The Art of Cyber Warfare - Educational Fail

Monday, April 04, 2011

J. Oquendo


Seems like someone in the Council on Foreign Relations is out of tune with reality: "In milliseconds, bandits were able to make off with several terabytes of data. " [1]

Really? Milliseconds? Were they using space age technology to transfer at such high speeds?

The reality is that a 2 Terabyte file transferred over, say, an OC-192 would take 29 minutes and 19 secs, and that is only if the link was dedicated to sending data to ONLY one connection, with no other connection sharing the line.

The fastest connection I can think of in existence right now would be an OC-768 which operates at 39.813 gigabytes per second. A grandmother in Sweden once had a 40Gbps experiment between two points. Data did not have to traverse the Internet in order to get to her [3]. She had a direct line connection to achieve this speed.

To stay in tune with reality, we note: "South Koreans hook into the Internet at 14 megabits a second, seven times the global average, earning them the top spot on Akamai's list:" [3]

Price-wise, an OC-768 is a guessing game; however, an OC-768 can run into the hundreds of thousands of dollars for the connection alone. The equipment needed to push that kind of bandwidth runs into another couple of hundred thousand dollars.

For a government this is not a lot of money to dish out, but the problem with the notion of a government connecting and stealing data at this speed is:

a) It is impossible, even if they copied the data physically at the location,

b) Attribution: they would no longer be covert, so the party being attacked would know who they are and where they are coming from (after all, at this speed they would have the fastest connection in the world),

c) The original author is clueless and/or confused, or

d) All of the above.

Think about those for a moment. Anyone can subpoena a vendor and ask: "Who purchased such fast equipment?" They can then take that answer and connect the dots.

It is akin to painting a bull's-eye on one's chest (network): "Here I am, fastest speed in the world... I downloaded terabytes in millionths of a second. Possibly faster than the speed of light."

So what is the learning experience in the paragraphs above? For starters, we have debunked the misinformation without even having to explain how costly it would be to build a network capable of transferring such a vast amount of data in millionths of a second.

Firstly, any attacker would lose all covert capability. Secondly, an attacker would need a dedicated connection that could move petabytes per second in order to accomplish such a feat. There is not one vendor I can think of dabbling with this technology.

Even if one did, the reality is that an attacker would also need a dedicated petabyte-per-second connection DIRECTLY LINKED to the Department of Defense to accomplish this amazing data transfer.

Along the same line of reasoning, they would also need a direct line across every single network being traversed, and every one of those networks would need to support that speed in order to accomplish the task. Irrelevant little tidbits on networking so far, but they serve a greater purpose as a whole as you read on.

Information security is never going to be the statistically measurable science that security managers and professionals would like to believe it will become. Much has been said and much has been done to promote security concepts and technologies, but the underlying issue of misinformation will forever cause the industry to repeat the same mistakes.

Everything we as engineers and professionals know has come from experience and training; however, what happens when that training and experience has been wrong all this time? We continue trekking down the wrong roads, often ending up in places we did not intend to go. Not only have we wasted our time on this road, we may have spent an awful lot of money on gas, and we may be frustrated on arrival: "How the hell did I end up here?"

Analogy (I love these): Imagine momentarily that you purchased a GPS system for your automobile. You rely on this technology to get you from point to point. It can save you time and it can save you money, to say the least. Imagine for this same moment that the GPS system you are relying on is constantly giving you false information. There is a caveat here. En route to your unreliable destination, you come across a town littered with advertising for this GPS system. Once you arrive at this town, the GPS is re-programmed to send you off to your proper destination. Would you be upset at this type of marketing?

There are many security companies, organizations and professionals that have agendas. Some of them are good, some of them are bad. A glass is always going to be half full, yet half empty. We must always keep at the forefront of common sense that any and all companies have an underlying goal, which is always going to be generating revenue. Whether their application or technology is great or lacking is irrelevant. Generating revenue is their only concern, not your security posture, not defending your infrastructure.

