Wednesday, August 10, 2011

USENIX: Three Cyber War Falacies, Dave Aitel, Invited Talk

Dave Aitel, CEO of Immunity, Inc, started out with a picture of "The truth shall make you free" - a quote from a wall in the offices of the CIA, which helped Aitel launch his talk on cyber security and cyber war and how irony pervades this industry.

According to Aitel, there are three fallacies of cyber war:
  1. Cyberwar is asymmetric
  2. Cyberwar is non-kinetic - as in it's in the virtual world, no "real" victims.
  3. Cyberwar is not attributable
Aitel notes that there won't always be explosions or "instant death" when it comes to cyber war, but there can still be great consequences - including loss of utilities, the more things come on line.

He warns Californians about the security implications of PG&E's SmartGrid, where a not-so-smart chip will control when you can have AC, etc., that will be very easy to compromise. That type of attack, along with recently discussed expoits on automobiles, put people's lives in jeopardy every day.

For example, STUXNET, which many took as a temporary trojan horse that is now totally under control - what the community at large doesn't seem to see, is that it was a demonstration that this (or something like it) can be used to target any factory or any utility at any time.

The problem with a lot of these trojans and worms, is that once your corporate network is infected, it is virtually impossible to to completely rid your network of these hackers. Think about it, if it took you six months to a year to discover the intruder, then you have to assume they are everywhere and you will unlikely be able to totally get them out.

Aitel then started on his point about how cyber war is NOT asymmetric by giving many counter examples, though, unfortunately he spoke very fast and the slide ware moved quickly (and was overcrowded and filled with tiny words) so I had a hard time following that point...

Automated computer security commonly involves things like vulnerability scanners, static analysis, web application scanners - they just don't work, too slow and tedious and really still require manual analysis. Aitel believes his team can find more bugs by just looking at the code, rather than relying on this analysis. Personally, I think that's great if we were all perfect, but I've definitely seen static analyzers find stuff that humans missed, both in writing and while reviewing.

Aitel has a very strong opinion on "script kiddies" - he believes that the term "script kiddie" belittles what is really a challenging career, which he compares to nuclear scientist. I'm sure he's trying to be a bit tongue in cheek, but, as someone with a science degree, I can say for certain that a nuclear scientist would most definitely be a lot more skilled than someone that runs someone else's attack scripts. Sure, there may be some learning curve to running these, but... it's not nuclear science.

Aitel then went on to quote CERN about how SSL based VPNs are all broken, due to fundamental flaws in the architectures, but did not go into details. I'm happy that I'm reading my mail over an IPsec connection ;-)

One thing that has changed over the years is that the attacking community is now mature, organized and highly motivated. After realizing that DefCon this year had reachead 19 years of age... and that I started attending back in DefCon 2, I can only imagine how accurate that statement is. [and at DefCon this year, there was a children's track.... ]

Regulation can't help here - it's too slow. Aitel argues until the "traditional bearded men that work on security get into Government" it isn't going to get better. I guess Professor Spafford meets that mold, but not sure how Susan Landau fits that mold.... guess she'd better work on her beard.

Overall, this talk was fun and entertaining, but seemed to be an agenda for why you couldn't possibly secure your own network or code on your own, and you need to hire his security team.

I think the important take-a-ways are that you cannot rely on static analyzers alone to make sure your code and network are secure, policies and tools need to be regularly re-reviewed, and keep ahead of the attackers.

The audio and video of the talk are now online.

This post is syndicated from Thoughts on security, beer, theater and bikes!