state sponsored cyber-warfare initiatives, and sub-nationally sponsored cyber-warfare initiatives (aka cyber-terrorism).
Terrorism can be defined as the systematic use of terror to achieve a goal. As there is no universally accepted definition of terrorism, I will use this as a base from which to build and expand, since I believe most conventional definitions eventually converge on it. These systematic approaches often involve coercion in addition to violence; psychological impact (which can manifest and affect targets differently even when the victims share the same root experience of terror) and fear; political motivation; the deliberate targeting of non-combatants; and unlawfulness. I realize that is a rather generic definition; if you would like more information, I suggest looking here, here or here at Dr. Dorothy Denning’s collected works.
Terrorism is a major concern the world over, and Russia is no exception. Since the collapse of the Soviet Union in 1991, Russia has suffered terrorist attacks as it fought two wars with Chechen rebels, and Islamist separatists continue to target non-combatants to push their agenda forward. On Friday, November 27, 2009, an act of terror took place within Russia’s borders. Some 249 miles northwest of Moscow, in an area noted for its beauty and remoteness, a high-explosive device derailed a high-speed train (favored by Russian executives and government officials) traveling between Moscow and St. Petersburg. The attack left 26 dead and around 100 injured. According to Russian authorities, the explosion derailed the last three cars of the 14-car train, which carried 652 passengers and approximately 30 crew members. Russian authorities have concluded that this was a terrorist act similar to the one carried out on the same line in 2007.
In 2007, the Nevsky Express was derailed on the same track with no deaths, though dozens were injured as the train passed over an explosive device. That derailment was attributed to two men with ties to Chechen terrorist organizations, and reports throughout Russia now claim that the same party is responsible for the attack on the 27th. Two suspects were detained after the 2007 attack, but a third, Pavel Kosolapov, a former military officer believed to have links to Chechen separatists, remains a fugitive. On Monday, November 30, 2009, Russian officials released a composite sketch of a man thought to have been involved in the bombing, and Russian railroad officials said the attack had all the hallmarks of those carried out by insurgents from the volatile North Caucasus. The device was comprised of approximately 15 pounds of TNT (trinitrotoluene), and the blast left a five-foot (1.5 meter) crater near the Nevsky Express, train No. 166. Rescue crews worked through the night to move victims from the debris. A second, smaller blast came on Saturday afternoon from a second bomb that authorities believe had malfunctioned; no one was injured, but it delayed rescue and repair work for several hours. Asked about the event, Russian President Dmitry Medvedev said that it had everyone at their wits’ end, or as he put it, “Everyone’s nerves are at the limit.” It is not hard to understand why he, law enforcement and the people of Russia feel that way: according to Russian sources, this was the worst attack the country has suffered since 2005.
What struck me about this event was not only its timing relative to the paper we released, but also that it hit the same train line twice within two years. That troubled me greatly: though no one was killed in the 2007 attack, the line was apparently not considered worth additional monitoring, and was perhaps even deemed an unlikely target for a repeat attack by Russian intelligence and law enforcement. The same type of thinking was applied in New York City after the 1993 World Trade Center bombing, when the buildings were not considered a likely target again, at least by the same means. Terrorists rely on the unconventional becoming the conventional; it helps them maintain surprise and accomplish their mission of using fear and terror to reap a physical or psychological reward. So what can we learn from this recent tragedy in Russia, and what can we do to avoid similar threats to trains and transit systems here in the United States and around the world? We discussed mechanisms for mitigating the risks to these critical infrastructure assets in the paper released on November 21. My challenge to you (and to myself) in the wake of this tragedy is to ask what we can do to ensure events such as this are not ignored: that they are brought to the attention of policy and law makers, that they are defused before they occur through collaboration with local, state and federal law enforcement, and that the opportunities for exploitation leading to such an attack are greatly reduced through vigilance.
Human Frailties
I’d like to talk a bit today about two security failures I’ve read about recently. One was very widely publicized; the other seems to have been swept under the rug. One was a genuine shock, coming from an organization that is normally a paragon of reliability; the other comes from an organization whose name has, sadly, become synonymous with security failure. There are lessons to be learned from each.
Here in the United States, we celebrated Thanksgiving on Thursday. Most of us gathered with our families to share a meal and to give thanks for the things we all too often take for granted. One of the things I quietly gave thanks for this past Thursday was the fact that I’m not Jim Mackin. Because if I were Jim Mackin, I would have had the unenviable task of explaining to the American press how in the hell two unscreened, uninvited people were able to social-engineer their way past the Secret Service and, in the process, gain direct, personal access to the President of the United States.
The United States Secret Service is one of those institutions that we Americans kind of take for granted. They’re widely known as one of the best-trained, best-equipped, and highest-performing security forces in the world, and have, at least until this week, held nearly-universal respect among the people of this country. Its mission is simple – “to protect national leaders, visiting heads of state and government, designated sites, and National Special Security Events”. (less well known is the other prong of the Secret Service’s mission – the USSS is also the government agency historically responsible for the investigation of counterfeiting, as well). One could reasonably assume that protecting an event like this would be pretty well-paved ground for the Secret Service. Although every event has special requirements, I would imagine that the plan for the protection of Tuesday’s state dinner was largely a boilerplate item, containing many processes and procedures that had been time tested.
But despite this being a pretty standard protection operation for the USSS, with exhaustively documented and tested processes in place to ensure that security was maintained, two unauthorized people got in, seemingly without any extraordinary effort. How did it happen? The investigation is still ongoing, but news reports indicate that someone in the Secret Service’s Uniformed Division failed to check the attendees’ names against the guest list. To be fair, the potential damage was greatly mitigated by the other physical checks that were performed, such as metal-detector wanding, but the fact remains that two people who were not supposed to be there got within a handshake’s distance of President Obama, Vice President Biden, the Prime Minister of India and untold numbers of VIPs. Needless to say, we’ll be hearing more about this incident.
The second failure I’d like to talk about today is a bit less well publicized, and comes from the recent news that Choicepoint, the consumer data aggregator, has once again been fined by the US Federal Trade Commission for a data breach. You might remember that back in 2005, Choicepoint was the hub of what was at the time one of the largest personal-information disclosures in history, involving 163,000 consumer records and resulting in 800 documented cases of identity theft, for which Choicepoint settled with the FTC for $15 million in fines and restitution to harmed consumers. The second breach, which occurred last year, was somewhat smaller, involving the personal information of 13,750 individuals. It occurred after Choicepoint “turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off”. In other words, all the lessons learned from the 2005 breach and 2006 settlement were for naught, because someone flipped the wrong switch and nobody noticed. Incidentally, this second breach cost the company $275,000, which, astute observers may note, works out to about $20 per compromised record against roughly $92 per record for the first, larger breach, a 78% smaller penalty per record (I’ve another post brewing about this, which I’ll save for later).
So, what do these two failures have in common? Both had humans at their root: humans not following procedure, whether willfully or accidentally. Human frailty caused both of these failures in security. Neither was a failure of technology, of procedure, or of the implementation of either. By all accounts, the security plans behind both the Secret Service and Choicepoint breaches were solid, yet both failed because someone, somewhere, simply didn’t do what they were supposed to do.
There are lessons here for IT security practitioners. The first and most important is that “to err is human”: human beings are inherently fallible machines. The goal, then, is to minimize the effect of human factors when planning the protection of high-value assets.
Think of it this way: One of the first principles of systems administration is to eliminate single points of failure whenever possible. The most prominent example of this principle is a RAID array, where the failure of one (or more, in some cases) physical hard disk drive does not result in either the loss of the data on the array or an interruption in service. Hard disks, like humans, are fallible, and this relatively simple mechanism was designed to work around that fact.
So, how do you build a RAID array of people? Procedures for security operations should be designed so that no individual has the ability to leave a protected asset vulnerable through their action or inaction. Furthermore, processes should be designed so that each person, while acting as part of a team, performs their role independently of the others. This avoids the temptation for the person performing a secondary check to become less vigilant on the assumption that the person performing the primary check did their job correctly.
Clearly, implementing multiple human checks is not feasible for the protection of most assets, labor being as expensive as it is. But for high-value assets, such as the safety of world leaders or the personal data of millions of consumers, these multiple checks are crucial if you want to avoid ending up, like Jim Mackin, having to explain an embarrassing security failure.
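As an added illustration (not code from the original post), here is a small Python model of the fail-closed, independent-check design described above. Each required role records its own verdict and sees only the subject, never another role’s verdict; a verdict that was never recorded, because the check was skipped, denies just like a negative one; and a role that stops reporting is flagged, which is the question nobody asked at Choicepoint for four months. The guest list, the screening results, the role names and the `Gate` class with its `perform`, `decide` and `silent_controls` methods are all hypothetical constructs for this example.

```python
"""Fail-closed, independent multi-check admission gate (added illustration).

Models the 'RAID array of people' idea: every protected action needs its own
positive verdict from each required checker; a checker sees only the subject,
never another checker's verdict; a verdict that was never recorded (the check
was skipped) denies; and a control that stops reporting is flagged rather than
silently trusted. All names and data here are constructed for the example.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample data (hypothetical): the invitation list and who was wanded clean.
GUEST_LIST: Set[str] = {"Invited Guest A", "Invited Guest B"}
SCREENED_CLEAN: Set[str] = {"Invited Guest A", "Invited Guest B", "Walk-up Visitor"}


@dataclass(frozen=True)
class Verdict:
    role: str
    subject: str
    allowed: bool
    reason: str


Checker = Callable[[str], Verdict]


def list_check(subject: str) -> Verdict:
    """Primary check: is the subject on the invitation list?"""
    ok = subject in GUEST_LIST
    return Verdict("list", subject, ok, "on guest list" if ok else "not on guest list")


def screening_check(subject: str) -> Verdict:
    """Secondary check: did the subject pass physical screening? It deliberately
    knows nothing about the list check, so it cannot lean on that check having run."""
    ok = subject in SCREENED_CLEAN
    return Verdict("screening", subject, ok, "screened clean" if ok else "failed screening")


class Gate:
    def __init__(self, required: Dict[str, Checker], max_silence: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.required = required            # role -> independent check function
        self.max_silence = max_silence      # seconds a control may go without reporting
        self.clock = clock                  # injectable so the demo/test can fake time
        self._ledger: Dict[Tuple[str, str], Verdict] = {}
        self._last_report: Dict[str, float] = {role: clock() for role in required}

    def perform(self, role: str, subject: str) -> Verdict:
        """One person doing their job: run their own check, record the verdict,
        and as a side effect prove that this control is still operating."""
        verdict = self.required[role](subject)
        self._ledger[(role, subject)] = verdict
        self._last_report[role] = self.clock()
        return verdict

    def decide(self, subject: str) -> Tuple[bool, List[str]]:
        """Fail closed: admitted only if EVERY required role recorded allowed=True.
        A missing record is treated exactly like a negative verdict."""
        problems: List[str] = []
        for role in self.required:
            verdict = self._ledger.get((role, subject))
            if verdict is None:
                problems.append(f"{role}: no verdict recorded, check was skipped")
            elif not verdict.allowed:
                problems.append(f"{role}: {verdict.reason}")
        return (not problems, problems)

    def silent_controls(self) -> List[str]:
        """Roles that have not reported within max_silence: the 'is the monitoring
        tool actually still switched on?' question, asked continuously."""
        now = self.clock()
        return [role for role, t in self._last_report.items() if now - t > self.max_silence]


def demo() -> Dict[str, object]:
    """Walk through both failure modes; returns the results so they can be checked."""
    fake_time = [0.0]
    gate = Gate({"list": list_check, "screening": screening_check},
                max_silence=300.0, clock=lambda: fake_time[0])

    # Both checks performed independently: the invited guest gets in.
    gate.perform("list", "Invited Guest A")
    gate.perform("screening", "Invited Guest A")
    invited = gate.decide("Invited Guest A")

    # Screening was done, but nobody checked the list: deny rather than assume.
    gate.perform("screening", "Walk-up Visitor")
    walkup = gate.decide("Walk-up Visitor")

    # Time passes and the list checker has gone quiet: flag it before the next breach.
    fake_time[0] = 1000.0
    gate.perform("screening", "Invited Guest B")
    silent = gate.silent_controls()
    return {"invited": invited, "walkup": walkup, "silent": silent}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the ledger is that the absence of a record is itself a denial, so a skipped check can never be mistaken for a passed one; the heartbeat in `silent_controls` is the cheap addition that would have turned a four-month blind spot into a same-day alert.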
“Mensch tracht, un Gott lacht” (“Men plan, God laughs”), Yiddish proverb
It is Thanksgiving here in the United States, a day for reflecting on what we have been given and are privileged to experience. Seeing that opportunity handed down from generation to generation is both humbling and exciting; it is the perpetuation of a dream set in motion hundreds of years ago. A lot happens on Thanksgiving. Multi-course meals are prepared with care and style in millions of households, while friends and family gather to celebrate and spend quality time with one another, often on the field of battle: the touch football field. It is a wonderful day, a favorite of many, in some cases more special than Christmas. Thanksgiving Day is a beautiful thing, that is, until software houses begin hiring hackers as developers, placing millions at risk. Happy Thanksgiving! While preparing for my own festivities I ran across this and had to stop and consider it on this day of thanks.
Today it was officially announced that an Australian mobile application development firm has hired Ashley Towns as a software developer. For those not familiar with his work, Towns brought the world its first iPhone worm, the now infamous ikee (also known as the Rickrolling worm). Released earlier this month, ikee spread between jailbroken iPhones on which an SSH service had been installed and the default root password (“alpine”) left unchanged, and changed the wallpaper of each device it reached to a picture of Rick Astley. Though its earliest iterations were full of bugs, it managed to accomplish its mission of replicating and leaving a ghastly picture of Astley as a calling card. Towns has yet to be arrested for this offense; I seriously hope that when it occurs the courts take into consideration the fact that he re-inflicted Rick Astley on the planet, a crime for which hard labor is surely warranted. Towns’ worm brought to light a major challenge facing the world today: the gaping security holes present in jailbroken iPhones. A number of other malicious code samples can exploit jailbroken iPhones as well. Some, like the Duh worm, can implement command and control (C&C) functionality on the device, enrolling the jailbroken iPhone in a botnet as a drone.
As it’s Thanksgiving, I am giving thanks that I do not own a jailbroken iPhone. I am also giving thanks that others in our industry, peers such as Graham Cluley at Sophos, feel the same way. Here is what Graham had to say about it: “Don’t get me wrong – I don’t think virus writers shouldn’t be allowed to rehabilitate and do something worthwhile with their lives. But it jars with me that Towns has shown no regret for what he did, and that now his utterly irresponsible behavior appears to have been rewarded. Will Towns be offering a token $5 compensation to all those he infected for the inconvenience he caused? I doubt it. There are plenty of young coders out there who would not have acted so stupidly, are just as worthy of an opportunity inside a software development company, and are actually quite likely to be better coders than Towns, who made a series of blunders with his code.”
It jars me as well, Graham, and my hope is that after the tryptophan-induced comas here in the United States wear off, we will be able to explore this in more detail. For the time being, I would ask the readers of this blog and our peers and colleagues to consider the implications of the Towns case. Recall that in another post I wrote about Blackhats, Whitehats and Grayhats. Since Towns has neither demonstrated nor expressed remorse for his actions, it speaks volumes about his character. It also speaks to the character of a firm that would hire an unrepentant Blackhat as a legitimate application developer.
Money for Nothing Relatively Risk Free: Why They Do What They Do
At the conclusion of the previous installment of this series I said that in the next we would begin exploring in more detail the nature and reasoning behind the forces that shape the economic ecosystems of the cyber criminal realm. It is extremely important to note that, the world over, the lines between traditional criminal organizations and those born in the cyber age have blurred. The rate and frequency of this blurring are difficult to measure; its point of genesis is unclear, though it shows no sign of slowing. As I have commented before, cyber criminals are innovative opportunists. They share this trait with their more organized traditional counterparts, and it is in their individual and collective best interest to be so: it helps them secure their livelihoods and their lives. High stakes for high-stakes players.
Because of this innovative, opportunistic trait, a strange and interesting phenomenon began to occur, one that would have a profound impact on the entire world over time. Sophisticated ecosystems emerged reflecting the innovative, opportunistic nature of the criminal mind. Recognizing the market needs present (supply and demand), traditional criminal organizations began evolving and investigating new means of generating revenue, while cyber criminals began joining forces with traditional criminal organizations or were groomed from within their ranks, resulting in a level of sophistication not previously seen, yet organic. This was not a localized event, nor a stereotype tied to an ethnic or cultural group; it was the dawn of something new, with a global world view. The following list, though extensive, is not exhaustive of the criminal activity blurring the lines between these worlds:
- Extortion / Protection Rackets
- State Sponsored / Cyber Terrorist / Cyber Mercenary Activity
- Cargo Heists / hijacking
- ATM / Credit Card Fraud (carding)
- Fraud
- Online Gaming, Gambling, Racketeering
- Money Laundering
- Theft of Property / Identity
- Sex and Pornography
- Confidence Scams
- Trafficking in Criminal Contraband / Fencing of Stolen Property
- Counterfeiting of Currency / Legal tender
- Manufacturing and sale of counterfeit goods
- Illegal substances
- Human smuggling
It is important to note that professional criminals, traditional, cyber or otherwise, would not be as interested in cyber crime were it not for the opportunity to generate revenue and show a profit while incurring the least possible risk. Were this not the case, there would be far less speculation about the true dollar amount associated with cyber crime globally (recall that estimates range from 600 billion to 1 trillion USD as of 2009; I tend to believe the lower end, which is still a huge amount), and far fewer cases being logged and researched. Recently we have seen several examples that reflect the diversity of the activity and the lengths to which individuals and organizations alike will go to achieve their goals. On November 10, 2009, the United States Department of Justice brought charges against an alleged international hacking ring suspected of stealing $9 million from more than 2,100 ATMs in approximately 280 cities worldwide.
The multi-national team responsible for this theft targeted RBS Worldpay, a division of the Royal Bank of Scotland. By undermining the encryption RBS Worldpay used to protect its card data, the criminals were able to generate 44 counterfeit payroll debit cards. The parties making the withdrawals were allowed to keep up to half of what they withdrew, sending the remainder to the ringleaders. The entire operation took all of 12 hours. The case demonstrates the creativity the team brought to bear, and the level of cooperation and collaboration required to carry out a crime of this scale in so short a time. It also reinforces the position taken by most law enforcement and security researchers today that international cooperation among criminals is now the norm, which in turn supports the risk-reward principle discussed earlier.
In September of this year, another case being prosecuted by the United States Department of Justice was made public. It involves a Chinese national living and working here in the United States, indicted in New Jersey for participating in an elaborate plan to steal confidential information (proprietary intellectual property) from the organization where he was employed as an environmental engineer. His intention, with the aid of two co-conspirators in China, was to sell the information to Chinese corporations and the Chinese government. The information he stole (and transmitted to his private email account and to his co-conspirators) related to a comprehensive hazardous waste information management system his American employer had designed specifically for the Chinese market, aimed at the Chinese equivalent of the Environmental Protection Agency and at the organizations that deal with that agency, such as hazardous waste producers and shippers. The former employer, referred to as Company A, pushed for prosecution to the fullest extent of the law and asked the court to consider the damage the crime had done to its business as a whole. Company A argued that as a result of this espionage its opportunity to engage the Chinese government formally had been seriously hampered, as had its opportunity to reach the organizations that do business with China’s EPA equivalent; its assertion is that this cyber-enabled industrial espionage has tarnished its reputation and likely made it impossible to do business in the region.
In both of these cases (two recent ones chosen because they illustrate the diversity within the cyber criminal underground), cyber intelligence, tactics and techniques were employed. As a result, the level of direct physical human involvement required was minimal, which increased the reward while reducing, though not eliminating, the risk. The following points were originally listed for consideration in the first post, and I believe they remain true:
- It often directly impacts those who cannot protect themselves; preying on the weak is always easier than preying on those who can defend themselves, though, as the examples above show, the latter happens too, and with great success
- Cyber-crime represents a real threat to the U.S. Economy and economies of nations the world over
- Cyber-crime represents a threat to the security interests of the United States of America and nations the world over (see first bullet)
- Cyber-crime transcends borders and national boundaries – rarely if ever, discriminates
- Impacts governments, businesses, and the private lives of law-abiding citizens the world over — most of whom are unaware that activity of this nature and degree is taking place, much less that they might be unwittingly made a part of it via a myriad of exploitative means
- It’s truly a global problem with global implications as there are individuals, gangs, cohorts, syndicates, organized crime elements, terrorists, and state sponsored entities actively participating and supporting the economies which support these criminals
- Its impact, prevalence and maturity are underestimated and, as a result, often dismissed
With respect to these points, I will close by posing the same question I did in the initial post of this series: “In the 21st Century, what has the potential to do more harm? Bombs, Bullets or Bits?”
The Rosie Scale and Stopping Stupid
Ok, girls and boys, gather round the campfire, because it’s story time here at Camp Cassandra. A long time ago, in an office building far far away, I worked in the I.T. department at the corporate headquarters of a large telecommunications company. I liked my job, and the people I worked with were, generally speaking, pretty easy to deal with. There was, however, one person whose name struck fear into the hearts of everyone not only on my team, but in my entire department. This person wasn’t feared because she occupied a position of great authority, or had corporate political clout, or social connections. She was feared by my colleagues in the I.T. department for one reason and one reason alone: she might have been the dumbest person ever to sit down in front of a keyboard, and her name was Rosie. The people in my department knew that when Rosie called, it was more likely than not to consume the better part of a day. A visit to Rosie’s desk became a hazing event, in fact; the desktop support people reveled in sending new techs, oblivious to Rosie’s reputation, just to see the look of horror on their faces when they got back to the bullpen where we all sat.
This is not to say that Rosie was bad at her job – she was certainly competent at whatever it was that she was there to do, or they wouldn’t have kept her around. She also wasn’t a rude or unpleasant person to deal with – quite the contrary, in fact. She was actually quite a smart and witty person, but put her in front of a computer and her IQ would drop by an order of magnitude. Rosie had the tragic touch – she could cause a blue screen of death by walking PAST a computer. She once single-handedly took down the entire company’s network of email servers for an afternoon, in a single act of “wow, I didn’t know that would happen.” (if you’re curious about how she accomplished this, she did it by sending an email containing a 200MB attachment addressed to all 90,000 people in the company, and inadvertently exposed a serious flaw in the message size limit mechanism built into Microsoft Exchange 5.5 in the process.) Rosie could break a computer like no one else I’ve seen before or since. She’d have made a great QA engineer, if she could only tell anyone with any degree of specificity what the heck it was that she was doing when her computer went up in a mushroom cloud. Training Rosie on how to properly use her machine was a pointless exercise – it was like trying to fill a bucket that had a hole in the bottom. Rosie could make an abacus crash. She might have been the reason Microsoft invented Bob. The term “stupefyingly stupid” seems redundant, but it’s really not all that far off the mark. We’re talking weapons-grade stupidity here.
One night, after many beers and while swapping war stories at happy hour, a few of us decided to come up with a (admittedly imprecise) metric of end-user technology ability, which became known as The Rosie Scale. It’s been a few years, but from the best I can recall, the Rosie Scale looked something like this:
0 – Alan Turing
1 – Tim Berners-Lee, Dennis Ritchie, Steve Wozniak, Grace Hopper
2 –Linus Torvalds, Larry Wall
3 – Sysadmins, clueful developers, QA folks and support people
4 – Your average MCSE bootcamp graduate
5 – Your average corporate end user
6 – Your average AOL user (hey, it was the late 90s)
7 – Algae
8 – bellybutton fluff
9 – a bag of hammers, a box of rocks
10 – Rosie
Now, the sad thing is that Rosie is by no stretch of the imagination a unique individual. In fact, I’m willing to bet that among those reading this who’ve done end-user facing support for any length of time, a fair percentage have already given themselves whiplash from nodding in acknowledgement. We’ve all known our own Rosie, and we’ve got the emotional scars to prove it.
And this brings me to the moral of this little story. I came across this article earlier tonight and thought it worth a mention. It discusses something fairly well established among I.T. security professionals: that the biggest threat to the enterprise isn’t from the outside, it’s from the inside. Typically the threat comes from insiders who are not only acting without malice, but more than likely acting without any knowledge of why what they did was bad in the first place. A colleague of mine once told me he thought that 90% of IT security with regard to the endpoint was “stopping stupid,” and I couldn’t agree more. Think about it: most endpoint malware prevalent in the wild these days relies, at least in part, on social engineering, taking advantage of the end user’s trust or lack of sophistication. In fact, DLP, which has almost overnight become an endpoint must-have, is almost ALL “stopping stupid”: protecting the end user from doing something dumb, like copying data including orders for troop movements to an unencrypted USB stick and then losing it in a nightclub in Cornwall, like this guy did. He wasn’t acting with malice and didn’t intend to compromise the data entrusted to him. He was being stupid, worse yet didn’t know how stupid, and got caught out for it, but only because the person who found the USB stick turned it over to a newspaper rather than to the UK Ministry of Defence.
And this brings me back to my old friend Rosie. For the IT people out there, I want you to close your eyes, and think about your Rosie, the least-sophisticated, error-prone, “oh I wasn’t supposed to click on that attachment?” user you have. When viewed in the light of “stopping stupid”, this is the person you have to worry about the most.
I’ve noticed something recently: we, as an industry, talk a good game when it comes to internal threats (the above-linked article being an example of that), but it still seems that we have a bit of a blind spot when it comes to providing actual protection, focusing more on direct attacks from external sources. As much as we worry about Eastern European or Asian organized crime gangs, or foreign government spies, or some kid sitting in his basement with too much time on his hands, anti-social tendencies, and a full bottle of Ritalin, the real threat is sitting in your office right now. The well-meaning but clueless person in your company who just doesn’t understand the consequences of what they are doing (in other words, your Rosie) is a bigger threat than all of those people combined, because they’re the ones holding the door open for the guys who are acting with malice.
And your Rosie is the only thing standing between you and your organization’s next outbreak or data breach. If that doesn’t scare the pants off you, you’re in the wrong business.
The following white paper is the first in a series discussed earlier today by Cassandra Security. The authors of this piece, Will Gragido and John Pirc, are proud to present it to you and the community:
No Longer Available for Download, see Critical Infrastructure Part I: Trains and Transit Systems Revised Edition 120509!
Seeing Tomorrow Today,
Cassandra Security
Critical Infrastructure White Paper Series Coming Soon!
Critical infrastructure comprises a variety of networks, systems, services, industries, and utilities which all play a key role in our existence and way of life. Any disruption to them has echoing, long-lasting effects which can lead to a variety of outcomes, some more dire than others. We here at Cassandra Security are currently producing a series of technical white papers, each addressing an individual aspect of securing critical infrastructure. These papers will feature original thought and research while also introducing data provided via alliance partners and guest authors. We at Cassandra Security are pleased to present this series of papers and body of work to you, as we feel strongly that the need and timing warrant a fresh insight into the challenges facing critical infrastructure today. The first in the series deals with Railway Systems and Transportation; we hope it stimulates and piques your interest and curiosity in the successive installments. It should be ready for publication within the week. Stay tuned!
Without Tesla, we security researchers may never have had formal reverse engineering procedures. What, you say? Tesla was, in addition to other things, a security researcher focused on reverse engineering? Clearly no, he was not. Nikola Tesla was a brilliant man who lived in the age of Edison (or Tesla, depending on who you ask), making his living as a specialist in areas of research having to do with mechanical and electrical engineering. He is known for the following:
- Tesla coil
- Tesla principle
- Tesla turbine
- Tesla’s Egg of Columbus
- Teleforce
- Alternating current
- Tesla’s oscillator
- Induction motor
- Tesla electric car
- Rotating magnetic field
- Wireless technology
- Particle beam weapon
- Bifilar coil
- Death ray
- Telegeodynamics
- Terrestrial stationary waves
- Electrogravitics
Nevertheless, perhaps what he is most noted for is the controversy which ensued between 1891 and 1893. At the time, Nikola Tesla was living and working in St. Louis, Missouri, where his focus was on the production of devices used in his experiments with electricity. His work saw the construction of various devices and apparatus that produced between 15,000 and 18,000 cycles per second. Within the scope of his work, the transmission and radiation of radio frequency energy was a feature exhibited by Tesla that he proposed might be used for the telecommunication of information. He gave several demonstrations of his technology and work to very prestigious institutes, including the Franklin Institute and the National Electric Light Association. He was articulate, crisp and concise in his description of his wireless work, which was both fascinating and groundbreaking. The descriptions provided by Tesla contained all of the elements that were later incorporated into radio systems, well before the development of the vacuum tube, a feat which still amazes many to this day, largely because of his staunch rejection of Hertzian waves, which he considered wasteful. His work superseded the work being conducted by Hertz and Bose while eclipsing that of Edison and Marconi as well. Tesla was truly the master of wireless transmissions. He received the following US patents for his work in this space:
- Tesla’s U.S. Patent 447,920, “Method of Operating Arc-Lamps” (March 10, 1891), describes an alternator that produced high frequency (for that time) current of around 10,000 hertz. His innovation was suppression of the sound produced by arc lamps that were operated on alternating or pulsating current by using frequencies beyond the range of human hearing.
- U.S. Patent 645,576, “System of Transmission of Electrical Energy” (March 20, 1900; filed Sept. 2, 1897). In US645576, Tesla cited the well-known radiant energy phenomena and corrected previous errors in the theory of its behavior. Within this specification, Tesla declared, “The apparatus which I have shown will obviously have many other valuable uses – as, for instance, when it is desired to transmit intelligible messages to great distances [...]”.
- U.S. Patent 649,621, “Apparatus for Transmission of Electrical Energy” (May 15, 1900; filed February 19, 1900). In US649621, Tesla established a system which was composed of a transmitting coil (or conductor) arranged and excited to cause oscillations (or currents) to propagate via conduction through the natural medium from one point to another remote point there from and a receiver coil, or conductor, of the transmitted signals.
For reasons not of his own making, Tesla’s innovation was (like that of others) misattributed to Guglielmo Marconi, who has been called the father of radio. Marconi is said to have read about the experiments that Hertz did in the 1880s while he was on vacation in 1894, and about Tesla’s work as well, and this information led to the creation of his device, which was largely composed of components conceptualized by others. It was at this time that Marconi began to understand that radio waves could be used for wireless communications. As interesting as all of this is, it is not the purpose of this blog post. No, today’s blog focuses on a concept, a principle developed by Tesla, known as the Tesla Principle, which was paramount to his work and over time became less relevant but no less important in other forums. What is the Tesla Principle? Put plainly, the Tesla Principle was used to describe (amongst other things) certain reversible processes invented by Nikola Tesla himself. It was a brilliant and yet obvious means by which he could, if the need arose, work backwards in order to troubleshoot issues. It was developed during Tesla’s research in alternating currents, where the current’s magnitude and direction vary cyclically. It marks the official birth of reverse engineering.
Reverse engineering is integral to puzzle solving, and for those of us who make part or all of our living reverse engineering products, ideas, concepts and situations, the ability to work fluidly and linearly is important. It enables us, in an organized fashion, to ensure that A led to B, B to C and so on. It empowers us to interject a timeline and workflow where one does not exist. It is quite elementary yet terribly important. We in the information security industry require from time to time a healthy dose of the Tesla Principle, whether we wish to admit it or not. I cannot imagine doing what we do without Tesla’s Principle being utilized in some form. Simply because consumers are consuming and products are being purchased does not mean that challenges are being solved truly, completely and comprehensively. As a result, the ability to reverse engineer or retrace our steps is both necessary and integral to success in technological pursuits, as well as in those having more to do with the philosophical and political elements of our craft. Application of the theory, however, requires a level of Dutch courage that is not ubiquitous throughout our industry, or any industry for that matter. It requires that we observe our ego and separate ourselves (personally) from the challenge, in order to assess incidents independently, gain the appropriate point of view and arrive at the best perspective and solution.
Tesla’s Principle can and should be applied to all we do as security thought leaders, practitioners, vendors and intelligentsia. However, doing so requires an honest, forthcoming response to the challenges we face, some being the result of stagnation within the practitioner community, others the result of stagnation within the ranks of ownership, and still others within the areas of responsibility belonging to the vendor community. In exploring what doesn’t work, hasn’t worked and cannot possibly work based on the facts as we have them, we enable ourselves to create a new, dynamic and effective solution designed to address the deficiencies seen in the original while delivering on all the promises articulated in the product release document (regardless of the form this takes).
Ultimately, it requires a scientific approach that calls for emotion to be considered, yet sidelined, in order to focus on improving people, process and technology for the greater good. Can our industry withstand this change? I don’t see how it has any choice, given where business is going in general and the observable failures witnessed over the last several years (breaches, losses, compromises due to poor policy enforcement, etc.), which could have been prevented had a re-engineering thought and process been conducted. When I think of issues such as those seen in recent years, incidents such as those related to the VA, or ChoicePoint, or more recently the loss of 60+ systems from Los Alamos Labs, I can only hope and pray that we, as the leaders of the new generation, take a lesson from Tesla and apply a similar principle in reinvestigating our efforts to see what is and is not working... clearly there is room for this today!
Today my friend Dillon sent me another link on the Los Alamos security issues, which I commented on and wrote a blog entry about last week. It’s a good read, and it, in conjunction with the GAO report and the articles I referenced, should give you pause to consider the issue and its gravity. I wanted to say thanks to Dillon for bringing this to my attention and sharing this link with us all. For what it is worth, I for one would be willing to donate my time at a reduced rate to aid in securing this critically important facility; would you?
In most instances, were I conducting an audit or an assessment and the results were so blatantly poor, I’d be asking the age-old and feared question that no one wants their assessor or auditor to ask: who gets fired or who goes to jail if this fails or is compromised? Do I think that someone needs to be fired here? You know, yes, yes I do. Do I believe jail time is warranted? Well, I’m a firm believer in upholding one’s duty, and last time I checked the DOE and their facilities had cleared and non-cleared (as this article and the ones I wrote about last week outline), so I will default to their mechanisms for discipline. Would it be appropriate? Well, I’m not going to speculate on what is or is not appropriate; however, were I in charge, I’d be looking at all measures within the realm of my authority as they relate to dereliction of duty.
If we look at the history of the DOE, we can see that in the case of Sandia Labs and Shawn Carpenter, he was stripped of his clearance and ousted from his job for doing the right thing... life is strange.
Los Alamos, We Hardly Knew You… But the GAO Fixed That
Well, it is Friday night and I was not going to write anything or post anything for at least 24 hours; I promised myself. I like me, and think it is poor form to break promises to me. That was before I read this article.
Upon initial read, I found myself floating quietly in low earth orbit, enjoying a panoramic view of the Earth as my oxygen levels depleted slowly. Then came the descent. Hurtling towards the Earth at speeds not intended for man, I again found myself reading this article, debating whether another trip in low earth orbit was in the cards. Thankfully, cooler heads prevailed and I am here, writing this blog entry.
This is colossally embarrassing and scary for a number of different reasons, many of which, as you may imagine, relate directly to the business which goes on at Los Alamos. I am a huge fan of the GAO because they get it; they tell it like it is, good, bad, and often ugly. It is a quality I find endearing and necessary. Now, Los Alamos National Laboratory is not unique in that they have suffered breaches, several in fact, in recent years. They are, in my opinion, less unique than most would like to believe or dreamt was possible.
What is disturbing is the factual nature of the findings. The GAO writes great, auditor-friendly reports; they remind me of Sgt. Friday from Dragnet: “Just the facts, ma’am.” I am aghast, and quite honestly shocked, that despite all that has occurred and that we know of (and are permitted to discuss in non-classified environments), they found “significant weaknesses … in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network…” on the Los Alamos Laboratories network. Significant weaknesses at a laboratory whose primary focus is national defense and security. They say so themselves, right here on their website:
“Los Alamos National Laboratory is a premier national security research institution, delivering scientific and engineering solutions for the nation’s most crucial and complex problems. Our primary responsibility is ensuring the safety, security, and reliability of the nation’s nuclear deterrent.”
The assessment demonstrated that the lab has vulnerabilities in several “critical” areas, some of which include deficiencies in identifying and authenticating users, authorizing user access, encrypting classified information and maintaining secure software configurations... how is that possible? As luck would have it, the GAO report tells us just how it is possible, and get this: no amount of ‘Cloud’ or ‘PCI’ voodoo could achieve what is required of the solution! (Ready the ominous risk management music):
“A key reason for the information security weaknesses GAO identified was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained.”
Heaven help us. The lab reportedly has not conducted a comprehensive risk assessment to date (well, there goes my decision to not have a beer tonight), nor has it achieved a proper state of data classification. What does data classification mean here? It means that they have not marked the classification level of information stored on their classified network (a very serious problem in environments where one ought never to commingle classified and non-classified data). Additionally, as if all this were not enough, they have failed to implement adequate training for their users with security responsibilities... which, in my humble opinion, means ALL USERS! The labs have “lost” assets due to theft: since January of this year approximately 67 computers have simply vanished... again, in a secure environment, I ask you... how is that possible? Over the last several years they have experienced other breaches and losses which resulted in fines for the lab, most notably the one incurred as the result of a contract worker illegally downloading and removing hundreds of pages of data from the lab via USB thumb drives... yes, bartender, I will have another one. Additionally, the lab has taken flak in the past for not leveraging cryptographically sound email to share highly classified information.
According to the folks who broke this story at PC World, a representative for the lab said that in general they agreed with the report, noting that the lab has made progress in its cyber-security efforts. According to Michael Kane, associate administrator for the NNSA, in a letter to the GAO, the lab has addressed a number of key technical issues and is actively implementing policy to address the concerns brought to their attention via the report.