There is an ongoing conflict with this premise - security companies defending - when it comes to "defending a nation against cyberwarfare." Imagine the same GPS scenario, only this time the GPS is installed on mission-critical automobiles: a fire truck is rushing to put out a fire and, relying on this GPS (the security company), has to make wasteful pit stops along the way. See the conflict here?

Misinformation can cause more harm than good, especially when that misinformation forces security personnel to shift resources to an area where they are not needed. Looking at the phrase "In milliseconds, bandits were able to make off with several terabytes of data" makes me wonder whether the authors have any idea what they are talking about, or are pushing an agenda. Ultimately, it is the blind leading the blind through New York City without a walking stick.

When powerful individuals and organizations speak, far too many take their words as gospel, following others aimlessly to destinations they do not want to travel to and wasting their time and resources trekking there. This continues to be the case all too often. Professionals, politicians, researchers and the like need to break out of this awful habit. In the case of a fire truck being sent in circles, the outcome can be dire.

"Cyber" warfare, espionage and all these other "media awesome" terms are rarely understood, always over-hyped and always misrepresented. Whether the misrepresentation is intentional or not, the fact is that even responsible and genuinely helpful individuals get it wrong consistently. This is how, and why, we fail, and will continue to fail, to defend against any "computer related" attack. We are learning incorrectly. We are "following the herd" too much. There are not enough individuals speaking out against these mistakes and/or correcting them.

For those that do take the time to speak, we are often fighting a marketing machine where I have $.02 to offer versus the flashing, glittering lights of think tanks with pie charts who have little idea of what they are seeing. While it may look good on paper, and it certainly looks good on Gantt, pie, bubble, axis, radar and other types of charts, the fact is the data is wrong from its inception.

So how do we overcome this nonsense of splintered agendas from industry, especially the security vendor industry? The answer is that we probably cannot, because as security professionals, no one is really paying attention to what we (those in the trenches) say. Reliance on intuition, experience, ingenuity and engineering has gone out the door. For those at the forefront of "being heard," it is far better to rely on Excel and statistics to paint pretty security pictures.

From my perspective, however, it is far better to study chaos as it was intended to be: "formless" rather than deterministic. I have the freedom to explore and learn as I go, as opposed to relying on measurements which are never going to be static, measurements that are never going to mean much by the time they are understood.

This is because technology evolves too fast; the attack vectors change instantly. I may have an idea after the fact, but that idea is now hindsight. No one can claim to have protected a compromised infrastructure via hindsight; the network was owned. They can and will claim "we have seen this before, we are defending against that now," which is quite an impressive statement to make considering that attackers don't always use the same techniques, tactics and/or locations. Sure, they are likely defending against a recurrence, but definitely not against any future attack.

Is there a solution to the ever-continuing FUD machine? The answer is obvious; however, we continue choosing to tailor our interpretations to what is suitable to our ears, what makes us happy; after all, no one likes bad news. Reality being what it is, if we keep going down the misinformation route we will never understand how to properly defend against, investigate and/or understand attacks.

We have been taught the wrong way from the jump. This is evident for almost all security technologies. It started with firewalls: "Defend against an attacker." It moved into intrusion detection: "be advised when an attacker is after you." It evolved into intrusion prevention: "prevent an attacker from compromising you."

A company went as far as to tell you "we will let them compromise you to a degree" with an "Intrusion Tolerance System." More recently we have moved into DLP (Data Loss Prevention): "alright, so they compromised you; however, we MAY be able to stop them from downloading your intellectual property!" The list goes on and on. RSA compromise [4], anyone?

Technologies can and will fail. Intuitive and creative people (otherwise known as hackers, in the respectful sense of the word) understand this, and they tinker and adjust in order to make it suitable to their needs. Let me be clear in stating that many of these technologies (IPS, IDS and so on) can and do work; however, let me also be clear in stating that people are the ones getting it wrong.

We ought not blame the security professionals all the time, though; the fact is, they have been learning it wrong all along, or rather, their GPS has been sending them down bad roads.



Cyberwarfare Fail

Jamie Adams: Excellent article.

Javvad Malik: I agree, an excellent article and very well articulated.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
